A cryptocurrency investor, whose identity remains unknown, has reportedly lost more than $3 million to a phishing attack in which they unwittingly approved a fraudulent smart contract, handing the attacker access to their funds.
On September 11th, blockchain investigator ZachXBT brought the incident to public attention, revealing that the victim’s digital wallet had been emptied of $3.047 million worth of USD Coin (USDC).
Reports indicate that the perpetrator swiftly converted the stolen stablecoins into Ethereum. Subsequently, the funds were channeled through Tornado Cash, a privacy-focused tool frequently employed to obscure the origin and destination of illicitly obtained cryptocurrency.
Details of the Exploit
Yu Xian, the founder of SlowMist, provided insights into the mechanics of the attack, noting that the compromised account was a 2-of-4 Safe multi-signature wallet.
According to Xian, the breach originated from two sequential transactions in which the victim mistakenly granted approvals to a deceptive contract address that closely resembled the intended recipient's.
The attacker crafted the malicious contract so that its address shared the first and last characters of the legitimate one. Because most wallet and explorer interfaces truncate addresses to exactly those leading and trailing characters, the two were effectively indistinguishable at a glance.
Xian further explained that the exploit relied on Safe's MultiSend function, which bundles several calls into one transaction, effectively concealing the illegitimate approval within what appeared to be a standard authorization process.
He stated:
“The deceptive authorization was difficult to identify because it deviated from a typical approval process.”
Security analysts at Scam Sniffer revealed that the attacker had planned the operation well in advance. They reportedly deployed a bogus smart contract, with its source code verified on Etherscan, almost two weeks before the attack. The contract exposed various "batch payment" functions to give it a veneer of authenticity.
On the day of the exploit, the fraudulent approval was executed through the Request Finance application interface, ultimately granting the attacker access to the victim's funds.
In response, Request Finance confirmed that a malicious actor had deployed a counterfeit version of its Batch Payment contract. The company emphasized that only one client was affected and assured users that the issue has been addressed.
Nonetheless, Scam Sniffer emphasized the broader implications of this phishing incident.
The blockchain security firm cautioned that similar exploits could arise from various sources, including vulnerabilities within applications, malware or browser extensions tampering with transactions, compromised front-end interfaces, or DNS hijacking.
Notably, the combination of a verified contract and a near-identical address underscores how attackers are increasingly tailoring their operations to pass the checks users actually perform.
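The mechanics described above, as an added example that is not part of the original article and not code from Safe, SlowMist, Scam Sniffer or Request Finance: the script decodes a Safe MultiSend batch using the contract's packed layout (operation: 1 byte, to: 20 bytes, value: 32 bytes, data length: 32 bytes, then the data), pulls the spender out of every ERC-20 `approve(address,uint256)` call it finds, and compares each one against a trusted list by its full address rather than its truncated form. The trusted batch-payment address, the lookalike that shares its first and last four hex characters, the stand-in token address and the sample batch are all constructed for illustration.

```python
"""Decode a Safe MultiSend batch and flag ERC-20 approvals to lookalike spenders.

Added example, not code from CryptoSlate, Safe, SlowMist or Request Finance.
Assumes Safe MultiSend's packed encoding
(operation:1 byte | to:20 | value:32 | dataLength:32 | data) and a plain
ERC-20 approve(address,uint256) call. Every address and the sample batch
below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# keccak256("approve(address,uint256)")[:4]
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")

# Constructed addresses: a trusted batch-payment contract, a lookalike that
# shares its first and last four hex characters, and a stand-in token.
TRUSTED_BATCH = "0x" + "abcd" + "0" * 32 + "1234"
LOOKALIKE = "0x" + "abcd" + "0" * 20 + "deadbeef" + "0" * 4 + "1234"
TOKEN = "0x" + "11" * 20


@dataclass
class MultiSendTx:
    operation: int  # 0 = CALL, 1 = DELEGATECALL
    to: str
    value: int
    data: bytes


def encode_approve(spender: str, amount: int) -> bytes:
    """ABI-encode approve(spender, amount): selector + two 32-byte words."""
    return (APPROVE_SELECTOR
            + bytes.fromhex(spender[2:]).rjust(32, b"\x00")
            + amount.to_bytes(32, "big"))


def pack_tx(operation: int, to: str, value: int, data: bytes) -> bytes:
    """Pack one call in MultiSend's tightly packed (non-ABI) layout."""
    return (bytes([operation]) + bytes.fromhex(to[2:])
            + value.to_bytes(32, "big") + len(data).to_bytes(32, "big") + data)


def decode_multisend(blob: bytes) -> List[MultiSendTx]:
    """Walk the packed bytes and return every embedded call."""
    txs, i = [], 0
    while i < len(blob):
        op = blob[i]; i += 1
        to = "0x" + blob[i:i + 20].hex(); i += 20
        value = int.from_bytes(blob[i:i + 32], "big"); i += 32
        dlen = int.from_bytes(blob[i:i + 32], "big"); i += 32
        if i + dlen > len(blob):
            raise ValueError("truncated MultiSend payload")
        txs.append(MultiSendTx(op, to, value, blob[i:i + dlen])); i += dlen
    return txs


def approve_spender(data: bytes) -> Optional[str]:
    """Return the spender if `data` is an approve() call, else None."""
    if len(data) != 4 + 64 or data[:4] != APPROVE_SELECTOR:
        return None
    # The address occupies the low 20 bytes of the first 32-byte argument word.
    return "0x" + data[4 + 12:4 + 32].hex()


def is_lookalike(addr: str, trusted: str, n: int = 4) -> bool:
    """True when a different address matches only the first/last n hex chars."""
    a, t = addr.lower(), trusted.lower()
    return a != t and a[2:2 + n] == t[2:2 + n] and a[-n:] == t[-n:]


def audit_batch(blob: bytes, trusted: Set[str]) -> List[Tuple[int, str, str]]:
    """Classify each approve() in the batch as trusted, lookalike:<of>, or unknown."""
    trusted_lc = {t.lower() for t in trusted}
    findings = []
    for idx, tx in enumerate(decode_multisend(blob)):
        spender = approve_spender(tx.data)
        if spender is None:
            continue  # not an approval; out of scope for this check
        if spender.lower() in trusted_lc:
            verdict = "trusted"
        else:
            hits = [t for t in trusted_lc if is_lookalike(spender, t)]
            verdict = f"lookalike:{hits[0]}" if hits else "unknown"
        findings.append((idx, spender, verdict))
    return findings


# Constructed batch: a legitimate approval followed by a same-looking one.
SAMPLE_BATCH = (pack_tx(0, TOKEN, 0, encode_approve(TRUSTED_BATCH, 3_047_000 * 10**6))
                + pack_tx(0, TOKEN, 0, encode_approve(LOOKALIKE, 2**256 - 1)))

if __name__ == "__main__":
    for idx, spender, verdict in audit_batch(SAMPLE_BATCH, {TRUSTED_BATCH}):
        print(f"tx[{idx}] approve -> {spender}: {verdict}")
```

The point of the check is that the comparison happens on the full 40-character address, never on the truncated "0xabcd...1234" form a wallet displays; a spender that matches a trusted entry only at the ends is treated as more suspicious than one that is simply unknown, because that pattern is the signature of a deliberately crafted lookalike.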