Recent ‘$Packy’ Token Scam on X Traced Back to IFTTT

Crypto crime is hitting the industry with a bang as Super Sushi Samurai and some unsuspecting X users become the latest victims of scams and exploits.

Cybercriminals have been busy over the past few days. Several well-known people in the crypto industry, including a16z adviser Packy McCormick, had their accounts compromised through outdated IFTTT connections and used to promote a fake meme token called “$PACKY.” Meanwhile, the GameFi project Super Sushi Samurai (SSS) suffered a big exploit because of a double-spending glitch in its smart contract, leading to a loss of $4.8 million. Additionally, $10 million in ETH tokens, linked to a phishing attack from September of 2023, were transferred to the crypto-mixing protocol Tornado Cash.

$Packy Token Fraud on X

A wave of scam posts has swept across X, raising serious concerns about the security of third-party auto-posting services like IFTTT (If This Then That). Several well-known people in the crypto industry, including a16z adviser Packy McCormick, Coinbase product director Scott Shapiro, and Twitch co-founder Justin Kan, fell victim to this scam, which promised returns on a fake meme token called “$PACKY.” The scam posts asked users to send Solana (SOL) to a specified wallet address, falsely associating these well-known and influential accounts with the fraudulent scheme.

The issue came to light on Mar. 21 when affected people started noticing malicious posts promoting the $PACKY token from their accounts. McCormick quickly alerted his followers that his account was compromised and advised against clicking any links or sending money to the provided address. He later revealed that the breach happened through IFTTT, a web service he connected to his X account almost a decade ago. This connection was exploited by the hackers to post the scam messages.

Similar incidents were reported by other high-profile individuals, including Justin Kan and Scott Shapiro, who both pointed out the risks that are associated with linking older third-party applications to social media accounts. Shapiro, in particular, warned people about the dangers of having long-forgotten connected apps with potentially outdated authentication tokens.

The scam also affected Mike Demarais, co-founder of the Web3 explorer app Rainbow; Joe McCann, founder and CEO of Asymmetric Finance; and digital pop artist Bryan Brinkman. All of the victims pointed towards their IFTTT connections as the breach point. Brinkman promised to help those who lost money due to the scam.

SSS Suffers ‘Ethical’ Hacker Exploit

Meanwhile, the GameFi project Super Sushi Samurai (SSS), which is operating on Coinbase’s Base layer-2 blockchain, became one of the many crypto projects in 2024 to experience a security breach. On Mar. 21, a self-proclaimed white hat hacker discovered a double-spending glitch in the game's system, leading to a withdrawal of $4.8 million from its liquidity pools. The loophole was identified in the project's smart contract, specifically in the _update() function, which failed to correctly update balances during transfers to oneself. As a result, a user managed to exploit this vulnerability by doubling their balance of SSS tokens 25 times through repeated self-transfers, culminating in a sale of 11.5 trillion SSS tokens for approximately 1,310 Ethereum (ETH), equivalent to around $4.59 million.
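The self-transfer flaw described above can be reproduced in a small model. This is an added example, not the SSS contract's code: the Ledger class and its method names are hypothetical, and the "read both balances before writing either" pattern is an assumed way such a bug arises. The fixed variant and the supply check show what a pre-deployment test should assert.

```python
# Added illustration: a minimal Python model of a token ledger.
# Ledger, update_buggy and update_fixed are hypothetical names.

class Ledger:
    def __init__(self, balances):
        self.balances = dict(balances)

    def total_supply(self):
        return sum(self.balances.values())

    def update_buggy(self, sender, recipient, amount):
        # Both balances are cached before either one is written (assumed pattern).
        from_bal = self.balances.get(sender, 0)
        to_bal = self.balances.get(recipient, 0)
        if from_bal < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] = from_bal - amount
        # If sender == recipient, the stale to_bal overwrites the debit above.
        self.balances[recipient] = to_bal + amount

    def update_fixed(self, sender, recipient, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        # Re-read storage for each write, so a self-transfer nets to zero.
        self.balances[sender] = self.balances.get(sender, 0) - amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount


def self_transfer_rounds(update_name, start, rounds):
    """Self-transfer the full balance `rounds` times.

    Returns (final balance, whether total supply was conserved).
    Account names and amounts are constructed sample data.
    """
    ledger = Ledger({"alice": start, "pool": 1_000})
    supply_before = ledger.total_supply()
    update = getattr(ledger, update_name)
    for _ in range(rounds):
        update("alice", "alice", ledger.balances["alice"])
    return ledger.balances["alice"], ledger.total_supply() == supply_before
```

A transfer function that cannot mint should leave total supply unchanged for every sender and recipient pair, including identical ones, which is the invariant the second return value checks.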

After the exploit, the hacker reached out to the SSS team through a blockchain message, claiming the act was a "whitehat rescue hack" and urging discussions on user reimbursement. Despite the hacker's ‘noble’ intentions, the incident caused a very dramatic collapse in the value of SSS tokens, which plummeted by more than 99%, essentially destroying the project's financial standing.

The SSS team has since acknowledged the breach and made contact with the hacker to mitigate the fallout. Interestingly, this exploit is very similar to one that happened just about a month ago, involving the ERC-X token Miner. In that case, a double-spending glitch was exploited for infinite token minting, leading to a staggering 99% crash in its value and more than $10 million in user losses.

Following the Money

Recently, an account associated with a phishing incident in September of 2023 transferred $10 million in Ether (ETH) to the crypto-mixing protocol Tornado Cash. This move, which was first spotted by the blockchain security firm CertiK on Mar. 21, involved an account tied to a $24 million hack transferring approximately 3,700 ETH to Tornado Cash. The origins of these funds trace back to a phishing attack on Sep. 6, 2023, which resulted in a loss of $24 million in staked ETH from the liquid staking provider Rocket Pool. The attack was executed through two transactions, depleting 9,579 stETH and 4,851 rETH from the investor's holdings.

The phishing scheme succeeded when the victim approved an “Increase Allowance” transaction, inadvertently granting the hacker permission to transfer ERC-20 tokens on their behalf. After the theft, PeckShield, another blockchain security company, reported that the attacker converted the stolen assets into 13,785 ETH and 1.64 million Dai (DAI), with a portion of the DAI being transferred to the FixedFloat exchange and the majority of the stolen funds moved to other wallets.
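A wallet or signing pipeline can decode a pending transaction's calldata and flag allowance grants like the one described above before the user signs. The following is an added example, not taken from any tool named in the article; the function names, the trusted-spender list and the sample calldata are constructed assumptions, while the two 4-byte selectors are the standard ERC-20 ones for approve and increaseAllowance.

```python
# Added illustration: flag ERC-20 allowance grants in raw calldata.
APPROVAL_SELECTORS = {
    "095ea7b3": "approve",            # approve(address,uint256)
    "39509351": "increaseAllowance",  # increaseAllowance(address,uint256)
}
MAX_UINT256 = 2 ** 256 - 1

# Constructed sample: increaseAllowance(<spender>, 2**256 - 1).
SAMPLE_SPENDER = "0x" + "ab" * 20
SAMPLE_CALLDATA = "0x39509351" + "00" * 12 + "ab" * 20 + "ff" * 32


def decode_approval(calldata_hex):
    """Return the decoded allowance call, or None for any other calldata."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    name = APPROVAL_SELECTORS.get(data[:8])
    if name is None or len(data) < 8 + 128:
        return None
    # Each argument is a 32-byte word; the address is its low 20 bytes.
    spender = "0x" + data[8 + 24:8 + 64]
    amount = int(data[8 + 64:8 + 128], 16)
    return {"function": name, "spender": spender, "amount": amount}


def review_approval(calldata_hex, trusted_spenders, balance):
    """Return warnings to show the user before signing."""
    call = decode_approval(calldata_hex)
    if call is None:
        return []
    trusted = {s.lower() for s in trusted_spenders}
    warnings = []
    if call["spender"] not in trusted:
        warnings.append("spender is not on the trusted list")
    if call["amount"] == MAX_UINT256:
        warnings.append("unlimited allowance")
    elif call["amount"] >= balance:
        warnings.append("allowance covers the entire balance")
    return warnings
```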

Phishing attacks continue to pester the crypto ecosystem, with Scam Sniffer’s crypto phishing report revealing that almost $47 million was lost to these scams in February alone. The report also indicated that 78% of these thefts happened on the Ethereum network.