Abusive Stacks addresses - addresses used by hacks #3931

Open
314159265359879 opened this issue Jun 26, 2023 · 17 comments

@314159265359879
Contributor

This topic is to collect addresses from known hackers/phishers/abusers.

Users who have fallen victim to a hack, phishing scam or otherwise can report here and are additionally advised to report to local police.
If your issues are related specifically to Bitcoin addresses, report here (too):

Add the following details:
A. Stacks Address(es) (of hacker/scammer),
B. Very short description of hack/scam (max three words),
C. Involved transaction(s) id or explorer links.

@314159265359879
Contributor Author

314159265359879 commented Jun 26, 2023

SP30F77CBR0DSZAET7A5WYMGDHRNDQYDHCPK5SWMC

WonSTX scammer

https://explorer.hiro.so/txid/0x35c8782620814bbf22a2003c7ae3d837289287eb398cb14fc55e96dff4334283?chain=mainnet

from SP30F77CBR0DSZAET7A5WYMGDHRNDQYDHCPK5SWMC off-ramped to this likely exchange address
SP22GF51PH2HRMWME1HJMDB54VFY5YMZXCMXKZ26V
With this memo: jSJasoaKNXvG2ta
https://explorer.hiro.so/txid/0xdfe12827821dcaae43955ec8789b08dd6e35abe21a4f949658e0a025bcdbcc6a?chain=mainnet

@kyranjamie
Collaborator

Very much in support of this, great initiative @314159265359879

@GAD2511

GAD2511 commented Jul 3, 2023

This will be helpful for users.
I'm 100% aligned with the proposal.

@314159265359879
Contributor Author

Date: June 15th 2023

A: SP20ATZMT9K27BE5VSSMHKAFZQGMV8AV8YFMY4DAD
To: Exchange Kucoin - SPX8T06E8FJQ33CX8YVR9CC6D9DSTF6JE0Y8R7DS
Memo: 1910082500 (the scammers' account on Kucoin)
B: Fake iOS app
C: https://explorer.hiro.so/txid/0x8b8ce176bf3f495e852ad88e01346b7df7d218c0a5e8c43641edbc232b71372e?chain=mainnet

@314159265359879
Contributor Author

June 15th

A: SP20ATZMT9K27BE5VSSMHKAFZQGMV8AV8YFMY4DAD
To: Exchange Kucoin - SPX8T06E8FJQ33CX8YVR9CC6D9DSTF6JE0Y8R7DS
Memo: 1910082500 (the scammers' account on Kucoin)
B: Fake iOS app
C: https://explorer.hiro.so/txid/0x010ba51215b02f062be3d80fa3355bda5dd2c34cee6f1557c4f1e28e3bfa9738?chain=mainnet

@DeeList

DeeList commented Sep 29, 2023

June 17, 2023

A. Scammers addresses:

SP6RBV6HPPVJQ319AGK5Z7YA23YSNNZGX5QDTESG
https://explorer.hiro.so/address/SP6RBV6HPPVJQ319AGK5Z7YA23YSNNZGX5QDTESG?chain=mainnet

SP1S7XGG3Z9K2163E6F63RYMQC5KXPKEGBFM9EHNY
https://explorer.hiro.so/address/SP1S7XGG3Z9K2163E6F63RYMQC5KXPKEGBFM9EHNY?chain=mainnet

B. Fake iOS/Android app

C. In this final transaction, 11,658 STX were sent to Kucoin Exchange: https://explorer.hiro.so/txid/0x26d027e73889a1efa1bd60233beb87a089a660861bdc5291de99869288a802df?chain=mainnet

Sent to: Exchange Kucoin - SPX8T06E8FJQ33CX8YVR9CC6D9DSTF6JE0Y8R7DS
https://explorer.hiro.so/address/SPX8T06E8FJQ33CX8YVR9CC6D9DSTF6JE0Y8R7DS?chain=mainnet
Using Kucoin Exchange Memo: 1913375219

