Exploit

2023 Phishing Loot Laundered! Hacker Spins $10 Million Through Tornado Cash

In a recent development, a blockchain security firm, CertiK, flagged a transfer of $10 million worth of Ether (ETH) to the crypto-mixing service Tornado Cash. This move is linked to a September 2023 phishing attack that targeted a major cryptocurrency investor, or “whale,” resulting in a total loss of $24 million.

The attack as reported by ChainAffairs leveraged a vulnerability in token allowances. On September 6th, 2023, the unsuspecting whale unknowingly signed a transaction that increased the allowance for a malicious smart contract. This essentially gave the attacker permission to spend the whale’s staked ETH on the Rocket Pool platform. The stolen amount included 9,579 stETH and 4,851 rETH tokens.

Concerns Over Token Allowances Resurface

The incident reignites concerns surrounding token allowances within the Ethereum network’s ERC-20 token standard. This feature allows users to grant third-party contracts permission to spend their tokens. While convenient, it can be exploited by malicious actors if users aren’t cautious. Security experts have long warned about the potential for hackers to deploy deceptive smart contracts to trick users into granting excessive allowances.

Attacker Launders Funds Through Tornado Cash

After gaining access to the stolen ETH, the attacker swapped it for a mix of other cryptocurrencies, including 13,785 ETH and 1.64 million Dai (DAI). Security firm PeckShield traced some of these funds to the FixedFloat exchange, while the majority was transferred to various wallets. The attacker then moved a portion of the stolen funds through Tornado Cash, a cryptocurrency mixing service often used to obfuscate transaction trails.

Phishing Attacks Remain a Major Threat

This incident highlights the ongoing threat of phishing attacks in the cryptocurrency space. According to a report by Scam Sniffer, February 2024 saw nearly $47 million lost to such scams. The report further indicates that the Ethereum network was the primary target, accounting for 78% of the stolen funds, with ERC-20 tokens making up 86%.

Also Read: The Web of Deceit: Navigating the Complex World of Crypto Scams

Token Approvals and the Importance of Vigilance

The incident also underscores the importance of vigilance when dealing with token allowances. A similar exploit involving an old contract from the Dolomite exchange resulted in $1.8 million drained from user accounts in March 2024. These events serve as a stark reminder for crypto users to carefully review any smart contract interactions before granting approvals.

While not all attacks succeed, like the thwarted Layerswap breach, these incidents emphasize the evolving landscape of crypto scams. Staying informed and practicing safe protocols remain crucial for protecting your digital assets.sharemore_vert

About The Author

Previous post MetaWin Raises the Bar for Transparency in Online Gaming
Next post ApeX Protocol Launches ApeX Grid Bot With Negative 0.002% Fees across 45+ Perpetual Markets
Dark