Fake Rabby Wallet Scam Linked to Dubai Crypto CEO and Many Other Victims – Cointelegraph Magazine



Unsuspecting users lost an estimated $1.6 million in February to fake wallets that slipped through Apple's strict app review process. Magazine follows clues on the blockchain to find out who is behind the fake wallet.

A fraudulent app posing as DeBank's Rabby Wallet remained on the App Store for four days, draining funds from many victims, before Apple removed it.

“I trusted the Apple App Store so I never thought it was a scam. About 20 to 30 minutes in, I opened my Rabby laptop wallet and saw that my balance had basically gone to zero,” one victim of a fake Rabby wallet told the magazine.

One of the first victims to highlight the scam was X user Bthemouth, who reported that the funds had flowed into the Rabby Drainer (RD) wallet “0x652…0371F”.

A victim identifies the Rabby hacker's wallet. (Bthemouth)

Blockchain analysis links the RD wallet to “0x44Bd…9E480”, which was originally named “Konpyl” on NFT marketplace OpenSea. The account name has since been changed, but the original name can still be verified on Arkham Intelligence.

A private investigator, whom the magazine confirmed is cooperating with authorities on the case, linked Konpyl to a larger web of at least 20 cases.

The common denominator among this mountain of scams is the Konpyl address.

“He's been doing this for about seven years [and], unlike big protocols, he follows users with their life savings,” the investigator told the magazine.

Konpyl holds nearly $3 million in assets as of Oct. 4. (Arkham Intelligence)

The investigator shared with the magazine images of alleged Know Your Customer (KYC) records from several exchanges, tied to addresses linked to the scams.

The documents seen by the magazine relate to “Konstantin Pylinskiy,” the CEO of Dubai investment company Moonward Capital, who uses the handle “@konpyl” on X and Telegram. However, several fake KYC credentials and aliases were used to open the accounts, so the magazine is not suggesting that Pylinskiy is Konpyl, only that the name is associated with the accounts.

Initially, Konpyl greeted the magazine on Telegram, writing, “How can I help you?” But he stopped responding when asked to explain the connection between Konstantin Pylinskiy, the Konpyl online persona and the Rabby wallet scam.

The magazine tried to contact Pylinskiy through alternate channels, but he did not respond.

Moonward Capital also did not respond to the magazine's request for comment on this story.

The magazine confirmed with a US government agency that an ongoing investigation is related to the Konpyl address.

The most recent incoming transaction to the Konpyl wallet was from an address with a “fake_phishing” tag on Etherscan. The transfer to Konpyl is that address's only outgoing transaction.

Fake Rabby Wallet-Konpyl connection

Bthemouth tells the magazine, “I had a drain bot in my account,” referring to an automated script designed to siphon off funds. “Even after all these months, he's still active.”

The Rabby Drainer actor takes several steps to hide his tracks, such as splitting criminal proceeds into multiple wallets and using DeFi services to hide evidence and blend in with the crowd.


The scammer then consolidates the funds in subsequent wallets and deposits them to a centralized exchange. Even after such obfuscation efforts, connections between RD and Konpyl remain.

Bthemouth's drained funds went to Rhino, a multichain bridge frequented by the Rabby scammer. The scammer deposits the tokens into Rhino and withdraws them through another wallet.

Between February 15th and 18th, RD drained many more victims, with most of the proceeds in ERC-20 tokens. On February 19, these tokens were exchanged for 52 ETH (about $151,000 at the time) using DeFi services such as Uniswap and 1inch.

Later that day, the funds moved to wallet “0xCE6A…b2Ac5”, which, combining them with Bthemouth's funds and an additional 7 ETH, transferred approximately $173,000 in Ether to Rhino.

The Rabby scammer uses Rhino to launder money. (Etherscan)

Onchain investigators Tai and SomaXBT have identified wallet “0x4E93…c71C2” as the recipient of the Rhino output. It received $173,388 in USDT in three transactions, with the first batch arriving around 10 minutes after the first deposit.

Blockchain records show that the same Rhino output wallet received nearly $100,000 from Konpyl in six monthly transactions between February and July.

Konpyl's direct interactions with the Rhino output wallet. (Arkham Intelligence)

These funds eventually make their way to OKX.

The scammer appears to use multiple exchanges, typically using more than one deposit address per exchange.

When analyzing suspected hacker wallets, the first incoming transactions often leave valuable clues to the associated wallets. Sometimes, gas fees can reveal who funded the wallet.

But this is not the case for Konpyl-related scams.

“[Konpyl] runs these accounts through victims' wallets,” the private investigator says. “He takes from other hacks to fund these hacker wallets, so you never know it's him.”


Rabby Wallet drainer: total damage

There are at least 10 addresses identified in public victim reports, including RD, which siphoned off an estimated $152,257 from victims. These addresses are responsible for more than $1 million in losses after users downloaded February's fake Rabby wallet from the App Store.

The February incident was not the first time a fake Rabby wallet appeared on the App Store. Another scam used at least two other wallets linked to Konpyl to siphon nearly $93,000 from victims by the end of 2023.

The magazine confirmed that the previous Rabby wallet scam was linked to Konpyl, with fund flows leading to the Rhino withdrawal address used in the Bthemouth case.

A sample transaction connects Konpyl to the older scam cases, as the proceeds from both cases are sent to the Rhino output address. (Etherscan)

The private investigator told the magazine that while these cases were not publicly disclosed by the victims, three other suspicious wallets linked to the Rabby wallet scheme netted $278,872.

The magazine also knows of at least three more wallets that were not part of the fake Rabby wallet scheme but stole money using other methods, such as phishing links shared on social media. These three wallets also show a connection to Konpyl by using the same OKX deposit address as a Rabby wallet scammer and by transferring funds to the Rhino output wallet.

Together, they took $93,261 from victims, bringing the estimated losses associated with the fake Rabby wallet to at least $1.6 million.
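The two tracing heuristics described above, checking a wallet's first funder and linking wallets that pay into the same exchange deposit address or bridge withdrawal wallet, can be sketched as follows. This is an added example, not part of the original article; every address label and transfer is a constructed placeholder, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample transfers: (sender, receiver, unix_time). Every label is a
# placeholder invented for this example, not an address from the article.
TRANSFERS = [
    ("victim_1", "drainer_A", 1000),     # drainer's first incoming tx is a victim
    ("drainer_A", "cex_deposit_1", 1100),
    ("victim_2", "phish_C", 2000),
    ("phish_C", "cex_deposit_1", 2100),  # same deposit address as drainer_A
    ("phish_C", "bridge_out_wallet", 2200),
    ("hub", "bridge_out_wallet", 2300),  # hub pays the bridge withdrawal wallet
    ("bystander", "cex_deposit_2", 2400),
]
# Sinks must be addresses controlled by one party (a per-account exchange deposit
# address, a withdrawal wallet); a shared bridge or DEX contract would link everyone.
SINKS = {"cex_deposit_1", "cex_deposit_2", "bridge_out_wallet"}


def first_funder(transfers, wallet):
    """Sender of the earliest incoming transfer, or None if never funded."""
    incoming = [t for t in transfers if t[1] == wallet]
    return min(incoming, key=lambda t: t[2])[0] if incoming else None


def link_by_shared_sink(transfers, sinks):
    """Cluster wallets that pay into the same sink, transitively (union-find)."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for sender, receiver, _ in transfers:
        if receiver in sinks:
            parent[find(sender)] = find(receiver)
    clusters = defaultdict(set)
    for node in list(parent):
        if node not in sinks:
            clusters[find(node)].add(node)
    return sorted(sorted(c) for c in clusters.values() if len(c) > 1)


if __name__ == "__main__":
    print(first_funder(TRANSFERS, "drainer_A"))   # a victim, not the operator
    print(link_by_shared_sink(TRANSFERS, SINKS))
```

On this sample the first-funder check returns a victim, while the shared-sink clustering still ties the two scam wallets to the hub wallet.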


Other scams related to the fake Rabby Wallet

The 2024 Rabby Wallet scam is not the first illegal activity with strong blockchain ties to the Konpyl address, according to blockchain records identified by the private investigator.

For example, a victim's report on Reddit shows that the user's money ended up in the wallet “0x0000…4e9Aba” (which we call LS1, for Ledger scam). A closer look at LS1 shows the same deposit strategies as those used in the 2024 fake Rabby wallet schemes.


In 2020, LS1 used the deposit address “0x05a8…a21e6” (YB1) to transfer funds to the Yobit exchange.

LS1 frequently interacts with “0x1111…858eB” (LS2), sending and receiving over $51,000 worth of crypto in over 14 transactions during the year from April 2020.

Fund movements between LS1 and LS2. (Arkham Intelligence)

LS2 sends funds to “0x7e17…873cE” (YB2), so the two wallets appear to use different deposit addresses on Yobit.

YB2 was regularly used by Konpyl at that time to transfer funds to Yobit. Konpyl sent more than $41,000 worth of ETH in 23 transactions from September 2020 to February 2021.

Konpyl deposits to YB2. (Arkham Intelligence)

YB1 and YB2 are also connected by “0xBd7D…A2DB7”. While it sent a 2.4-ETH transaction to YB1, it used the second deposit address five times for $196,000 in ETH.

This wallet has two direct transactions from Konpyl for 6 ETH.


The investigation into the fake Rabby wallets and other scams continues

“One of my goals is to get Apple off its ass and track down the cheaters in their app store. I reported it to Apple months ago, but I haven't heard back,” the investigator told the magazine.

Rival tech giant Google filed a class action lawsuit against crypto fraudsters earlier this year for defrauding more than 100,000 people by uploading dodgy apps to its marketplace Google Play.

Bthemouth has given up on recovery efforts and said he has done “everything” he can.

A victims' group was formed earlier, but now “everyone has moved on with their lives.”

“It's a dead end,” says Bthemouth.

But there is still some hope for victims.

Investigations by law enforcement agencies and private blockchain investigators are ongoing, and Konpyl and associated wallets remain at the center of suspicion.

Yohan Yun

Yohan Yun is a multimedia journalist who has been reporting on blockchain since 2017. He has contributed to the crypto media outlet Forkast as an editor and covered Asian tech stories as an assistant reporter for Bloomberg BNA and Forbes. He spends his free time cooking and experimenting with new recipes.
