Over $4.7 Million Stolen In Uniswap Fake Token Phishing Attack

At first, some people thought that the hack was an exploit of the Uniswap V3 protocol, but it was soon made clear that it was the result of a phishing campaign.

A sophisticated phishing attempt targeting Uniswap v3 protocol liquidity providers (LPs) resulted in the theft of at least $4.7 million in Ethereum (ETH). However, the community is suggesting that the losses may be far higher.

On July 11, MetaMask security researcher Harry Denley was among the first to raise the alarm about the attack, informing his 13,000 Twitter followers that 73,399 addresses had been sent fraudulent ERC-20 tokens in an attempt to steal their assets.

According to a tweet from Binance CEO Changpeng “CZ” Zhao, at least $4.7 million in ETH was lost in the attack. However, there are concerns in the crypto world that the actual losses may be more serious.

On July 11, prominent crypto Twitter user 0xSisyphus noted that a “big LP” holding roughly 16,140 ETH, worth $17.5 million, may also have been phished.

According to Denley, the phishing scam works by sending unwary users a “malicious token” called “UniswapLP” that is disguised as coming from the genuine “Uniswap V3: Positions NFT” contract by manipulating the “From” field shown in the blockchain transaction explorer.
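The “From” value an explorer shows for a token transfer is read from the token contract's own Transfer event, so the contract that emits the event decides what appears there. The following is an added example, not code from the article or from Uniswap, of a wallet-side check that flags such a log; every address, label table and helper name in it is a constructed placeholder.

```python
# Added example; addresses below are constructed placeholders, not real contracts.
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
POSITIONS_NFT = "0x" + "aa" * 20  # stands in for "Uniswap V3: Positions NFT"
FAKE_TOKEN = "0x" + "bb" * 20     # contract that emitted the lure token's event
KNOWN_TOKEN = "0x" + "cc" * 20    # a token the wallet owner already trusts
VICTIM = "0x" + "dd" * 20
SENDER_EOA = "0x" + "ee" * 20     # account that actually signed the transaction

LABELLED = {POSITIONS_NFT: "Uniswap V3: Positions NFT"}  # explorer-style name tags
TRUSTED_EMITTERS = {KNOWN_TOKEN}


def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    raw = topic[2:] if topic.startswith("0x") else topic
    if len(raw) != 64:
        raise ValueError("topic must be 32 bytes")
    return "0x" + raw[-40:].lower()


def pad(addr):
    return "0x" + "00" * 12 + addr[2:]


def check_transfer_log(log, tx_from, tx_to):
    """Return a finding for a Transfer log whose 'from' borrows a trusted label."""
    topics = log["topics"]
    if len(topics) != 3 or topics[0].lower() != TRANSFER_TOPIC:
        return None  # not an ERC-20 Transfer event
    claimed_from = topic_to_address(topics[1])
    emitter = log["address"].lower()
    label = LABELLED.get(claimed_from)
    if label is None or emitter in TRUSTED_EMITTERS:
        return None
    # Heuristic without a call trace: the labelled contract was neither the
    # signer nor the direct target, so only the emitter vouches for 'from'.
    if claimed_from in (tx_from.lower(), tx_to.lower()):
        return None
    return {"emitter": emitter, "claimed_from": label,
            "recipient": topic_to_address(topics[2])}


def make_log(emitter, src, dst):
    return {"address": emitter, "topics": [TRANSFER_TOPIC, pad(src), pad(dst)],
            "data": "0x" + "00" * 31 + "01"}


SPOOFED = make_log(FAKE_TOKEN, POSITIONS_NFT, VICTIM)  # constructed sample
BENIGN = make_log(KNOWN_TOKEN, POSITIONS_NFT, VICTIM)  # constructed sample
```

The check keys its trust decision on the emitting contract (`log["address"]`) rather than on the `from` topic, which is the field the lure token controls.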

Users curious about the new tokens are directed to a website that claims to let them exchange the tokens for Uniswap’s native token UNI, which is now worth $5.34 per token.

Instead, the website sends the users’ addresses and browser client information to the attackers’ command center, and the attackers then attempt to drain cryptocurrency from the users’ wallets.

According to a Reddit thread that also explained the attack, the attackers took native tokens (ETH), ERC20 tokens, and NFTs (specifically Uniswap LP positions) from victims.

When Binance CEO Zhao first raised the alarm about the attack, he referred to it as a “possible exploit” of the Uniswap protocol on the ETH blockchain.

Zhao quickly followed up with another update, revealing a conversation with the Uniswap team, who confirmed that the incident was a phishing attack rather than a protocol flaw.

The Uniswap price fell to a 24-hour low of $5.34 as a result of CZ’s initial worrisome comments. The price of UNI has subsequently rebounded to $5.48 at the time of writing, but it is still down 11 percent in 24 hours and 87.8 percent from its all-time high (ATH).