
BitMart Exchange Hacked for $200 Million

The centralised US crypto exchange BitMart has been hit by one of the most devastating hacks to date, draining an estimated US$196 million in various cryptocurrencies.

According to a Twitter thread by Sheldon Xia, founder and CEO of BitMart, on December 5 a “large-scale breach” of its Ethereum (ETH) and Binance Smart Chain (BSC) hot wallets was discovered. The losses were estimated to be around US$200 million by security firm PeckShield, who picked it up as it was happening.

Attackers Targeting Important Private Keys

According to an official update, withdrawals have been suspended and all other wallets are secured and unharmed, as fortunately “ETH hot wallet and BSC hot wallet carry a small percentage of assets on BitMart”. Xia later announced that the breaches had been caused by a stolen private key that the attackers used to gain access to the wallets.

The hacker made away with a mix of more than 20 tokens, including altcoins such as Binance Coin (BNB), Safemoon, BSC-USD and BNBBPay (BPay), as well as sizeable amounts of memecoins such as BabyDoge, Floki and Moonshot.

After the funds were leached, they were systematically swapped for Ether (ETH) using decentralised exchange (DEX) aggregator 1inch, and thereafter deposited into privacy mixer Tornado Cash, which made the hacked funds harder to track.

In August, Hong Kong-based cryptocurrency trading platform Bilaxy also suffered a serious attack, losing an estimated US$450 million.

BitMart to Compensate Affected Users

BitMart expects deposits and withdrawals to resume gradually from December 7. Affected users at least have a silver lining: BitMart has stated that they will be compensated and the affected pools refunded.


DeFi Protocol BadgerDAO Exploited: $120 Million in Funds Drained

BadgerDAO is the latest decentralised finance (DeFi) protocol to be hit by hackers, draining US$120 million worth of cryptocurrencies. Hackers obtained the API key for the protocol and launched a front-end attack that had users making unwanted transactions.

On December 1, BadgerDAO received reports of unauthorised withdrawals from their users’ accounts. The team’s engineers responded by pausing all smart contracts to stop any further withdrawals. However, it turns out that the hacker(s) used malicious contract permissions to drain funds from the Badger DAO yield vault.

“It looks like a bunch of users had approvals set for the exploit address allowing [the address] to operate on their vault funds, and that was exploited,” Badger core contributor Tritium wrote on Discord.

A Compromised Third Party

The postmortem stated that the hack didn’t involve exploiting smart contracts but rather an attack that targeted the protocol’s front end. According to a BadgerDAO support team member, it appears the attacker injected a malicious script into BadgerDAO’s front end after somehow obtaining an API key for BadgerDAO’s Cloudflare account.

The malicious script basically tricked people into giving the address rights to send the tokens to the exploiter address.

Jonto, Badger core team member

Affected users have been vocal on social media, with some believing this might have been a rug-pull organised by BadgerDAO itself. Until the official investigation is concluded, however, there will be no way of telling who the culprit is.

Security Still Needs Work in DeFi

The growing pains felt in the DeFi sector are mostly due to how new the field is and that there are still many best practices that need to be established. Earlier this month, US$31 million was stolen in MonoX’s DeFi hack, while October’s Indexed Finance ‘incident’ cost its users US$16 million.

Matthew Green, a cryptography and computer science professor at Johns Hopkins University, wrote on Twitter that “it’s funny how little computer security people know about the [decentralised applications] ecosystem. It’s like they’re living in the hotel from [Kubrick film] The Shining and they have no idea what’s going down in Room 237.”


Blockchain Gaming Company ‘Animoca’ to Repay Users 265 ETH After Fake NFT Discord Hack

Hong Kong-based gaming software and venture capital firm Animoca Brands has reassured victims of the recent hack of its upcoming “Phantom Galaxies” game’s Discord Server that the company intends to cover their losses.

Losses incurred totalled 265 Ether (ETH), worth about US$1.1 million. The details of the reimbursement have yet to be announced, according to the company’s website.

Fraudulent Minting Leaves Users Out of Pocket

The “Phantom Galaxies” game, which is being developed by Animoca Brands’ Australia-based subsidiary, Blowfish Studios, was hacked at around 3am on November 19. The hack involved money stolen through a fraudulent non-fungible token (NFT) sale promoted on Discord.

The hack involved 1,571 fake minting transactions over the course of three hours. According to Animoca, there was no evidence that smart contracts were compromised, and no money was stolen from the game, its developer, or its publisher. Hackers directed users to a website that charged a 0.1 ETH minting fee and sent the funds to the hackers’ Ethereum address.

The Phantom Galaxies Discord server has about 94,000 members to date. Animoca Brands has said the method of compensation for their lost ETH will be determined following discussions within the Phantom Galaxies community. Both Animoca and Blowfish took to Twitter to apologise to their users:

Hacks and Scams on the Rise

Hacks on Discord are becoming increasingly common. In a similar case earlier in the year, one user lost about US$10,000 from their MetaMask wallet at the hands of a scammer on Discord using a fake WalletConnect app.

Last month, Crypto News Australia reported on a 17-year-old who sold fake NFTs in a US$500,000 scam. Iconic Sol, an NFT project built on the Solana (SOL) blockchain, had apparently rugged investors after failing to deliver the promised NFTs and disappeared with US$500,000.

The teenager had promised to deliver 8,000 NFT artworks on the project’s Discord channel, and some of the tokens were supposed to be available in a presale on October 1. A total of 2,000 NFTs were up for grabs for a price of 0.5 SOL each, and many of them sold out quickly.


CREAM DeFi Token Falls 43% Amid News Hack Compensation Will Increase Supply

When Decentralised Finance (DeFi) lending protocol Cream Finance suffered a devastating US$130 million attack two weeks ago, the team decided to compensate users for their losses in CREAM by pushing up the total supply and in return pulling down the price.

Following the hack, the Cream team moved to redistribute 1,453,415 coins from its treasury to the impacted users. In September, Cream also paid back its users for a different attack that cost the protocol US$19 million.

In terms of changes in security, Cream has tightened its token listing strategy to no longer include long-tail assets or tokens that can be wrapped/unwrapped.

Collateral Cap limits are deployed across all markets to increase security, while additional monitoring and alerting solutions are undergoing assessment and implementation.

CREAM Finance

Price Drops as Compensation Inflates Token Supply

While Cream has 9 million coins in its total supply, according to CoinMarketCap only 150,000 of those are in circulation. A rapid increase in supply was bound to have an effect on demand, and therefore the price per coin.

CREAM price chart. Source: CoinGecko

The price of the coin had fallen from around US$88 to as low as $49.80 at the time of writing – a 43 per cent drop, according to CoinGecko. Before the October 27 exploit, Cream was trading above $152, suffering a 66 per cent drop in price since then. This is now the second significant drop in price the protocol has seen in a short span of time, and the mood among users is dark:

Individuals hit by the attack seem to have divided into two camps: some of those seeking recourse also seek to undermine the effort to compensate Cream’s users, while others realise the risk of DeFi and that it’s their responsibility to do their own research and understand the risks associated with the nascent technology.

Most of the time victims of such attacks never see anything in terms of compensation, which makes Cream quite the gift-giver, having paid out its users twice after attacks.


European Electronics Giant ‘MediaMarkt’ Victims of $50 Million Bitcoin Ransomware Attack

German multinational electronics chain MediaMarkt has suffered a ransomware attack disrupting the organisation’s IT systems globally, rendering all in-store computers inaccessible to employees. The business has been brought to a standstill unless it pays a US$50 million bitcoin ransom.

Multimillion-Dollar Ransom Demand

MediaMarkt suffered a Hive ransomware attack on November 7, causing network outages in its IT infrastructure across all branches in the Netherlands and Germany, with the attackers demanding a multimillion-dollar ransom in bitcoin (BTC). The attack has allegedly encrypted and blocked various key services of the retailer, including its ability to accept credit cards and process returns in some stores. Online sales are reportedly unaffected.

According to a report from Dutch news channel RTL, on every hacked computer there is a file containing the message: “Your network has been hacked, and all data has been encrypted. To regain access to all data, you must purchase our decryption software”.

MediaMarkt (Belgium) spokeswoman Janick De Saedeleer told local news channels: “We are investigating everything at the moment; I can only confirm that this is an international attack.”

The company immediately informed the relevant authorities and is working at full speed to identify the affected systems and repair any damage caused as quickly as possible.

MediaMarkt statement

Up to 3,100 Servers Possibly Affected

With over 1,000 stores across Europe and reported revenues of nearly US$25 billion per year, MediaMarkt is Europe’s largest and most profitable electronics retailer, making it a prime target for cyber criminals. Screenshots posted on Twitter claim that 3,100 servers were compromised, though this information is yet to be verified.

Copy of the ransom note found on MediaMarkt computers

Initially, the ransom demand was US$240 million, according to tech website Bleeping Computer, but that amount dropped almost immediately when MediaMarkt began negotiating.

Hive Hacker Group Behind the Attacks

While there are many groups running active hacking campaigns, MediaMarkt’s attackers are known as Hive. The group, which has previously hacked hospital computer systems, among others, handles its business quite professionally. It even has a sort of “customer service” division where victims can chat with the hackers to negotiate the ransom and get a few hostage files back as proof. Those who fail to pay in time will find their information up for grabs on the group’s website; by leaking this data, the hackers put pressure on their victims.

Alongside the rise in crypto prices this year, ransomware attacks have also increased in frequency and levels of damage. According to blockchain data company Chainalysis, by May the tally of stolen crypto from ransomware attacks had already reached US$81 million.

In July, Australian software provider Kaseya was hit by a ransomware attack affecting various Aussie retailers. Members of the REvil group were found to be responsible and police seized more than US$6 million in stolen funds.


DeFi Lender bZx Loses $55 Million in Private Key Leak

The bZx DeFi protocol has had funds drained from its Binance Smart Chain (BSC) and Polygon contracts after one of the developers had his private key stolen in a phishing attack.

Late last week, Ethereum-based bZx was hacked for an estimated US$55 million. The project tweeted that “the private key controlling the Polygon and BSC deployments was compromised, leading to loss of funds”. This comes after bZx was hacked in 2020 for US$6 million and US$8 million on two separate occasions.

On the morning of November 5, the company received a series of notifications about suspicious activity, and a wallet address behind the activity was flagged. The team later found that a hacker had used the stolen private key to access BZRX contracts on BSC and Polygon, as well as the developer team wallet. The code in the contracts was then updated to enable the extraction of tokens from any wallet that had granted token approvals to the affected contracts. Lastly, the hacker used all the funds as collateral to borrow against other funds on the protocol.
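Both the BadgerDAO incident above (users tricked into approving the exploiter’s address) and the bZx contract update just described hinge on the same ERC-20 mechanism: approve() grants a spender the right to move tokens out of the owner’s balance with transferFrom, and that allowance stays in force until it is overwritten or set to zero. The following Python script is an added example, not code from this article, BadgerDAO or bZx. It replays decoded Approval events to recover an account’s standing allowances, flags the ones a wallet holder should review, and builds the approve(spender, 0) calls that would revoke them. The addresses, the trusted-spender list, the sample event log, the severity scale and every function name are this example’s own constructions.

```python
"""Audit an account's standing ERC-20 approvals from decoded Approval events.

Added example, not from the article, BadgerDAO or bZx. Every address and
amount below is constructed for illustration.
"""
from dataclasses import dataclass

UINT256_MAX = 2**256 - 1  # the "unlimited" allowance many dApp front ends request


@dataclass(frozen=True)
class Approval:
    """One decoded Approval(owner, spender, value) event from a token contract."""
    token: str    # token contract address
    owner: str    # account whose balance may be spent
    spender: str  # address now allowed to call transferFrom on that balance
    value: int    # new allowance; ERC-20 approve() overwrites, it does not add


def current_allowances(events):
    """Replay Approval events in block order; the last value seen per
    (token, owner, spender) is the allowance still in force."""
    allowances = {}
    for ev in events:
        key = (ev.token.lower(), ev.owner.lower(), ev.spender.lower())
        if ev.value == 0:
            allowances.pop(key, None)  # approve(spender, 0) revokes
        else:
            allowances[key] = ev.value
    return allowances


def audit_approvals(events, owner, trusted_spenders):
    """Flag allowances granted by `owner` that deserve review.

    Severity (this example's own scale):
      critical - unlimited allowance to a spender not on the trusted list
      high     - bounded allowance to an untrusted spender
      medium   - unlimited allowance to a trusted contract (still worth capping)
    """
    trusted = {s.lower() for s in trusted_spenders}
    findings = []
    for (token, own, spender), value in current_allowances(events).items():
        if own != owner.lower():
            continue
        unlimited = value == UINT256_MAX
        known = spender in trusted
        if unlimited and not known:
            severity = "critical"
        elif not known:
            severity = "high"
        elif unlimited:
            severity = "medium"
        else:
            continue  # bounded allowance to a trusted spender: nothing to report
        findings.append({"token": token, "spender": spender, "value": value,
                         "unlimited": unlimited, "severity": severity})
    return findings


def revoke_calls(findings, min_severity="high"):
    """Return the approve(spender, 0) calls, as (token, spender, value) tuples,
    that would neutralise every finding at or above `min_severity`."""
    rank = {"medium": 0, "high": 1, "critical": 2}
    return [(f["token"], f["spender"], 0)
            for f in findings if rank[f["severity"]] >= rank[min_severity]]


# --- constructed sample data (placeholder addresses, not real contracts) ----
OWNER = "0xOwner000000000000000000000000000000000001"
VAULT = "0xTrustedVault00000000000000000000000000001"   # a vault the user meant to use
UNKNOWN_1 = "0xUnknownSpender0000000000000000000000001"  # e.g. an address a malicious front end requested
UNKNOWN_2 = "0xUnknownSpender0000000000000000000000002"
TOKEN_A = "0xTokenA000000000000000000000000000000000"
TOKEN_B = "0xTokenB000000000000000000000000000000000"

SAMPLE_EVENTS = [
    Approval(TOKEN_A, OWNER, VAULT, UINT256_MAX),      # unlimited, but to a trusted vault
    Approval(TOKEN_A, OWNER, UNKNOWN_1, UINT256_MAX),  # unlimited to an unknown address
    Approval(TOKEN_B, OWNER, UNKNOWN_2, 1_000),        # revoked by the next event
    Approval(TOKEN_B, OWNER, UNKNOWN_2, 0),
    Approval(TOKEN_B, OWNER, VAULT, 500),              # bounded and trusted: fine
    Approval(TOKEN_B, "0xSomeoneElse", UNKNOWN_1, UINT256_MAX),  # not our account
]
TRUSTED = [VAULT]

if __name__ == "__main__":
    report = audit_approvals(SAMPLE_EVENTS, OWNER, TRUSTED)
    for f in report:
        print(f["severity"].upper(), f["token"], "->", f["spender"],
              "unlimited" if f["unlimited"] else f["value"])
    for token, spender, value in revoke_calls(report):
        print(f"revoke: {token}.approve({spender}, {value})")
```

In practice the event list would come from a log query filtered on the token’s Approval topic and the owner’s address; the replay logic is the same because every allowance change, including any increaseAllowance-style helper a token offers, ends in an Approval event carrying the new total. On the sample data the audit reports the unlimited vault approval as medium and the unlimited approval to the unknown address as critical, and only the latter makes the default revocation list.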

“Roughly 25 percent of this figure is personal losses from the team wallet that was compromised,” bZx said on Twitter. And according to a further breakdown by SlowMist, these funds are stored in seven separate addresses believed to be controlled by the hacker. However, bZx has claimed that it has the funds in its DAO treasury to cover the exploit.

Since the project’s Ethereum deployment is under the governance of a decentralised autonomous organisation (DAO), funds on that particular chain are reportedly safe from the incident.

Developer Targeted With Phishing Attack

The targeted bZx developer had their private key stolen through a phishing email sent to their personal computer, with a malicious script hidden in a Word document. The document was disguised as a legitimate email attachment; when opened, it ran a script that led to the developer’s personal mnemonic wallet phrase being compromised.

As soon as the team noticed, they notified Circle and Tether, requesting to freeze the stolen USDC/USDT in the hacker’s wallet, then contacted KuCoin to identify the hacker’s KuCoin account to pursue further action.

There’s Still Work to Do in DeFi

Last year, the protocol was caught off-guard by a margin-lending exploit, one of the first instances of a flash loan exploit – flash loans allow people to borrow huge sums of cryptocurrency to make an arbitrage trade, so long as they instantly pay back the funds. As the nascent DeFi industry evolves, there will be many growing pains for developers and investors alike.

In the past year there have been many hacks and exploits in the DeFi sector, including multimillion-dollar hacks of Indexed Finance, Zabu Finance and C.R.E.A.M Finance, to name a few.


Australian Police Seize $1.6 Million of Cryptos Acquired Through Stolen Netflix Accounts

The Australian Federal Police (AFP), in collaboration with the US Federal Bureau of Investigation (FBI), has uncovered cryptos and cash to the value of A$1.66 million during an investigation of a convicted Sydney-based hacker. The man was arrested and subsequently ordered by the Supreme Court of New South Wales to forfeit the ill-gotten gains to the Commonwealth, according to the AFP.

Largest Commonwealth Forfeiture of Cryptocurrencies

Evan McMahon, 23, who was convicted earlier this year of selling stolen Netflix and Spotify subscriptions, has been ordered to hand over proceeds in the form of cryptocurrencies and cash to the value of A$1.66 million, of which A$1.2 million are cryptos – the largest forfeiture of cryptos to date in Australia.

The court was told McMahon conspired with US accomplice Samuel Joyner to steal the log-in details and passwords of streaming service customers, subsequently selling them online at a cheaper rate. McMahon pleaded guilty to various offences in October 2020 and was sentenced to two years and two months’ imprisonment in April 2021.

The investigation began in 2018 when the FBI passed on information to the AFP about an account generator website called WickedGen that sold stolen account details for online subscription services such as Netflix, Hulu and Spotify.

Following sentencing, the AFP-led Criminal Assets Confiscation Taskforce (CACT) obtained restraining orders over cryptos, PayPal and bank accounts held in false names, which were suspected to be controlled by McMahon.

Australia’s Home Affairs Minister Karen Andrews says the funds will be redistributed to support crime prevention, community safety-related initiatives, and law enforcement. Andrews added:

Good work by the AFP has seen a criminal stripped of their ill-gotten gains, and this money redirected to enhancing the safety and security of communities right around Australia.

Karen Andrews, Minister for Home Affairs

AFP Clamps Down on Cryptos

Many criminal organisations have turned to cryptos in an effort to hide their profits, but authorities are now moving to seize cryptos linked to illegal activities.

In the UK, police recently seized 48 bitcoin from a 16-year-old who ran an operation that scammed thousands of victims after extracting their personal details via a copycat website of gift voucher platform Love2Shop.

In Australia, the AFP has executed a series of initiatives designed to separate organised criminal syndicates from their illegally obtained profits by confiscating cryptocurrencies, designer items, homes and luxury vehicles.

The government recently passed amendments to the Surveillance Legislation Bill, granting the AFP and Australian Criminal Intelligence Commission (ACIC) new powers to surveil, intercept data, and also alter data online.

The Australian government has also mapped out plans to permit the seizure of cryptos amid a 15 percent increase in ransomware attacks. The “Ransomware Action Plan”, released last month by the Department of Home Affairs, outlines several measures in an effort to deter and punish cybercriminals. Part of the plan includes confiscating illicit cryptos.


CREAM Finance Exploited Again, This Time for $130 Million

DeFi lending protocol Cream Finance has been attacked again, this time to the tune of US$130 million, in what is its third and biggest hack by far.

Flash Loan Attack on 68 Different Assets

As highlighted by blockchain security firm PeckShield, the attacker managed to exploit the platform through a flash loan attack that involved at least 68 different assets and cost around 9 ETH. Of the estimated US$130 million drained, at press time US$92 million was held in the attacker’s contract while US$22 million was held by the contract creator’s address.

Cream Finance confirmed the event on October 27, revealing that the C.R.E.A.M. v1 marketplace on Ethereum had been attacked. The hacker took mostly Cream LP tokens and some other ERC-20 tokens: 

However, it appears that Yearn Finance, a group of DeFi protocols running on the Ethereum blockchain, had salvaged US$9.42 million from the hacker:

Third-Biggest Hack in DeFi History

A few months ago, Cream Finance suffered its second flash loan exploit in which it lost US$19 million. While the team promised to pay back its affected users, it’s unclear as to whether there’s going to be another compensation program.

This hack positions Cream Finance among the biggest DeFi hacks in history. And while Rekt’s leaderboard has not been updated, this attack relegates EasyFi’s US$59 million exploit to fourth spot, while Poly Network and Compound are at the top.

Compound has also been hit hard by malicious actors. As Crypto News Australia reported earlier this month, Compound Labs suffered its second major blow after another bug in the platform was found, putting US$162 million at risk.

DeFi hacks accounted for 76 percent of cyberattacks in 2021, causing users to lose more than US$470 million in DeFi platforms. This clearly suggests that while the space is an emerging ecosystem full of opportunities, there is cause for caution as it’s also a lucrative target for malicious actors.


Warning: Hackers Are Hijacking YouTube Channels to Run Crypto Scams

Google’s Threat Analysis Group (TAG) has been fending off hackers attacking the accounts of YouTubers to hijack and repurpose them to run ads for cryptocurrency scams.

According to an update from TAG, the team has been disrupting phishing campaigns targeting YouTubers with Cookie Theft malware since 2019. The team has recently shared details about these “financially motivated phishing campaigns” that are used to trick YouTubers in various ways to hijack their accounts and then “either sell [them] to the highest bidder or use [them] to broadcast cryptocurrency scams”.

A large number of hijacked channels were rebranded for cryptocurrency scam live-streaming. On account-trading markets, hijacked channels ranged from US$3 to US$4,000 depending on the number of subscribers.

Ashley Shen, Threat Analysis Group (TAG)

The channels would be customised to look like those of large crypto firms or crypto exchanges where the attacker live-streamed videos promising cryptocurrency giveaways in exchange for an initial contribution.

Google’s Steps to Protect Users

In collaboration with YouTube, Gmail, Trust & Safety, CyberCrime Investigation Group and Safe Browsing teams, TAG’s protective measures have “decreased the volume of related phishing emails on Gmail by 99.6% since May 2021. We blocked 1.6M messages to targets, displayed ~62K Safe Browsing phishing page warnings, blocked 2.4K files, and successfully restored ~4K accounts”.

As a result, attackers are starting to move to non-Gmail providers, “mostly email.cz, seznam.cz, post.cz and aol.com”. Phishing emails can be remarkably deceptive, and once the wheels start turning on the process it can be very difficult to stop and recover an account.

How Accounts Can Be Hacked

TAG found that the perpetrators of the campaign were recruiting hackers from a “Russian-speaking forum”. The hackers would “lure their target(s) with fake collaboration opportunities”, usually in the form of a demo for anti-virus software, a VPN, music players, photo editing or online games, and then gain access to their accounts through Cookie Theft, also known as a “pass-the-cookie attack”.

Once the target agreed to the deal, a malware landing page disguised as a software download URL [would be] sent via email or a PDF on Google Drive, and in a few cases, Google documents containing the phishing links. Around 15,000 actor accounts were identified, most of which were created for this campaign specifically.

Ashley Shen, Threat Analysis Group (TAG)

There have also been cases of malware that reads the clipboard to capture cryptocurrency details copied there.

Some of the other tactics and known procedures to hack accounts are:

  • social engineering YouTubers with advertisement offers;
  • planting fake software landing pages and social media accounts;
  • delivering cookie theft malware;
  • cryptocurrency scams and selling; and
  • hack-for-hire attackers.

Infamous Mt Gox Hack Draws to a Close, Creditors Expect 150,000 in BTC Within a Month

The end may well be in sight for creditors of the now-defunct Mt Gox, which between 2011 and 2013 was hacked to the tune of an estimated 600,000 bitcoin or approximately US$53 billion based on today’s values.

In a statement issued this week, 99 percent of creditors voted in favour of a resolution distributing bitcoins in custody back to the creditors.

Creditors wait outside Mt Gox offices. Source: The Verge

The Notorious Mt Gox Heist

At one stage, Japanese exchange Mt Gox handled over 70 percent of all bitcoin transactions worldwide. The industry was in its infancy and the exchange’s security was soon exposed as woefully inadequate. Through a combination of ignorance, naivety and mismanagement, around 850,000 BTC were stolen between 2011 and 2013, the vast majority belonging to its customers.

Today, we have a plethora of user-friendly applications that make it incredibly easy for non-technical users to take control of their keys. This naturally reduces the financial harm experienced by users when exchanges are hacked, as was the case in Hong Kong earlier this year. Unfortunately for Mt Gox customers, at the time there simply wasn’t a convenient and uncomplicated way for non-technical users to take custody of their bitcoin.

After a series of hacks and growing negative press, Mt Gox ultimately filed for bankruptcy in 2014. Since then, creditors have been embroiled in various court cases in an attempt to recover their funds.

The End May Be in Sight for Creditors

According to the statement released, the Mt Gox trustee indicated that around 99 percent of the 24,000 creditors impacted by the exchange’s collapse approved the draft rehabilitation plan originally filed in the Tokyo District Court in February. Furthermore, claimants representing roughly 83 percent of total voting rights voted in favour of the plan.

The trustee indicated that he expected the distribution of assets to commence within a month or so, once the rehabilitation plan became “final and binding”.

Unfortunately for the creditors, although unconfirmed, the trustee is said to only have 150,000 BTC to repay the affected users. While some are undoubtedly going to feel aggrieved, for some it may well have been a blessing in disguise in the sense that they are likely to have sold a long time ago.