A cryptocurrency whale has fallen victim to a massive phishing attack, losing millions of dollars in staked Ether (ETH) on the liquid staking provider Rocket Pool.
The investor lost their entire address balance of Lido Staked ETH (stETH) and Rocket Pool ETH (rETH) on Sept. 6, the cryptocurrency security firm PeckShield reported.
The hack was completed in just two transactions, with 9,579 stETH stolen in one and 4,851 rETH in another. At the time of the attack, the amount stolen was worth $15.5 million in stETH and $8.5 million in rETH, a staggering $24 million combined.
According to PeckShield, the phisher subsequently swapped the assets for 13,785 ETH and 1.64 million Dai (DAI).
A significant portion of the DAI stash has already been transferred into the fully automatic cryptocurrency exchange FixedFloat, PeckShield reported.
SlowMist’s crypto tracking team, MistTrack, reported that most of the remaining stolen funds were transferred to three addresses.
Related: MetaMask scammers take over government websites to target crypto investors
According to anti-scam source Scam Sniffer, the victim enabled token approvals to the scammer by signing “Increase Allowance” transactions.
Allowance or access permissions are a feature of ERC-20 tokens that enable a third party to have the right to spend some tokens that belong to a different owner, using smart contracts. Some cryptocurrency observers have warned against risks associated with approving ERC-20 allowances, noting that anonymous developers could deploy malicious smart contracts to scam users.
The news comes shortly after at least five Ethereum liquid staking providers — Rocket Pool, StakeWise, Stader Labs and Diva Staking — imposed or started working to impose a self-limit rule in which they promise not to own more than 22% of the Ethereum staking market.
Magazine: Asia Express: Thailand’s national airdrop, Delio users screwed, Vietnam top crypto country