From April 12 to 21, dozens of Terra network users fell victim to a phishing attack. Crypto assets worth $4.31 million were transferred to the attacker’s address, according to SlowMist researchers.
According to the SlowMist intelligence zone, numerous users on the Terra network had their funds stolen recently.
From 4/12 to 4/21, close to $4.31 million in assets were maliciously transferred to terra1fz57nt6t3nnxel6q77wsmxxdesn7rgy0h27x3 from about 52 different addresses.
— SlowMist (@SlowMist_Team) April 21, 2022
The attacker used phishing ads on Google. According to the firm’s analysts, the plan was that users would search for well-known Terra ecosystem projects such as Anchor or Astroport.
The search results in the top lines resembled a real site. In some cases, even a correct domain name was shown, but it changed after following the link.
Our security team conducted an analysis of this incident and discovered that the bulk of this attack was from google phishing ads. Users would search well know projects on the Terra blockchain such as @anchor_protocol or @astroport_fi only to click on the first link by google. pic.twitter.com/aucIcnsCd7
— SlowMist (@SlowMist_Team) April 21, 2022
In the opened window, victims were prompted to connect their wallet and enter their seed phrase. This allowed unauthorized withdrawal of assets.
These may look like normal ads and some even show the same domain names, but once you click on the link, the domain name actually changes. When clicked, it”ll prompt you to connect your wallet, however instead of connecting, users are asked to input their seed phrase. pic.twitter.com/OZjifaJ17m
— SlowMist (@SlowMist_Team) April 21, 2022
SlowMist specialists recommended Terra users not to click on Google ads or links to dubious resources.
“This should help reduce the likelihood of becoming a phishing victim,” they emphasised.
Within ten days, funds were received by the attacker’s wallet from 54 different addresses.
The non-custodial wallet MetaMask warned users about the risks of storing data in Apple iCloud due to possible phishing attacks.