@DeeList

DeeList commented Oct 7, 2023

October 6, 2023

A. SP2T8R1SSNJ9YQNPG7T1HBB7VF5FXJJP0KVN3JNRT
https://explorer.hiro.so/address/SP2T8R1SSNJ9YQNPG7T1HBB7VF5FXJJP0KVN3JNRT?chain=mainnet

B. Unknown phishing scam

C. https://explorer.hiro.so/txid/0x0a0baa8e13f43326f9dba0e6a50458180adae185587a814dc4e78a9cf489b444?chain=mainnet

Scammer sent funds to Simpleswap.io: SP22GF51PH2HRMWME1HJMDB54VFY5YMZXCMXKZ26V
using this memo: CWf47qnFVud48mL
https://explorer.hiro.so/txid/0x5bad49b0bff83e1bf41a7b2a26da157277288d133a94834b5e3c791d9f1165a3?chain=mainnet


Additional related transactions

The thief's account has swapped or transferred funds to other accounts:

10,210.371718 STX from SP2T8R1SSNJ9YQNPG7T1HBB7VF5FXJJP0KVN3JNRT to SP3ZDEKW41WWVS3MF50TN33PW99YN9XF6N63BRANK
https://explorer.hiro.so/txid/0x177a9802e531434c5d82f07f04b4344c675000c69d9adf5661ebcb2b619b18c3?chain=mainnet
SP3ZDEKW41WWVS3MF50TN33PW99YN9XF6N63BRANK swapped STX (10k) to xBTC
https://explorer.hiro.so/txid/0x831af9d38174b3222f5597430ff9a6e31089e9e052b4a0ed7cb41879d61073ec?chain=mainnet

SP2T8R1SSNJ9YQNPG7T1HBB7VF5FXJJP0KVN3JNRT swapped STX (10k) to xBTC
https://explorer.hiro.so/txid/0x6d682afc91ea2c82b5706a88a720e8df7e33dab1c98f31b7cac8cb481be73668?chain=mainnet

20,500 STX from SP2T8R1SSNJ9YQNPG7T1HBB7VF5FXJJP0KVN3JNRT to SP3JED59RPM3QNRPC17KATCTNCC8PPHGG5C2RF22N
https://explorer.hiro.so/txid/0x3ab18ca02b854f291264a76b83471df6d0f2339b098ad7cdacefdb8119fbfc6a?chain=mainnet
20,499.50 STX from SP3JED59RPM3QNRPC17KATCTNCC8PPHGG5C2RF22N to SP22GF51PH2HRMWME1HJMDB54VFY5YMZXCMXKZ26V
(received by likely exchange, used this memo: sZSVJdpT5iFwXLT )
https://explorer.hiro.so/txid/0x971edb07e0e968d5cedefa94f2bd7b86c3800229dcc283e49843e055ead252f4?chain=mainnet

21000 STX from SP2T8R1SSNJ9YQNPG7T1HBB7VF5FXJJP0KVN3JNRT to SP9HWJAZTKXWNPM39N7P1FXVPMMJMCPCW5KM25B7
https://explorer.hiro.so/txid/0x4d3d8ef8ac7b0521c3791fb4a96a8595e21e6284313e01602ee2cf14266b8f79?chain=mainnet
20,999.50 STX from SP9HWJAZTKXWNPM39N7P1FXVPMMJMCPCW5KM25B7 to SP22GF51PH2HRMWME1HJMDB54VFY5YMZXCMXKZ26V
(received by likely exchange, used this memo: BdsndVXdWV74sAd )
https://explorer.hiro.so/txid/0xe5318def7bc3b2a2a3b5ce6426378153c37a609112a6f4277047ce147573f490?chain=mainnet

21,500 STX from SP2T8R1SSNJ9YQNPG7T1HBB7VF5FXJJP0KVN3JNRT to SP3Y8G53WQ7QHTAVY4809GKM8K5D5RQNZB258SJBW
https://explorer.hiro.so/txid/0xed81c83b4480ff56649d157f12a1e30e8576dc038ecd3a2aecafb2d0642ba1dd?chain=mainnet

