Unveiling the masterminds behind the PEPE ten-thousand-fold myth: manipulating the market to launder Rug Pull project funds, now buying luxury cars and living in mansions

Original: NFTethics

整理: Odaily 星球日报

If you are a fan of meme coins, you must have heard of this year's hottest project, PEPE, and you may have also heard related wealth myths. For example, some so-called "SmartMoney" addresses bought in for $100 at the beginning of PEPE's issuance and have never sold, ultimately yielding tens of thousands of times (on-chain data can confirm this).

Why can't ordinary people become the first wave to board and catch the "ten-thousand-fold coin"? Because, in such projects, the most profit is made only by the operators, who can buy at the bottom and escape at the top; moreover, the original intention of these meme projects is often just to help launder some dirty money.

Recently, X platform (formerly Twitter) user "NFTethics" published several long articles, through meticulous on-chain analysis and various evidence, identifying the true identity of the operator behind PEPE.

To summarize the key points of their tweets:

1. The funds from the Rug Pull project AnubisDAO in November 2021 were laundered through this year's popular PEPE project, and the operator behind it is the anonymous and well-known DeFi investor Sisyphus.

2. Sisyphus's true identity is Kevin Pawlak, head of OpenSea Ventures, who now lives extravagantly;

3. Sisyphus (i.e., Kevin Pawlak) is the real mastermind behind the AnubisDAO project, having obtained the private key of the project manager at that time through hacking and transferred the funds, successfully finding a scapegoat to evade responsibility.

The latest news is that an OpenSea spokesperson responded to the matter: "Kevin Pawlak left in June 2023, and his work scope at OpenSea was limited, holding a non-management position. We do not know if he was involved in the AnubisDAO Rug event. Additionally, we have no connection to the related projects and no relevant information, as these projects were conducted before he joined OpenSea."

1. Anubis Project Rug Funds Laundered Through PEPE

Let's go back to November 2021, when the OlympusDAO clone project AnubisDAO (token ANKH) raised 13,256.4 ETH (worth about $57 million at the time) after conducting an LBP (Liquidity Bootstrapping Pool). However, soon after, the management discovered that these funds had been transferred to another new address, while the LBP had already been ongoing for 20 hours and had not yet reached its end time.

What role did our protagonist Sisyphus play in AnubisDAO? On the surface, he was the project's promotional ambassador, but behind the scenes, he was the mastermind (which will be introduced later).

The day before the funds from AnubisDAO were drained, Sisyphus was still vigorously promoting the project in the Discord community, claiming he had already bought $420,000 worth (remember this point, it will be tested) and would buy more; to dispel everyone's concerns, Sisyphus also stated that this project would never Rug, and even if development went poorly, everyone would eventually get their principal back.

As a result, the next day, the project really Rugged. Sisyphus immediately wrote a long post to clear his name, stating that he had already contacted law enforcement agencies in the U.S. and Hong Kong, urging the hacker to return the money quickly. After that, Sisyphus went silent and stopped updating any news related to AnubisDAO, as if $420,000 was just a small amount of money.

Of course, the hacker did not return the stolen funds from AnubisDAO. Over the past two years, these stolen funds have continuously been transferred into various mixers and platforms that do not require KYC for laundering. One wallet (Anubis Rug 3) interacted with a KYC-free platform FixedFloat in Seychelles—this wallet's gas was sent by FixedFloat. As shown below:

Interestingly, the initial funds of early PEPE holders also came from the FixedFloat platform, such as Zach Testa (account: DegenHarambe) and Max Zim (account: SumFattyTuna). Notably, Zach Testa bought in just minutes after the PEPE token contract was released on April 14, and then posted about the project; three minutes later, Max Zim immediately retweeted and also bought PEPE. The whole process seemed very smooth, as if everything was rehearsed.

Sisyphus had a very close relationship with Zach Testa and Max Zim, with reports suggesting that Zim was Sisyphus's former roommate. Before the AnubisDAO Rug, Sisyphus's wallet had interacted with Zim in terms of transfers; moreover, the two had participated in a program interview together—Sisyphus did not appear in person.

On April 17, Sisyphus tweeted, "Someone turned 0.02 ETH into 63 ETH over the weekend using a token called 'pepe'," and posted a certain address starting with 0x5DD. Zim immediately responded to Sisyphus's post, and the two interacted.

