A crypto whale has fallen victim to a major identity theft attack, losing millions of dollars' worth of staked Ethereum held with the liquid staking provider Rocket Pool. The attack highlights the risk of malicious smart contracts being used to defraud users of ERC-20 tokens, and Ethereum staking providers are taking precautions to limit such risks.
$24 Million Hack Attack
According to the crypto security firm PeckShield, a large crypto investor lost their entire balance of Lido Staked ETH (stETH) and Rocket Pool ETH (rETH) in an identity theft attack. The attack took only two transactions, which drained 9,579 stETH and 4,851 rETH. At prices on the date of the attack, September 6th, the stolen tokens were worth a total of $24 million: $15.5 million of stETH and $8.5 million of rETH.
According to PeckShield’s data, the fraudster then exchanged the stolen assets for 13,785 Ethereum and 1.64 million Dai tokens. PeckShield reported that a significant portion of the DAI stash had already been transferred to the fully automated crypto exchange FixedFloat. MistTrack, the crypto monitoring team of SlowMist, also reported that the majority of the stolen funds were transferred to three addresses, including 0x4f2f02ee, 0x7023505, and 0x2abdc2ab. According to data from the anti-scam resource Scam Sniffer, the victim enabled token approvals for the scammer by signing “Increase Allowance” transactions.
Warning Issued About the Method
One feature of ERC-20 tokens is the allowance (approval) mechanism, which lets a third party, typically a smart contract, spend tokens belonging to a different owner. Some crypto observers had previously warned about the risks of granting ERC-20 approvals, noting that anonymous developers could use malicious smart contracts to defraud users.
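The allowance grant described above can be inspected before a transaction is signed. The following Python is an added example, not code from the article or from any firm it cites: it decodes `approve` and `increaseAllowance` calldata and reports warnings. The spender address, the trusted-spender list, the balance and the function names `decode_allowance_call` and `review_allowance` are assumptions made for illustration.

```python
# Added example: decode ERC-20 allowance-granting calldata before signing.
# Keys are the standard 4-byte selectors for these function signatures.
ALLOWANCE_SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
}
MAX_UINT256 = 2**256 - 1


def decode_allowance_call(calldata_hex):
    """Return (function, spender, amount) for an allowance grant, else None."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    selector, args = data[:8], data[8:]
    if selector not in ALLOWANCE_SELECTORS:
        return None
    if len(args) < 128:
        raise ValueError("truncated calldata: need two 32-byte arguments")
    spender_word, amount_word = args[:64], args[64:128]
    # An address is right-aligned in its word; the top 12 bytes must be zero.
    if int(spender_word[:24], 16) != 0:
        raise ValueError("malformed address argument")
    return ALLOWANCE_SELECTORS[selector], "0x" + spender_word[24:], int(amount_word, 16)


def review_allowance(calldata_hex, trusted_spenders, token_balance):
    """Return warnings a wallet could show before the user signs."""
    decoded = decode_allowance_call(calldata_hex)
    if decoded is None:
        return []
    _, spender, amount = decoded
    warnings = []
    if spender not in {s.lower() for s in trusted_spenders}:
        warnings.append("spender not in trusted list")
    if amount == MAX_UINT256:
        warnings.append("unlimited allowance")
    elif amount >= token_balance:
        warnings.append("allowance covers entire balance")
    return warnings


def abi_word(n):
    return format(n, "064x")  # one 32-byte ABI word as hex

# Constructed sample: placeholder spender, amount in 18-decimal base units.
SAMPLE_SPENDER = "0x" + "ab" * 20
SAMPLE_BALANCE = 9579 * 10**18
SAMPLE_CALLDATA = "0x39509351" + abi_word(int(SAMPLE_SPENDER, 16)) + abi_word(SAMPLE_BALANCE)

if __name__ == "__main__":
    print(review_allowance(SAMPLE_CALLDATA, [], SAMPLE_BALANCE))
```

Because `increaseAllowance` adds to any allowance already granted, the decoded amount is a lower bound on what the spender can move afterwards.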
The news comes shortly after at least five Ethereum liquid staking providers committed to holding no more than 22% of the Ethereum staking market, or began working to implement this restriction. The providers reportedly include Rocket Pool, StakeWise, Stader Labs, and Diva Staking.