A recent phishing attack on Ethereum resulted in a cryptocurrency investor losing over $180,000 in USDC and ANDY tokens. Hackers exploited the victim's interactions with smart contracts, combining multiple function calls into a single transaction that drained their balance. The attack highlights the increasing prevalence of phishing scams within the cryptocurrency industry, where over 57,000 users lost a combined $46 million in February alone.
Cryptocurrency Investor Loses Over $180,000 in Phishing Attack Targeting Ethereum and Meme Coin
On April 23rd, a cryptocurrency investor fell prey to a sophisticated phishing attack targeting their Ethereum (ETH) wallet, resulting in the loss of over $180,000 worth of digital assets. The incident, which unfolded over a span of just one hour, was meticulously executed by cybercriminals exploiting the victim's interactions with smart contracts.
Data obtained from the blockchain analytics firm Etherscan revealed that the attack began at 05:39 UTC and continued until 06:29 UTC. The perpetrators utilized a "multi-call phishing" technique, combining multiple function calls into a single transaction. While these calls may appear innocuous individually, their collective impact allowed the attackers to siphon funds from the victim's wallet.
Transaction records indicate that the perpetrators directed outflows from the victim's address to multiple wallets under their control. Some of these wallets have been flagged as phishing entities by Etherscan. The attack resulted in the loss of over 1.6 billion ANDY tokens, a recently launched meme coin inspired by Pepe, valued at approximately $162,400, as well as 17,913 USDC, a stablecoin pegged to the US dollar.
This devastating attack effectively emptied the victim's cryptocurrency account, leaving behind a balance of just $32 worth of ETH and Arbitrum (ARB). While one of the attacker's wallets has retained the stolen funds, the second, which received all the ANDY tokens, immediately swapped them for Wrapped Ethereum (WETH) on the Uniswap decentralized exchange and transferred the WETH to a newly created address.
The attack most likely exploited the victim's interactions with smart contracts, which are self-executing programs stored on the blockchain. Malicious actors often create contracts that mimic legitimate decentralized finance (DeFi) operations, such as token swaps, but embed malicious code within the transactions. These embedded calls can grant the attacker the authority to transfer the user's tokens without their knowledge or consent.
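A pre-signing check for the multi-call pattern described above, as an added example that is not from the original article: it unpacks a bundled transaction's calldata and lists every sub-call that grants token-spending authority, along with the address that would receive it. The multicall(bytes[]) interface and the selector list are assumptions (the article does not name the functions used), and the sample transaction is constructed.

```python
MULTICALL = bytes.fromhex("ac9650d8")  # multicall(bytes[]); assumed interface, not named in the article
# selector -> (signature, index of the argument naming who gains spending authority)
RISKY = {
    "095ea7b3": ("approve(address,uint256)", 0),
    "39509351": ("increaseAllowance(address,uint256)", 0),
    "a22cb465": ("setApprovalForAll(address,bool)", 0),
    "d505accf": ("permit(address,address,uint256,uint256,uint8,bytes32,bytes32)", 1),
}

def _word(buf, off):
    if off + 32 > len(buf):
        raise ValueError("calldata truncated")
    return int.from_bytes(buf[off:off + 32], "big")

def split_multicall(calldata):
    """Return the inner calls of multicall(bytes[]); a plain call is returned as-is."""
    if calldata[:4] != MULTICALL:
        return [calldata]
    args = calldata[4:]
    head = _word(args, 0) + 32  # first element offset; the array length sits one word earlier
    calls = []
    for i in range(_word(args, head - 32)):
        start = head + _word(args, head + 32 * i)  # element offsets are relative to head
        size = _word(args, start)
        if start + 32 + size > len(args):
            raise ValueError("calldata truncated")
        calls.append(args[start + 32:start + 32 + size])
    return calls

def review(calldata):
    """Return (sub-call index, signature, address gaining authority) for each risky sub-call."""
    findings = []
    for i, call in enumerate(split_multicall(calldata)):
        sig, idx = RISKY.get(call[:4].hex(), (None, 0))
        if sig:
            findings.append((i, sig, "0x" + call[16 + 32 * idx:36 + 32 * idx].hex()))
    return findings

def encode_multicall(calls):  # ABI-encodes bytes[]; used only to construct the sample
    w = lambda n: n.to_bytes(32, "big")
    offs = tails = b""
    for c in calls:
        offs += w(32 * len(calls) + len(tails))
        tails += w(len(c)) + c + bytes(-len(c) % 32)
    return MULTICALL + w(32) + w(len(calls)) + offs + tails

# Constructed sample: an unrelated call bundled with an unlimited approve() to a placeholder address.
SAMPLE = encode_multicall([bytes.fromhex("12345678") + bytes(64),
    bytes.fromhex("095ea7b3") + bytes(12) + bytes.fromhex("11" * 20) + b"\xff" * 32])
print(review(SAMPLE))
```

Nested multicalls and router-specific wrappers are not unpacked here; a sub-call that is itself a multicall would need a second pass.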
This phishing attack bears striking similarities to a previous incident reported by Crypto.news in March, where an investor lost $674,000 in USDC in a similar multi-call phishing scheme. The perpetrators swiftly funneled the stolen assets to the 0x protocol for liquidation.
The prevalence of such phishing scams is alarming, with a recent report indicating that over 57,000 cryptocurrency users lost approximately $46 million to phishing attacks in February alone. These attacks highlight the importance of vigilance and caution when interacting with smart contracts and decentralized exchanges.
Investors are urged to exercise extreme caution when authorizing transactions or connecting their wallets to third-party platforms. It is crucial to thoroughly verify the authenticity of contracts and websites before granting any approvals. Additionally, utilizing hardware wallets for storing cryptocurrency and employing multi-factor authentication can provide an extra layer of protection against phishing attempts.