The purpose of this post is not to criticize or take a political stance, but rather to provide researchers and investigators with useful OSINT techniques for analyzing Web3 environments. This scenario is perfect for such an analysis, as it contains multiple elements that allow for a thorough examination.
I have divided this analysis into three parts:
- Analysis of Twitter (now X) posts
- Analysis of the website and domain
- Analysis of the contract
Let’s begin:
Part 1: Analysis of Twitter (now X) Posts
On February 14, an important event took place regarding a suspected scam. The controversy revolved around a cryptocurrency called $LIBRA, which was mentioned by a Latin American president.
Post mentioning the cryptocurrency $LIBRA
However, this post was deleted a few hours later, as confirmed by President Milei: https://x.com/JMilei/status/1890606683291779195
Post after deleting the tweet mentioning $LIBRA
Shortly after, the value of the cryptocurrency dropped.
Although the tweet no longer exists, the website and the contract remain accessible, allowing us to conduct an analysis and identify patterns. These patterns suggest that the website and the cryptocurrency show signs of being a scam.
Part 2: Analysis of the Website and Domain
When visiting the website www.vivalalibertadproject.com, users with MetaMask installed receive a security warning.
Upon entering, the first thing presented is the contract address, which we will analyze in the next section.
Additionally, there are two buttons labeled “Request Funding”, which redirect users to a Google Forms page.
This form requests the following information:
- Name
- Social media accounts
- A description of the project and how the requested funds will be used
This information is easily visible in the website’s source code or directly from the browser. However, two additional key pieces of information stand out:
- An email address
- The name of a company
We also observed that KIP Network (KIP Protocol) mentioned the $LIBRA cryptocurrency on their X (Twitter) account on February 14.
However, their current statement claims that this is a private project and that it has no relation to President Milei.
Regarding the email address, we noticed that it uses Gmail:
📧 vivalalibertadproject@gmail.com
For serious companies or projects, it is best practice to use a corporate email rather than a generic Gmail account, which can be easily created.
By analyzing the account recovery options, we discovered the following:
- The recovery phone number appears to be from the U.S. and ends in 72.
- Another recovery email is a Gmail account starting with “jo” followed by six characters.
Domain Analysis
- The domain was created on February 14, the same day the cryptocurrency was promoted.
- It was registered via GoDaddy and its DNS zone is hosted on Cloudflare.
- Interestingly, one day later, a similar .vip domain was registered through Namecheap.
However, the token linked to the .vip domain is on Ethereum, while the original post referenced a Solana-based token (as we will see in Part 3).
Additionally, the Google Forms link has now been replaced with a redirect to Uniswap, leading to a token flagged as malicious.
At this stage, we have multiple indicators supporting the hypothesis that this entire setup is a scam.
Part 3: Contract Analysis
The Solana token address provided on the website was:
🔗 Bo9jh3wsmcC2AjakLWzNmKJ3SgtZmXEcSaW7L2FAvUsU
To analyze it, we checked Solscan:
🔗 Solscan Token Analysis
Key findings from Solscan:
- Creator Address:
🔗 DefcyKc4yAjRsCLZjdxWuSUzVohXtLna9g22y3pBCm2z
- This address has a public label:
🏷 “Libra: Team Wallet 1”
- The wallet holds multiple suspicious tokens.
Token Holders Analysis
- Four wallets hold over 90% of the total cryptocurrency supply, including the creator’s wallet.
Metadata Analysis
- Mint:
"Bo9jh3wsmcC2AjakLWzNmKJ3SgtZmXEcSaW7L2FAvUsU"
This confirms that it is a Solana token, likely an SPL Token or NFT.
- Update Authority:
"DefcyKc4yAjRsCLZjdxWuSUzVohXtLna9g22y3pBCm2z"
This user can modify the token’s metadata.
- URI:
"https://gateway.pinata.cloud/ipfs/bafkreignny757l6mm3n7s3ix7sxoazstqwvredp3qfeje..."
Hosted on IPFS (Pinata), likely containing additional token details (image, description, etc.). Upon opening this URI, we observed the following message:
- Seller Fee Basis Points:
0
This means no resale fees, often a red flag in scam projects.
- Creators:
"DefcyKc4yAjRsCLZjdxWuSUzVohXtLna9g22y3pBCm2z"
This address has 100% ownership.
- Token Standard:
2
Confirms that this is a Solana SPL token or NFT.
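The holder-concentration and metadata checks from the two sections above can be scripted once the holder list and metadata record have been exported. This is an added example, not code from the original post: the key names (`updateAuthority`, `creators`), the placeholder holder addresses and all balances are constructed assumptions, and only the mint and creator addresses come from the page.

```python
from decimal import Decimal

# Creator / update-authority address as listed on the page.
CREATOR = "DefcyKc4yAjRsCLZjdxWuSUzVohXtLna9g22y3pBCm2z"

# Constructed metadata record: key names are assumptions for this example.
METADATA = {
    "mint": "Bo9jh3wsmcC2AjakLWzNmKJ3SgtZmXEcSaW7L2FAvUsU",
    "updateAuthority": CREATOR,
    "creators": [{"address": CREATOR, "share": 100}],
}

# Constructed holder list (owner, raw balance). Placeholder owners and
# balances, not the real on-chain distribution.
HOLDERS = [
    ("HOLDER_A_PLACEHOLDER", "400000000"),
    (CREATOR, "250000000"),
    ("HOLDER_B_PLACEHOLDER", "180000000"),
    ("HOLDER_C_PLACEHOLDER", "100000000"),
    ("HOLDER_D_PLACEHOLDER", "50000000"),
    ("HOLDER_E_PLACEHOLDER", "20000000"),
]


def sorted_shares(holders):
    """Return (owner, fraction_of_supply) pairs, largest holder first."""
    balances = [(owner, Decimal(raw)) for owner, raw in holders]
    supply = sum(bal for _, bal in balances)
    if supply == 0:
        raise ValueError("holder list is empty or has zero total supply")
    shares = [(owner, bal / supply) for owner, bal in balances]
    return sorted(shares, key=lambda pair: pair[1], reverse=True)


def top_n_share(holders, n):
    """Fraction of the total supply held by the n largest wallets."""
    return sum(share for _, share in sorted_shares(holders)[:n])


def triage(metadata, holders, n=4, threshold=Decimal("0.90")):
    """Return the names of the centralization indicators that apply."""
    creators = {c["address"] for c in metadata.get("creators", [])}
    top = sorted_shares(holders)[:n]
    checks = {
        "update_authority_is_creator": metadata.get("updateAuthority") in creators,
        "top_holders_exceed_threshold": sum(s for _, s in top) > threshold,
        "creator_among_top_holders": bool(creators & {o for o, _ in top}),
    }
    return [name for name, hit in checks.items() if hit]
```

Balances are parsed as `Decimal` from strings so that large raw token amounts are compared exactly rather than through floating point.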
Conclusion
Through this OSINT Web3 investigation, we identified multiple indicators pointing toward this being a potential scam.
- The Twitter (X) post was deleted, yet the project remains active.
- The website triggers security warnings and was registered on the same day as the promotion.
- The contract analysis reveals centralized ownership, suspicious metadata, and a high concentration of funds in a few wallets.
This case serves as a valuable example of how to apply OSINT techniques to Web3 investigations, analyzing on-chain and off-chain data to identify fraudulent projects.