Airdrops may be the most bewildering facet of crypto. Refering to tokens being rewarded to crypto traders that fulfill certain criteria, they often amount to free money. The amounts dropped can be immense. In April, Bored Ape Yacht Club owners received a cryptocurrency airdrop worth around $100,000 for every ape NFT they owned.
Sometimes, airdrops that sound too good to be true are actually legitimate. But not always.
On Monday, scammers made off with $8 million in bitcoin and ether after employing a phishing scheme. The scam centered on Uniswap, a decentralized crypto exchange where people trade altcoins like shiba inu and avalanche. The scammers promised a free airdrop of 400 Uniswap tokens, worth around $2,000. A few traders took the bait — connecting their wallets to a dodgy website — and two victims sustained huge losses.
Over $6.5 million was drained from one wallet, blockchain analytics firm PeckShield told CNET. Scammers took 2,444 ether ($2.46 million) and 201 bitcoin ($3.96 million) from that wallet. The other wallet lost 834 ether ($903,000) and 39 bitcoin ($774,000). PeckShield told CNET that there are four more wallets infected by the phishing attack, but that these have yet to be drained.
As obvious as the scam may seem, it’s rooted in precedent. In 2020, Uniswap sent an airdrop of 400 $UNI tokens (now worth $2,224) to every wallet that had performed a trade on the platform. Crypto whales at numerous points in 2021 received airdrops worth five and even six figures.
Uniswap is a central institution of decentralized finance, or “DeFi,” as it allows punters to trade cryptocurrency through peer-to-peer technology, eschewing authority structures that manage typical exchanges like Binance and FTX. “To be clear: there was no exploit,” the company said in a statement posted to Twitter. “The Protocol always was — and remains — secure… airdrops that direct you to unofficial domains are likely phishing attempts. We will never airdrop users without notice on multiple official channels.”
While crypto prices have taken a dive in recent months — bitcoin and ether are down 51% and 65%, respectively over the past six months — scamming activity hasn’t relented. Hackers drained $1.4 million worth of ether from an NFT lending platform on Sunday, which followed $100,000 being siphoned from NFT marketplace Quixotic at the end of June. In between those two incidents, a hacker stole around $8.8 million from Cream Finance, but eventually returned $7.1 million of that.
Monday’s scammer targeted Uniswap liquidity providers; users who earn interest by depositing cryptocurrency into Uniswap’s system. There are around 230,000 liquidity providers; the bad actors sent fake Uniswap tokens to at least 74,800 of them, according to blockchain security researcher Harry Denley. The malicious token’s name directed victims to a website where they could exchange the new tokens for other cryptocurrencies. Clicking the link on this site led to the infection and drainage of those two wallets.
Sending all those fake tokens cost the scammers $9,042 (8.5 ether), Denley said. The lost crypto was at first reported as a hack of Uniswap, whose cryptocurrency has a market cap of $4 billion, before it was discovered to be a socially engineered scam.