Scammer Gets Hacked after Stealing $3.4 Million

Following successful phishing attacks, the malicious actor lost stolen ETH during a front-running sandwich attack.

SlowMist has detected two recently surfaced phishing scams: one involving a small verification transaction and another specifically targeting influencers.

Today, cybersecurity firm PeckShield detected unusual on-chain activity. First, a phishing scammer stole nearly $3.4 million in cryptocurrencies and then fell victim to a hacker while swapping ETH.


The sandwich attack is a form of front-running that targets decentralized finance protocols and services. A malicious trader watches the network for pending transactions. Just before a user's intended transaction executes, the attacker places one order to precede the trade and another to follow it closely. Together, these front-running and back-running orders sandwich the original pending transaction, allowing the attacker to manipulate asset prices.

Transaction details
Source: SlowMist, X

Next, the malicious actor acquires the asset that the unsuspecting user intends to swap to, anticipating an increase in value. By exploiting the knowledge about the expected growth in the value of a cryptocurrency, the attacker can secure coins at a lower price, while the victim will be purchasing the currency at an artificially inflated value.

After setting such a trap, the attacker proceeds to sell the cryptocurrency at the elevated price point, whereas the attack victim ends up receiving a reduced amount of cryptocurrency due to the price manipulation.
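The price effect described above can be reproduced on a toy constant-product pool. This is an added example, not code from PeckShield, SlowMist or this article's sources; the reserves, trade sizes, 0.3% fee and the `sandwiched_swap` helper are constructed assumptions. It shows how a minimum-output (slippage) limit on the victim's swap makes the sandwiched transaction revert instead of filling at the manipulated price.

```python
# Constructed toy pool: constant-product AMM (x * y = k) with a 0.3% fee.
# Reserves and trade sizes are made-up whole units, not data from the incident.
FEE_NUM, FEE_DEN = 997, 1000

class MinOutNotMet(Exception):
    """Raised when a swap would return less than the trader's minimum."""

def quote(amount_in, reserve_in, reserve_out):
    """Output amount for a swap against the given reserves (integer math)."""
    after_fee = amount_in * FEE_NUM
    return (after_fee * reserve_out) // (reserve_in * FEE_DEN + after_fee)

def swap(pool, token_in, amount_in, min_out=0):
    """Swap against pool {'ETH': r, 'TOKEN': r}; reverts if output < min_out."""
    token_out = "TOKEN" if token_in == "ETH" else "ETH"
    out = quote(amount_in, pool[token_in], pool[token_out])
    if out < min_out:
        raise MinOutNotMet(f"would receive {out}, minimum is {min_out}")
    pool[token_in] += amount_in
    pool[token_out] -= out
    return out

def sandwiched_swap(victim_in, front_run_in, slippage_bps):
    """Replay a victim's ETH->TOKEN swap with a same-direction trade ahead of it.

    Returns (quoted_out, received_out_or_None, front_runner_profit_in_eth).
    """
    pool = {"ETH": 1_000, "TOKEN": 2_000_000}
    quoted = quote(victim_in, pool["ETH"], pool["TOKEN"])
    # The victim's protection: refuse anything below quote minus tolerance.
    min_out = quoted * (10_000 - slippage_bps) // 10_000
    bought = swap(pool, "ETH", front_run_in)       # order placed before the victim
    try:
        received = swap(pool, "ETH", victim_in, min_out)
    except MinOutNotMet:
        received = None                            # victim's swap reverts, pool untouched
    eth_back = swap(pool, "TOKEN", bought)         # order placed after the victim
    return quoted, received, eth_back - front_run_in

if __name__ == "__main__":
    for bps in (1_000, 50):                        # 10% vs 0.5% slippage tolerance
        print(bps, sandwiched_swap(100, 50, bps))
```

With a 10% tolerance the victim fills roughly 9% below the quote; with 0.5% the swap reverts and the front-runner is left paying fees on both of its own trades.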


New Telegram phishing scam

While PeckShield has not disclosed specific details about the phishing scam, another Web3 security team, SlowMist, has issued a warning regarding a new phishing technique using URLs disguised as legitimate transfer addresses.

"Scammers on chat apps like Telegram are now using a sly method to steal your funds. They trick users into transferring small amounts, like 0.1 USDT, to a 'public chain' address," the team cautioned the X community today, emphasizing that inputting such an address can allow scammers to steal the entire funds stored in a user's account.

In a more comprehensive explanation on its Medium blog, SlowMist detailed how the scam begins with off-exchange transactions. Scammers induce victims to transfer a nominal amount, like 0.1 USDT, claiming it is a precaution to verify that their address is safe. The trap is set when the scammer provides a "public chain" address, insisting it must be entered into the wallet browser for the transaction to proceed. Unfortunately, this seemingly logical and harmless action can lead to substantial financial losses.

According to SlowMist, engaging with the address triggers the signing of an increaseApproval. "Once the user clicks Confirm, their tokens can be stolen by the scammer using the transferFrom method," SlowMist further explains in the blog post.
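The gap between the 0.1 USDT transfer the victim expects and the allowance call they are actually asked to confirm is visible in the transaction calldata. The following is an added example, not SlowMist's code: it decodes an ERC-20 call and accepts it only if it is the expected plain transfer. The address, the allowance amount and the helper names (`decode_token_call`, `safe_to_sign`, `encode_call`) are constructed assumptions.

```python
# Function selectors: first 4 bytes of keccak256 of the function signature.
# The second field marks calls that let the counterparty use transferFrom later.
SELECTORS = {
    "a9059cbb": ("transfer(address,uint256)", False),
    "095ea7b3": ("approve(address,uint256)", True),
    "d73dd623": ("increaseApproval(address,uint256)", True),
    "39509351": ("increaseAllowance(address,uint256)", True),
}

def decode_token_call(calldata_hex):
    """Decode a two-argument (address, uint256) token call from hex calldata."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    if len(data) != 8 + 64 + 64:
        raise ValueError("not a single (address,uint256) call")
    selector, addr_word, amount_word = data[:8], data[8:72], data[72:136]
    if selector not in SELECTORS:
        raise ValueError(f"unknown selector 0x{selector}")
    signature, grants_allowance = SELECTORS[selector]
    return {
        "function": signature,
        "counterparty": "0x" + addr_word[24:],  # address is right-aligned in 32 bytes
        "amount": int(amount_word, 16),
        "grants_allowance": grants_allowance,
    }

def safe_to_sign(calldata_hex, expected_to, expected_amount):
    """True only if the call is exactly the plain transfer the user intended."""
    try:
        call = decode_token_call(calldata_hex)
    except ValueError:
        return False                            # unknown or malformed: do not sign
    return (not call["grants_allowance"]
            and call["counterparty"] == expected_to.lower()
            and call["amount"] == expected_amount)

def encode_call(selector, address, amount):
    """Build constructed calldata for the samples below."""
    return "0x" + selector + address[2:].lower().rjust(64, "0") + format(amount, "064x")

# Constructed samples. USDT uses 6 decimals, so 0.1 USDT is 100000 units.
COUNTERPARTY = "0x" + "ab" * 20                              # made-up address
EXPECTED = encode_call("a9059cbb", COUNTERPARTY, 100_000)    # what the user thinks they sign
PRESENTED = encode_call("d73dd623", COUNTERPARTY, 2**256 - 1)  # allowance call; amount assumed
```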

New scam: fake journalist phishing attacks

In addition to the aforementioned phishing scam, SlowMist has recently uncovered a new phishing scam involving fake journalists. The reported incidents indicate that this phishing scam specifically targets users for account and funds theft.

Perpetrators, masquerading as journalists from reputable news agencies, initiate contact with Key Opinion Leaders (KOLs) under the guise of arranging interviews. SlowMist underscores the considerable persuasiveness of these malicious actors in their efforts to establish trust with their victims. For example, the attacker may create the illusion of being a part of the same community by sharing many mutual followers on X with the victim.

SlowMist further explains that to enhance this impression, the attacker goes as far as scheduling an interview and guiding the victim to join on Telegram, even providing an interview outline.

Following the interview, the scammer urges the victim to fill out what appears to be a harmless form. The malicious actor asserts that dragging a misleading "Verify" button to the bookmark bar is an essential verification step to prevent impersonation.

"Once a user opens the bookmark containing the malicious JavaScript script on the page, the malicious code is designed to deceive and steal the user’s password (i.e.,’s 2FA), as well as the tokens associated with the embedded wallet Privy used by the account," SlowMist states, stressing that "both the user’s account and the related funds are at risk of being stolen."

SlowMist emphasizes the seriousness of this attack, highlighting the potential theft of the private key plaintext. This risk occurs "if your independent password, for example, the 2FA for, is stolen, and you have configured information related to and its embedded wallet Privy (including other pertinent details in localStorage)."