PeopleDAO multi-signature wallet was attacked and 76 ETH were lost

On March 12, PeopleDAO tweeted that its community vault on the digital asset management platform Safe (formerly Gnosis Safe) lost 76 ETH (about $120,000) to a social engineering attack while paying out the monthly contributor rewards on March 6. The incident has nothing to do with the PEOPLE token contract. PeopleDAO collects monthly contributor reward information through Google Form. The accounting lead mistakenly shared a link with editing rights in a public Discord channel. After obtaining editing rights through the link, the hacker inserted a payment of 76 ETH to his own address in the form and set it as invisible. Because the entry was deliberately hidden, the team leader did not find it during the review. The CSV file, downloaded with the inserted data, was then submitted to Safe's CSV Airdrop tool for reward distribution. Since the transaction contained 80 transfers, 6 of the 9 multi-signature accounts did not notice the malicious transfer. After the transaction was signed and executed, 76 ETH were transferred to the hacker's address.


Interpretation of this information:

On March 12, PeopleDAO tweeted that its community vault on the Safe platform was hacked and 76 ETH, worth about $120,000, were stolen through a social engineering attack. The hacker gained editing rights to the Google Form used for monthly contributor reward information and added a payment of 76 ETH to their own address, which they set as invisible. The payment was concealed well enough that the team leader didn't notice it during the review process. When the CSV file with the added data was submitted for reward distribution, 76 ETH were transferred to the hacker's address. Due to the number of transfers in the transaction, six of the nine multi-signature accounts involved did not detect the malicious transfer.
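A pre-signing check of the kind that catches a row like this, as an added example (not PeopleDAO's or Safe's code): each signer compares the exported CSV with a payout list approved through a separate channel, so a row hidden in the shared sheet still appears as a plain line in the export. The column names `receiver` and `amount`, the addresses and the amounts are constructed assumptions.

```python
import csv
import io
from decimal import Decimal, InvalidOperation

# Constructed sample: payouts approved out of band (address -> amount in ETH).
APPROVED = {
    "0x1111111111111111111111111111111111111111": Decimal("0.5"),
    "0x2222222222222222222222222222222222222222": Decimal("1.25"),
}

# Constructed sample of the CSV about to be uploaded; the last row was never approved.
PAYOUT_CSV = """token_type,token_address,receiver,amount
native,,0x1111111111111111111111111111111111111111,0.5
native,,0x2222222222222222222222222222222222222222,1.25
native,,0x3333333333333333333333333333333333333333,76
"""

def audit_payout(csv_text, approved):
    """Compare every CSV row with the approved list; return (findings, csv_total)."""
    approved = {addr.lower(): amt for addr, amt in approved.items()}
    findings, seen, total = [], set(), Decimal(0)
    # Header is line 1 of the file, so data rows start at line 2.
    for line_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        addr = (row.get("receiver") or "").strip().lower()
        try:
            amount = Decimal((row.get("amount") or "").strip())
        except InvalidOperation:
            findings.append((line_no, addr, "unparseable amount"))
            continue
        total += amount
        if addr not in approved:
            findings.append((line_no, addr, f"recipient not approved ({amount})"))
        elif amount != approved[addr]:
            findings.append((line_no, addr, f"amount {amount} != approved {approved[addr]}"))
        if addr in seen:
            findings.append((line_no, addr, "duplicate recipient"))
        seen.add(addr)
    # An approved recipient dropped from the file is also a tampering signal.
    for addr in sorted(set(approved) - seen):
        findings.append((None, addr, "approved recipient missing from CSV"))
    return findings, total

if __name__ == "__main__":
    findings, total = audit_payout(PAYOUT_CSV, APPROVED)
    print(f"CSV total {total} ETH, approved total {sum(APPROVED.values())} ETH")
    for line_no, addr, reason in findings:
        print(f"line {line_no}: {addr}: {reason}")
    raise SystemExit(1 if findings else 0)
```

Run by each signer on their own copy of the approved list, the check does not depend on anyone reading all 80 rows by eye.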

This article and its pictures are from the Internet and do not represent 96Coin's position. In case of infringement, please contact us to have it deleted: https://www.96coin.com/41226.html