21,200 STX from SP2T8R1SSNJ9YQNPG7T1HBB7VF5FXJJP0KVN3JNRT to SP2VFNF4KWECVEVBD910S1DDVTXTTFK6Y4VBKQ2NY
https://explorer.hiro.so/txid/0x05947d51f9690be02a973bb8aeb451eab4161f30a483e1445eec9dc098a980ef?chain=mainnet

26,511.639477 STX from SP2T8R1SSNJ9YQNPG7T1HBB7VF5FXJJP0KVN3JNRT to SPV8W17TNHHQPY3BRAG79TSEWWECV1D949ADKEEN
https://explorer.hiro.so/txid/0x38e0d34ea39131c6f4b27c7064fcf2d12871be3e4b3dd76a872c38ae4c177fc3?chain=mainnet

last checked 08.00h GMT / 10.00h CET / 04.00h EDT

Accounts with stolen funds related to this theft (likely owned by the thief):
SP2T8R1SSNJ9YQNPG7T1HBB7VF5FXJJP0KVN3JNRT
SP3ZDEKW41WWVS3MF50TN33PW99YN9XF6N63BRANK
SP3JED59RPM3QNRPC17KATCTNCC8PPHGG5C2RF22N
SP9HWJAZTKXWNPM39N7P1FXVPMMJMCPCW5KM25B7
SP3Y8G53WQ7QHTAVY4809GKM8K5D5RQNZB258SJBW
SP2VFNF4KWECVEVBD910S1DDVTXTTFK6Y4VBKQ2NY
SPV8W17TNHHQPY3BRAG79TSEWWECV1D949ADKEEN

Used Simpleswap.io bridge with these memos: CWf47qnFVud48mL, sZSVJdpT5iFwXLT, BdsndVXdWV74sAd
SP22GF51PH2HRMWME1HJMDB54VFY5YMZXCMXKZ26V

**** Update October 18th 2023 ****

SP2T8R1SSNJ9YQNPG7T1HBB7VF5FXJJP0KVN3JNRT
swapped xBTC to STX
https://explorer.hiro.so/txid/0xd0c9b8fa3bc31b138e89cc52f5894d86604be4d3d9d26f4cb26d58674dc10ec9?chain=mainnet
Then sent 9325 STX to simpleswap.io address: SP22GF51PH2HRMWME1HJMDB54VFY5YMZXCMXKZ26V with memo 57aZcFc1acTP27P
https://explorer.hiro.so/txid/0x03ff40e5b2e3e3f8a4f8eacddccac34eb5b1183b118760ceb444f7b556ab58ac?chain=mainnet

SP3ZDEKW41WWVS3MF50TN33PW99YN9XF6N63BRANK
swapped xBTC to STX
https://explorer.hiro.so/txid/0x6fdd33f3334d2c5269957865417d5aa99ef55a38486ea99858f6de6ff72105e9?chain=mainnet
9900 STX to simpleswap.io address SP22GF51PH2HRMWME1HJMDB54VFY5YMZXCMXKZ26V with memo bu8wjpBCyx68WRu
https://explorer.hiro.so/txid/0xaed3a982fe4e5399911a2d3ceb3a6e423012bb19bff3f841ebf0afbbd7389ef3?chain=mainnet

SP3Y8G53WQ7QHTAVY4809GKM8K5D5RQNZB258SJBW
21499.50 STX sent to simpleswap.io address SP22GF51PH2HRMWME1HJMDB54VFY5YMZXCMXKZ26V with memo HhUd5sLHoYBLQzU
https://explorer.hiro.so/txid/0xf01d7f02a0b9e845158dd67be890de5379b584f6f175e185d587f62c001b628f?chain=mainnet

SP2VFNF4KWECVEVBD910S1DDVTXTTFK6Y4VBKQ2NY
21199.50 STX sent to simpleswap.io address SP22GF51PH2HRMWME1HJMDB54VFY5YMZXCMXKZ26V with memo CusRSXfTssVJCQu
https://explorer.hiro.so/txid/0x5cd30fc57799d75e2895d7bea4814ca76c84e2411ef25d07ccda96d20d9796b7?chain=mainnet

