Hackers stole around 7,500 Ether, worth more than $8.1 million (roughly Rs. 64.45 crore), from decentralised exchange Uniswap via a phishing attack. Spotted by several users, including Binance's threat intelligence department, the hacker managed to impersonate Uniswap's website and dupe a liquidity pool provider into signing malicious transactions. Uniswap's liquidity positions on its third iteration are represented as non-fungible tokens (NFTs), which enable users to utilise them as collateral to receive a loan paid out in stablecoins and blue-chip assets.
Binance CEO Changpeng Zhao aka CZ initially tweeted that the platform's threat intelligence team initially found a potential exploit on Uniswap V3 on the ETH blockchain.
Zhao stated in his tweet that the hacker has stolen 4,295 ETH so far, and they are “being laundered through Tornado Cash.” As per crypto tracking and compliance platform MistTrack, the stolen ETH count currently stands at 7,500 worth roughly around $8.1 million (roughly Rs. 64.45 crore).
The Binance CEO later had to correct himself after communicating with the Uniswap team that it was not an exploit on Uniswap, but rather a phishing attack.
“A phishing attack that resulted in some liquidity pool NFTs being taken from individuals who approved malicious transactions,” Uniswap founder Hayden Adams later confirmed in a follow-up tweet. "Totally separate from the protocol. A good reminder to protect yourself from phishing and not click on malicious links."
Prior to Zhao alerting users through his tweet, Metamask security analyst Harry Denley informed that 73,399 addresses have been sent a malicious token to target their assets.
The event data on the blockchain was altered by the scammers to make it seem as though Uniswap was airdropping tokens to platform liquidity providers.
When users connected their wallets to the contract's website, which resembles Uniswap, native tokens (ETH), ERC20 tokens, and NFTs (namely Uniswap LP positions) were snatched from their wallets.
Affiliate links may be automatically generated - see our ethics statement for details.