‘Haunts me to this day’ — Crypto project hacked for $4M in a hotel lobby
4 min read
In a shocking turn of events, the co-founder of Web3 metaverse game engine, Webaverse, revealed that they were the victims of a massive $4 million crypto hack. The incident took place during a meeting with supposed investors in a hotel lobby in Rome.
According to Ahad Shams, the co-founder, the theft was even more peculiar because it occurred from a newly established Trust Wallet.
Shams claims that the hackers couldn’t have seen the private key and that he wasn’t connected to any public WiFi network at the time. Despite these precautions, the thieves managed to gain access and steal the funds.
In a letter shared on Twitter on February 7th, Webaverse and Shams detailed the events leading up to the hack. They had been in discussions with an individual named “Mr. Safra” for several weeks about potential funding.
“Shams established a connection with ‘Mr. Safra’ through a combination of email correspondence and virtual meetings. During these interactions, Mr. Safra conveyed his eagerness to invest in the flourishing Web3 space,” reported Shams.
“He revealed that he had fallen victim to fraudsters in the crypto space before, thus the request for our identification documents for KYC purposes. He emphasized the significance of an in-person meeting in Rome, as it allowed them to build a personal connection and establish trust with those he were conducting business with,” he said.
full story https://t.co/vdkAHyBaG9
— 0xngmi (aggregatoor arc) (@0xngmi) February 6, 2023
“Initially wary, Sham decided to arrange a physical meeting with ‘Mr. Safra’ and his associate, who was referred to as the ‘banker,’ in a hotel lobby in Rome. During the meeting, ‘Mr. Safra’ planned to present the “proof of funds” to Sham as a prerequisite for starting the necessary “paperwork” for the project.”
“Despite reluctantly accepting Trust Wallet’s proof, we took proactive measures to secure our funds by setting up a new Trust Wallet account from a secondary device, ensuring that our private keys and seed phrases were not stored on the device we primarily use for interacting with the platform,” explains Shams.
However, turns out Sham he was thoroughly mistaken:
“When we met, we sat across from these three men and transferred 4m USDC into the Trust Wallet. “Mr Safra” asked to see the balances on the Trust Wallet app and took out his phone to “take some pictures”.
Shams explained that he thought it was okay because no private keys or seed phrases were revealed to “Mr. Safra.”
However, tragedy struck when “Mr. Safra” left the meeting room to consult with his banking colleagues after taking a photo. The funds were suddenly drained and Shams realized the crew had disappeared.
“We never saw him again. Minutes later the funds left the wallet.”
In response to the theft, Shams promptly reported the incident to a local police station in Rome and later followed up by submitting an Internet Crime Complaint (IC3) form to the U.S. Federal Bureau of Investigation (FBI) a few days later.
Despite the efforts, Shams remains uncertain about the details of how “Mr. Safra” and his scamming team were able to carry out the exploit.
“The interim update from the ongoing investigations is that we are still unable to confidently establish the attack vector. The investigators have reviewed available evidence and engaged in lengthy interviews with the relevant persons but further technical information is necessary for them to come to confidently establish conclusions.”
“We are seeking additional information from Trust Wallet regarding the activity on the drained wallet in order to reach a technical conclusion,” says Shams. “We are actively pursuing them for their records, as this will likely provide a clearer understanding of how the theft occurred,” he adds.
Cointelegraph contacted Shams, who confirmed that he was not connected to the hotel’s WiFi when he displayed the funds on his Trust Wallet.
The Webaverse co-founder believes that the exploit was executed in a manner similar to the NFT scam story shared by NFT entrepreneur Jacob Riglin in July 2021.
Riglin had recounted out the details of how he had met with potential business partners in Barcelona, showed them the funds on his laptop, only to have them drained within 30-40 minutes.
The complete story of the NFT scam:
After the response to my previous tweets about the $90,000 scam I was involved in, I wanted to share more details on it to help warn any others of falling victim to it.
I was contacted by a Philippe Maloof from Canbury Properties Limited. He said he had a
— Jacob (@jacobriglin) July 21, 2021
Shams has revealed the Ethereum transaction in which his Trust Wallet was hacked, showing that the funds were swiftly divided into six separate transactions and transferred to six newly created addresses with no previous activity.
The stolen USDC, valued at $4 million, was promptly converted into Ether (ETH), Wrapped-Bitcoin (wBTC), and Tether (USDT) through the swap address function of 1inch.
Shams admitted that “the event haunts me to this day” and that the $4 million exploit is “undoubtedly a setback” for Webaverse.
However, he stressed that the $4 million exploit and pending investigation will have no impact on the firm’s short term commitments and plans:
“We have sufficient runway of 12-16 months based on our current forecasts and we are well underway to deliver on our plans.”
Cointelegraph has also contacted Trust Wallet for comment
