Tweetstorm, an occasional series of enlightening threads...

thomasg.eth (@thomasg_eth) · Feb 13

For the past two weeks, I've been targeted in an extremely thorough social engineering scam that nearly cost me all of my ETH. I'm super lucky to have made it through unscathed. Here's the story 👇

1/ First a quick background. I'm the founder of Arrow, a DAO working to build open-source VTOL aircraft and air taxi protocol. We're still fairly early-stage and focused on growing the team. We're open to contribution and don't turn anyone away if they're excited to help.

2/ So two weeks ago, this user "heckshine" joins the Discord and introduces himself. He's currently working at Ubisoft and offers to help with 3D design and animation. The message seems a little strange, but I just attributed that to a language barrier.

3/ Heckshine also has a friend that is really passionate about VTOLs, and is working on a metaverse project. Her brother in law is a VP at Boeing. Wow, what a connection!

4/ Over the next few days, heckshine starts working on various animation projects for Arrow. He designs a really neat animated version of the hero image for our website and begins working on some aircraft renderings. We're all super impressed by his dedication to the project.

5/ While this is happening, heckshine also reaches out to his friend, Linh. She's apparently interested and heckshine asks me to send her an email. From what he has told me, Linh seems like a great connection.

6/ Linh gets back to me with a very thoughtful email. She tells me a bit about her metaverse project, Space Falcon. I'm not really sold on it, but I'm not really an NFT person so I didn't have any reason to think it was a bad idea either.

7/ She also tells me a bit more about her connection with Boeing/Wisk and offers some thoughts on Arrow. She seems eager to help with a potential partnership for us. The tone of the email is a little strange, but I assume it's also just the language barrier.

8/ Linh and I move the conversation over to Discord. We talk more about our backgrounds and end up deciding that she can best help out as an advisor. She offers to provide guidance and advice around what would work well regarding partnerships for us. I'm excited for her support.

9/ She then tells me more about Space Falcon. It seems kind of like a get-rich-quick scheme, but again, that's kind of how I see a lot of NFTs. With all that she's doing for Arrow, there's no harm in showing a little support.

10/ Space Falcon uses something called Armstrong wrapped ether. I don't really get it but I don't bother to do the research. Apparently, users will have to lease the NFTs and it can provide some passive income to the holders. I tell her that it sounds neat and to keep me updated.

11/ Somewhere in here I actually look up Space Falcon. I had never heard of it, but it seems like a fairly popular gaming project on Solana. I see Linh's name on the team page. Linh and I agree to stay in touch, and I move on to other things.

12/ For the next 10 days or so, heckshine is active in Discord every day. He puts out some super high-quality renderings. They're not particularly airworthy, but he's super excited to be helping and I figure we'll improve with some iterations.

13/ I can't overstate how committed and authentic heckshine has seemed through this entire process. We're super aligned on vision and I'm feeling great that he's so enthusiastic about what we're working on.

14/ Yesterday is when things started to get really crazy. Heckshine and I had been DMing back and forth for a while about the design for our v1 aircraft. He gets the entire configuration and he's ready to get started on a rendering when he gets up in the morning.

15/ As we're wrapping up, Linh reaches back out to me with some crazy exciting news. She's going on a tour of the Wisk facility and has invited me along to meet the team. She includes a screenshot of an email thread with Sebastien, who is actually a VP at Wisk.

16/ In hindsight, this is kind of absurd, but I had no reason to think that any of this wouldn't be real. We set a date for the trip and Sebastien is going to get back to me with a formal invite over email. I'm pumped and incredibly grateful to Linh for setting this up.

17/ This is when Linh mentions that their staking app has launched. She offers to send me the NFT. At this point testing out the app is the least that I can do! I ask her to send it to my hot wallet, but she sends it to my primary because it's so valuable. No big deal, right?

18/ She sends me some instructions on the staking app. The site seems fine and it has prompts for three transactions: the NFT approval, a token approval for Armstrong wrapped ETH, and a stake function. The token approval seems a little strange, but I don't hold it so I don't worry.

19/ Now here is where I got incredibly lucky. Since it's a new project, I decided to move the NFT to a fresh eth address before going through the staking process - just in case they get exploited down the road or something. The stake goes through and I'm earning yield on it.

20/ I let Linh know that I'm staked and that it was easy. She offers to send me one of the other NFTs, but she wants me to stake it on my main account to help them with their growth. A little annoying, but I'm fine with it.

21/ I let Linh know that I'm going to read through the contracts before I stake it on my main account, and she starts getting pushy. This is when I finally realize that something sketchy is going on.

22/ So I pull up etherscan for the new address where I staked the first NFT and my blood goes ice fucking cold. The aWETH that I approved was not Armstrong ETH, but rather Aave's aWETH. On my main address, almost all of my ETH is sitting in Aave...

23/ At this point I ghost the scammers and they eventually start deleting all of their Discord messages. As some sort of final attempt, she sends me 0.2 ETH to cover gas fees and asks for the NFTs back. Not sure what the logic is with that.

24/ I dig further into the contract that I almost approved to spend my aWETH and find this truly terrifying function. This is where the scammers would have been able to transfer any amount of aWETH out of my account. I'm at the limit for this thread. Stand by for part 2

25/ As I continue poking through the scammers' addresses on Etherscan I eventually find the source of their funds: a 100 ETH Tornado Cash deposit. These guys were incredibly well funded and super smart.

26/ I have to assume that they hired a 3D design contractor that was putting out most of Heckshine's work. They also had built custom contracts and the front end that are entirely specific to this scam as far as I can tell.

27/ And what about SpaceFalcon, that seemed super legit, right? As far as I can tell it is a real project on Solana. The real project is using the (spacefalcon . io) domain where the scammers somehow acquired the .com.

28/ So the Linh that I've been interacting with is probably just an imposter of the real Linh working on the real space falcon...

29/ Ok, what are the takeaways here?

1. Token approvals can be super dangerous. I'm always going to be extremely cautious with them going forward. It makes sense to always put a cap on approvals when you can.

30/

2. Scammers are getting smarter. Before now, the best scam I've really encountered is basically "hi this is tech support please share your private key so we can help".

31/

3. Always verify, no matter how much you trust. These guys spent two weeks targeting my own specific weaknesses, and I was extremely close to falling for it. You can't be too paranoid.
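An added example, not from the thread: a small Python checker for the kind of `approve()` transaction described in tweet 18. It decodes the raw calldata a wallet asks you to sign and flags the three things that would have caught this scam: a token contract whose real label differs from what the dapp calls it (Aave aWETH vs "Armstrong wrapped ETH"), an unlimited allowance, and a spender contract you have not vetted. The addresses and the known-token table are constructed placeholders, not real contract addresses.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

# First 4 bytes of keccak256("approve(address,uint256)"): the ERC-20 approve selector.
APPROVE_SELECTOR = "095ea7b3"
MAX_UINT256 = 2**256 - 1

# Constructed placeholder addresses (NOT the real Aave aWETH or any real contract).
KNOWN_TOKENS = {"0x" + "aa" * 20: "Aave aWETH"}
TRUSTED_SPENDERS = {"0x" + "cc" * 20}   # contracts whose source you have actually read


@dataclass
class ApprovalReview:
    token_label: str
    spender: str
    amount: int
    findings: list = field(default_factory=list)


def encode_approve(spender: str, amount: int) -> str:
    """ABI-encode approve(spender, amount) as 0x-prefixed calldata (used to build samples)."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + f"{amount:064x}"


def decode_approve(calldata: str) -> Optional[Tuple[str, int]]:
    """Return (spender, amount) if calldata is an approve() call, else None."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    if len(data) != 136 or data[:8] != APPROVE_SELECTOR:
        return None
    spender = "0x" + data[8:72][-40:]   # the address is right-aligned in its 32-byte word
    return spender, int(data[72:136], 16)


def review_approval(to: str, calldata: str, dapp_says: str, cap: int) -> Optional[ApprovalReview]:
    """List what a careful signer should know before confirming this approve() to `to`."""
    decoded = decode_approve(calldata)
    if decoded is None:
        return None
    spender, amount = decoded
    label = KNOWN_TOKENS.get(to.lower(), "unknown token")
    r = ApprovalReview(label, spender, amount)
    if label.lower() != dapp_says.lower():
        r.findings.append(f"dapp calls this token '{dapp_says}' but the contract is {label}")
    if amount == MAX_UINT256:
        r.findings.append("unlimited allowance: spender can move your whole balance, now or later")
    elif amount > cap:
        r.findings.append(f"allowance {amount} exceeds your cap of {cap}")
    if spender.lower() not in TRUSTED_SPENDERS:
        r.findings.append("spender contract has not been vetted")
    return r
```

A wallet that surfaces these three findings before the signing prompt turns the thread's takeaway 1 (cap approvals, know which contract you are approving) into a check rather than a habit.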

https://nitter.net/thomasg_eth/status/1492663192404779013?s=12
