Decrypting MuskSwap: A web of Scams and Tracking Funds Through Tornado Cash
4/8/2024

Introduction

Back in early 2022, CertiK confirmed that a project named MuskSwap was an exit scam resulting in millions in losses. We then monitored the malicious wallets and observed the transfer of approximately $3.5 million into Tornado Cash over a period of 4 months. CertiK’s investigators were able to link the scammers behind MuskSwap to other scam projects from the same time period. In total, the threat actors behind MuskSwap stole $5.1 million, all of which was deposited into Tornado Cash. CertiK’s diligent investigators have discovered over 200 wallets that withdrew MuskSwap-related funds from Tornado Cash, and traced the funds to Binance, to whom we have reported them. In this blog, we detail the investigation into MuskSwap and associated scams.

MuskSwap’s April 2022 transfer of $3.5 million to Tornado Cash marked the culmination of a long-running exit scam. Our analysis has revealed connections to several other projects performing the same scam, leading to a total of over $5.1 million routed through Tornado Cash. Due to operational security mistakes by the scammer, we have identified the corresponding withdrawals.

MuskSwap Exit Scam

MuskSwap’s website described the mission thusly:

“$MUSK & MuskSwap was born to show admiration to elon musk's super projects like solarcity, tesla, space x and his constant influence on the world finance & the crypto market.”

The project advertised itself as a decentralised exchange with BEP-20 token swapping, using $MUSK as its native token. The project launched an Initial DEX Offering (IDO) in July 2021 in which investors would receive airdropped tokens that were locked and unable to be sold until January 1, 2022. There were also opportunities to earn MUSK tokens either by referring other users or by completing certain tasks, again with the caveat that the rewards would not unlock until January 1, 2022.

$MUSK started trading on PancakeSwap on July 23, 2021 and saw an increase of ~2300% to its all-time high on October 31, 2021. On Christmas Day, December 2021, the $MUSK token dropped 96% to below its IDO price. The project’s Telegram admins paused the chat shortly after.

In a now deleted post, MuskSwap blamed liquidity issues for the price drop before announcing a new plan on New Year’s Eve, 2021, a day before tokens were due to be unlocked. The announcement stated there would be a new sale round through January 2022 and a new token unlock date of March 1, 2022.

On February 15 the project’s Telegram chat was resumed, but the unlock date had been delayed again – this time until March 25, 2022 – and came with the condition that 15% of tokens would unlock on that date and 15% monthly thereafter. By March 11, activity in the project’s Telegram had been paused for a second time and would remain paused. The token continued to trade until a second drop of 95% on April 5, 2022, at which point the project’s website was removed and the project could be confirmed as an exit scam.

Associated Exit Scams

CertiK assesses that the scammer behind the MuskSwap exit scam was also behind at least five other scam tokens.

  • RocketDoge: 0x2270528dd9c3aa19906c501aDb279bF88292fA1f A meme coin that was created in August 2021.

  • InfinityGame: 0xbe3D73659bfB5084344dfdDCBcd22fdA7989c3dD A few weeks after RocketDoge, the InfinityGame IDO was launched in September 2021, promising swapping, farming, staking, and earning the project’s $IFG token with GameFi applications.

  • SpaceX: 0x6657c7ef476927D410E625aEda9A118D2Cc488B2 SpaceX was created in October 2021 as an addition to the MUSK token. The token dropped ~86% on January 1, 2022, with a further slippage on April 5, 2022.

  • MUFC: 0xE44946b6A075b2C99fDe1dD0c4dA4a3436211f8C Manchester United Fan Token was created in December 2021 and raised approximately $1.3 million before funds were removed from the MUFCSellTokenProxy contract.

  • Elona Musk: 0x1301f4ADb0139667A2be7A267a4C5F0D14F4491E Created in March 2022, Elona Musk is linked to the InfinityGame deployer.

All the tokens followed the same pattern: they launched an IDO using a SellTokenProxy contract containing privileged functions that allowed IDOAdmin to withdraw funds. We can see this below in the withdrawBNB function.

[Image: the withdrawBNB function in the SellTokenProxy contract]

Using the MUFCSellTokenProxy as an example, the stolen BNB was transferred to 0xB7A65eaa3947E33F858515f09709553109fdE751 and the stablecoins transferred to 0x257b9cb838ea20bfffb04cf57a912e7f3581d368. The stablecoins were swapped for BNB, and alongside the funds in 0xB7A65 the BNB was distributed to multiple wallets which gradually deposited into Tornado Cash.

The image below is a simplified diagram of on-chain activity highlighting connections between MuskSwap and other tokens and the siphoning of funds to Tornado Cash. In reality there are many more wallets involved.

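[Image: simplified diagram of on-chain activity connecting MuskSwap, the other tokens and Tornado Cash]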

Doing the Laundry

In each of the exit scams the withdrawBNB function was used to siphon BNB out of the token sell contracts:

  • MUFCSellTokenProxy 0xe5B91F158b5689C0De62C8d4f13a0b57FD95f6d6
  • RocketDogeTokenProxy 0x4E20Cc0F3A24edC258e3a519867D773bADbcE87c
  • SellTokenProxy 0xd48c850246cA27Ff144B587B4E251eAA197338fF (linked to Infinity Game)
  • SpaceXSellTokenProxy 0x5eEB4f279873568837ADA43C6536734cF3c1c294
  • SellToken 0x0c7eA4321FB0421258b48d0CCc504A40a388522e (linked to MUSK)
  • CZSellToken 0xC48f307F8110d5E3D9892F36445569B70bf61ADc

After withdrawing BNB/BUSD from the contracts the funds were then distributed to multiple wallets. Below is an example of the MuskSwap deployer distributing BUSD. The MuskSwap deployer wallet alone has outflows of ~$4.3m.

[Image: the MuskSwap deployer distributing BUSD to multiple wallets]

Then:

  • 0x3d33 deposited funds in Binance
  • 0x9f4a used funds to buy MuskSwap token
  • 0x64bb split 3,017 BNB (~$1.2m) into batches of 100 BNB and sent it to Tornado Cash
  • 0x152c split 5,696 BNB (~$2.3m) into batches of 100 BNB and sent it to Tornado Cash

Similarly for MUFC token:

  • 0xb7a6 split 2,798 BNB (~$1.1m) into batches of 100 BNB which were then sent to Tornado Cash
  • 0x257b swapped $311k BUSD and $191k USDT for BNB, split into 100 BNB batches and sent to Tornado Cash

Post-Tornado Cash Movements

We have been able to identify many of the withdrawing wallets from the exit scams. Our analysts have concluded that the funds from the MuskSwap exit scam have been sent to a centralized exchange deposit wallet, whereas the MUFC funds are still in the process of being laundered and currently sit in multiple Ethereum wallets.

CertiK has identified over 200 Tornado Cash withdrawal wallets that are highly likely to be associated with the MuskSwap deployer. The funds are transferred to the same number of intermediary wallets before being transferred to at least 13 consolidation wallets. At this point, the BNB that has been laundered through Tornado Cash is swapped for USDT and consolidated into a further two wallets.

Tornado Cash holds funds for multiple users until they withdraw them. While it is possible that users not connected to MuskSwap were withdrawing funds from Tornado Cash at the same time as MuskSwap deposited them, there are over 200 examples of wallets that received funds from Tornado Cash in quick succession after deposits were made from MuskSwap-linked wallets.

A key element of staying private whilst using Tornado is a time delay between deposit and withdrawal – which the MuskSwap deployer ignored. For example, on July 27, 0xce7, which received funds originating from MuskSwap, made a number of deposits including 10 between 11:43 and 11:48.

Below is a small example of how we were able to marry deposits with withdrawals using timing analysis:

| Deposit Time       | Deposit Txn | Withdrawal Time    | Withdrawal Txn |
|--------------------|-------------|--------------------|----------------|
| 2023-07-04 5:37:52 | Deposit     | 2023-07-04 5:40:16 | Withdrawal     |
| 2023-07-04 5:48:46 | Deposit     | 2023-07-04 5:50:57 | Withdrawal     |
| 2023-07-04 6:12:11 | Deposit     | 2023-07-04 6:14:53 | Withdrawal     |
| 2023-07-04 8:12:03 | Deposit     | 2023-07-04 8:13:42 | Withdrawal     |
| 2023-07-04 8:24:57 | Deposit     | 2023-07-04 8:27:00 | Withdrawal     |
| 2023-07-04 8:28:54 | Deposit     | 2023-07-04 8:31:03 | Withdrawal     |
| 2023-07-04 9:01:33 | Deposit     | 2023-07-04 9:05:00 | Withdrawal     |
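
The timing match described above can be reproduced in a few lines of Python. This is an added example, not CertiK's tooling: the deposit and withdrawal timestamps are taken from the table, while the 5-minute window, the `NOISE` withdrawals and the function name are assumptions made for illustration, and all events are assumed to belong to the same fixed-denomination pool.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
# Timestamps copied from the table above (same fixed-denomination pool assumed).
DEPOSITS = ["2023-07-04 5:37:52", "2023-07-04 5:48:46", "2023-07-04 6:12:11",
            "2023-07-04 8:12:03", "2023-07-04 8:24:57", "2023-07-04 8:28:54",
            "2023-07-04 9:01:33"]
WITHDRAWALS = ["2023-07-04 5:40:16", "2023-07-04 5:50:57", "2023-07-04 6:14:53",
               "2023-07-04 8:13:42", "2023-07-04 8:27:00", "2023-07-04 8:31:03",
               "2023-07-04 9:05:00"]
# Constructed noise: withdrawals by unrelated pool users, not from the article.
NOISE = ["2023-07-04 7:02:30", "2023-07-04 10:45:10"]


def match_by_timing(deposits, withdrawals, window=timedelta(minutes=5)):
    """Pair each withdrawal with the latest unused deposit made at most
    `window` before it. Returns (pairs, unmatched_withdrawals); each pair is
    (deposit, withdrawal, delay_seconds, n_candidates). n_candidates > 1 means
    several deposits could explain the withdrawal, so the link is weaker."""
    deps = sorted(datetime.strptime(d, FMT) for d in deposits)
    used = [False] * len(deps)
    pairs, unmatched = [], []
    for w in sorted(datetime.strptime(x, FMT) for x in withdrawals):
        cands = [i for i, d in enumerate(deps)
                 if not used[i] and timedelta(0) < w - d <= window]
        if not cands:
            unmatched.append(w)  # no recent deposit: likely another pool user
            continue
        best = cands[-1]  # deps is sorted, so the last candidate is the closest
        used[best] = True
        delay = int((w - deps[best]).total_seconds())
        pairs.append((deps[best], w, delay, len(cands)))
    return pairs, unmatched


if __name__ == "__main__":
    pairs, unmatched = match_by_timing(DEPOSITS, WITHDRAWALS + NOISE)
    for d, w, delay, n in pairs:
        flag = "" if n == 1 else f"  (ambiguous: {n} candidate deposits)"
        print(f"{d:%H:%M:%S} -> {w:%H:%M:%S}  delay {delay:>3}s{flag}")
    print("unmatched withdrawals:", [f"{w:%H:%M:%S}" for w in unmatched])
```

Every withdrawal in the table lands within minutes of exactly one deposit, which is why the pairing is unambiguous; a depositor who waits while other users transact pushes `n_candidates` up and weakens each link.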

The final destination for these funds is Binance deposit address 0x8A9C14444A494b773432576f7Cf3C841B54aFB22, which we have reported.

Conclusion

MuskSwap was a well-established project with millions in daily trading volume and more than 200,000 holders. Rather than exit scamming at its peak, the project was used as a springboard to develop other exit scams prior to its own exit scam. All the exit scams investigated used the same technique: an IDO to raise funds which the owner could remove from the contracts at will. They also used the same laundering method through Tornado Cash, making withdrawals immediately after depositing, which effectively negated the privacy features of the platform. A key difference after the withdrawals is that the funds from MUFC were bridged to wallets on Ethereum which still hold the funds. Funds from MuskSwap were aggregated into three main wallets which deposited over $3.2m in funds to a high-profile centralized exchange, to whom we have reported the addresses in question.

Through our analysis we have recorded over 200 wallets that were used in the exit scams, all of which are fed into SkyInsights, our crypto compliance and risk management platform. Below is the risk analysis of a wallet involved in the MuskSwap exit scam.

[Image: risk analysis of a wallet involved in the MuskSwap exit scam]