Webaverse team loses about $4 million in USDC after meeting with an ‘investor’

Hackers stole about $4 million in USDC from the gaming NFT project Webaverse after photographing the balance screen in a Trust Wallet during a face-to-face meeting.

full story https://t.co/vdkAHyBaG9

— 0xngmi (aggregatoor arc) (@0xngmi) February 6, 2023

According to Webaverse co-founder Ahad Shams, a man who identified himself as an investor in Web3 company contacted the team named Joseph Safra.

He said that he had already been duped by industry representatives, so he laid out a number of demands. ‘Safra’ proposed flying in to discuss investments in Rome and to confirm the project’s funds. Citing his limited familiarity with crypto wallets, he asked them to use Trust Wallet, whose interface he found familiar.

Shams, upon arriving in Rome, dined with ‘Safra’ and his ‘lawyer’. The following day there was a meeting involving a ‘banker’, at which the Webaverse team was to display its funds.

“We created a new Trust Wallet at home on a device we had not used to interact with them. We were confident that, without our private keys or seed phrases, the funds would be safe,” emphasised Shams.

He noted that around $4 million in USDC they had transferred to the wallet while seated opposite the ‘investor’. After that, ‘Safra’ asked to photograph the balance screen. According to Shams, the request raised suspicion, but there was no private information on the tab.

Having taken several photos, the attackers said they needed to step out to confer. They never returned.

Minutes later, funds disappeared from the wallet. The scammers converted the assets into ETH, wBTC and USDT via 1inch, dispersing the sum across 14 addresses.

Shams filed a police report in Rome and contacted the FBI.

He and the team remain unable to explain how the attackers gained access to the funds.

Ouriel Ohayon, CEO of ZenGo, the developer of the eponymous crypto wallet, suggested two possibilities:

• Downloading a deliberately infected release of the app;
• Handing over a smartphone with an unlocked wallet to the scammer, who only needs a barely noticeable finger movement to switch to the security settings tab containing the seed phrase.

this story makes no sense.

the only way the funds were stolen is either because they installed a malicious version or because the scammer had *physical* access to the phone and took it in hands and move the security settings and took picture of the seed without them noticing.

— Ouriel @ZenGo (@OurielOhayon) February 7, 2023

In December 2022, unknown hackers breached the BitKeep wallet and stole users’ assets worth around $8 million. The hackers embedded malicious code in the downloadable Android app file.