Web3 anti-scam sleuth uncovers phishing attack that drained $4.2m using a malicious opcode

Web3 anti-scam sleuth uncovers phishing attack that drained $4.2m using a malicious opcode

An unknown user lost $4.2 million worth of aEthWETH and aEthUNI tokens on Jan. 22.

According to an X crypto researcher under the handle @realscamsniffer, an unidentified person has lost aEthWETH and aEthUNI amounting to $4.2 million after verifying transactions with a falsified ERC-20 permission signature.

insane! someone lost $4.20m worth of aEthWETH and aEthUNI to crypto phishing about 40 minutes ago!https://t.co/PqtYbfjrW5 pic.twitter.com/2Nhx4HDQcK

— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) January 22, 2024

The victim signed approvals for several transactions with an ERC-20 authorization that used an opcode contract to bypass security warnings that created new addresses for each signature before the transaction had been executed, which redirected victims’ funds from the victim to the new unauthorized address.

Opcode malware in the context of cryptocurrency hacks refers to malicious software that exploits the operation codes used in the scripting languages of various cryptocurrency platforms. For instance, they could redirect cryptocurrency to the attacker’s address, allow the attacker to spend other users’ funds, or freeze assets within a smart contract.

victim:
0x1749ad951fb612b42dc105944da86c362a783487

scammers:
0x0000372B2BC916D6c904495e53533Ae90740F688
0xf672775e124E66f8cC3FB584ed739120d32bBaad

— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) January 22, 2024

The X user warned that traders must be cautious when signing and approving transactions, paying particular attention to warnings from Web3 wallet apps. Additionally, researchers advocate a process known as do your own research, or DYOR, when it comes to all things crypto, which means taking responsibility and knowledge about forms of phishing and scams of all shapes and stripes.

In November 2023, a Uniswap user who created a liquidity pool lost more than $700,000 in seconds after an influx of MEV bots, likely due to a configuration error. The transaction attracted the attention of MEV bots, which was focused on maximizing profits by shuffling transactions in a block.

According to an annual report by the crypto sleuth @realscamsniffer, users lost almost $295 million to phishing attacks in 2023, with phishing taking the cake as the most commonly used form of scam by hackers in the space.

You might also like: Pastor dupes investors out of $1.3m in crypto-selling scam

Leave a Reply

Your email address will not be published. Required fields are marked *