Whale Hunter's Payday

When phishing for whales, sometimes you land a big one.

A crypto whale found themselves $55.47 million lighter after falling victim to a sophisticated phishing attack targeting their Maker vault.

On August 20, ZachXBT noticed something phishy, when a whopping 55.47 million DAI had vanished from a single wallet.

The whale, perhaps sensing something was amiss, attempted to withdraw their funds to safer waters.

But it was too late, the ownership had already changed and the transaction failed.

A digital fortune had evaporated in the blink of an eye, serving as a very expensive lesson in the dangers lurking in crypto's deep waters.

How did this whale fall for such an elaborate trap and end up on the phisher's menu?

The attack played out like a masterclass in digital sleight of hand.

Our unfortunate whale inadvertently signed an unknown transaction, unknowingly handing over the keys to 55.47 million DAI.

The attacker, armed with control of the victim's externally owned account (EOA), set their sights on the real prize: a Maker Vault.

With the finesse of a seasoned angler, the attacker transferred ownership of the victim's DSProxy, a smart contract allowing multiple calls in a single transaction, to their own address.

This clever maneuver allowed them to change the vault's owner address and withdraw 55,473,618 DAI stablecoins directly into their wallet.

Hook, line and sinker.

Victim's address: 0xf2B889437F243396b29E829908b5d8ebE2e13048

Phishing address: 0x0000db5c8B030ae20308ac975898E09741e70000

Attacker's withdrawal address: 0x5D4b2A02c59197eB2cAe95A6Df9fE27af60459d4

The main heist transaction: 0xf70042bf3ae7c22f0680f8afa078c38989ed475dfbe5c8d8f30a50d4d2f45dc4

Lookonchain reported that the attacker had already begun laundering their ill-gotten gains.

By the time of reporting, 27.5 million DAI had been swapped for 10,625 ETH.

In these murky waters, even skilled crypto divers struggle to retrieve what's been lost to the depths.

Will the remaining funds be recovered or are they destined to sleep with the fishes?

This incident serves as another stark reminder of the dangers lurking in the crypto depths.

Phishing attacks continue to be a preferred method for malicious actors, with CertiK reporting nearly $498 million lost to such attacks in the first half of 2024 alone.

Jingyi Guo, an analyst at Blocksec, highlighted the likelihood that the victim had signed a phishing transaction, given their failed attempts to invoke the DSProxy after the ownership change.

One errant click is all it takes and it can cost you dearly.

As the crypto seas become increasingly treacherous, users are urged to implement stronger security measures.

Multi-factor authentication, hardware wallets and a healthy dose of paranoia are becoming as essential as a life jacket on a sinking ship.

For now, this whale's tale serves as a cautionary story for all who swim in these waters.

The next time you're about to sign a transaction, remember that there's always a bigger phish out there and it might just be waiting for you to take the bait.

In the grand ocean of crypto, even the mightiest whales aren't safe from a well-crafted lure.

As phishing attacks evolve and predators grow bolder, is there any safe harbor left in the turbulent seas of crypto?

REKT는 익명 작성자들에 의한 공공 플랫폼이며, REKT에 작성된 관점이나 내용에 대해서 그 어떤 책임도 지지 않습니다.

기부 (ETH / ERC20): 0x3C5c2F4bCeC51a36494682f91Dbc6cA7c63B514C

disclaimer:

REKT는 당사 웹 사이트의 익명의 작성자 또는 REKT에 의해 게시되거나 관련된 서비스에서 게시되는 콘텐츠에 대해 어떠한 책임도 지지 않습니다. 당사는 익명 작성자들의 행동 및 게시물에 대한 규칙을 제공하지만, 익명의 작성자가 웹 사이트 또는 서비스에 게시, 전송 혹은 공유한 내용을 통제하거나 책임지지 않으며, 귀하가 웹 사이트 또는 서비스에서 직면할 수 있는 불쾌함, 부적절함, 음란함, 불법 또는 기타 해로운 콘텐츠에 대해서도 책임을 지지 않습니다. REKT는 당사 웹 사이트 또는 서비스 사용자의 온라인 또는 오프라인 행위에 대한 책임을 지지 않습니다.