Uniswap Users Lose Over $8 Million in Sophisticated Phishing Attack

Users of the decentralized exchange Uniswap lost Ethereum worth approximately $8,000,000 as a result of a sophisticated phishing attack. This incident was not due to a hack or exploitation of a vulnerability, but it still affected many cryptocurrency investors and their digital assets.

One of the first to report the incident was Binance CEO Changpeng Zhao, who announced on Twitter that his threat analysis team had “detected a potential exploit for Uniswap V3 on the ETH blockchain.”

“At this point, the hacker has stolen 4,295 ETH [about $4.6 million] and is laundering it through Tornado Cash. Can someone notify Uniswap?” Zhao wrote.

However, it was soon clarified that there was no exploit or vulnerability involved. Uniswap creator Hayden Adams stated that a phishing attack had occurred, affecting some users.

How the Phishing Attack Worked

As is now known, the attackers used a fake UNI token airdrop as bait to trick victims into approving transactions that gave the hackers full access to their assets. Experts explain that the scammers created an ERC20 token and distributed it for free to 73,399 users who held UNI tokens, spending a total of 8.5 ETH on transaction fees.

The attackers’ goal was to redirect recipients to a fraudulent website disguised as the official Uniswap domain (uniswap.org). The operators posed as “Uniswap V3: Positions NFT,” deceiving victims into approving transactions that compromised their wallets.

A detailed description of how the scammers spoofed the sender’s address can be found in blockchain expert Harry Denley’s blog. Additionally, security specialists at Check Point conducted an in-depth technical analysis of the attack.

The essence of the attack was this: users who landed on the malicious site, where they were invited to exchange the LP token received via the airdrop for UNI tokens, and clicked the “Click here to claim” button believed they were about to receive a reward. In reality, they were granting the attackers full access to their assets.
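An approval of this kind can be recognised in a transaction's input data before it is signed. The following is an added example, not code from the article or from Uniswap: it assumes the grant used one of the standard ERC-20/ERC-721 approval calls (the article does not name the function), and the addresses and the `classify_calldata` helper are constructed for illustration.

```python
# Added example: pre-signing check on transaction calldata (not from the article).
# Selectors are the standard ERC-20 / ERC-721 approval functions.
APPROVE = "095ea7b3"               # approve(address spender, uint256 amount)
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address operator, bool approved)
MAX_UINT256 = 2**256 - 1


def classify_calldata(data_hex, trusted_spenders=()):
    """Return (verdict, detail); verdict is block, review, revoke, other or malformed."""
    text = data_hex.lower()
    text = text[2:] if text.startswith("0x") else text
    try:
        raw = bytes.fromhex(text)
    except ValueError:
        return ("malformed", "input data is not hex")
    selector, args = raw[:4].hex(), raw[4:]
    if selector not in (APPROVE, SET_APPROVAL_FOR_ALL):
        return ("other", "not an approval call")
    if len(args) != 64 or any(args[:12]):
        return ("malformed", "expected a padded address plus one 32-byte word")
    spender = "0x" + args[12:32].hex()
    value = int.from_bytes(args[32:], "big")
    if value == 0:
        return ("revoke", f"removes {spender}'s access")
    if selector == SET_APPROVAL_FOR_ALL:
        blanket, scope = True, "every token of this contract, now and in future"
    else:
        blanket = value == MAX_UINT256
        scope = "an unlimited amount" if blanket else f"up to {value} base units"
    trusted = spender in {s.lower() for s in trusted_spenders}
    verdict = "block" if blanket and not trusted else "review"
    return (verdict, f"lets {spender} move {scope}")


def encode_call(selector, address, value):
    """Build calldata for the constructed samples below."""
    return "0x" + selector + address[2:].lower().rjust(64, "0") + format(value, "064x")


# Constructed sample data: placeholder addresses, not taken from the incident.
KNOWN_ROUTER = "0x" + "11" * 20
UNKNOWN_OPERATOR = "0x" + "ee" * 20
SAMPLES = {
    "blanket operator grant": encode_call(SET_APPROVAL_FOR_ALL, UNKNOWN_OPERATOR, 1),
    "unlimited to unknown": encode_call(APPROVE, UNKNOWN_OPERATOR, MAX_UINT256),
    "bounded to known": encode_call(APPROVE, KNOWN_ROUTER, 5 * 10**18),
    "revocation": encode_call(SET_APPROVAL_FOR_ALL, UNKNOWN_OPERATOR, 0),
    "plain transfer": encode_call("a9059cbb", KNOWN_ROUTER, 1),
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(label, classify_calldata(data, trusted_spenders=[KNOWN_ROUTER]))
```

A "block" verdict means the call hands an address outside the trusted list standing control over tokens, which is what a wallet prompt should spell out in plain words before the user confirms.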

Precautions for Airdrop Recipients

As mentioned above, the scammers managed to steal about $8 million in cryptocurrency in total. Experts now remind users to carefully verify everything when receiving an airdrop, starting with the website’s domain name and the source of the airdrop, as well as the official website and social media of the platform, to ensure the giveaway is legitimate.
