Doxing agent0000 thought process

This is just an exercise of a Challenge recently published by The Secret Agency.
https://twitter.com/SCRT_Agency/status/1570775633223122945
I thought I'd best paste it here rather than struggle breaking it down on Twitter.

Doxing agent0000 thought process:

secret1fe6rnp2aucgw9h69tr8jm6x7ars8g9td7yuww0

The first clue is that the keyboard-smash string is a Secret Network public address because it starts with secret1. Paste the address into secretnodes.com and see what we can find!

Agent0000 staking 6 SCRT to WhisperNode :zipper_mouth_face: and Citadel.one validators is a minor detail but could become supporting evidence. Chances are high that you also join Telegram or Discord chats of your validators and publicly follow and comment on their Twitter accounts.

Secretnodes shows the account has 19 transactions, and you can make a list of the contracts that the account had interactions with:

  • Sscrt
  • Secret-dai
  • Secret-luna2
  • 2021-05-01_22-44-51-600_SIENNA_SNIP20
  • Validators Citadel.One & WhisperNode :zipper_mouth_face:

So we know Agent0000 likes to play with some SNIP20’s such as sSCRT, sDAI, sLUNA2 and SIENNA. Out of those, we know that sSCRT and perhaps SIENNA are probably pretty busy and used by many. However, maybe 1 or 2 people are still dealing with sDAI or sLUNA2 contracts. You can tell by the amount of liquidity these tokens have on SN; opening and inspecting their contracts confirmed my suspicion. Therefore, it is safe to assume that a linking public address to Agent0000 would not be very hidden in those low-liquidity SNIP20s as their contracts would be relatively quiet, which could increase the chances of catching Agent0000!

However, something else caught my eye. Call it coincidence or time for a break, but the first transaction of secret1…yuww0 was made at 16:20 UTC, 420 Brah!! How could the prize not be hidden behind there? So I followed the TX FE0479AD5864BE8097658EE9EC464BF3603618D11DD6C006E84DBBFEF2C8E3F4 and opened the Raw JSON to see a bunch of code filled with GREEN strings and values. I KNEW I WAS AT THE RIGHT PLACE AND AT THE RIGHT TIME! All I was expecting now was Luigi to knock on the door and offer me a slice of pizza.

Anyway, all I can understand somehow and visualize is the clue address and the secret1k0jntykt7e4g3y88ltc60czgjuqdy4c9e8fzek address, which is the sSCRT SNIP20 contract: “11400000” “uscrt” “sent_funds”. I got stuck and gave up.

Then for some reason, I tried the atomscan.com explorer to see if there was anything else, and to my surprise, the first transaction hash of the clue address was 53645BFC8915BE5627886214735DC883DD815488C9EA6C7B98D500F89706FA31. Why different from secretnodes.com? Well, the transaction interacted with the secret132u3k3snt949r2kvetj6j2csjketjaz3lgrlez contract, which upon looking on secretnodes.com was tagged as the Cloak-V3 contract!

I remember reading about Cloak somewhere in “How to Create and Maintain a Private Wallet (Tutorial)” by Secret Network on Medium. It is the BlackBox contract! And I also remember reading this: “To ensure the privacy of your new wallet, we recommend waiting for a while, as there are ways to analyze chain data to connect wallets if transactions happen close together or simultaneously. We recommend waiting for a few hours.”

Let’s see then what transactions occurred around 16:20 on the BlackBox Cloak-V3 contract. And there was one just 3 minutes apart, at 16:23, with the following at 19:50 and the prior at 12:30. This made 058C4E35171642CDEE54DF6681005E8B5BC0DBDA02D5249EB819EA377958D0B0 really suspicious! Upon inspecting the Raw JSON for SecretNetwork addresses, a new one appeared as “coin_received” 10200000uscrt “receiver” secret13sxrnyvx5wxxflhw8yzqax2ftsrd0d5zfeflxs

Things began to click. I remember the first TX had 11400000 uscrt sent_funds, which is not much of a difference if you perhaps factor in gas costs and Blackbox mixer fees (if they have any). So I looked up secret13sxrnyvx5wxxflhw8yzqax2ftsrd0d5zfeflxs on secretnodes.com just to see it has also staked 6 SCRT to the WhisperNode :zipper_mouth_face: and Citadel.one validators, and that was just convincing evidence that this was the linking public address of agent0000.

Factors that contributed to the finding:

  • Reading the Manual to learn about BlackBox|Cloak contract.
  • Inspecting Raw JSON (amateur level)
  • Identifying illiquid SNIP20’s such as luna2 and DAI
  • Trying different blockchain explorers
  • 420

In the future:

  • SecretNetwork reaches 2,500 TPS average, SNIP20’s are flying and so are sNFT
  • BlackBox, stakely faucet are running hot, with multiple transactions in the same block
  • Entire Cosmos relies on SecretNetwork, more users, more anonymity
5 Likes
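
An added example, not part of the original post or of Secret Network's code: a self-check a wallet owner could run before moving funds through a mixing contract, counting how many payouts an observer could not rule out for a given deposit. The 16:20 and 16:23 times and the two uscrt amounts are the figures quoted in the post; the event kinds, the other two amounts, the 30-minute window and the 15% fee allowance are assumptions.

```python
# Constructed sample of one day's activity on a mixing contract.
# Times are HH:MM UTC. Only the 16:20 and 16:23 amounts come from the post;
# the "kind" labels and the 12:30 / 19:50 amounts are invented for illustration.
EVENTS = [
    {"time": "12:30", "kind": "withdraw", "amount": 48_000_000},  # constructed
    {"time": "16:20", "kind": "deposit", "amount": 11_400_000},
    {"time": "16:23", "kind": "withdraw", "amount": 10_200_000},
    {"time": "19:50", "kind": "withdraw", "amount": 2_500_000},   # constructed
]


def minutes(hhmm):
    """Convert 'HH:MM' to minutes since midnight."""
    hours, mins = hhmm.split(":")
    return int(hours) * 60 + int(mins)


def candidate_payouts(deposit, events, window_min, max_fee_fraction):
    """Return the payouts an observer cannot rule out for `deposit`.

    A payout stays in the set when it follows the deposit within
    `window_min` minutes and its amount is between the deposit minus an
    assumed maximum fee and the deposit itself. A set of size 1 means the
    deposit and payout addresses are effectively linked.
    """
    start = minutes(deposit["time"])
    floor = deposit["amount"] * (1 - max_fee_fraction)
    matches = []
    for event in events:
        if event["kind"] != "withdraw":
            continue
        delay = minutes(event["time"]) - start
        in_window = 0 <= delay <= window_min
        in_amount = floor <= event["amount"] <= deposit["amount"]
        if in_window and in_amount:
            matches.append(event)
    return matches


def anonymity_report(deposit, events):
    """Anonymity-set size under three observer assumptions."""
    return {
        "time_and_amount": len(candidate_payouts(deposit, events, 30, 0.15)),
        "amount_only": len(candidate_payouts(deposit, events, 24 * 60, 0.15)),
        "time_only": len(candidate_payouts(deposit, events, 30, 1.0)),
    }


if __name__ == "__main__":
    deposit = EVENTS[1]
    print(anonymity_report(deposit, EVENTS))
```

On this quiet contract every set has size 1, so either the timing or the amount alone is enough to pair the two addresses; waiting a few hours helps only if other payouts of similar size land in the same window.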

This was an impressive display of chain analysis and very well played!

3 Likes

Well done! Stay tuned to https://twitter.com/SCRT_Agency for more chances to win! :male_detective:

2 Likes

Sounds like he’s been caught red handed

1 Like