CertiK analysts have been closely monitoring a scammer known as "Faint" since late 2022. This individual has been linked to numerous Discord compromises and phishing activities on both Ethereum and Solana.
ZachXBT has posted a detailed thread on a scammer named “Soup”, who is linked to Faint. The theft attributed to Faint is estimated to be around $1 million. This article delves into the details of Faint's activities, connections, and possible real-world identity.
Since late 2022, Faint has been responsible for compromising various Discord servers, impacting projects across different blockchain ecosystems. Alongside Faint, another scammer known as "Soup" has been active, and their collaboration has been confirmed by other analysts.
Faint's main wallet is associated with several Ethereum Name Service (ENS) domains, and further insights into Faint's activities can be gleaned from his now-deleted OpenSea account. While there are similarities between Faint and another individual, Chase Senecal, we believe this is likely to be a misdirection attempt.
On 4 November, 2022, Faint transferred the ENS hzontop.eth to EOA 0xeb99f3b4027a0f399f93863f52AC83F45b8DD6C9 and burned ENS faintxbt.eth on 7 July, 2023. We can see further details on Faint through his now-deleted OpenSea account.
Faint’s now-deleted OpenSea account
The OpenSea account linked to a Twitter profile @f_faint. It’s important to note here that Faint has since deleted his account. However, another @f_faint exists on X. We assess that this account is currently being used by an individual who has no apparent connection or affiliation with the scammers or fraudulent activities described in this article. Any association between the handle @f_faint on Platform X and the criminal activities discussed herein is purely coincidental, and no allegations or implications should be made against the user of this handle.
Through Faint’s Twitter account, we quickly discovered Soup’s Twitter profile.
We also noticed similarities between Faint’s profile and that of Chase Senecal, who went by @horror and HZ. One of the ENS domains that Faint owned was hzontop.eth, which was later transferred to EOA 0xeb99f.
Transfer of ENS hzontop.eth. Source: Etherscan
Additionally, Faint’s OpenSea profile came with the header, “my money got depression.” This was a phrase that Chase Senecal's Twitter profile also had. We can see this in a screenshot provided by ZachXBT in his initial thread on HZ/Chase.
Faint’s OpenSea and a screenshot of ZachXBT’s thread on Chase
Whilst we have documented similarities between Chase Senecal and Faint, we assess that it is unlikely that Chase controlled Faint’s account.
Faint would often taunt and boast on X following a Discord compromise. For example, when Cross the Ages announced on Twitter that their Discord server was compromised on 28 December, 2022, Faint posted the following:
In this image we see an iced-out watch and a MetaMask window showing a blurry wallet address. We can just make out “0xA” in the image. By searching for wallets that Faint interacted with on 28 December or prior, CertiK assesses that it is highly likely that the wallet shown in Faint’s tweet is 0xadf92.
Faint funding probable wallet linked to CrossTheAge Discord hack
This wallet utilized a Monkey Drainer to steal users' funds on that date. We can verify this by examining a few of the transferFrom transactions where victims signed approvals to an address that the Monkey Drainer controlled.
Faint-related wallet utilizing Monkey Drainer
It is unclear precisely when, but Faint changed his Twitter handle to @faintxbt and continued to boast on Twitter over the different Discord servers that he compromised.
Following the closure of the Monkey Drainer phishing kit, Faint then moved onto Venom Drainer. This is evident through Faint’s related wallets. Below is an example of a Faint-related wallet utilizing the Venom Drainer kit to steal DIA tokens and swap for WETH before sending the funds to Faint’s main wallet.
Faint-related wallet utilizing the Venom Drainer
This scammer has been active since at least late 2022. We can also attribute a number of Discord compromises on Solana-based projects to Faint, and from victims' reports we can attribute a Solana wallet to him.
On 21 and 22 January, 2023, the Discord servers of GooneyToonsNFT and Frogs on Cope were compromised by Faint. Additionally, the Apin Labs Discord server was compromised, highly likely also by Faint.
The attack on the Frogs on Cope Discord server linked to Faint’s Twitter profile. We can see in the below screenshot the Discord profile that posted the phishing site links back to Faint’s Twitter.
Frogs on Cope Discord server compromise linked to Faint’s x.com account
The Frogs on Cope community noted that Ejc7WAoU6CVjBjK1F4vGysdogZrADsEcf9ZXDSxRJFcK was the scammer's wallet, and since we can assess with a high degree of certainty that Faint compromised the Frogs on Cope Discord server, we can attribute the above Solana wallet to Faint.
Victims announcing the scammer's wallet
In total, the wallet received 1,408.92 SOL (~$34,000). However, it’s possible that additional Solana wallets belonging to Faint acquired more funds. The vast majority of the stolen funds are in wallets controlled by Faint on Ethereum.
At the time of writing, Faint’s main wallet contains 154.511 ETH valued at $283,038 and at least 1,409.92 SOL which we have attributed to EOA Ejc7WAoU6CVjBjK1F4vGysdogZrADsEcf9ZXDSxRJFcK. However, based on our investigation, there are numerous other wallets that are associated with Faint. We have concluded that Faint is directly involved in the theft of at least $960,000.
With the closure of Monkey Drainer, many scammers looked to fill the vacuum that the cybercriminal known as Monkey left. This saw the development and promotion of multiple drainer kits on Telegram from a variety of vendors. Currently, one of the more popular drainer kits is provided by a scammer known as Pink, who provides the Pink Drainer kit.
Scammers such as Soup have been utilizing the Pink Drainer kit to post phishing links in compromised Discord servers. In these incidents, we can see that ENS kittenator.eth is closely associated with the Pink Drainer kit. Below is an example of kittenator.eth receiving funds from Pink Drainer Contract 1, as well as being the recipient in an ice phishing transfer of approximately 27 stETH.
Kittenator.eth interactions with Pink Drainer
Kittenator.eth’s wallet initially received funds from eXch, a cryptocurrency swap service, on 19 June. The platform’s built-in privacy and obfuscation features mean that we cannot trace this wallet directly to any other wallet, nor does the wallet link to any OpenSea account. However, there is an OpenSea account named “Kittenator” attached to EOA 0x058, which is where we find our connection to Faint.
Kittenator's OpenSea account
The wallet is connected to two ENS domains, faintlyy.eth and soupp.eth.
From faintlyy.eth, there are just two jumps to Faint’s main wallet.
Connections from Faint’s main wallet to Kittenator's account
Faint is linked to the username Kittenator and is therefore possibly related to the ENS Kittenator.eth which has been involved in multiple Discord compromises that have utilized the Pink Drainer to steal funds.
A significant insight into the real-world identity of the scammer known as Faint emerged from a taunting post made in reaction to the Cross The Ages announcement of a Discord hack on December 28. In this post, Faint not only mocked the project but also displayed a watch. Given the previously established on-chain connection between Faint's main wallet and the likely compromised Cross The Ages Discord server, attention was drawn to the watch.
Since this was posted on 28 December, 2022, we can rule out Chase Senecal since his watch was seized by the FBI on 24 October, 2022.
The image from Faint’s X profile isn’t the clearest of the watch, but does lead us to some additional clues. For example, we can see that the watch has a circular case with a circular crown to the right of the case as well as a distinctive strap. In a thread by ZachXBT, where he exposed a Canadian-based scammer known as Madman, we can see that an individual with the handle @turf is present and flexing a watch.
Post from Madman’s Instagram account. Source: ZachXBT
In an image posted by Turf, we see a possible candidate for a similar watch.
Post from Turf’s Instagram account
After careful examination of the watch seen in Faint's Twitter post and the one in the aforementioned image, a likely match was determined. The image in which Faint displayed the watch, in a derisive response to the Cross The Ages Discord compromise announcement, connects the watch to a scammer's wallet. If this watch is confirmed as a match, it could definitively link Faint to this individual.
The Web3 security community has long been aware of a group of Canadian-based scammers responsible for stealing millions of dollars in recent years. Regrettably, the growing availability of wallet drainer kits means that substantial funds will likely continue to fall into the hands of scammers like Faint.
To protect oneself, investors are encouraged to consider using applications such as Wallet Guard and Pocket Universe, which can alert users to connections with wallet drainers. Even if a phishing site manages to evade these applications, individuals can still take precautions. One essential step is to verify that the address to which funds are being sent or approvals are being signed is not recognized as a known phishing address.
For example, when connecting our wallet to a fake Azuki phishing site that CertiK detected in July 2023, we can see that the site wants us to send ETH to 0x000011387eb24f199e875b1325e4805efd3b0000 via a fake claim function.
Searching on Etherscan, we can see that the address comes with a warning and is in fact connected to a well known wallet drainer provider.
When a site requests that you sign permits or approvals, the same precautionary measures should be applied. If possible, inspect the wallet to determine if it's linked to any known phishing addresses. This vigilance is especially crucial when a well-known Discord or Twitter account unexpectedly announces a new airdrop or mint without prior notice. By adhering to these straightforward steps, you can significantly reduce the risk of falling prey to phishing scams.
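The check described above can be automated before signing. The following is an added example, not CertiK's tooling or code from the original article: it decodes the counterparty (spender, operator or recipient) from standard ERC-20/ERC-721 calldata and compares it, together with the transaction's destination, against a local blocklist. The blocklist here contains only the flagged address quoted in this article; the token address, the 0xdeadbeef selector and the function names are constructed for illustration.

```python
# Added example, not CertiK's tooling. BLOCKLIST holds only the flagged address
# quoted in the article; in practice it would be fed from a phishing-address list.
FLAGGED = "0x000011387eb24f199e875b1325e4805efd3b0000"
BLOCKLIST = {FLAGGED}

# 4-byte selector -> (function name, index of the 32-byte word holding the counterparty)
SELECTORS = {
    "095ea7b3": ("approve", 0),            # spender
    "39509351": ("increaseAllowance", 0),  # spender
    "a22cb465": ("setApprovalForAll", 0),  # operator
    "a9059cbb": ("transfer", 0),           # recipient
    "23b872dd": ("transferFrom", 1),       # recipient (word 0 is the token owner)
}

def counterparty(data):
    """Return (function, address) for a recognised call, else None."""
    payload = data.lower()
    if payload.startswith("0x"):
        payload = payload[2:]
    entry = SELECTORS.get(payload[:8])
    if entry is None:
        return None
    name, index = entry
    word = payload[8 + index * 64: 8 + (index + 1) * 64]
    if len(word) != 64:
        return (name, None)   # truncated calldata: treat as suspicious
    return (name, "0x" + word[24:])

def review_request(to, data="", blocklist=BLOCKLIST):
    """List the reasons a transaction request should not be signed."""
    blocked = {a.lower() for a in blocklist}
    findings = []
    if to.lower() in blocked:
        findings.append(("to", to.lower()))
    call = counterparty(data)
    if call is not None:
        name, addr = call
        if addr is None:
            findings.append((name, "truncated-calldata"))
        elif addr in blocked:
            findings.append((name, addr))
    return findings

if __name__ == "__main__":
    token = "0x" + "11" * 20                      # constructed token contract address
    approve = "0x095ea7b3" + "0" * 24 + FLAGGED[2:] + "f" * 64
    print(review_request(FLAGGED, "0xdeadbeef"))  # constructed stand-in for the fake claim call
    print(review_request(token, approve))         # unlimited approval to the flagged spender
```

An empty result only means that nothing matched the list supplied; it does not show that the counterparty is safe.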
CertiK remains committed to continued Web3 security analysis and actively monitoring these identified scammers. We will ensure that all pertinent information is made accessible to law enforcement agencies. For ongoing updates and to stay attuned to the persistent risks that these individuals present to your financial security, follow @CertiKAlert. Your vigilance is a vital defense against these ever-present threats.