In this article I will show:
Let's get started!
In order to operate the tokens, you need some amount of cryptocurrency to pay transaction fees. In our case it is the Ethereum blockchain, which means you need some ETH to send tokens or sell them.
Let's try to find out where the ETH that the hacker's address 0x8648... needed to pay transaction fees came from.
This line of enquiry is called a source search.
Open Etherscan, enter the address, and look at its first transactions. They are at the very bottom of the page.
And here are the ones we need: 1, 2. In the transaction table, the sender of the funds is always shown to the left of the IN (incoming transaction) or OUT (outgoing transaction) marker.
So, we have identified the source of the funds, which is address 0xA474cE48300D91334339fb5aDeF99A1B11B1cfe6. What can we extract from this information?
In our case, the first address of the hacker, 0x8648... (aka Fake_Phishing5435 in the picture above), never received any funds before the transactions we detected. So address 0xa474... is the sponsor address (or funding address) with respect to the hacker address (0x8648..., labeled Fake_Phishing5435).
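The source search described above can be automated over an exported transaction list. This is an added example, not code from the original article: the addresses and records are constructed placeholders, the field names follow Etherscan's account `txlist` export, and `find_sponsors` is a hypothetical helper name.

```python
from decimal import Decimal

WEI_PER_ETH = Decimal(10) ** 18

# Constructed placeholder addresses (not the addresses from the article).
TARGET = "0x" + "ab" * 20
SPONSOR = "0x" + "cd" * 20
OTHER = "0x" + "ef" * 20

def tx(ts, sender, recipient, wei, failed=False):
    """Build one constructed record shaped like an Etherscan txlist row."""
    return {"timeStamp": str(ts), "from": sender, "to": recipient,
            "value": str(wei), "isError": "1" if failed else "0"}

# Constructed sample, deliberately out of order and with mixed-case addresses,
# because explorers show checksummed addresses while exports are lowercase.
SAMPLE_TXS = [
    tx(1650000900, TARGET, OTHER, 0),                       # first outgoing tx
    tx(1650000100, SPONSOR.upper().replace("0X", "0x"), TARGET, 5 * 10**16),
    tx(1650000200, OTHER, TARGET, 10**18, failed=True),     # reverted, no value moved
    tx(1650000300, SPONSOR, TARGET, 10**17),
    tx(1650002000, OTHER, TARGET, 10**18),                  # arrives after spending began
]

def find_sponsors(txs, target):
    """Return {sender: ETH} for value received before the target's first outgoing tx."""
    target = target.lower()
    sponsors = {}
    for row in sorted(txs, key=lambda r: int(r["timeStamp"])):
        sender, recipient = row["from"].lower(), row["to"].lower()
        if sender == target:
            break  # the address has started paying fees: the funding phase is over
        if recipient != target or row["isError"] != "0":
            continue  # unrelated or failed transfer
        eth = Decimal(row["value"]) / WEI_PER_ETH
        if eth > 0:
            sponsors[sender] = sponsors.get(sender, Decimal(0)) + eth
    return sponsors

if __name__ == "__main__":
    for address, eth in find_sponsors(SAMPLE_TXS, TARGET).items():
        print(f"sponsor {address} sent {eth} ETH before the first outgoing tx")
```

More than one sender in the result means the address had several funding sources, and each one is a separate lead to check.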
Most often the sponsor address is affiliated with a target address. The owner of the sponsor address could be, for example, some customer who has paid for services with crypto. Or, for example, the sponsor address is operated by a cryptocurrency exchange whose services are used by the owner of the target address.
But even more often, both the target address and the sponsor address have the same owner. Let's analyze the transactions of the sponsor address and try to figure out which option would be correct in our case.
The most interesting direction in the case of the sponsoring address is to try to detect suspicious transactions (such as the theft of NFTs). To do this, open the address in Etherscan.io and go to "ERC-721 token Txns", which is the section responsible for NFT transfers.
The target address also made questionable transactions with NFTs and was banned from Opensea.io.
The transactions we are looking for are found in the Internal Txns section:
Let's find out what address 0x945b... was used for. To do that, we again study the transactions in chronological order; we are interested in all incoming and outgoing transactions after the address received the stolen funds.
Target email address (13 ETH) was the first one to receive the stolen funds. Next, address 0x945b accumulated presumably stolen funds from several other addresses, including the target address. The money was then, as ZachXBT wrote, withdrawn to the Tornado.Cash mixer.
The money sent to the mixer was grouped into two payments of 100 ETH, of which 125 ETH originally belonged to the target address, 13 ETH to the sponsoring address, and the remaining 62 ETH to other addresses.
It turns out that either the hacker owns all five addresses and uses 0x945b as an intermediate point before money laundering, or the owner of 0x945b is a separate criminal (money launderer) whose services are used by several criminals at the same time.
Let's briefly examine the other hacker addresses: as you can see from the graph, they too have interacted with NFTs on Opensea. Let's use the old vetting method and... one of the addresses is banned on Opensea! The second address is not banned, but it appears in the ZachXBT investigation. Here you can see the names and faces of our heroes, the dangerous cybercriminals.
Well, here come our friends Mathys and Camille from romantic France, shitting themselves hard by posting a screenshot of one of their Opensea profiles, with previously stolen NFTs, on their personal Twitter. This profile appears in our investigation; on the graph it is address 0x5bb51...
This time the sponsor address is labeled in the block explorer as Fake_Phishing5099. Comments about the affiliation of all the addresses appearing in the investigation seem to me to be redundant with:
Having discovered the new sponsor address, I decided to follow the funds toward their final destination and figure out exactly where Fake_Phishing5099 was sending the dirty money.
After looking through all the transactions, I found an interesting address: 0x27429f480a3E2a69D7E4D738EBc54AeB4096eb43.
The owner of this address, according to a thread on epicnpc.com, is spamming in Discord (Discord is where many of the victims received the phishing links).
Target address 0x864875aef79B107221bEE89C8ff393BD2B66d96
What can we learn after clustering the addresses together?
Conclusions