In September 2023, an account associated with a phishing attack managed to transfer $10 million worth of Ether (ETH) to the crypto-mixing protocol called Tornado Cash. The transfer was flagged by CertiK, a blockchain security firm, on March 21. This account was linked to a previous hack that occurred on September 6, 2023, where a crypto whale lost $24 million in staked ETH on Rocket Pool, a liquid staking provider. The hacker executed two transactions, one taking 9,579 stETH and the other draining 4,851 rETH from the victim.
According to Scam Sniffer, the victim fell for a scam by signing an “Increase Allowance” transaction, which allowed the hacker to gain token approvals. This feature, present in smart contracts, permits third parties to spend ERC-20 tokens of others if they have approval. The crypto community has been warned about the potential risks of this token allowances feature, as developers can deploy malicious smart contracts for scams.
PeckShield, another blockchain security company, revealed that the attacker exchanged the stolen assets for 13,785 ETH and 1.64 million Dai (DAI). Some of the DAI was sent to the FixedFload exchange, while the majority of the stolen funds were moved to other wallets.
Phishing attacks continue to plague the crypto space, with Scam Sniffer’s report showing that nearly $47 million was lost to crypto phishing scams in February. The report also indicated that 78% of these thefts occurred on the Ethereum network, and ERC-20 tokens accounted for 86% of the assets stolen.
Token approvals have also caused recent losses for crypto users. On March 20, an old contract previously used by the Dolomite exchange was exploited, resulting in the draining of $1.8 million from users who had authorized approvals for the contract. To mitigate the risk, Dolomite’s development team urged users to revoke approvals given to the old contract address.
While some attacks result in significant losses, there are instances where attempts to steal crypto are swiftly halted. On March 20, the Layerswap team managed to prevent further damage after their website was breached, thanks to intervention from their domain provider. However, the hackers still managed to drain around $100,000 in assets from 50 users. The protocol has committed to refunding the affected users and offering additional compensation for the inconvenience caused.
In other news, a game firm’s stock tripled following its purchase of Bitcoin, and Hong Kong introduced an in-kind BTC ETF, as reported by Asia Express magazine.