Interestingly, the address starting with 0x5DD received initial funds from the FixedFloat platform on April 7. Additionally, on April 7, another version of the "PEPE" token (referred to as aPEPE for distinction) was also launched, sharing the same contract and early holders as the currently well-known version of PEPE. For instance, Zim entered to buy aPEPE at the very beginning of its sale on April 7—but he later claimed in a community interview that he had never heard of PEPE before. It seems that Zim knew from the start that the PEPE coin was going to rise.

The coincidences do not end there. Two minutes after the Anubis Rug 3 wallet transferred 3,000 ETH, Zim's wallet address began on-chain interactions to buy PEPE; investigations found that whenever wallets associated with Anubis Rug were active in transfers, Zim's wallet seemed to be involved in PEPE-related operations.

Moreover, Anubis's funds were primarily laundered through platforms like Stake; the wallet addresses related to PEPE also transferred large amounts of funds to Stake after the launch date of PEPE (April 14) and then from Stake to FixedFloat. Additionally, most of the stolen funds from Anubis were transferred out between March and July this year, which overlaps with the growth cycle of PEPE, indicating a deep connection between the two, suggesting that the stolen funds may have been laundered through the hype of PEPE.

The complete whereabouts of the stolen funds from Anubis still require some CEX and OTC platforms to work together—some of the funds flowed into platforms that require KYC. Whether the stolen funds from Anubis are related to the hype of PEPE still needs more evidence for verification.

To add a detail, in August this year, the PEPE team had internal strife, with several former members privately deleting multi-signature permissions to sell tokens, and the official team eventually issued a vague announcement.

2. Sisyphus Leads Anubis and Designs the Rug Pull

The blogger "NFTethics" obtained internal chat logs from team members a few days before the funds from Anubis were stolen.

Based on investigative reasoning, Sisyphus seems to be the real mastermind behind the project, as almost everything required his approval and signature, including the exact wording of every tweet and every technical/financial issue. Moreover, the project Rug Pull appears to have been orchestrated by Sisyphus himself, successfully making another member, "Beerus," take the blame.

In the team division of labor chart, Sisyphus positioned himself as "responsible for external public relations and helping to unite DAO members," but in reality, he was the one giving orders.

Team member "AureliusBTC" said in the chat, "None of us really understand LBP (Liquidity Bootstrapping Pool), but as long as Sisyphus understands, that's enough." When another member, "Beerus," posted to publicly announce a new member joining Anubis, Sisyphus immediately instructed him to delete the tweet, and Beerus complied. Furthermore, Sisyphus also mentioned in the chat that he had contacts with Alameda Research (SBF's crypto company) and that they had also purchased Anubis's token ANKH.

Let's turn our attention back to the draining of liquidity from Anubis. After the incident, Sisyphus publicly claimed, "DAO members agreed to let Beerus deploy the LBP because they were either too busy or didn't want to take responsibility." However, there is no evidence in the internal chat to support this claim—indeed, Sisyphus initially mentioned that they were using "the best multi-signature ever," but later in the chat, he said he couldn't sign to authorize it—leading to speculation that he might have changed the original multi-signature to be solely under Beerus's responsibility, thus laying the groundwork for the subsequent attack. The timeline of the story is as follows:

• On the night of October 28, Sisyphus mentioned he was going to sleep for 6 hours, with his last message at 00:16;
• The next morning, when he joined the chat, it was 07:18, and he had answered a few questions in the group;
• At 07:20, Beerus, who held the LBP management authority, received an email from Sisyphus's email address—containing a PDF with a SAFT (Simple Agreement for Future Tokens)—Beerus later mentioned that this PDF contained a Trojan virus that compromised his computer and stole LBP management permissions;
• At 07:26, Sisyphus communicated with Beerus for a while, reminding him to stay alert before the LBP ended, continuing to chat until 07:44, with 4 hours remaining until the LBP ended;
• At 07:48, the LBP funds were exhausted, and all ETH was withdrawn from the management account to a new address, leaving behind a pile of worthless ANKH tokens.

According to subsequent investigations, neither the Copper platform nor Balancer's smart contracts were breached or damaged. In other words, Beerus's wallet account as the LBP creator was either truly hacked as he claimed or was self-directed. Meanwhile, Sisyphus claimed that his email address never sent that email.

Who is lying? We can infer from some side information. First, it wasn't just Beerus who received the email; other VC contacts also received it—what's different is that Beerus received the PDF email at 07:20, while others received it half an hour later, some even several hours later. One possible explanation is that the attacker sent mass emails to confuse the attack targets and also reserved time for Beerus to open the PDF to attack his computer.

