In a particularly sophisticated phishing attack, Uniswap users were robbed of $8 million in cryptocurrencies. The users thought they were getting an airdrop.
Phishing: Uniswap users take the bait
The attack was described by Harry Denley, an analyst at MetaMask, who explains how the phishing took place and how Uniswap users were fooled. A “malicious token” was allegedly sent to liquidity providers (LPs) with the promise of an airdrop.
Several techniques were used to make this fake airdrop appear legitimate. First, the attackers were able to get the transfer indexed by block explorers such as Etherscan so that it appeared to come from a legitimate contract.
The malicious token's name pointed to the uniswaplp.com domain name, a site which itself mimicked the appearance of regular Uniswap communications. The funds were then stolen through this secondary site. In total, more than $8 million in ETH was reportedly sent to the Tornado Cash mixer to be laundered.
Changpeng Zhao sounds the alarm
Several people have reacted to this massive attack, including Binance's Changpeng Zhao. A little too quickly? The CEO of Binance announced that his teams had “detected a potential attack on Uniswap V3, on the ETH blockchain”. Then he said that it was only a phishing attack, but a very effective one.
The takeaway from this case is that we must always be extremely careful, even when the site seems legitimate. We can’t repeat it enough: clicking on unknown links is not a good idea, and using “cold” wallets is the best way to protect your cryptocurrencies.