Trust Wallet Responds to $4M Social Engineering Hack
Binance-owned Trust Wallet has responded to a face-to-face social engineering scam in which a metaverse startup lost $4 million.
Trust Wallet said that an organized crime syndicate from Rome, Italy, used social engineering methods to steal $4 million worth of USDC from a Trust Wallet belonging to Web3 startup Webaverse.
Metaverse Firm Tricked into Transferring $4M From Multi-Sig Trust Wallet
According to the wallet vendor, the criminal persuaded the victim to transfer funds from a multi-sig Trust wallet to a single Trust wallet. A multi-sig wallet requires more than one private key to sign transactions.
Before the victim transferred the funds, the criminal gave them an electronic version of a non-disclosure agreement and fake Know-Your-Customer information. Trust Wallet suspects that the fake NDA contained the malware needed to steal the money.
After the victim transferred the money, the criminal took a picture of the wallet to “confirm” the transfer. He then disappeared with the victim’s crypto.
What perplexed Webaverse cofounder Ahad Shams was how the scammer stole the funds without seeing the Trust Wallet’s private key. One Twitter user suggested that the scammer may have accessed the funds through an on-screen QR code, though this has not been confirmed.
Later investigations revealed that the stolen funds were split into six addresses. The scammer converted the USDC to ETH, Wrapped Bitcoin and USDT, and sent them to fourteen addresses, from which they were sent to four other addresses. Presently, one address holds 83% of the stolen crypto.
Trust Wallet said that victims of this scam should report the incident to law enforcement, which can prevent the scammer from cashing out using a fiat on-ramp. The firm also cautions against using public WiFi hotspots when traveling abroad or entering login credentials over an unsecured HTTP connection.
NFT Entrepreneur Recounts Similar Theft in 2021
While crypto scams take on various forms, in most cases, scammers try to get a victim to send their crypto to a fraudulent address or steal it outright.
Before the Webaverse incident, customers of other wallet vendors reported at least two similar incidents in Milan, Italy, and Barcelona, Spain.
Generative NFT artist and entrepreneur Jacob Riglin, who goes by the Twitter handle @jacobriglin, had $90,000 worth of crypto stolen by a legitimate-looking property firm while abroad in Barcelona.
According to @jacobriglin, he arranged to meet three people at a restaurant after exchanging emails about the sale of a few of his NFTs. In the emails, the representatives of the alleged property firm said @jacobriglin must pay them a commission as soon as he received payment for the NFTs.
While chatting about the commission at the restaurant, the trio asked @jacobriglin to prove he had the funds to pay them. As in the Shams case, @jacobriglin opened the wallet and discovered the criminals had stolen his money.
While he didn’t know whether the trio used WiFi to steal the funds, he suspected they had done this before, given the subtlety of the theft.
In 2022, American victims of romance scams lost $185 million. Romance scams are social engineering attacks that target victims looking for companionship on social media and dating apps.
After building up an online relationship with the victim, scammers usually ask them to send crypto to a specific address before blocking the victim and disappearing.
With Valentine’s Day around the corner, it may be wise to take necessary measures to protect yourself.