A crypto founder ducked an “extremely thorough” social engineering scam attempt which could have value him more than $125 million worth of ETH. The attempt shows that hackers are becoming more sophisticated and “super smart.”

Social engineering is a method used by cyber-criminals to gain someone’s trust, often by manipulation, in order to steal sensitive information or cause them to take action that “they otherwise would not.” Heather Morgan may have stolen $4.5 billion from Bitfinex this way.

Thomasg.eth is the pseudonymous founder of Arrow, an early-stage DAO working to build a decentralized air transportation system. On Sunday he detailed how he was almost socially engineered into giving up all his Ethereum (ETH).

The founder spoke of the extensive effort employed by the scammers in trying to steal his money, including forming work for his project and engaging in discussions with multiple people above a period of two weeks.

The scam failed only because Thomasg.eth decided to use a new Ethereum address, and not his primary address while perforging a favor involving non-fungible cryptocurrencies (NFTs) for the hackers. Writing on Twitter, the Arrow founder said:

For the past two weeks, I have been targeted in an extremely thorough social engineering scam that nearly value me all of my Ethereum (ETH). I’m super lucky to have made it through unscathed.

Social engineering: Scammers volunteer at Arrow to gain trust

Thomas.eth said a user named Heckshine captured out to him on Discord and offered to help “with 3D design and animation” for free. He obliged and hands him a few tasks. Heckshine’s work is prolific, and Thomasg is “impressed” with the designer’s dedication to the project.

Trust gained, Heckshine urgently put the Arrow DAO founder into contact with an ‘accomplished’ industry connection, Linh, who initiates the scam. Thomasg.eth agrees to take Linh on board as an advisor.

She afterwards convinced Thomasg to try out the stcorrespondingg service of an NFT project that she was leading – Space Falcon, a popular gaming project on Solana, but whose domain name Linh corrupted for the purposes of fraud. Linh sends an NFT to his ethereum address. Explaining, Thomasg said:

“Now here is where I got incredibly lucky. Since it’s a new project, I decided to movement the NFT to a fresh Ethereum (ETH) address before going through the stequivalentg process – barely in fact they get exploited down the road or something. The stake goes through and I’m earning yield on it.”

But Linh pushes him to stake another NFT, this time from his main account. That is although he “eventually captured that something sketchy is going on.”

“So I pull up Etherscan for the new address where I staked the first NFT and my blood goes ice f***ing cold,” Thomasg says. “The aWEthereum (ETH) that I scarcelyifyd was not [Space Falcon’s] Armexcessive Ethereum (ETH), but rather Aave’s aWEthereum (ETH). On my main address, almost all of my Ethereum (ETH) is sitting in Aave.”

Bogus smart contracts

Thomasg.eth investigated the contract further and found out that the smart contract included a command where all the aWEthereum (ETH) could have been drained at any time by the hackers.

While the first in place stake could have resulted in the theft of only the stalikeg rewards, an attack on his main address, that contained around $125 million in aWEthereum (ETH) at the time, would have thoroughly emptied the account.

It is possible the criminals got attracted to the fat balance in Thomasg’s address, that uses the Ethereum Name Service (ENS). The service allows users to leverage names as addresses instead of alphanumeric characters which make up a regular Ethereum (ETH) address. The hackers would have researched him very well before initiating engagement.

Thomasg.eth admitted:

“Perhaps my biggest mistake with all of this was keeping all of my funds in the same wallet as my ENS. Security through obscurity would have prevented me from becoming a target in the first place.”

The scammers have afterward erased their footprint on Discord, but Thomasg now believes they hired a graphic designer to do Heckshine’s work throughout the time the duo focused on stealing from him.

“They back although again had built custom contracts and the front end which are entirely specific to this scam,” he said. “These guys were incredibly well funded and super smart.”

The post Crypto Founder Targeted in $125M Social Engineering Scam Attempt appeared first on CryptCraze.