The Tapioca Foundation has extended a $1 million bounty to the attacker responsible for stealing $4.7 million from its decentralized finance (DeFi) protocol.
The foundation described the incident as a “social engineering attack,” which led to the significant loss.
In an on-chain message sent on October 20, Tapioca addressed the attacker directly, offering a settlement that would allow the attacker to walk away with $1 million in Tether (USDT), no strings attached.
Tapioca Requests Return of Remaining $3.7M
The $1 million bounty is considerably higher than the typical 10% bounty offered in such cases.
In exchange, the foundation requested the return of the remaining $3.7 million.
The attack, which took place on October 18, involved the theft of 591 Ether (ETH) and $2.8 million in USD Coin (USDC).
According to Tapioca, the attacker exploited a vulnerability in the vesting contract for its TAP token and the USDO stablecoin.
The attacker managed to claim and sell vested TAP tokens and then manipulated the USDO stablecoin by adding a minter to create an infinite supply, draining a liquidity pool of USDO and USDC.
Tapioca co-founder Matt Marino revealed more details in a message on the project’s Discord channel.
He explained that his fellow co-founder, pseudonymously known as “Rektora,” had been phished during an interview process.
Rektora inadvertently downloaded malicious software that altered a transaction, giving the attacker access to critical contracts.
In a surprising twist, Marino later announced that Tapioca had managed to “hack the hacker” and recover 1,000 ETH, worth more than $2.7 million, which had been collateral backing the USDO stablecoin in a liquidity pool.
Despite the recovery of some funds, the attack caused significant damage to the TAP token’s value.
Prior to the incident, TAP was trading at around $1.40. Following the attack, it plummeted to just 2 cents, according to CoinGecko.
The attacker’s wallet still holds funds on the BNB Chain, but it remains to be seen whether they will return the remaining stolen assets.
Crypto Users Lose $46M to Phishing Scams in September
Phishing attacks remain a major issue for crypto users, resulting in substantial losses.
In September alone, more than 10,000 individuals lost over $46 million to such scams, as reported by Scam Sniffer, a Web3 anti-scam platform.
The platform revealed that 10,805 victims suffered losses amounting to $46.7 million from various crypto phishing scams last month.
Just recently, it was revealed that cybersecurity scammers are using automated email replies to compromise systems and deliver stealthy crypto mining malware.
This comes on the heels of another malware threat identified in August.
The “Cthulhu Stealer,” which affects macOS systems, similarly disguises itself as legitimate software and targets personal information, including MetaMask passwords, IP addresses, and cold wallet private keys.
In another instance, a fraudulent crypto wallet app on Google Play has stolen $70,000 from users in a sophisticated scam that has been described as a world-first for targeting mobile users exclusively.
The malicious app, named WalletConnect, mimicked the reputable WalletConnect protocol but was, in fact, a sophisticated scheme to drain crypto wallets.