Someone lost (yet another) millions of dollars worth of funds to a phishing attack while using decentralized finance (DeFi). This is a common mistake among users, affecting even investors with advanced knowledge if using cryptocurrencies that facilitate these attacks.
In this most recent event, the Ethereum address ‘0xAA1582084c4f588eF9BE86F5eA1a919F86A3eE57‘ lost 12,083.6 spEWTH, worth $32.33 million. Ethereum’s blockchain registered the transaction to two addresses labeled “Fake Phishing” on September 28 at 6:15 a.m. UTC.
Finbold consulted the Arkham Intelligence database, which suggests the address belongs to Shixing Mao, also known as DiscusFish on X. Right now, it still holds $8.25 million worth of tokens, of which $2.85 million are in DAI stablecoin.
Notably, Shixing Mao is an experienced crypto executive and co-founder of F2Pool and Cobo. If this address truly belongs to Mao, it is yet another cautionary tale about how even experts can fall victim to such attacks – urging the need to find universal solutions to avoid similar events.
1 in 7 crypto investors were victims of Phishing
A survey from WalletConnect shows that nearly one in every seven cryptocurrency users has fallen victim to a Phishing attack. According to WalletConnect, 14.4% of respondents said, “Yes, I have lost crypto due to a phishing attack or scam.”
Accounts on X have reported some of the big numbers crypto investors lost while interacting with malicious contracts or addresses. A recent example involves Scam Sniffer‘s report on July 23 of a $4.69 million loss of Pendle (PENDLE) re-staking tokens.
Also, the $55 million DAI loss to a phishing attack Lookonchain reported on August 21, urging users to double-check transactions.
A whale lost 55.47M $DAI in a phishing attack!
— Lookonchain (@lookonchain) August 21, 2024
How did it happen?👇
The whale carelessly signed an unknown transaction 13 hours ago, setting the owner of his 55.47M $DAI in Maker to the phishing address"0x0000db5c…41e70000".https://t.co/jpIz4pD043
When he later tried to… pic.twitter.com/qOkkcbYp4q
On Finbold, we have reported plenty of these cases. Namely related to the TON ecosystem, Tether freezing suspicious activity, and the attacker who returned stolen wBTC.
Yet, these are only part of a broader issue that costs users worldwide millions of dollars. Surprisingly, newer but less popular technologies and crypto protocols are already partially mitigating this issue.
How to avoid phishing attacks and wallet drains on DeFi?
Essentially, most of these attacks are due to human error, exploited in different ways. For example, connecting a wallet to a malicious application or signing a malicious permission or transaction.
The most natural way to avoid falling victim to a phishing attack or wallet drain is to double-check websites and understand what you are signing up for, literally. For that, users can prioritize wallets and protocols with easily readable transaction signing, disclosing the action in detail.
However, more advanced technologies have already developed built-in solutions for crypto protocols that help prevent human errors, focusing on security.
Native assets prevent phishing and wallet drains
Popular blockchains like Ethereum (ETH), BNB Chain (BNB), Solana (SOL), Tron (TRX), Avalanche (AVAX), Algorand (ALGO), and Near (NEAR) all use a model where tokens work differently from their native assets, functioning through smart contract calls that require a previous special permission to move the funds.
Dave, also known as DBCrypto, commented about this model with Finbold.
“The smart contract-based token model found on Ethereum, L2’s, and EVM chains is not only inefficient but also insecure, delaying Web3 adoption.”
– Dave (DBCrypto)
4/ These “tokens” are just pieces of data in a smart contract that have a hash saying you have claim to them
— DBCrypto⚡️ (@DBCrypt0) December 7, 2023
But they aren’t in your possession or in your wallet
Let’s look at an example…
Have you ever wondered why all your #ETH NFTs don’t show in your wallet sometimes?
On the other hand, chains like Cardano (ADA), Sui (SUI), MultiversX (EGLD), and Radix (XRD) use a native-asset token model. In this model, all tokens behave as native assets within the protocol, not requiring database permissions that can be exploited. Users need to sign every transaction to move tokens in their ownership, creating another layer of security.
Interestingly, users can now benefit as developers take a more careful look toward security concerns, phishing attacks, and token models. At one point, investors will inevitably need to choose whether they accept the old standards or migrate to the newer ones in the competitive and innovative free market that is crypto.