
Algorand-Based DeFi Platform ‘Tinyman’ Exploited for $3 Million

The DeFi space has already had its first breach this year as Tinyman, an Algorand-based decentralised trading platform, was hacked and drained for roughly US$3 million.

On January 1, Tinyman announced via its Twitter account that its platform had been compromised, saying it had pulled the remaining liquidity from Tinyman on the TINY token. The platform has advised its community to withdraw their funds while the exploit is ongoing.

How the Breach Took Place

As per the investigation, the attackers managed to exploit various vulnerabilities in the platform’s smart contracts, giving them access to various liquidity pools. They started interacting with the targeted pools and swapped a portion of their funds to acquire ASAs, causing price instability in the following hours.

The attacker exploits an unknown bug in the burning of pool tokens and receives two of the same assets instead of two different assets. This worked in favour of the attacker since the gobtc asset was significantly more valuable than ALGO, which they immediately swapped against ALGO to receive more funds to continue their attack.

Tinyman blog post

The team behind Tinyman said that they were unable to block ongoing transactions on the blockchain as the contracts are permissionless. The first step, however, was to pull all of the liquidity from all Tinyman contracts and return it once the platform is clear of any attacks.

Another Day, Another Hack

DeFi protocols are always at risk of suffering smart contract exploitations on their platforms, or similar attacks such as security breaches or DoS (Denial of Service). As expected, each platform’s token drops massively after the liquidity pools are drained, leaving a wide cut on investors’ pockets.

In December 2021, the crypto community saw DeFi marketplace MonoX hacked for US$31 million, one of the largest hacks in that month. Two months earlier, Indexed Finance suffered its first hack, with US$16 million drained out of their two pools.


Ethereum Sidechain Project Polygon ‘Hard Forked’ After Critical Bug Discovered

Ethereum sidechain project Polygon (MATIC) could well have lost almost all of its MATIC tokens, worth US$24 billion, after it discovered a “severe” bug that had gone unnoticed for some time. To avert that enormous loss, the Polygon network underwent a hard fork to save the project.

‘Critical’ Vulnerability Found in Polygon’s PoS Genesis Contract

The hard fork proceeded after a “critical” vulnerability was found in Polygon’s proof-of-stake genesis contract, which would have allowed attackers to steal 9.2 billion MATIC tokens. The total supply of MATIC is 10 billion, and any vulnerability would have put 9.2 billion of those tokens at risk, a potentially devastating loss.

The problem was reported on the bug bounty platform Immunefi by a white hat hacker known as Leon Spacewalker. Following the discovery of the bug, Immunefi informed the team at Polygon, after which they confirmed it.

However, Polygon did not come out entirely unscathed. Before the upgrade on the mainnet could be completed, an unknown black hat hacker stole 801,601 MATIC, worth about US$1.6 million.

The team at Polygon reported: “Despite our best efforts, a malicious hacker was able to use the exploit to steal 801,601 MATIC before the network upgrade took effect.”

Co-founder Conceded Pre-existing Vulnerability

Although Polygon did not release details regarding the incident until December 29, chatter on social media had emerged mid-month about the network’s zero-warning hard fork. During that time, Polygon co-founder Mihailo Bjelic did concede that a vulnerability existed and that the team would subsequently release details of the problem.

Bjelic wrote at the time: “We are now investing much more on security and we’re making an effort to improve security practices across all Polygon projects.”

When asked why the project waited until this week to disclose information regarding the bug, the core development team explained its “silent patches” policy:

All in all, the team struck the best possible balance between openness and doing what’s best for the community, partners and the broader ecosystem in handling this extremely urgent and sensitive issue. But you can be the judge of that.

Polygon core development team statement

Polygon Records Exponential Growth

Polygon is undergoing a period of growth and mass adoption, and is evolving and adapting along with it. The scaling solution has seen an increasing number of decentralised applications (dApps) running on the network. Data has also revealed that Polygon is growing at a rate two times faster than Ethereum at a comparable time in its history.

Having seen massive adoption from DeFi protocols, Polygon is also planning to launch a decentralised autonomous organisation (DAO) with the ultimate goal of improving users’ DeFi experience, while at the same time attracting more users to DeFi.

Polygon was also recently included in an exciting partnership between Exodus Wallet and SportX, which will allow its users to wager on esports and crypto prices on the network.


