In September 2023, an account involved in a phishing attack successfully moved $10 million worth of Ether (ETH) to the crypto-mixing protocol known as Tornado Cash. This incident was flagged by CertiK, a blockchain security firm, on March 21. The funds were originally stolen from a crypto whale during the phishing incident, which occurred on September 6, 2023. The victim lost $24 million in staked ETH on the liquid staking provider Rocket Pool, and the hack was carried out in two separate transactions. One transaction involved the theft of 9,579 stETH, while the other drained 4,851 rETH from the crypto whale.
According to Scam Sniffer, an anti-scam project, the victim unknowingly signed an “Increase Allowance” transaction, which granted token approvals to the hacker. This feature, enabled by smart contracts, allows third parties to spend ERC-20 tokens that belong to others if they have been given approval. The token allowances feature has been a topic of concern within the crypto community, as it opens the door to potential scams involving malicious smart contracts.
PeckShield, another blockchain security company, discovered that the attacker exchanged the stolen assets for 13,785 ETH and 1.64 million Dai (DAI). Some of the DAI was transferred to the FixedFload exchange, while the majority of the stolen funds were moved to other wallets.
Phishing attacks continue to pose a significant problem for the crypto space. According to Scam Sniffer’s crypto phishing report, nearly $47 million was lost to phishing scams in February alone. The report revealed that 78% of these thefts occurred on the Ethereum network, with ERC-20 tokens accounting for 86% of the stolen assets.
Token approvals have also led to recent losses for crypto users. On March 20, an old contract previously used by the Dolomite exchange was exploited, resulting in the drain of $1.8 million from users who had authorized approvals for the contract. As a result, Dolomite’s development team urged users to revoke approvals given to the old contract address.
While some attacks result in significant financial losses, there are instances where attempts to steal crypto are quickly thwarted. On March 20, the Layerswap team successfully prevented further damage after its website was breached, thanks to the intervention of its domain provider. However, the hackers still managed to drain approximately $100,000 in assets from 50 users. The protocol has committed to refunding the affected users and providing additional compensation for the inconvenience caused.
In other news, a game firm’s stock tripled after it made a Bitcoin purchase, and Hong Kong introduced its in-kind BTC ETF.