We still need to raise awareness of safety precautions.
This article is based on posts by Arrow founder thomasg.eth on his personal social media account, compiled and translated by BlockBeats as follows:
Note: because there is more than 100 million US dollars of ETH in the ENS wallet, thomasg.eth was targeted by fraud gangs and was almost defrauded of all his personal assets.
Over the past two weeks, I have been targeted by an advanced scam gang that has cost me almost all of my ETH. I was very fortunate to have escaped this disaster unscathed, so I wanted to share with you what happened.
I’m the founder of Arrow (BlockBeats note: a DAO dedicated to building an open source air taxi platform). We’re still in the early stages and focused on developing the team, so we’re open to contributors, and we won’t turn anyone down if they’re willing to help.
Two weeks ago, a user named “heckshine” joined our Discord and started introducing himself. According to him, he is currently working at Ubisoft, providing services in 3D design and animation. The language of the message is a bit odd, but I just blame it on the language barrier.
Heckshine has another friend who is very interested in Arrow. She is working on a Metaverse project, and her brother-in-law is also the vice president of Boeing. Is it good enough?
Over the next few days, heckshine started working on various animation projects for Arrow, including designing an anime hero for the website, making some airplane renderings, etc. We were impressed with his dedication to the project.
At the same time, heckshine also contacted his friend Linh, who was also clearly interested in our project. Heckshine asked me to email her, and from what he told me, Linh seemed to be his Boeing-connected friend.
Linh sent me a very decent email back, telling me about the Metaverse project she was working on, Space Falcon. I’m not actually interested in this project, but I’m not a real NFT player either, so there’s no reason to reject her idea.
Sure enough, she told me about her connections to Boeing and Wisk, and offered some thoughts on Arrow. Linh seems eager to help us forge a potential partnership with Boeing. Also, the tone of her emails was a bit odd, but I still think it was a language barrier.
After moving the conversation to Discord, we started talking more about our respective backgrounds and finally decided to have her as a consultant on the project. I’m excited for her support as she proactively offered guidance and advice to help us with our partnership issues.
Later, she told me more about Space Falcon, and I felt that this NFT project was similar to other “get rich quick” projects. But given her contribution to Arrow, I also have to show some support in return.
Space Falcon uses a Token (aWETH) called Armstrong Wrapped Ether. I am lazy and have no specific research, but its basic logic is that users rent NFTs, and holders get corresponding passive income. I told her that the model sounded great and would love to stay updated. Linh agreed to keep in touch with me, and I moved on to other things.
I privately checked Space Falcon, it seems to be a fairly popular game project on Solana, and I saw Linh’s name on the team page as well.
For the next 10 days, heckshine was active in Discord every day, coming up with some super high-quality renderings. They were not particularly seaworthy, but he was very happy to be able to help, so I thought I could improve these designs with some iterations.
I can’t describe the dedication and sincerity that heckshine has shown throughout the process, and our personal visions are largely aligned, and I’m glad he’s so passionate about what we’re doing.
Until yesterday, things started to get a little weird.
Heckshine and I had been discussing blueprints for our v1 aircraft at the time. He got the parameters for the entire configuration and was ready to start rendering when he woke up in the morning. But Linh suddenly told me that Wisk executives agreed to invite me to their workshop.
It’s ridiculous now, but at the time I had no reason not to believe Linh, we were really touched by what he did for us. We set a specific itinerary, and the Wisk executive sent me a formal invitation via email.
While chatting, Linh started telling me about the staking app they just launched, and proposed to send me the NFT. At this point, I should at least provide them with some experience support, right?
So I asked her to send the NFT to my hot wallet, but she sent it to my main wallet citing the high value of the NFT, which I didn’t think was a big deal at the time.
She sent me some instructions on the staking app, and the website page looks pretty good, too, with three transactions: Approve NFT, Approve aWETH, and Staking. The Approve aWETH step seems a bit odd, but since I don’t have aWETH, no worries.
Next is why I consider myself very lucky: since this is a new project, I decided to transfer the NFT to a new ETH address before staking, just in case it gets used by someone else. The staking process was very smooth, and I also benefited from it.
So I fed back my experience to Linh, who then offered to send me some other NFTs, but wanted me to deposit them into my main account to help their community grow further.
It’s a bit annoying, but I agree. But after I told Linh that she would read through the contract before depositing the NFT into the main account, she started getting aggressive, and that’s when I started to realize that something wasn’t right.
I quickly opened etherscan and looked at the address of the NFT pledged before, but my whole body became cold in an instant…
The aWETH I approved is not Armstrong WETH, but Aave’s Aave WETH. If I complete the approval on my main wallet, I will lose all my ETH…
I blocked both of them right away, and they started deleting their Discord messages after realizing the question was wrong. As a sort of last-ditch attempt, Linh sent me 0.2 ETH to pay the gas fee, asking me to refund their NFT, although I don’t know the logic of that…
Later I dug further into the contracts that approve spending aWETH and discovered a really scary feature. These scammers were able to transfer any amount of aWETH from my account using the function in the image below.
I eventually found their source of funding on etherscan – a Tornado Cash deposit of 100 ETH. These guys are well-funded and super savvy.
I have to assume they hired a 3D design contractor who did most of Heckshine’s work. As far as I know, they also built a custom contract and front end specifically for this scam.
So what happened to SpaceFalcon? As far as I can tell, this is a real project on Solana, but the real project uses spacefalcon.io and the scammers use “.com”. So the “Linh” I’ve been interacting with before may just be the real Linh himself.
Through this, I also summed up some lessons learned:
1. Approving tokens can be very dangerous, and they must be treated with great care. If possible, try to limit approvals.
2. Liars are getting smarter now. The best scam I’ve come across before this is basically “Hi, I’m tech support, please share your private key so we can help.”
3. Always do a good job of checking, no matter how much you trust a project. These guys spent two weeks focusing on specific weaknesses that targeted me, and I almost fell for it.
Although I was very lucky to get through this with minimal damage, be careful everyone!
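An added example, not part of thomasg.eth's thread and not the scammers' contract: a pre-signing check that decodes approval calldata and compares the token contract with what the signing wallet actually holds, which is the mismatch described above (the site's "Armstrong Wrapped Ether" versus Aave WETH). The addresses, balances and the `review_approval` helper are constructed for illustration.

```python
APPROVE = "095ea7b3"               # selector of approve(address,uint256)
SET_APPROVAL_FOR_ALL = "a22cb465"  # selector of setApprovalForAll(address,bool)
UNLIMITED = 2**255                 # at or above this, treat the allowance as unlimited

def decode_approval(calldata):
    """Decode ERC-20 approve / NFT setApprovalForAll calldata, else return None."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    selector, args = data[:8], data[8:]
    if selector not in (APPROVE, SET_APPROVAL_FOR_ALL) or len(args) != 128:
        return None
    return {"selector": selector,
            "spender": "0x" + args[24:64],  # address is the low 20 bytes of word 1
            "value": int(args[64:], 16)}    # amount, or 1/0 for setApprovalForAll

def review_approval(tx, claimed_name, holdings, known_spenders=()):
    """Warnings for a transaction a site asks this wallet to sign.
    holdings maps token contract address -> (name, balance in wei)."""
    call = decode_approval(tx["data"])
    if call is None:
        return []
    warnings = []
    name, balance = holdings.get(tx["to"].lower(), (None, 0))
    if name and name != claimed_name:
        warnings.append(f"token is {name}, site calls it {claimed_name}")
    if call["selector"] == APPROVE and balance > 0:
        reach = min(call["value"], balance)
        warnings.append(f"spender could transfer {reach} wei from this wallet")
    if call["spender"] not in known_spenders:
        warnings.append(f"unrecognized spender {call['spender']}")
    if call["selector"] == APPROVE and call["value"] >= UNLIMITED:
        warnings.append("allowance is effectively unlimited")
    if call["selector"] == SET_APPROVAL_FOR_ALL and call["value"] == 1:
        warnings.append("operator gets control of every NFT in this collection")
    return warnings

# Constructed sample data: placeholder addresses, not the real contracts.
TOKEN = "0x" + "aa" * 20
SPENDER = "0x" + "bb" * 20
TX = {"to": TOKEN, "data": "0x" + APPROVE + SPENDER[2:].rjust(64, "0") + "f" * 64}
FRESH_WALLET = {}                                  # holds none of the token
MAIN_WALLET = {TOKEN: ("Aave WETH", 5 * 10**18)}   # holds the real asset

def demo():
    claimed = "Armstrong Wrapped Ether"
    return (review_approval(TX, claimed, FRESH_WALLET),
            review_approval(TX, claimed, MAIN_WALLET))

if __name__ == "__main__":
    for wallet_warnings in demo():
        print(wallet_warnings)
```

The same transaction produces two warnings from the empty wallet and four from the wallet that holds the token, which is why signing from a fresh address limited the damage.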
Posted by: CoinYuppie. Reprinted with attribution to: https://coinyuppie.com/i-gasped-after-reading-it-how-i-almost-got-scammed-out-of-100-million/