Ghostline @ghostlineboo.bsky.social

Punk is as punk does. Creator of Sisu wallet forensics. See Where The Money Went
ghostline.boo

🚨 SISU ALERT — CRITICAL RISK

📍 Known Exploit: Ronin Bridge Exploiter (Lazarus)
🔗 ethereum
💰 176,016.0 ETH · ⚠️ 233 flags
Score: 100/100
Wallet: 0x098B...2f96

🔍 ghostline.boo
0
0
1
An hour after splashdown:
0
0
0
The 5110% ratio is the tell. Real wallets don't send 51x what they receive in 60 minutes unless there's a pre-loaded balance waiting for the trigger. This is a layering account with a loaded chamber.

Class is over, pal. 5/5
0
0
0
4/ The wallet is both predator and prey simultaneously. It's structuring outbound. It's being poisoned inbound. Everyone in this ecosystem is trying to steal from everyone else.
1
0
0
3/ Meanwhile 13 attacker wallets sent it 44 dust transactions across 4 coordinated poisoning campaigns. 14 vanity addresses generated specifically to mimic its real counterparties.
1
0
0
2/ 6 structuring transactions to 2 recipients in 24 hours. Amounts clustered between 0.248 and 0.355 ETH — tight enough to look like normal activity, variable enough to avoid exact-match detection.
1
0
0
1/ 0x590ebe…dc. A wallet that consistently sends out far more than it receives — because it's already loaded. The tiny inbound deposit is just the trigger. The outbound is the layering run.
1
0
0
Listen up, pal. A wallet received 0.0147 ETH. Within 60 minutes it sent out 0.7494 ETH. That's a 5,110% pass-through ratio. Here's what that means. 🧵
1
0
0
The relay and the poisoning aren't separate operations. They're the same operation. Move the money. Poison the trail. One wallet doing both simultaneously for 365 days.

Class is over, pal. 5/5
0
0
0
4/ Six campaigns. Six real counterparties being mimicked. Twelve vanity addresses generated and deployed in coordination. All running while the relay function moves funds through in sub-5-minute windows.
1
0
0
3/ Each poisoning campaign deploys 2 vanity addresses that match both the first 4 AND last 4 characters of the real counterparty. That's not brute force — vanity address generation takes computation. These were pre-manufactured.
1
0
0
2/ Three active funding relays, all running simultaneously. Source A funds it, matching amounts forward to Destination A in under 1 minute. Source B funds it twice — forwarding to two different destinations in 2 and 4 minutes respectively.
1
0
0
1/ 0x24f87c…43. April 24, 2025 — almost exactly one year ago. In that time it built out a full dual-function operation: layering infrastructure on one side, address poisoning factory on the other.
1
0
0
Listen up, pal. One wallet. Three simultaneous relays. Six coordinated poisoning campaigns running at the same time. Active for almost exactly one year. 🧵
1
0
0
The dormancy is the technique. Not the sleep — the waking up. A wallet that’s been cold for years draws less automated scrutiny on reactivation. That’s the window.
Class is over, pal. 5/5
0
0
0
4/ This isn’t a reactivated old wallet. The timing is deliberate. 3.2 years of dormancy creates distance from the original source. When it woke up, it was already layered.
1
0
0
3/ $968,795 sent in the traced window. 56 unique recipients. And mixed in with the structuring runs: 64 dust transactions poisoning 6 victim addresses simultaneously.
1
0
0
2/ The structuring is almost perfect. Amounts range from 2.873 ETH to 2.890 ETH — a spread of just 1% across 62 transactions. That’s not a coincidence. That’s a script calibrated to stay below detection thresholds.
1
0
0
1/ 0xba9e575…21. Created 2021. Silent for 1,163 days. Then: 62 outgoing transactions in 24 hours to 56 unique recipients. Someone had been waiting.
1
0
0
Listen up, pal. A wallet went dark in September 2021. It woke up April 8, 2026 — 3.2 years later — and immediately started structuring. Here’s the story. 🧵
1
0
0
5/ A wallet this size doing this volume of dust attacks isn't a script kiddie. It's infrastructure. The funds are the war chest. The poisoning is the revenue model.

Class is over, pal. 5/5
0
0
0
4/ 5 chains active simultaneously: Ethereum, Arbitrum, Polygon, Celo, Linea. The poisoning campaigns run across all of them from a single address holding a third of a billion dollars.
1
0
0
3/ The token portfolio: GALA (rug pull risk, upgradeable proxy, liquidity not locked) and PENDLE (owner can mint unlimited supply). Neither is an accident. Both are operational cover.
1
0
0
2/ Of its 200 traced transactions, 154 were dust or zero-value — sent to 43 unique victims across 5 chains. 92% of all outbound activity is address poisoning. The money just... sits there while the attacks run.
1
0
0
1/ 0x28c6c06…d60. Balance: 99,478 ETH. That's $318 million sitting in one wallet, right now, today. It received funds from Coinbase 10, BitGo, and a wallet Etherscan already labeled Fake_Phishing1105440.
1
0
0
Listen up, pal. A wallet holds $318 million in ETH — 99,478 ETH — and spends its days sending dust to 43 victims. Here's what we found. 🧵
1
0
0
Load more