Web3 anti-scam sleuth uncovers phishing attack that drained $4.2m using a malicious opcode
An unknown user lost $4.2 million worth of aEthWETH and aEthUNI tokens on Jan. 22.
According to an X crypto researcher under the handle @realscamsniffer, an unidentified person has lost aEthWETH and aEthUNI amounting to $4.2 million after verifying transactions with a falsified ERC-20 permission signature.
The victim signed approvals for several transactions with an ERC-20 authorization. The authorization used an opcode contract that bypassed security warnings by creating a new address for each signature before the transaction was executed, which redirected the victim's funds to the new, unauthorized address.
Opcode malware in the context of cryptocurrency hacks refers to malicious software that exploits the operation codes used in the scripting languages of various cryptocurrency platforms. For instance, such malware could redirect cryptocurrency to the attacker's address, allow the attacker to spend other users' funds, or freeze assets within a smart contract.
The X user warned that traders must be cautious when signing and approving transactions, paying particular attention to warnings from Web3 wallet apps. Additionally, researchers advocate a process known as do your own research, or DYOR, when it comes to all things crypto, which means taking responsibility for learning about phishing and scams of all shapes and stripes.
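As an added illustration (not code from the researcher or from any wallet), the sketch below shows the kind of pre-signing review a wallet or a cautious user could run on a signature request. It assumes the "ERC-20 permission signature" is an EIP-2612 style Permit typed-data message; the function name, the injected address lookup, the 24-hour threshold and all sample values are constructed for the example.

```javascript
// Added example: defender-side review of a typed-data signing request.
// Assumption: the request is an EIP-2612 style Permit; sample values are constructed.
const MAX_UINT256 = (1n << 256n) - 1n;
const LONG_DEADLINE_SECONDS = 86400n; // arbitrary example threshold (24h)

// Hypothetical helper: returns human-readable warnings for one signing request.
// `chain` is an injected lookup (address -> { hasCode, txCount }) so it runs offline.
function reviewPermitRequest(typedData, chain, nowSeconds) {
  const warnings = [];
  if (typedData.primaryType !== "Permit") return warnings; // not an allowance signature
  const { spender, value, deadline } = typedData.message;

  // A permit is an off-chain approval: once signed, `spender` can move the tokens later.
  warnings.push(`grants ${spender} an allowance on ${typedData.domain.name}`);
  if (BigInt(value) === MAX_UINT256) warnings.push("unlimited allowance");
  if (BigInt(deadline) - BigInt(nowSeconds) > LONG_DEADLINE_SECONDS) {
    warnings.push("deadline more than 24h away");
  }

  // The article describes a new address being created for each signature, so the
  // spender may have no code and no history at signing time. Surface that fact
  // instead of relying only on lists of previously reported addresses.
  const info = chain[spender.toLowerCase()] || { hasCode: false, txCount: 0 };
  if (!info.hasCode && info.txCount === 0) {
    warnings.push("spender is a fresh address with no code and no history");
  }
  return warnings;
}

// Constructed sample request (placeholder addresses, not from the incident).
const SAMPLE_REQUEST = {
  primaryType: "Permit",
  domain: { name: "ExampleToken", version: "1", chainId: 1,
            verifyingContract: "0x1111111111111111111111111111111111111111" },
  message: {
    owner: "0x2222222222222222222222222222222222222222",
    spender: "0x3333333333333333333333333333333333333333",
    value: MAX_UINT256.toString(),
    nonce: "0",
    deadline: "1893456000",
  },
};
// Constructed lookup: only this address has deployed code and prior activity.
const SAMPLE_CHAIN = {
  "0x4444444444444444444444444444444444444444": { hasCode: true, txCount: 120 },
};
console.log(reviewPermitRequest(SAMPLE_REQUEST, SAMPLE_CHAIN, 1705881600));
```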
In November 2023, a Uniswap user who created a liquidity pool lost more than $700,000 in seconds after an influx of MEV bots, likely due to a configuration error. The transaction attracted the attention of MEV bots, which were focused on maximizing profits by shuffling transactions in a block.
According to an annual report by the crypto sleuth @realscamsniffer, users lost almost $295 million to phishing attacks in 2023, with phishing taking the cake as the most commonly used form of scam by hackers in the space.