Event Highlights: GoPlus "Web3 Ghost Stories" Episode 1 Space

GoPlus Security
2024-07-18 17:15:20

Author: GoPlus

Column Introduction

GoPlus "Web3 Ghost Stories" is a chat program that shares a "ghost story" about a Web3 asset theft in each episode. By unraveling the details of the story, it aims to provide listeners with a deeper understanding of the various dangers and risks in the Web3 world, enabling them to avoid similar risks when they encounter them.

Space Theme: Terrifying 14 Days! What made the people of Panama finally return the over 20 ETH that was stolen from me?

Host:

GoPlus Chinese Community: Represents Web3 "newbies" asking questions.

Speakers:

Baoge: Ghost story sharer, Web3 entrepreneur, 8-year Web3 veteran

IsabelShi: Bitrace CEO

Box: Security expert

Information Capture Hand: Well-known KOL

Biubiu: Well-known KOL

GoPlus Fangtouzi

Baoge's Twisted Experience of Wallet Theft

More than a month ago, hacker A impersonated an investment manager from a Web3 investment company and, through a friend of Baoge, expressed interest in investing in Baoge's startup project. They agreed to hold an online meeting to discuss it in depth. Hacker A booked the meeting through Baoge's Calendly (appointment scheduling software commonly used in Web3), but on the day of the meeting, hacker A claimed he couldn't enter the meeting room and sent Baoge a meeting link bearing his company's domain name, inviting Baoge to join. Without thinking much, Baoge clicked the link. As a Web3 veteran, Baoge quickly realized something was wrong, disconnected from the internet, and hurriedly transferred assets out of the more than 40 wallets on his computer, which took 12 hours in total.

Just when Baoge, exhausted, thought he had outsmarted hacker A, he discovered that there was still some money in a DeFi protocol, but by that time, the protocol no longer allowed withdrawals. So, Baoge entered the official Discord of the protocol seeking help, where he encountered hacker B.

Hacker B saw Baoge's plea for help in the group, impersonated customer service, and tricked Baoge into giving away his wallet's private key under the guise of helping him withdraw funds. Realizing he had been scammed, Baoge immediately contacted GoPlus for assistance. GoPlus promptly reached out to its security partner Bitrace, and with everyone's help, they began the rescue operation for the over 20 ETH that had been stolen.

After on-chain information showed that the hacker had transferred the assets to a certain exchange, the security company quickly helped Baoge contact the exchange to freeze the assets and provided the evidence needed for Baoge to file a case with the police in multiple locations. Baoge then sent an email to the address provided by the exchange, stating that he had obtained the police's case filing document and warning the recipient to return the funds promptly. Fortunately, the recipient was a token swap service hired by the hacker, and upon realizing it was stolen money, they returned it in full.

Thus, Baoge successfully recovered most of his stolen assets, and the ghost story had a happy ending.

Dialogue Highlights

  • Hacker A Incident

Baoge: In hindsight, I realized that this phishing attempt was targeted at me. They had investigated my identity information in advance and meticulously crafted an image of a Silicon Valley investor, first approaching my friend, but the ultimate target was always me.

In fact, many people encounter similar phishing attempts; hackers provide various links for different reasons to lure you into clicking.

Host: We have encountered similar situations. Someone claimed to be a reporter from Coindesk and privately messaged us on X wanting to collaborate, but since we are in the security field, our operations team is experienced, so we ultimately did not fall for it.

IsabelShi: Nowadays, Web3 criminals are very well-prepared and no longer cast a wide net like before. They study the social networks of "big clients" and create traps specifically targeting those individuals. For example, we encountered a case where the victim simply clicked on an article about a competitor in the industry and had their Telegram hacked. The criminals then logged into their Telegram, contacted the company's finance department, and demanded a transfer to a wallet. The finance department sensed something was off and requested a voice call, but the criminals used AI to mimic the victim's voice and deceived the finance team, resulting in a loss of 10 million dollars.

