• J McGlynn and S Pettigrove

NFTs stolen in Phishing Attack on Uniswap v3


A group of hackers has pulled off a major phishing scam on a Uniswap v3 liquidity pool, making off with NFTs worth roughly US$3.56m in ETH. The hackers impersonated Uniswap’s website and deceived liquidity providers into signing malicious transactions.


Positions in Uniswap v3 liquidity pools are represented as NFTs which liquidity providers can use as collateral for loans paid out in stablecoins and other assets.


On-chain data tied to the scammer's account reveals that all but 70 ETH of the amount stolen has already been transferred through a cryptocurrency mixing service, Tornado Cash, in an attempt to obscure the destination of the stolen digital assets.


The hack follows not long after a much wider attack against Uniswap users. According to MetaMask security analyst Harry Denley, a malicious actor targeted over 73,000 wallet addresses by sending them a token under the guise of a UNI airdrop, hoping to steal the credentials of those who logged in to inspect the free token.


Following the latest incident, Hayden Adams, founder of the Uniswap protocol, confirmed in a tweet that the loss of NFTs was the result of a phishing attack which was:

"totally separate from the protocol (and) a good reminder to protect yourself from phishing and not click on malicious links."

These incidents demonstrate the increasing sophistication of phishing scams in which bad actors seek to deceive users by impersonating well-known websites and offering seemingly plausible inducements to gain access to users' accounts.