Ahad Shams, a co-founder of the Webaverse Web3 metaverse game platform, has revealed how they became victims of a $4 million crypto hack in November 2022 after meeting with scammers posing as investors in a hotel lobby in Rome.
a crypto scam stole 4m by just taking a photo of a trust wallet screen, with no seed phrases or any private info on sight pic.twitter.com/yOQGbReF1I
— 0xngmi (aggregatoor arc) (@0xngmi) February 6, 2023
They reported the theft the same day to a local Rome police station, then to the FBI a few days later using an IC3 form. Additionally, they hired “@wassielawyer” and a reputable investigative firm immediately to arrange a neutral investigation of the circumstances.
They took the appropriate measures to ensure that only those engaged in the event were aware of the inquiry because they wanted to handle it “professionally.” The team has informed all important stakeholders, including their investors, the executive team, and specific area inhabitants.
“We refrained from making this public in order to avoid affecting the investigation,” Webaverse noted.
How did the Webaverse team lose its assets to scammers?
The Webaverse team connected with “Mr. Safra,” the alleged scammer, over email and video calls, and he explained that he wanted to invest in Web3 companies. He subsequently collected their IDs for KYC and stipulated that the team fly into Rome to meet him.
Although they aren’t certain how it happened technically, they believe the scammers convinced them to move money into a new wallet they created and maintained to provide evidence of funds. “Mr. Safra” claimed that he would feel certain that the project was in fact funded if he could see money in a Trust Wallet account that Webaverse had control over.
However, at the meeting in the hotel, the supposed investor took out his phone and took some pictures of just the funds on the wallet’s dashboard.
“Mr. Safra” said he was satisfied, said he needed to step outside to discuss [the] next steps with his colleagues, and we never saw him again,” Ahad Shams said. “Minutes later, the funds left the wallet.”
The strange part of the story is that the USD stablecoins were taken from the new Trust wallet and that the hack happened without disclosing their seed phrase or private keys.
Sadly, the Webaverse team has not been able to determine the attack vector with certainty. Even though the investigators carefully examined the facts and extensively questioned the relevant parties, additional technical information is still needed before they can confidently draw judgments.
Ahad Shams emphasized, however, that the $4 million exploit and ongoing investigation would not have an influence on the company’s short-term ambitions and that they are happy to provide rewards to anybody who can help them find the criminals and retrieve the stolen money.
