Editor's Note: This article analyzes how hacker Serpent controlled 9 accounts on X and Instagram, including McDonald's, Kabosu, etc., launched a MEME coin scam, and stole about $3.5 million, which was used for casino gambling. Serpent was previously a professional Fortnite player, but was fired for cheating. In 2022, the NFT project DAPE he co-founded experienced a Rug Pull, and the ERROR project he launched in 2024 also encountered a Rug Pull, leading to his eventual ban from X.
The original content is as follows (edited for readability):
Over the past few months, I have been tracking a series of related leak incidents involving the accounts of McDonald's, Usher, Kabosu's owner, Andy Ayrey, Wiz Khalifa, SPX 6900, etc., which resulted in the theft of about $3.5 million through the release of Pump Fun MEME coins.
On August 21, 2024, McDonald's Instagram account was hacked and a post promoting the bundled MEME coin GRIMACE was published, after which the hacker began to cause trouble. From this pump and dump, over $690,000 was transferred to two wallets.
On September 3, 2024, the McDonald's attacker transferred 101.5 SOL to two addresses, which were then used to deploy and target SCHRADER after the X account of actor Dean Norris was hacked.
On September 6, 2024, the funds obtained from the McDonald's ATO (account takeover) were transferred to a casino deposit address.
On September 12, 2024, B2fw transferred 110 SOL to two addresses that were involved in the MEME coin pump related to the Usher account compromise.
Subsequently, B2fw transferred 4,868 SOL to the casino deposit address ECb5v, which was also directly linked to other ATO (account takeover) incidents, including the compromises of Andy Ayrey and the Enoshima Aquarium.
On October 15, 2024, the X account of Enoshima Aquarium was hacked and used to promote a MEME coin bundle.
On the same day, 84 SOL obtained from this scam were transferred to ECb5v.
On October 29, 2024, the X account of Andy Ayrey (founder of Truth Terminal) was hacked for several days and used to promote 6 MEME coin scams.
3GVUs was one of the addresses involved in the token buying frenzy.
Of the $2.178 million obtained from the Andy Ayrey ATO, $750,000 was deposited into the casino deposit address Apc3e.
On October 17, 2024, the Instagram account of Kabosu's owner was hacked and used to promote a MEME coin scam.
On the same day, 191 SOL from this scam were transferred to the casino deposit address:
The ATO (account takeover) incidents of Kabosu and Andy Ayrey are directly related to the ATO incident of Wiz Khalifa.
On November 3, 2023, the attacker posted a wallet address on Wiz Khalifa's account. 29 SOL were transferred to 6kwZ7, just as in the Kabosu ATO incident.
The deployment funds for WIZ came from the Andy Ayrey ATO. Other addresses involved in the buying frenzy transferred all their instant exchange gains to the casino deposit address 0x83ee.
On October 16, 2024, 0x83ee received 0.54 ETH from the deployer of this scam, while SPX 6900 was hacked on October 11, 2024.
On Solana, another scam promoted by the hacked SPX 6900 account was funded by the Ken Carson attacker.
To further prove the connection between the Kabosu owner, SPX 6900, Ken Carson, and Enoshima ATO, the deployer of each MEME coin provided funds to the previous deployer's address through instant exchange, in an attempt to obscure the source of the funds.
The investigation points to Serpent as the perpetrator, who transitioned from a professional Fortnite player to helping steal $3.5 million through MEME coin scams launched from 9+ accounts on X and IG, and used the proceeds for online casino gambling.
Serpent (SerpentAU) is a former professional Fortnite player from Australia who was released by the esports organization "Overtime" in June 2020 after being caught cheating. He then co-founded the NFT project DAPE in March 2022, which later experienced a Rug Pull.
In March 2024, Serpent launched another project called ERROR, but it was also rug pulled, leading to his ban from the X platform.
Deployer address:
On October 23, 2024, the ERROR deployer transferred a total of 29 ETH to two instant exchange platforms.
Through time analysis, it can be seen that these funds were received on Solana and transferred to the same casino deposit address.
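The timing analysis mentioned above can be sketched as follows. This is an added example, not code from the original investigation; the transfer records, USD values, 30-minute window and 3% fee tolerance are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Transfer:
    txid: str       # constructed label, not a real transaction id
    chain: str
    when: datetime
    usd: float      # value at transfer time, priced by the analyst

def match_swaps(deposits, payouts, max_delay=timedelta(minutes=30), max_fee=0.03):
    """Map each exchange deposit to the single cross-chain payout that fits the
    time window and fee-adjusted value, or to None when zero or several fit."""
    result, used = {}, set()
    for dep in sorted(deposits, key=lambda t: t.when):
        fits = [p for p in payouts
                if p.txid not in used
                and p.chain != dep.chain
                and timedelta(0) <= p.when - dep.when <= max_delay
                and dep.usd * (1 - max_fee) <= p.usd <= dep.usd]
        if len(fits) == 1:
            used.add(fits[0].txid)
            result[dep.txid] = fits[0].txid
        else:
            result[dep.txid] = None  # ambiguous or unmatched: do not attribute
    return result

def _t(hour, minute):
    return datetime(2024, 1, 1, hour, minute)  # constructed timestamps

# Constructed sample data: deposits into an instant exchange on one chain,
# and transfers observed leaving the exchange on another chain.
DEPOSITS = [Transfer("eth-dep-1", "ethereum", _t(12, 0), 40000.0),
            Transfer("eth-dep-2", "ethereum", _t(12, 20), 35000.0),
            Transfer("eth-dep-3", "ethereum", _t(15, 0), 10000.0)]
PAYOUTS = [Transfer("sol-pay-a", "solana", _t(12, 6), 39500.0),
           Transfer("sol-pay-b", "solana", _t(12, 27), 34600.0),
           Transfer("sol-pay-c", "solana", _t(15, 4), 9900.0),   # two payouts fit
           Transfer("sol-pay-d", "solana", _t(15, 9), 9850.0),   # eth-dep-3 equally
           Transfer("sol-pay-e", "solana", _t(13, 30), 39900.0)]  # outside window

if __name__ == "__main__":
    for dep, pay in match_swaps(DEPOSITS, PAYOUTS).items():
        print(dep, "->", pay)
```

A deposit with more than one fitting payout is left unattributed rather than guessed, since a timing match is only as strong as it is unique.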
Multiple ATOs (account takeovers) directly connected to the deposit address Ecb5vs include: McDonald's, Usher, Andy Ayrey, Dean Norris, and Enoshima Aquarium. (Please refer to the beginning of the article for detailed tracking content)
Serpent gambles millions of dollars monthly on Roobet, Stake, BC Game, and Shuffle, and often shares his screen with friends on Discord.
I obtained the recording of his gambling, which accidentally leaked multiple deposit and withdrawal addresses.
Discord ID: 1269557350486904945
In the screen sharing on November 1, 2024, Serpent shared a $100K deposit and a $200K withdrawal, transferred to the following addresses.
When drawing the transaction graph, it was found that the addresses were highly exposed to those related to McDonald's, Andy Ayrey, and Usher ATO.
In the Andy Ayrey account compromise, another threat actor, using the alias "Dex" (from Massachusetts, USA), participated in the robbery of these fraud projects.
After being mentioned in my Telegram channel last week, he started to panic and fabricated a story about being extorted, claiming he lost $700K.
Currently, the funds related to these account compromises are stored at the following addresses: