Hackers have attempted a phishing attack on Uniswap V3 that resulted in nearly $4.7 million worth of tokens being stolen from users.
According to a report, the phishing attack has targeted over 73,000 addresses, and fraudulent ERC-20 tokens were transferred to those addresses.
The hacker sent fraudulent ERC-20 tokens to the addresses and then attempted to transfer those tokens out of their wallets—all while pretending that they were legitimate ERC-20 tokens.
Binance’s CEO, Changpeng Zhao, revealed to his 6.6 million Twitter followers that the company’s threat intel had discovered a possible vulnerability on Ethereum’s Uniswap V3 network. A total of 4,295 ETH has been stolen by the hacker, who then laundered their money using Tornado Cash.
The hacker used a novel trick to gain access to Binance’s smart contract and siphoned off all funds from the exchange. They did this by exploiting a vulnerability in the smart contract for Uniswap V3, which was not patched by either the team or its community. As a result, the hacker was able to loot all funds in Binance’s wallet and move them into their account.
The hacker stole funds from the wallets of users who had not implemented proper security measures on their platforms. According to Zhao: “Our engineers have found another vulnerability on Ethereum’s Uniswap V3 protocol that allows hackers to steal your funds.”
“The team will continue to investigate. As a result, we temporarily suspend Uniswap trading on Binance until further notice. We will update our users as soon as we have more information about this situation,” he further added.
Security researcher Harry Denley of MetaMask, a browser-based cryptocurrency wallet and exchange, collected evidence that the phishing effort targeted native coin positions at Ethereum, Binance Coin, and Uniswap LP. The attacker reached 74,800 addresses after incurring transaction fees of 8.5 ETH and still has an additional 90.86 ETH.
The attacker carried out their strategy in two stages. The first stage sends the victim’s address, as well as information about their browser client, to /66312712367123.com. It attempts to steal assets from the company by using a link to a fake website that claims to be offering a social media account recovery service for tokens like BNB or LSK.
The second stage involves sending phishing emails with links to the same fake website used in stage one above.
For this attack to be successful, users must have been vulnerable to a phishing campaign or have been tricked into clicking on a malicious link sent via email or instant message (IM). The attacker also needed access to multiple accounts at these crypto exchanges and some way of distributing funds from them across different wallets without arousing suspicion from exchanges or other users.
The hack of Uniswap V3 has left users with losses of up to $4.7 million
As word spread around crypto Twitter, the price of Uniswap fell, recording losses of 10 percent throughout the evening.