Crypto Whale Loses $24M in Staked Ethereum
Crypto whale loses $24M in Ethereum due to phishing attack. Scammers exploit ERC-20 token permissions through rogue smart contracts.
A recent incident saw a prominent crypto investor, often referred to as a "whale" due to their substantial holdings, lose a whopping $24M in staked Ethereum.
On September 6, a crypto whale with the address "0x13e382" found themselves on the losing end of one of the most significant crypto phishing attacks in recent history. The investor lost 4,851 rETH (Rocket Pool ETH) valued at approximately $8.58 million and 9,579 stETH (Lido Staked ETH) worth around $15.63 million. In total, the loss amounted to a staggering $24.23 million.
Figure: The phisher's transactions in the $24 million phishing hack
The theft was executed with precision, with the stolen assets initially deposited into two specific addresses: "0x693b72" and "0x4c10a4." Notably, one of these addresses, "0x4c10a4," has been linked to multiple crypto phishing websites, suggesting the involvement of seasoned scammers.
Web3 security firm Scam Sniffer shed light on the scammers' likely modus operandi. The whale, despite their extensive on-chain experience, unintentionally granted token approval to the fraudsters by signing "increaseAllowance" transactions. increaseAllowance is an ERC-20 token function that raises the amount of an owner's tokens a designated spender address may move on the owner's behalf, so a smart contract controlled by a third party can spend tokens it does not own. Such permissions can be exploited by malicious actors, especially if they deploy rogue smart contracts as the approved spender.
Figure: "Increase Allowance" method on the phisher's transaction
ERC-20 tokens have a feature that lets an external party spend tokens owned by someone else through smart contracts: once the owner has signed the approval, the approved spender can move tokens up to the allowed amount without the owner signing anything further. Many crypto experts have cautioned about the dangers of granting such ERC-20 permissions, highlighting the potential for unverified developers to use rogue smart contracts for fraudulent activities.
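To make the mechanism concrete, here is an added example (not code from the article, Scam Sniffer, or any real token contract): a small in-memory Python model of the ERC-20 allowance bookkeeping, with the approve, increaseAllowance and transferFrom semantics that the incident turned on. The Token class, the addresses "0xWHALE", "0xPHISHER" and "0xDROP", and the balances are all constructed for illustration; increaseAllowance itself is an OpenZeppelin extension to the base ERC-20 interface rather than part of the original standard. The point the model shows is that the single signed approval is the loss event, and that a wallet owner's defence is to audit open allowances and set them back to zero.

```python
# Added example, not from the article: toy ERC-20 allowance ledger.
# Everything here (class names, addresses, amounts) is constructed.

class InsufficientAllowance(Exception):
    pass


class InsufficientBalance(Exception):
    pass


class Token:
    """Toy ERC-20 ledger: balances plus the (owner, spender) -> amount allowance map."""

    def __init__(self, symbol, balances):
        self.symbol = symbol
        self.balances = dict(balances)
        self.allowance = {}  # (owner, spender) -> amount the spender may still move

    def allowance_of(self, owner, spender):
        return self.allowance.get((owner, spender), 0)

    def approve(self, owner, spender, amount):
        # Signed by the owner: sets the spender's cap outright (0 revokes it).
        self.allowance[(owner, spender)] = amount

    def increase_allowance(self, owner, spender, added):
        # Signed by the owner: raises the existing cap by `added`.
        self.allowance[(owner, spender)] = self.allowance_of(owner, spender) + added

    def transfer_from(self, spender, owner, to, amount):
        # Called by the spender; the owner signs nothing at this point.
        cap = self.allowance_of(owner, spender)
        if amount > cap:
            raise InsufficientAllowance(f"{spender} may move {cap}, asked for {amount}")
        if amount > self.balances.get(owner, 0):
            raise InsufficientBalance(f"{owner} holds {self.balances.get(owner, 0)}")
        self.allowance[(owner, spender)] = cap - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def open_approvals(token, owner):
    """Defender-side audit: every spender still holding a non-zero allowance from owner."""
    return {s: a for (o, s), a in token.allowance.items() if o == owner and a > 0}


def revoke_all(token, owner):
    """Set every open allowance from owner back to zero."""
    for spender in list(open_approvals(token, owner)):
        token.approve(owner, spender, 0)


WHALE, PHISHER, DROP = "0xWHALE", "0xPHISHER", "0xDROP"  # constructed addresses


def scenario_unrevoked():
    """Owner signs one increaseAllowance; the spender later drains up to the cap."""
    steth = Token("stETH", {WHALE: 9579})
    steth.increase_allowance(WHALE, PHISHER, 9579)      # the only thing the owner signs
    steth.transfer_from(PHISHER, WHALE, DROP, 9579)     # no owner signature needed here
    return steth.balances[WHALE], steth.balances.get(DROP, 0)


def scenario_revoked():
    """Same approval, but the owner audits and revokes before the spender acts."""
    steth = Token("stETH", {WHALE: 9579})
    steth.increase_allowance(WHALE, PHISHER, 9579)
    assert open_approvals(steth, WHALE) == {PHISHER: 9579}
    revoke_all(steth, WHALE)
    try:
        steth.transfer_from(PHISHER, WHALE, DROP, 9579)
    except InsufficientAllowance:
        return steth.balances[WHALE], steth.balances.get(DROP, 0)
    raise AssertionError("transfer_from should have failed after revocation")


if __name__ == "__main__":
    print("unrevoked (owner, drop):", scenario_unrevoked())
    print("revoked   (owner, drop):", scenario_revoked())
```

The two scenarios differ only in whether the owner zeroed the allowance before the spender called transfer_from; on a real chain the audit step corresponds to reading the token's allowance(owner, spender) view for each spender the wallet has ever approved, and the revoke step to sending approve(spender, 0).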
Recently, several Ethereum liquid staking providers, such as Rocket Pool, StakeWise, Stader Labs, and Diva Staking, have either implemented or are in the process of adopting a self-imposed rule. This rule ensures they don't control more than 22% of the Ethereum staking market.
The affected party wasn't just any investor. They were a significant liquidity provider, offering WBTC/USDT liquidity exceeding $1.6 million on Uniswap V3. Their engagement with various protocols, including Aave, 1inch, Curve, OMG, EOS, and more, showcases their active participation in the crypto ecosystem. The earliest transaction linked to this address dates back to June 2017, originating from Bitfinex.
Phishing attacks aren't new to the crypto space. Ethereum Web3 security firm Kaspersky highlighted that crypto-related phishing scams have surged by 40% this year alone. The rise of such scams, especially on platforms like Twitter, has become a significant concern. Verified paid bots, particularly after the introduction of the new Twitter Blue subscription last November, have been instrumental in these phishing attempts.