Ethereum whale targeted by social engineering scam; nearly $130 million in ETH almost stolen

Summary: Fortunately, the cautious thomasg.eth avoided this crisis.
The Way of DeFi
2022-02-16 16:05:19

Author: Overnight Porridge/DeFi Path

Ethereum whale thomasg.eth became the target of a meticulously planned social engineering scam because his wallet held over $130 million worth of ETH. The scammers posed as community contributors and, by offering free NFTs, tried to trick thomasg.eth into granting a wallet authorization that would let them steal his ETH. Fortunately, the cautious thomasg.eth managed to evade this crisis.
(Image: thomasg.eth's wallet address)

Here is the account of the events as told by thomasg.eth:

Over the past two weeks, I became the target of an extremely thorough social engineering scam that nearly caused me to lose all my ETH. Fortunately, I came through this ordeal unscathed, and here is the whole story.

First, a brief introduction to the background: I am the founder of Arrow, a DAO dedicated to building open-source VTOL aircraft and air taxi protocols. Two weeks ago, a user named "heckshine" joined the project Discord and introduced himself. He claimed to be currently working at Ubisoft and was willing to offer help with 3D design and animation. His messages seemed a bit odd, but I attributed it to a language barrier.

Heckshine also had a friend who was passionate about VTOL and was working on a metaverse project, claiming that his brother-in-law was a vice president at Boeing, which was quite a connection!

In the following days, heckshine began creating various animation projects for Arrow. He designed a very clean hero image version for our website and started producing some aircraft renderings. His dedication to the project left a deep impression on us.

During this time, heckshine also contacted his friend Linh, who was evidently very interested. Heckshine asked me to send her an email. From what heckshine told me, Linh seemed to have a good network.

Linh replied with a very thoughtful email, telling me about her own metaverse project, Space Falcon. I wasn't particularly fond of the project, but as I'm not a true NFT expert, I had no reason to think it was a bad idea.

She also shared more about her connections with Boeing and Wisk Aviation, providing some ideas regarding Arrow. She seemed eager to help us establish potential partnerships. The tone of the communication in the emails was a bit strange, but I still thought it was due to a language barrier.

Linh and I shifted the conversation to Discord, where we talked more about our backgrounds and ultimately decided to invite her to be our advisor. She proactively offered guidance and advice to help us with partnership issues, and I was excited about her support.

Then, she told me more about the Space Falcon project, which seemed a bit like a get-rich-quick scheme, but similarly, that's the approach many NFT projects take. Given everything she had done for Arrow, showing a bit of support didn't seem like a bad idea.

Space Falcon used something called Armstrong wrapped ETH, which I really didn't understand and was too lazy to research. Apparently, users would have to rent the NFTs, which could provide some passive income for holders. I told her that the idea sounded good and asked her to keep me updated.

Then, I searched for Space Falcon; I had never heard of this project before, but it seemed to be a fairly popular gaming project on Solana. I saw Linh's name on the team page, and Linh agreed to keep in touch, after which I continued with other tasks.

In the next 10 days or so, heckshine was active in Discord every day, presenting some high-quality renderings. These renderings weren't particularly suitable, but he was very happy to help, and I thought we would improve through some iterations.

Throughout the process, I cannot emphasize enough how sincere heckshine appeared. We were very aligned in our vision, and I was glad he was so passionate about our work.

Then yesterday, things started to get crazy. Heckshine and I had been discussing the design of the v1 aircraft for some time. He had the entire configuration and was ready to start rendering when he woke up in the morning.

As we were wrapping up, Linh conveyed some exciting news to me. She said she was going to visit Wisk and invited me to meet the team. She also provided a screenshot of an email communication with Sebastien, who was the vice president at Wisk.

In hindsight, this seemed a bit ridiculous, but at the time, I had no reason to think it was all fake. We confirmed the date for the visit, and Sebastien would reply to me with a formal invitation via email. I was very grateful for Linh's arrangements.

After that, Linh mentioned that their staking application had launched. She suggested sending the NFT to me, and testing the application was the least I could do!

I asked her to send the NFT to my hot wallet, but she sent it to my main wallet address, claiming that this NFT was very valuable. No big deal, right?

She sent me some instructions about the staking application, and the website looked nice. It had three transaction prompts: NFT approval, Armstrong wrapped ETH token approval, and a staking feature. The token approval seemed a bit strange, but I didn't hold it, so I wasn't worried.

Then came my stroke of luck. Since this was a new project, I decided to transfer the NFT to a new ETH address before staking, in case the project was attacked or something else happened. Next, the staking was completed, and I started earning rewards.

I told Linh that I had completed the staking and said it was easy. She suggested sending me other NFTs while hoping I would keep the NFTs in my main wallet account to help them grow. This was a bit annoying, but I accepted.

I told Linh that I would review the entire contract before staking with my main account, and then she started to become aggressive. At this point, I finally realized something was off.

So, I opened Etherscan to look for the new address where I first staked the NFT, and what happened next sent chills down my spine.

The aWETH I approved was actually not Armstrong ETH, but Aave's aWETH, and my main wallet held almost all my ETH in Aave…

Recognizing this as a scam, they eventually started deleting all Discord messages. As a last-ditch effort, she even sent me 0.2 ETH and asked me to return the NFT, which made no sense.

I further investigated the contract that approved spending aWETH and discovered that this terrifying function allowed the scammers to transfer any amount of aWETH from my account.

As I continued browsing the scammer's address on Etherscan, I eventually found their source of funds: a 100 ETH deposit from Tornado Cash. These guys not only had deep pockets but were also particularly clever.

I have to assume they hired a 3D design contractor who handled most of heckshine's work. From what I know, they also built a custom contract and frontend specifically for this scam.

What about Space Falcon? It seemed like a legitimate project, right? As far as I know, it is a real gaming project on Solana. But the official domain used by the real Space Falcon is spacefalcon.io, while the scammers somehow acquired the domain spacefalcon.com.

So, the Linh I had been chatting with might just be an impersonator of the real Linh.

Well, what are the lessons here?

  1. Token approvals can be very dangerous, and I always treat them with extreme caution. Setting limits on approvals makes sense whenever possible.
  2. Scammers are becoming increasingly clever. The scams I encountered before were basically "Hello, this is tech support, please share your private key so we can help you."
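
The approval described in the account can be checked before signing by decoding the transaction data and identifying the token by its contract address rather than by the name a website shows. The sketch below is an added example, not part of thomasg.eth's account or the original article; the addresses, balance and helper names (`decode_approve`, `review_approval`) are constructed for illustration.

```python
# Added example: pre-signing review of an ERC-20 approve() transaction.
APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")
MAX_UINT256 = 2**256 - 1

def decode_approve(calldata):
    """Return (spender, amount) for approve() calldata, or None for anything else."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    if len(data) != 8 + 64 + 64 or not set(data) <= set("0123456789abcdef"):
        return None
    if data[:8] != APPROVE_SELECTOR:
        return None
    spender_word, amount_word = data[8:72], data[72:136]
    if spender_word[:24] != "0" * 24:  # a 20-byte address is left-padded with zeros
        return None
    return "0x" + spender_word[24:], int(amount_word, 16)

def review_approval(tx_to, calldata, claimed_symbol, holdings, vetted_spenders):
    """List reasons to stop before signing.

    tx_to is the contract the transaction is sent to (the token itself);
    holdings maps token address -> (symbol, balance in base units);
    vetted_spenders is a set of contract addresses the owner has reviewed.
    """
    decoded = decode_approve(calldata)
    if decoded is None:
        return ["not a well-formed approve() call"]
    spender, amount = decoded
    findings = []
    held = holdings.get(tx_to.lower())
    if held:
        symbol, balance = held
        if symbol != claimed_symbol:
            findings.append(f"site labels the token '{claimed_symbol}' but the contract is {symbol}")
        if amount >= balance > 0:
            findings.append(f"allowance covers the entire {symbol} balance")
    if amount == MAX_UINT256:
        findings.append("unlimited allowance")
    if spender not in vetted_spenders:
        findings.append(f"spender {spender} is not a vetted contract")
    return findings

# Constructed sample data: placeholder addresses and balance, not values from the incident.
TOKEN = "0x" + "11" * 20
SPENDER = "0x" + "22" * 20
HOLDINGS = {TOKEN: ("aWETH", 40_000 * 10**18)}
CALLDATA = "0x" + APPROVE_SELECTOR + SPENDER[2:].rjust(64, "0") + f"{MAX_UINT256:064x}"

if __name__ == "__main__":
    for finding in review_approval(TOKEN, CALLDATA, "Armstrong wrapped ETH", HOLDINGS, set()):
        print("STOP:", finding)
```
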

Regarding this meticulously planned scam, some commenters have suggested that linking his identity to an ENS name is what drew the scammers to him. What are your thoughts?
