Trust Wallet has responded to a social engineering attempt that resulted in $4 million being stolen from a metaverse firm during a face-to-face meeting.
A Rome, Italy-based criminal organisation used social engineering to steal $4 million worth of USDC from a Trust Wallet belonging to Webaverse, a Web3 firm.
Webaverse Tricked Into Sending $4M
The criminal reportedly convinced the victim to move funds from a multi-signature Trust wallet to a single-signature Trust wallet. With a multi-sig wallet, more than one private key is needed to sign a transaction.
The criminal provided the victim with a phony KYC and an electronic version of a non-disclosure agreement before the victim sent the money. Trust Wallet’s investigation shows that the counterfeit NDA likely contained malicious software designed to steal funds.
The perpetrator then confirmed the transfer by photographing the victim’s wallet after the money had been sent. After taking the victim’s crypto, he vanished.
Ahad Shams, the co-founder of Webaverse, was baffled that the fraudster managed to steal money from a Trust Wallet without access to the wallet’s private key. Although it hasn’t been verified, one Twitter user speculated that the scammer may have used a QR code on the victim’s device to steal their money.
1/ This week, an organised crime unit from Rome stole $4M from one of our users.
It was stated, the thief ‘took a picture’ of the user’s Wallet balance to steal the funds.
We’ve done investigating into the events and believe this is how it happened…🧵👇
— Trust – Crypto Wallet (@TrustWallet) February 8, 2023
Subsequent inquiries uncovered six other locations where the stolen money had been sent. To further spread the stolen funds, the con artist exchanged the USDC for ETH, wrapped Bitcoin and USDT, and transferred them to fourteen addresses. A single address holds 83% of the stolen cryptocurrency.
According to Trust Wallet, victims of this fraud should contact the police so that the perpetrator is prevented from withdrawing funds via a fiat on-ramp. When travelling internationally, the firm also advises against inputting login credentials through an insecure HTTP connection, such as those provided by public WiFi hotspots.
NFT Holders Encountered Similar Scams in 2021
Before the Webaverse incident, users of other wallet providers had reported two similar incidents in Milan and Barcelona, Spain.
Jacob Riglin, a creative NFT artist and entrepreneur with the Twitter handle @jacobriglin, had $90,000 worth of cryptocurrency stolen by a Barcelona-based firm that seemed to be a professional real estate agency.
Following some email back-and-forth over the sale of some of his NFTs, @jacobriglin says that he eventually agreed to meet three people at a restaurant. After receiving payment for the NFTs, the representatives of the supposed property business demanded a commission through email.
While having dinner together, the three discussed the commission problem and demanded that @jacobriglin show he could pay them. As in the Shams case, @jacobriglin found his money missing from his wallet after opening it.
There was a chance that the trio had utilised WiFi to take the money, but he needed to know.
In 2022, American victims of romance scams lost $185 million. Romance scams are forms of social engineering that prey on lonely people who turn to online dating or social media to find a partner.
Scammers often build trust with their victims online before asking them to send cryptocurrency to an untraceable location.