In a shocking cyber-heist, a crypto tycoon kissed goodbye to a jaw-dropping $24 million in staked ether (ETH), all thanks to a meticulously planned phishing attack. The unlucky investor came to grief on Rocket Pool, a liquid staking platform. As the saying goes, the crypto world giveth and taketh away in quick succession.
The notorious hack unfolded over two sizable transactions, with the bandit making off with 9,579 staked ETH (stETH) and 4,851 Rocket Pool ETH (rETH) in a single day. The stolen booty totaled a whopping $15.5 million in stETH and $8.5 million in rETH. Nothing short of a bold, James Bond-caliber operation!
PeckShield, a crypto-security firm on the trail, revealed that the scammer later traded the stolen loot for 13,785 ETH and 1.64 million Dai (DAI). Interestingly, a sizable piece of the DAI pie found its way to FixedFloat, a popular automated crypto exchange platform. Meanwhile, most of the remaining stolen bounty was left sitting in three Ethereum addresses.
According to Scam Sniffer, which tracks crypto scams, the victim unwittingly paved the way for the massive robbery by approving "Increase Allowance" transactions, handing the scammer the golden ticket. Approvals are an integral part of ERC-20 tokens: they authorize a third party to spend tokens from an owner's stash via smart contracts.
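The kind of pre-signing check that catches such an approval, as an added example that is not from the article or from any wallet's code: it decodes ERC-20 `approve` / `increaseAllowance` calldata and reports who would be allowed to spend how much. The sample calldata, spender address and `review` helper are constructed for illustration.

```python
# Added example: decode ERC-20 allowance calldata before signing (not from the article).
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
}
MAX_UINT256 = 2**256 - 1

def decode_allowance_call(calldata_hex):
    """Return function, spender and amount for an allowance call, else None."""
    if calldata_hex.startswith("0x"):
        calldata_hex = calldata_hex[2:]
    data = bytes.fromhex(calldata_hex)
    name = SELECTORS.get(data[:4].hex())
    if name is None:
        return None                      # not an allowance-granting call
    if len(data) != 4 + 32 + 32:
        raise ValueError("malformed allowance calldata")
    spender_word, amount_word = data[4:36], data[36:68]
    if any(spender_word[:12]):           # an address is 20 bytes, left-padded with zeros
        raise ValueError("spender word has non-zero padding")
    return {
        "function": name,
        "spender": "0x" + spender_word[12:].hex(),
        "amount": int.from_bytes(amount_word, "big"),
    }

def review(calldata_hex, holder_balance, known_spenders):
    """List the warnings a wallet could show for this transaction."""
    call = decode_allowance_call(calldata_hex)
    if call is None:
        return []
    warnings = []
    if call["spender"] not in {s.lower() for s in known_spenders}:
        warnings.append("unknown spender")
    if call["amount"] == MAX_UINT256:
        warnings.append("unlimited allowance")
    elif call["amount"] >= holder_balance:
        warnings.append("allowance covers entire balance")
    return warnings

# Constructed sample: increaseAllowance to a made-up spender for 4,851 tokens (18 decimals).
SPENDER = "0x" + "ab" * 20
BALANCE = 4851 * 10**18
SAMPLE = "0x39509351" + "00" * 12 + "ab" * 20 + format(BALANCE, "064x")

if __name__ == "__main__":
    print(decode_allowance_call(SAMPLE))
    print(review(SAMPLE, BALANCE, known_spenders=set()))
```

An allowance stays in force until the owner sets it back to zero, so the same decoding applies when auditing approvals already granted.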
As the crypto world recovers from the shockwaves of this mega-heist, experts are voicing concern over the risks of approving ERC-20 allowances. They caution users against anonymous developers who might deploy malicious smart contracts to con them. The audacious robbery also coincides with some liquid staking providers imposing self-limit rules, vowing not to hold more than 22% of the Ethereum staking market.