
Arrow Founder Saddled with Adversarial Internal Rival Targeting $125M


Key Takeaways:

  • The founder of Arrow DAO ducked an “extremely thorough” social engineering attempt that could have given criminals access to his $125 million in ether assets.
  • He detailed the extensive effort the scammers put into trying to steal his money, including producing work for his project.
  • The scam failed only because the founder decided to use a new Ethereum address during token sales.

A crypto founder managed to evade a “sophisticated” social engineering scam attempt that could have cost him more than $125 million worth of Ethereum (ETH). Although the attack didn’t bring down the entrepreneur’s business, he says it highlights how much more sophisticated and clever hackers are becoming in their criminal activity online.

Social engineering: A new method used by cyber-criminals

Cyber-criminals have many methods to gain access to someone’s computer or network. Social engineering is one tactic hackers use to win another person’s trust, often by manipulating them into confidence. For example, a hacker might craft a special e-mail with seemingly legitimate attachments such as “shipping information” or “important documents.” The user clicks on the embedded link and unwittingly installs malware on their computer or reveals sensitive information in the process, which then gives the hacker access to whatever they choose.

Thomasg.eth is the CEO of Arrow, an early-stage decentralized organization working to build a decentralized air transportation system. On Sunday he posted about how social engineering and other tactics almost led him to give up all his ETH to scammers and fraudsters. He revealed that this wasn’t the first time it had happened, just the most recent one. For two weeks, the scammers worked on orchestrating a large-scale ruse to get all of Thomas’s ETH. Thomas had been talking with multiple people he believed were working on behalf of a potential technical partner, or were potential leads for another key position in his company. They turned out to be part of the scam team, posing as representatives of either group.

Arrow Founder statement

The scam failed only because the scammers didn’t realize that the contract address they had been given was different from Thomasg.eth’s primary address. 

The Arrow founder said on Twitter:

Two weeks ago, I was the target of an extremely thorough social engineering scheme that nearly cost me all my ether. Thank God I was able to recover in time or I would have been screwed and forced to sell my ERC20 tokens before the price plummeted and locked me out of selling for months if not years!

Scammers volunteer at Arrow to gain trust

Thomasg.eth says that a user named Heckshine reached out to him over Discord and offered to help “with 3D design and animation” for free, which impressed Thomas because of how attentive the designer was to his project from the start. The pair quickly built trust with one another, and Heckshine was then introduced to an accomplished graphic designer (Linh) who, unbeknownst to Thomas, began using their new connection’s personal details and credentials towards a much larger fraud scheme. Linh convinced Thomasg to try out the staking system of Space Falcon, another popular gaming NFT project that she was leading. Linh had already purchased its domain name for this very purpose, lying about it being an NFT project owned by a trusted friend who had already been working on Thomasg’s own NFT project, Arrow DAO.

Explaining, Thomasg said:

“When I launched a new NFT project, I wanted to ensure it was safe before my token went through the staking process. I moved my asset over to a fresh ETH address in order to go through this process, while also making sure they were 100% safe by moving them over to a new ETH address beforehand. The stake went through and I was earning yield on it!”

Linh was prepared for this type of question and helped John out by offering to stake an NFT from his account. That is when he realized that something wrong was going on.

“So I went to the EtherScan website and checked the new address where I staked my first NFT and my blood goes ice-cold. The aWETH that I approved was not Armstrong’s ETH, but rather it was Aave’s aWETH and on my main address, I found that all my ETH was actually sitting on Aave itself.”

Thomasg.eth looked into the contract further and found that it included a function which, if triggered, could have let hackers deactivate all the aWETH at any time. At first, he thought it was limited to taking away staking rewards, but in fact they could have emptied his entire $125 million account of all its aWETH!
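The quote above turns on an approval that pointed at a different token than the founder believed. As an added example (not from the article or from Arrow), here is a pre-signing check that decodes standard ERC-20 `approve(address,uint256)` calldata and flags such mismatches. It assumes the approval was a standard ERC-20 approve; every address and the sample transaction are constructed placeholders.

```python
# Added example: pre-signing check for a standard ERC-20 approve() call.
# Every address and the sample transaction are constructed placeholders.
APPROVE_SELECTOR = "095ea7b3"  # selector of approve(address,uint256)
MAX_UINT256 = 2**256 - 1

def decode_approve(calldata_hex):
    """Return (spender, amount) for approve() calldata, or None for any other call."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    if len(data) != 8 + 64 + 64 or data[:8] != APPROVE_SELECTOR:
        return None
    spender_word, amount_word = data[8:72], data[72:136]
    if spender_word[:24] != "0" * 24:
        raise ValueError("spender is not a left-padded 20-byte address")
    return "0x" + spender_word[24:], int(amount_word, 16)

def review_approval(tx, expected_token, verified_spenders, intended_amount):
    """Return reasons not to sign; an empty list means nothing was flagged."""
    decoded = decode_approve(tx["data"])
    if decoded is None:
        return ["not-an-approve-call"]
    spender, amount = decoded
    findings = []
    # The approval acts on the contract in tx["to"], whatever the site's UI calls it.
    if tx["to"].lower() != expected_token.lower():
        findings.append("token-mismatch")
    if spender not in {s.lower() for s in verified_spenders}:
        findings.append("unverified-spender")
    if amount == MAX_UINT256:
        findings.append("unlimited-allowance")
    elif amount > intended_amount:
        findings.append("allowance-exceeds-intent")
    return findings

EXPECTED_TOKEN = "0x" + "11" * 20   # token the user believes is being staked
OTHER_TOKEN = "0x" + "22" * 20      # token the transaction actually targets
UNKNOWN_SPENDER = "0x" + "33" * 20  # staking contract nobody has verified
SAMPLE_TX = {
    "to": OTHER_TOKEN,
    "data": "0x" + APPROVE_SELECTOR + "00" * 12 + "33" * 20 + "ff" * 32,
}

if __name__ == "__main__":
    for finding in review_approval(SAMPLE_TX, EXPECTED_TOKEN, set(), 10**18):
        print("refuse to sign:", finding)
```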

Conclusion

Thomasg, who owns an ENS address starting with ETH, was likely a victim of a phishing attack. The criminal(s) could have researched his ENS name, which exposes his real ETH address because the full address can be viewed online. Many owners of ENS addresses do not bother to secure their names at all, which makes their addresses susceptible to malicious transfers.
