The co-founder of the Web3 metaverse game engine “Webaverse” has announced that he was the victim of a $4 million crypto hack after meeting scammers posing as investors in a hotel lobby in Rome.
The strange aspect of the story, according to co-founder Ahad Shams, is that crypto was stolen from the newly established Trust Wallet and the hack happened during a meeting at some point.
He claimed that the thief could not see the private key, nor was he connected to a public WiFi network at the time.
Thieves were able to gain access when taking photos of the wallet balance, believes Shams.
The letter, shared on Twitter on February 7, contains a statement from Webarverse and Shams, explaining that they met with a man named “Mr. Safra” on November 26 after several weeks of discussions about potential funding.
“We connected with “Mr. Safra” via email and video call and he explained that he wanted to invest in an exciting Web3 company,” explained Shams.
“He explained that he had been cheated by someone in crypto before and that he collected our ID for KYC, and made it a condition that we fly to Rome to meet him because it is important to meet IRL to ‘have fun’ with anyone. they do business with, ” he said.
full story https://t.co/vdkAHyBaG9
— 0xngmi (aggregate arc) (@0xngmi) February 6, 2023
While initially “skeptical,” Sham agreed to meet “Mr. Safra” and the “banker” in a hotel lobby in Rome, where he would show them “proof of funds” for the project – which Mr. Safra claimed was a requirement. start “paper”.
“Although we do not agree with the ‘proof’ of Trust Wallet, we created a new Trust Wallet account at home using a device that we do not use to interact with them. Our thinking is that without a private key or a seed phrase, the funds will be safe,” said Shams.
However, it turns out that Sham was wrong:
“When we met, we sat in front of these three people and transferred 4m USDC to Trust Wallet. “Mr. Safra” asked to see the balance in the Trust Wallet app and took out his phone to “take some pictures”.
Shams explained that he thought it was okay because no private key or seed phrase was revealed to “Mr. Safra.”
But after “Mr. Safra” took a photo and stepped out of the meeting room to ask banking colleagues, the crew disappeared and Shams saw the funds siphoned out.
“We never saw it again. Minutes later the money left the wallet.”
Soon after, Shams reported the theft to a local police station in Rome and then filed an Internet Crime Complaint (IC3) form with the US Federal Bureau of Investigation (FBI) a few days later.
Shams said he still doesn’t know how “Mr. Safra” and his fraud crew carried out their exploits:
“The interim update of the ongoing investigation is that we still cannot establish the attack vector with confidence. Investigators have reviewed the available evidence and participated in lengthy interviews with relevant people, but more technical information is needed to be able to draw conclusions with confidence.
“Specifically, we need more information from Trust Wallet about the activity in the wallet that has been weakened in order to reach technical conclusions and we are actively working on the record. This will give a better picture of what is happening,” he said.
Cointelegraph reached out to Shams and he confirmed that he was not connected to the hotel lobby WiFi when he opened his funds in the Trust Wallet.
related: Just get the phishing scammers out of the way
The founders of Webaverse believe that the exploit was carried out in a similar way to the NFT scam story shared by NFT entrepreneur Jacob Riglin on July 21, 2021.
There, Riglin explained that he met with a potential business partner in Barcelona, proved that he had enough funds on his laptop, and then in 30-40 minutes the funds were drained.
NFT Scam full story;
After responding to my previous tweets about the $90,000 scam I was involved in, I wanted to share more details about it to help warn others from becoming victims.
I was contacted by Philippe Maloof of Canbury Properties Limited. He said he had a
– Jacob (@jacobriglin) July 21, 2021
Shams began sharing Ethereum-based transactions where his Trust Wallet was exploited, stating that the funds were quickly “split into six transactions and sent to six new addresses, none of which had previous activity.”
$4 million worth of USDC was then almost entirely converted into Ether (ETH), wrapped-Bitcoin (wBTC) and Tether (USDT) via the 1inch swap address feature.
Shams admitted that “the event haunts me to this day” and that the $4 million exploit was “definitely a setback” for the Webaverse.
However, he stressed that the $4 million exploit and the pending investigation will not affect the company’s short-term commitments and plans:
“We have enough runway for 12-16 months based on current forecasts and we are on track to implement our plans.”
Cointelegraph has also reached out to Trust Wallet for comment