SPV8W17TNHHQPY3BRAG79TSEWWECV1D949ADKEEN
26511 STX sent to simpleswap.io address SP22GF51PH2HRMWME1HJMDB54VFY5YMZXCMXKZ26V with memo ZTiQXpoRfbssKtC
https://explorer.hiro.so/txid/0x831c6b2e213a4bcd7806c56414b8ceb04306c99d4735d4e4bf583cb8cb7df70d?chain=mainnet

Simpleswap.io memos used: 57aZcFc1acTP27P, bu8wjpBCyx68WRu, HhUd5sLHoYBLQzU, CusRSXfTssVJCQu, ZTiQXpoRfbssKtC

@314159265359879
Contributor Author

314159265359879 commented Oct 29, 2023

A: SP2KW0M6MBSSAV1BFDKH56VFNZK73Z36C0N369K9M --> SPNP4WKB4WHDSEM72CX9RT4ZAXRA9DY35XR93Z3Q --> SP1SFPCMWKJ3MBBEQ6JKF3FKA17W65AHRG2NJG2A1 --> (likely the offramp to exchange: SP3AP6DRSQ6P4FETB5M33D082Q2ABGJW60MT6103Q)
B: wonstx scam
C: https://explorer.hiro.so/txid/0xa2efd1884e897c29ea4e0e170606e05cac93d18be613b94ce606647b3fdbade2?chain=mainnet

Like similar cases reported here earlier: #3931 (comment)

@314159265359879
Contributor Author

314159265359879 commented Oct 31, 2023

October 30th 2023

A. SPTKWPQKKNF2SKXZHX98SJ0PVP1AS2ZVXXE5BH06 and SP37FW4WK2CZ0E9ESMHYJ2XS6D5T2EY5Y4GTTHVDY
B.
C. first transaction by thief 9:36:26 PM 10/30/2023 (CET) https://explorer.hiro.so/txid/0x71c0d3a154f98e4e7a32224a33183c2392f56eb6807e1781484a765384b83cbf?chain=mainnet
And all transactions by thief up to 11:20:26 AM 10/31/2023 (CET) https://explorer.hiro.so/txid/0xb481fdf9a99cd3681783d3d5f8e21f41e40f2955f72331547805f83036da6336?chain=mainnet

From
SPTKWPQKKNF2SKXZHX98SJ0PVP1AS2ZVXXE5BH06 had about 53k STX yesterday
the address holds 337 STX now; it used this bridge contract yesterday:
https://explorer.hiro.so/txid/0x5c01d7551ee54d70de83588a24a8eea3b79fb7cb4b7915a243312abddea55608?chain=mainnet
https://explorer.hiro.so/txid/0x0060e0478fabe39f584e69abd184f4de637ec50beb5a0627cf7595a486f9e2d0?chain=mainnet

SP37FW4WK2CZ0E9ESMHYJ2XS6D5T2EY5Y4GTTHVDY had 1.6k STX yesterday
the address holds 26 STX now; it used this bridge contract yesterday:
https://explorer.hiro.so/txid/0xf4c28e7738d284d40da14eaf6752f9f187dce9676668b4805748566b5821dbcf?chain=mainnet

@314159265359879
Contributor Author

314159265359879 commented Jan 29, 2024

A. SP3CF28QZ3EQ9T8SD7MTBXAGK4MZXQB672NDRR0XB
B. input Secret key via a phishing website
C. https://explorer.hiro.so/txid/0x96712af57853365e5e85c3422d26a32dd41f809ac0a22110e0f89600fcaeb09e?chain=mainnet

@314159265359879
Contributor Author

A. Stacks Address(es) (of hacker/scammer),
SPSXHDCRH4XKW5PYQY29RW5VYD5V40MCN1PQFWYC

B. Very short description of hack/scam (max three words),
Compromised Secret Key, how is not yet determined

C. Involved transaction(s) id or explorer links.
https://explorer.hiro.so/txid/0x1d2e2bc52373a3e4c4d3f63218246b3847e143e168fb471c007047184c3c6e8f?chain=mainnet
https://explorer.hiro.so/txid/0x3d41ee56ef61a78f7f5b7fe515f66cc674d5514355f59014be1c34590175bf88?chain=mainnet
https://explorer.hiro.so/txid/0x27eb4e8d139d286f8ebbe8ee407b3cf28224d9b26a7e896aeb760333318cb892?chain=mainnet

