- Arrow DAO founder Thomasg.eth has described how he was almost socially engineered into surrendering all his ETH
- Scammers even went to the trouble of working for the project before engaging him in a new NFT project
- Thomasg.eth was only saved because he used a new Ethereum wallet instead of his existing one
The founder of air transport DAO Arrow has described how he was nearly socially engineered into losing all his ETH. Known on Twitter as Thomasg.eth, the founder detailed the lengths the would-be hacker went in order to try and con him out of his holdings, including producing work for his project and engaging in discussions over several days and between multiple parties. Thomasg.eth was only saved because he used a brand new Ethereum wallet when carrying out a favor for the scammers.
For the past two weeks, I’ve been targeted in an extremely thorough social engineering scam that nearly cost me all of my ETH. I’m super lucky to have made it through unscathed. Here’s the story 👇
— thomasg.eth (@thomasg_eth) February 13, 2022
Hackers Worked on Arrow Project to Ingratiate Themselves
Thomasg.eth reported how the hacker, who went by the name ‘heckshine’, joined the group’s Discord group claiming to have contacts in the industry and offered to help the project for free, preaching his love of the project. Heckshine carried out tasks for Arrow, designing various animations and impressing everyone with his dedication to the project.
Heckshine soon put Thomasg.eth in touch with his supposed industry connection, Linh, who convinced Thomasg.eth to test out the staking aspect of the NFT project she was heading up – Space Falcon, which is an actual game on Solana. This involved sending him an NFT to his ETH address which could be staked through the site.
Fortunately for Thomasg.eth he set up a new Ethereum wallet and asked the NFT to be sent there before staking it “just in case they get exploited down the road or something.” This completed, Linh began pestering him again to stake another NFT, this time from his main ETH account, which is where Thomasg.eth says he realized that “something sketchy” was going on.
Thomasg.eth Saved by New Ethereum Wallet
Pulling up his newly created Ethereum address on Etherscan, Thomasg.eth noticed that while aWETH rewards were entering the wallet as expected, these were not Space Falcon’s Armstrong ETH but instead Aave’s version of wrapped ETH. Digging further into the contract, Thomasg.eth noticed that the smart contract included a command where all the aWETH could have been withdrawn at any time by the scammers.
In the case of his active stake this would have meant he would have lost the staking rewards, but the story would have been very different if he had gone with his main account as he was asked – all his personal ETH holdings were in aWETH, all of which could have been removed at a trice.
Scammers Hired Freelancers to Carry Out Work
Eventually after ghosting them the scammers removed traces of their existence, and Thomasg.eth says that he now believes they hired a graphic artist to pretend to do the work while they were trying to hoodwink him into staking NFTs from his wallet. Fortunately Thomasg.eth took the precaution of using a new Ethereum wallet, which is something everyone should do with a new project.
As he says, “Scammers are getting smarter”, and this near miss is a reminder to be ultra-cautious when dealing with people or projects you don’t know.