New Spider-Man Movie Torrent Contains Malicious XMR Mining Program

Cybercriminals have to keep up with the latest trends in order to continue running their scams, so it comes as no surprise they’re exploiting the popularity of blockbuster movie Spider-Man: No Way Home as a way to launch crypto-malware attacks.

Fans are urged to be careful when downloading pirated copies of the newest edition of the film as cybercriminals have uploaded a Monero miner code on a torrent download file.

Scammers Hiding Crypto Miner Malware in Torrent Files

Experts from ReasonLabs have reported details of a new malware attack in which scammers embed Monero (XMR) miner code in a torrent download file for the Spider-Man film. The warning was first issued on December 23, along with details that the torrent file for the movie is named “spiderman_net_putidomoi.torrent.exe” in Russian.

The name translates to “spiderman_no_wayhome.torrent.exe” and the filename has led experts to believe that the malware did in fact originate from a Russian torrenting website.

Once the file is downloaded, the crypto-malware exploits the computer’s power to mine Monero, a privacy coin that operates with untraceable transactions. This type of attack is not as severe as others and does not affect computer performance, but will drive a victim’s power bill sky-high due to its massive energy consumption. Police agents have conceded that hackers are using legitimate names, so the program tends to go unnoticed by antivirus software.

Researchers at ReasonLabs have provided an example of the malware’s details:

What the malware file meta looks like. Source: ReasonLabs

In order to keep from downloading the malware, users are urged to look carefully at aspects such as the file type. A real film should end with the suffix “.mp4” while a crypto-malware file ends with “.exe”. Fans should be especially cautious when downloading content from the internet and are discouraged from downloading a file in Torrent and from other non-official sources.

News of the scam came soon after Bitcoin penny stock BitTorrent soared 80 percent ahead of its Mainnet Launch, which took place earlier this month.

Crypto Scams Continue on the Rise

As more crypto projects launch, more opportunities are created for scammers to take advantage of unwitting users. Late last month, Crypto News Australia published an article detailing a Threat Horizons report which indicated that 86 percent of hacked accounts were being used to mine cryptocurrencies. Poor security measures were cited as the main reason malicious actors were able to infiltrate accounts.

Although the scam found in the Spider-Man torrent is not particularly dangerous, last month an insidious and highly sophisticated crypter was found in the crypto community. Named the “Babadeda” crypter, the malware is still targeting crypto enthusiasts on the popular community chat app Discord.


Bent Finance Confirms Pool Exploit, $1.6 Million Rug Pull Suspected

Another day, another DeFi rug pull when, on December 20, Bent Finance discovered there had been an exploit of its staking and farming platform.

Everybody Out of the Pool!

Bent Finance immediately called for investors to withdraw their pool funds and announced it had disabled the reward claims while the attack was being investigated, adding it would “make this right” and confirming it would recover all stolen funds from the Bent curve pool:

We recommend you withdraw from the protocol until further notice. We are not going anywhere and will recover from this one way or another.

Bent Finance tweet

Bent Hires White Hats to Decipher Exploit

Bent hired the services of two white-hat hackers to help uncover the details of the exploit. Crypto fraud investigator Joe McGill confirmed that approximately 440 ETH (US$1.75 million at the time of writing) was stolen by the hackers. Full details of the attack are explained on the Bent Finance medium.

DeFi is still in the teething stages of development and attacks such as these are common and frequent. Just two weeks ago DeFi protocol BadgerDAO suffered a similar attack, losing US$120 million in funds.


Twitch Co-Founder’s NFT Drop Went Badly, Users Lose $154,000 in Discord Scam

Fractal, a Solana-based NFT marketplace created by Twitch co-founder Justin Kan, has lost roughly US$150,000 worth of SOL after suffering a security breach this week.

Ahead of its debut, Fractal had around 100,000 users on its platform waiting for the NFT airdrop, but someone managed to hack the startup’s Discord channel, specifically the announcement bot, causing it to send out fraudulent links to a lookalike website whose name used an ‘i’ instead of an ‘l’, as in “Fractai”, prompting users to pay for non-existent NFTs.

Kan acknowledged the situation on Twitter, urging users to not follow any link in the Discord channel.

On the other hand, Fractal said it was working to “make things right” and will reportedly reimburse affected users.

Discord Scams on the Rise

Fractal users can only be patient and hope to be reimbursed sometime soon. Some protocols have had to reimburse their users after their platforms were attacked – such was the case with Animoca, which had to repay users 265 ETH after its Discord channel was hacked last month.

