Cybersecurity experts have revealed a popular way to steal cryptocurrencies. How does it work?
Certik, a cybersecurity company with a focus on blockchain assets, has warned of the growing danger of a new type of fraud called “ice phishing”. A victim of such an attack is forced to sign a smart contract authorisation, which in turn allows them to withdraw tokens from their cryptocurrency wallet. This scheme is slightly different from traditional phishing, where scammers try to “steal” the victim’s personal information and passwords, rather than funds directly. Here’s a closer look at what’s going on.
How crypto-assets can be lost
Certik representatives have warned crypto investors about the potential danger in a thread discussing ice phishing on Twitter. Here’s their relevant rejoinder.
Ice phishing poses a significant threat to the community of active Web3 users. Instead of gaining access to your private key, scammers trick you into signing permission to spend from your wallet.
The danger of this scheme is that one can encounter this type of danger at almost any time. For example, scammers like to force users to sign certain transactions at the time of launching new NFT collections. That is, in this case, the digital asset hobbyist may think that he is authorising his own address to interact with a certain smart contract to further receive tokens, but in fact he is giving permission for more extensive actions. For example, some permissions include allowing the contract itself to withdraw funds from its address.
What's particularly dangerous here is that the subsequent withdrawal can take place either a day or a month later. Consequently, the owner of the cryptocurrency may be a victim without even realising it. Well, scammers may be waiting for the address to be topped up to maximise their own "earnings".
According to Cointelegraph’s sources, the first stage of the scam begins with the wallet authorising the victim to transfer tokens via a smart contract. The scammers achieve this by spamming fake “bargain offers” to their victims.
A prime example of such an incident is the theft of 14 NFTs from the Bored Ape Yacht Club (BAYC) collection earlier this month. The owner of the tokens was asked to sign a smart contract agreeing to the use of his NFTs in a fake short film about the BAYC universe. The owner of the expensive NFTs turned out to be quite gullible. As a result, he gave the crooks the permission they needed and lost the not inconsiderable dollar value in digital assets.
Back to the Certik thread. The image below shows that as a result of the transaction, the victim’s wallet (0x0d2e) gave permission to a smart contract from Tether to interact USDT with the attacker’s address (0x4632).
Details of the fraudster’s transaction
A request was then sent from the scammer’s wallet to a smart contract from Tether to transfer USDT from the victim’s wallet to his other address (0x9ca3).
Details of the fraudster’s transaction
Certik noted that users can use the Etherscan browser to check the full list of permissions for a particular smart contract.
Smart contract details should be checked with Etherscan
In addition, even before interacting with a suspicious or simply unfamiliar smart contract, users are advised to check it in Etherscan. It’s possible that certain smart contracts by scammers may already be flagged as fraudulent by the browser.
Separately, the already familiar Ledger hardware wallets allow us to combat such schemes. Their peculiarity is that they have a screen which is not connected to the internet, which means it is impossible to hack and force to display untrue data for each transaction. In addition, these devices show the user what signing a particular transaction will actually lead to, and what permissions they are granting when doing so. This feature is known as transparent signing.
Ledger Nano S Plus Genesis Edition
Be that as it may, the amount of money stolen by individual fraudsters will never compare to the damage that the crypto industry suffered with the collapse of the FTX exchange founded by Sam Bankman-Fried. Sam has already been arrested and extradited to the US from the Bahamas, but that doesn’t make it any easier for former users of the FTX platform.
According to Blockchain.com platform CEO Peter Smith, cryptanalysts can play an important role in finding FTX funds with which to at least compensate those affected.
😈 YOU CAN FIND MORE INTERESTING THINGS ON OUR YANDEX.ZEN!
In his recent interview with Fox Business, Smith said that tracking FTX’s financial flows on the blockchain has already done a lot for future compensation to investors and creditors. True, analysts have their own limitations: they can’t track transactions that go into offchain, that is, beyond the blockchain. Here’s the cue that Cointelegraph cites.
The hardest part for analytics firms is when money goes off the blockchain into the banking system because they can no longer trace it.
Ex-CEO of FTX Sam Bankman-Fried
As an example, Smith cited several cases of Bankman-Fried buying property in the Bahamas. This money could have been traced if it was still on the blockchain. In addition, FTX used shadow banking, a system of transactions among a large number of brokers, lenders and other organisations, to muddle its trail.
However, the exchange still has a relatively large amount of money left in various blockchains – open liquidity farming positions, transactions, blockchain bridges and so on. According to Smith, sourcing, collecting and making cryptocurrencies available in liquid form to the FTX bankruptcy litigation will do much for those affected.
We think this warning from Certik analysts is worth taking as responsibly as possible. Scammers in the cryptocurrency niche are a popular story, so sooner or later almost every coinholder will have to deal with them. Therefore, it is better to prepare for this event and know in advance how to behave. In this case, the ideal preparation would be the purchase and use of a hardware wallet.
Related posts
