More than $4.7M stolen in Uniswap fake token phishing attack
A sophisticated phishing campaign targeting liquidity providers (LPs) of the Uniswap v3 protocol has seen attackers make off with at least $4.7 million worth of Ethereum (ETH). However, the community is reporting the losses could be even greater.
MetaMask security researcher Harry Denley was one of the first to raise the alarm about the attack, telling his 13,000 Twitter followers on July 11 that malicious ERC-20 tokens had been sent to 73,399 addresses in an attempt to steal their assets.
The phishing attack works by sending unsuspecting users a “malicious token” called “UniswapLP” — made to appear as coming from the legitimate “Uniswap V3: Positions NFT” contract by manipulating the “From” field in the blockchain transaction explorer.
Users curious about their new tokens would be directed to a website purporting to allow them to swap their new tokens for Uniswap’s native token UNI, worth $5.34 each at the time of writing.
The website would instead send the users’ address and browser client info to the attackers’ command center, which would also attempt to drain cryptocurrency from their wallets.
A Reddit post also explaining the attack noted that the attackers had stolen native tokens (ETH), ERC-20 tokens, and NFTs (namely Uniswap LP positions) from victims.
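A detection sketch for the spoofed “From” field described above, added here as an example and not taken from the article or from Uniswap. It assumes the spoof relies on the ERC-20 `Transfer` event, whose `from` value is chosen by the emitting token contract. All addresses and receipts are constructed placeholders, and `spoofed_transfers` is a hypothetical helper name.

```python
# ERC-20 Transfer(address,address,uint256) event signature (topic 0).
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"

# Constructed placeholder addresses, not real on-chain values.
POSITIONS_NFT = "0x" + "aa" * 20   # stands in for "Uniswap V3: Positions NFT"
FAKE_TOKEN = "0x" + "bb" * 20      # stands in for the "UniswapLP" token contract
SOME_TOKEN = "0x" + "cc" * 20      # an unrelated, legitimate ERC-20
SENDER_EOA = "0x" + "dd" * 20      # account that signed the airdrop transaction
VICTIM = "0x" + "ee" * 20
TRUSTED = {POSITIONS_NFT: "Uniswap V3: Positions NFT"}
ONE = "0x" + "0" * 63 + "1"        # constructed 32-byte amount

def pad(addr):
    """Encode an address as a 32-byte indexed topic."""
    return "0x" + "0" * 24 + addr[2:]

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20."""
    return "0x" + topic[-40:].lower()

def spoofed_transfers(receipt, trusted):
    """Flag ERC-20 Transfer logs that name a trusted contract as sender although
    the transaction did not call that contract. Heuristic: without a call trace,
    an internal call through a router would also be flagged for review."""
    findings = []
    called = (receipt.get("to") or "").lower()
    for log in receipt["logs"]:
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != TRANSFER_TOPIC:
            continue  # ERC-721 Transfer has 4 topics; other events differ in topic 0
        claimed = topic_to_address(topics[1])
        emitter = log["address"].lower()
        if claimed in trusted and claimed not in (called, emitter):
            findings.append({"token": emitter, "claimed_from": trusted[claimed],
                             "signed_by": receipt["from"], "to": topic_to_address(topics[2])})
    return findings

# Constructed receipts in eth_getTransactionReceipt shape.
SPOOFED = {"from": SENDER_EOA, "to": FAKE_TOKEN, "logs": [
    {"address": FAKE_TOKEN, "topics": [TRANSFER_TOPIC, pad(POSITIONS_NFT), pad(VICTIM)], "data": ONE}]}
LEGIT = {"from": VICTIM, "to": POSITIONS_NFT, "logs": [
    {"address": SOME_TOKEN, "topics": [TRANSFER_TOPIC, pad(POSITIONS_NFT), pad(VICTIM)], "data": ONE}]}

if __name__ == "__main__":
    for name, r in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, spoofed_transfers(r, TRUSTED))
```

The check compares what the event claims with who signed and what was called, which is the information an explorer's token-transfer view leaves out.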