The scammer used this bridge transaction
https://explorer.hiro.so/txid/0x703fff7423a9218a9182cea47d4adf8bb6e0c23d6a60e510c6dd5e70c7359760?chain=mainnet

@314159265359879
Contributor Author

314159265359879 commented Mar 5, 2024

A. Stacks address of the scammer/hacker
SP1MECCFNV7BM2DRSSPE1G408EMTWGPNCZ4NN6RXH

B. Short description
Used fake Leather/Hiro wallet app on App store to phish user's Secret Key

C.
https://explorer.hiro.so/txid/0x788fa7eb83a6ec993d7aafb1fc4a14821169ce61f2cc548b602edf6bd626fbc8?chain=mainnet

@DevCodeSniper

A. SP229ZRR5W3FGCNBHCW71QA30XJ4K7D6J6MRXD6SC
To: Exchange - SPX8T06E8FJQ33CX8YVR9CC6D9DSTF6JE0Y8R7DS
Memo: 2081669650
B. Fake iOS app (Used fake Leather wallet app on App store)
C. https://explorer.hiro.so/address/SP229ZRR5W3FGCNBHCW71QA30XJ4K7D6J6MRXD6SC?chain=mainnet

@314159265359879
Contributor Author

A. SP2MGA2YR7FHXR6YDXN1KJM74RYWNBFYZGQ8JV9WK and --> SP8EN907FP4WKMM27B5EPG2HFMHV3BT14FPD8HZA (and many others)
To: Exchange - SPX8T06E8FJQ33CX8YVR9CC6D9DSTF6JE0Y8R7DS (Kucoin)
Memo: 2081843542, 2081843542 2081843542 2081860014
B. Fake iOS app (Used fake Leather wallet app on App store)
C. Theft transaction from user who reported this:
https://explorer.hiro.so/txid/0x682dd9d885e3a8f110fbca41147257bae9261109b6325b55d1e8eb5051a68025?chain=mainnet
Subsequent transaction
https://explorer.hiro.so/txid/0x136db2131441327560f31ac9d8e1ec2fd4b415c24ff8b6f19f624f08f50822c9?chain=mainnet
from which it was sent to exchange (transactions listed above with memos)

@DeeList

DeeList commented Apr 18, 2024

April 16, 2024

A. Scammers Addresses: SP25MMGERHCRRBBQ0GHHFK1JVAHX7RSQMVJ9Q3BS6 and ---> bc1pzy5gz33a2cf8jmeaex829zuu3dx5xnhpupzm0wua7wzn6gtukhxs5crr5e

B. Unauthorized transfer/Compromised Secret Key.

C. Involved Transactions: Stacks tx: https://explorer.hiro.so/txid/0x4bce34568d6dd3fd40ba32666e22f790a98616c106d2b2a3cda0d8a5eb770955?chain=mainnet
BTC tx: https://mempool.space/tx/091b843f9ab02074e2d7749771ca4c5a49dcf63dd7aa28fa6bc22862c60e1dfe

@314159265359879
Contributor Author

314159265359879 commented Jul 2, 2024

July 1st 2024

A. Scammer addresses SP2AKYDTTKYD3F3NH57ZHNTJD0Z1QSJMG6NYT5KJG ---> SP36WZV3YE1YHYSTBR8BJGMF8VTSN3J9F8XPS3E6N

B. scam token lured user to scam dapp to use function call "claim" that is created with post-conditions in "allow mode".

C. Related "claim" transaction that drained the wallet:
https://explorer.hiro.so/txid/0x3826c9ce79607ccf9a45d134bad31ec4fcc8119c7f3d3bda15e3d6ffa54869ec?utm_source=leather-wallet&chain=mainnet
Thief transferred funds subsequently:
https://explorer.hiro.so/txid/0x6538cf8db95de80131153ea17bc57caa818729b697e35e8f4f2805a1b56d4613?chain=mainnet
