‘Haunts me to this day’ — Crypto project hacked for $4M in a hotel lobby
The co-founder of the Web3 metaverse game engine “Webaverse” revealed that they were the victims of a $4 million cryptocurrency hack after meeting scammers posing as investors in a hotel lobby in Rome.
The odd aspect of this story, according to co-founder Ahad Shams, is that the cryptocurrency was stolen from a newly created Trust Wallet and that the hack happened during a meeting at some point.
He claims that the thieves couldn’t see the private key and it wasn’t connected to a public Wi-Fi network at the time.
Shams believes that the thieves were somehow able to gain access by photographing the balance of the wallet.
The letter that was general The Feb. 7 tweet contains statements from Webaverse and Shams explaining that they dated a man named “Mr. Black.” Safra on November 26 after several weeks of potential funding discussions.
“We contacted ‘Mr. Safra via email and video calls, and he explained that he wanted to invest in interesting Web3 companies,” Shams explained.
“He explained that he had been scammed by people in crypto before, so he collected our IDs for KYC and made it a requirement that we fly to Rome to meet him because it was important to meet in real life to ‘get comfortable’ with those with whom we each did business,” he added.
full story https://t.co/vdkAHyBaG9
— 0xngmi (aggregate or arc) (@0xngmi) February 6, 2023
Initially skeptical, Shams agreed to meet with “Mr. Safra” and his “banker” in person in the lobby of a hotel in Rome, where Shams had to show the “proof of funds” of the project, which “Mr. Safra” stated that he needed to start “paperwork”.
“While we reluctantly agreed to Trust Wallet ‘proof’, we created a new Trust Wallet account at home using a device we didn’t primarily use to interact with them. We thought that without our private keys or seed phrases, the funds would be safe anyway,” Shams said.
“When we met, we sat across from these three men and transferred $4 million into the Trust wallet. “Mr. Safra” asked to see the balance in the Trust Wallet app and took out his phone to “take some pictures”.
Shams explained that he thought everything was fine because no private keys or seed phrases were revealed to “Mr.” Safra.
But one day “Mr. Safra left the conference room to ostensibly consult with his bank colleagues, but never returned. Shams then saw the money being pumped out.
“We didn’t see him again. A few minutes later, the funds left the wallet.”
Almost immediately afterward, Shams reported the theft to the local police station in Rome and filed an Internet Crime Complaint Form (IC3) with the US Federal Bureau of Investigation a few days later.
Shams said he still has no idea how “Mr. Safra” and his fraudulent team accomplished the feat:
“An interim update of the current investigations is that we still cannot establish the attack vector with certainty. Investigators have reviewed the evidence and conducted lengthy interviews with relevant individuals, but they need more technical information to come to firm conclusions.”
“In particular, we need more information from Trust Wallet about the activity on the wallet that was leaked in order to reach a technical conclusion, and we are actively pursuing them for their records. This will probably give us a better idea of how it happened,” he added.
Cryptooshala reached out to Trust Wallet CEO Eowyn Chen, who said after interacting with her investigative team, “we have high confidence that the theft case was not caused by Trust Wallet, but likely by organized crime.”
Sad to hear about the Webaverse theft case. After interacting with the investigation teams, we are confident that the theft case was NOT called @TrustWallet application, but most likely organized crime. Unfortunately, in Europe, especially in Rome, there have been several over-the-counter scams. https://t.co/KbIPjz01uB
— Eowync.eth (@EowynChen) February 6, 2023
Just get phishing scammers out of your way
The Webaverse co-founder believes the exploit was carried out in a similar fashion to the NFT scam story shared by NFT entrepreneur Jacob Riglin on July 21, 2021.
There, Riglin explained that he met with potential business partners in Barcelona, argued that he had enough funds on the laptop, and then within 30-40 minutes the funds were debited.
Full history of NFT fraud;
After responding to my previous tweets about the $90,000 scam I was involved in, I wanted to share more details about it to warn others that they may be victims of it.
Philippe Maloof from Canbury Properties Limited contacted me. He said that he has
— Jacob (@jacobriglin) July 21, 2021
Shams since then general an Ethereum-based transaction that used his trust wallet, noting that the funds were quickly “divided into six transactions and sent to six new addresses, none of which were previously used.”
US$4 million worth of US dollars was then almost entirely converted into Ether (ETH) packaged in Bitcoin (wBTC) and Tether (USDT) via the 1inch swap feature.
Shams admitted that “this event haunts me to this day” and that the $4 million exploit is “undoubtedly a setback” for Webaverse.
However, he emphasized that the $4 million exploit and pending investigation would not affect the firm’s short-term commitments and plans:
“Based on our current forecasts, we have a sufficient runway for 12 to 16 months and we are already working on fulfilling our plans.”
Credit : cointelegraph.com