🕵️ On chain detective mode enabled 👀 This user who was caught suffered a real loss of over 550000 US dollars and lasted for about 35 minutes. He has been on the phishing website, gradually exporting his funds. As shown in Figure 1, within 1-2 minutes, 4 people were killed first, resulting in a loss of 264000 US dollars. The method is very simple, which is to transfer directly. Among them, 10.7286 ETH is essentially a transfer, but 0x3158952e 4 bytes are used in the Input Data, and the decoding is a Claim. Therefore, what the wallet sees is that a Claim operation has been performed. As shown in Figure 2, the Curve Pool with a user value of $100000 was not successfully phishing. The user may have thought that the gas was insufficient and charged 0.015 ETH (I also suspected that it was charged by a phishing gang, but after analyzing with @ realScamSniffer, I didn't think so). The phishing continued to bounce, taking away the relevant fees and a little bit of funds. It was found that this was not right, it was just a small sesame, so the phishing gang also charged the user 0.015 ETH (Subsequently, a similar address with similar numbers was followed to poison 0.000001 ETH, which can be ignored) As shown in Figure 3, the Curve Pool with a user value of $100000 was not successfully phishing for the second time Afterwards, two permission offline authorization signatures were obtained, resulting in the loss of $289000 Afterwards, the operation on Spark was no longer related to phishing, and finally I entered a real website If the user still wants to use this address, they must cancel all abnormal authorizations today through @ RevokeCash, otherwise they may continue to be stolen in the future. That's it. Through on chain analysis, the truth can be roughly restored, and those interested can analyze it themselves: https://(debank.com)/profile/0xf9e35c5758b5d9b964f657a1ff604b9d6c66f231/history? mode=analysis @SlowMist_Team @MistTrack_io