A $5.7 Million Crypto Heist Sent Social Tokens into Free Fall
bodyguard obstructing paparazzi when celebrity going into elevator. Image: Shutterstock
Create an account to save your articles.
Create an account to save your articles.
In brief An attacker made off with $5.7 million in crypto.
They channeled the funds from a Roll wallet over to Tornado
Editor's note: This article has been updated with Roll's response.
It’s a terrible day for crypto influencers on the social money platform, Roll.
A hack in the early hours of the morning UTC sunk the value of several social tokens minted and distributed on the platform—including WHALE, RARE and PICA—by more than 50% in price as an attacker made off with almost 3000 ETH, or about $5.7 million.
At 8:16 AM UTC, MyCrypto.com tweeted that “there was some sort of widespread hack/compromise across various social coins, leading to a massive dump.”
Seems there was some sort of widespread hack/compromise across various social coins, leading to a massive dump. pic.twitter.com/45Cgca33Ap — MyCrypto.com (@MyCrypto) March 14, 2021
WHALE, a social coin backed up by NFT assets, confirmed the hack an hour later, tweeting that “2.17% of $WHALE was compromised through a hack on our social token issuer's hot wallet.” In a follow-up tweet, WHALE announced that it has secured the rest of its tokens in cold storage.
1/2 Based on information that we have currently: 1, 2.17% of $WHALE was compromised through a hack on our social token issuer's hot wallet. 2, All other $WHALE including community distributions are fully secure in cold storage, including the $WHALE Vault — WhaleShark.Pro (@WhaleShark_Pro) March 14, 2021
In response, Roll has suspended withdrawals of social money from its Roll wallets and set up a $500,000 fund to help out affected creators and communities.
What happened?
Looks like a robbery. Etherscan shows that hundreds of ETH were transferred over to Tornado Cash, a privacy tool often used by hackers to cover their tracks.
Banding together as a family here. Thanks to everyone who reached out in the past 12 hours. Our primary concern is the creator community affected by this. It is moments like these that make or break a company. Our goal is to come back stronger than ever. https://t.co/QlPKzGE92i — Bradley Miles (@Bradley_Miles_) March 14, 2021
Igor Igamberdiev, an analyst at The Block, said that the attacker forced the victims to approve the transfer of all their tokens.
4/5 The victim who lost all their social tokens gave approvals so that an exploiter could transferFrom() their tokens. This fact indicates a possible private key compromise or inside job. pic.twitter.com/bqFRMnnU2z — Igor Igamberdiev (@FrankResearcher) March 14, 2021
With the wallet’s security compromised, the attacker sold off their stolen social tokens and funneled the proceeds to a hidden destination.
Roll didn’t say how the private keys were compromised but said in a statement that it is “really sorry.”
“Today we messed up,” it added.
Social Tokens?
Social tokens are ERC-20 tokens minted by crypto’s aspiring socialites.
Through token sales to loyal fans, these influencers can generate income while offering their supporters a bespoke currency.
The coins are far from useless. Holders can redeem them for goods and services, like voting on their favorite socialite's life or career decisions (token holders forced Alex Masmej to run 5k every day for a month), or trade them with other cryptocurrencies.
There are a few social money platforms—and anyone can create a social token on Ethereum—but Roll, the creation of former Coindesk analyst Bradley Miles, was the first to put together a one-stop-social-crypto-shop. By summer last year, Roll had launched about 160 different social tokens.
Brooklyn 99 actor Terry Crews made headlines earlier this week when he launched his own $POWER token on Roll.
In response to the incident, Roll said that it’s beefing up its infrastructure, getting its code audited and working with police.
CEO Bradley Miles added, “Our goal is to come back stronger than ever.”