Scammers stole $8 million worth of Ethereum from users of the Uniswap cryptocurrency exchange, according to Sujith Somraaj at Decrypt. Notably, the attackers relied purely on social engineering to pull off the theft, despite some early claims that they exploited a vulnerability in Uniswap’s underlying protocol.

“The phishing scam promised a free airdrop of 400 UNI tokens (worth approximately $2,200),” Somraaj writes. “Users were asked to connect their crypto wallets and sign the transaction to claim the malicious airdrop. Upon connection, the unknown hacker grabbed user funds through a malicious smart contract.”

The scammers used this malicious contract to trick the victims into granting access to their cryptocurrency.

“Notably, the code was not verified for the smart contract deployed on Etherscan—something most legitimate projects do,” Somraaj says. “After deployment, for collecting their airdropped tokens, the hacker tricked users into signing a transaction. Instead, this transaction served as an approval transaction, giving the hacker access to all the Uniswap LP (Liquidity Pool) tokens held by the user.”

Somraaj explains how the attackers were able to gain access to the funds.

“Whenever users add liquidity to Uniswap, they receive LP tokens in return as a representation of their liquidity positions,” Somraaj writes. “These tokens are transferable and use the ERC-721 token standard, like all other NFTs. Hence through an approval transaction, a third- party (the hacker wallet in this case) could spend funds on behalf of the user. After gaining access from the previous approval transaction, the hacker transferred all the LP tokens to his wallet and withdrew all the liquidity from Uniswap.”

People should always be wary when they see offers that seem too good to be true, particularly when cryptocurrency is involved. We tend to think of cryptocurrency transactions as something individual speculators engage in, but increasingly they touch many businesses as well. They’re novel enough that employees may find themselves gulled through simple unfamiliarity. New-school security awareness training can give your employees a healthy sense of suspicion so they can thwart social engineering attacks.