網路釣魚詐騙透過「龍捲風現金」攻擊加密貨幣安全漏洞洗錢 1000 萬美元

區塊鏈安全公司 CertiK 報告稱，一個參與 2023 年 9 月價值 2400 萬美元網路釣魚詐騙的帳戶最近將價值 1000 萬美元的以太幣轉移到加密貨幣混合協議 Tornado Cash 中。在批准「增加津貼」交易後，受害者透過流動性質押提供者 Rocket Pool 損失了大量質押的以太幣，從而授予攻擊者訪問其代幣的權限。關於代幣配額的討論在加密貨幣社群中一直很突出，人們擔心可能會被濫用。

Cryptocurrency Security Breach: Phishing Scam Launders $10 Million Through Tornado Cash

加密貨幣安全漏洞：網路釣魚詐騙透過龍捲風現金洗錢 1000 萬美元

On March 21, CertiK, a prominent blockchain security firm, raised an alarm in the cryptocurrency community, reporting the transfer of $10 million worth of Ether (ETH) from an account implicated in a major phishing scam in September 2023. The funds were laundered through Tornado Cash, a crypto-mixing protocol designed to obfuscate the trail of illicit transactions.

3 月 21 日，知名區塊鏈安全公司 CertiK 在加密貨幣社群發出警報，表示 2023 年 9 月涉及重大網路釣魚詐騙的帳戶中價值 1000 萬美元的以太坊 (ETH) 被轉移。這些資金透過Tornado Cash ，一種加密貨幣混合協議，旨在混淆非法交易的痕跡。

This incident is a chilling reminder of the persistent threat posed by phishing scams, which have become increasingly sophisticated and targeted in the cryptocurrency space. The account in question was part of a larger hack that stole a staggering $24 million from a prominent cryptocurrency investor known as a "crypto whale" on September 6, 2023.

這起事件令人不寒而慄地提醒人們，網路釣魚詐騙所帶來的持續威脅已經變得越來越複雜，並且在加密貨幣領域變得越來越有針對性。該帳戶是 2023 年 9 月 6 日從一位被稱為「加密鯨」的著名加密貨幣投資者那裡竊取了高達 2,400 萬美元的更大規模駭客攻擊的一部分。

The victim of this phishing attack lost a substantial amount of staked Ether (ETH) through the liquid staking provider Rocket Pool. Through a series of cunning transactions, the attackers managed to siphon funds in two separate transfers, extracting a total of 9,579 stETH and 4,851 rETH.

這次網路釣魚攻擊的受害者透過流動性質押提供者 Rocket Pool 損失了大量質押的以太幣 (ETH)。透過一系列狡猾的交易，攻擊者成功地在兩次單獨的轉帳中吸走了資金，總共提取了 9,579 stETH 和 4,851 rETH。

According to Scam Sniffer, an anti-scam initiative that has been closely tracking this incident, the breach occurred when the victim inadvertently approved an "Increase Allowance" transaction. This action granted the hackers permission to access the victim's ERC-20 tokens via a token allowance mechanism—a feature that enables third parties to spend tokens on behalf of the token holder.

據一直密切跟踪這一事件的反詐騙組織 Scam Sniffer 稱，此次違規行為是在受害者無意中批准了一項「增加津貼」交易時發生的。此操作授予駭客透過代幣允許機制存取受害者的 ERC-20 代幣的權限，該機制使第三方能夠代表代幣持有者使用代幣。

The conversation around token allowances has been gaining traction within the cryptocurrency community, with many voicing concerns over the potential for misuse through the deployment of malicious smart contracts. These concerns have been further validated by recent events, including the Dolomite exchange exploit on March 20, which resulted in the theft of $1.8 million from unsuspecting users due to an outdated contract.

關於代幣配額的討論在加密貨幣社群中越來越受到關注，許多人對透過部署惡意智慧合約而可能被濫用表示擔憂。最近發生的事件進一步證實了這些擔憂，包括 3 月 20 日的 Dolomite 交易所漏洞，由於合約過期，導致毫無戒心的用戶被盜 180 萬美元。

In the wake of the latest phishing scam, PeckShield, another blockchain security firm, conducted a thorough investigation and uncovered a complex network of transactions. The fraudsters converted their illicit gains into 13,785 ETH and 1.64 million Dai, dispersing a portion of these funds through the FixedFload exchange and other digital wallets.

在最新的網路釣魚騙局發生後，另一家區塊鏈安全公司 PeckShield 進行了徹底調查，發現了一個複雜的交易網路。詐騙者將其非法收益轉換為 13,785 ETH 和 164 萬 Dai，並透過 FixFload 交易所和其他數位錢包分散了其中一部分資金。

This incident underscores the persistent risk of phishing scams in the cryptocurrency domain, which continue to result in significant financial losses. A recent report by Scam Sniffer highlighted that nearly $47 million was stolen through crypto phishing in February alone, with the majority of these incidents occurring on the Ethereum network and primarily involving ERC-20 tokens.

這起事件凸顯了加密貨幣領域網路釣魚詐騙的持續風險，這繼續導致重大的財務損失。 Scam Sniffer 最近的一份報告強調，光是 2 月就有近 4,700 萬美元透過加密貨幣網路釣魚被盜，其中大部分事件發生在以太坊網路上，並且主要涉及 ERC-20 代幣。

Despite the ongoing efforts of security firms like CertiK and PeckShield to safeguard the cryptocurrency ecosystem, malicious actors continue to find ways to exploit vulnerabilities and compromise user funds. These incidents serve as a stark reminder of the importance of practicing vigilance and employing robust security measures to protect digital assets.

儘管 CertiK 和 PeckShield 等安全公司不斷努力保護加密貨幣生態系統，但惡意行為者仍在繼續尋找利用漏洞和損害用戶資金的方法。這些事件清楚地提醒我們保持警惕並採取強有力的安全措施來保護數位資產的重要性。

Token approvals, in particular, have emerged as a significant vulnerability that needs to be addressed. As the cryptocurrency community continues to evolve, it is imperative to develop and implement robust mechanisms to prevent the unauthorized use of token allowances and mitigate the risk of phishing scams.

尤其是代幣審批已成為需要解決的重大漏洞。隨著加密貨幣社群的不斷發展，必須開發和實施強大的機制來防止未經授權使用代幣配額並降低網路釣魚詐騙的風險。

While the cryptocurrency industry has witnessed its share of successful security interventions, the ongoing challenges and risks associated with digital asset security should not be underestimated. Vigilance, education, and collaboration among security experts, cryptocurrency exchanges, and users are essential to combat phishing scams and protect the integrity of the cryptocurrency ecosystem.

儘管加密貨幣行業已經見證了成功的安全乾預措施，但與數位資產安全相關的持續挑戰和風險不應被低估。安全專家、加密貨幣交易所和用戶之間的警覺、教育和協作對於打擊網路釣魚詐騙和保護加密貨幣生態系統的完整性至關重要。