It's a dog-eat-dog world for crypto scammers.

New reports have just revealed how one individual identified crypto scammers in order to rob them of their ill-gotten funds.

Crypto scammers often employ social engineering techniques to interact with victims and convince them to part with their hard-earned money. Scammers do this either by sending funds directly to fraudsters or by providing the permissions needed to get access to wallets.

Water Labbu, the name of the individual who robbed the scammers, reportedly leveraged a similar method to steal cryptocurrencies, obtaining access permissions to their victim’s wallets. They, however, didn’t use any kind of social engineering, leaving the dirty work to the original fraudsters.


Instead of creating their own scam websites, Water Labbu compromised the websites of other scammers that were posing as legitimate decentralized applications (dApps) and injected malicious JavaScript code into them.

Lurking in the shadows, Water Labbu patiently waited for high-value victims to connect their wallets to a scam dApp, before injecting a JavaScript payload into that website to steal the funds.

Nothing changed for the original scammer’s victims—they still were robbed. The only difference is that Water Labbu began snatching crypto from the fraudsters, diverting the funds to their own wallets.

“The request is disguised to look like it was being sent from a compromised website and asks for permission to transfer a nearly-unlimited amount of USD Tether from the target’s wallet,” reads Trend Micro’s report.

The Water Labbu attack flow. Source: Trend Micro

Water Labbu makes off with more than $300,000

In one identified instance, the malicious script successfully drained USDT from two addresses, swapping them on the Uniswap exchange—first to the USDC stablecoin and then to Ethereum (ETH)—before sending the ETH funds to the Tornado Cash mixer.

The report also noted that Water Labbu used different methods for different operating systems. For example, if the victim loaded the script from a desktop running Windows, it returned another script showing a fake Flash update message asking the victim to download a malicious executable file.

Trend Micro said Water Labbu had compromised at least 45 scam websites, most of them following the so-called “lossless mining liquidity pledge” model, the dangers of which law enforcement agencies alerted about earlier this year.

According to security analysts, the profit made by Water Labbu is estimated to be at least $316,728 based on transaction records from nine identified victims.

Daily Debrief Newsletter

Start every day with the top news stories right now, plus original features, a podcast, videos and more.