A few hours prior to the Fractal incident, another Solana-based project was hacked for over 1.3 million worth of SOL. The project, called Monkey Kingdom, suffered a similar security breach on Discord.

One of the biggest and most frustrating rugs for the Solana community occurred in October when an alleged 17-year-old artist promised to deliver 8000 NFT artworks on the project’s Discord channel but failed to deliver and instead absconded with US$500,000 worth of investors’ funds.


Grim Finance DeFi Protocol Hacked for $30 Million in Fantom Tokens

Grim Finance is the latest DeFi (Decentralised Finance) protocol to fall victim to a hack in which attackers exploited a flaw in the vault contract to drain millions.

On December 19, Grim Finance, a compounding yield optimiser on the Fantom blockchain, was targeted by an “advanced attack” in which hackers drained an estimated US$30 million in Fantom (FTM). In a series of tweets, Grim explained that the unknown attackers exploited a flaw in its vault contract.

Smart Contract Exploited

The hackers used a reentrancy attack. In this case it allowed the attacker to make repeated withdrawals from a smart contract while the initial transaction was still in progress: because the contract never updated the receiver’s balance before making the external call, each re-entered call passed the balance check, effectively allowing the loop to continue.

In reality, the attack can be prevented with little effort, mainly by updating the balance before the funds are sent rather than after, so that no state changes remain pending when the external call is made. According to Quantstamp senior research engineer Martin Derka, “if no internal state updates happen after an ether transfer or an external function call inside a method, the method is safe from the reentrancy vulnerability”.

As of December 19, all deposits into Grim Finance vaults remain paused to prevent further theft. The Grim team has contacted Circle (USDC), DAI, and AnySwap regarding the attacker’s address to potentially freeze any further fund transfers.

Attacker’s address

Rough Month for Some DeFi Investors

Grim Finance is the newest addition to the list of protocols that have been hacked, bringing the total up to over US$600 million stolen this month alone. The US$31 million MonoX hack just missed the cut, taking place at the end of November.

According to a tweet by RugDoc, “Hopefully all projects can draw lessons from this incident that there is much knowledge most experienced solidity devs have at hand”, adding that “if you haven’t acquired this yet, don’t build multimillion-dollar projects”.


96 Private Keys Stolen From Vulcan Forged Crypto Gaming Platform in $140 Million Theft

A hacker who exploited Polygon gaming platform and NFT marketplace Vulcan Forged was able to steal a total of over 4.5 million of the $PYR native token, valued at US$140 million at the time of the December 14 attack. A total of 96 users’ wallets were accessed by the hacker via private keys.

‘Darkest Day in our History’

CEO Jamie Thomson described the situation as “the darkest day in the Vulcan Forged history” in this video posted on the company’s Twitter account:

The hacker was able to attack the Vulcan Forged servers, gaining access to the vending credentials of the semi-custodial wallets and then extracting the private keys of the game’s users. To prevent any repeat of the exploit, Thomson says the platform will in future be using nothing other than decentralised wallets “so we never have to encounter this problem again”.

Full Refunds and a Heartfelt Apology

Refunds have been made to every wallet that had the game’s native $PYR tokens stolen, and Vulcan Forged will also be reimbursing the loss of any Matic and Eth tokens stolen from users. Ending with a sincere apology to the community, Thomson said: “obviously sorry doesn’t cut it, but we are sorry”.

It has been a disappointing outcome for the Vulcan Forged team, not to mention players and investors. $PYR dropped in value by over 30 percent in the 24 hours post the hack.

In a similar incident last month, the bZx DeFi protocol had funds drained from its Binance Smart Chain (BSC) and Polygon contracts after one of the developers had his private key stolen in a phishing attack.


Solana Reportedly Suffers DDOS Attack Casting Doubt on Proof-of-History

Solana has suffered a distributed denial-of-service (DDoS) attack that jammed the network and led to huge delays, but managed to stay online through it all.

A DDoS attack generally involves an organised “botnet” (a large number of coordinated devices) flooding a blockchain’s network at once in order to overload the system and choke traffic to the point that the network fails and goes offline.

As the new cool kid on the block, Solana is currently the fastest blockchain in the crypto space and has been hailed as the “Eth Killer”. Praised as the answer to Ethereum’s network congestion issues during times of high traffic, Solana offers much faster processing times and lower transaction fees.

