Fake Rabby Wallet scam linked to Dubai crypto CEO and many more victims

Unsuspecting users lost an estimated $1.6 million to a fake cryptocurrency wallet that somehow slipped through Apple’s strict app review process in February. Magazine follows a trail of clues on the blockchain to find out who’s behind the fake wallet.

The fraudulent app, posing as DeBank’s Rabby Wallet, remained on the App Store for four days, siphoning funds from multiple victims before Apple removed it.

“I never once thought it would be a scam since I had complete faith in the Apple App Store. About 20 to 30 minutes later, I opened my Rabby laptop wallet and saw my balance had basically gone to zero,” a fake Rabby wallet victim tells Magazine. 

One of the earliest victims to highlight the scam was X user Bthemouth, who reported his funds had been drained to the Rabby Drainer (RD) wallet “0x652…0371F.”

Blockchain analysis ties the RD wallet to “0x44Bd…9E480,” which was initially labeled “Konpyl” on the NFT marketplace OpenSea. While the account name has since been changed, its original label can still be verified at Arkham Intelligence, a blockchain data platform that tracks OpenSea accounts, among others.

A private investigator, who Magazine has confirmed is collaborating on the case with the authorities, claims that his investigation connects “Konpyl” to a larger web of at least 20 cases, and Magazine has independently confirmed links to seven of those.

The common denominator between this mountain of scams is the Konpyl address.

“He’s been doing this for about seven years, [and] he goes after users who put their life savings in some of this stuff, not like the big protocols,” the investigator tells Magazine.

The investigator shared images of Know Your Customer (KYC) records with Magazine, which were allegedly submitted to numerous exchanges by addresses linked to the scams.

The documents seen by Magazine are linked to “Konstantin Pylinskiy,” the CEO of Dubai-based investment firm Moonward Capital, who uses X and Telegram handles “@konpyl.” However, several fake KYC credentials and aliases were also used to open accounts, so Magazine is not suggesting Pylinskiy is Konpyl — just that the name is linked to the accounts. 

Initially, Konpyl greeted Magazine on Telegram with “How can I help you?” But when asked to clarify the connection between Konstantin Pylinskiy, the Konpyl online persona, and the Rabby wallet scam, he stopped responding.

Magazine has attempted to contact Pylinskiy through alternative channels, but he did not respond.

Moonward Capital also did not respond to Magazine’s request to comment on this story.

Magazine has confirmed with a United States government agency that an ongoing investigation is linked to the Konpyl address.

The latest inbound transaction to the Konpyl wallet is from an address flagged with a “Fake_Phishing” label on Etherscan. Its interaction with Konpyl is the sole outbound transaction.

The fake Rabby Wallet-Konpyl connection

“He had a drain bot in my account,” Bthemouth tells Magazine, referring to an automated script designed to siphon funds. “Even after all these months, it’s still active.”

The Rabby Drainer actor takes multiple steps to conceal its tracks, such as splitting criminal proceeds into multiple wallets and using DeFi services to obscure evidence and blend into the crowd.

The scammer then frequently consolidates large amounts of funds into subsequent wallets to deposit in centralized exchanges. Even after such obfuscation efforts, there are connections between RD and Konpyl.

Bthemouth’s drained funds went to Rhino, a multichain bridge that the Rabby wallet scammer frequents. The scammer deposited tokens into Rhino and withdrew them through another wallet.

Between February 15 and 18, RD drained several more victims, with most of the proceeds in ERC-20 tokens. On February 19, these tokens were converted to 52 ETH (approximately $151,000 at the time) using DeFi services like Uniswap and 1inch.

Later that day, the funds traveled to wallet “0xCE6A…b2Ac5,” which, along with Bthemouth’s money and an additional 7 ETH, transferred roughly $173,000 in Ether to Rhino.

Onchain detectives Tay and SomaXBT identified wallet “0x4E93…c71C2” as the Rhino output recipient. It acquired $173,388 in USDT in three transactions, with the first batch arriving around 10 minutes following the initial deposit.

