A crypto founder ducked an “extremely thorough” social engineering scam attempt that could have cost him more than $125 million worth of Ethereum (ETH). The attempt shows that hackers are becoming more sophisticated and “super smart.”
Social engineering is a method used by cyber-criminals to gain someone’s trust, often by manipulation, in order to steal sensitive information or cause them to take action that “they otherwise would not.” Heather Morgan may have stolen $4.5 billion from Bitfinex this way.
Thomasg.eth is the pseudonymous founder of Arrow, an early-stage DAO working to build a decentralized air transportation system. On Sunday he detailed how he was almost socially engineered into giving up all his ETH.
The founder spoke of the extensive effort employed by the scammers in trying to steal his money, including producing work for his project and engaging in discussions with multiple people over a period of two weeks.
The scam failed only because Thomasg.eth decided to use a new Ethereum address, and not his primary address when performing a favor involving non-fungible tokens (NFTs) for the hackers. Writing on Twitter, the Arrow founder said:
For the past two weeks, I have been targeted in an extremely thorough social engineering scam that nearly cost me all of my ETH. I’m super lucky to have made it through unscathed.
Social engineering: Scammers volunteer at Arrow to gain trust
Thomas.eth said a user named Heckshine reached out to him on Discord and offered to help “with 3D design and animation” for free. He obliged and hands him a few tasks. Heckshine’s work is prolific, and Thomasg is “impressed” with the designer’s dedication to the project.
Trust gained, Heckshine soon put the Arrow DAO founder into contact with an ‘accomplished’ industry connection, Linh, who initiates the scam. Thomasg.eth agrees to take Linh on board as an advisor.
She later convinced Thomasg to try out the staking service of an NFT project that she was leading – Space Falcon, a popular gaming project on Solana, but whose domain name Linh corrupted for the purposes of fraud. Linh sends an NFT to his ethereum address. Explaining, Thomasg said:
“Now here is where I got incredibly lucky. Since it’s a new project, I decided to move the NFT to a fresh ETH address before going through the staking process – just in case they get exploited down the road or something. The stake goes through and I’m earning yield on it.”
But Linh pushes him to stake another NFT, this time from his main account. That is when he “finally realized that something sketchy is going on.”
“So I pull up Etherscan for the new address where I staked the first NFT and my blood goes ice f***ing cold,” Thomasg says. “The aWETH that I approved was not [Space Falcon’s] Armstrong ETH, but rather Aave’s aWETH. On my main address, almost all of my ETH is sitting in Aave.”
Bogus smart contracts
Thomasg.eth investigated the contract further and found out that the smart contract included a command where all the aWETH could have been drained at any time by the hackers.
While the first active stake could have resulted in the theft of only the staking rewards, an attack on his main address, which contained around $125 million in aWETH at the time, would have thoroughly emptied the account.
It is likely the criminals got attracted to the fat balance in Thomasg’s address, which uses the Ethereum Name Service (ENS). The service allows users to leverage names as addresses instead of alphanumeric characters that make up a regular ETH address. The hackers would have researched him very well before initiating engagement.
“Perhaps my biggest mistake with all of this was keeping all of my funds in the same wallet as my ENS. Security through obscurity would have prevented me from becoming a target in the first place.”
The scammers have since erased their footprint on Discord, but Thomasg now believes they hired a graphic designer to do Heckshine’s work while the duo focused on stealing from him.
“They also had built custom contracts and the front end that are entirely specific to this scam,” he said. “These guys were incredibly well funded and super smart.”
All the information contained on our website is published in good faith and for general information purposes only. Any action the reader takes upon the information found on our website is strictly at their own risk.