A user lost $4.2 million in aEthWETH and aEthUNI due to a sophisticated crypto heist and phishing scam.
This incident exposed the vulnerabilities in the ERC-20 Permit signature feature.
In a major setback for the digital asset community, an individual has fallen victim to a sophisticated phishing crypto heist, resulting in the loss of cryptocurrencies worth $4.2 million. The incident, which transpired at 7:26 UTC+8 today, saw the depletion of substantial amounts of aEthWETH and aEthUNI tokens from the victim’s wallet.
— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) January 22, 2024
Scam Sniffer, a leading cybersecurity firm specializing in cryptocurrency scams, has been closely monitoring this case. They have also revealed the transaction history for this particular scam on X (formerly Twitter).
According to their analysis, the attacker meticulously crafted a scheme that mirrored legitimate transaction requests. This deceptive tactic misled the user into granting access to their digital assets.
Their report also sheds light on the intricacies of the attack. It emphasizes that the victim provided multiple ERC-20 Permit signatures, and that the token spenders named in those signatures have addresses pre-computed by CREATE2.
Loopholes in transaction-aiding tools?
CREATE2 has become infamous for its wide usage by wallet drainers organizing crypto heists. These unscrupulous people bypass security protocols by generating malicious alerts for every signature. The involvement of CREATE2 played a crucial role in the successful execution of the phishing scheme.
The ERC-20 Permit signature, an innovative feature in the Ethereum blockchain, is designed to streamline transactions by allowing token transfers without the need for a gas fee. However, this incident highlights a dark twist to this feature, exposing its potential exploitation by cybercriminals.
A Scam Sniffer representative has said:
“The level of sophistication and planning in this attack is a grim reminder of the evolving threats in the cryptocurrency landscape. The malicious use of ERC-20 Permit signatures in this case marks a concerning trend in cyber attacks targeting crypto assets.”
Scam Sniffer’s report further indicates that the phishing attack was not a random act but a carefully orchestrated plan, leveraging in-depth knowledge of the victim’s crypto holdings and transaction patterns.
The future: Better safe than sorry
In response to this alarming event, the firm has issued an urgent advisory to the crypto community. It urges users to be extra cautious and to thoroughly verify the authenticity of transaction requests, particularly those involving permit signatures.
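As an added illustration of what verifying a permit request can look like (this code is not from the article or from Scam Sniffer), the sketch below reviews an EIP-2612 Permit typed-data payload before it is signed and flags the traits discussed above, including a spender address that has no deployed code yet. The function name, the `ctx` fields, the finding labels, the one-hour deadline threshold and the sample addresses are all assumptions made for the example.

```javascript
// Added example: heuristic review of an EIP-2612 Permit signing request.
// Thresholds, finding names and the sample payload are constructed assumptions.
const MAX_UINT256 = (1n << 256n) - 1n;
const MAX_DEADLINE_AHEAD = 3600n; // assumed policy: at most 1 hour of validity

function inspectPermitRequest(typedData, ctx) {
  // Only EIP-712 requests whose primary type is Permit are in scope.
  if (!typedData || typedData.primaryType !== "Permit") return null;
  const m = typedData.message;
  const findings = [];
  const spender = String(m.spender).toLowerCase();
  const value = BigInt(m.value);
  const deadline = BigInt(m.deadline);

  // Signing grants `spender` an allowance over the token at verifyingContract.
  if (!ctx.trustedSpenders.has(spender)) findings.push("unknown-spender");
  // No code at the spender: either an EOA, or a contract address computed in
  // advance (for example with CREATE2) that has not been deployed yet.
  if (!ctx.spenderHasCode) findings.push("spender-has-no-code");
  if (value >= MAX_UINT256 / 2n) findings.push("unlimited-allowance");
  if (deadline - BigInt(ctx.now) > MAX_DEADLINE_AHEAD) findings.push("long-deadline");

  return {
    token: typedData.domain.verifyingContract,
    spender,
    findings,
    // Assumed policy: refuse when an unknown spender shows any other flag.
    block: findings.includes("unknown-spender") && findings.length > 1,
  };
}

// Constructed sample request (placeholder addresses, not from the incident).
const sampleRequest = {
  primaryType: "Permit",
  domain: { name: "Example Token", version: "1", chainId: 1,
            verifyingContract: "0x" + "11".repeat(20) },
  message: {
    owner: "0x" + "22".repeat(20),
    spender: "0x" + "33".repeat(20),
    value: MAX_UINT256.toString(),
    nonce: "0",
    deadline: "4102444800", // constructed: 2100-01-01
  },
};

// spenderHasCode would come from an eth_getCode lookup; supplied by hand here.
const sampleCtx = { trustedSpenders: new Set(), spenderHasCode: false, now: 1705879560 };
console.log(inspectPermitRequest(sampleRequest, sampleCtx));
```

The no-code check is a heuristic: an ordinary externally owned account also has no code, so the flag is meaningful mainly in combination with an unknown spender and a large allowance.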
This devastating loss of $4.2 million is not just a significant blow to the victim but also serves as a critical warning for the entire crypto community. Users must improve their security protocols and remain vigilant against such deceptive tactics.
This incident has raised serious concerns about the security of digital assets and the increasing sophistication of phishing attacks in the cryptocurrency space. As the cryptocurrency market expands, the community must remain alert and prepared to combat these evolving crypto heists.
Prakriti is a Content Writer at AMBCrypto. She describes herself as a passionately creative individual, with a dash of strategic prowess. With over 3.5 years of experience in the field of content writing and marketing, she is dedicated to churning out top-notch content in domains like Crypto, Web 3.0, AI and contributing to quench the thirst for technical knowledge of her readers.