Cryptocurrency theft is common in the industry. Last year, almost BRL 20 billion worth of crypto was lost in such attacks. However, a hack that happened during a face-to-face meeting challenges the community’s imagination.
Ahad Shams, co-founder of Webaverse, says through a document that he lost $4 million (R$20.8 million) during a face-to-face meeting with bogus investors in Rome, Italy.
Basically, Shams was approached by a group of investors who wanted to inject money into his startup. In a conversation ahead, the scammers asked the director to meet them in Rome to show the wallet with the company’s money.
“I was looking for a fundraiser for Webaverse. I was approached by a man claiming to be a lawyer representing Joseph Safra’s grandson who was eager to invest in Webaverse.”says Ahad Shams in the document. “While we were skeptical, the email appeared to be from a legitimate looking law firm (based on their website) and they were able to provide us with KYC information (which we now understand is incorrect).”
The conversations continued, both via email and video. Shams increasingly believed in the truthfulness of the information provided by the scammers.
“He made it a requirement that we fly to Rome to meet him because it was important to meet him in order to ‘feel comfortable’ with whom each of us was doing business”continued Shams.
“He also wanted ‘proof of money’; he explained that he only had a “basic understanding” of cryptocurrencies and didn’t understand the interface of hardware wallets, but that he had used Binance’s Trust Wallet and if he could see the funds in a Trust Wallet account that we manage, would he feel comfortable.”
The meeting in Rome
Still at home, the Webaverse CEO then transferred $4 million in USDC to his newly created Trust Wallet address, believing the money would be safe.
As early as November 26, Shams reports, he and a friend of his encountered the men posing as Safra, his banker and his lawyer, in a hotel lobby in Rome. “We were ready to close the fundraising at this meeting”noted the executive.
“Safra” asked to see the balances in the Trust Wallet and pulled out his cell phone to “take some pictures”. We thought this was odd, but since no private key or seed phrase was displayed, we agreed in.said Shams.
“Mr. Safra said he was pleased and told him to leave to discuss next steps with his colleagues and we never saw him again. Minutes later the money came out of the wallet.”
The coup then came to an end. Shams lost $4 million in a face-to-face meeting with no idea how it happened, but his troubles were just beginning.
Face-to-face hack investigations
On the same day as the coup, Ahad Shams reported the theft to the Italian authorities. The next day, he also contacted the FBI to try to recover his $4 million in cryptocurrency.
“We’re still not 100% sure how this technically happened, but in short, the scammers convinced us to move funds to a new wallet (which we create and monitor) to provide ‘proof of money’.”
Finally, the director says he is concerned about the fact that he shared his personal documents with the scammers. Shams continues, highlighting his failed attempts to get clues as to how he was hacked.
“I have spoken to several research firms and law firms”says the executive. “But no one could do more than guess and they were all expensive, suggesting all sorts of options, including suing Binance and for me to take out ‘kidnapping insurance’.”
What Trust Wallet says
In a post published on Twitter, Eowyn Chen, CEO of Trust Wallet, regrets the matter. However, after investigation, it came to the conclusion that the cause of the incident was not the wallet, but external reasons.
“It is sad to hear about the Webaverse theft case. After interacting with the investigative teams, we are confident that the theft was not caused by the Trust Wallet app, but most likely by a criminal organization. Unfortunately, there have been some face-to-face scams in Europe, particularly in Rome.”
The community is doing its own research
Since the case of a personal hack is quite anomalous, the community itself is looking for answers. The most logical one so far seems to be the hypothesis of Ouriel, CEO of ZenGo, another cryptocurrency wallet.
“I went to see”says Ouriel. “It is possible to clearly access the seed phrase in Trust Wallet without additional security verification (PIN or biometrics).”
“1. Get owner’s phone number from Trust [Wallet] Open;
2. Quickly go to the security setting with one hand while picking up the other phone [para tirar a foto];
3. Done.”
I went and checked. It is possible to access the seed phrase in a ‘clear in trust’ wallet without any additional security check (PIN or biometrics).
1. Open the owner’s phone with confidence
2. Quickly go to the security setting with one hand while grabbing your other phone.
3. Done pic.twitter.com/Zsk5LSuU2a— Ouriel @ZenGo (@OurielOhayon) February 7, 2023
Therefore, if scammers follow this path, it is possible that Trust Wallet and other wallets add this extra protection mentioned by Ouriel to prevent similar scams. Until then, this case serves as a warning to other entrepreneurs.
Source: Live Coins
Barry Siefert is an accomplished journalist and author at The Nation View. He is known for his expertise in the field of cryptocurrency, and has written extensively on the topic. With a background in finance and economics, Barry has a deep understanding of the underlying technology and market forces that drive the crypto industry.
