Introduction

On July 22, 2023, IEGT orchestrated an exit scam, resulting in a $1.14 million loss. While not the largest fraudulent act of the year, its complexity was unparalleled, especially in the clever camouflage of team wallet balances. $800,000 still remains in the culprit's possession, with the remainder funneled into Tornado Cash. CertiK conducted an on-chain and OSINT investigation and has determined that a Chinese based organization named IEC Servicer was responsible for the exit scam.

Event Summary

IEGT's token price plummeted an entire 100% when EOA 0x00002b9 offloaded over one billion tokens, a baffling move considering IEGT's total supply officially stood at just five million. This maneuver was feasible because the developers discreetly minted a massive volume of tokens before directing them to the selling wallet. This design allowed the fraudsters to orchestrate a token dump when they deemed fit.

The selling wallet did not receive any incoming IEGT transactions. Instead, upon initialization of the IEGT contract', the rogue wallet (0x00002b9) was directly assigned the tokens that were ultimately dumped. Through the use of Inline Assembly, a low-level programming language, the scammers altered the token balance in the _pathSet function.

The function essentially allocates the selling wallet a vastly higher amount of IEGT tokens upon initialization. The y variable is set to 2b9b0748d575cb21de3cae868ed19a7b5b56 and is placed in storage 0 giving the value 00000000000000000000000000002b9b0748d575cb21de3cae868ed19a7b5b56. This is relevant since the malicious wallet is 0x00002b9b0748d575CB21De3caE868Ed19a7B5B56. The wallet is then free to dump IEGT tokens at a time of their choosing.

Some of the notes that are written in the IEGT contract are in Chinese.

From there, we were able to determine that the IEGT token contract belonged to a Chinese based organization named IEC Servicer.

IEC Servicer

Due to the large number of funds that were stolen in the token dump, it is highly likely that the project generated hype and excitement around the token to entice victims to invest. When searching for the token, CertiK discovered a project called IEC Servicer which claims to be jointly developed by Singapore IEC Technology, William Hills, and Digital Currency Group. This is likely to be a fake association.

The X account posted on 13 July that they are launching “IEGT”. Although the post doesn’t confirm a contract address, or that IEGT is even a token, CertiK assesses with a high degree of certainty that this is an advertisement for the IEGT token by IEC Servicer. Both the IEGT token creation and announcement occurred on 13 July, establishing a connection. The announcement of the launch of IEGT was posted just a few hours prior to the contract's creation. By further delving into the IEC Servicer project, CertiK was able to confirm that the IEGT token was promoted by IEC Servicer.

The IEC Servicer account posted a total of three videos on YouTube from the @IECservicer profile to date. Despite being only 16 seconds long, the video titled IEC Thailand offers a lot of clues into the IEC Servicer entity.

For example, in the first few frames of the video a banner with an email address and Telegram channel appear at the top of the banner.

When searching the Telegram group we saw plenty of attempts to manipulate individuals into investing into the IEC Servicer platform. One example is of a video that has been manipulated from the Binance Blockchain Week in Paris from 2022 to trick investors into believing that IEC Servicer has held large conferences.

Despite the meticulous efforts to erase Binance's traces in the video, the scam artists overlooked a minor screen fragment located on the video's lower-left corner. However, any direct association with the IEGT contract remained conspicuously absent from the highlighted Telegram group.

Broadening the search spectrum unveiled another Telegram enclave: @iechaincn. This Chinese channel solidified the link between IEGT and IEC Servicer. Our investigations established the group's administration under IEC Servicer. The group is rife with telltale signs of the scam's modus operandi. One post featured the IEGT token's price chart with the same contract address as the IEGT token that we investigated.

The Telegram group also confirms how victims interacted with the IEGT dApp. In one video posted by a now deleted account we can see a step-by-step guide on how to access the dApp. By accessing the Token Pocket mobile wallet browser, users navigate to iegt.net which then allows them to invest USDT into the project. We can see how the IEC logo is clearly present on the iegt.net dApp.

Decoding the Singular Buyer Anomaly

One of the strangest aspects of the IEGT exit scam was that the IEGT token only had one buyer. This indicates that victims weren’t directly interacting with the token’s contract, but instead sending their money to intermediary wallets which then transferred the tokens to a single wallet who purchased the token.

This buyer's identity can be traced back to EOA 0x099, whose financial operations became particularly active around late May 2023, receiving an influx of USDT. Significantly, a considerable portion of this influx originated from EOA 0xE55b. With over 7,000 USDT transactions, this wallet seemed to redirect its funds towards EOA 0x099, which in turn, used this liquidity to secure IEGT tokens.

Based on evidence from the IEC Servicer Telegram group, EOA 0xE55b was likely one of the intermediary wallets that victims sent their assets to. In one video posted on July 22, we can see an individual accessing the IEC Servicer dApp on their mobile phone, selecting a pool with a probable seven day lock, and EOA 0xE55b being presented as a recipient address for funds. This wallet appears to be one of many intermediary wallets.

In another example, we can see an individual sending USDT to EOA 0x122 after selecting a pool, which also sends funds to the IEGT buying address.

It is likely that when victims invested in “pools”, they sent USDT to these intermediary wallets which then transferred the funds to the main buying wallet of IEGT.

The IEC Servicer Team

Returning to the video that the IEC Servicer YouTube channel posted of a conference in Thailand that likely took place in Bangkok’s Palace Hotel, we see one individual on stage giving a presentation on IEC Servicer.

Cross-referencing this still with material from the the IEC Servicer Telegram group, we can see two short 20 second videos of the same individual speaking in English talking about the IEC project. Based on an article from caifutw.com, the individual is named Serge Smith and is the project’s spokesperson. Additionally, in the same YouTube video posted by IEC Servicer we can see another group of individuals posing in front of a IEC Servicer banner.

CertiK has identified some of these individuals as Russian nationals who are highly likely to be paid actors. It is also likely that the individual going by the name Serge Smith is a paid actor.

Following the Money Trail

The 100% slippage of IEGT came when EOA 0x00002b9 sold 1 billion tokens for approximately $1.14 million. In the swap function, EOA 0x000000481 received the funds and transferred 100,000 USDT back to the main selling address and 200,000 USDT to EOA 0x810. The rest of the stolen USDT ($843,464.45) remains in the sellers wallet.

EOA 0x810 swapped the 200,000 USDT for BNB and deposited 800 BNB into Tornado Cash.

Conclusion

Whilst the IEGT exit scam isn’t the largest incident that CertiK has detected in 2023, it is one of the most sophisticated. Not only did the scammers go to great lengths to orchestrate a token dump exit scam, they also altered videos of legitimate events to create hype around the IEC Servicer project. The average retail investor would likely struggle to objectively assess the deception that we have uncovered in this incident. A CertiK audit would have discovered that the IEGT token contract allowed the team to massively inflate the token balance of one of their wallets, allowing them to later dump tokens at a time of their choosing. Furthermore, the presence of probable actors and alterations to videos would’ve been spotted by our KYC specialists, who come from a range of law enforcement and intelligence backgrounds.