‘Haunts me to this day’ — Crypto project hacked for $4M in a hotel lobby
The co-founder of Web3 metaverse game engine “Webaverse” has revealed that they were victims of a $4 million crypto hack after encountering fraudsters posing as investors in a hotel lobby in Rome.
The bizarre aspect of the story, according to co-founder Ahad Shams, is that the crypto was stolen from a recently set up Trust Wallet and that the hack took place during the meeting at some point.
He claims that the thieves could not possibly have seen the private key, nor was he connected to a public WiFi network at the time.
The thieves somehow managed to gain access while taking a photo of the wallet’s balance, Shams believes.
The letter, which was shared on Twitter on February 7, contains statements from Webaverse and Shams, who explain that they met a man named “Mr. Safra” on 26 November after several weeks of discussions about potential funding.
“We connected with ‘Mr. Safra’ over email and video calls, and he explained that he wanted to invest in exciting Web3 companies,” explained Shams.
“He explained that he had been scammed by people in crypto before, so he collected our IDs for KYC, and made it a requirement that we fly to Rome to meet him because it was important to meet IRL to “become comfortable” with whom we all did business, he added.
While initially skeptical, Shams agreed to meet “Mr. Safra” and his “banker” in person in a hotel lobby in Rome, where Shams would show the project’s “proof of funds”, which “Mr. Safra” claimed he needed to begin the “paperwork”.
“Although we reluctantly agreed to the Trust Wallet proof, we created a new Trust Wallet account at home using a device we didn’t primarily use to interact with them. Our thinking was that without our private keys or seed phrases, the funds would be safe anyway,” Shams said.
“When we met, we sat across from these three men and transferred 4 million USDC to Trust Wallet. “Mr Safra” asked to see the balances on the Trust Wallet app and took out his phone to “take some pictures”.
Shams explained that he thought it was OK because no private keys or seed phrases were revealed to “Mr. Safra.”
But once “Mr. Safra” left the meeting room to allegedly consult his bank colleagues, he never returned. Then Shams saw the funds being drained.
“We never saw him again. Minutes later the money left the wallet.”
Almost immediately after, Shams reported the theft to a local police station in Rome and filed an Internet Crime Complaint (IC3) form with the US Federal Bureau of Investigation a few days later.
Shams said he still has no idea how “Mr. Safra” and his fraud team committed the exploit:
“The interim update from the ongoing investigations is that we are still unable to establish the attack vector with certainty. Investigators have reviewed the available evidence and engaged in lengthy interviews with the relevant individuals, but further technical information is required for them to draw conclusions with certainty.”
“Specifically, we need more information from Trust Wallet regarding activity on the wallet that was tapped to come to a technical conclusion, and we are actively pursuing them for their records. This will likely give us a better picture of how this happened,” he added .
Cointelegraph contacted Trust Wallet CEO Eowyn Chen, who said that after being in contact with the investigative team, “we have high confidence that the theft case was not caused by Trust Wallet, but likely an organized crime.”
Related: Just get phishing scammers out of the way
The Webaverse co-founder believes the exploit was carried out in a similar manner to an NFT scam story shared by NFT founder Jacob Riglin on July 21, 2021.
There, Riglin explained that he met with potential business partners in Barcelona, proved that he had sufficient funds on the laptop, and then within 30 to 40 minutes the funds were drained.
Shams has since shared the Ethereum-based transaction in which Trust Wallet was exploited, noting that the funds were quickly “split into six transactions and sent to six new addresses, none of which had any previous activity.”
The USDC value of $4 million was then almost completely converted to Ether (ETH), wrapped-Bitcoin (wBTC) and Tether (USDT) via 1inch’s exchange function.
Shams admitted that “the incident haunts me to this day” and that the $4 million exploit is “undoubtedly a setback” for Webaverse.
However, he stressed that the $4 million exploit and ongoing investigation will have no impact on the firm’s short-term commitments and plans:
“We have sufficient runway of 12-16 months based on our current forecasts and we are well on track to deliver on our plans.”