Crypto Whale Loses Over $24 Million in a Phishing Scam

The address to which the victim’s money was transferred is associated with at least ten websites involved in phishing scams.

A whale surrounded by floating money
A part of the stolen money has already been moved to crypto exchanges

Yesterday, a crypto whale lost nearly $24.2 million worth of Rocket Pool ETH (rETH) and Lido Staked ETH (stETH). The investor fell victim to a phishing attack carried out by an exploiter associated with at least ten phishing sites, including,,,, and others, according to Web3 scam-detecting platform Scam Sniffer.

Another cybersecurity analytics team, Meta Sleuth, also believes that "the stETH token of the user (0x13e38) was transferred to the attacker (0x693b7)" as a result of a phishing scam because "the attacker's account (0x693b7) was involved in several phishing scam incidents."

Read also: Are crypto whales good or bad?

Scam Sniffer specifically says that "the victim gave the token approvals to the scammer by signing 'increaseAllowance' transactions."

Robert Sasu of the MultiversX blockchain particularly emphasized the fact that the "allowance" function, which in all likelihood was exploited by the scammer, appears"seemingly non-malicious," while it allows attackers to relatively easily steal certain ERC tokens. In Solidity, the programming language commonly used to create smart contracts, this function returns the remaining token amount that the spender can withdraw from the owner’s account.

Some crypto users also pointed out the risks associated with holding such a large amount of funds at a single address.

Read also: DEA Got Duped! The Agency Lost $55k to a Common Cryptocurrency Scam

Meanwhile, cryptocurrency tracking platform MistTrack has recorded the movement of the loot. The platform’s team reports that some of the funds have already been transferred to the FixedFloat cryptocurrency exchange.

Furthermore, the scam-detecting browser extension Pocket Universe warned its X followers on Monday about the new Discord feature that allows users to hide links in any text. This functionality makes it possible to hide links to wallet drainers and exploit unsuspecting Discord users.

In the meantime, blockchain security firm CertiK warned its X (formerly Twitter) followers to avoid interactions with the website hxxps:// advertised specifically through the Session messenger. The website is used for a phishing scam that promises crypto users "an official USD Coin airdrop."

Other recently discovered phishing websites include hxxps://, which promotes a fake Toncoin airdrop, and hxxps://, which purports to redirect to an airdrop supposedly hosted by Compound Labs.

On top of that, fake token airdrops are still actively promoted by scammers. One of the phishing websites pretending to be the popular app is hxxps://