Has Solana Sacrificed Network Security For Speed?

The DDoS attack has raised the question of whether Solana has sacrificed network security for speed. Whether Solana’s proof-of-history consensus model is sufficiently secure against attacks such as this one has opened up discussion online. Justin Bons, founder and CIO of crypto funds investment management company CyberCapital, breaks down the concerns over the security of the Solana blockchain in the Twitter post below. He says that because of the Solana network’s deterministic block creation model, it is possible to predict and attack the next block producers in line.

In this week’s Grayscale Investments report, the world’s largest crypto fund management firm also voiced its concerns over the Solana blockchain’s consensus mechanism as a potential risk: “The Solana consensus mechanism uses a new blockchain technology that is not widely used, and may not function as intended. There may be flaws in the cryptography underlying the network, including flaws that affect the functionality of the Solana network or make the network vulnerable to attack.”

This is not the first time Solana has suffered a DDoS attack. In September the network suffered two attacks that stopped it processing transactions and took Solana offline for a short time. The project’s developer has tweeted that these outages from attacks are all just “growing pains” and that he is still insanely bullish on Solana.

Many DApps have been integrating Solana into their projects, including the recent partnership with Brave browser announced on stage at Breakpoint 2021 (a crypto conference organised by Solana) in Portugal last month.

Solana Proof of History Explained

If you’re keen to get a sense of how Solana’s consensus mechanism works, be sure to check out this explanatory video below.


Crypto Exchange AscendEX Loses $80 Million in Hot Wallet Exploit

Crypto exchange AscendEX has lost over US$77 million worth of several high-profile cryptocurrencies, including Ether (ETH), Binance Coin (BNB) and various Polygon tokens, in a breach of its hot wallet.

Three Blockchains Affected

On December 11, AscendEX tweeted about the incident, reporting that it had detected a “number of ERC-20, BSC, and Polygon tokens transferred from our hot wallet”. More than US$77 million worth of various tokens across three blockchains was drained by the hacker(s).

$60 Million in ETH Stolen

The amount stolen was known after security firm PeckShield conducted research on the incident. According to the firm’s experts, the estimated losses were: US$60 million on Ethereum, $9.2 million on Binance Chain, and $8.5 million on Polygon. Stolen tokens included several stablecoins such as Tether (USDT) and USD Coin (USDC), along with DeFi tokens including Compound (COMP), Aave (AAVE), and the popular memecoin Shiba Inu (SHIB).

The event comes shortly after Crypto News Australia reported the US$200 million hack on centralised US crypto exchange BitMart, which suffered one of the biggest security breaches in crypto history on December 4.

Another exchange to have suffered a major security breach is Hong Kong-based platform Bilaxy, which lost US$450 million worth of several ERC-20 tokens in an August incident.


Users of Pirated Windows Software Could Be Losing Bitcoin to Crypto Malware

Software pirates that use the KMSPico tool to activate Windows on their computers might also be inadvertently opening the doors for malware to steal crypto right out of their wallets.

Red Canary in the Coalmine

The issue, first spotted by security research firm Red Canary, was that users who installed cracked software – in this case a fake KMSPico installer – had opened up their computers to malware that could steal credentials straight off a PC.

KMSPico is a tool used to activate the full features of Microsoft Windows and Office products without the user actually owning a licence key. Alongside the difficulty in finding a clean download, the antivirus disabling instructions prepare unwitting victims to receive malware.

Crypto Wallets Beware

A classic stowaway on cracked software like KMSPico is Cryptbot, which harms people and organisations by stealing credentials and other sensitive information from affected systems. Cryptbot is able to collect sensitive information from a wide range of applications, including browsers and wallet applications such as:

  • Brave browser
  • Opera web browser
  • Google Chrome web browser
  • Mozilla Firefox web browser
  • Atomic cryptocurrency wallet
  • Electrum cryptocurrency wallet
  • Exodus cryptocurrency wallet
  • Monero cryptocurrency wallet

The list goes on, but you get the point.

Given the potential profitable rewards involved in cryptocurrency, malware, hacking and other forms of intrusion have been a continual thorn in the side of crypto users. Schemes have ranged from ‘Babadeda’ targeting users on Discord to fraudulent crypto apps designed to steal users’ private keys. According to a report from Google, 86 per cent of Cloud accounts hacked are then used to mine crypto.