ZachXBT Latest Survey: How Did 'Fortnite' Esports Pros Use a Meme Scam to Steal $3 Million?

Original Author: zachxbt, On-chain Detective
Original Translator: zhouzhou, BlockBeats

Editor's Note: This article analyzes how the hacker Serpent took control of accounts belonging to McDonald's, Kabosu, and others on X and Instagram, initiated a Meme Coin scam, stole approximately $3.5 million, and used it for casino gambling. Serpent was a professional player of "Fortnite" who was dropped due to cheating. In 2022, a rug pull occurred in the NFT project DAPE, co-founded by him. In 2024, the ERROR project he launched also faced a rug pull and was ultimately banned by X.

The following is the original content (slightly reorganized for better readability):

Over the past few months, I have been tracking a series of related data breaches involving McDonald's, Usher, Kabosu's owner, Andy Ayrey, Wiz Khalifa, SPX 6900, etc., which resulted in approximately $3.5 million in theft through the release of Pump Funmeme Coin.

On August 21, 2024, McDonald's Instagram account was hacked, and a promotional post for the meme coin GRIMACE was published, after which the hacker began to engage in mischief. Over $690,000 was transferred to two wallets from this pump and dump event.

4RiNhTwBxYWgb4MSCtt9vXgVk2yuPhoQR3DR9pMVPU1W

2vjnmxwTYNJvTmFhtqxZkPiuCHkaKZK5rcxTLuoC2dPB

On September 3, 2024, the McDonald's attacker moved 101.5 SOL to two addresses, and after actor Dean Norris's X account was compromised by the hacker, these two addresses were deployed to and targeted SCHRADER.

4s9Uz9pTBXcEaEtcjs8eg98r2TVte3rq3JUm3rVTFMudfewGbNKmqNyYs9bSAMDUaTbTcuA1v39sWr7GRqkDJ6EM

1gxo1pjTqjbee7rHW4cGvuNffX1qP4F8fP17g6SSC5EYbQrnktDrKSFB1uh4ju7PxQjprWFin37WUsAe225b9c6

On September 6, 2024, funds from a McDonald's APT (Account Takeover) were transferred to a casino deposit address.

CuNzegC9DE4CxCMn31ZcYLvtDaYsLD9RX8eRvmtZQrnB

Through timeline analysis, subsequent withdrawals shortly after the deposit can be identified.

B2fwZt5nTbdrnJ2CPsgrYMPuB4UnhN82EAM34dXDARLh

On September 12, 2024, B2fw transferred 110 SOL to two addresses involved in a meme coin presale promoted during the Usher leak event.

4FUrwoHz1fuUf4eR6YEAYSG9d9rN5fzbowMXtbjwJAhTDtHXjpnTb1sz6aeF6T79JaiMFyT2xX2EuTxqT5UhFfKD

427zpHF1WWgYgKxcSiUzwXLg2UqsF6xq7K13PU3mh6Wr99mipiVA6GcDTwi7EY93RJeRuEUDZAK9BnoMeki7sU6C

Subsequently, B2fw transferred 4868 SOL to the casino deposit address ECb5v, which is directly linked to other APT events, including the Andy Ayrey and Enoshima Aquarium leaks.

Ecb5vsomUG3MEnLCgiFvkdnnqpggTEXtN17z62iDPuU3

On October 15, 2024, Enoshima Aquarium's X account was breached, promoting a bundled meme coin. On the same day, 84 SOL obtained from this scam was transferred to ECb5v.

5PDjh74JTLMPW4dXr6fKm3Yue2j3vhbxLSK5dPbQ3oEGK4axE7fua1ngBMas4xpRY6dBr92Ccps7b1WwcLdnxXWL

On October 29, 2024, Andy Ayrey (Founder of Truth Terminal) had his X account compromised, which lasted for several days and promoted 6 meme coin scams. 3GVUs was one of the addresses involved in buying the tokens.

3GVUs2gNr161ohqnVXjUeoNQmf3cELxKSiPrxyQu6pjd

On October 30, 2024, 3GVUs transferred 169 SOL to Ecb5vs.

67nwsLLE3aGua4VeH8p6qHc3SL3rpxi9omMxRnfpeyZVsBpZawnUHo4Pt4tdT5Vxny2uRNRDH3vSZ1fzvKkNCML4

Out of the $2.178 million obtained from Andy Ayrey's ATO, $750,000 was deposited into a casino deposit address Apc3e.

