The shadow of CYBSB

Account of a crypto fraud case

In the spring of 2025, Lukas – a reserved architect with an interest in digital innovations – was contacted via LinkedIn by an elegant woman called Matilda. Her profile looked respectable: board member of a design firm in London, clear language, neat pictures. What began as a professional exchange soon turned into a daily conversation via WhatsApp.

Matilda spoke of passive income through crypto investments. “An opportunity like this doesn’t come along often,” she said. Suspicious but intrigued, Lukas tested the recommended platform: CYBSB – a modern portal with AI dashboards and live profits. He invested 1,000 USDC via his Coinbase wallet. Two days later, the system showed growth to 2,200 USDC – and the payout worked.

Confidence was born. Lukas invested more – 18,000, 27,000, in the end almost 66,000 USDC. But with the profit came the standstill: suddenly the system demanded “verification fees”, then “gas fees”, finally “certifications”. Ever new excuses, ever higher amounts. When Lukas refused, he was warned: “Your account has been flagged for insider trading.”

He got scared. Matilda suddenly sounded stern. “Cooperate, or your funds will remain frozen.” Lukas paid one last time – but nothing happened. The site remained online, but his winnings were just numbers on a fake dashboard. No one responded.

The experts at WPC later analyzed his transactions. The money had long since been channeled through a network of wallets, over bridges such as Allbridge, through intermediate wallets, disguised with spam tokens, until it finally disappeared on Binance – where real identities may be attached to accounts, but can only be obtained through legal channels.

The platform was more than just deception – it was a Trojan horse. Lukas had unknowingly downloaded Windows malware that stole passwords, snuck into processes and communicated with servers whose locations nobody knew.

Today, Lukas has learned that digital proximity can be deceptive. CYBSB was not a portal – it was a trap. And Matilda? Probably nothing more than an algorithm with a face.

Exemplary cash flow diagram

Summary of a crypto fraud case

Facts

Period: May – June 2025
Loss: approx. 66,000 USDC
Fraud type: Cryptocurrency fraud via social engineering, fake investment platform, malware

1. Crime scene

A victim was contacted via LinkedIn using a false identity. This was followed by daily communication via WhatsApp with the aim of introducing the victim to an alleged crypto investment project. The fraudulent platform (domain: cybsb.co) suggested high returns and demanded ever larger deposits in USDC on the Base blockchain network.

A fake dashboard with manipulated profit displays was used to deceive customers. Refunds were refused and “fees” were repeatedly demanded (e.g. “verification fee”, “gas fee”, “authentication”).

2. Technical details

  • Primary sender address (victim wallet):
    0x1985ea6e9c68e1c272d8209f3b478ac2fdb25c87 (Coinbase)
  • Central recipient address (scam wallet):
    0xc99a4180e47ef856020d849c9be68f04b647c3ee
  • Total amount of transfers:
    approx. 66,000 USDC in several transactions
  • Suspicious forwarding destinations (layering & money laundering):
    • Allbridge: 0x833589fcd6edb6e08f4c7c32d4f71b54bda02913
    • Binance-adjacent: 0x3304e22ddaa22bcdc5fca2269b418046ae7b566a
    • Other intermediate wallets with layering and mixing activity

3. Malware & platform risks

The fraudulent platform was linked to Windows malware that Hybrid Analysis classified as dangerous (a Trojan with credential-stealing functionality).

  • SHA-256 Hash of the file:
    8756b238041ce5fce16ac318ec29d28914e4478cdcbd1cb9901c8c3f9e027286
  • Behavior:
    • Registry manipulation
    • Process injection
    • Network communication to suspicious servers
    • Goal: access to wallet credentials and other sensitive data
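A first triage step on the end device is to check whether the file with the SHA-256 hash listed above is present anywhere on disk. The script below is an added example for this report, not the analysts' own tooling: it streams every regular file under a directory through SHA-256 and reports matches against the IoC hash from this section. The hash is the one the page lists; the directory to scan and the hit label are chosen by the caller.

```python
"""SHA-256 IoC sweep for the malware hash named in section 3.

Added example, not part of the original report. IOC_SHA256 holds the hash the
page lists; everything else (paths, labels) is supplied by the caller.
"""
import hashlib
from pathlib import Path

IOC_SHA256 = {
    "8756b238041ce5fce16ac318ec29d28914e4478cdcbd1cb9901c8c3f9e027286":
        "Windows trojan linked to the CYBSB platform (per report)",
}


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large binaries are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_tree(root, iocs=IOC_SHA256):
    """Hash every regular file under `root`; return (path, sha256, label) for IoC hits."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        try:
            digest = sha256_file(path)
        except OSError:
            continue  # locked or unreadable files are skipped, not fatal
        if digest in iocs:
            hits.append((str(path), digest, iocs[digest]))
    return hits


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for hit_path, hit_digest, label in scan_tree(root):
        print(f"HIT {hit_digest}  {hit_path}  ({label})")
```

Run it with the user profile or download folder as the argument. A hash match is exact-match only: a re-packed or re-signed build of the same Trojan produces a different digest, so an empty result does not clear the machine, and the AV check and credential rotation listed in section 5 still apply.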

4. Money laundering behavior

The cash flow follows typical patterns:

  • Placement: Deposits via Coinbase
  • Layering: distribution to several first/second layer wallets
  • Integration: bridge transfers and test withdrawals to centralized exchanges (CEX)

In addition, multi-token techniques were used for obfuscation:

  • ETH microtransfers
  • Spam/airdrop tokens such as BRETT, US_CIRCLE
  • “Ping-pong” transactions between wallets
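The placement, layering and integration stages and the obfuscation tricks above can be checked mechanically on an exported transfer list. The following is an added example, not the analysts' own tooling: it traces USDC hop by hop from the victim wallet, flags wallet pairs that bounce the same token back and forth, separates spam/airdrop tokens from the expected ones, and sums what arrives at labelled exit points. The victim, scam, Allbridge and Binance-adjacent addresses are those from section 2; the intermediate wallets HOP_A and HOP_B, the spammer address and the whole transfer list are constructed for illustration and are not the real on-chain history.

```python
"""Flow-of-funds tracing for a USDC-on-Base fraud case.

Added example for this report. Addresses marked "per report" are from
section 2; HOP_A, HOP_B, SPAMMER and the TRANSFERS list are CONSTRUCTED.
"""
from collections import defaultdict, deque

VICTIM = "0x1985ea6e9c68e1c272d8209f3b478ac2fdb25c87"       # per report (Coinbase)
SCAM = "0xc99a4180e47ef856020d849c9be68f04b647c3ee"         # per report
BRIDGE = "0x833589fcd6edb6e08f4c7c32d4f71b54bda02913"       # per report (Allbridge)
BINANCE_ADJ = "0x3304e22ddaa22bcdc5fca2269b418046ae7b566a"  # per report
HOP_A = "0xaaaa000000000000000000000000000000000001"        # hypothetical
HOP_B = "0xbbbb000000000000000000000000000000000002"        # hypothetical
SPAMMER = "0xdead000000000000000000000000000000000003"      # hypothetical

LABELS = {BRIDGE: "Allbridge", BINANCE_ADJ: "Binance-adjacent"}
KNOWN_TOKENS = {"USDC", "ETH"}

# Constructed sample: (block, sender, recipient, token, amount)
TRANSFERS = [
    (100, VICTIM, SCAM, "USDC", 1000.0),
    (101, SCAM, VICTIM, "USDC", 2200.0),         # the one "payout" that built trust
    (110, VICTIM, SCAM, "USDC", 18000.0),
    (120, VICTIM, SCAM, "USDC", 27000.0),
    (130, VICTIM, SCAM, "USDC", 20000.0),
    (131, SCAM, HOP_A, "USDC", 40000.0),         # layering: split to first-layer wallets
    (132, SCAM, HOP_B, "USDC", 25000.0),
    (133, HOP_A, HOP_B, "USDC", 5000.0),         # ping-pong between hops
    (134, HOP_B, HOP_A, "USDC", 5000.0),
    (135, HOP_A, HOP_B, "USDC", 5000.0),
    (136, HOP_B, HOP_A, "USDC", 5000.0),
    (137, SPAMMER, HOP_A, "BRETT", 1.0),         # spam/airdrop noise
    (138, SPAMMER, HOP_B, "US_CIRCLE", 1.0),
    (139, HOP_A, HOP_B, "ETH", 0.0001),          # microtransfer noise
    (140, HOP_A, BRIDGE, "USDC", 40000.0),       # integration: bridge out
    (141, HOP_B, BINANCE_ADJ, "USDC", 25000.0),  # integration: towards a CEX
]


def net_outflow(transfers, wallet, token="USDC"):
    """Amount of `token` the wallet sent minus what it received back."""
    sent = sum(a for _, s, _, t, a in transfers if s == wallet and t == token)
    received = sum(a for _, _, r, t, a in transfers if r == wallet and t == token)
    return sent - received


def trace(transfers, start, token="USDC", max_hops=5):
    """Breadth-first walk along `token` transfers; returns {wallet: hop_depth}."""
    edges = defaultdict(set)
    for _, s, r, t, _ in transfers:
        if t == token:
            edges[s].add(r)
    depth = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if depth[node] >= max_hops:
            continue
        for nxt in sorted(edges[node]):
            if nxt not in depth:
                depth[nxt] = depth[node] + 1
                queue.append(nxt)
    return depth


def ping_pong_pairs(transfers, token="USDC", min_round_trips=2):
    """Wallet pairs that bounce `token` back and forth at least N full round trips."""
    counts = defaultdict(int)
    for _, s, r, t, _ in transfers:
        if t == token:
            counts[(s, r)] += 1
    pairs = set()
    for (s, r), forward in counts.items():
        back = counts.get((r, s), 0)
        if s < r and min(forward, back) >= min_round_trips:
            pairs.add((s, r))
    return pairs


def unknown_tokens(transfers, known=KNOWN_TOKENS):
    """Token symbols not expected in this flow: candidate spam/airdrop noise."""
    return {t for _, _, _, t, _ in transfers if t not in known}


def exit_totals(transfers, labels=LABELS, token="USDC"):
    """USDC arriving at labelled exit points (bridges, CEX-adjacent wallets)."""
    totals = defaultdict(float)
    for _, _, r, t, a in transfers:
        if t == token and r in labels:
            totals[labels[r]] += a
    return dict(totals)


if __name__ == "__main__":
    print("net victim loss:", net_outflow(TRANSFERS, VICTIM))
    for wallet, hops in sorted(trace(TRANSFERS, VICTIM).items(), key=lambda x: x[1]):
        print(f"hop {hops}: {LABELS.get(wallet, wallet)}")
    print("ping-pong pairs:", ping_pong_pairs(TRANSFERS))
    print("noise tokens:", unknown_tokens(TRANSFERS))
    print("exit totals:", exit_totals(TRANSFERS))
```

On a real export (the CSV mentioned in section 6) the trace is filtered to USDC on purpose: the ETH microtransfers and spam tokens would otherwise create spurious edges and inflate the hop graph, which is exactly the effect the obfuscation is meant to have on a manual review. The exit totals are what goes into the exchange and bridge reports listed in section 5.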

5. Recommended measures

  • Reporting to central exchanges:
    • Binance (Suspicious wallet: 0x3304…)
    • Allbridge (Bridge address: 0x8335…)
    • Coinbase (Sender address: 0x1985…)

→ Goal: Request KYC data, possible blocking of wallets

  • Blacklisting of the following key addresses:
    See section 9.2 in the original report (including 0xc99a…, 0xf5fe…, 0x2b16…)
  • Fighting malware on the end device:
    • Device check with Malwarebytes/ESET
    • Clean registry & App Data folder
    • Renew access data for wallets and emails
    • Activate DNS filter (to block suspicious domains)

6. Evidence available

  • Wallet and transaction data (CSV & graphs)
  • Screenshot of the fake platform
  • Hybrid analysis of the malware
  • Full transaction history on the Base chain

Are you also a victim of fraud? We will be happy to assist you.
