cointelegraph

Crypto whale loses $24M in staked Ethereum to phishing attack

A cryptocurrency whale has fallen victim to a massive phishing attack, losing millions of dollars in staked Ethereum on the liquid staking provider Rocket Pool.

A large cryptocurrency investor lost the entire address balance of Lido Staked ETH (stETH) and Rocket Pool ETH (rETH) due to a phishing attack, the cryptocurrency security firm PeckShield reported.

The hack was completed in just two transactions, as one had 9,579 stETH stolen and the other involved 4,851 rETH. At the time of the attack, which occurred on Sept. 6, the stolen amounts were worth $15.5 million in stETH and $8.5 million in rETH, a staggering $24 million combined.

Crypto whale loses $24M in staked Ethereum to phishing attack
The phisher transactions in the $24 million phishing hack. Source: X

According to PeckShield data, the phisher subsequently swapped the stolen assets for 13,785 Ether (ETH) and 1.64 million Dai (DAI) tokens.

A significant portion of the DAI stash has already been transferred into the fully automatic cryptocurrency exchange FixedFloat, PeckShield reported.

SlowMist’s crypto tracking team MistTrack also reported that the most of the remaining stolen funds were transferred to three addresses, including 0x4f2f02ee, 0x7023505 and 0x2abdc2ab.

Related: MetaMask scammers take over government websites to target crypto investors

According to data from the anti-scam source, Scam Sniffer, the victim enabled token approvals to the scammer by signing “Increase Allowance” transactions.

Crypto whale loses $24M in staked Ethereum to phishing attack
“Increase Allowance” method on the phisher’s transaction. Source: Etherscan

Allowance or access permissions are a feature of ERC-20 tokens which enable a third party to have the right to spend some tokens that belong to a different owner, using smart contracts. Some cryptocurrency observers have previously warned against risks associated with approving ERC-20 allowances, noting that anonymous developers could deploy malicious smart contracts to scam users.

The news comes soon after at least five Ethereum liquid staking providers imposed or started working to impose a self-limit rule in which they promise not to own more than 22% of the Ethereum staking market. The providers reportedly included Rocket Pool, StakeWise, Stader Labs and Diva Staking.

Magazine: Asia Express: Thailand’s national airdrop, Delio users screwed, Vietnam top crypto country