The Curious Case Of The $4M Webaverse Hack
- Posted on February 8, 2023
- News
- By Mark Otto
Raising capital in the crypto environment can bring a unique and unparalleled set of challenges. Look no further than the ever-curious case of Webaverse, a firm building a game engine and MMO (massive multiplayer online game) inspired by metaverse characteristics.
The Webaverse team took a brutal hit recently after suffering a ~$4M social engineering exploit. However, this wasn’t your ‘run of the mill’ hack – or at least, it hasn’t been presented as such. While the executional details of the hack are still very much in question, one thing is for sure: this was the result of a sophisticated ‘long game’ of social engineering backed by fake KYC info, fraudulent websites, and topped off with an in-person meeting.
Exploits Reach New Levels
These days, curious minds can’t be inquisitive enough – and due diligence just can’t be diligent enough. We covered an exploit that resulted in the theft of over a dozen Bored Ape Yacht Club NFTs just two months ago, and another recent story with similar strokes tells us that one thing is for sure: with the dollar amounts in today’s crypto landscape, hackers and exploiters are willing to go to unbelievably great lengths to scam digital assets.
December’s NFT heist featured an elaborate fake casting director who utilized a fake website, fake email domains, fake pitch decks, and more – all to build a façade of trust, and combat efforts of due diligence. The result was over $1M in immediate losses for the owner.
This ‘similar but different’ story came to light this week, first amplified by well-respected DefiLlama coder 0xngmi.
A Curious Case Of Crazy Circumstances
Linked in 0xngmi’s tweet is the official statement from the Webaverse team, a 4-page Google Doc that was drafted by the firm’s co-founder and CEO Ahad Shams. Shams detailed that in November of 2022, after weeks of dialogue with a sophisticated crew of scammers that posed as potential investors, a meeting was arranged between them in Rome.
The scammers requested ‘proof of funds,’ and Shams sought to protect himself by only exposing a screenshot of a self-custodied and independent Trust Wallet with the funds, claiming that no keys or vital account details were exposed and that the wallet was a self-created, self-controlled and self-custodied one utilized solely for this occasion.
Other incident-preventing efforts were put into place by Shams around this interaction, but in this case, the steps Shams took to protect his organization’s funds were seemingly not enough.
In all, as Shams notes, this is not a situation of a DAO or other pool of public funds rugging a user. It’s merely a company owner giving curious crypto minds information about an unfortunate circumstance that was not the result of a lack of due diligence or care. That doesn’t mean, however, that Shams didn’t make a mistake along the way.
In fact, today’s common logic would imply that we’re missing a vital piece of the puzzle here.
Trust Wallet CEO Eowyn Chen released a tweet in response on Monday. Don’t be surprised if market sleuths uncover more with due time.
Sad to hear about the Webaverse theft case. After engaging with investigation teams, we have high confidence that the theft case was NOT caused by @TrustWallet app, but likely an organized crime. Sadly there have been a few in-person OTC scams in Europe, specifically in Rome. https://t.co/KbIPjz01uB
— Eowync.eth (@EowynChen) February 6, 2023
Source: Bitcoinist.com