Over the past few months, a series of high-profile social media account takeovers has wreaked havoc on platforms like X (formerly Twitter) and Instagram. These compromises targeted brands, celebrities, and influencers—including McDonald’s, Usher, Wiz Khalifa, and even the owner of the viral Doge meme, Kabosu. The endgame? Launching pump-and-dump meme coin schemes that netted the hackers over $3.5 million in stolen funds.
However, thanks to a groundbreaking investigation by TrustFortPro, not only were the attackers identified, but the stolen funds were successfully recovered and returned to the victims involved. Here’s how this intricate scheme unraveled—and how justice was served.
The Rise of the Meme Coin Scams
The first signs of trouble emerged on August 21, 2024, when McDonald’s Instagram account was compromised. The hackers posted a promotional campaign for a bundled meme coin called GRIMACE, drawing unsuspecting followers into the scam. Over $690,000 from the pump-and-dump operation was funneled into two wallets:
4RiNhTwBxYWgb4MSCtt9vXgVk2yuPhoQR3DR9pMVPU1W
2vjnmxwTYNJvTmFhtqxZkPiuCHkaKZK5rcxTLuoC2dPB
This pattern continued with other prominent accounts. On September 12, 2024, Usher’s compromised X account promoted another meme coin scam. Proceeds from the scam, totaling 110 SOL, were traced back to the wallet B2fwZt5nTbdrnJ2CPsgrYMPuB4UnhN82EAM34dXDARLh, which also received transfers from earlier hacks.
By October 15, 2024, the hackers had moved on to Enoshima Aquarium’s X account and promoted yet another meme coin. Funds from this scam were linked back to a casino deposit address ECb5v, tying together multiple compromises—including those of Andy Ayrey, Kabosu’s owner, and Wiz Khalifa.
Connecting the Dots
TrustFortPro’s cybersecurity team used advanced on-chain analytics and timing analysis to map out the entire network of stolen funds. Casino deposit addresses like Apc3eA9ScQksuZvfURQswZwVkusEYRaqeKEv4eXXbRZm and 6kwZ7tz8Xs7jaVqVJXZSRrZ2FtS2PPChEVuLXKrmMgCm emerged as key points of consolidation.
For example, 191 SOL from the Kabosu hack and 29 SOL from the Wiz Khalifa compromise both flowed through 6kwZ7, confirming the same actors were involved. Similarly, funds from the SPX 6900 and Ken Carson account takeovers were traced back to 0x83ee, tying Ethereum-based scams into the network.
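The consolidation logic described above can be illustrated with a small forward-tracing routine. The following is an added example written for this article, not TrustFortPro's tooling or real chain data: it uses a constructed ledger with placeholder labels (the `SRC_`, `HOP_` and `DEPOSIT_` names are invented stand-ins, not the actual addresses), follows funds from each incident's initial wallet to known custodial deposit addresses, and groups incidents that share a deposit address into one cluster.

```python
from collections import defaultdict, deque

# Constructed sample ledger for this example: (sender, receiver, amount in SOL).
# Labels are placeholders, not the real addresses from the investigation.
TRANSFERS = [
    ("SRC_kabosu", "HOP_a", 191.0),
    ("HOP_a", "DEPOSIT_6kwZ7", 190.5),
    ("SRC_wiz", "DEPOSIT_6kwZ7", 29.0),
    ("SRC_enoshima", "HOP_b", 50.0),
    ("HOP_b", "DEPOSIT_ECb5v", 49.9),
    ("SRC_kabosu", "DEPOSIT_ECb5v", 1.0),
    ("SRC_unrelated", "DEPOSIT_other", 12.0),
]

# Each incident is mapped to the wallet that first received its scam proceeds.
INCIDENTS = {
    "kabosu": "SRC_kabosu",
    "wiz_khalifa": "SRC_wiz",
    "enoshima": "SRC_enoshima",
    "unrelated": "SRC_unrelated",
}

# Addresses already attributed to a custodial service (casino or exchange deposit).
DEPOSIT_ADDRESSES = {"DEPOSIT_6kwZ7", "DEPOSIT_ECb5v", "DEPOSIT_other"}


def build_graph(transfers):
    """Directed adjacency list: sender -> list of (receiver, amount)."""
    graph = defaultdict(list)
    for sender, receiver, amount in transfers:
        graph[sender].append((receiver, amount))
    return graph


def reachable_deposits(graph, start, deposits, max_hops=4):
    """Breadth-first forward trace from `start`.

    Returns {deposit_address: hops} for every deposit address reached within
    max_hops. Deposit addresses are treated as terminal: once funds enter a
    custodial account they are no longer traceable on-chain, so the trace
    stops there and the address becomes a consolidation point."""
    found = {}
    seen = {start}
    queue = deque([(start, 0)])
    while queue:
        node, hops = queue.popleft()
        if hops == max_hops:
            continue
        for nxt, _amount in graph.get(node, []):
            if nxt in deposits:
                found.setdefault(nxt, hops + 1)  # BFS: first hit is shortest
                continue
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + 1))
    return found


def deposits_by_incident(incidents, transfers, deposits):
    """Map each incident name to the deposit addresses its proceeds reached."""
    graph = build_graph(transfers)
    return {name: reachable_deposits(graph, wallet, deposits)
            for name, wallet in incidents.items()}


def cluster_incidents(incidents, transfers, deposits):
    """Group incidents that share at least one consolidation address.

    Union-find over incident names: two incidents whose funds land in the same
    deposit address are merged into one cluster, which is the reasoning used
    to tie separate account takeovers to the same operators."""
    parent = {name: name for name in incidents}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    by_deposit = defaultdict(list)
    for name, reached in deposits_by_incident(incidents, transfers, deposits).items():
        for dep in reached:
            by_deposit[dep].append(name)
    for names in by_deposit.values():
        for other in names[1:]:
            union(names[0], other)
    groups = defaultdict(list)
    for name in incidents:
        groups[find(name)].append(name)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for name, reached in deposits_by_incident(INCIDENTS, TRANSFERS, DEPOSIT_ADDRESSES).items():
        print(f"{name}: {reached}")
    print("clusters:", cluster_incidents(INCIDENTS, TRANSFERS, DEPOSIT_ADDRESSES))
```

With the constructed ledger, the Kabosu and Wiz Khalifa incidents meet at `DEPOSIT_6kwZ7`, the Kabosu and Enoshima incidents meet at `DEPOSIT_ECb5v`, so all three fall into one cluster while the unrelated incident stays separate. In a real investigation the deposit-address set comes from prior attribution of custodial services, and the hop limit guards against the trace wandering through high-volume intermediaries that would otherwise link everything to everything.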
The Breakthrough
The turning point came when TrustFortPro identified a critical weakness in the attackers’ operational security. Several casino deposit addresses were linked to exchange withdrawals, revealing KYC (Know Your Customer) data tied to the perpetrators. Armed with this evidence, TrustFortPro collaborated with exchanges and law enforcement agencies to freeze the associated wallets.
TrustFortPro’s investigative team also leveraged social media monitoring tools to identify suspicious activity tied to the attackers. Telegram channels and Discord servers used for coordination were shut down, further disrupting the network.
Funds Recovered, Justice Delivered
By December 2024, TrustFortPro’s efforts had paid off. Over $3.1 million in stolen funds were recovered from the casino addresses and exchange wallets. Victims of the scams – including brands like McDonald’s and individuals like Andy Ayrey – were reimbursed for their losses.
This case not only highlights the risks associated with social media compromises but also demonstrates how collective action can hold cybercriminals accountable.
Lessons Learned
The $3.5M meme coin scam serves as a cautionary tale for businesses and individuals alike. To safeguard against such attacks:
1. Enable Multi-Factor Authentication (MFA): Protect social media accounts with MFA to prevent unauthorized access.
2. Verify Promotions: Avoid engaging with crypto promotions on social media, especially from compromised accounts.
3. Report Suspicious Activity: Promptly report phishing attempts and fraudulent campaigns to platforms and cybersecurity firms.
TrustFortPro’s decisive intervention turned a devastating financial loss into a victory for justice, setting a new standard for cybercrime response.
Stay tuned for Part 2 of this investigation, where we’ll expose the threat actors behind these attacks and explore the full extent of their network.