Of all the bewildering aspects of crypto, airdrops may be the most stupefying. Airdrops are when tokens are rewarded to crypto traders for free. The value of these airdrops can be immense: In April, Bored Ape Yacht Club owners recieved a cryptocurrency airdrop worth around $100,000 for every ape NFT they owned. Airdrops that sound too good to be true are often legitimate.
But not always.
On Monday scammers made away with $8 million in bitcoin and ether after employing a successful phishing scheme. The scam centered around Uniswap, a decentralized crypto exchange where people trade altcoins like Shiba Inu and Avalanche. The scammers promised a free airdrop of 400 Uniswap tokens, worth around $2,000. A few traders took the bait — connecting their wallets to a dodgy website — and two victims sustained huge losses.
Over $6.5 million was drained from one wallet, blockchain analytics firm PeckShield told CNET. Scammers took 2,444 ether ($2.46 million) and 201 bitcoin ($3.96 million) from that wallet. The other wallet lost 834 ether ($903,000) and 39 bitcoin ($774,000). PeckShield told CNET that there are four more wallets infected by the phishing attack, but that these have yet to be drained.
As obvious as the scam may seem, it’s rooted in precedent. In 2020, Uniswap sent an airdrop of 400 $UNI tokens (now worth $2,224) to every wallet that had performed a trade on the platform. Crypto whales at numerous points in 2021 recieved airdrops worth five and even six figures.
Uniswap is a central institution of decentralized finance, or “DeFi”, as it allows punters to trade cryptocurrency through peer-to-peer technology, eschewing authority structures that manage typical exchanges like Binance and FTX. Uniswap was contacted for comment but did not immediately respond.
While crypto prices have taken a dive in recent months — bitcoin and ether are down 51% and 65% respectively over the past 6 months — scamming activity hasn’t relented. Hackers drained $1.4 million-worth of ether from an NFT lending platform on Sunday, which followed $100,000 being siphoned from NFT marketplace Quixotic at the end of June. In between those two incidents, a hacker stole around $8.8 million from Cream Finance, but eventually returned $7.1 million of that.
Monday’s scammer targetted Uniswap liquidity providers; users who earn interest by depositing cryptocurrency into Uniswap’s system. There are around 230,000 liquidity providers; the bad actors sent fake Uniswap tokens to at least 74,800 of them, according to blockchain security researcher Harry Denley. The malicious token’s name directed victims to a website where they could exchange the new tokens for other cryptocurrencies. Clicking the link on this site led to the infection and drainage of those two wallets.
Sending all those fake tokens cost the scammers $9,042 (8.5 ether), Denley said. The lost crypto was at first reported as a hack of Uniswap, whose cryptocurrency has a marketcap of $4 billion, before it was discovered to be a socially-engineered scam.