Crypto-Sec is our bi-weekly round-up of crypto and cybersecurity stories and tips.
Phish of the week: Turbo Toad enthusiast loses $3,600
Memecoin collector and X user Tech on Ivan lost over 1 million TURBO, worth over $3,600 at the time, when he became the victim of a phishing attack, according to a post he made on July 11. “I’m completely devastated,” Ivan stated.
He lost the tokens after receiving a phishing email containing a link he subsequently clicked on. Ivan did not explain what happened after clicking the link, but he was most likely sent to a malicious web app connected to a drainer protocol.
Blockchain data shows that two separate wallet-draining transfers were conducted against him. The first drained 863,926 TURBO ($3,113.45) and sent it to an address ending in Aece. The second drained 152,458 TURBO ($549) and sent it to a known malicious address that Etherscan labels “FakePhishing 328927.”
Given that the second transfer was much smaller than the first, the “FakePhishing” address probably belongs to the drainer software developer, whereas the “Aece” address is more likely to be owned by the person who conducted the scam. Drainer software developers usually charge a small percentage of the stolen loot as payment for allowing scammers to use their service.
The user had previously called the “increase allowance” function on the Turbo contract, giving an unverified smart contract address ending in 1F78 as the “spender” and authorizing it to spend a large number of tokens. The attacker later used this malicious contract to drain the tokens.
Turbo drain authorization. (Etherscan)
Because the user had previously authorized the malicious contract, the Turbo contract recognized it as legitimate and failed to block the attack. According to his statement, Ivan did not know he was authorizing his tokens to be spent by a malicious app when he initiated this…
..
