Author: zachxbt, chain detective
Original translation: Zhouzhou, BlockBeats
Editor’s note: This article analyzes how the hacker Serpent took control of 9 accounts on X and Instagram, including those of McDonald’s and Kabosu, ran meme coin scams from them, stole around $3.5 million and gambled it at casinos. Serpent is a former professional “Fortnite” player who was dropped for cheating. In 2022, the NFT project DAPE he co-founded rug pulled, and the ERROR project he launched in 2024 also rug pulled, which ultimately led to its ban on X.
Here is the original content (rearranged for better readability):
Over the past few months, I have been tracking a series of account breach incidents involving McDonald’s, Usher, Kabosu’s owner, Andy Ayrey, Wiz Khalifa, SPX 6900 and others, which resulted in the theft of approximately $3.5 million through meme coins launched on Pump Fun.
On August 21, 2024, McDonald’s Instagram account was hacked and a post promoting the bundled meme coin GRIMACE was published, after which the hacker dumped the token. More than $690,000 from this pump and dump was funneled into two wallets:
4RiNhTwBxYWgb4MSCtt9vXgVk2yuPhoQR3DR9pMVPU1W
2vjnmxwTYNJvTmFhtqxZkPiuCHkaKZK5rcxTLuoC2dPB
On September 3, 2024, after actor Dean Norris’ X account was hacked, the McDonald’s attacker transferred 101.5 SOL to two addresses that were used to deploy and snipe SCHRADER:
4s9Uz9pTBXcEaEtcjs8eg98r2TVte3rq3JUm3rVTFMudfewGbNKmqNyYs9bSAMDUaTbTcuA1v39sWr7GRqkDJ6EM
1gxo1pjTqjbee7rHW4cGvuNffX1qP4F8fP17g6SSC5EYbQrnktDrKSFB1uh4ju7PxQjprWFin37WUsAe225b9c6
On September 6, 2024, funds from the McDonald’s ATO (account takeover) were transferred to a casino deposit address:
CuNzegC9DE4CxCMn31ZcYLvtDaysLD9RX8eRvmtZQrnB
Temporal analysis then identifies a withdrawal from the casino made shortly after that deposit:
B2fwZt5nTbdrnJ2CPsgrYMPuB4UnhN82EAM34dXDARLh
On September 12, 2024, B2fw transferred 110 SOL to two addresses that sniped the meme coin promoted during the Usher account breach:
4FUrwoHz1fuUf4eR6YEAYSG9d9rN5fzbowMXtbjwJAhTDtHXjpnTb1sz6aeF6T79JaiMFyT2xX2EuTxqT5UhFfKD
427zpHF1WWgYgKxcSiUzwXLg2UqsF6xq7K13PU3mh6Wr99mipiVA6GcDTwi7EY93RJeRuEUDZAK9BnoMeki7sU6C
B2fw subsequently transferred 4,868 SOL to the Ecb5vs casino deposit address, which is also directly linked to other ATO (account takeover) incidents, including the Andy Ayrey and Enoshima Aquarium breaches:
Ecb5vsomUG3MEnLCgiFvkdnnqpggTEXtN17z62iDPuU3
On October 15, 2024, Enoshima Aquarium’s X account was hacked and promoted a meme coin. That day, 84 SOL obtained from the scam were transferred to Ecb5vs:
5PDjh74JTLMPW4dXr6fKm3Yue2j3vhbxLSK5dPbQ3oEGK4axE7fua1ngBMas4xpRY6dBr92Ccps7b1WwcLdnxXWL
On October 29, 2024, the X account of Andy Ayrey (Truth Terminal founder) was hacked for several days and promoted 6 meme coin scams. 3GVUs was one of the addresses that sniped those tokens:
3GVUs2gNr161ohqnVXjUeoNQmf3cELxKSiPrxyQu6pjd
On October 30, 2024, 3GVUs transferred 169 SOL to Ecb5vs:
67nwsLLE3aGua4VeH8p6qHc3SL3rpxi9omMxRnfpeyZVsBpZawnUHo4Pt4tdT5Vxny2uRNDRH3vSZ1fzvKkNCML4
Of the $2.178 million obtained from the Andy Ayrey ATO, $750,000 was deposited to the Apc3e casino deposit address:
Apc3eA9ScQksuZvfURQswZwVkusEYRaqeKEv4eXXbRZm
0.1 SOL from the Kabosu ATO funded an address that participated in the Andy Ayrey ATO.
On October 17, 2024, the Instagram account of Kabosu’s owner was hacked and promoted a meme coin scam.
That day, 191 SOL obtained from the scam were transferred to the casino deposit address:
6kwZ7tz8Xs7jaVqVJXZSRrZ2FtS2PPChEVuLXKrmMgCm
The Kabosu and Andy Ayrey ATO incidents are directly linked to the Wiz Khalifa ATO.
On November 3, 2023, the attacker posted a wallet address from Wiz Khalifa’s account. 29 SOL were transferred to 6kwZ7, the same deposit address used in the Kabosu ATO:
NFCs23ddXQc9Zff2VJotEn2zaSAh4tvw6U6kb7fdXovZ8YPQgJMGQkXmtWiTutqnoBf6wR2khaKvFpyEKNhHfjJ
The WIZ deployer was funded from the Andy Ayrey ATO. The other addresses that sniped the token transferred all of their profits, via instant exchanges, to the casino deposit address 0x83ee:
0x83ee6b53a0ae76b71bed0c32721a451776dbdb3a
SPX 6900 was hacked on October 11, 2024, and on October 16, 2024, 0x83ee received 0.54 ETH from the scam’s deployer.
On Solana, another scam promoted from the hacked SPX 6900 account was funded from the Ken Carson ATO.
Further demonstrating the connections between the Kabosu owner, SPX 6900, Ken Carson and Enoshima ATOs, each coin deployer’s funding is linked to the previous deployer’s address through instant exchange transfers, an attempt to obscure the source of the funds.
An investigation into how threat actor Serpent went from being a professional Fortnite player to helping steal $3.5 million through meme coin scams launched from more than 9 hacked accounts on X and Instagram, and gambled the profits at online casinos.
Serpent (SerpentAU) is an Australian former professional Fortnite player who was dropped by the esports organization “Overtime” in June 2020 after being caught cheating. He then co-founded the NFT project DAPE in March 2022, which later rug pulled.
In March 2024, Serpent launched another project called ERROR, but the project shut down, leading to its ban from the X platform.
Deployer address:
0x8233873ee35547097ccb9098adbab955d7120ee8
On October 23, 2024, the ERROR deployer transferred a total of 29 ETH to two instant exchanges.
Temporal analysis shows these funds being received on Solana and transferred to the same casino deposit address:
Ecb5vsomUG3MEnLCgiFvkdnnqpggTEXtN17z62iDPuU3
Several ATOs (account takeovers) directly connected to the Ecb5vs deposit address include McDonald’s, Usher, Andy Ayrey, Dean Norris and Enoshima Aquarium. (For the detailed tracing, see the first section.)
Serpent gambles millions of dollars every month on Roobet, Stake, BC Game and Shuffle, and often shares his screen with friends on Discord.
I obtained recordings of him gambling, which inadvertently leaked several deposit and withdrawal addresses.
Discord ID: 1269557350486904945
During a screen share on November 1, 2024, Serpent showed a deposit of $100,000 and a withdrawal of $200,000, transferred to the following address:
0xb8c9c8a5756a7992df65f949b7c1423eeb435aa5
When mapping the transaction graph, this address was found to have high exposure to addresses linked to the McDonald’s, Andy Ayrey and Usher ATOs.
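The two heuristics this write-up leans on, temporal matching of casino deposits to withdrawals and exposure scoring on the transaction graph, as an added example that is not part of zachxbt’s investigation. All addresses, timestamps and amounts below are constructed labels, not real chain data.

```python
# Added example, not from the original write-up: temporal deposit/withdrawal matching
# and inflow-exposure scoring over constructed transfers (all labels are invented).
from typing import List, Tuple

Transfer = Tuple[int, str, str, float]  # (unix_time, from_addr, to_addr, amount_sol)

# Constructed sample: an ATO wallet deposits at a casino, a withdrawal follows an hour
# later to a fresh wallet, which then funds snipers and a second casino deposit.
TRANSFERS: List[Transfer] = [
    (1725580800, "ato_attacker", "casino_dep_A", 120.0),
    (1725584400, "casino_hot", "fresh_wallet", 115.0),   # ~1h later, minus fees/rake
    (1725800000, "casino_hot", "unrelated_user", 50.0),  # far outside the window
    (1726099200, "fresh_wallet", "sniper_1", 55.0),
    (1726099300, "fresh_wallet", "sniper_2", 55.0),
    (1726185600, "fresh_wallet", "casino_dep_B", 4868.0),
    (1726185700, "clean_user", "casino_dep_B", 10.0),
]

def match_withdrawals(transfers, deposit_addrs, hot_wallet, window=7200, tol=0.10):
    """Temporal analysis: pair each deposit into a known casino deposit address with
    the first hot-wallet withdrawal inside `window` seconds whose amount is within
    `tol` (fraction) of the deposit. Returns (depositor, withdrawal_dst, delay_s)."""
    withdrawals = sorted(t for t in transfers if t[1] == hot_wallet)
    links = []
    for ts, src, dst, amt in transfers:
        if dst not in deposit_addrs:
            continue
        for wts, _, wdst, wamt in withdrawals:
            if ts < wts <= ts + window and abs(wamt - amt) <= tol * amt:
                links.append((src, wdst, wts - ts))
                break
    return links

def exposure(transfers, target, tagged, depth=4):
    """Share of `target`'s inflow that traces back (at most `depth` hops) to tagged
    addresses: the "high exposure" score used when mapping the transaction graph."""
    incoming = [t for t in transfers if t[2] == target]
    total = sum(t[3] for t in incoming)
    if total == 0:
        return 0.0
    tainted = 0.0
    for _, src, _, amt in incoming:
        if src in tagged:
            tainted += amt
        elif depth > 0:
            tainted += amt * exposure(transfers, src, tagged, depth - 1)
    return tainted / total

def trace(transfers, seed_tagged, deposit_addrs, hot_wallet):
    """Chain both steps: a matched withdrawal from a tagged depositor inherits the taint."""
    tagged = set(seed_tagged)
    for depositor, wdst, _ in match_withdrawals(transfers, deposit_addrs, hot_wallet):
        if depositor in tagged:
            tagged.add(wdst)
    return tagged
```

The casino hop is where naive graph tracing stops (the hot wallet commingles funds), which is why the temporal match is needed to carry the taint across it.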
During the Andy Ayrey ATO, another threat actor using the alias “Dex” (from Massachusetts, USA) took part in sniping these scam tokens.
He started freaking out after I mentioned him on my Telegram channel last week and concocted an extortion story, claiming he lost $700,000.
Currently, funds related to these security breaches are stored at the following addresses:
0xeb60a5242c1c97eb54195ec83de43bb26813c0d1
0x2355ac2929bb7051814de3c48670fccbb515d8be
4jjWZ8RaXZBqntnhu2JFidXEQWXgfKRbJQZdTHrdaqbv
Today, after the first part of my investigation was published, Serpent started deleting all of his posts on his new X account. I suspect there are still other associated ATOs (account takeovers) that I have not been able to trace directly on-chain. For one of the account takeover incidents, I shared a detailed investigation report with a victim I am working with.