Apc3eA9ScQksuZvfURQswZwVkusEYRaqeKEv4eXXbRZm

0.1 SOL from the Kabosu ATO funded an address that participated in the Andy Ayrey ATO.

On October 17, 2024, the owner of Kabosu's Instagram account was hacked and promoted a meme coin scam.

That day, 191 SOL from the scam was transferred to a casino deposit address:

6kwZ7tz8Xs7jaVqVJXZSRrZ2FtS2PPChEVuLXKrmMgCm

The APT (Account Takeover) events of Kabosu and Andy Ayrey are directly related to Wiz Khalifa's APT event.

On November 3, 2023, an attacker posted a wallet address on Wiz Khalifa's account. 29 SOL was transferred to 6kwZ7, similar to what happened in the Kabosu ATO.

NFCs23ddXQc9Zff2VJotEn2zaSAh4tvw6U6kb7fdXovZ8YPQgJMGQkXmtWiTutqnoBf6wR2khaKvFpyEKNhHfjJ

WIZ's deployer funds came from Andy Ayrey's ATO. Other addresses involved in the exploit redirected all gains obtained through instant swaps to a casino deposit address 0x83ee.

0x83ee6b53a0ae76b71bed0c32721a451776dbdb3a

On October 16, 2024, 0x83ee received 0.54 ETH from the scam's deployer, while SPX 6900 was compromised on October 11, 2024.

On Solana, another scam promoted by the compromised SPX 6900 account received backing from the Ken Carson attacker.

To further demonstrate the relationship between Kabosu's owner, SPX 6900, Ken Carson, and Enoshima ATO, each meme coin's deployer provided funds to the previous deployer's address through instant swap funds, attempting to obscure the origin of the funds.

Investigate how threat actor Serpent transitioned from a professional Fortnite player to aiding in a memecoin scam initiated through leaks from 9+ accounts on X and IG to steal $3.5M and use the proceeds for online casino gambling.

Serpent (SerpentAU) is a former professional Fortnite player from Australia, who was released by the esports organization "Overtime" in June 2020 after being found cheating. He then co-founded the NFT project DAPE in March 2022, which later rug-pulled.

In March 2024, Serpent launched another project called ERROR, but the project rug-pulled, leading to his ban from platform X.

Deployer Address:

0x8233873ee35547097ccb9098adbab955d7120ee8

On October 23, 2024, the ERROR deployer moved a total of 29 ETH to two instant exchanges.

Through time analysis, it was observed that these funds were received on Solana and transferred to the same gambling deposit address.

Ecb5vsomUG3MEnLCgiFvkdnnqpggTEXtN17z62iDPuU3

Multiple ATO (Aggressive Transaction Outcomes) directly linked to the deposit address Ecb5vs include: McDonald's, Usher, Andy Ayrey, Dean Norris, and Enoshima Aquarium. (For detailed tracking, please refer to the beginning of the document.)

Serpent gambles monthly on Roobet, Stake, BC Game, and Shuffle with stakes of millions of dollars, often screen sharing with friends on Discord.

I obtained recordings of his gambling sessions, where he inadvertently disclosed multiple deposit and withdrawal addresses.

Discord ID: 1269557350486904945

During a screen sharing session on November 1, 2024, Serpent shared a $100K deposit and $200K withdrawal, transferred to the following address.

When plotting the transaction graph, it was discovered that this address had high exposure to addresses associated with McDonald's, Andy Ayrey, and Usher ATO.

0xb8c9c8a5756a7992df65f949b7c1423eeb435aa5

During Andy Ayrey's security breach incident, another threat actor participated in hijacking these fraudulent projects, using the alias "Dex" (from Massachusetts, USA).

After I mentioned him in my Telegram channel last week, he started to panic and fabricated a story about being extorted, claiming to have lost $700K.

The funds currently related to these security breaches are stored in the following addresses:

0xeb60a5242c1c97eb54195ec83de43bb26813c0d1

0x2355ac2929bb7051814de3c48670fccbb515d8be

4jjWZ8RaXZBqntnhu2JFidXEQWXgfKRbJQZdTHrdaqbv

Today, following the release of the first part of my investigation, Serpent started deleting all his posts on the new X account. I suspect there are still some ATO (Attack Transaction Activity) incidents related to this that I have not been able to directly trace on-chain. Regarding one of the breached accounts, I have shared a detailed investigation report with one of the victims I am collaborating with.

「Original Article Link」