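Blockchain security firm CertiK reports that an account involved in a $24 million phishing scam in September 2023 recently moved $10 million worth of Ether into the crypto-mixing protocol Tornado Cash. The victim lost a large amount of staked Ether through the liquid staking provider Rocket Pool after approving an "Increase Allowance" transaction, which granted the attacker access to their tokens. Discussion of token allowances has been prominent in the cryptocurrency community, with concerns that they could be misused.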
Cryptocurrency Security Breach: Phishing Scam Launders $10 Million Through Tornado Cash
On March 21, CertiK, a prominent blockchain security firm, raised an alarm in the cryptocurrency community, reporting the transfer of $10 million worth of Ether (ETH) from an account implicated in a major phishing scam in September 2023. The funds were laundered through Tornado Cash, a crypto-mixing protocol designed to obfuscate the trail of illicit transactions.
This incident is a chilling reminder of the persistent threat posed by phishing scams, which have become increasingly sophisticated and targeted in the cryptocurrency space. The account in question was part of a larger hack that stole a staggering $24 million from a prominent cryptocurrency investor known as a "crypto whale" on September 6, 2023.
The victim of this phishing attack lost a substantial amount of staked Ether (ETH) through the liquid staking provider Rocket Pool. Through a series of cunning transactions, the attackers managed to siphon funds in two separate transfers, extracting a total of 9,579 stETH and 4,851 rETH.
According to Scam Sniffer, an anti-scam initiative that has been closely tracking this incident, the breach occurred when the victim inadvertently approved an "Increase Allowance" transaction. This action granted the hackers permission to access the victim's ERC-20 tokens via a token allowance mechanism—a feature that enables third parties to spend tokens on behalf of the token holder.
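The allowance grant described above can be caught before signing by decoding the transaction calldata. The following is an added example, not code from the article, Scam Sniffer or any wallet; the allowlist, warning texts and sample address are assumptions constructed for illustration.

```python
# Added example: pre-signing check for ERC-20 allowance grants.
# Function selectors are the first 4 bytes of keccak256(signature).
SELECTORS = {
    "095ea7b3": "approve",            # approve(address,uint256)
    "39509351": "increaseAllowance",  # increaseAllowance(address,uint256)
}
MAX_UINT256 = 2**256 - 1


def encode_call(selector, spender, amount):
    """Build calldata for an (address,uint256) call; used for constructed samples."""
    return "0x" + selector + spender[2:].lower().rjust(64, "0") + format(amount, "064x")


def decode_allowance_call(calldata):
    """Return (function, spender, amount) for an allowance grant, else None."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    name = SELECTORS.get(data[:8])
    if name is None:
        return None
    args = data[8:]
    if len(args) != 128 or args[:24] != "0" * 24:
        raise ValueError("malformed (address,uint256) arguments")
    return name, "0x" + args[24:64], int(args[64:], 16)


def review(calldata, holder_balance, trusted_spenders):
    """List the reasons a wallet should stop and ask before signing."""
    decoded = decode_allowance_call(calldata)
    if decoded is None:
        return []
    name, spender, amount = decoded
    warnings = [f"{name}: {spender} will be able to spend your tokens"]
    if spender not in trusted_spenders:
        warnings.append("spender is not on the allowlist")
    if amount == MAX_UINT256:
        warnings.append("allowance is unlimited")
    elif amount >= holder_balance:
        warnings.append("allowance covers the whole balance")
    return warnings


# Constructed sample: an unknown spender asks for an unlimited increase.
UNKNOWN_SPENDER = "0x" + "ab" * 20  # constructed address, not from the article
SAMPLE = encode_call("39509351", UNKNOWN_SPENDER, MAX_UINT256)

if __name__ == "__main__":
    for line in review(SAMPLE, 10**18, trusted_spenders=set()):
        print(line)
```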
The conversation around token allowances has been gaining traction within the cryptocurrency community, with many voicing concerns over the potential for misuse through the deployment of malicious smart contracts. These concerns have been further validated by recent events, including the Dolomite exchange exploit on March 20, which resulted in the theft of $1.8 million from unsuspecting users due to an outdated contract.
In the wake of the latest phishing scam, PeckShield, another blockchain security firm, conducted a thorough investigation and uncovered a complex network of transactions. The fraudsters converted their illicit gains into 13,785 ETH and 1.64 million Dai, dispersing a portion of these funds through the FixedFloat exchange and other digital wallets.
This incident underscores the persistent risk of phishing scams in the cryptocurrency domain, which continue to result in significant financial losses. A recent report by Scam Sniffer highlighted that nearly $47 million was stolen through crypto phishing in February alone, with the majority of these incidents occurring on the Ethereum network and primarily involving ERC-20 tokens.
Despite the ongoing efforts of security firms like CertiK and PeckShield to safeguard the cryptocurrency ecosystem, malicious actors continue to find ways to exploit vulnerabilities and compromise user funds. These incidents serve as a stark reminder of the importance of practicing vigilance and employing robust security measures to protect digital assets.
Token approvals, in particular, have emerged as a significant vulnerability that needs to be addressed. As the cryptocurrency community continues to evolve, it is imperative to develop and implement robust mechanisms to prevent the unauthorized use of token allowances and mitigate the risk of phishing scams.
While the cryptocurrency industry has witnessed its share of successful security interventions, the ongoing challenges and risks associated with digital asset security should not be underestimated. Vigilance, education, and collaboration among security experts, cryptocurrency exchanges, and users are essential to combat phishing scams and protect the integrity of the cryptocurrency ecosystem.