- Multiple theories have been suggested as to how Webaverse lost $4 million in stablecoins to a fake investor
- The ‘investor’ met them in person and asked for a proof of funds involving a fund transfer to a new wallet
- The wallet, held on a company device, was drained shortly after
A $4 million hack on Web3 metaverse game engine Webaverse has led to crypto sleuths trying to work out how the hack took place. Webaverse posted a detailed breakdown of the event, which took place in a hotel in Rome in December 2022 and saw $4 million in stablecoins stolen by sham investors who had no access to the device on which the coins were stored.
Webaverse Sent $4 Million to Brand New Wallet
Webaverse explained in a company update how the hack happened: company representatives were convinced to send the funds, in the presence of the investors, to a new Trust Wallet that the representatives had set up and controlled themselves, as proof of funds. The ‘investors’ took photos of the money in the wallet and nothing else, left the room for a ‘discussion’, and never returned. Moments later, the $4 million left the newly created wallet.
When the update was revealed by someone on Twitter, theories about how the hack could have been performed began to do the rounds. The situation was complicated by the fact that the private keys had never left the new wallet or the phone it was on, and the only clue was the fact a photo was taken of the funds in the wallet.
Device Already Compromised?
One suggestion was that the device on which the wallet was created was already compromised and the scammers needed to “prove they were the ones that scammed this specific individual in order to get their commission”, with the wallet draining conducted by a third party.
Another suggestion put forward was that, because the hacker picked the physical location and the app, one of three things was true: they had a copy of the encryption keys for Trust Wallet, they intercepted the device to force it to download a compromised wallet, or Trust Wallet itself has an undocumented API that the attackers abused over NFC. One respondent replied that they had seen something similar with Exodus wallet.
A third theory was put forward that involved something simpler – malware plus social engineering:
The tl;dr of what happened:
1. Team had been in contact with the attackers for a while before the meetup.
2. Team shared documents (some in the form of PDF) through communications from a now-defunct website.
3. Funds were originally stored in a multi-sig gnosis safe.
— IOE 🦇🔊 (@CT_IOE) February 7, 2023
Whatever the method, the fact that $4 million was taken so easily should make project leaders extremely wary when potential investors demand money transfers and then have any kind of access to the device the funds are on.