Attackers stole about $4 million in USDC from the NFT gaming project Webaverse after they took a picture of the balance in the Trust Wallet wallet in person.
full story https://t.co/vdkAHyBaG9
— 0xngmi (aggregatoor arc) (@0xngmi) February 6, 2023
According to Webaverse co-founder Ahad Shams, the team was contacted by a man claiming to be an investor in a Web3 company named Joseph Safra.
He said that he had already been scammed by the industry, so he made a number of demands. Safra offered to fly to Rome to discuss investments and confirm the availability of funds for the project. Referring to his poor familiarity with crypto wallets, he asked to use Trust Wallet, whose interface is clear to him.
Shams, upon his arrival in Rome, dined with “Safra” and his “lawyer”. The next day, there was a meeting with the “banker” at which the Webaverse team was supposed to show their funds.
“We created a new Trust Wallet back at home on a device that we didn’t use to interact with them. We were sure that without our private keys or seed phrases, the funds would be safe one way or another,” Shams emphasized.
He noted that they transferred about 4 million USDC to the wallet already sitting in front of the “investor”. After that, “Safra” asked to take a picture of the balance screen. According to Shams, the request alerted, but there was no private information on the tab.
After taking several pictures, the attackers said that they needed to go out and consult. They have not returned back.
A few minutes later, the funds from the wallet disappeared. The scammers converted assets into ETH, wBTC and USDT in 1inch, distributing the amount to 14 addresses.
Shams filed a complaint with the police in Rome and turned to the US Federal Bureau of Investigation.
He and the team are still technically unable to explain how the attackers gained access to the funds.
CEO of ZenGo, the developer of the crypto wallet of the same name, Uriel Ohayon suggested two possibilities:
- downloading a known infected release of the application;
- transferring a smartphone with an open wallet into the hands of a scammer, who needs a subtle movement of his finger to go to the security settings tab with a seed phrase.
this story makes no sense.
the only way the funds were stolen is either because they installed a malicious version or because the scammer had *physical* access to the phone and took it in hands and move the security settings and took picture of the seed without them noticing.
— Ouriel @ZenGo (@OurielOhayon) February 7, 2023
Recall that in December 2022, unknown persons hacked the BitKeep wallet and stole ~$8 million worth of user assets. Hackers injected malicious code into the downloaded file of the Android application.
Found a mistake in the text? Select it and press CTRL+ENTER
ForkLog Newsletters: Keep your finger on the pulse of the bitcoin industry!
