In a tweet sent out on Monday morning, the team behind the MistTrack crypto compliance platform revealed that scammers had stolen millions of dollars in crypto by pretending to represent HitBTC. MistTrack is owned by SlowMist, a company that focuses on cybersecurity for crypto.

Researchers claim that someone set up hitbt2c.lol to mimic the authentic website for HitBTC (hitbtc.com) and lure crypto traders into connecting their wallets or depositing crypto in the belief that they were using the real exchange. Instead of depositing money on a legitimate exchange, users would deposit funds to the scammers’ addresses.

MistTrack found four blockchain addresses used by scammers to steal money from unsuspecting users. The researchers estimate that these wallets have accumulated more than $15 million in crypto during their lifetime. SlowMist reports that there are similar phishing sites active right now, including fake copies of the sites of the Coinone exchange and hardware wallet maker Ledger.

A member of MistTrack’s team told CoinDesk in a direct message on Twitter that “one of the victims asked for our help. The earliest activity that we noticed from this address could have been as early as June 2022. There’s one active address, and we think that is the main scammer’s address,” they said.

CoinDesk examined where the money was going.

DeFi, CEX, and the mysterious OTC

MistTrack flagged four addresses: one on the Bitcoin blockchain, two on Ethereum and one on Tron.

3BvQyAZwBXxk7rEStd6burfQgQ5AD2FFsq (BTC), TCV1cN2iRG1F1NHwr3GnujhNkEbBoXdZs8 (USDT on Tron), 0xB59299A0F15a282Bfc671BC0c2231184292C01b1 (ETH) and 0xdc961cF2F71dd0ab4f83eA294dBfEF1970ae15c6 (ETH).

Since July 2022, the Bitcoin address has received more than 52 BTC. The majority of these funds were sent to an OTC trading service that allows users to trade crypto outside of major exchanges.

It is possible that victims of other scams have flagged the address of this supposed OTC service multiple times, indicating that the fake HitBTC scam may be just the latest in a series of scams perpetrated by a serial scammer, or that scammers use the same service for cashing out their stolen crypto.

According to the Bitcoin Abuse Database, the wallet received money through phishing scams similar to the one against HitBTC as well as “pig butchering” scams, in which scammers engage in an online romance with the victim before enticing them to “invest in” a lucrative cryptocurrency project (which doesn’t exist). Some users speculated that it could be a cybercriminal’s OTC broker.

The wallet sends large batches of bitcoin to an address on the official proof-of-reserves list (https://wbtc.network/dashboard/audit) for wBTC, meaning it belongs to one of the authorized wBTC custodians.

According to Etherscan, the Ethereum address that MistTrack tweeted, active since June 2022, received SHIB tokens worth $247 and sent them to OKX in September.

Over the last year and a half, this wallet has received more than 11.5 million USDT in different stablecoins, including 8.3 million USDT and 2.4 million USDC, as well as 833,000 DAI. This address also received more than 47.87 wrapped BTC.

This address often interacts with the Tokenlon DEX, swapping wrapped ether (WETH) for USDT. The address also sent USDT several times to addresses that belong to the centralized exchange OKX. One of the OKX addresses in question regularly received money from another wallet that was previously labeled as a phishing scheme on Etherscan. This wallet hasn’t had any activity since December 2022.

MistTrack has also attributed two other wallets to the scam. A Tron-based Tether address received only 242 USDT in September last year, and another Ethereum address is empty and never received funds.

Data suggests that the owner(s) of the wallets flagged as fraudulent by MistTrack may have run multiple scams, including phishing, and used decentralized finance (DeFi) tools, swapping cryptocurrencies for one another, to hide their tracks. They also use centralized methods to cash out their crypto, such as a centralized broker and exchange.

CoinDesk has yet to receive a comment from OKX.

According to CoinGecko and CoinMarketCap, HitBTC has recently reported a daily trading volume of around $400 million. MistTrack has yet to receive a response from the exchange. As of this writing, there was no mention of the phishing attack on the exchange’s official website or Telegram channel. CoinDesk has not received a response from the exchange.