A sophisticated phishing marketing campaign targeting liquidity providers (LPs) of the Uniswap v3 protocol resulted in attackers stealing at least $4.7 million in Ether (ETH). Nonetheless, the group believes the losses could be even greater.
MetaMask security researcher Harry Denley was among the first to raise the alarm about the attack, informing his 13,000 Twitter followers on Monday that 73,399 addresses had been sent malicious ERC-20 tokens to steal their assets.
According to a tweet from Binance CEO Changpeng “CZ” Zhao, at least $4.7 million in ETH has been lost in the attack. However, there are some reports in the crypto community that the incursion may cause additional significant losses.
The procedure
According to Denley, the phishing attack works by sending unsuspecting customers a “malicious token” called “UniswapLP” that is disguised as coming from the legitimate “Uniswap V3: Positions NFT” contract by manipulating the “From” field in the blockchain transaction explorer.
Customers interested in their new tokens may be directed to a website purporting to allow them to exchange their new tokens for Uniswap (UNI), which cost $5.34 each at the time of writing.
The website would instead send the customers’ address and browser consumer data to the attackers’ command heart, which would then attempt to empty cryptocurrency from their wallets.
To read our blog on “Celsius declares bankruptcy after repaying DeFi loans,” click here