Unibot, a popular Telegram trading bot, has been exploited, resulting in user accounts getting exploited.

Scopescan, an on-chain research team, flagged the exploit on Twitter, noting that the hacker is offloading the assets for ETH using decentralized exchanges. Losses have exceeded $600,000 roughly one hour after the exploit took place.

“Please check and revoke the approvals for [Unibot’s] contract,” Scopescan said. “Move your funds to a new wallet ASAP.”

Beosin Alert attributed the exploit to a CAll injection, allowing the attacker to transfer assets from wallets that have not revoked approval for Unibot’s smart contracts.

The official Unibot Twitter account is yet to acknowledge the hack.

The price of the bot’s native token UNIBOT is down more than 29% in one hour after the hack, according to CoinGecko. The token’s market cap currently sits at around $45M, down from an all-time high of $200M in August.

Unibot hosted 1,300 active accounts in the past 90 days, according to Dune Analytics. Unibot currently ranks as the second most popular Telegram bot with 16% of users.

Trading Bot Perils

While Telegram trading bots have enjoyed a recent surge in popularity, users must take on significant security risks by relinquishing control over their private keys to the bot.

Last week, hackers ransacked $500,000 from Maestro, then the top Telegram trading bot with a 49% market share. Affected users were later refunded.

In September, a smart contract glitch resulted in the native token for Banana Gun, the current leading bot with 75% dominance, crashing 98% in a single day. Banana Gun later relaunched the token.