GoPlus Fangtouzi: That's terrifying. Since the advent of AI, personalized attacks like this have emerged in Telegram. We had an investor who frequently communicated with me about security issues. One day, he reached out to discuss a security matter, providing me with a link to a security incident. During the conversation, he seemed just like usual, but in reality, his Telegram had already been hacked, and I was communicating with the hacker.

  • Hacker B Incident

Baoge: Regarding being scammed by hacker B, I want everyone to remember one point. In hindsight, I feel that even if it happened 100 more times, I wouldn't click that phishing link, but at that moment, I was in an extremely fatigued state, and a momentary lapse in my brain made the situation irreversible.

Box: I think phishing in Discord groups is very common. Recently, a mod in the ENA Discord group was hacked and posted a phishing link. A friend of mine clicked the link without much thought and got hacked. This isn't the first mod to be hacked in the crypto space; everyone needs to stay vigilant.

GoPlus Fangtouzi: I believe Baoge's incident serves as a wake-up call for us; these criminals have infiltrated every aspect. They have different phishing methods at each stage, and I hope users can remain calm and vigilant at every step.

  • Happy Ending

IsabelShi: In fact, many victims do not have Baoge's awareness and do not realize they have been hacked immediately. Even if they do realize they have been hacked, they often do not understand the reason behind it. Therefore, when we help users recover stolen assets, the first step is often to help them recall the reasons for the theft. Additionally, when communicating with local law enforcement, you need to present the complete picture of the event on paper, so it's essential to reconstruct the theft process and the flow of funds. Monitoring the flow of funds must be swift because hackers do not let the funds stay in one place for too long; they need to quickly launder and cash out the money. This is the most critical point in helping victims intercept and recover funds; when the funds enter a place that can be intercepted, we must act promptly to stop the money.

So when money is stolen, for the victim, the first step is to clarify the sequence of events; the second is to find local law enforcement and report the case as soon as possible; the third is to closely monitor the flow of their funds.

Baoge: There is a significant difference between the FBI and domestic case filings. You only need to fill out a form for them to process it; there won't be situations like in the domestic context where they refuse to accept it. In hindsight, this is still very important; it cost me a lot of time to get the domestic police to handle my case. The FBI's case filing document helped me extend the freeze on the stolen funds at the exchange for 14 days, and later I used the mainland's case filing document to freeze it for an even longer time. The FBI also has a dedicated economic investigation department that specifically handles virtual asset cases, so the FBI has the capability to solve cases. Therefore, the U.S. has a very complete handling capability, but their processing speed is extremely slow, to the point that by the time I recovered my money, the FBI had not yet taken any substantial investigative action.

GoPlus Fangtouzi: Here, I want to remind everyone that Baoge's ability to recover assets was largely due to luck. If money is stolen, it is a very passive situation; if there is a break in any link during the process, it is highly likely that the money cannot be recovered. There are a few important points: first, being able to obtain the links to the funds and information about the attacker; second, obtaining the FBI's documents to freeze the money in the exchange account.

External Transmission / Tragic Story

Information Capture Hand: I recently posted a tweet telling the story of a close friend of mine who was hacked. The protagonist is my college classmate and a good friend in real life since I entered the circle. After graduating, he started an e-commerce company with two friends. Unfortunately, two months ago, the company went bankrupt, and the other two partners betrayed him and took the money. To run the company, he also took out loans, and in the end, he was left with only a few hundred Solana in his wallet. He created a new wallet and put all his money into it. One morning, he discovered that all the money in his wallet had been stolen by hackers.

He sent me a message saying: "My wallet has been hacked; remember to burn paper for me this time next year." The next day, he really jumped off a building.

Those few hundred Solana became the last straw that broke the camel's back.

Host: Hearing this story, I feel even more that our "Web3 Ghost Stories" program is very meaningful. By sharing each story, we let everyone know how to be cautious about asset theft and how to rescue assets after being stolen, which might really save a life.

GoPlus Fangtouzi: GoPlus has helped many Web3 users, most of whom are in their forties or fifties and not very familiar with the market, ultimately losing all their assets, and some even their retirement funds, having to rely on a few credit cards to make ends meet. This is also one of the reasons we continue to focus on the safety of Web3 users, hoping to help more ordinary users.
