Phishing Attack Steals $8 Million Worth of Cryptocurrency

Scammers stole $8 million worth of Ethereum from users of the Uniswap cryptocurrency exchange, according to Sujith Somraaj at Decrypt. Notably, the attackers relied purely on social engineering to pull off the theft, despite some early claims that they exploited a vulnerability in Uniswap’s underlying protocol.

“The phishing scam promised a free airdrop of 400 UNI tokens (worth approximately $2,200),” Somraaj writes. “Users were asked to connect their crypto wallets and sign the transaction to claim the malicious airdrop. Upon connection, the unknown hacker grabbed user funds through a malicious smart contract.”

The scammers used this malicious contract to trick the victims into granting access to their cryptocurrency.

“Notably, the code was not verified for the smart contract deployed on Etherscan—something most legitimate projects do,” Somraaj says. “After deployment, for collecting their airdropped tokens, the hacker tricked users into signing a transaction. Instead, this transaction served as an approval transaction, giving the hacker access to all the Uniswap LP (Liquidity Pool) tokens held by the user.”

Somraaj explains how the attackers were able to gain access to the funds.

“Whenever users add liquidity to Uniswap, they receive LP tokens in return as a representation of their liquidity positions,” Somraaj writes. “These tokens are transferable and use the ERC-721 token standard, like all other NFTs. Hence through an approval transaction, a third-party (the hacker wallet in this case) could spend funds on behalf of the user. After gaining access from the previous approval transaction, the hacker transferred all the LP tokens to his wallet and withdrew all the liquidity from Uniswap.”
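The mechanism Somraaj describes is the standard ERC-721 approval model: a token holder who signs an approval (for one token, or `setApprovalForAll` for every token they hold) lets the approved address call `transferFrom` on their behalf without any further signature. The following is an added, self-contained model of those semantics written for this post; it is not Uniswap's contract, not code from Decrypt, and runs no chain calls. Addresses ("victim", "scammer") and token ids are made-up labels. It shows what a single signed "claim" transaction can grant, and that revoking the operator approval, which is what approval-review tools help users do, stops further transfers.

```python
"""Minimal in-memory model of ERC-721 approval semantics (EIP-721).

Constructed for illustration; not Uniswap's contract or any real chain code.
Addresses and token ids are made-up labels.
"""


class ERC721Model:
    def __init__(self):
        self.owner_of = {}    # token_id -> owner address
        self.approved = {}    # token_id -> single approved spender (approve())
        self.operators = {}   # (owner, operator) -> bool (setApprovalForAll())

    def mint(self, to, token_id):
        assert token_id not in self.owner_of, "already minted"
        self.owner_of[token_id] = to

    def approve(self, sender, spender, token_id):
        # Only the owner or an operator for the owner may set a per-token approval.
        owner = self.owner_of[token_id]
        if sender != owner and not self.operators.get((owner, sender), False):
            raise PermissionError("approve: caller is not owner nor approved for all")
        self.approved[token_id] = spender

    def set_approval_for_all(self, sender, operator, approved):
        # One signature grants (or revokes) operator rights over every token the sender owns.
        self.operators[(sender, operator)] = approved

    def is_authorized(self, spender, token_id):
        owner = self.owner_of[token_id]
        return (spender == owner
                or self.approved.get(token_id) == spender
                or self.operators.get((owner, spender), False))

    def transfer_from(self, sender, frm, to, token_id):
        if self.owner_of[token_id] != frm:
            raise ValueError("transferFrom: from is not owner")
        if not self.is_authorized(sender, token_id):
            raise PermissionError("transferFrom: caller not authorized")
        self.owner_of[token_id] = to
        self.approved.pop(token_id, None)  # per EIP-721, per-token approval clears on transfer

    def tokens_of(self, owner):
        return sorted(t for t, o in self.owner_of.items() if o == owner)

    def active_operators(self, owner):
        # What an approval-review tool surfaces: every operator still allowed to move your tokens.
        return sorted(op for (o, op), ok in self.operators.items() if o == owner and ok)


def demonstrate_operator_approval():
    """The 'claim airdrop' signature is really setApprovalForAll(operator, true)."""
    nft = ERC721Model()
    nft.mint("victim", 1)
    nft.mint("victim", 2)
    nft.set_approval_for_all("victim", "scammer", True)
    # The operator can now move every token the victim holds; no further signatures needed.
    for tid in nft.tokens_of("victim"):
        nft.transfer_from("scammer", "victim", "scammer", tid)
    return nft.tokens_of("victim"), nft.tokens_of("scammer")


def demonstrate_revocation():
    """Reviewing and revoking the operator approval closes the access."""
    nft = ERC721Model()
    nft.mint("victim", 1)
    nft.set_approval_for_all("victim", "scammer", True)
    flagged = nft.active_operators("victim")                 # review step finds "scammer"
    nft.set_approval_for_all("victim", "scammer", False)     # revoke
    try:
        nft.transfer_from("scammer", "victim", "scammer", 1)
        moved = True
    except PermissionError:
        moved = False
    return flagged, moved, nft.tokens_of("victim")


if __name__ == "__main__":
    print(demonstrate_operator_approval())   # ([], [1, 2])
    print(demonstrate_revocation())          # (['scammer'], False, [1])
```

The design point is that nothing in the model checks what the approval is for; the contract only knows that the owner signed it. That is why the attack needed no protocol bug, and why the practical defence for holders is to read what a wallet prompt actually asks to sign (`setApprovalForAll` to an unverified contract is the red flag here) and to periodically review and revoke operator approvals they no longer need.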

People should always be wary when they see offers that seem too good to be true, particularly when cryptocurrency is involved. We tend to think of cryptocurrency transactions as something individual speculators engage in, but increasingly they touch many businesses as well. They’re novel enough that employees may find themselves gulled through simple unfamiliarity. New-school security awareness training can give your employees a healthy sense of suspicion so they can thwart social engineering attacks.

Decrypt has the story.
