Scammers steal $4 million in crypto during face-to-face meeting

Ahad Shams, the co-founder of Web3 metaverse gaming engine startup Webaverse, discovered in late November 2022 that someone had stolen $4 million of his cryptocurrency – during a real world interaction. Stolen crypto isn't unusual: billions of digi-dollars were stolen last year, some by crime gangs or nations like North Korea …

  1. Pascal Monett Silver badge
    Thumb Down

    Whereas, in real life . . .

    You want proof of funds ? I can provide you with a printout of my bank account balance.

    I can even give you my IBAN number, for all the good it will do you.

    If that is not enough, I can point you to my bank, where you can phone and ask questions yourself. But you won't be getting a cent either before, during or after the meeting. Not unless I actually transfer money to you, and why would I do that ?

    Only in the funny-money universe can you feel obliged to actually give someone you don't know your own money just to prove that you have it.

    1. Jim Mitchell

      Re: Whereas, in real life . . .

      If the article is correct, the victim did not give anyone any money. They showed them the "bank account" page with the balance on it, which was somehow enough information to initiate a transfer out.

      1. Mike 137 Silver badge

        Re: Whereas, in real life . . .

        This is why, in high value business transactions, escrow accounts get used by the wise.

        1. Andy The Hat Silver badge

          Re: Whereas, in real life . . .

          Didn't need to be Escrow as *no funds were apparently moved beyond the control of the owner*.

          The question is only how the scammers gained control of the wallet. It seems that everything was done correctly but the scammers were always one step ahead ... which, to be honest, is the sign of a very good scammer.

          1. Black Label1
            Black Helicopters

            Re: Whereas, in real life . . .

            Probably luring the victim to Rome, to a certain hotel, cloning his/her hotel room key, or the rfid, or bribing the cleaning lady...

            Then, using old-fashioned spying micro cameras or malware, they got the images of the seed phrases necessary to make the transfer of funds to happen.

            Better to have camera detectors before conducting cryptocurrency transactions, plus a fresh and clean PC / Macbook.

            1. waldo kitty
              Boffin

              Re: Whereas, in real life . . .

              Probably luring the victim to Rome, to a certain hotel, cloning his/her hotel room key, or the rfid, or bribing the cleaning lady...

              Then, using old-fashioned spying micro cameras or malware, they got the images of the seed phrases necessary to make the transfer of funds to happen.

              Better to have camera detectors before conducting cryptocurrency transactions, plus a fresh and clean PC / Macbook.

              according to the article, Shams created the new Trust Wallet while still *at home* before the meeting using a "device that Webaverse didn't typically use"... my understanding is also that the hotel lobby was just a convenient public place to meet... Shams wasn't staying there...

              the article does not say what the "device that Webaverse didn't typically use" was... that makes me wonder if the device was maybe intercepted in-transit and replaced with a modified one before Shams received it... i also wonder about possible wifi traffic interception to/from the device where the thieves recorded and decoded the traffic and/or maybe stole some session token(s)...

              granted, there's not a lot of detail given which is also understandable... we (TINW) don't really want the thieves knowing that their process has been cracked before they are run down... hopefully Shams or someone with him had the wherewithal to get some video/pics and voice recordings of the people they met with...

              anyway, those are my initial thoughts during 1st c0ffee of the day...

              1. Roland6 Silver badge

                Re: Whereas, in real life . . .

                I suggest a key part of this is having the wallet open. Would not be surprised if there was a NFC/Bluetooth exploit. The other out-of-band exploit would be to assume the local cell had been compromised and the bringing together of the two phones into close proximity facilitated identification etc.

                The other interesting thing is the request to use a Trust Wallet, i.e. a specific wallet, so there might be an insider involved...

          2. sketharaman

            Re: Whereas, in real life . . .

            It's "beyond the control of the owner" only according to the owner who realized he'd lost control shortly thereafter:)

    2. Anonymous Coward
      Anonymous Coward

      Re: Whereas, in real life . . .

      Plenty of people fall prey to fiat scams involving them logging into their bank accounts while a scammer watches, most commonly in the refund scam. In fact, it would be easier to provide secure proof of funds with a blockchain currency because you can simply give your address and transfer a tiny amount from that wallet into a designated one (absolutely no need to transfer the entire balance) in a way that's far harder to fake than a balance sheet. The balance is publicly viewable and the small transfer demonstrates control.
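The proof-of-funds check described in the comment above, seen from the verifier's side, as an added example that is not part of the thread. It goes slightly beyond the comment by having the verifier choose the transfer amount and a time window, so an old transaction cannot be reused; the ledger, addresses and all names here are constructed sample data and hypothetical helpers.

```python
"""Added example: verifier-side check for a small-transfer proof of funds.

The verifier reads the public ledger itself and never looks at the
prover's wallet screen. Ledger entries and addresses are constructed
sample data; the balance model is simplified (no fees)."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    sender: str
    recipient: str
    amount: int     # smallest currency unit
    timestamp: int  # block time, seconds


@dataclass(frozen=True)
class Challenge:
    claimed_address: str     # address the prover says holds the funds
    designated_address: str  # address the verifier asked to be paid
    amount: int              # exact amount the verifier asked for
    issued_at: int
    expires_at: int


def new_challenge(claimed, designated, now, ttl=3600):
    """Pick an unpredictable small amount so a past transfer cannot match."""
    amount = 10_000 + secrets.randbelow(90_000)
    return Challenge(claimed, designated, amount, now, now + ttl)


def balance(ledger, address):
    """Balance of an address as anyone can compute it from the public ledger."""
    total = 0
    for tx in ledger:
        if tx.recipient == address:
            total += tx.amount
        if tx.sender == address:
            total -= tx.amount
    return total


def verify_proof(ledger, ch, txid, required_balance):
    """Return (ok, reason). Control is shown by the transfer, funds by the balance."""
    tx = next((t for t in ledger if t.txid == txid), None)
    if tx is None:
        return False, "transaction not found on ledger"
    if tx.sender != ch.claimed_address:
        return False, "sent from a different address"
    if tx.recipient != ch.designated_address:
        return False, "sent to a different address"
    if tx.amount != ch.amount:
        return False, "amount does not match the challenge"
    if not (ch.issued_at <= tx.timestamp <= ch.expires_at):
        return False, "outside the challenge window"
    if balance(ledger, ch.claimed_address) < required_balance:
        return False, "balance below the claimed amount"
    return True, "ok"


def sample_ledger():
    """Constructed ledger: one valid proof, one stale transfer, one impostor."""
    return [
        Tx("t0", "funding", "alice", 4_000_000, 100),
        Tx("t2", "alice", "verifier", 31_337, 50),      # predates the challenge
        Tx("t1", "alice", "verifier", 31_337, 1_050),   # answers the challenge
        Tx("t3", "mallory", "verifier", 31_337, 1_060), # right amount, wrong sender
    ]


SAMPLE_CHALLENGE = Challenge("alice", "verifier", 31_337, 1_000, 4_600)

if __name__ == "__main__":
    for txid in ("t1", "t2", "t3", "missing"):
        print(txid, verify_proof(sample_ledger(), SAMPLE_CHALLENGE, txid, 3_000_000))
```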

    3. The Man Who Fell To Earth Silver badge
      WTF?

      Re: Whereas, in real life . . .

      I have been involved in a number of startups, three with successful exits (1 IPO, 2 acquisitions). While raising funds, I have never had a prospective investor ask for proof I already had money. Never. For B & later rounds, any new investors could talk to the existing investors (& often needed to be approved by the existing investors). For A-round investors, the whole point of getting investment is because you don't have the resources to boot strap the company. (Although in one case, we did boot strap the company and never needed outside investment.) If some prospective investor wanted to see our bank account, we'd have told them to take a hike.

    4. An_Old_Dog Silver badge

      Proof of Funds

      WTF? For what sane, non-scam reason would a potential investor be required to show "proof of funds"?

      If a potential investor says, "I will deposit one meeelyun Euros into your fund", and does not do so, then that potential investor will not receive interest on that (non-existent) investment, and everything is fine and fair.

      1. Andy the ex-Brit

        Re: Proof of Funds

        This doesn't seem terribly uncommon, even for an investment as pedestrian as starting a Dunkin Donuts franchise.

        https://www.dunkinfranchising.com/faq/#startup_cost

        1. An_Old_Dog Silver badge

          Re: Proof of Funds

          A franchise is majorly different from a stock- or hedge-fund investment!

      2. Anonymous Coward
        Anonymous Coward

        Re: Proof of Funds

        It wasn't the investor that was showing proof of funds, but the investee?

        How did that conversation go? "Yes, I want to invest in your company! But before I do, show me your company has $4 million in crypto by transferring it all to a new wallet and then showing me the balance?"

        Like WTF? Honestly, they deserved to get scammed, by going along with something so insane and dodgy sounding.

        1. doublelayer Silver badge

          Re: Proof of Funds

          The part where they had to prove crypto was a bit weird, but proof of funds in general is less weird. Startups aren't filing public statements about internal information, and they're things that need more diligence when you're going to invest in them, because scams are a lot easier and failure much more likely. As such, if a company claims to have a bunch of money available but it also wants yours, it's reasonable to check that they have the money, for the same reason that it's reasonable to check that they have the level of technology they claim to have. Doing that by showing a crypto wallet on a screen, a UI that is easy to fake, is the weird part of this.

          1. MachDiamond Silver badge

            Re: Proof of Funds

            I'd prefer a certified audit of the books from a known accounting firm. There are lots of ways to show a large balance in an account, but much more difficult to fool good auditors that know most of those tricks.

      3. M.V. Lipvig Silver badge
        Pirate

        Re: Proof of Funds

        I can see it, because a new investor would want to make sure he wasn't the only one investing money. If I was a scammer going after an investor, I'd talk about how we have X investors and Y money, but we still need Z money to start production. Investor deposits Z money, I retire to a nice tropical island because Z money is now ME money, matey. Arrr, arrr, arrr.

  2. Version 1.0 Silver badge
    Unhappy

    Who loves cryptocurrency?

    Cryptocurrency has just become criminal financing in recent years - I thought it was a great idea when cryptocurrency first appeared but it seems that a huge amount of criminals also thought the same thing. I've quit cryptocurrency 100% now to avoid the risks that this story describes - returning to checks, bank-transfers and credit cards is depressing but much safer and nowhere near as expensive as $4 million these days.

    1. AndrueC Silver badge
      Meh

      Re: Who loves cryptocurrency?

      returning to checks, bank-transfers and credit cards is depressing

      Is anyone still writing (sic)checks? I last saw my cheque book many years ago when I burnt it along with other old documents in a bonfire. I think in the 40 years that I've had a bank account I've only ever written a dozen cheques and none in the last 30 years.

      1. Andy The Hat Silver badge

        Re: Who loves cryptocurrency?

        yes

      2. Anonymous Coward
        Anonymous Coward

        Yes, indeed. On average about two cheques a month. When I was working in the USA I even wrote a few checks as well.

      3. cookieMonster Silver badge

        Re: Who loves cryptocurrency?

        In the supermarket on Saturday, bloke paying by cheque. I felt I was back in 1980.

        1. Version 1.0 Silver badge
          Happy

          Re: Who loves cryptocurrency?

          That's great - 1980 had everyone worshiping David Bowie so some great memories of the days back then!

          Money with excited criminals has been around for more than a thousand years now, but originally it was not as common as the events that we see these days. Highwaymen have not been seen since the late 19th century but now emailwaymen are back in the world.

        2. grandours
          Coat

          Re: Who loves cryptocurrency?

          Two ways to know someone at the supermarket checkout is really old:

          1) They pay by cheque

          2) They spend more than 5 seconds fishing through their change purse or wallet to pay in cash

          The one trying to remember which pocket his cheque book is in...

          1. KimJongDeux

            Re: Who loves cryptocurrency?

            Do they get scammed though?

            1. Cliffwilliams44 Silver badge

              Re: Who loves cryptocurrency?

              Everything you need to drain your bank account is printed on a check.

            2. Roland6 Silver badge

              Re: Who loves cryptocurrency?

              Well...

              The car park at my local cinema and restaurant venue charges 20p for 6pm-8am. You can pay in cash or by app. It amuses me how many people pay by app - there is a £2 admin fee.

              1. John Brown (no body) Silver badge
                Unhappy

                Re: Who loves cryptocurrency?

                Worse, I parked at a university last year and they ONLY have pay by phone and pay by app. BOTH have a surcharge so it's actually impossible to pay the advertised parking charge without paying one or other (different!) surcharges. I'm sure they must be breaking some law or other with that.

        3. Dan 55 Silver badge
          Windows

          Re: Who loves cryptocurrency?

          I think I did that when I was a student or in my first job or something at the end of the month. I had no money in my account so couldn't pay with my debit card, but the cheque guarantee card (the same physical thing as the debit card) guaranteed the cheque, but as they took five working days to clear you knew you'd have the money in your account by then.

      4. fidodogbreath

        Re: Who loves cryptocurrency?

        Is anyone still writing (sic)checks?

        Not if it can be avoided, but sometimes it can't. In our US state, some local taxing authorities still only take payments by paper check -- and if we want it credited properly (which we do), we also have to include the tear-off coupon from the bottom of the paper bill when we send our payment by snail mail. (This also means we still have to have postage stamps...)

        Wait, there's more. Seemingly every criminal in the US has keys to the postal drop boxes now, so we also have to drive to the post office and physically carry the envelope inside the building to mail it if we don't want to risk having the payment stolen (which we don't). Note: the linked article is from three years ago; the problem has gotten worse since then.

        The above is not satire. This is something that we still have to do in the year of our Lord 2023, in {Jeremy Clarkson voice, although he would never say this about the US} "the greatest country...in the woooorld" -- at least for certain agencies that remain deeply stuck in the 1970s.

        Also, many of the small contractors that we've hired to do work on our house don't take credit cards because of the transaction fees; nor do they use Venmo and its ilk, I suppose out of concern for being scammed or ripped off. So, checks for them as well.

        1. AndrueC Silver badge
          Facepalm

          Re: Who loves cryptocurrency?

          Not if it can be avoided, but sometimes it can't. In our US state, some local taxing authorities

          JFC...

          Have they not heard of Direct Debit (or whatever you guys call it). I think the only bill I've ever paid differently was my Credit Card back in the day when I'd sometimes settle that at the bank. But once I got a decent salary and savings built up even that switched to DD. Admittedly that's perhaps a little unusual but even if I wasn't paying it off in full every month I'd be paying by DD.

          The idea of actually having to do something to settle a bill is weird.

          Local traders here provide an invoice and you settle with online banking. Although some (eg; my physiotherapist and taxi drivers) also have card readers you can settle that way instead.

          1. KimJongDeux

            Re: Who loves cryptocurrency?

            If it sounds sensible giving someone your bank details and authority to charge an account in which you routinely keep money, then knock yourself out. I used them for a decade or so before realising that the beneficiaries were either dead easy to hack or took actual liberties.

        2. Jim Mitchell

          Re: Who loves cryptocurrency?

          Eh, some "small contractors" prefer non-electronic payments (cash, checks made out to "cash") because that method allows them to evade taxes.

        3. MachDiamond Silver badge

          Re: Who loves cryptocurrency?

          "Seemingly every criminal in the US has keys to the postal drop boxes now, so we also have to drive to the post office and physically carry the envelope inside the building to mail it"

          No problem there for me. I have all mail and shipments go to the post office. I'm at the post office a couple of times a week as nothing goes to the house. Too many two-legged rats around and I still do some journalism work time and again. I don't want anything at the house if I'm going to be gone for a couple of days on short notice. My SatNav has most of the post offices in the area programmed in. I saved them since the software also shows postal buildings with no public service. If I've sold something on eBay and I'm also going to be out for the day doing field service work, I might drop the package off in another town. It's really a matter of having a system to combine trips and make sure things get done. For things like property tax, I go in-person and combine that with some shopping since I'm rarely in that city. I want to leave the window with an official receipt of payment and be able to make sure it has been credited to my property. To do it online is a bizarre back and forth between websites as the government outsources everything. I worry that the process will get corrupted somewhere and I'll be delivered a notice that I owe 6-7x the value of the property in penalties and fees that I need to pay within 14 days or they'll seize and auction the house. Could I fight? Sure, just post the money they say is owed and be patient for a couple of years. These things take time.

      5. Kernel

        Re: Who loves cryptocurrency?

        "Is anyone still writing (sic)checks? "

        Cheques or checks - either way of spelling it, no such animal has existed in the New Zealand banking system for the best part of two years.

        1. MachDiamond Silver badge

          Re: Who loves cryptocurrency?

          "no such animal has existed in the New Zealand banking system for the best part of two years."

          Nobody was allowed out of their homes much either, were they?

      6. tiggity Silver badge

        Re: Who loves cryptocurrency?

        Yes.

        Pay a few things via post using cheques (generally invoices which are sporadic & variable amount & need me to double check* them before payment and so not really suitable for direct debit being set up) as I don't do online / phone banking & all the bank branches are shut down near me so difficult to go in and arrange a transfer (and banks don't like opening at weekends either so screwed when working Mon - Fri)

        * pun intended

      7. Sherrie Ludwig

        Re: Who loves cryptocurrency?

        Is anyone still writing (sic)checks? Yes. I write at least two every month to utilities and receive them from customers. My bank does not charge me to process them or write them, there is no transaction fee going to a third party like with a debit or credit card. There is a risk accepting a check that the funds will not be sufficient, but in thirty years of business, I have only been stiffed once.

      8. M.V. Lipvig Silver badge

        Re: Who loves cryptocurrency?

        Every time I deal with the government, who wants to charge a 3 percent convenience fee to use a card. I also use a check when paying medical bills, because I don't trust them to not slap on thousands rather than deal with my medical insurance provider. Any time I want to send money to the kids. The written check may not be what it once was, but there are still valid uses for it.

      9. MachDiamond Silver badge

        Re: Who loves cryptocurrency?

        "Is anyone still writing (sic)checks? "

        It's not a bad practice to sit down with paper bills and write out paper checks. It burns into the mind where all of the money is going. It's too easy to kill your bank account by a thousand cuts if you just whip out the plastic for lots of little things. I also give myself a budget when I'm out and about by putting cash in my pocket so when it's gone, that's it for the day. I have to stop and think if buying a packet of crisps is going to leave me short to go out for lunch even if I only have water to drink. Obviously, I wasn't making my house payments with cash when I had them. I needed to always make sure I had a good paper trail for that. Same for utilities.

    2. vcragain

      Re: Who loves cryptocurrency?

      And most people remained skeptical about the whole crypto business from day one, simply because it was obvious it would be used by crooks hiding their money transfers, and since it had so much secrecy involved how would any little guy know who to trust ? So while I had always been fascinated by the whole thing, it screamed ILLEGALITY to me !

  3. Natalie Gritpants Jr

    They're not raising any money from me

    1. Chris Evans

      Nor me. But..

      I don't know if his business is a good long term investment prospect but I applaud his openness. It doesn't sound like he did anything risky so I wouldn't hold that against him if I was considering investing.

  4. localgeek

    NFC?

    Is it possible that some kind of NFC vulnerability was exploited? If the thief had to get close enough to take photos of a small screen, would that be close enough?

    1. Blazde Silver badge

      Re: NFC?

      Someone should go over the Trusted Wallet app with a fine-toothed comb. Could be some kind of NFC vulnerability, or I was thinking a backdoor inserted that leaks the private key bits via the display?

      1. Anonymous Coward
        Anonymous Coward

        Re: NFC?

        Wow that would be super sneaky... like use two very subtly different fonts, and pass one bit of the private key per character displayed based on which font it uses, that can be decoded in a screenshot. The perils of trusting closed source software, like... Trust wallet.

      2. MachDiamond Silver badge

        Re: NFC?

        If instead of taking a photo of a display, a video was made, a screen of details that only flashes very briefly could be extracted from the video while not looking like anything more than a small glitch on the display.

    2. zuckzuckgo Silver badge

      Re: NFC?

      Since they insisted on a new account, created on the spot, it could also be some kind of man-in-the middle attack using the local wifi.

      1. The Oncoming Scorn Silver badge
        Coat

        Re: NFC?

        from the story, he created this at home on a private device, prior to the meeting.

        Icon - Wheres me f**king (crypto) wallet?

        1. zuckzuckgo Silver badge

          Re: NFC?

          I missed that. Thanks for pointing it out.

          A man-in-the-middle ploy might still be able to intercept the current security token, which combined with the picture, might get them access. The location could have been chosen (who chose it?) for its bad cell reception and the ability to set up a rogue hot spot. Obviously not a good idea to rely on restaurant WiFi but there was a security failure somewhere.

          I don't know if NFC or Bluetooth are more likely but the criminals risked meeting in person so proximity and/or location were key.

          1. M.V. Lipvig Silver badge

            Re: NFC?

            It could also be a red herring. For a target worth 4 million, it would be worthwhile breaking into his house and office to load a keylogger and remote terminal access, then set up a meeting where you take a picture and the money's gone. Now you have the whole world trying to figure out how someone stole 4 million with a photograph while you remote into his computers and remove the keyloggers.

            1. MachDiamond Silver badge

              Re: NFC?

              "It could also be a red herring. For a target worth 4 million, it would be worthwhile breaking into his house and office to load a keylogger and remote terminal access,"

              It would be worth a pretty good investment to return 4mn. One could employ all sorts of tactics and experts. Some of the biggest heists have been pulled off by syndicates that have the resources to put into them.

      2. jollyboyspecial

        Re: NFC?

        "Since they insisted on a new account, created on the spot, it could also be some kind of man-in-the middle attack using the local wifi."

        Shirley nobody is foolish enough to carry out any form of financial transaction on public wifi?

        1. DJO Silver badge

          Re: NFC?

          Shirley nobody is foolish enough to carry out any form of financial transaction on public wifi?

          Meanwhile in the real world - Yes of course they would, possibly through a VPN but then you are just transferring trust to an additional player which is no problem, until it is.

          Seeing as the raison-d'etre of crypto-currency is to avoid regulatory oversight (or in plain English - money laundering & tax evasion) expecting people involved in crypto-currency to be honest and trustworthy is, to use a technical term, "fucking idiocy".

        2. doublelayer Silver badge

          Re: NFC?

          There's always the chance that they didn't, using instead their mobile data, only the attacker had a stingray that captured their traffic. However, there's a healthy chance that people are just unaware of security and do stupid things and this guy could have been one of them. Things that we know not to do aren't as common knowledge as they should be.

        3. MachDiamond Silver badge

          Re: NFC?

          "Shirley nobody is foolish enough to carry out any form of financial transaction on public wifi?"

          With such frequency that we should all be leeching money from them daily instead of working for a living.

          There was a news story recently where a 6yo used daddy's phone to order up all sorts of posh snack food to be delivered. Dad was stupid enough to hand his phone to the kid as a toy and even less bright to have apps that require no authentication to place orders for things. Lucky the kid didn't take the phone down to the local car vending machine and buy that fast looking red model on the 6th floor to see the machinery go. The kid was found out when the deliveries started showing up. Dad was still stuck with the bill since they don't often let you slide for prepared food.

  5. Anonymous Coward
    Anonymous Coward

    They should have been a little more

    Web-averse.

    Couldn't wait till Friday :)

  6. Timop

    Cryptocurrency - to the people who are capable of auditing everything properly themselves just to prevent getting scammed.

  7. Anonymous Coward
    Anonymous Coward

    When Crypto Currency first became a thing I recall a lot of its fans telling us that one of its major plus points was that because every single "coin" was unique and traceable theft was impossible.

    How's that working out for them?

    1. Glenn Amspaugh

      Ownership entry of said "coin" is something else.

  8. Inventor of the Marmite Laser Silver badge

    The information to make the heist must have come from SOMEWHERE. I wonder if setting airplane mode would have made a difference.

  9. Anonymous Coward
    Anonymous Coward

    only 2 ways it happened I see

    Since the funds were transferred out so fast, seems they already had access to the account. I expect his home PC or phone was already compromised. 99% likely once they had access to the account, they removed any spyware to hide their tracks - before transferring the funds. NFC, could be, but that means a huge can of worms is about to burst open on NFC vulnerabilities to wallet apps, which they should have discovered by now if that was the case.

    1. jollyboyspecial

      Re: only 2 ways it happened I see

      The thing about any vulnerability is you can always say on day zero that should have been discovered by now.

      1. nintendoeats

        Re: only 2 ways it happened I see

        log4j should have been discovered before it was even written.

  10. Arthur the cat Silver badge

    As Oscar Wilde remarked

    you'd have to have a heart made of stone not to laugh.

  11. DS999 Silver badge

    Not very "Trusted" I guess

    I wonder if one of these guys was involved with the creation of this Trusted Wallet thing, and either knew of or added a backdoor for this type of theft.

    But I'm still laughing at the fool who lost $4 million in play money. Once again showing why crypto is not, should never be, and never will be a replacement for fiat money.

    1. grandours

      Re: Not very "Trusted" I guess

      Foolish people (and even some not so foolish) have always been and will always be susceptible to scams. If crypto didn't exist, they would just use one of many other methods.

      1. waldo kitty
        Boffin

        Re: Not very "Trusted" I guess

        Foolish people (and even some not so foolish) have always been and will always be susceptible to scams.

        reminds me of The Wizard's First Rule: "People are stupid; given proper motivation, almost anyone will believe almost anything. Because people are stupid, they will believe a lie because they want to believe it's true, or because they are afraid it might be true. People's heads are full of knowledge, facts, and beliefs, and most of it is false, yet they think it all true. People are stupid; they can only rarely tell the difference between a lie and the truth, and yet they are confident they can, and so are all the easier to fool."

        granted, it is from a fantasy novel series (yes, i've actually read the first 13 books in the series) but all of the Wizard's Rules do actually fit in today's world and they make a lot of sense...

        1. MachDiamond Silver badge

          Re: Not very "Trusted" I guess

          "reminds me of The Wizard's First Rule: "People are stupid; "

          They are lazy too. Advertise convenience and the ability to get things they want with the least amount of effort and they'll beat a path to your door. They'll never cotton on to the fact that the more convenient a financial transaction, the more likely they've sacrificed a ton of security.

    2. MachDiamond Silver badge

      Re: Not very "Trusted" I guess

      "Once again showing why crypto is not, should never be, and never will be a replacement for fiat money."

      If you aren't trying to evade the tax man and treaties, what advantage does crypto give you? Most large purchases and transactions still have a ton of paperwork and tracking that goes along with them. Paying my utility bills with crypto doesn't help. Neither will paying a home or auto loan. Most governments won't take it for payment of taxes, fines and fees. If you are fleeing a country and worry about being stopped and searched for currency or your bank account might have a block on it for out of country transfers, you might want to put your money in crypto and extract it in usable currency someplace else. That sort of thing hasn't been a problem for me and I'm not expecting that I'll need that sort of dodge in the future. Besides, there are plenty of ways to do the same thing without crypto that don't require obvious software and electronics.

  12. Marty McFly Silver badge
    Holmes

    Pineapple attack?

    Lured to a known location. A salacious Wi-Fi access point running in the briefcase of the 'investor', using the same SSID credentials as the 'dinner location'. A little Man In The Middle action, and away they go.

  13. Anonymous Coward
    Anonymous Coward

    Trust wallet think they know how it happened now

    https://twitter.com/TrustWallet/status/1623355786557632512

    1. Steve Aubrey
      Stop

      Re: Trust wallet think they know how it happened now

      From the comments to the 17-part tweet: "With all due respect, you did not explain what happened but repeated the narrative."

      And I'd agree.

      1. rjstua

        Re: Trust wallet think they know how it happened now

        They actually suggest that the fake KYC PDF contained malware which compromised his computer/device. What that malware did, they don't explain though! As someone has said before, the physical meet-up must have been required to make this work.

        1. Dan 55 Silver badge

          Re: Trust wallet think they know how it happened now

          Some ideas:

          1. Camera somewhere around recording scammee entering wallet passcode.

          2. PDF malware got the passcode from wallet app or by recording keyboard taps or screen recording.

          3. Wifi MITM attack and the wallet app either just warns (scammers bug the scammee enough to tap through the warning) or waves through any old certificate without complaining and they get the passcode that way.

          2 and 3 don't look very good for the app.
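The client-side behaviour that idea 3 turns on, as an added example that is not part of the original comments and not any wallet's actual code: a TLS context that accepts any certificate beside one that fails closed, plus a leaf-certificate pin check. The function names and the sample "certificate" bytes are assumptions made for this illustration.

```python
import hashlib
import hmac
import socket
import ssl


def lenient_context() -> ssl.SSLContext:
    """The failure mode from idea 3: any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # an interposed AP's certificate passes
    return ctx


def strict_context() -> ssl.SSLContext:
    """Fail closed: chain and hostname are verified, no tap-through path."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def fingerprint(der_cert: bytes) -> str:
    return hashlib.sha256(der_cert).hexdigest()


def pin_ok(der_cert: bytes, pins: set[str]) -> bool:
    """Constant-time comparison of the leaf fingerprint against each pin."""
    seen = fingerprint(der_cert)
    return any(hmac.compare_digest(seen, p) for p in pins)


def open_pinned(host: str, pins: set[str], port: int = 443) -> ssl.SSLSocket:
    """Return a socket only after verification AND the pin check succeed."""
    raw = socket.create_connection((host, port), timeout=10)
    try:
        tls = strict_context().wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    if not pin_ok(tls.getpeercert(binary_form=True), pins):
        tls.close()
        raise ssl.SSLError("certificate does not match a pinned fingerprint")
    return tls


# Constructed sample bytes standing in for DER certificates (not real certs).
GENUINE_DER = b"constructed-genuine-leaf-certificate"
ROGUE_DER = b"constructed-rogue-ap-certificate"
PINS = {fingerprint(GENUINE_DER)}
```

With the strict context the handshake raises before any passcode or session token is written to the socket, so there is nothing for a warning dialog to tap through.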

  14. tmTM

    *Web3* *Metaverse*

    Groan

  15. Steve B

    Why?

    If they have $4m kicking about spare, why do they want more? Sounds sus to me.

    Meanwhile, wouldn't wifi snooping etc catch the login dialogue?

    Quick bit of reprogramming and the encrypted strings can be inserted into a login dialogue from a different app.

    It always seemed a fairly trivial task to me.

    1. MachDiamond Silver badge

      Re: Why?

      "If they have $4m kicking about spare, why do they want more? "

      Perfection in business lies in not using your own money for your business ventures. ~Sun Tzu (I might be wrong on the attribution).

  16. Chris Coles

    The entire operation used a clone phone

    It would seem the majority do not fully understand how wireless networks work. The signal from the local tower does not target your device, it broadcasts everything in EVERY direction. All that was needed would have been the MAC Number of his phone and to obtain that was the reason for all the earlier contacts, that had been made during the run up to that face to face meeting . . . which were to establish for certain the relevant MAC and associated code numbers for the phone. From that point all they needed to do is create a clone, using the information already obtained and required to do that. From then onwards, EVERY aspect of the creation of the new webaverse wallet would have also been set up on their clone, and that clone would not have needed to be anywhere other than within reception of the local tower. As creating a clone is a simple thing to implement, using their team to ensure everything was correctly set up; creating the wallet in the clone was entirely under the full control of webaverse, and as such was as easy as it was for the eventually scammed. All they had to do is use the fully available facilities within the clone to immediately move the funds onward under their clone's full control. It is the never admitted aspect of all mobile telecommunications; the only thing that differentiates your phone from all others are the MAC address and associated settings. Indeed, it is possible to do that for EVERY such device. ANYONE could do that at any time at their convenience. All they need is the MAC address and associated settings. Period!

    1. Dan 55 Silver badge
      Facepalm

      Re: The entire operation used a clone phone

      That's... a remarkable explanation.

    2. razorfishsl

      Re: The entire operation used a clone phone

      Yep... I keep telling HSBC about this in HK that their shitty SMS messages about all the bank transfers can be listened into...

      they say it is for security of their customers...

      more like they are providing a feed to the HK government...

      but they insist phones are secure devices if they have not been rooted....

    3. abetancort

      Re: The entire operation used a clone phone

      I’m sorry but you seem to know very little about how https’ encryption and authentication works. Spoofing the MAC address of a device doesn’t allow you to perform a MiM attack over wifi if the app uses https encryption and certificate authentication.

      1. Roland6 Silver badge

        Re: The entire operation used a clone phone

        “Take a few photos” I.e. Screen shots

        That would suggest use of NFC…

        Although bringing the phones close together might be sufficient for the victim's phone to try and switch to a different Wi-Fi AP.

        As to the next step of the exploit… Although, I suspect it might involve causing the wallet app to resend credentials as part of keeping the session live, hence why the specific wallet was suggested.

  17. Securitymoose
    Holmes

    A plot straight out of 'Hustle'?

    One of the last great shows the BBC ever did before they went all weird on us.

    https://www.imdb.com/title/tt0379632/

  18. razorfishsl

    They must have done it by intercepting the WIFI traffic....

    bet they have found a way to merge data into a transaction to redirect it...

  19. RuffianXion

    How to spot a scam

    How do you spot a crypto scam?

    Simply ask, 'Does it involve crypto?'

    If the answer is 'Yes', then it's probably a scam.
