July 12, 2022
A phishing attack on users of Uniswap, a decentralized cryptocurrency exchange, has caused millions of dollars in losses.
The incident first came to light on Monday when Binance CEO Changpeng Zhao said his threat intelligence team “detected a potential exploit on Uniswap V3 on the ETH blockchain.”
“The hacker has stolen 4,295 ETH [about $4.6 million] so far, and they are being laundered through Tornado Cash. Can someone notify Uniswap?” said Zhao, whom Bloomberg ranks as the 77th richest person in the world.
Uniswap’s inventor, Hayden Adams, confirmed that it was a phishing attack.
This was a phishing attack that resulted in some LP NFTs being taken from individuals who approved malicious transactions
Totally separate from the protocol
A good reminder to protect yourself from phishing and not click on malicious links https://t.co/aj3Zh8UKqF
A Uniswap Labs spokesperson would not confirm the total losses from the phishing attacks but told The Record that the company “proactively investigated the issue with an external security expert.”
“This did not take place on our platform, so to prevent users from interacting with other malicious platforms we included safety guidance in our public statements,” the spokesperson said.
Zhao later said he spoke with Uniswap officials and verified with them that it was not an exploit causing the theft but a wide-ranging phishing attack targeting the platform’s users.
Researchers from blockchain security company SlowMist pegged the losses at 7,500 ETH, worth more than $8 million.
Now it's at 7,500 #ETH.
All were sent to @TornadoCash in transactions of 100 ETH. https://t.co/ciOn6LTu10
Uniswap did not respond to requests for comment but released a statement on Tuesday confirming that the platform was not exploited.
“Yesterday, some Uniswap LPs [Liquidity Providers] unfortunately fell for a phishing scam, a problem far too common in crypto today,” the company said.
5/ Protect yourself from phishing by checking domain names. We operate primarily under the domain https://t.co/ec6enE8aM6. Airdrops that direct you to unofficial domains are likely phishing attempts. We will never airdrop users without notice on multiple official channels.
The company said a phisher had airdropped “malicious” tokens to Uniswap users, directing them to an interface claiming they could swap them for the platform’s currency.
The malicious interface allowed the hackers to steal funds from a user’s wallet.
Harry Denley, a security analyst for cryptocurrency wallet company MetaMask, said 73,399 addresses were sent the tokens.
Phishing attacks have plagued cryptocurrency platforms in recent years. Two weeks ago, NFT giant OpenSea warned of phishing attacks after an employee of its email vendor downloaded and shared email addresses, provided by its users and subscribers to its newsletter, with an “unauthorized external party.”
A recent report from blockchain security company CertiK found that phishing attacks targeting the industry have increased by 170% since last quarter.
Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.