Uniswap Liquidity Providers Hit for $8.6M in Phishing Scam

This Monday (July, 11) Uniswap liquidity providers have fallen victim to a phishing attack. That resulted in $8,6 million losses worth in different crypto assets.

Hacker targeted more than 7 000 Ethereum addresses. They tricked victims into approving malicious transactions by a fake UNI airdrop link on a website mimicking Uniswap (the largest decentralized exchange).

Details of the case

All victims were redirected to the phishing site, where they willingly sent the crypto to the exchange. This way hackers get access to these wallets. Despite targeting a considerable number of Uniswap liquidity providers, most attackers’ illicit haul seems to have come from a single victim.

The indicated wallet is 0x09b5027ef3a3b7332ee90321e558bad9c4447afa. It was created on July 11, 2022, at 8:46 PM, and its last activity was on July 12 at 6:12 AM. The balance, how much was received, and how much was sent,are on the screenshot.

That phishing attack lasts less than 10 hours, which is incredibly fast for this amount of stolen money. Usually, attackers are more accurate: they tend to make fewer phishing transactions with less money to keep their profile low.

The first transaction on this wallet came from Tornado (the mixer is in the upper right corner of the picture). Many transactions, including ETH and WBTC, were made from the wallet 0xc36442b4a4522e871399cd717abdd847ab11fe88 (the next wallet on the left after Tornado).

There were also transactions from other wallets (bottom left of the picture). Most of them have many transactions, and most likely the exchangers are unverified. Manyf hackers tend to do this to “confuse the trail”.

Further, many transactions were made on the Tornado mixer (twice) from the wallet 0x09b5027ef3a3b7332ee90321e558bad9c4447afa (which is in the very center of the picture). There were dozens of transactions limited to 100 ETH each. As a result, the hacker stored 209.1332395 ETH in the wallet 0x524a924880adc8e4737e7cf6dc328408b4ae8ba3. Professionals suspect that It will be there for a very long time (months, maybe years) before the hacker starts withdrawing funds from it.

How did we find all details?

We used an AMLBot that checked both the initial sending address of a scammer and the final destination address, which he used to launder the funds. Both have a 100% risk score meaning that the scammer will not be able to use these funds on any regulated service anytime soon.