[HN Gopher] Social engineering scam that nearly cost me all of m...
___________________________________________________________________
Social engineering scam that nearly cost me all of my ETH
Author : floetic
Score : 281 points
Date : 2022-02-13 16:12 UTC (6 hours ago)
(HTM) web link (twitter.com)
(TXT) w3m dump (twitter.com)
| tasha0663 wrote:
| > a DAO working to build open-source VTOL aircraft and air taxi
| protocol
|
| The most reasonable conclusion is that the hacker was sent from
| the future to try to avert the creation of DAO-controlled flying
| cryptodrones.
| alienalp wrote:
| If you don't remember which smart contracts you have given
| permissions for which coins, you can check from debank. And you can
| also cancel them one by one. It is not possible for humans to use
| ethereum without interacting with a proxy. Front ends can always be
| compromised. When interacting with smart contracts, approving
| spending is the most important interaction to be careful about.
| pluc wrote:
| Don't do it if you don't understand what you're doing.
| contravariant wrote:
| I'm not entirely convinced this isn't just the same as 'don't
| do it'.
| pluc wrote:
| When it comes to crypto, 95% of the projects are by people
| who do not understand it themselves and were sold on it by
| someone whose sole purpose is to broaden crypto's financial
| reach and who worked tirelessly to make sure it's
| obscure/redundant enough that you don't understand it unless
| you're a developer attempting to implement it or seriously
| skilled at due diligence. They ran their whitepaper through
| their advisors to ensure it was clear yet didn't give
| anything away in terms of how it worked or how the authors
| get their kickbacks.
| axiosgunnar wrote:
| Some friends and acquaintances keep bugging me that I should get
| into crypto... but I would be too scared of losing it all in one
| day, be it to a scam, sending to a non-existent address, losing
| my hardware wallet etc.
|
| Tbh I would feel safer having 10k in cash (at home at least) than
| in crypto. At least the attack vectors (fire, burglary) are known
| and tangible.
|
| Imagine founding a startup, working your ass off living off ramen
| for a few years, every day worrying that it all might be for
| naught, and then through a combination of skill, determination
| and luck you do make it and your startup is worth a few
| millions... and then suddenly you make a small mistake and lose
| all your shares!
|
| This is how crypto feels to me.
|
| Maybe I am just not made for crypto.
| pepesza wrote:
| Financial privacy is a must-have, not a nice-to-have feature.
| Financial privacy does not prevent one from being able to pay
| taxes. But it definitely prevents this type of attack.
| fortran77 wrote:
| And this is going to replace money?
| threeseed wrote:
| More replacing traditional money laundering and fraud.
| kelp wrote:
| This was an absolutely fascinating and chilling story.
|
| The thing that struck me about it is the scam didn't work for a
| few reasons:
|
| 1. He typically had a practice of not using his main wallet for
| things like this.
|
| 2. He got wary and actually read the smart contracts.
|
| This is a level of technical competence required that's going to
| mean most people have to offload this to a trusted intermediary.
| And then what's the point of all the decentralization ideology?
| Because we just re-invented banks.
| charcircuit wrote:
| >And then what's the point of all the decentralization
| ideology? Because we just re-invented banks.
|
| There's nothing wrong with centralized services built on a
| decentralized network. Take a look at the web. Sure you can use
| a centralized service like facebook to make a facebook page,
| but if you want you can host your own website.
| cdata wrote:
| Sorry, but that's exactly what is wrong with the web, and
| what we strive to "fix" about it when we build decentralized
| alternatives to centralized infrastructure.
|
| It is a systemic failure that most users must "fail over" to
| a centralized service to publish on the web.
|
| The conceptual improvement enabled by blockchain is that the
| data layer is a neutral plane and this theoretically gives
| users portability. But, to say that centralization is fine
| because it has happened on the web and that was also fine is
| rationalizing a bad thing as good actually.
| Barrin92 wrote:
| no it's not a bad thing at all. it's not a systemic
| failure, it's division of labor and people need to stop
| being willfully ignorant of economics. Lawyers are good at
| reading contracts, Facebook is good at running servers.
| Medium is good at publishing your things and getting you ad
| revenue.
|
| sending http and json over the internet is just as neutral
| of a technology as the blockchain. the reason people build
| centralized services on top of it is that we're
| collectively better off by specializing.
|
| As a writer you're better off writing your content full-
| time than running a server, becoming a smart contract
| expert, casual coder and server administrator. no
| technology on earth is going to change that fact and it's
| why people buy their bitcoin on coinbase and their nfts on
| opensea.
| cdata wrote:
| No-one is better off concentrating power in a centralized
| authority with the scale and (lack of) accountability of
| Facebook.
|
| Specialization doesn't come into it, although it is worth
| observing: your comment presupposes that in order to
| benefit from specialization, one must subject themself to
| exploitation.
| tylersmith wrote:
| The purpose of decentralization is solely censorship
| resistance. It has nothing to do with consumer protections,
| consumer education, or easier to check software.
| elil17 wrote:
| What exactly is censored when you use paper currency?
| randomhodler84 wrote:
| The amount. A real example is CNY, which is limited to 100
| yuan notes, deliberately to make it hard to move large
| sums.
|
| 1000 USD bills exist but are very rare. 1000 euro note
| exists but I think that's on the way out.
|
| Your point that cash is censorship resistant is good, yes
| and we need to make sure it remains, however the physical
| limitations are de facto censorship.
| logifail wrote:
| > 1000 euro note exists but I think that's on the way out
|
| EUR500 was the largest, but as of April 2019 is no longer
| being issued.
|
| https://www.ecb.europa.eu/euro/banknotes/html/index.en.html
| randomhodler84 wrote:
| My mistake. That's the one I was referring to, the 500,
| being phased out. Thanks
| tylersmith wrote:
| Cash has pretty decent censorship resistance. It's when
| going digital that it gets difficult because you either
| need a centralized clearinghouse to prevent double spends
| (Visa, PayPal, etc) or a BFT consensus algorithm
| ("cryptocurrency").
|
| In fact when discussing both privacy and censorship
| resistance I often cite cash as a target goal.
| dehrmann wrote:
| Censorship and consumer protections go together since they're
| both roles regulators play.
| tylersmith wrote:
| Decentralization can't provide consumer protections
| regardless of what regulators do. The one thing it can do
| is resist censorship and things indistinguishable from
| censorship, like software failure.
| ajross wrote:
| I still fail to understand how the smart contract metaphor of
| "here is some obfuscated code from a third party, please give it
| access to all your money, kthx" has managed to survive at all. I
| mean, really, no one saw this coming?
|
| It's just the Trust Problem all over again. Decentralized
| reliance on automatic software still requires trust that the
| authors of the software won't scam you. It all comes down to
| trust. And I trust banks, mostly. Who in their right mind trusts
| contracts someone sends you on Discord? And yet...
| PretzelPirate wrote:
| > Who in their right mind trusts contracts someone sends you on
| Discord?
|
| No one.
|
| > It's just the Trust Problem all over again. Decentralized
| reliance on automatic software still requires trust that the
| authors of the software won't scam you. It all comes down to
| trust.
|
| It does, but you get to decide who you trust rather than being
| forced to trust one of a small number of large institutions. If
| you want, you can delegate your trust to a third party who will
| be responsible for vetting anything you interact with.
|
| You can also choose to trust yourself or other members of your
| community.
|
| This person shouldn't trust themselves since they are too
| willing to go along with people who say positive things about
| them.
| ajross wrote:
| > but you get to decide who you trust
|
| And if you trust the wrong people? Per the linked twitter
| thread, the author trusted the scammers! They only avoided
| the scam _because they were competent to read the contract
| code for themselves_. Is that the standard you want applied
| to all transactions? Does that seem likely to lead to good
| outcomes?
| muh_gradle wrote:
| > Who in their right mind trusts contracts someone sends you on
| Discord?
|
| Exactly. That's where the gullibility is really visible... This
| is basically a steroid version of "I am Nigerian royalty and I
| need you to give me money" emails. Your first instinct should
| always be skepticism.
| kevinventullo wrote:
| Totally agree. I heard recently discussion of putting deeds to
| homes on the blockchain, but having recently purchased my first
| home, I am 1000% okay with the paperwork and oversight and
| honestly _friction_ that goes into it. The amount of regulation
| seems to make it very difficult to get totally ripped off,
| which is great since so much of the process was so opaque to
| me.
| chrisco255 wrote:
| I don't trust them. Just last week, GoFundMe rugged a bunch of
| funds sent for a legitimate political protest. They can snap
| their fingers and freeze your funds and hold it indefinitely,
| without a warrant.
|
| I admit that the Approval UX for wallets and tokens needs to be
| improved. Unlimited spend approvals should always be flagged in
| the UX. And approvals should be atomic (single transaction
| only, with a clearly listed cap, by default). There are some
| EIP proposals addressing this, but they will be a ways off from
| standardization.
| leshow wrote:
| > Just last week, GoFundMe rugged a bunch of funds sent for a
| legitimate political protest.
|
| The protest is illegally blocking much of downtown Ottawa, as
| a result GoFundMe decided to refund the donors. That's far
| from a "rug"
| matkoniecz wrote:
| Note that GoFundMe decision to refund is a change from its
| previous one that happened only after outcry.
| muh_gradle wrote:
| I don't understand why in the world Thomas wouldn't directly
| communicate via phone and video chat to any of these people first
| before doing serious business and potentially traveling across
| the country for random anonymous folks on Discord.
|
| Social engineering is so much easier when you engage in faceless,
| voiceless communication. This could've been shut down so much
| more easily if they put a real human being to match the messages.
| When things actually matter, I need more than just a Discord
| avatar and a handle to identify someone.
| kenjackson wrote:
| How would that help? Are you thinking it might be easier to
| prosecute with a voice or image file?
| brightstep wrote:
| It's way easier to lie via text. There are verbal and facial
| cues that make it much harder to maintain a convincing lie.
| e_y_ wrote:
| Scammers have plenty of time to practice compared to the
| average person, and the face to face nature can make people
| more susceptible due to a false sense of trust / thinking
| that they can judge character over video.
|
| OTOH it'll probably be harder for non-native English
| speakers to pull off a phone/video call considering that a
| lot of amateur scammers have telltale bad grammar even over
| text
| muh_gradle wrote:
| It's an extremely basic check. If I'm going to be getting on
| a plane to see someone, I want to do a basic background
| check.
| kenjackson wrote:
| But what are you checking with a call? That just seems like
| creating a false sense of security since there is virtually
| no additional "useful" information that is being sent over
| the audio channel above and beyond what is in text.
| muh_gradle wrote:
| I'm checking to see if this Linh Nguyen that some random
| Discord user referenced me is the Linh in front of me on
| Zoom. A phone call isn't ideal, but it's still better
| than nothing. At the very least, there's one more
| identifying factor though that may help with spotting any
| scams, but yes, it can be false sense of security if you
| rely purely on it.
|
| If I'm John Doe and I made some merge requests to your
| open source project for a couple of weeks, is that alone
| really enough to potentially meet me in some city far
| from yours? That's essentially what the author was
| prepared to do.
| Nextgrid wrote:
| A deepfake requires significantly more effort than just
| impersonating someone over text.
| Nextgrid wrote:
| "Discord" by itself is a pretty big red flag to be honest. I
| would personally not engage in any business or industry where
| that is the main communications platform.
| judge2020 wrote:
| Tons of business happens on WeChat and that's the 99%
| marketshare in some countries.
| Kiro wrote:
| Billion dollar deals are negotiated on Discord all the time.
| FabioFleitas wrote:
| That sounds really surprising to me. Have any references to
| share?
| chrisco255 wrote:
| This was a multi-week long social engineering scam targeted at
| Thomas. Thomas has a Discord for a drone transportation startup,
| and the scammers proceeded to embed themselves in the community
| and provide valuable labor such as web design and graphics design
| in order to earn his trust.
|
| Thomas's wallet is public and advertised on Twitter via his ENS
| domain. He had $100M+ in aETH, a derivative token provided by
| Aave when you lend out your assets for interest. The aETH is
| redeemable for the underlying asset.
|
| The scammers created a fake NFT project associated with space and
| drones, and proceeded to give Thomas a free one, but asked that
| he stake it (or deposit it into a smart contract), to earn yield
| in the form of Armstrong ETH, a token they made up that had the
| same acronym as Aave's (aETH).
|
| The catch was that when he went to stake his NFT, they asked for
| an approval for spending aETH from his wallet. Approvals such as
| this are normal when interacting with smart contracts, since the
| contract has to be "delegated" responsibility over the tokens in
| order to move them. However, what wasn't normal is that the
| approval was actually for Aave ETH.
|
| If he had only looked at the front end of the scam site, it
| wasn't obvious what was going on. However, a quick glance at
| Etherscan revealed that he had signed off on an unlimited spend
| approval for Aave ETH.
|
| Luckily, he had done so on a fresh wallet and not his main wallet
| that has $100M in aETH. When the scammers tried to get him to
| stake a second NFT from his main account, he got suspicious and
| discovered the truth.
|
| This scam was specifically targeted at Thomas, and orchestrated
| over multiple weeks, for the specific assets in his primary
| wallet.
|
| Couple takeaways:
|
| - divide your assets across multiple wallets. New wallets are
| free. Don't put all your eggs in one basket.
|
| - use a hardware wallet or an audited battle tested smart
| contract such as Gnosis Safe for storing significant sums of
| money.
|
| - always verify your transactions
|
| - avoid associating your public identity with your main wallet /
| vault address
|
| - be careful, scammers are getting more creative and advanced in
| technique including standing up professional front end websites
| to give the appearance of legitimacy
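The approval mechanics described in this thread (alienalp's point about checking and revoking token approvals, and chrisco255's points that unlimited approvals should be flagged in the wallet UX and that the malicious calldata was an unlimited approve() on the wrong token) can be shown in code. The following is an added example written for this page, not code from the thread, from Aave, or from any wallet or revoke tool. It decodes an ERC-20 `approve(address,uint256)` call from the raw calldata (the only authoritative source, since the front end can claim anything), flags an unlimited allowance or a token that differs from what the site claimed, replays `Approval` event logs to list the live allowances an address still has outstanding, and builds the `approve(spender, 0)` calldata that revokes one. The selector and event topic are the standard ERC-20 keccak256 values; every address, transaction and log below is a constructed placeholder.

```python
# Added example for this thread (not code from the thread, Aave, or any wallet):
# decode an ERC-20 approve() before signing it, and list live allowances from
# Approval logs so they can be revoked. Addresses and logs are placeholders.
from dataclasses import dataclass

APPROVE_SELECTOR = "095ea7b3"  # keccak256("approve(address,uint256)")[:4]
APPROVAL_TOPIC = "8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"  # keccak256("Approval(address,address,uint256)")
UINT256_MAX = 2**256 - 1
EFFECTIVELY_UNLIMITED = 2**128  # no real balance is this large; treat as unlimited


def _strip(h):
    return h[2:] if h.startswith("0x") else h


def _word(h, i):
    """i-th 32-byte ABI word of hex string h, as int."""
    return int(_strip(h)[64 * i:64 * (i + 1)], 16)


def _addr(h, i):
    """i-th 32-byte ABI word of h as a lowercase 0x address (low 20 bytes)."""
    return "0x" + _strip(h)[64 * i + 24:64 * (i + 1)].lower()


@dataclass(frozen=True)
class Allowance:
    token: str    # ERC-20 contract the allowance lives on
    spender: str  # contract allowed to transferFrom() the owner's balance
    amount: int


def decode_approve(tx_to, tx_data):
    """Decode approve(spender, amount) calldata sent to token tx_to, else None."""
    data = _strip(tx_data).lower()
    if data[:8] != APPROVE_SELECTOR or len(data) != 8 + 2 * 64:
        return None
    return Allowance(tx_to.lower(), _addr(data[8:], 0), _word(data[8:], 1))


def audit_approve(tx_to, tx_data, claimed_token=None, cap=None):
    """Warnings to show before signing. claimed_token is what the front end
    says it needs (the calldata is authoritative); cap is what the user intends."""
    ap = decode_approve(tx_to, tx_data)
    if ap is None:
        return ["not an ERC-20 approve() call"]
    warnings = []
    if claimed_token and ap.token != claimed_token.lower():
        warnings.append(f"approval targets token {ap.token}, front end claimed {claimed_token.lower()}")
    if ap.amount >= EFFECTIVELY_UNLIMITED:
        warnings.append(f"unlimited allowance for spender {ap.spender}")
    elif cap is not None and ap.amount > cap:
        warnings.append(f"allowance {ap.amount} exceeds intended cap {cap}")
    return warnings


def outstanding_allowances(owner, logs):
    """Replay Approval(owner, spender, value) logs in chain order (eth_getLogs
    shape: address, topics, data); the last value per (token, spender) is live."""
    owner = owner.lower()
    live = {}
    for log in logs:
        topics = log["topics"]
        if len(topics) != 3 or _strip(topics[0]).lower() != APPROVAL_TOPIC:
            continue
        if _addr(topics[1], 0) != owner:
            continue
        live[(log["address"].lower(), _addr(topics[2], 0))] = _word(log["data"], 0)
    return [Allowance(t, s, v) for (t, s), v in live.items() if v > 0]


def revoke_calldata(spender):
    """Calldata for approve(spender, 0); send it to the token contract itself."""
    return "0x" + APPROVE_SELECTOR + _strip(spender).lower().rjust(64, "0") + "0" * 64


# Constructed scenario: the "staking" site claims it needs NFT_STAKE, but the
# transaction is an unlimited approval on A_ETH. All four addresses are fake.
A_ETH, NFT_STAKE = "0x" + "11" * 20, "0x" + "22" * 20
SCAM_SPENDER, OWNER = "0x" + "33" * 20, "0x" + "44" * 20
MALICIOUS_APPROVE = "0x" + APPROVE_SELECTOR + SCAM_SPENDER[2:].rjust(64, "0") + "f" * 64


def _approval_log(token, owner, spender, value):
    topics = [APPROVAL_TOPIC, owner[2:].rjust(64, "0"), spender[2:].rjust(64, "0")]
    return {"address": token, "topics": ["0x" + t for t in topics], "data": "0x" + format(value, "064x")}


SAMPLE_LOGS = [
    _approval_log(A_ETH, OWNER, SCAM_SPENDER, UINT256_MAX),   # what the victim signed
    _approval_log(NFT_STAKE, OWNER, SCAM_SPENDER, 1000),      # granted, then...
    _approval_log(NFT_STAKE, OWNER, SCAM_SPENDER, 0),         # ...revoked
    _approval_log(A_ETH, "0x" + "55" * 20, SCAM_SPENDER, 7),  # another owner, ignored
]

if __name__ == "__main__":
    for w in audit_approve(A_ETH, MALICIOUS_APPROVE, claimed_token=NFT_STAKE):
        print("WARNING:", w)
    for a in outstanding_allowances(OWNER, SAMPLE_LOGS):
        print("live:", a, "\nrevoke:", revoke_calldata(a.spender))
```

Two design points worth noting. The check keys on the transaction's `to` address and calldata rather than on anything the site displays, because in the scam described above the front end and the calldata disagreed and only the calldata mattered. And an allowance is live until a later `Approval` event for the same (token, spender) pair sets it lower, so a revoke is just another `approve()` with amount zero sent to the token contract, which is what the revoke tools mentioned in the thread submit on your behalf.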
| dom96 wrote:
| For somebody with $100M+ I find it strange how excited Thomas
| got about the prospect of some strangers setting up a meeting
| with some random founders. With that much money would it be
| that difficult for Thomas to set up a meeting with them on his
| own?
| verve_rat wrote:
| He might have the wealth, but he is nouveau riche. He
| probably doesn't have the connections and hasn't experienced
| enough of the rich people world to see what those connections
| look like. He probably (subconsciously) thought this was a
| start of that sort of thing.
| djur wrote:
| Yes, isn't it interesting how people who own crypto valued at
| hundreds of thousands or millions of dollars rarely act like
| people with that much money, get involved in the kind of
| business deals or social engagements that people with that
| much money do, etc.? It's also interesting how many of the
| assets they tend to purchase are themselves part of the
| crypto ecosystem. How many people, given $300k, would go and
| buy exclusive access to an online monkey avatar?
| inopinatus wrote:
| There's a more general takeaway, and it's one every software
| developer discovers for themselves, sooner or later:
|
| - People don't read what's in front of them.
|
| I've seen this emerge in a vast array of fields. No matter how
| much you highlight specific details, for all your efforts in
| red-flagging irreversible actions, folks will often blitz past
| a confirmation dialog or notification message without
| internalising the details or the risks.
|
| Even the brightest minds can be lazy (some might even say it's
| a feature, not a bug) and you can never rely on the opposite.
| You consequently face a design choice, for all irreversible (or
| hard-to-reverse) actions, between:
|
| a) allow a grace period;
|
| b) redesign, if possible, to make it user-reversible;
|
| c) build a forcing function for diligence[1]; or
|
| d) anticipate the volume of support tickets about that feature.
| This is the default, and your helpdesk won't thank you, since
| it scales linearly with growth at a high opportunity cost.
|
| For those in financial technology, as in this specific example,
| irreversible actions extend the attack surface for fraud.
|
| [1] e.g. https://en.wikipedia.org/wiki/Two-man_rule
| secondcoming wrote:
| Incomprehensible gobbledygook.
|
| But I'm not worth $100m so I guess the joke's on me.
| MereInterest wrote:
| I like the takeaways, though I'd also add an additional one,
| that you should use systems that have reversible transactions.
| That way, when you fall victim to fraud, you can use the court
| system to recover your losses.
| koonsolo wrote:
| I guess you haven't seen "The Tinder Swindler" on Netflix?
|
| Also here in Belgium, plenty of people are getting scammed by
| wire transfer, and no way to get their money back.
|
| I think you have overly optimistic view on banks or the court
| system giving your money back.
| skim_milk wrote:
| How would one "accidentally" wire transfer millions of
| dollars? At $10k in America, KYC and AML laws force banks
| to step through extra layers of verification to wire such an
| amount. It's virtually impossible for someone to
| accidentally wire millions, which would likely involve a
| mandatory in-person meeting with the bank customer to
| verify their credentials and purpose.
|
| If somehow you get through an in-person meeting with a bank
| branch manager to unwittingly wire millions of dollars, and
| the topic of how much money you're wiring and the exact
| purpose of wiring such a high amount isn't brought up, and
| you somehow still accidentally wire millions of dollars
| away without anyone ever bringing up the amount and purpose
| of the transaction, then I'm sure you'll still be able to
| recover that money back because banks are required to
| actually validate transactions of that size with KYC, AML,
| etc. laws. Only cryptocurrencies allow one to transmit
| this amount of money in seconds.
| maneesh wrote:
| https://www.google.com/amp/s/amp.cnn.com/cnn/2021/02/16/busi...
| djur wrote:
| Notice that this was Citi making a mistake in a payment
| on behalf of Revlon, and it's Citi that's on the hook for
| the excess payment, not Revlon.
| randomhodler84 wrote:
| This is just saying "that's what you get for playing with
| crypto you degenerate".
|
| The fact is wires can also be irreversible and you cannot use
| the court system as a blunt instrument outside your
| jurisdiction. The value transmission medium isn't the problem
| here.
| fossuser wrote:
| Yeah the op comment wasn't made in good faith.
|
| Try getting your money back when getting scammed via venmo
| or PayPal - rarely any better, and if you're selling you're
| more likely to get scammed with those services than crypto.
| woodruffw wrote:
| I have done multiple clawbacks via payment processors. In
| each case, I escalated (vendor -> processor -> my bank ->
| CFPB) until the dispute was resolved to my satisfaction.
|
| In nearly all cases, no separate restitution was
| required: the processor or my bank was able to reverse or
| halt the ACH transaction before the money settled. In the
| handful of cases where settlement had already happened,
| they were able to countermand the transaction.
| reese_john wrote:
| Yes but, not sure this is a fair comparison. Don't ACH
| transactions take 1 to 2 business days to settle by
| design, as they are processed in batch and go through an
| intermediate clearing house?
|
| Venmo/PayPal/Fedwire transactions should be able to
| settle in real time, which can be more convenient at the
| expense of easy reversibility
| woodruffw wrote:
| Venmo and PayPal are, to the best of my knowledge,
| settled via ACH _if_ you use a bank as your source of
| funds. That's what I've always done, since it provides
| the greatest amount of personal control over my
| transactions.
|
| If you use a payment card (debit or credit) with a
| payment service, then they _might_ use either the payment
| card's network _or_ ACH, depending on what the card
| issuer supports.
| woodruffw wrote:
| > This is just saying "that's what you get for playing with
| crypto you degenerate".
|
| No, it isn't. It's a reminder that we have all of this
| financial structure for a reason. The person you're
| responding to didn't make any light of the potential victim
| or call them a degenerate.
|
| In traditional finance, you (Joe Shmoe) can't just wire
| someone ~100M USD, regardless of jurisdiction. There are
| controls, most of which have been written in blood or
| tears. Cryptocurrencies will also grow those controls, and
| we will all rightly question its value when it inevitably
| does.
| bko wrote:
| You ever heard of asset forfeiture? There's two sides to
| everything. Not really "owning" something is great if
| you're the victim of fraud, but has its downsides when
| you become a target and someone wants to arbitrarily
| capture your wealth
|
| https://en.wikipedia.org/wiki/Asset_forfeiture
| woodruffw wrote:
| Civil asset forfeiture is a national disgrace.
|
| But it's also not a disgrace for traditional finance:
| it's a disgrace with respect to the latitude our justice
| system gives to individual LEOs and a sign that the
| government is willing to extrajudicially punish people
| instead of pursuing justice through the courts.
|
| Put another way: asset forfeiture is not some kind of
| "gotcha" against traditional finance in favor of
| cryptocurrencies. When law enforcement seizes your bank
| account, they're going to seize your cryptocurrency
| accounts too. And if you (unadvisedly) attempt to hide
| those assets, then you will be making their job in court
| _much_ easier.
| bko wrote:
| I'm all for the legal process and there is a legitimate
| way to seize assets. But asset forfeiture is not that.
| It's only enabled because it is trivial and is done
| outside of the normal legal process. It doesn't help that
| the beneficiaries are the very people that can initiate
| the forfeiture.
|
| If someone goes through the legal process and is found to
| be guilty and their assets are seized that's fine. But if
| someone is pulled over, found to have some drugs, gets
| their car and the cash on them seized and is forced to go
| through a lengthy process to free up that money, then
| that's different.
| woodruffw wrote:
| I don't think we're in disagreement?
|
| In any case: the really egregious examples of civil asset
| forfeiture are the petty ones: the government stops
| someone for the crime of DWB[1], and seizes all of the
| property they have on their person (including, sometimes,
| the car itself.) It's a disgusting crime, but one that
| doesn't typically extend to the victim's bank accounts or
| other financial resources, _unless_ there's a larger
| case being pursued against them. And so, once again, it's
| not clear how cryptocurrency improves the state of
| affairs: either you're carrying a hot wallet around with
| you for your day-to-day expenses (in which case you're
| subject to the same seizure), _or_ it's roughly
| equivalent to a traditional financial product and isn't
| subject to a spurious seizure (but _might_ be subject to
| a larger one).
|
| [1]: https://en.wikipedia.org/wiki/Driving_while_black
| randomhodler84 wrote:
| Then you missed the point of this whole thing. Some of us
| would rather die with the keys than let the State steal
| funds from them. Cryptocurrency is the first technology
| that lets you take wealth to the grave and keep it there.
| woodruffw wrote:
| Look: if you want to clutch those hashes to the grave,
| more power to you. I think the Federalist Papers' authors
| wouldn't know whether to laugh or cry, but that's the
| wonderful thing about this little American Experiment of
| ours.
|
| But don't delude yourself into thinking that any
| meaningful number of people, even cryptocurrency
| believers, share your position. It's all fun and games
| until the Men with Sticks show up, and most people
| understandably tuck tail at that point.
|
| If I'm going to be made a coward in the eyes of a few
| LARPers, I might as well pay as few middlemen as possible
| in the process. But that's just me!
| abecedarius wrote:
| Forfeiture scenario 1: cops take your cash. It's on you
| to sue them and prove to a court that it's legitimately
| yours.
|
| Scenario 2: they take your hardware wallet, then they
| must prosecute you and prove to a court that the money is
| _not_ legitimately yours, to get the key. IANAL, but am I
| wrong?
| woodruffw wrote:
| The answer to this probably depends on your local
| jurisdiction, thanks to America's unique system of legal
| devolvement.
|
| Instead, I'll point out that the answer _does not matter_
| : from the moment that they have my hot wallet instead of
| me, I can no longer use it. It doesn't matter to me
| whether they can actually liquidate it or not. And, as I
| pointed out earlier, I'd harm my own case by attempting
| to liquidate my assets with a separate copy.
| cjlars wrote:
| Big difference between manually initiating the transaction
| and amount vs accidentally signing away everything because
| of one obscured line of code.
| amptorn wrote:
| Can a smart contract make a wire transfer with your
| knowledge?
| hollerith wrote:
| Brought up over and over again on HN, your point is. Also
| healthcare in the US is generally not as good as in other
| developed countries.
| bko wrote:
| You're mixing up reversible transactions and court system. If
| someone defrauds you in an irreversible transaction, you can
| still sue that person for damages if you know who they are.
| Similarly if someone defrauds you in reversible transactions,
| you can't just wave a wand and get your money back. You can
| sue them if you know who they are, or you can request a
| reversal from your bank/cc provider (may or may not be
| honored) but you're not completely safe. Most fraud happens
| in fiat and there are real victims out here.
| woodruffw wrote:
| > Most fraud happens in fiat and there are real victims out
| here.
|
| We had multiple threads about base rate error on HN just
| yesterday!
|
| _Most financial activity_ happens in fiat, and so of
| course it stands to reason that most fraud is also done in
| fiat. The _real_ question is whether the legitimate-to-
| fraudulent ratio is higher in cryptocurrencies than in
| fiat.
| rmbyrro wrote:
| Like she did with bank wire transfer fraud when she lost
| +300k? [1]
|
| I could find literally thousands of other stories like this
| in a minute scraping the web.
|
| [1] https://youtu.be/9cJxpKu_P0A
| TacticalCoder wrote:
| > that you should use systems that have reversible
| transactions.
|
| OTH I'm pretty sure that if the mark had been using such
| systems years ago, he wouldn't have $100m+ worth of ETH now ;)
| [deleted]
| ReactiveJelly wrote:
| Almost nobody has $100M worth of anything, so...
| hashimotonomora wrote:
| charcircuit wrote:
| Even without reversible transactions the other person can
| just send you back the assets you sent them.
| xwdv wrote:
| To be honest, if they got this close, it's only a matter of
| time before they take it all. He should strongly consider
| cashing out and leaving only an amount he is willing to lose in
| ETH.
|
| Hell, given my distaste for crypto, if I were more unethical I
| may even attempt such scams, but I'd balance it out by donating
| the stolen money to environmental initiatives to combat global
| warming (after giving myself some fair compensation, I don't
| have the skills to get away with hiding $100+ million).
| randomhodler84 wrote:
| It's like the televangelist. Money affinity scamming. You
| need to conspicuously show your wealth on chain so people
| think God (vitalik) made them rich.
|
| Unless you flex with your $100M in aave on your main with an
| ENS name, how will your victims know you are rich and worthy?
| xwdv wrote:
| If I had $100M, I find it hard that I'd care that much
| about things. I barely give a fuck now and my net worth is
| only 1/58th of that. I'd probably just build a passive
| income stream and chill the rest of my life.
| paulluuk wrote:
| Couldn't you already do that right now? If you put your
| wealth into S&P 500 you should be able to live from
| roughly 170K USD per year.
| randomhodler84 wrote:
| Which might not actually be that much in some parts of
| the world. For real. A few million is nice but that
| doesn't even get you a house in nice places.
|
| The 4% rule is fairy tales, especially post pandemic
| economy. we will be working more for less as time goes
| on.
| [deleted]
| xwdv wrote:
| Ah yes, a world where taxes don't exist and the S&P
| always returns 10%-20% a year and everything you _really_
| want in life is dirt cheap.
|
| Nah, I want cars, some homes, a yacht and a hot ass babe
| to pleasure me and raise nice children as we travel the
| world and dress fancy.
| bryans wrote:
| > scammers are getting more creative and advanced in technique
| including standing up professional front end websites to give
| the appearance of legitimacy
|
| It seems like this is becoming the minimum standard for scam
| operations. For example, there is currently a BTC phishing scam
| going around that tries to convince the user they've
| accidentally received an email meant for someone else, which
| just happens to include a link to a million dollars worth of
| BTC. The website looks legitimate, albeit amateurish, to the
| point that it could even be convincing to another web
| developer. The rest of it is much like the OP's scam.
|
| It starts with an email from the hacked account of a real bank
| manager in an Italian town, and is addressed to a real self-
| proclaimed stock market "guru" from the UK, now living in the
| US. The email states that 19 BTC has been deposited into an
| account that was created for them on a site called Coinlux, and
| they provide the username and password for the account. The
| Coinlux name was even used by an actual company at one point,
| so searching for any of the names or details surrounding the
| scam generates very real and convincing results.
|
| Upon visiting the page, you're presented with a moderately
| professional-ish looking site that asks which fiat currency you
| want to use and lets you login. You're then prompted to enter a
| phone number to "secure the account" which, surprisingly,
| initiates an actual phone call from a number in the UK using a
| Twilio-like service. After confirming the verification number,
| you're allowed to view the account, which has some realistic
| dummy transactions in the history and other features that make
| the site somewhat believable (it even has a fake chat system
| and working account recovery).
|
| After initiating a withdrawal of any amount, it provides a
| warning that you should make a small test transaction first (of
| 0.0001/$4), to ensure that you're sending to the correct BTC
| address -- after all, you wouldn't want to send 19 BTC to the
| wrong place and lose it all. It takes much longer than a normal
| transaction (likely because the scammers are manually
| initiating them), but it does eventually go through, and
| they've now succeeded in convincing the user that there is real
| BTC in the account and you can actually withdraw it.
|
| However, if you try to make a larger withdrawal (or a second
| one at all), you're now presented with an error stating that
| you're not withdrawing enough, because of a "minimum withdrawal
| amount" defined when the account was created. This minimum
| amount happens to be 19.01 BTC, or 0.01 more than is in the
| actual account currently. So you've successfully withdrawn ~$4,
| but you have to deposit ~$400 if you want to access the entire
| 19 BTC.
|
| As if it weren't obvious enough at this point, checking the
| address[1] which sent the 0.0001 makes the entire scam plain as
| day. This means that anyone with any amount of tech knowledge
| is probably not susceptible to the scam, though I do think that
| certain personality types could get caught up in the excitement
| of potentially "stealing" a million dollars. On the other side,
| non-techies will likely fall for this in droves, and the
| transaction history on that address does show there have
| already been successful victims -- though this particular
| person's scam has been massively unsuccessful so far, and they
| may actually be in the red overall.
|
| [1]
| https://www.blockchain.com/btc/address/bc1qt80xra3r2df8gvzr0...
| sillysaurusx wrote:
| Does Thomas actually have $100M of assets in a single wallet?
| Or is it spread out over, say, ten wallets?
|
| I'm interested to know whether the con artists could have
| realistically nabbed $100M, or if there was effectively never
| any chance of that due to other precautions. I would hope it's
| the latter, but crypto's strangeness stopped surprising me.
|
| Fabulous comment, by the way. Easily one of the top ten in the
| last month. Thank you for the breakdown.
| negamax wrote:
| Yes, he has $100M+ in Aave Eth in one wallet. You can see
| this on etherscan
| randomhodler84 wrote:
| There is over $160M in his address. https://etherscan.io/address/0xb1e9d641249a2033c37cf1c241a01...
|
| He could have approved a malicious contract to drain the lot.
| [deleted]
| aqme28 wrote:
| Easier to see assets on something like debank or zapper
| https://debank.com/profile/0xb1e9d641249a2033c37cf1c241a01e7...
|
| https://zapper.fi/account/0xb1e9d641249a2033c37cf1c241a01e71...
| sillysaurusx wrote:
| I see.
|
| But.. why? Isn't that a remarkably bad idea?
|
| Or is there some crypto advantage to keeping every last
| coin in the same basket? Other than it being a flex.
| vmception wrote:
| People have always used wallets in a way very different
| from the best practices described 10 years ago.
|
| No address reuse is almost impossible, as the wallets make
| it very hard as well.
|
| People don't really seem to know that Metamask gives you
| unlimited addresses; fwiw it is expensive to do approvals
| in each address.
| yardstick wrote:
| Maybe it's only a fraction of his coins in that wallet?
| Maybe he does have other wallets with similar amounts or
| more, but just doesn't admit to it?
| randomhodler84 wrote:
| It's got an ENS address associated which is only used by
| flexers.
|
| It's a giant flex.
| PretzelPirate wrote:
| There's no advantage, just laziness. A wallet like that
| shouldn't be easy to access and should never be used for
| anything other than funding their other hot wallets.
| nootropicat wrote:
| Concentration of funds is a great advantage for
| borrowing.
| whatshisface wrote:
| Why would someone borrow when they already have funds?
| For example I heard of one guy locking up $600k
| collateral to borrow $300k. Makes no sense.
| nootropicat wrote:
| Most farms require stablecoins, so the tactic is to
| borrow on your eth and farm with it
| randomhodler84 wrote:
| There are reasons, firstly tax advantage in that there is
| no capital gain from selling the cryptocurrency; the
| other is that you don't lose your position on the
| cryptocurrency, ideally over time you can increase your
| borrow as the underlying collateral increases in fiat
| value.
|
| One can also use the borrowed funds to speculate on other
| cryptocurrency, as a collateralized margin loan. Many
| lending systems offer incentives too, where you can be
| paid to borrow.
| ricardobeat wrote:
| > use the borrowed funds to speculate on other
| cryptocurrency
|
| If you want to maximize your potential losses, that's a
| great idea.
| randomhodler84 wrote:
| True that!
| addandsubtract wrote:
| There is one advantage, which is only needing to fund and
| spend gas fees from that one wallet. At $100m+ this
| shouldn't be a concern to you, though.
| ricardobeat wrote:
| I'm curious, does anyone know Thomas, or how did they amass
| 100M in ETH? The websites provide absolutely no identity of
| anyone involved (as is very common for crypto). The Twitter
| account is 4 months old.
|
| No mention of the person or the Arrow company on the internet
| previous to this episode seems to exist. Other than looking at
| the chain records, how should we believe that any of these
| stories are true?
| ttiurani wrote:
| "She tells me a bit about her metaverse project, Space Falcon.
| I'm not really sold on it, but I'm not really an NFT person so I
| didn't have any reason to think it was a bad idea either.[...] It
| seems kind of like a get-rich-quick scheme, but again, that's
| kind of how I see a lot of NFTs. With all that she's doing for
| Arrow, there's no harm in showing a little support."
|
| The real takeaway from this is that it's dangerous to break your
| moral compass and sense of reality to the point where you think
| helping out people who are pushing an obviously fraudulent
| business is ok and normal.
| grp000 wrote:
| I don't see it that way at all. The NFT vector is arbitrary.
| The point was to drain his accounts and nothing more. If a less
| suspicious method was available, I'm sure the scammers would
| have taken that one.
| KennyBlanken wrote:
| I think parent commenter might feel the same way I do, which
| is that when I read him say "eh, a scam but she's helping us,
| no harm in me voicing support" my sympathy for him diminished
| significantly.
|
| If you don't know much about NFTs but think they're kinda
| scammy, maybe you shouldn't default to "support / lend your
| reputation to them."
| matkoniecz wrote:
| Is there any case of NFT that is not some combination of get-
| rich-quick scheme, Ponzi scheme, search for a bigger fool,
| FOMO-powered stupidity, extracting money from naive people or
| satire of NFT?
|
| And does the NFT part add anything substantial that is not
| replaceable by a regular transfer (either of money or BTC-like)?
| MPSimmons wrote:
| I'm not convinced it isn't crypto itself, and NFT is just
| an extension of that.
| randomhodler84 wrote:
| It's degrees of suspension of disbelief. Software is just
| tricking sand into thinking.
|
| I have no issue believing that an imaginary consensus
| stored ledger in thousands of computers all secured by
| massive amounts of energy and limited to 21M units over
| 100 years might be valuable.
|
| The ability for people to copy this software idea? Not
| valuable. The ability for people to issue new tokens on
| existing chains? Not valuable. The ability for people to
| post and sell jpegs, Not valuable.
|
| Only original ideas are scarce. It's the first step vs
| the n-th step.
| woodruffw wrote:
| > I have no issue believing that an imaginary consensus
| stored ledger in thousands of computers all secured by
| massive amounts of energy and limited to 21M units over
| 100 years might be valuable.
|
| It's not "secured" by energy. You can't convert a Bitcoin
| into the original amount of power required to produce it,
| which is the defining quality of a financial security.
|
| It's more accurate to say that Bitcoin's value is
| _retained_ by the ongoing commitment of power into the
| network. But that correctly suggests that the network
| collapses without a perpetual source of electricity,
| which is not the kind of positive connotation that I
| think you meant to supply.
| randomhodler84 wrote:
| Hmmm, you do agree it has value then!
|
| It's a little more nuanced: while there is some component of
| maintaining hashrate/energy, it's best thought of
| as a point-in-time expenditure given the network size,
| participants and technology available. Once a block is
| minted at a given difficulty, it can never be undone
| (barring a negligible probability), as a chain
| reorganization would need to put in more energy than that
| to undo it.
|
| It's a conversion, abstractly. Probabilistic finality at
| a given level of technological and economic resource
| exploitation.
| woodruffw wrote:
| The wonderful thing about economic value is that, for
| better or worse, we get to decide what has it. A large
| number of people have decided that Bitcoins have economic
| value, and it's not particularly salient to my arguments
| as to whether that's true or not.
|
| The rest of what you've written doesn't really concern
| me, because all I was interested in was pointing out that
| Bitcoin doesn't securitize energy.
| birdyrooster wrote:
| I think SV libertarians saw the scam of world finance and
| thought, y'know what if we could get in on this too and
| then we would never have to innovate again.
| Animats wrote:
| If anyone knows of one, please post. As far as I know,
| there are none in the Metaverse area of NFTs.
|
| Discussion on Reddit's r/metaverse [1]
|
| [1] https://www.reddit.com/r/metaverse/comments/sr0sqz/what_meta...
| whatshisface wrote:
| NFTs could be used to manage domain names, which might be a
| helpful replacement for ICANN.
| ryan29 wrote:
| I own one. All the blockchain domains are a dream come
| true for squatters and scammers. I'll take the oversight,
| stability, accountability, and mutability of ICANN and
| the current registry/registrar system every single time
| given the choice.
| Grustaf wrote:
| How would it work and what aspect would it improve?
| whatshisface wrote:
| The NFT part keeps track of who owns what domain. It
| would improve the situation by getting rid of the
| questionable organization running things presently. (See:
| the .org scandal)
| Grustaf wrote:
| Obviously the NFT would "keep track of", but you have to
| be more specific.
|
| And changing the organisation is a completely separate
| question from which database technology they use. IF you
| just switch from SQL to NFT the organisation will not
| suddenly become less corrupt, or whatever the issue with
| them is.
| whatshisface wrote:
| If you're asking for the implementation details, there's
| a group trying to do it right now. You should look them
| up if you're interested.
|
| > _IF you just switch from SQL to NFT the organisation
| will not suddenly become less corrupt, or whatever the
| issue with them is._
|
| It's true that it won't make the managing organization
| less corrupt - it will make them nonexistent. That's the
| idea behind decentralized decision-making. The people
| running the database don't have to have the power to
| change it or bend the rules: that's what this whole
| crypto thing is about.
| Grustaf wrote:
| How would you be able to get rid of the organisation? So
| many people talk about various crypto use cases but they
| can almost never explain how it would work.
|
| From land deeds to insurance to domain registration to in
| game assets etc etc, people have all these wonderful
| ideas. It would be interesting to one day have at least
| one of these ideas explained.
| ryan29 wrote:
| It's literally whoever owns the keys listed as the
| registrant owns the domain. If you lose your keys you
| lose your domain. You have no recourse if someone squats
| on your domain, uses a lookalike domain for phishing,
| steals your domain, etc.. And for the privilege of having
| a judgement proof blockchain with no oversight you get to
| buy your domain from an early adopter that's squatting
| (investing) and you get to pay fees every time you blink.
|
| All the crypto bros printed (mined) a bunch of monopoly
| money (coins), invented assets (NFTs), bought (allocated
| to themselves) all the assets (NFTs) using their monopoly
| money (coins), and want us to buy into these crappy
| systems with real money so they can sell us the assets
| (NFTs) while still being the landlords (transaction
| processors) that charge us rent (fees) on everything
| forever.
| Grustaf wrote:
| > It's literally whoever owns the keys listed as the
| registrant owns the domain.
|
| Sure, but even so, how is this implemented? Presumably
| some organisation needs to uphold this connection. Simply
| "owning" a domain, in the sense that you "own" an NFT, is
| not very helpful, you need some kind of actual control
| over it. Presumably a server is needed to forward the
| domain to your IP, and someone needs to run that server,
| right?
| jozvolskyef wrote:
| That sounds a bit harsh. Did OP break their moral compass, or
| did they just give the wrong person the benefit of the doubt?
| zucker42 wrote:
| Yeah it's pretty ironic that a "legitimate" NFT venture and a
| project invented solely for social engineering are
| indistinguishable even for someone who presumably knows a lot
| about the crypto space.
| Grustaf wrote:
| Sure, NFTs and crypto in general may be get rich schemes at the
| core, but a lot of people do believe in them, so a charitable
| view would be that HE saw it as a scheme, but he thought that
| perhaps SHE believed in it.
|
| And FWIW I'm not sure "fraudulent" is the right word. NFTs are
| not a fraud, you usually get what you pay for, a mediocre jpeg,
| and perhaps a really primitive game.
|
| And to be fair, what are the odds his VTOL company will ever
| produce anything either?
| [deleted]
| ryan93 wrote:
| His opensource VTOL project may be one the most delusional crypto
| projects out there.
| lifeisstillgood wrote:
| A couple of things shook me about this - firstly I guess is the
| amount that was up for stealing - 100M just "sitting there" seems
| crazy - how many other multi-multi millionaires have their wealth
| just sitting in one bank account?
|
| Second, scam is the wrong word. A confidence scam originally meant
| the mark had to bring a suitcase of cash to give confidence to
| the scammers that he had the means to join their get-rich scheme
| - and of course he would walk away with a suitcase of old
| newspapers.
|
| But this is almost a new kind of crime - he did not present or
| move his money, he did not give away any keys. It is the very
| mechanism of money transmission that is the issue.
|
| SWIFT is rarely seen as part of crimes - but crypto is pointing
| towards a new world. Imagine "permissioned blockchains", ie Bank
| Of England coins; this would still be a real viable scam. Proving
| you did not mean for people to take your 100M and rapidly move it
| would be a slow process. Stop orders would be a commonplace
| activity, potentially holding up long chains of transactions.
|
| Even without permissionless crypto the move to a digital native
| currency is a long process.
| raverbashing wrote:
| "extremely thorough social engineering"
|
| Not really, it seems like the usual being extra flattering to
| earn favours (or worse). The first two messages would have raised
| several red flags with me.
|
| > He's currently working at Ubisoft and offers to help with 3D
| design and animation
|
| Like if I worked for Ubisoft I'd have time to do 3D design for
| free for some other company.
| Kiro wrote:
| Most people helping out like this have normal day jobs. Why
| would working at Ubisoft be different?
| jsnell wrote:
| > Like if I worked for Ubisoft I'd have time to do 3D design
| for free for some other company.
|
| Why is that so hard to believe? It's like suggesting that no
| professional software engineer would ever contribute code for
| free into an open source project in their free time. My basic
| assumption if somebody sends a patch to an open source project
| is not that I'm being social engineered -- it is that they're
| either using the software or interested in the domain.
| Nimitz14 wrote:
| I think because the stereotype is that in a gaming company
| work life balance tends to not be that good.
| birdyrooster wrote:
| Boo fuckin hoo
| karmakaze wrote:
| When I hear "NFT", my mind goes into binary options mode, then
| tunes out.
| cmckn wrote:
| > The aWETH that I approved was not Armstrong ETH, but rather
| Aave's aWETH. On my main address, almost all of my ETH is sitting
| in Aave...
|
| Just one example, but this entire thread is Greek to me. What the
| hell is "staking an NFT"? I am feeling so left behind by this
| crypto nonsense. Is this what getting old is like? (I'm not yet
| old)
| ajkjk wrote:
| No, it's what not being embedded in a peculiar subculture is
| like.
| progval wrote:
| This seems to be vocabulary invented by a specific app
| (probably to sound cool by association, because of Proof of
| Stake), described in the screenshot here:
| https://twitter.net/thomasg_eth/status/1492663229784408065
|
| As far as I understand, it's just a synonym for "lending" here.
| They even use the word "leasing" for the people on the other
| side.
| nfw2 wrote:
| Same, and I am probably younger than this guy.
|
| My really basic understanding after reading very slowly is he
| got some crypto asset from the scammer, and he needed to approve
| lending it out to get some sort of crypto interest on it. But
| approving the "lending X out" action apparently looks exactly
| the same as the "give Y away" action if you don't look
| closely at the contract.
|
| Maybe it's just ignorance, but the whole system seems like a
| mess to me.
| The_rationalist wrote:
| sireat wrote:
| I am curious why is all of Thomas 100M+ in a single wallet ?
|
| Also it seems strange to hold most of it in aETH, wouldn't you
| want to diversify a bit?
| randomhodler84 wrote:
| Note; dude has $123M in aave wrapped ethereum that he almost
| granted a scammer access to.
|
| Scammers ripping off scammers.
|
| Why would you waste time with open source aircraft? Aircraft
| are a regulated thing. Nobody wants to fly in your science
| project. Put some of that 123 million into starting an actual
| company. DAOs are bullshit.
| hanniabu wrote:
| > Put some of that 123 million into starting an actual company
|
| Yeah, start an actual company so you can raise billions with no
| profits and then IPO and dump on retail traders
| NicoJuicy wrote:
| I'm a sceptic of crypto usage.
|
| But DAOs do look attractive to me fyi. I wish I could do
| something similar in regular "fintech" (and with C#).
| randomhodler84 wrote:
| Why are DAOs attractive to you? They are plutocratic
| institutions.
| NicoJuicy wrote:
| Programmatic organization would define the attractiveness
| for me.
| randomhodler84 wrote:
| If you remove the plutocratic and cryptocurrency
| components, all you have is software, and as you are a
| developer, you already have everything you need.
|
| Don't fall for the DAO trap, it's a pit for fools to
| throw their money into.
| NicoJuicy wrote:
| Well, it's also about "what's possible".
|
| Banks in my country don't have a reasonable API. There is
| CODA, but it's restricted to business accounts too ( and
| you have to pay for it).
|
| Additionally, accountants make a huge part of the
| workforce. So I don't think it will be possible in the
| short term to "replace them" by traditional means.
| nfw2 wrote:
| I had never heard of DAOs before this and am struggling
| to wrap my head around it. It seems similar to any other
| venture with shareholders, except the shareholders need
| to reach consensus for any sort of financial transaction.
| Is that right?
|
| So the DAO is blocking this guy with $100M sitting around
| from just hiring an actual designer for his air taxi
| project?
| negamax wrote:
| That's a horrible take on a legit person and project.
| Nextgrid wrote:
| The aircraft and/or taxi service might be legit but all the
| crypto around it is useless complexity at best or a complete
| scam at worst.
|
| If you legitimately wanted to develop an aircraft taxi
| service, you do not need to involve crypto in any way. Even
| if you wanted to accept it for payments it's an auxiliary
| component that merely accounts for it and converts to fiat at
| some point.
|
| The DAO or whatever crypto bullshit is intertwined with it is
| absolutely a scam.
| randomhodler84 wrote:
| Yeah. I agree with you completely.
|
| I am not a cryptocurrency skeptic, but my level of trust
| for a "DAO driven aircraft / taxi service" is exceedingly
| low.
| randomhodler84 wrote:
| You would honestly ride in his 'open source' VTOL? And use
| his air taxi service?
|
| I don't think this is legit at all.
| PKop wrote:
| He didn't grant them access on his main wallet which holds the
| amount you describe, he granted them access on a different
| wallet that didn't hold those assets. Thus "nearly" in the
| title.
| keithalewis wrote:
| News flash: you were social engineered into buying ETH in the
| first place.
| throwaway8174 wrote:
| I paid off all my student loan debt and bought a house last
| summer because I got scammed into buying ETH about 2 years ago.
| Thanks for your insight though.
| pessimizer wrote:
| That just means that you were part of the scam. Hell;
| somebody approvingly reading this comment might be the
| bagholder of the future, shooting himself after all of his
| savings have evaporated into some ETH tycoon's pocket who
| dumped before the market locked up.
| throwaway8174 wrote:
| whatshisface wrote:
| Now that the bag holders include major investment houses...
| Well, if it's possible for a scam to have a successful
| "exit," that's what happened. They used their funny money
| to tap into the _real_ funny money. If all
| cryptocurrencies went to 0 tomorrow I wouldn't be
| surprised at all if some part of the "real" financial
| infrastructure got caught and there had to be bailouts,
| which we've learned is what happens when the wrong people
| lose a bet.
|
| There's too much money in the system now for it to all be
| from mom-and-pop marks. That's just not a viable
| explanation at these market capitalizations. That's not to
| say that average people aren't going to _find out_ that
| they're long crypto - but it'd be in the way they found
| out they were long real estate.
| Grim-444 wrote:
| As a thought experiment, replace crypto in this situation for
| beanie babies. You managed to buy a bunch of beanie babies
| before a beanie baby craze started, and sold them at
| exorbitant prices to other people coming in that were
| convinced that beanie baby prices would only keep
| skyrocketing. You took their money, and now I guess as long
| as they're the bag holders still holding beanie babies when
| it all falls apart and they become worthless, and not you,
| it's all good. As long as you managed to make a profit and
| get out in time it wasn't a scam.
| samarama wrote:
| Except beanie babies have no inherent value, but ETH has
| vast inherent value in numerous ways
|
| 1. Immutability
|
| 2. Decentralization
|
| 3. Cheap, fast, secure cross-country money transfers
|
| 4. Protection against inflation
|
| 5. Independence of banks or arbitrary freezes of your funds
|
| 6. Access to a vast variety of financial services
|
| 7. Is quite likely the replacement of money
|
| The fact that people still don't get that in 2022 is
| astonishing.
| secabeen wrote:
| YMMV. I don't put any value on most of the above.
| buttocks wrote:
| If a scammer scams you out of a scam, do you come out ahead?
| keithalewis wrote:
| It worked for PT Barnum.
| [deleted]
| selestify wrote:
| Low-quality comment.
| bitcharmer wrote:
| I'd say GP's comment contributes more to the discussion than
| yours.
| randomhodler84 wrote:
| Eth is a premine scam sure, but the dude has $130M Of it, so I
| don't think he is crying over that part
| hanniabu wrote:
| Given your username and how salty you are, I'm going to
| assume you invested in Bitconnect and lost everything b/c you
| didn't do your own research.
| randomhodler84 wrote:
| Haha nice one!
|
| the world is not anymore the way it used to be, mm mm NO NO
| No! Bitconeeeeeeeeeeeeeeeect wooo bitconnect! We are coming
| and we are coming in waves. We are starting and to actually
| go all over the world. We all built the entire world.
|
| Me? Im just out there fiat mining, stacking sats...
| MPSimmons wrote:
| How much purchasing power does that afford? If he wanted to
| buy an island, pay for it to have infrastructure added, and
| then also hire security and business payroll, could he
| actually exchange the Eth to the applicable currencies? I
| know the numbers line up, but is that amount of liquidity in
| the system?
| randomhodler84 wrote:
| Good question. Mostly yes, but it would take some
| coordination.
|
| At $100M you would want to split trade across exchanges and
| probably some defi too, but yeah, you could. Eth has about
| $10M/-2% on major exchanges.
|
| Not that you would need to convert to fiat. If you ran your
| own island, just pay for goods and labor in Bitcoin or
| Ether directly.
| capableweb wrote:
| > could he actually exchange the Eth to the applicable
| currencies? I know the numbers line up, but is that amount
| of liquidity in the system?
|
| Yes, Coinbase, Binance and other big exchanges offer OTC
| trading where you can trade pretty large amounts without
| impacting the market at large.
| sidcool wrote:
| I feel incredibly dumb for not getting the details of how it
| happened.
| scyclow wrote:
| He had $130 million wrapped up in an ERC20 token called Aave
| wETH (aWETH). ERC20 tokens let you approve another address to
| spend those tokens on your behalf. Basically, the scammers
| tried to trick him into approving all of his Aave wETH by
| creating a fake website designed to make him think that he's
| approving a different token with the same aWETH symbol.
| magicalhippo wrote:
| So besides getting scammed, what use are these ERC20 for?
| sidcool wrote:
| So he spent $130 million to buy the NFT in the first place?
| randomhodler84 wrote:
| He has loaned ETH to a money market. The NFT was a Trojan
| horse that tricked the user into giving away their loan
| claim tickets.
| vmception wrote:
| Hacker sends NFT to Thomas.
|
| Since NFTs are subject to heavy criticism of their existence,
| a lot of people are developing extra things you actually can do
| with them. The market is interested in that being done right,
| so it's interesting to be a part of projects that are trying.
| This extra thing required Thomas sending the NFT to another
| service they developed. Smart contracts in Ethereum Virtual
| Machine environments (EVMs) have to be primed to recognize an
| asset. So there is something called an Approval. When Thomas
| interacted with this contract it did the approval for the NFT,
| and also an approval for aWETH, a token associated with that
| project.
|
| aWETH is the ticker symbol for a token that project created
| called Armstrong ETH. The namespace for ticker symbols has many
| collisions as there are many tokens. So people aren't too
| worried about that, a token's ID is its contract address which
| does not have collisions.
|
| In this case, this was the actual phishing attempt.
|
| Their project did indeed use a token called Armstrong ETH, but
| their approval was for aWETH which is Aave Eth, an asset
| collateralized by liquid valuable actual Ether. It is also
| redeemable for actual Ether.
|
| So if Thomas approved the use of their project from his main
| account, the hacker would have been able to use another
| function written in their smart contract that leveraged the
| approval of aWETH (the Aave Eth) to take it all away from
| Thomas. He has $100m of that.
|
| Very close one for him.
| sbierwagen wrote:
| > a lot of people are developing extra things you actually
| can do with them
|
| To be clear, the "thing" in this instance is NFT staking: a
| ponzi upon a ponzi where you buy a NFT and then lend it to a
| platform, which pays you fees. Platforms can advertise
| ridiculous yields (200% APY) because deposits go right out
| the door again as fees to people higher up in the pyramid.
|
| https://learn.bybit.com/defi/what-is-nft-staking/
| ratsmack wrote:
| I have a feeling that it's all going to end really bad.
| vmception wrote:
| That often happens, yes.
|
| Imagine if they got his $100m! That would be an article
| for a whole half of a week!
| tylersmith wrote:
| He has around $130mm of a token called aWETH, which stands for
| Aave Wrapped ETH and means he has that much ETH deposited into
| the Aave app. The attacker tried to trick him into giving their
| contract control over his aWETH under the guise of being a
| different, useless, token that they were just trying out.
|
| If he approved their contract to be allowed to control his
| aWETH they'd take it all.
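The explanations from scyclow, vmception and tylersmith above all come down to two facts: an ERC-20 approval lets the approved address call transferFrom on the owner's balance without any further signature, and a token's identity is its contract address, not its symbol, so two tokens can both display "aWETH". The Python below is an added, constructed illustration written for this page; it is not code from the thread, from Aave, or from the project described, and every address, balance and function name in it is a made-up placeholder. It models the approve/transferFrom ledger, adds a wallet-side check that compares the contract address in an approval prompt against the address you expected to approve, and an allowance audit with revocation (approve to zero) of the kind a holder would run over a wallet before interacting from it.

```python
"""Toy ERC-20 allowance model with a wallet-side approval audit.

Constructed example: the ERC20 class mimics approve / transferFrom
semantics; every address, symbol and balance is made up and nothing
talks to a chain.
"""
from dataclasses import dataclass, field

UINT256_MAX = 2**256 - 1  # the "unlimited" allowance many dapps request

# Constructed placeholder addresses; none of these exist on any network.
REAL_AWETH = "0xaave0000000000000000000000000000000000aa"      # token holding the ETH position
FAKE_AWETH = "0xfa4e0000000000000000000000000000000000bb"      # look-alike token, same symbol
STAKING_CONTRACT = "0x5ca40000000000000000000000000000000000cc"  # dapp contract asking for approval
VICTIM = "0x1111111111111111111111111111111111111111"
ATTACKER = "0x2222222222222222222222222222222222222222"


@dataclass
class ERC20:
    """Minimal ERC-20 ledger: identity is the contract address, never the symbol."""
    address: str
    symbol: str
    balances: dict = field(default_factory=dict)
    allowances: dict = field(default_factory=dict)  # (owner, spender) -> amount

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def approve(self, owner, spender, amount):
        # Signed by `owner`; the dapp chooses which token and amount the prompt shows.
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        # Any spender holding an allowance can move the owner's tokens with no further consent.
        allowed = self.allowance(owner, spender)
        if allowed < amount or self.balance_of(owner) < amount:
            raise PermissionError("insufficient allowance or balance")
        if allowed != UINT256_MAX:
            self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balance_of(to) + amount


def prompt_is_for_expected_token(prompt_token_address, expected_token_address):
    """Wallet-side check: compare the contract address in the prompt, not the symbol."""
    return prompt_token_address.lower() == expected_token_address.lower()


def audit_allowances(tokens, owner, trusted_spenders):
    """List every live allowance `owner` granted to a spender outside the trusted set.

    Each finding names the exposed token by address and how much of the
    owner's balance that spender could move right now.
    """
    findings = []
    for tok in tokens:
        for (o, spender), amount in tok.allowances.items():
            if o != owner or amount == 0 or spender in trusted_spenders:
                continue
            findings.append({
                "token": tok.address,
                "symbol": tok.symbol,
                "spender": spender,
                "unlimited": amount == UINT256_MAX,
                "drainable": min(amount, tok.balance_of(owner)),
            })
    return findings


def revoke(token, owner, spender):
    """Undo an approval: an allowance of zero makes transferFrom fail."""
    token.approve(owner, spender, 0)


def run_scenario():
    """Sign the look-alike prompt, audit the wallet, revoke, then see what the spender can still move."""
    real = ERC20(REAL_AWETH, "aWETH", balances={VICTIM: 100_000})
    fake = ERC20(FAKE_AWETH, "aWETH", balances={VICTIM: 1})
    # The prompt says "aWETH" and the user expects the project's own token,
    # but the contract address inside the prompt is the real one.
    matched = prompt_is_for_expected_token(REAL_AWETH, FAKE_AWETH)
    real.approve(VICTIM, STAKING_CONTRACT, UINT256_MAX)
    by_address = {real.address: real, fake.address: fake}
    before = audit_allowances([real, fake], VICTIM, trusted_spenders=set())
    for finding in before:
        revoke(by_address[finding["token"]], VICTIM, finding["spender"])
    try:
        real.transfer_from(STAKING_CONTRACT, VICTIM, ATTACKER, 100_000)
        drained = True
    except PermissionError:
        drained = False
    return {
        "prompt_matched_expected_token": matched,
        "findings_before_revoke": before,
        "drained_after_revoke": drained,
        "victim_balance": real.balance_of(VICTIM),
        "after": audit_allowances([real, fake], VICTIM, trusted_spenders=set()),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The audit reports the token by contract address, which is the only field that distinguishes the two "aWETH" entries; the "drainable" figure is the whole balance because the approval was unlimited. Comparing addresses before signing is the cheap check that would have caught this prompt; the audit plus revoke is the clean-up for approvals already signed from a wallet that holds real value.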
| [deleted]
| oefrha wrote:
| This highlights how scary it is to interface your savings with
| these "smart contracts". Most people have no way to know what
| they're actually going to do; the tiny slice of people capable of
| investigating can hardly remain vigilant at all times. Like, if
| you ask me to log into something with my bank account, all alarm
| bells would go off; if you ask me to stake this, approve that
| with my eth wallet, well, just another weird smart contract
| thing, right?
| sterlind wrote:
| Yeah this makes me terrified of Ethereum.
|
| This kind of scam just wouldn't work on BTC. You're passing
| tokens around. At fanciest you're time-locking wallets or using
| M of N signatures. You're not like, installing arbitrary code
| in your bank account.
|
| I find ETH very technically interesting but it feels like it's
| full of sentient foot-guns.
| vmception wrote:
| The other thing to understand is that legitimate interactions
| look just like this in the crypto space.
| randomhodler84 wrote:
| Scammers ripping each other off on Discord. Today it's apes,
| next week it will be houses. I can't believe they can convince
| people to lend liquidity to bridges, myself.
| blueboo wrote:
| Houses? How about pension funds, top-flight companies,
| countries... a lot of smart and powerful folks are face-
| planting into this griftspace
| vmception wrote:
| It's the wealth redistribution people have been hoping for.
|
| Can't keep your assets? Someone else who can code can!
|
| Looking forward to the technocrat plutocracy.
|
| I'm being facetious as I think there will continue to be a
| balance and cat / mouse game.
| randomhodler84 wrote:
| My fear is it just becomes another side show. Ethereum is
| going to become ebay. Yeah you can trade rare coins but
| it's mostly just trash changing hands and clogging up the
| mail system.
| axiosgunnar wrote:
| We should make it blatantly clear and public that we will
| not be bailing out banks, pension funds etc that will
| inevitably get burned on some crypto scam.
| solveit wrote:
| No way to credibly signal that while decisionmakers can
| be voted out.
| randomhodler84 wrote:
| I would rather make it clear that the cryptoeconomy will
| not bail out fiat currencies when they fail. The first
| government to get a fat stack of Bitcoin probably wins.
| Game theory intensifies.
| TigeriusKirk wrote:
| These scammers went to impressive lengths. They say that often
| the secret of a magic trick is to put in far more prep work than
| anyone thinks is reasonable. Con games work the same way. In this
| case, the effort is worth it since the target has something like
| $175 million in a wallet. The payoff is massive.
|
| Worth noting, though, that for all the fancy footwork the point
| of failure for the scam is him being willing to work with his
| main wallet rather than a one-off, and when he showed hesitation,
| they got too impatient. Good security practices were still the
| answer.
| badRNG wrote:
| > when he showed hesitation, they got too impatient.
|
| This seems to be the common factor among scams, cons, and
| social engineering strategies. Rushing people will have them
| bypass protocol, training, and security practices. It's a
| universal "hack" for our brains; we do things we otherwise
| wouldn't when rushed. Security practices are like rituals,
| standards of behavior that _we just don't have time for right
| now._
|
| "The funds are only available for the next hour"; "You will be
| prosecuted if you don't do X"; "Per the CFO, we need to spend
| these funds before end of day."
| kenjackson wrote:
| I do wonder if they were more patient and said to themselves
| "let's build more trust over the next three months" if they
| would've been able to get him to use his main wallet?
|
| Great story though. I never realized these smart contracts
| could be so obtuse and malicious. That needs to be fixed.
| Nextgrid wrote:
| Yes - they could've just kept churning out more NFTs for
| him to "stake" and catch him off-guard when he used his
| main wallet by accident or maybe even give him legitimate
| returns (that they bankroll) to convince him to use his
| main wallet intentionally to get higher returns.
| nfw2 wrote:
| The lengths they went through were mind-boggling to me until he
| mentioned he has 9 figures sitting in a public wallet. Then it
| made a lot of sense. At first I thought he had maybe a few
| hundred thousand, partly because he was happy to accept the
| free help from a stranger.
|
| It's still pretty impressive how competently these scammers
| were able to discuss and deliver the VTOL work, the Space
| Falcon game, and entrepreneurial strategy.
| frontman1988 wrote:
| With 9 figures at stake I wouldn't be surprised if state
| sponsored hackers of desperate countries like North Korea are
| involved.
| dpeck wrote:
| Generalizing, anytime someone is giving you a "gift" but is
| putting expectations on how you receive it (in this case the
| wallet destination) that should be a huge red flag.
|
| Whether that's cryptocurrency or a sandwich.
| HWR_14 wrote:
| Most people who invite me over for a sandwich would be insulted
| if I entered their house, took the sandwich they made me and
| left. In fact, I probably would never get invited over again.
| randomhodler84 wrote:
| I'd be more worried about being poisoned. Who is giving away
| free sandwiches? Y'all far too trusting. Zero trust is the
| only way to go.
| brightstep wrote:
| The number of people who'd do something like this is
| minuscule. Human society is built on trust for a good
| reason. We know that rules are imperfect and trust our
| fellow humans to do the right thing. They don't always but
| most of the time, the average person will.
| openknot wrote:
| Location and culture play a factor. If the average
| stranger in New York City or Miami, Florida offered me a
| free sandwich, I would be skeptical. If I were visiting a
| small town that wasn't known for a negative reputation, I
| wouldn't automatically decline or be as skeptical when
| offered a sandwich.
| randomhodler84 wrote:
| Who is we? I don't trust my fellow humans to do the right
| thing. Average don't matter, what matters is, are you
| offering me a sandwich? Is it poisonous? Would you tell
| me if it was?
| brightstep wrote:
| Your incredibly low level of trust, thankfully, is just
| as rare as sandwich poisoners.
| paulluuk wrote:
| Zero trust is an impossible way to live.
|
| Do you trust your neighbour with your spare key?
|
| Do you trust your doctor with your medical history?
|
| Do you trust your pizza delivery guy to deliver you pizzas
| that aren't poisoned?
|
| Being skeptical is sometimes a good idea, like when it
| comes to "online research" or "alternative medicine". But
| having zero trust in even the most basic human interactions
| sounds like hell.
| randomhodler84 wrote:
| Unsolicited pizza, no trust. No keys for neighbors.. no
| way.
|
| I don't trust most Doctors either, and you probably can't
| trust any medicinal organization with keeping records
| confidential, plenty of examples of breach of that trust.
|
| I think you are not skeptical enough.
| sillysaurusx wrote:
| Meanwhile I wish someone would come over to take one of my
| sandwiches. It turns out that human contact in covid's era is
| hard to come by.
|
| You're probably right though. But if you ever find yourself
| near Lake St Louis, MO, feel free to raid our fridge.
| shbooms wrote:
| true, but if they invited you in and told you you had to go stand
| in a very specific place in the room, facing a certain
| direction and to only start eating when they said so, that
| would be very suspicious and likely result in you opting out.
| nightfly wrote:
| Like sitting at the dining room table, and eating only
| after saying grace?
| radicalriddler wrote:
| Surprised this hasn't been commented already but:
| https://threadreaderapp.com/thread/1492663192404779013.html
|
| God I hate twitter threads, especially 32 tweets long!
| adam_arthur wrote:
| Imagine Bill Gates stored all his money in cash in a room in his
| house.
|
| That's probably more secure than crypto, where a click of a button
| can siphon it all away. At least with physical money you have to
| be able to carry it, and be physically present to steal.
|
| I'm sure there are strategies like using multiple wallets etc,
| but overall it will never be mainstream if you put the onus of
| security on the individual. Literally just typo-ing an address
| can disappear all of your money.
| CommieBobDole wrote:
| A good rule of thumb is if somebody you've just met introduces
| you to someone with an exciting new NFT project that they want
| your help testing, you're probably being scammed.
|
| While NFTs probably have some useful purpose that will emerge
| eventually, for now you should consider any proposal or offer
| that involves the term 'NFT' as having about the same value as
| any offer involving the term 'Nigerian prince'.
| Nextgrid wrote:
| The "problem" in this case is that the victim himself is all-in
| on NFTs and crypto.
| dshpala wrote:
| Could someone please explain what's terrifying in the function
| spendWalletAWETH()?
|
| Just two lines... Is the idea that tokenToBeApproved.allowance()
| can do bad things?
|
| Code:
| https://twitter.com/thomasg_eth/status/1492663290715152384/p...
| randomhodler84 wrote:
| The onlyOwner modifier means the contract creator can call this
| function and transfer all the funds from the victim's wallet (if
| they have previously approved).
|
| tokenToBeApproved is a variable declared in the contract. It
| will be pointing at the aWETH contract, which is the claim
| token for ETH on Aave, a money market.
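The question above asks why two lines are dangerous, and the answer explains the onlyOwner plus allowance pattern. The following is an added example, not code from the thread or from the tweeted contract: a small Python model of the ERC-20 approve / allowance / transferFrom mechanics, with a contract whose owner-only function moves whatever the caller has approved. All names (aWETH balances, the "main" and "burner" wallets, the "0xSTAKE" address, the scammer account) are constructed for illustration. It shows the two defensive points made elsewhere in the thread: interacting from a one-off wallet bounds the loss to that wallet's balance, and a revoked (zero) allowance leaves the privileged function nothing to move.

```python
"""Toy model of ERC-20 allowance mechanics (added example, constructed data).

MAX_UINT256 stands in for the "unlimited" allowance that many dapp front ends
request by default when you click "approve".
"""

MAX_UINT256 = 2**256 - 1


class Erc20Token:
    """Minimal ERC-20 ledger: balances plus (owner, spender) -> allowance."""

    def __init__(self, name, balances):
        self.name = name
        self.balances = dict(balances)
        self.allowances = {}

    def balance_of(self, account):
        return self.balances.get(account, 0)

    def approve(self, owner, spender, amount):
        # approve() only records a promise; no tokens move at this point.
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, caller, src, dst, amount):
        """Spend part of the allowance src granted to caller (ERC-20 transferFrom)."""
        allowed = self.allowance(src, caller)
        if amount > allowed or amount > self.balance_of(src):
            raise PermissionError("insufficient allowance or balance")
        if allowed != MAX_UINT256:  # many implementations never decrement an unlimited allowance
            self.allowances[(src, caller)] = allowed - amount
        self.balances[src] -= amount
        self.balances[dst] = self.balance_of(dst) + amount


class StakingContract:
    """Models the contract the thread describes: a privileged, owner-only
    function that moves whatever a wallet approved to the contract's owner."""

    def __init__(self, address, owner, token):
        self.address, self.owner, self.token = address, owner, token

    def spend_wallet(self, caller, wallet):
        if caller != self.owner:  # the onlyOwner modifier
            raise PermissionError("onlyOwner")
        # The two lines the question is about: read the allowance this wallet
        # granted to the contract, then transferFrom that much to the owner.
        amount = min(self.token.allowance(wallet, self.address),
                     self.token.balance_of(wallet))
        self.token.transfer_from(self.address, wallet, self.owner, amount)
        return amount


def risky_allowances(token, wallet):
    """What an allowance-checking tool lists: every spender this wallet has
    a non-zero allowance with. Review these after any 'approve' click."""
    return {spender: amt for (owner, spender), amt in token.allowances.items()
            if owner == wallet and amt > 0}


def revoke(token, wallet, spender):
    """Revocation is just approve(spender, 0)."""
    token.approve(wallet, spender, 0)


def scenario(wallet_used, revoke_before_drain=False):
    """Constructed scenario: the victim approves the staking contract from
    wallet_used; returns (amount moved to the owner, wallet's remaining balance)."""
    aweth = Erc20Token("aWETH", {"main": 100_000, "burner": 10})  # constructed balances
    contract = StakingContract("0xSTAKE", "scammer", aweth)       # constructed names
    aweth.approve(wallet_used, contract.address, MAX_UINT256)
    if revoke_before_drain:
        revoke(aweth, wallet_used, contract.address)
    moved = contract.spend_wallet("scammer", wallet_used)
    return moved, aweth.balance_of(wallet_used)


if __name__ == "__main__":
    print("main wallet, unlimited approval:  ", scenario("main"))
    print("burner wallet, unlimited approval:", scenario("burner"))
    print("main wallet, allowance revoked:   ", scenario("main", revoke_before_drain=True))
```

The point the model makes is that the transfer itself is ordinary ERC-20 behaviour; the privilege was granted at approve time, so the review has to happen before that click, or the allowance has to be revoked afterwards.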
___________________________________________________________________
(page generated 2022-02-13 23:01 UTC)