Aswan CTF OSINT Challenges

April 27, 2025


Welcome to our write-up for the Aswan CTF 2025, where our team, 0xD4wn, battled it out among fierce competitors to secure a well-earned second place! The competition was a thrilling test of skills, with challenges spanning various domains, but the OSINT (Open-Source Intelligence) category truly put our investigative prowess to the test. In this write-up, we’ll dive into the three gripping OSINT challenges that had us chasing digital breadcrumbs across blockchains and social platforms. From unmasking a notorious crypto whale to tracing their financial trails, here’s how we tackled


Description

In the shadows of the blockchain, a notorious crypto whale has been making waves with massive leveraged positions that netted over $20M in profits. Intelligence suggests this whale has connections to illegal activities, including exploits against crypto casinos and phishing campaigns. You've been tasked with following digital breadcrumbs to expose this threat actor's identity. Our team has tracked suspicious activity to a cluster of wallets, particularly focusing on wallet addresses connected to the Hyperliquid platform. During our investigation, we discovered this wallet's owner verified their identity through a cryptographic signature that revealed their Twitter handle. Your first task is to locate this critical piece of evidence - find the signature hash that exposed the threat actor's social media presence. Answer format: YAO{signature_hash}

First of all, let’s search for this incident. We have some interesting keywords here: “crypto whale”, “$20M in profits”, “Hyperliquid platform”.

With these we can start our hunt.

Nice: searching with the keywords we noticed, we found a blog about the incident.

The investigation is by “ZachXBT”; let’s see what he found.

I have got the “X.com” thread for Zach’s investigation: https://x.com/zachxbt/status/1902713021937426495

Now we have got the X handle for the criminal, “@qwatio”. Let’s search for it.

I have got this by following Zach’s investigation and here we got the first flag: YAO{0xd2e57d51712606b3674270ec6005db8e695d4839cf1719205b58702c0f2d0dbc1b02070be232121e60bb48008e59f7b308e803b77a29cc4de826ac863c7ccca81c}


Let’s see the second challenge

Description

The investigation deepens as we follow the cryptocurrency trail across multiple blockchains. The suspect appears to be highly skilled in covering their tracks, but every criminal leaves traces. We've uncovered a Telegram account linked to the suspect through negotiations with a Solana-based casino after an input validation exploit. The casino reported losing over $100,000 through an unusual loophole that altered game mechanics. This Telegram account was active during critical moments of the heist but was later updated before going completely dark. When was the last time the suspect's Telegram account was updated before they disappeared? Answer format: YAO{DD/MM/YYYY}

Here we need to get the date of the last activity. Let’s see if Zach has something for us.

From these pictures you can get the date the hard way (brute force, which is what I used to solve it).

Here we see a rug-pull by the criminal, which for sure will make him want to cover his traces.

So we have the date 10/02/2025, but is it the date?

In his investigation, Zach says that was after the casino incident, so of course he should have deleted before the rug-pull.

So I tried these dates: 10/02/2025, 09/02/2025, 08/02/2025

and we got the flag

YAO{08/02/2025}


Description

With the suspect's communication channels mapped, we need to track their financial movements. After accumulating significant profits, the whale transferred a substantial portion of their funds to another Ethereum wallet for safekeeping. Your final task is to identify the specific transaction ID where the attacker moved their first funds to a new wallet. Answer format: YAO{transaction_hash}

Here we want to search the criminal’s transactions for:

  1. The first transaction.
  2. This wallet.

Let’s use Blockchain.com

Boom!! here we go so the flag is YAO{0xbd998d274c34fc38315d21d8b91095d535a2dfff8446c704b06f98afe88f0f9c}
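An added example, not part of the original write-up: a format check that tells the two hex flags above apart before submission. The challenge 1 value is 65 bytes and the challenge 3 value is a 32-byte transaction hash. It assumes the 65-byte value is a standard Ethereum ECDSA signature laid out as r || s || v; `classify_flag` and the returned field names are hypothetical.

```python
import re

# Order of the secp256k1 group, the curve Ethereum signatures use.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
FLAG_RE = re.compile(r"^YAO\{0x([0-9a-fA-F]+)\}$")

# The two hex flags as they appear in this write-up.
SIG_FLAG = ("YAO{0xd2e57d51712606b3674270ec6005db8e695d4839cf1719205b58702c0f2d0dbc"
            "1b02070be232121e60bb48008e59f7b308e803b77a29cc4de826ac863c7ccca81c}")
TX_FLAG = "YAO{0xbd998d274c34fc38315d21d8b91095d535a2dfff8446c704b06f98afe88f0f9c}"


def classify_flag(flag):
    """Describe the hex value inside a YAO{0x...} flag (hypothetical helper)."""
    m = FLAG_RE.match(flag.strip())
    if not m or len(m.group(1)) % 2:
        return {"kind": "invalid"}
    raw = bytes.fromhex(m.group(1))
    if len(raw) == 32:                      # transaction hash size
        return {"kind": "hash32"}
    if len(raw) != 65:                      # neither a hash nor r || s || v
        return {"kind": "unknown", "length": len(raw)}
    # Assumed layout: 32-byte r, 32-byte s, 1-byte recovery value v.
    r = int.from_bytes(raw[:32], "big")
    s = int.from_bytes(raw[32:64], "big")
    v = raw[64]
    return {
        "kind": "signature",
        "r": r, "s": s, "v": v,
        "in_range": 0 < r < SECP256K1_N and 0 < s < SECP256K1_N,
        "low_s": s <= SECP256K1_N // 2,     # canonical (non-malleable) form
        "v_ok": v in (0, 1, 27, 28),
    }


if __name__ == "__main__":
    for name, flag in (("challenge 1", SIG_FLAG), ("challenge 3", TX_FLAG)):
        info = classify_flag(flag)
        summary = {k: info[k] for k in ("v", "in_range", "low_s", "v_ok") if k in info}
        print(name, info["kind"], summary)
```

Passing these checks only shows the value is well-formed; confirming who signed it requires the signed message and public-key recovery, which this block does not do.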

