Hacker Behind Phishing Attack on Rocket Pool Transfers $10M to Tornado Cash
An incident involving a phishing attack in September 2023 has resulted in the transfer of $10 million worth of Ether (ETH) to the crypto-mixing protocol Tornado Cash. The account responsible for the attack was alerted by blockchain security firm CertiK on March 21. The funds originated from a crypto whale who fell victim to the phishing incident, losing a staggering $24 million in staked ETH on the liquid staking provider Rocket Pool.
During the attack, the hacker executed two transactions, siphoning off 9,579 stETH and 4,851 rETH from the crypto whale. The victim had unknowingly signed an "Increase Allowance" transaction, granting the hacker permission to access and spend ERC-20 tokens belonging to the victim. This feature, while useful, has raised concerns within the crypto community as it can be exploited by malicious actors deploying fraudulent smart contracts.
PeckShield, another blockchain security company, discovered that the attacker swapped the stolen assets for 13,785 ETH and 1.64 million Dai (DAI). A portion of the DAI was transferred to the FixedFloat exchange, while the majority of the pilfered funds were dispersed across various wallets.
Phishing attacks continue to pose a significant challenge for the cryptocurrency space, with Scam Sniffer's crypto phishing report revealing losses of nearly $47 million in February alone. Ethereum was the most targeted network, accounting for 78% of the thefts, and ERC-20 tokens constituted 86% of the stolen assets.
