Highlight Review: GoPlus "Web3 Ghost Stories" Episode 1:
14 days of shock! What made the people of Panama finally return my stolen 20+ ETH
GoPlus "Web3 Ghost Stories" is a chat column that shares a "ghost story" of Web3 asset theft in each episode. By unraveling the details of each story, the audience can gain a deeper understanding of the evil spirits and ghosts of the Web3 world, dispel their mystery, and avoid risks like those in the story.

The tortuous experience of Brother Bao's wallet being stolen
More than a month ago, hacker A pretended to be an investment manager at a Web3 investment company. He reached Brother Bao through an introduction from a friend of Brother Bao's and expressed his intention to invest in Brother Bao's startup project. The two agreed to hold an online meeting for in-depth communication. Hacker A booked a meeting time on Brother Bao's Calendly (a commonly used Web3 meeting appointment software). However, on the day of the meeting, hacker A said that he could not enter the meeting room and gave Brother Bao a meeting link with his company's domain name, inviting him to the meeting. Brother Bao clicked on the link without thinking too much. As a Web3 veteran, Brother Bao immediately realized that the situation was not good, so he quickly disconnected from the Internet and transferred the assets in more than 40 wallets on his computer one by one, which took a total of 12 hours.
Just when Brother Bao was exhausted and thought he had defeated Hacker A, he discovered that there was still a sum of money in a DeFi protocol, but the protocol no longer allowed withdrawals. So Brother Bao entered the official Discord of the protocol to seek help, where he met Hacker B.
Hacker B saw the help message Brother Bao had sent in the group, pretended to be customer service, sent Brother Bao a DM, and stole the wallet private key in the name of helping him withdraw the money. After realizing that he had been cheated, Brother Bao immediately contacted GoPlus for help. GoPlus immediately contacted its security partner Bitrace, and with everyone's help, the operation to rescue the more than 20 stolen ETH began.
After discovering from on-chain information that the hacker had transferred the assets to an exchange, the security company immediately helped Brother Bao contact the exchange to freeze the assets, and at the same time provided the necessary information and evidence to help Brother Bao file a case with the police in multiple places. Brother Bao tried sending an email to the address provided by the exchange, informing the other party that he had obtained the police filing documents and warning them to return the funds as soon as possible. Fortunately, the other party was a token exchange service that the hacker had found, and when they learned that it was stolen money, they returned it in full.
At this point, Brother Bao successfully recovered most of the stolen assets, and the ghost story had a happy ending.
Wonderful dialogue sharing
Hacker A incident
Brother Bao: When I thought about it afterwards, I realized that this phishing attempt was aimed at me. They investigated my identity information in advance and deliberately designed the image of a Silicon Valley investor to approach my friends first, but the target was always me.
In fact, many people will encounter similar phishing. Hackers will provide you with various links for various reasons to induce you to click.
Host: We have encountered similar situations. Someone claimed to be a reporter from Coindesk and sent us a private message in the background of X, wanting to cooperate. But after all, we are in the security field and our operations staff are experienced, so we were not fooled in the end.
Isabel Shi: Web3 criminals now have very thorough preparations in advance and no longer cast a wide net like before. They will study the social networks of "big customers" such as their friend circles and set traps that only target the target objects. For example, in a case we encountered, the victim just clicked on an article about his competitors in the industry, and his tg was stolen. Then the criminals logged into his tg, contacted his company's finance department, and asked them to transfer money to a wallet. The finance department noticed something was wrong and asked for voice communication, but the criminals used AI to imitate the victim's voice and deceived the finance department again, and in the end 10 million US dollars was lost.
GoPlus Fang Tou Zai: This is terrible. Since the birth of AI, such personalized attacks have appeared in Telegram. We used to have an investor who would often communicate with me about security issues. One day he contacted me to discuss security issues again and provided me with a link to a security incident. During the communication process, he was just like usual, but in fact his tg had been stolen and the person communicating with me was a hacker.