Blockchain records show that the same Rhino output wallet received nearly $100,000 from Konpyl over six monthly transactions between February and July.

These funds eventually make their way to OKX.

The scammer appears to use several exchanges, typically employing more than one deposit address per exchange.

When analyzing wallets suspected of association with hacks, their first inbound transactions often leave important clues to associated wallets. Sometimes, they can show who funded the wallet’s gas fees.

But this is not a characteristic of Konpyl-related scams.

“[Konpyl] funds these accounts with victims’ wallets,” says the private investigator.

“He’ll take from other hacks to fund these hacker wallets, so you have no idea that it’s him.”

Rabby Wallet drainer’s total damage

Including RD, which drained an estimated $152,257 from victims, there are at least 10 addresses identified by public victim reports. These addresses are responsible for over $1 million in losses after users downloaded February’s fake Rabby wallet from the App Store.

The February incident wasn’t the first time a fake Rabby wallet appeared on the App Store. Another iteration of the scam used at least two other Konpyl-linked wallets to drain approximately $93,000 from victims in late 2023.

Magazine has confirmed that the older Rabby wallet scam is connected to Konpyl, with fund trails pointing to the same Rhino output address used in Bthemouth’s case.

The private investigator tells Magazine that three other suspicious wallets, suspected of being connected to the Rabby wallet scheme, drained $278,872, though these cases weren’t publicly reported by victims.

In addition, Magazine is aware of at least three more wallets that weren’t part of the Rabby fake wallet scheme but stole funds using other tactics, such as phishing links shared on social media. This trio of wallets also displays connections to Konpyl by using a common OKX deposit address as the Rabby wallet scammer and transferring funds to the Rhino output wallet.

Together, they drained $93,261 from victims, bringing the estimated loss connected to the Rabby fake wallet saga to at least $1.6 million.

Other scams linked to the fake Rabby Wallet

The 2024 Rabby wallet scam is not the first illicit activity with strong blockchain ties to the Konpyl address, blockchain records identified by the private investigator show.

For example, a victim report on Reddit states that a user’s funds were drained by wallet “0x0000…4e9Aba” (which we refer to as LS1 for Ledger Scam). A closer look at LS1 reveals similar deposit strategies to those used in the 2024 Rabby fake wallet schemes.

In 2020, LS1 used deposit address “0x05a8…a21e6” (YB1) to move funds into the cryptocurrency exchange Yobit. 

LS1 frequently interacts with “0x1111…858eB” (LS2), sending and receiving over $51,000 of crypto with each other over 14 transactions for a year starting from April 2020.

The two wallets appear to use different deposit addresses on Yobit, as LS2 favors “0x7e17…873cE” (YB2).

YB2 was regularly used by Konpyl at that time to move funds to Yobit. Konpyl sent over $41,000 of ETH across 23 transactions from September 2020 to February 2021.

YB1 and YB2 are further connected by “0xBd7D…A2DB7.” It uses the second deposit address five times for $196,000 in ETH while logging a 2.4-ETH transaction to YB1.

This wallet also has two direct transactions from Konpyl for 6 ETH.

Investigation into fake Rabby Wallet and other scams continues

“One of my goals is for Apple to get off their ass and go after scammers on their App Store. I reported to Apple months ago but never heard back,” the investigator tells Magazine.

Rival tech giant Google previously set a precedent of responding to such fraud schemes earlier this year when it sued a group of alleged crypto scammers for defrauding more than 100,000 people by uploading dodgy apps on its marketplace Google Play.

Bthemouth has given up on recovery efforts and says he’s already done “everything” that he can.

A victims group was formed early on, but by now, “everyone went on with their lives.”

“It’s a dead end,” Bthemouth says.

But there is still some hope for victims. 

Investigations by law enforcement agencies and private blockchain detectives are ongoing, with Konpyl and associated wallets remaining at the center of suspicion.

This article first appeared at Cointelegraph.com News