PeopleDAO multi-signature wallet was attacked and lost 76 ETH

ChainCatcher news, PeopleDAO tweets show that PeopleDAO’s community treasury multi-signature wallet on the Crypto asset management platform Safe (formerly Gnosis Safe) was hacked to steal 76 ETHs through social engineering attacks when it distributed monthly contributor rewards on March 6 (approximately $120,000). This event has nothing to do with the PEOPLE token contract. PeopleDAO collects monthly contributor reward information through Google Form, and the person in charge of accounting mistakenly shared a link with editing permission in the Discord public channel. After the hacker gained editing permission through the link, he inserted a payment of 76 ETH to himself in the form address and make it invisible. Due to the malicious concealment, the team leader did not find it during the review. After downloading the csv file with insertef data, it was submitted to Safe’s CSV Airdrop tool for reward distribution. Since there were 80 transfers in the transaction, 6 of the 9 multi-signature accounts did not notice the malicious transfer, and after the transaction was signed and executed, 76 ETH were transferred to the hacker’s address. With the assistance of SlowMist and ZachXBT, the team found that the attacked funds had been deposited in two exchanges, HitBTC and Binance, and contacted the two exchanges. In addition, PeopleDAO has reported this case to the US Federal Bureau of Investigation (FBI) and Federal Trade Commission (FTC), and will continue to cooperate with various parties to recover losses. PeopleDAO stated that if the hackers return the stolen funds within the next 48 hours, they will offer a 10% white hat bounty to them. (source link)