Hacker B incident
Brother Bao: I hope everyone can remember one thing about the private key being stolen by hacker B. Afterwards, I think I would never click on this phishing link even if it happened 100 times, but I was extremely tired at the time, and the momentary crash of my brain made the situation irreversible.
Box: I think phishing is very common in Telegram groups. A while ago, a MOD in the ENA Discord group was stolen. A phishing link was sent, and one of my friends clicked on the phishing link without thinking too much, and was stolen. This is not the first MOD stolen in the cryptocurrency circle, and everyone should still pay more attention.
GoPlus Fang Tou Zai: I think the incident with Brother Bao has sounded the alarm for us, that is, these criminals have appeared in every link. They have different fishing methods in every link. I hope users can stay calm and be vigilant in every link.
Happy Ending
Isabel Shi: In fact, many victims do not have the awareness of the fort, and will not immediately find out that they have been stolen. Even if they find that they have been stolen, they do not understand the reason for the theft. Therefore, when we help users recover stolen assets, the first step is often to help them recall the reason for the theft. In addition, when communicating with local law enforcement agencies, you also need to be able to present the full picture of the incident on paper, so you must be able to restore the process of the theft and the flow path of funds. The monitoring of funds must be fast, because hackers will not let funds stay in one place for too long, they need to clean and cash out the funds as soon as possible. This is the most critical node for us to help victims intercept and recover funds. When funds enter a place that can be intercepted, we must act in time to stop the money.
So when money is stolen, the first thing for the victim is to figure out the whole story; the second is to find the local law enforcement agency, report the case and file a case as soon as possible; the third is to closely monitor the flow of their funds.
Brother Bao: There is a big difference between the FBI and domestic case filing. You only need to fill out a form and they will accept your case. There will be no situation where they will not be accepted as in China. I later reviewed it and found that this is very important. It delayed a lot of time for me to let the domestic police handle my case. The FBI case filing documents helped me to let the exchange freeze the stolen funds for 14 days. Later, I took the mainland case filing documents and froze them for a longer time. The FBI also has a special economic investigation department to handle virtual asset cases, so the FBI has the ability to solve cases. So the United States has a very complete processing capability, but their processing speed is extremely slow, so slow that my money has been recovered, and the FBI has not yet taken any substantial investigation actions.
GoPlus Fang Tou Zai: Here I want to remind everyone that Brother Bao's ability to recover assets depends a lot on luck. If the money is stolen, it is a very passive thing. Once a link is broken in the process, the money will most likely not be recovered. There are several important points. The first is to be able to obtain the link of funds and the information of the attacker, etc.; the second is to be able to obtain the FBI documents and freeze the money in the exchange account.
Side Story / Tragic Story
Information Capture: I posted a tweet some time ago, telling the story of a close friend of mine who was robbed. The protagonist is my college classmate and also a good friend in real life since I entered the circle. After graduation, he opened an e-commerce company with two friends. Unfortunately, two months ago, the company went bankrupt. The other two partners cheated him and took away the money. He took out a loan to start the company, and the last money he had was only a few hundred Solana in his wallet. He created a new wallet and put all the money in it. One morning, he found that all the money in his wallet had been stolen by hackers.
He sent me a message saying: My wallet was stolen, remember to burn paper for me next year at this time. The next day, he really jumped off the building.
Those hundreds of Solana became the last straw that broke the camel's back.
Host: After hearing this story, I feel that our "Web3 Ghost Stories" column is very meaningful. By sharing each story, we can let everyone know how to be careful about asset theft and how to save assets after theft, which may really save a life.
GoPlus Fang Tou Zai: GoPlus has helped many Web3 users, most of whom are in their 40s or 50s and don’t know much about the market. In the end, all their assets were stolen, and some of them even had their own retirement funds. In the end, they could only rely on a few credit cards to make ends meet. This is one of the reasons why we have always insisted on walking on the road of Web3 user security. I hope to help more ordinary users.