
Binance Network Suffers $560 Million Code Exploit

An exploit of a bug in the Binance-run blockchain network, BNB Chain, allowed a hacker to ‘trick’ the BNB Chain’s BSC Token Hub bridge into sending them roughly US$560 million worth of BNB tokens. This incident renewed concerns involving the security of cross-chain bridges.

The Binance team responded by suspending activity made on the Binance blockchain, freezing a majority of the stolen assets. It’s estimated that the hacker made off with roughly US$100 million worth of assets on other chains.

Within a day of the suspension, BNB Chain tweeted that the bridge was up and running again.

In the days following the hack, the price of BNB fell by 5-7%.

Source: CoinMarketCap

Investor funds safe, extra BNB created

BNB Chain is not the first cross-chain bridge to experience a major hack — around US$625 million worth of WETH and USDC was drained from Ronin earlier in 2022, considered one of the biggest hacks in the history of crypto.

As the BNB Chain hack was revealed, Binance CEO Changpeng ‘CZ’ Zhao quickly moved to reassure users, tweeting that funds were safe.

The ‘extra’ BNB were essentially created from nothing, through an exploit of the bridge’s code.

A detailed analysis tweeted by security expert @samczsun explains how the hack may have been carried out, summarising by saying, “there was a bug in the way that the Binance bridge verified proofs which could have allowed attackers to forge arbitrary messages.”  

Next Steps: On-Chain Governance Vote

BNB Chain has said governance votes will determine how to approach the next steps in relation to whether to freeze the hacked funds, whether to use BNB Auto-Burn to cover the remaining hacked funds, and how to deliver a Whitehat program to find future bugs and reward hackers with bounties.

The platform also committed to contributing to a broader conversation about the vulnerabilities in cross-chain bridges, stating:

“We will openly share the details of the postmortem and all lessons on how to implement more advanced security measures to shore-up these vulnerabilities.”

BNB Chain

Hackers Target Bitcoin ATMs Through Zero-Day Attacks

Adding to recent consumer consternation caused by illiquid crypto exchanges and lenders, hackers have exploited a zero-day vulnerability in General Bytes Bitcoin ATM servers to steal funds from customers.

General Bytes is the manufacturer of Bitcoin ATMs that, depending on the product, allow users to purchase or sell more than 40 different cryptocurrencies. However, in recent incidents that have seriously compromised their security, when customers have deposited or purchased cryptocurrency using these ATMs, the funds were instead siphoned off by hackers.

Remote Servers to Blame

The Bitcoin ATMs are controlled by a remote Crypto Application Server (CAS) that manages the ATM’s operation, which cryptocurrencies are supported, and executes the purchases and sales of cryptos on exchanges.

According to General Bytes’ security advice, the attacks were conducted using a zero-day vulnerability in its CAS:

The attacker was able to create an admin user remotely via the CAS administrative interface via a URL call on the page that is used for the default installation on the server and creating the first administration user. This vulnerability has been present in CAS software since version 20201208.

General Bytes security advice

General Bytes believes the hackers scanned the internet for exposed servers running on TCP ports 7777 or 443, including servers hosted at Digital Ocean and General Bytes’ own cloud service.

The hackers then exploited the bug to add a default admin user named ‘gb’ to the CAS, and modified the ‘buy’ and ‘sell’ crypto settings and ‘invalid payment address’ to recognise a crypto wallet under the hackers’ control.

Funds Diverted to Hackers’ Wallet

Once they had modified these settings, any cryptocurrencies received by CAS were forwarded to the hackers instead. “Two-way ATMs started to forward coins to the attackers’ wallet when customers sent coins to the ATM,” according to the security advice.

General Bytes, one of the largest manufacturers of cryptocurrency ATMs with almost 9,000 machines installed all over the world, is warning customers not to operate Bitcoin ATMs until they have applied two server patch releases, 20220531.38 and 20220725.22, on their servers. It has also provided a checklist of steps to perform on the devices before they are put back into service.
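The advisory above describes a first-run "create the initial administrator" page that stayed reachable after installation, and a remediation checklist that includes looking for admin accounts the operator never created. The following Python is an added illustration written for this page, not General Bytes' CAS code: it models the weak pattern beside a hardened version (refuse once installation is complete, require a one-time setup token, accept only from loopback) and adds a small audit that lists admin accounts outside an operator's allowlist. The state names, the setup token and the loopback rule are assumptions made for the example.

```python
"""Toy model of a first-run 'create the initial admin' endpoint.

Constructed illustration; not General Bytes' CAS code. Field names,
the one-time setup token and the loopback-only rule are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class ServerState:
    users: Dict[str, dict] = field(default_factory=dict)
    install_completed: bool = False
    # Assumption: a one-time token shown only on the operator's console at first boot.
    setup_token: Optional[str] = None


def _hash_password(password: str) -> str:
    """Salted PBKDF2 so stored credentials are not plaintext."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def vulnerable_create_first_admin(state: ServerState, username: str, password: str) -> int:
    """Weak pattern: the endpoint answers after installation and demands no proof
    that the caller is the operator, so anyone who can reach the admin port
    can mint an administrator account."""
    state.users[username] = {"role": "admin", "password": _hash_password(password)}
    return 201


def hardened_create_first_admin(state: ServerState, username: str, password: str,
                                setup_token: str, remote_addr: str) -> int:
    """Hardened version of the same endpoint. Returns an HTTP-style status code."""
    # 1. The endpoint is dead once installation has finished.
    if state.install_completed:
        return 409
    # 2. The caller must present the one-time setup token (constant-time compare).
    if state.setup_token is None or not hmac.compare_digest(setup_token, state.setup_token):
        return 403
    # 3. Assumption for the example: initial setup is only accepted from loopback.
    if remote_addr not in ("127.0.0.1", "::1"):
        return 403
    state.users[username] = {"role": "admin", "password": _hash_password(password)}
    state.install_completed = True
    state.setup_token = None  # single use
    return 201


def unexpected_admins(state: ServerState, expected: Set[str]) -> List[str]:
    """Audit helper for an operator checklist: admin accounts not in the allowlist."""
    return sorted(name for name, rec in state.users.items()
                  if rec.get("role") == "admin" and name not in expected)


if __name__ == "__main__":
    weak = ServerState(install_completed=True)
    weak.users["operator"] = {"role": "admin", "password": _hash_password("constructed")}
    vulnerable_create_first_admin(weak, "gb", "constructed")
    print("unexpected admins on weak server:", unexpected_admins(weak, {"operator"}))

    strong = ServerState(setup_token="constructed-token")
    print("remote attempt:", hardened_create_first_admin(strong, "gb", "x", "constructed-token", "203.0.113.9"))
    print("operator setup:", hardened_create_first_admin(strong, "operator", "x", "constructed-token", "127.0.0.1"))
    print("second attempt:", hardened_create_first_admin(strong, "gb", "x", "constructed-token", "127.0.0.1"))
```

The audit function is the part an operator would actually run before putting a machine back into service: any admin account that is not on the expected list, such as one named ‘gb’, is a finding regardless of how it got there.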

Most Exposed Servers Are in Canada

While it remains unclear how many servers were breached using this vulnerability and how much cryptocurrency was stolen, according to information provided by security firm BinaryEdge there are currently 18 General Bytes Crypto Application Servers still exposed to the internet, with the majority located in Canada.

Last year, El Salvador led the adoption of bitcoin in Central and South America by launching 1,000 Bitcoin ATMs across the country for buying and selling BTC. However, less than three months later a bitcoin ATM was burned and defaced with anti-BTC messages as protesters demonstrated resistance towards El Salvador’s pro-crypto President Nayib Bukele.


Security Firm Discovers Hackers Use Google and Microsoft to Steal Crypto

Online security company NetSkope has discovered a new crypto phishing scam that utilises Google and Microsoft Azure to trick users into handing over their information. The tactic involves using SEO techniques to distribute links to copycat pages.

NetSkope has made a new phishing scheme discovery.

Other Big Names Not Immune

It’s been discovered that hackers have improved their strategies and are utilising specific SEO techniques to increase interaction with phishing sites for imposter wallet apps and exchanges impersonating notable names such as MetaMask and CoinBase.

These phishing sites are often built on Google Sites or Microsoft Azure and can take a user’s info in two ways. They will either acquire the private seeds of the user’s wallet by prompting data importation, or will pilfer info from the accounts of the exchanges being impersonated using error messages:

In this campaign, we found that the attackers are abusing Google Sites and Azure Web App to host the pages, likely due to cost, ease-of-use, and to slightly increase the victim’s trust.

NetSkope blog post

NetSkope has strongly recommended that “users never enter credentials after clicking on a link” and instead navigate directly to the site they wish to use, and that organisations should employ secure web gateways that can block these types of attacks.
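The campaign described above relies on wallet and exchange brand names appearing on pages hosted under shared platforms such as Google Sites and Azure Web App. As an added example that is not part of the original article or of NetSkope's tooling, the Python below implements the kind of URL triage a secure web gateway or a mail filter might apply: a URL is "ok" if its host is one of the brand's official domains, "suspicious" if a brand name appears on a shared-hosting domain or in an unofficial hostname, and "unknown" otherwise. The brand-to-domain table, the list of shared-hosting suffixes and the sample URLs are all constructed for the example.

```python
"""URL triage for brand-impersonation phishing. Added illustration; assumptions:
the official-domain table, the shared-hosting suffixes and the sample URLs."""
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse

# Assumption: official domains for the brands being monitored.
OFFICIAL_DOMAINS: Dict[str, Set[str]] = {
    "metamask": {"metamask.io"},
    "coinbase": {"coinbase.com"},
}

# Assumption: hosting platforms where anyone can publish a page under a shared parent domain.
SHARED_HOSTING_SUFFIXES = ("sites.google.com", "azurewebsites.net")


def _host_matches(host: str, domain: str) -> bool:
    """True when host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify_url(url: str) -> Tuple[str, str]:
    """Return (verdict, reason) where verdict is 'ok', 'suspicious' or 'unknown'."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    for brand, domains in OFFICIAL_DOMAINS.items():
        if any(_host_matches(host, d) for d in domains):
            return "ok", f"{brand} official domain"
        mentions_brand = brand in host or brand in path
        if mentions_brand and any(_host_matches(host, s) for s in SHARED_HOSTING_SUFFIXES):
            return "suspicious", f"'{brand}' on shared hosting {host}"
        if brand in host:
            return "suspicious", f"'{brand}' in unofficial hostname {host}"
    return "unknown", "no monitored brand mentioned"


def flag_suspicious(urls: List[str]) -> List[str]:
    """Subset of urls that classify as suspicious, in input order."""
    return [u for u in urls if classify_url(u)[0] == "suspicious"]


# Constructed sample input (not real observed URLs).
SAMPLE_URLS = [
    "https://metamask.io/download/",
    "https://sites.google.com/view/metamask-wallet-restore",
    "https://coinbase-verify.azurewebsites.net/login",
    "https://help.coinbase.com/",
    "https://metamask-support.example.net/",
    "https://example.org/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(classify_url(u), u)
```

This is a heuristic, not an oracle: a legitimate community page that mentions a brand on Google Sites will be flagged, which is acceptable for a gateway that blocks credential entry but should be paired with an allowlist before it is used to auto-block.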

Security Firms Have Their Work Cut Out

With crypto theft an ongoing concern for most investors and regulators, security firms are, fortunately, keeping a watchful eye out. At the beginning of April, global cybersecurity firm ESET uncovered a criminal plot to steal users’ digital assets via apps impersonating popular cryptocurrency wallets. The plot involved more than 40 copycat crypto wallet sites intended to promote downloads of malicious apps.

Earlier in the year, blockchain security firm CertiK identified a US$10 million rug pull on Arbix Finance. The firm warned users who had engaged with the protocol to avoid it, along with its ARBX token. CertiK allegedly found several red flags in Arbix via its Skytrace tool, which analyses fraud risk.


aUSD Depegs by 99% Amid Hacker Issuing 1 Billion Tokens

Another stablecoin has shown itself to be anything but stable after the Polkadot-based DeFi hub Acala Network was hacked on August 14, causing its stablecoin aUSD to suddenly lose around 99 percent of its value.

According to a Twitter thread posted by the Acala Network account, the rapid plunge in value of aUSD was caused by a “misconfiguration” of its iBTC/aUSD liquidity pool that resulted in the minting of over 1.2 billion of new aUSD.

Network Paused in Aftermath

In the aftermath of the breach, an urgent governance vote was taken to pause network activity while Acala Network developers tried to trace exactly what happened and come up with a strategy to resolve the situation.

Acala Network developers also called on any recipients of the erroneously minted aUSD to transfer them to addresses under their control so they could be burned and taken out of circulation, in the hope this might restore aUSD’s peg.

Erroneously Minted aUSD Returned and Burned

Following a hastily arranged community governance referendum on August 16, nearly 1.3 billion erroneously minted aUSD were returned to Acala Network’s Honzon protocol and burned.

While this step has taken many of the newly minted aUSD tokens out of circulation, it hasn’t yet had any impact on the stablecoin’s price – at the time of writing CoinMarketCap was reporting its value as US$0.01, still down 99 percent from its intended peg of US$1.

This depegging event follows on from the June collapse of the Terra-based stablecoin, UST, which triggered further failures of Terra-exposed DeFi projects including the comically named Magic Internet Money.

In the midst of the chaos sparked by Terra’s collapse, Tron founder Justin Sun decided to launch his own algorithmic stablecoin, USDD, which he subsequently had to prop up to the tune of US$2 billion just months after its launch when it too lost its dollar peg.


DeFi Protocol Curve ‘Finance’ Exploited in DNS Spoofing Attack

Curve Finance’s front end this week became the victim of an exploit that ended with a loss of more than US$573,000. Curve took to Twitter to warn its users of the issue with its site, though luckily the spoofing exploit did not affect the Curve exchange.

Exploiting the Curve

On August 9, Twitter user @samczsun alerted the public to the exploit with a tweet that read: “@CurveFinance frontend is compromised, do not use it until further notice!” Despite the Curve team’s quick response to the issue, they were unable to prevent the loss.

The hacker(s) responsible seemingly altered the protocol’s domain name system (DNS) records, directing users to a fake clone of the site that prompted them to approve a malicious contract. In a stroke of luck for Curve, the protocol’s exchange remained uncompromised, as it uses a separate DNS provider.

Curve posted a follow-up tweet an hour after the initial warning of the exploit.

While a significant sum was lost, the quick circulation of information on Twitter regarding the attack on the nameserver and front end may have prevented greater losses.

The Curve decentralised finance (DeFi) protocol is an integral part of the DeFi ecosystem, and exploits such as this cut off income sources for the other protocols that depend on it.

Protocol Exploits Elsewhere

DeFi protocol exploits have proliferated in 2022, with two notable examples occurring in May and June. The first victim was the Fortress protocol, with the crypto borrowing and lending platform losing approximately US$3 million in stolen funds. The Binance Smart Chain (BSC)-based platform had suffered an oracle attack only days prior.

More recently, Terra-based DeFi app Mirror Protocol was the subject of a US$2 million exploit related to Terra blockchain’s recent rebrand to Terra Classic. The exploit almost completely drained the mBTC, mGLXY, mETH, and mDOT pools. Luckily the developers were able to patch the damage before all pools could be drained.


‘Ethical’ Hacker Returns $9 Million of the $190 Million Nomad Exploit

After cryptocurrency bridge Nomad was exploited by hackers to the tune of US$190 million earlier this week, those responsible have sent back US$9 million.

Since then, a recovery wallet has been set up for the safe return of any other funds they may wish to reimburse.

An Attack of Ethics, or Hackers’ Remorse?

Blockchain security and data analytics company PeckShield detected the initial return of stolen funds to Nomad, primarily in the form of USDC alongside USDT and other altcoins.

Then, on August 3, Nomad posted a tweet requesting the return of the remainder of the funds.

Nomad is a protocol that allows users to transfer tokens from Ethereum to other chains. The August 1 exploit appeared to be the outcome of a flaw in its smart contract. This means a multitude of users, with no technical knowledge, were able to find a transaction that worked, modify the target address with their own, and rebroadcast it.
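Both the Binance bridge item above (a bug in how the bridge verified proofs) and this Nomad item (a working transaction copied, its target address changed, and rebroadcast) come down to the same defensive requirement: a bridge must only release funds for a message that is provably part of a committed batch, and must never process the same message twice. The Python below is an added illustration written for this page, not the code of either bridge, and it does not reproduce either bug. It builds a Merkle tree over constructed cross-chain messages, issues an inclusion proof, and shows a receiver that rejects a message whose recipient field was edited (its leaf hash no longer matches the proof) and rejects a replay of an already-processed message. The message format, the leaf/node domain-separation prefixes and the sample values are assumptions.

```python
"""Merkle inclusion proofs with replay protection for bridge messages.
Added illustration; message fields and hashing conventions are assumptions."""
import hashlib
import json
from typing import List, Tuple

Proof = List[Tuple[bytes, bool]]  # (sibling_hash, sibling_is_left)


def leaf_hash(message: dict) -> bytes:
    """Canonical JSON so equal messages always hash identically; 0x00 prefix
    separates leaves from internal nodes."""
    return hashlib.sha256(b"\x00" + json.dumps(message, sort_keys=True).encode()).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def build_tree(leaves: List[bytes]) -> List[List[bytes]]:
    """All levels bottom-up; an odd level is padded by duplicating its last node."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2 == 1:
            cur = cur + [cur[-1]]
        levels.append([node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def merkle_root(levels: List[List[bytes]]) -> bytes:
    return levels[-1][0]


def proof_for(levels: List[List[bytes]], index: int) -> Proof:
    proof: Proof = []
    for level in levels[:-1]:
        if len(level) % 2 == 1:
            level = level + [level[-1]]
        sibling = index ^ 1
        proof.append((level[sibling], sibling < index))
        index //= 2
    return proof


def verify_inclusion(root: bytes, leaf: bytes, proof: Proof) -> bool:
    """Recompute the path to the root; any change to the leaf breaks it."""
    h = leaf
    for sibling, sibling_is_left in proof:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return h == root


class Receiver:
    """Receiving side of a bridge: trusts one committed root (assumed to have
    been attested by the sending chain) and remembers processed messages."""

    def __init__(self, trusted_root: bytes) -> None:
        self.trusted_root = trusted_root
        self.processed: set = set()

    def process(self, message: dict, proof: Proof) -> str:
        lh = leaf_hash(message)
        if not verify_inclusion(self.trusted_root, lh, proof):
            return "rejected: not in committed root"
        if lh in self.processed:
            return "rejected: replay"
        self.processed.add(lh)
        return "accepted"


# Constructed batch of messages (addresses are placeholders, not real accounts).
MESSAGES = [
    {"nonce": 1, "sender": "0xsender-1", "recipient": "0xrecipient-1", "amount": 100},
    {"nonce": 2, "sender": "0xsender-2", "recipient": "0xrecipient-2", "amount": 250},
    {"nonce": 3, "sender": "0xsender-3", "recipient": "0xrecipient-3", "amount": 42},
]
LEVELS = build_tree([leaf_hash(m) for m in MESSAGES])
ROOT = merkle_root(LEVELS)


def demo() -> List[str]:
    """Valid message, replay of it, and a copy with the recipient swapped."""
    rx = Receiver(ROOT)
    proof = proof_for(LEVELS, 0)
    edited = dict(MESSAGES[0], recipient="0xplaceholder-other")
    return [rx.process(MESSAGES[0], proof), rx.process(MESSAGES[0], proof), rx.process(edited, proof)]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The two checks are independent and both are needed: inclusion proves the message was committed by the source chain, and the processed set stops the same committed message from being paid out more than once.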

Some of the users who raked in the stolen funds were, in fact, trying to assist the project by preventing the crypto from falling into the wrong hands. Nomad is appealing to these “ethical researchers” and “white hat hackers”, and has provided a crypto custodian (Anchorage Digital) to handle and safeguard the returned assets.

The Kindness of (Some) Hackers

In February this year, one white hat hacker chose a mere US$2 million bug bounty over the option of “printing unlimited ETH”. The hacker reportedly decided to warn the Optimism team of an issue rather than take the opportunity to print the ETH.

In June, another vigilante hacker was paid US$6 million for preventing a US$330 million hack. Two months earlier, the bug had been reported to Aurora via ImmuneFi, a leading Web3 bug bounty platform. All that is known about this hacker is their Ethereum domain name: pwning.eth.


Solana Mobile Wallet Exploited, Millions Drained from Over 8,000 Users

Solana users this week reported that their funds had been drained from more than 8,000 internet-connected “hot” wallets, including Phantom, Slope, and TrustWallet, amassing losses exceeding US$5 million according to blockchain auditing firm OtterSec.

Hardware Wallets Not Compromised

No evidence was found that the Solana protocol or its cryptography were compromised, nor were its hardware wallets. According to a Solana Status tweet, engineers from across several ecosystems, in conjunction with audit and security firms, were continuing to investigate the “root cause” of the attack.

Blockchain investigation firm PeckShield posted on August 2 that the hack was most likely due to a “supply chain issue”, which was exploited to steal user private keys behind the affected wallets. The exact cause of the attack remains unclear, although it appears that mobile wallet users were impacted most. The attackers were able to sign transactions on behalf of users, suggesting that a trusted third-party service might have been compromised.

The Solana Status Twitter account shared its preliminary findings via developers and security auditors, saying that “it appears affected addresses were at one point created, imported, or used in Slope mobile wallet applications”.

The thread continued: “This exploit was isolated to one wallet on Solana, and hardware wallets used by Slope remain secure … While the details of exactly how this occurred are still under investigation, private key information was inadvertently transmitted to an application monitoring service.”
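The preliminary finding quoted above is that private key material was sent to an application monitoring service along with ordinary telemetry. The standard mitigation is a scrubbing hook that runs on every event before it leaves the device. The Python below is an added example for this page, not Slope's code or any monitoring vendor's SDK: it redacts values under sensitive-looking keys, whole values that look like a 12- to 24-word recovery phrase, and 64-hex-character or long base58 strings embedded in free-text messages. The key patterns, the length thresholds and the sample event are assumptions chosen for the example.

```python
"""Scrub secrets from telemetry events before they are sent to a monitoring service.
Added illustration; key patterns, length thresholds and the sample event are assumptions."""
import re
from typing import Any

REDACTED = "[REDACTED]"

# Assumption: key names that should never carry a loggable value.
SENSITIVE_KEY = re.compile(r"(private[_-]?key|secret|mnemonic|seed|passphrase|password)", re.I)
# 32-byte keys written as hex, optionally 0x-prefixed.
HEX_KEY = re.compile(r"\b(?:0x)?[0-9a-fA-F]{64}\b")
# Assumption: base58 strings of 80-90 chars, the typical length of a 64-byte key.
BASE58_KEY = re.compile(r"\b[1-9A-HJ-NP-Za-km-z]{80,90}\b")
# A whole value made of 12 to 24 lowercase words looks like a recovery phrase.
WORD_LIST = re.compile(r"^(?:[a-z]+\s+){11,23}[a-z]+$")


def scrub_string(value: str) -> str:
    """Redact a whole phrase-like value, or mask key-like substrings inside free text."""
    if WORD_LIST.match(value.strip()):
        return REDACTED
    value = HEX_KEY.sub(REDACTED, value)
    return BASE58_KEY.sub(REDACTED, value)


def scrub(obj: Any) -> Any:
    """Recursively scrub dicts, lists and strings; other scalars pass through."""
    if isinstance(obj, dict):
        return {k: (REDACTED if SENSITIVE_KEY.search(str(k)) else scrub(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [scrub(v) for v in obj]
    if isinstance(obj, str):
        return scrub_string(obj)
    return obj


def before_send(event: dict) -> dict:
    """Hook shape used by many error-reporting SDKs: returns the event to transmit."""
    return scrub(event)


# Constructed sample event; the phrase and key below are deliberately non-random placeholders.
SAMPLE_EVENT = {
    "event": "wallet_imported",
    "user": {"id": "u-1234", "platform": "android"},
    "extra": {
        "mnemonic": "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about",
        "network": "mainnet",
    },
    "breadcrumbs": [
        {"message": "restored from seed 0x" + "ab" * 32},
        {"message": "note: " + "abandon " * 11 + "about"},
        {"message": "user tapped import"},
    ],
}

if __name__ == "__main__":
    import json
    print(json.dumps(before_send(SAMPLE_EVENT), indent=2))
```

The hook errs on the side of redaction: a 64-hex-character transaction hash in a log line will be masked too, which costs a little debugging convenience and is far cheaper than shipping a signing key to a third party.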

Yet Another Setback for Solana

Over the past nine months, Solana has suffered some severe downtime on its network caused by “excessive duplicate transactions” and “high levels of congestion”. It also suffered a distributed denial-of-service attack in December last year that jammed the network and led to huge delays, leading many to question the security of the network.


‘World’s Most Secure Exchange’ ZB.com Hacked for $5 Million

Formerly China-based ZB.com, which touts itself as the world’s most secure digital asset exchange, has had US$4.8 million pilfered from its hot wallet in a suspected hack.

Blockchain security firm PeckShield disclosed the suspected hack on August 3, identifying that large volumes of more than 20 different digital assets had been transferred out of the exchange’s hot wallet to another address. Most of the transferred assets have since been sold for ETH.

In response to the incident, ZB.com suspended customer withdrawals for what it describes as “temporary maintenance”, explaining in a statement:

Due to the sudden failure of some core applications, it still takes time to troubleshoot the problem. Deposit and withdrawal services are now suspended. Please do not deposit any digital currency before recovery. 

ZB.com statement

Wide Range of Digital Assets Taken

Among the 21 digital assets stolen in this suspected hack were over US$800,000 in Tether (USDT), almost US$300,000 in MATIC and over US$200,000 in IMX.

After being funnelled out of ZB.com’s hot wallet, the majority of the funds were subsequently sent to a number of decentralised exchanges by the hacker and sold for 2,224 ETH, currently valued at US$3.6 million. Another wallet PeckShield believes is also controlled by the hacker still holds just over US$1 million worth of stolen assets, which haven’t yet been sold.

Exchange Has Long History in Crypto

ZB.com is one of the oldest crypto exchanges currently operating, having been founded in China as CHBTC.com in 2013. Following China’s crackdown on crypto in 2017, the exchange ceased its activities inside China, rebranded as ZB.com and moved its headquarters to Switzerland. 

Despite this recent hack, ZB.com continues to flaunt its supposed status as the world’s most secure crypto exchange in its Twitter bio.

In the past year, exchange hacks have become increasingly frequent. In December 2021, US-based exchange BitMart was hacked for almost US$200 million, and in January Liechtenstein-based exchange LCX had one of its hot wallets hacked, losing almost US$8 million.


Nomad Cross-Chain Bridge Drained by Over $150 Million

Nomad has suffered an exploit resulting in the loss of up to US$190 million worth of crypto assets. Nearly the bridge’s entire holdings have been drained, leaving only US$651.54 in the wallet.

Nomad Still Investigating

Nomad, a token bridge that allows transfers of tokens between the Avalanche, Ethereum, Evmos, Milkomeda C1 and Moonbeam blockchains, is still investigating the incident. Some of the funds lost in the attack were taken by so-called “white hat friends” who removed the funds with the intention of safeguarding them.

The first transaction came at 9:32 pm UTC when someone managed to remove 100 Wrapped Bitcoin tokens, worth about US$2.3 million, with holdings of Wrapped Ether and the USDC stablecoin also subsequently affected.

It was later confirmed by security firm PeckShield that as much as US$190 million worth of cryptocurrencies were taken. Blockchain data suggests that transactions may have been constructed to make it appear that multiple actors were involved.

Crypto Bridges Security Remains a Concern

In January this year, cross-chain protocol ‘Multichain’ reported an attack in which hackers managed to exploit various vulnerabilities in the protocol, stealing over US$1 million. When the Multichain team announced the hack, it prompted attackers to steal more funds, raising the total amount lost to roughly US$3 million.

In June, Axie Infinity’s Ronin bridge finally re-opened after losing US$625 million in a similar attack. Victims were said to have been fully compensated.


Axie Infinity CEO Moved $3 Million Before Disclosing Record $622 Million Hack: Report

Trung Nguyen, co-founder and CEO of Sky Mavis, the studio behind the Axie Infinity blockchain game, reportedly moved around US$3 million in cryptocurrencies before the company disclosed the details of a US$625 million hack.

In March, Axie Infinity weathered one of the all-time largest DeFi hacks when the bridge connecting its Ronin network sidechain to Ethereum was exploited. Now Nguyen has come clean on exactly what took place before the hack was disclosed.

Bloomberg’s analysis of blockchain data found that a crypto wallet controlled by Nguyen transferred around US$3 million worth of the game’s AXS governance token from the Ronin sidechain to the Binance crypto exchange. Nguyen’s transfer took place just three hours before Sky Mavis disclosed the hack, almost a week after the attack took place.

Funds Transferred From Nguyen’s Own Wallet

According to Sky Mavis representative Kalie Moore:

At the time, we (Sky Mavis) understood that our position and options would be better the more AXS we had on Binance. This would give us the flexibility to pursue different options for securing the loans/capital required.

Kalie Moore, Sky Mavis

Moore added that the funds were transferred from Nguyen’s own wallet so that AXS short sellers “would not be able to front-run the news”. She also dismissed accusations of other motives regarding the nature of the transfer as “baseless”.

The attack on the Ronin network took place on March 23 but was not discovered until March 29. The attackers stole 173,600 Wrapped Ethereum (WETH) and 25.5 million USDC stablecoins, worth US$625 million at the time of disclosure. They used hacked private keys to gain control of five of the network’s nine validators to sign fraudulent transactions and transfer the funds.

All Users Reimbursed

In the wake of the attack, Sky Mavis announced that it had raised US$150 million to facilitate user refunds. All users were reimbursed after the Ronin bridge was reopened.