The curious case of the $4 million Webaverse hack

Raising capital in the crypto environment can present a unique and unprecedented set of challenges. Look no further than the ever-curious case of Webaverse, a company developing a game engine and MMO (Massive Multiplayer Online Game) inspired by Metaverse properties.

The Webaverse team recently suffered a brutal blow after suffering a roughly $4 million social engineering exploit. However, this wasn’t your usual hack – or at least it wasn’t presented as such. While the execution details of the hack are still highly questionable, one thing is certain: this was the result of an elaborate “long game” of social engineering, aided by fake KYC information, fraudulent websites and topped with an in-person meeting.

Exploits reach new levels

Curious people can’t be curious enough these days – and due diligence can’t be diligent enough. We reported on an exploit that led to the theft of over a dozen Bored Ape Yacht Club NFTs just two months ago, and another recent story with similar strokes tells us that one thing is for sure: with the dollar amounts in today’s crypto Landscape, hackers and exploiters are willing to make incredible efforts to cheat digital assets.

December’s NFT heist featured an elaborate fake casting director using a fake website, fake email domains, fake pitch decks, and more — all to build a facade of trust and combat due diligence efforts. The result was over $1 million in immediate losses to the owner.

This “similar but different” story came to light this week, first boosted by respected DefiLlama programmer 0xngmi.

The Webaverse hack has curious minds wondering how keys to a wallet containing around $4 million in stablecoins were stolen. The primary stablecoin, USDT, has seen less dominance as some users have switched to non-stablecoin assets. | Source: CRYPTOCAP:USDT on TradingView.com

A strange case of crazy circumstances

0xngmi’s tweet links to the Webaverse team’s official statement, a 4-page Google doc designed by the company’s co-founder and CEO, Ahad Shams. Shams explained that after weeks of dialogue with a sophisticated crew of scammers posing as potential investors, a meeting was arranged between them in Rome in November 2022.

The scammers demanded “proof of funds” and Shams tried to protect himself by only posting a screenshot of a self-custodial and independent trust wallet containing the funds, claiming that no keys or key account details were disclosed and that the wallet was own wallet traded -created, self-directed and self-managed device used only for this occasion.

Around this interaction, other incident prevention measures were taken by Shams, but in this case the steps Shams took to protect his organization’s funds did not appear to have been sufficient.

All in all, as Shams notes, this is not a situation where a DAO or other pool of public funds is tricking a user. It is merely a company owned company that is providing curious crypto minds with information about an unfortunate circumstance that is not due to a lack of care or diligence. But that doesn’t mean Shams didn’t make a mistake.

Indeed, current logic would imply that we are missing a crucial piece of the puzzle here.

Trust Wallet CEO Eowyn Chen posted a tweet in response Monday. Don’t be surprised if market sleuths discover more over time.

Source: bitcoinist.com