Users of Uniswap (UNI), the biggest decentralized exchange (DEX) functioning on the Ethereum (ETH) blockchain, have reportedly lost over USD 8.1 million in assets due to a sophisticated phishing attack. Meanwhile, Binance CEO Changpeng Zhao (CZ) falsely claimed that the protocol was exploited. According to MetaMask security analyst Harry Denley, the phishing attack attempted to steal users’ assets under the guise of a UNI airdrop. He claimed that a malicious token was sent to at least 73,399 addresses in order to target their assets.
The phishing campaign is said to have been carried out on a major Uniswap V3 liquidity pool (LP) by the hacker. They appear to have sent addresses a malicious token posing as a UNI airdrop in an attempt to get users to sign the transaction.
“First, the nefarious contract contaminates the event data so that block explorers index the ‘From’ as the legitimate ‘Uniswap V3: Positions NFT’ contract,” Denley explained, adding that if a user notices that “Uniswap V3: Positions NFT” sent them a token, they will become curious and check the token. Users are directed to a domain that mimics the real Uniswap branding. The website then runs a function that attempts to steal the assets of the users.
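The "From" an explorer shows for a token transfer is only a field inside the event log, written by whichever contract emitted it; the emitter address is the part the chain vouches for. The following check is an added example, not code from Denley or Uniswap: it flags `Transfer` logs whose sender carries a trusted name tag but which were emitted by an unvetted token in a transaction that never called the tagged contract. All addresses, the label table and the receipt are constructed placeholders.

```python
# keccak256("Transfer(address,address,uint256)"), the standard Transfer event topic
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"

# Constructed placeholder addresses, not real on-chain values.
POSITIONS_NFT = "0x" + "aa" * 20
KNOWN_TOKEN = "0x" + "bb" * 20
AIRDROP_TOKEN = "0x" + "cc" * 20
LABELS = {POSITIONS_NFT: "Uniswap V3: Positions NFT"}  # explorer-style name tags
TRUSTED_EMITTERS = {KNOWN_TOKEN}                         # tokens already vetted

def pad(addr):
    """Encode an address the way an indexed event topic stores it (32 bytes)."""
    return "0x" + "00" * 12 + addr[2:]

def topic_address(topic):
    """Recover the 20-byte address from a 32-byte topic."""
    return "0x" + topic[-40:].lower()

def spoofed_sender_logs(receipt):
    """Return Transfer logs that claim a labelled sender without evidence for it."""
    findings = []
    tx_to = (receipt.get("to") or "").lower()
    for log in receipt["logs"]:
        topics = log["topics"]
        if len(topics) < 3 or topics[0].lower() != TRANSFER_TOPIC:
            continue
        emitter = log["address"].lower()         # authenticated by the chain
        claimed = topic_address(topics[1])       # chosen freely by the emitter
        label = LABELS.get(claimed)
        if label is None or emitter in TRUSTED_EMITTERS:
            continue
        # Heuristic (assumption): a receipt cannot show internal calls, so only
        # the top-level call target is compared; confirm hits with a trace.
        if tx_to != claimed:
            findings.append({"emitter": emitter, "claimed_sender": label,
                             "recipient": topic_address(topics[2])})
    return findings

# Constructed receipt: an EOA calls the airdrop token, which emits the logs itself.
SAMPLE_RECEIPT = {
    "from": "0x" + "dd" * 20, "to": AIRDROP_TOKEN,
    "logs": [
        {"address": AIRDROP_TOKEN, "topics": [TRANSFER_TOPIC, pad(POSITIONS_NFT), pad("0x" + "01" * 20)]},
        {"address": AIRDROP_TOKEN, "topics": [TRANSFER_TOPIC, pad(POSITIONS_NFT), pad("0x" + "02" * 20)]},
        {"address": AIRDROP_TOKEN, "topics": [TRANSFER_TOPIC, pad("0x" + "dd" * 20), pad("0x" + "03" * 20)]},
    ],
}

if __name__ == "__main__":
    for finding in spoofed_sender_logs(SAMPLE_RECEIPT):
        print(finding)
```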
According to on-chain data from the attacker’s address, a total of ETH 7,500 (USD 8.1 million) was laundered through the crypto mixing service Tornado Cash. The address currently has only ETH 70 in it.