Furthermore, when analyzing the other received PDFs afterward, there were no visible anti-spoofing warnings. SPF does not flag Gmail addresses unless the address does not actually come from Gmail; based on the photos, that address likely sent the actual email. In other words, these emails were indeed sent from Sisyphus's real email address—yet Sisyphus adamantly claimed he never sent any emails and pretended to be clueless in the group, asking, "What does this mean?"

Additionally, analysis of other people's emails found no Trojan virus loaded—actually, it might only be Beerus's that had the virus, and afterward, he submitted his computer to the Hong Kong police to clear his name (there has been no recent progress, and the incident seems to have fizzled out).

The question arises: how did the attacker know that Beerus held LBP management permissions? Aside from some insiders, no one knew that Beerus was the (only) one with control. In fact, Anubis team member Convex mentioned this in the group chat: "Why would Beerus even receive malware? It makes no sense for him to be the attack target. It's well known that I and aureliusBTC are the developers, more like the ones holding the private keys. Outsiders have no idea about Beerus's specific situation."

Interestingly, Sisyphus also asked Beerus, "Dude, what did you click?" At this point, Beerus had not yet revealed to everyone that he clicked on that malicious email PDF; how did Sisyphus know?

After the LBP fund pool was drained, Sisyphus accused Beerus of executing the Rug on the project, saying, "You ruined my reputation." Moreover, Sisyphus also published the attacker's IP address, mentioning it came from Beerus's residence in Hong Kong—however, this IP address came from a third-party VPS provider, which can rent servers from different regions and lacks reference value. Later, Beerus was doxxed by investors, revealing his true identity as the son of a well-known figure in Hong Kong's horse racing scene, Zhang Shunzheng, who was 19 years old at the time.

Another detail is that Max Zim, an early participant in PEPE mentioned earlier, also participated in the Anubis sale. Afterward, he defended Sisyphus on Twitter, as the two had a close relationship.

3. Sisyphus Opens a New Account, True Identity is OpenSea Ventures Head Kevin Pawlak

As we mentioned earlier, Sisyphus, who claimed to have invested $420,000 in the Anubis project, showed no signs of disappointment after the project Rugged. After posting a long message to clear his name, he stopped paying attention to subsequent developments.

On November 6 (a week after the attack), Sisyphus opened another account on Twitter under the alias "0xMagallan" (now deactivated). This account was unusually active over the past two years, with over 5,000 posts, participating in various project marketing, and containing two wallet addresses: ferdinand-magellan.eth and ukrainedonations.eth.

In fact, Sisyphus (Kevin Pawlak) has many controversial aspects. For instance, he once purchased an expensive NFT Etherrock 72 and fragmented it into PEBBLE tokens on the NFT fragmentation protocol Fractional, selling it at a very high premium. In terms of ETH, the PEBBLE token has fallen over 99% from its peak. The project was shut down in 2023, ending all operations; the PEBBLE website pebble.xyz has also expired and is up for sale.

It seems that no one has ever seen the true identity of Sisyphus or 0xMagallan, and there is no related information online. However, "NFTethics" confirmed his true identity through various on-chain information and multiple sources, identifying him as Kevin Pawlak, head of OpenSea Ventures.

Kevin Pawlak

First, the timestamps on the pawlak.eth and sisyphus.eth addresses match perfectly. On-chain data shows that they both minted Zorbs (ZORB) within a minute of each other, and they also minted sismo.eth DAO (SDAO) within ten minutes, with other on-chain operations occurring in very short intervals, indicating that the accounts were basically active in sync.

Interestingly, Kevin Pawlak often used the alias "Sisyphus" to post some critical comments about OpenSea—perhaps to apply pressure on them to launch a project from which he could benefit the most, or maybe just to vent.

More people, including TheBlock reporter Tim Copeland, confirmed that Sisyphus's true identity is indeed Kevin Pawlak—his identity is well-known in small circles. He has now renamed his wallet to pawlak.eth. The wallet address is: 0xBB5BB336d1Db8471B77F936C210B15fa2A5b3cbb.

Kevin Pawlak is very intelligent, a semifinalist in Intel's Science Talent Search, holding a degree in chemical engineering, and aspired to be a surgeon/scientific researcher. However, those who know him mention his dark side: ruthless, unethical, and antisocial, capable of lying without conscience or remorse.

In October last year, Kevin Pawlak purchased another property in New York for $3.3 million. According to insiders, Kevin Pawlak recently bought a Rolls Royce and a Lamborghini in France (worth over $1 million) and privately flaunted his wealth and luxurious lifestyle.

Currently, Kevin Pawlak (Sisyphus) has not responded to external doubts. If there are any updates, Odaily Planet Daily will report on them as soon as possible.