
Ethereum Permit Scams: An Analysis of a $440,000 Heist and the Growing Threat of Phishing Attacks


Escalating Risks of Cryptocurrency Scams

A recent incident involving a hacker has highlighted the escalating risks associated with cryptocurrency scams, particularly those exploiting the Ethereum blockchain’s permit function. The malicious actor absconded with over $440,000 worth of USDC after the wallet owner inadvertently approved a deceptive “permit” signature, as reported in a tweet by Scam Sniffer on Monday.

Rising Financial Losses

This theft is part of a broader trend of increasing phishing-related financial losses. Between October and November, Scam Sniffer documented a staggering rise in losses, with approximately $7.77 million siphoned from over 6,000 victims, marking a 137% escalation despite a 42% decrease in the number of individuals affected.

Mechanics of Permit-Based Scams

Scam Sniffer indicated that what they term “whale hunting” has significantly ramped up, with some scams netting as much as $1.22 million. These permit-based scams manipulate users into authorizing transactions that appear legitimate while, in reality, they grant malicious actors the ability to spend the users’ tokens without their consent. This process often involves deceptive tactics such as altering user interface fields, impersonating trusted contract names, or disguising requests as routine activities.

Understanding the mechanics of these scams is crucial. They leverage the user-friendly permit function of Ethereum, which facilitates easier token management by allowing users to delegate spending rights to verified applications. This feature, intended for convenience, can inadvertently turn into a security loophole when rights are granted to fraudulent entities.

Tara Annison, a product expert at Twinstake, explained that attackers can swiftly execute token transfers in one go or, alternatively, grant themselves access through the permit and wait for an opportune moment to siphon off any new funds added to the wallet. “These scams thrive on users not realizing the extent of the permissions they are granting,” Annison noted, emphasizing the psychological aspect of the fraud that preys on users’ naivety and eagerness.
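As an added illustration that is not part of the article, the check below inspects an EIP-712 permit request of the kind a wallet presents for signature and flags the warning signs described above: a spender the user does not recognise, an unlimited value, and a deadline far in the future. The EIP-2612 Permit field names (owner, spender, value, nonce, deadline) are real; the allowlist, addresses and sample request are constructed placeholders.

```javascript
// Added example (not from the article): audit an EIP-712 "Permit" request
// before signing. Field names follow the EIP-2612 Permit struct; the
// allowlist and the sample request below are constructed for illustration.

const MAX_UINT256 = (1n << 256n) - 1n;

// Hypothetical allowlist of spender contracts the user actually intends to authorise.
const KNOWN_SPENDERS = new Set([
  "0x1111111111111111111111111111111111111111", // placeholder: a router the user uses
]);

// Returns a list of warnings for a typed-data request; an empty list means nothing was flagged.
function auditPermit(typedData, knownSpenders = KNOWN_SPENDERS, now = Date.now() / 1000) {
  const warnings = [];
  if (typedData.primaryType !== "Permit") {
    warnings.push(`primaryType is "${typedData.primaryType}", not "Permit"`);
    return warnings;
  }
  const m = typedData.message || {};
  const spender = String(m.spender || "").toLowerCase();
  const value = BigInt(m.value ?? 0);
  const deadline = Number(m.deadline ?? 0);
  if (!knownSpenders.has(spender)) warnings.push(`spender ${spender} is not a known contract`);
  if (value === MAX_UINT256) warnings.push("value is unlimited (2^256-1)");
  if (deadline > now + 365 * 24 * 3600) warnings.push("deadline is more than a year away");
  if (!typedData.domain || !typedData.domain.verifyingContract) warnings.push("domain has no verifyingContract");
  return warnings;
}

// Constructed sample: a request that grants an unknown spender an unlimited allowance with no practical expiry.
const SAMPLE_REQUEST = {
  domain: { name: "USD Coin", version: "2", chainId: 1, verifyingContract: "0x2222222222222222222222222222222222222222" },
  primaryType: "Permit",
  message: {
    owner: "0x3333333333333333333333333333333333333333",
    spender: "0x4444444444444444444444444444444444444444",
    value: MAX_UINT256.toString(),
    nonce: 0,
    deadline: "99999999999",
  },
};

console.log(auditPermit(SAMPLE_REQUEST));
```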

Common Tactics and User Awareness

This episode is just one of many in which individuals are misled into approving transactions they do not fully comprehend. A prevalent tactic involves manipulating users with offers of free incentives, fake project pages, or bogus security alerts aimed at urging them to connect their wallets.

In response to this surge in attacks, various wallet providers have introduced more robust protective measures. For instance, MetaMask has begun alerting users to potentially suspicious sites and presenting transaction data in plainer terms. Nevertheless, with scammers continuously evolving their strategies, ongoing vigilance from users remains essential.

Harry Donnelly, CEO of Circuit, commented on the prevalence of permit-based scams, advising users to carefully verify sender addresses and contract information. “Discrepancies between the protocol and the intended transaction are often clear indicators of an attempted theft,” he remarked. Annison further underscored the importance of users actively understanding what they are signing. The tools to aid comprehension have improved, but users must still take care not to blindly authorize transactions.

Challenges in Recovery

Once funds are lost to these scams, recovery is nearly impossible. Martin Derka, co-founder of Zircuit Finance, expressed somber views on reclaiming stolen assets, describing the likelihood as “practically zero.” He elaborated that individuals behind such phishing schemes have no intention of negotiation or communication, effectively vanishing with the funds.

“It’s a numbers game for these attackers,” Derka said, emphasizing the bleak reality that once the cryptocurrency is gone, it is unlikely to be recovered.
