Trader loses over $180k in USDC, ANDY to phishing attack

A cryptocurrency investor recently fell victim to a phishing attack on Ethereum, eventually losing over $180,000 in USD Coin (USDC) and ANDY (ANDY), a recently launched meme coin inspired by Pepe.

Data from Etherscan reveals that the attack occurred on April 23 in nearly one hour, lasting from 05:39 to 06:29 UTC.

Transaction data confirms that the perpetrators executed a multi-call phishing attack, essentially combining multiple function calls into a single transaction. While these calls might look benign when viewed separately, together, they tell the tale of a malicious action.

Moreover, the multiple calls triggered outflows from the victim’s address to several wallets belonging to the hackers, with some of these addresses already identified as phishing wallets by Etherscan. In all, the victim lost over 1.6 billion ANDY tokens, worth $162,400, and 17,913 USDC.

This attack emptied the victim’s account, with its balance currently sitting at $32 worth of Ethereum (ETH) and Arbitrum (ARB). While one of the attacker’s addresses has held onto the loot, the second, which received all the ANDY tokens, immediately swapped them for WETH on Uniswap and then moved the WETH to a new address.

The attack likely exploited the victim’s interactions with smart contracts. Often, these malicious actors create contracts that look like they are performing a standard defi operation — such as swapping tokens — but embedded in the transactions are calls that, for instance, approve the transfer of the user’s tokens to the attacker.
Crypto.news spotted a similar attack last month, which led to the loss of $674,000 in USDC. The perpetrators immediately funneled the assets to the Ox protocol for liquidation. Amid the growing prevalence of these schemes, a report revealed that over 57,000 crypto users lost $46 million to phishing attacks in February.