- Hacker involved in a September 2023 phishing incident transfers $10 million in Ether to crypto mixer Tornado Cash.
- The attack, which resulted in a $24 million loss, exploited the “Increase Allowance” feature in smart contracts.
- Crypto phishing remains a significant threat, with Ethereum and ERC-20 tokens being primary targets for thieves.
A hacker associated with a significant phishing attack last September has laundered $10 million worth of Ether through the Tornado Cash protocol. This movement of funds, detected by the blockchain security firm CertiK, originated from an account linked to a $24 million theft from a cryptocurrency investor.
The Intricacies of the Attack
The phishing attack, which took place on September 6, 2023, saw a substantial amount of Ether siphoned from an investor’s account via the liquid staking provider Rocket Pool. The theft was executed through two separate transactions, draining a combined total of 14,430 units of staked Ether in different forms. This nefarious act was facilitated by exploiting the “Increase Allowance” function within smart contracts, a mechanism that permits third-party access to a user’s ERC-20 tokens once approval is granted.
Ongoing Threats in the Crypto World
The incident highlights the persistent dangers posed by phishing attacks within the cryptocurrency sector. According to a report by Scam Sniffer, a project dedicated to combating such scams, February alone witnessed nearly $47 million lost to these deceptive practices. A significant portion of these incidents occurred on the Ethereum network, emphasizing the vulnerability of ERC-20 tokens to such exploits.
In a similar vein, recent events have underscored the risks associated with token approvals. An outdated contract associated with the Dolomite exchange was exploited to divert $1.8 million from unsuspecting users, prompting calls for revoking previously granted approvals to mitigate further losses.
A Community on High Alert
The crypto community remains vigilant in the face of these ongoing security challenges. Despite the swift action of the Layerswap team to curb the fallout from a website breach, the hackers managed to abscond with approximately $100,000 from 50 individuals. In response, the protocol has committed to reimbursing the affected parties and offering additional compensation.
