In a daring heist in Rome, Italy, an elusive criminal organization made off with $4 million worth of USDC from the Trust Wallet of a Web3 startup, Webaverse. The masterminds behind the theft utilized the art of social engineering to pull off their audacious exploit.
The villain hoodwinked the unsuspecting victim into transferring funds from a multi-sig Trust wallet, which required multiple signatures, to a single Trust wallet under their control.
The sly tactics used by the criminal
The thief presented the unsuspecting victim with a digital copy of a non-disclosure agreement and some false customer information, seemingly harmless in nature.
However, Trust Wallet has reason to believe that the counterfeit NDA was harboring malware that allowed the criminal to steal the crypto.
To add insult to injury, the thief snapped a photo of the emptied wallet before slipping away with the stolen funds.
Surprisingly, according to Webaverse Cofounder Ahad Shams, the con artist made off with the funds without ever laying eyes on the Trust Wallet’s closely guarded private key.
Moreover, a Twitter user suggests that the thief may have gotten their hands on the money through a rogue QR code displayed on the screen, though this remains unconfirmed.
Plenty of breadcrumbs left to follow
Further sleuthing uncovered that the stolen funds had been cunningly divided into six separate addresses. Then, the thief masterfully converted the USDC into ETH, wrapped Bitcoin, and USDT, before shuffling the loot to fourteen wallet addresses.
These, in turn, were funneled to four others, with one address holding an alarming 83% of the stolen crypto.
Trust Wallet has issued a warning to all who may have fallen victim to this devious scam. In addition, they are urging crypto holders to sound the alarm with law enforcement to prevent the thief from exchanging the stolen crypto for fiat.
Finally, the firm also advises against tempting fate by using public WiFi hotspots while traveling abroad or entering sensitive login information over an unsecured HTTP connection.