Categories
Crypto Exchange Crypto News Crypto Wallets Hackers

Hong Kong Crypto Exchange Bilaxy Hacked for $450 Million

Hong Kong-based cryptocurrency trading platform Bilaxy has suffered a serious attack that resulted in the loss of several hundred ERC-20 tokens on its hot wallet. It’s estimated that the exchange lost about US$450 million, though Bilaxy is yet to confirm the total amount of digital assets lost to the attacker. 

Users are advised not to send any funds to their Bilaxy accounts until further notice. 

What Happened to Bilaxy?

In its official Telegram channel, the Bilaxy team said they noticed abnormal transactions from their ERC-20 hot wallet (online wallet) around 18:19 UTC on August 29. Some minutes later, they halted all services for emergency maintenance and also moved some of the tokens from the hot wallet to the cold wallet.

This was confirmed to be a security breach, and about 295 ERC-20 tokens had already been moved from the Bilaxy hot wallet to a single wallet controlled by the hacker. Hoge Finance disclosed that about one billion HOGE was stolen from the exchange, equivalent to US$145,000 at the time of writing. 

In the meantime, Bilaxy says while it’s working with third-party security and audit companies to investigate the attack, all services will remain suspended. “The time it will take to resume the platform depends on the progress of our work, [but] it will take at least two weeks or longer,” the Bilaxy team tweeted on August 30.

Crypto Exchange Attacks Are Rising

The rate of cyber attacks in the crypto space is becoming alarming. Also in August, Poly Network was drained of about US$600 million in digital assets, although the hacker has since returned all the stolen assets. 

Most recently, Japanese cryptocurrency exchange Liquid Global lost nearly US$100 million worth of cryptocurrencies in an attack that involved a hot wallet – basically any cryptocurrency wallet that functions online or requires an internet connection. Although more convenient to use, hot wallets are also more prone to attacks than cold wallets.

Categories
Crypto Wallets Cryptocurrencies Hackers

Security Warning: Hackers Can Copy Your Clipboard to Gain Your Crypto Information

If you think storing your passwords and seed phrases in your notes on your computer is safe, think again. Your computer’s clipboard keeps this information and leaves you open to hackers who can intercept it. It’s called the “clipboard hack”.

The Clipboard Hack: How It Works

If you click on the wrong thing, or visit the wrong site, you can accidentally install malware that can access your computer’s clipboard. Some malware is specifically designed to target crypto users.

When dealing in crypto, users are often copying and pasting addresses and passwords to exchange tokens from one wallet or exchange to another. Some malware is designed to swap out the copied text – a wallet address, say – and replace it with the attacker’s own, meaning if you aren’t careful you can accidentally send your crypto straight to a hacker instead of where you intended it to go.

To avoid falling victim to this, make sure to always double-check a pasted wallet address to ensure it matches the code you originally copied. Secondly, ensure you have an updated anti-malware solution to protect your digital assets from malicious actors. If you’re on a Mac, for example, you can use anti-malware software such as Malwarebytes. Another way to protect yourself is to clear or disable your computer’s clipboard feature.
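The double-check described above can be automated. The following is an added example, not code from the original article: it compares the copied value with the pasted one in full and reports how many characters agree at each end, since a glance at the first and last characters is weaker than a full comparison. The address patterns, function names and sample values are assumptions made for illustration.

```python
import os
import re

# Shape checks only (no checksum validation); the three families are an
# assumption of this example.
ADDRESS_PATTERNS = {
    "ethereum": re.compile(r"0x[0-9a-fA-F]{40}"),
    "bitcoin-legacy": re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}"),
    "bitcoin-bech32": re.compile(r"bc1[02-9ac-hj-np-z]{11,71}"),
}


def classify(text):
    """Return the address family the text is shaped like, or None."""
    value = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(value):
            return family
    return None


def canonical(text, family):
    """Normalise so that harmless differences do not raise an alert."""
    value = text.strip()
    # Hex Ethereum addresses name the same account in any letter case.
    return value.lower() if family == "ethereum" else value


def check_paste(copied, pasted):
    """Compare the value that was copied with the value that landed in the form."""
    src, dst = classify(copied), classify(pasted)
    result = {"copied_family": src, "pasted_family": dst,
              "matching_prefix": 0, "matching_suffix": 0}
    if src is None:
        result["verdict"] = "not-an-address"
        return result
    a = canonical(copied, src)
    b = canonical(pasted, dst or src)
    if dst == src and a == b:
        result["verdict"] = "match"
        return result
    # How much of the two strings agrees at each end: a quick look at the
    # first and last characters can pass even though the destination differs.
    result["matching_prefix"] = len(os.path.commonprefix([a, b]))
    result["matching_suffix"] = len(os.path.commonprefix([a[::-1], b[::-1]]))
    result["verdict"] = "swapped" if dst else "altered"
    return result


# Constructed sample values, not real wallet addresses.
COPIED = "0xab12" + "0" * 32 + "cd34"
SAME_DIFFERENT_CASE = "0x" + COPIED[2:].upper()
LOOKALIKE = "0xab12" + "f" * 32 + "cd34"

if __name__ == "__main__":
    for pasted in (COPIED, SAME_DIFFERENT_CASE, LOOKALIKE, "meeting notes"):
        print(pasted[:12], check_paste(COPIED, pasted))
```
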

How to Clear/Disable Your Clipboard 

  • How to View & Manage Clipboard in Windows 10
  • How to Clear Your Windows 7 Clipboard
  • How to View and Manage Clipboard History on a Mac

More Tips on Staying Safe

Here are some extra precautions you can take to keep safe when doing crypto transactions:

  1. Always lock your wallet when you are not using it. This will prevent other websites that you visit (that could be potentially dangerous) from connecting to it. Here’s how to do that in MetaMask: click on Accounts in the top right corner, then select Lock.

Lock your wallet with MetaMask

Your MetaMask wallet is now locked until you log in again by entering your password.

Unlock and back in business

  2. Use a different browser for crypto; this way you avoid forgetting to lock your wallet and minimise your exposure to other insecurities. For example, you could use Chrome for day-to-day stuff and Brave specifically for crypto.

  3. For extra peace of mind, close all other tabs except the one via which you connect your wallet. This way you avoid malicious pop-ups from other possibly dodgy website pages open on other tabs, which could intercept your wallet and steal your crypto. See below – this fake MetaMask pop-up, which looks almost identical to the real thing, tricks users into entering their password and giving full control of their wallet to the hacker.

Scam Alerts

There are so many scams to watch out for online; in crypto, even more so. Beware of fake crypto trading websites. Crypto News Australia has also reported on the latest Australian crypto scams going around in 2021.

Lastly, never store your seed phrases or passwords digitally on your computer or online; keep them safe as hard copies instead. Always be careful you are accessing the legitimate sites, apps and contract addresses. Double and triple-check everything. To be paranoid is to be aware.

Categories
Crypto News Hackers

Google Removes 8 Fake Crypto Mining Apps, Users Warned to Remove Immediately

As cryptocurrencies become more popular and public interest increases, hackers, scammers and other malicious actors are taking advantage of newcomers by tricking them with fake crypto applications on Google Play Store.

Victims Tricked into Paying for Fake Subscription Service 

Google recently took down at least eight such fraudulent applications that were promoted as cryptocurrency cloud mining apps for Android devices, as detected by security firm Trend Micro. The firm said these applications tricked victims into watching ads and paying for subscription services that could amount to a monthly fee of 12 to 15 USD, without returning any kind of profit to users.

The fraudulent applications were: 

  • BitFunds – Crypto Cloud Mining
  • Bitcoin Miner – Cloud Mining
  • Bitcoin (BTC) – Pool Mining Cloud Wallet
  • Crypto Holic – Bitcoin Cloud Mining
  • Daily Bitcoin Rewards – Cloud Based Mining System
  • Bitcoin 2021
  • MineBit Pro – Crypto Cloud Mining & BTC Miner
  • Ethereum (ETH) – Pool Mining Cloud

This is the second time Google has rushed to remove fake cryptocurrency apps. In November last year, a member of the Aussie Nugget’s News community reportedly lost A$20k to a fake Uniswap application hosted on Google Play Store.

Beware of Fake Crypto Apps and Sites

All of us should be wary of where to put our capital with so many threats hanging around, especially Australians, since some fake crypto exchanges are reaching out to Aussie citizens via Gmail, Telegram and other channels to lure them into downloading fake apps or depositing money into a fake exchange.

Another method hackers are using to deceive customers is fake hardware wallets. As we reported a month ago, fraudsters have been sending fake hardware wallets to Ledger customers to gain access to their addresses, following an internal security breach about a year ago.

Some other users have reported receiving fake hardware wallets with a pre-installed recovery phrase:

A Reddit user reporting a preinstalled recovery seed

Avoid Getting Scammed

With so many threats going around the DeFi and crypto community, it’s always best to DYOR (Do Your Own Research) and seek advice from experienced members in the community. At Crypto News Australia we have outlined some of the most common scams and also the best practices to help avoid them.

Categories
Crypto News DeFi Ethereum Hackers Tether

Poly Network Hack Drama Continues – Hacker Withholds $141 Million

The Poly Network drama continues as Mr White Hat is refusing to return US$141 million left on a multi-sig wallet. 

Poly Network Waits for Hacker to Return Private Keys

The hacker has returned most assets, approximately US$427 million worth. But according to a recent update, Mr White Hat is holding hostage $141 million in ETH and WBTC (28,9523 and 1,032 respectively), and about 33 million USDT is frozen.

Poly says it is in constant communication with Mr White Hat on how to deal with the situation.

Poly Accused of Being Complicit in Hack

This back and forth between the protocol and the hacker has outraged the community, some of whom are even accusing the Poly Network team of being behind the hack or otherwise complicit. The Poly Network addressed the community concerns in its communications, claiming it is working as fast as possible to return the assets.

We understand there are many users and projects using Poly Network’s services, and there are users who are panicking that they might lose control of their assets, and we want to minimise the impact on them, so restoring our network and our users’ assets in a secure manner as quickly as possible is our top priority.

Poly Network statement
Categories
Blockchain Crypto Exchange Crypto News Hackers Japan

Japan’s Liquid Exchange Hacked for Almost $100 Million

Close to US$100 million has been stolen by hackers from Japan’s Liquid Global exchange, which has since suspended deposits and withdrawals while also moving its assets into offline storage.

According to an August 19 tweet, Liquid exchange confirmed that it had been breached and its hot wallet compromised. The exact amount still needs to be verified, but estimates place it upward of US$90 million.


With such a large amount of crypto compromised, the exchange has moved its digital assets into cold storage. According to Eddie Wang, senior researcher at OKLink, hackers made off with BTC, ETH, TRX, XRP and other ERC-20 tokens.

The cold wallet used for segregation management is safe, and no impact on the assets entrusted to us by our customers has been confirmed.

Liquid (via Quoine)

Blockchain analytics company Elliptic says US$45 million in tokens were being converted to Ethereum through decentralised exchanges – blockchain-based platforms that require no intermediaries – such as Uniswap.

Destination Wallets Blacklisted by KuCoin

In the meantime, the wallets that received the stolen tokens have been blacklisted by KuCoin and other exchanges are expected to soon follow suit.

Liquid exchange also announced that “under these circumstances, we will suspend the warehousing and withdrawal of cryptographic assets until the security of all wallets is confirmed”.

How It Was Done

According to a blog post by Liquid, “the MPC wallet [used for warehousing/delivery management of cryptographic assets] held by our Singapore subsidiary Quoine was damaged by hacking. The impact on us is currently being confirmed.”

MPC (multi-party computation) is an advanced cryptographic technique in which the private key controlling funds is generated collectively by a set of parties, none of which can see the fragments calculated by the others. Liquid Global’s blog post did not explain how this security arrangement was circumvented. However, an investigation is under way.

This breach comes in the same week as a record-breaking DeFi hack against PolyNetwork, which siphoned off around US$600 million from the protocol.

Categories
DeFi Ethereum Hackers

White Hat Hacker Group Prevents $350 Million SushiSwap DeFi Heist

A collective effort from the crypto community has saved SushiSwap’s token fundraising platform from a potential US$350 million heist. A vulnerability was found in the code by a partner of Paradigm, which could have led to an auction being hacked if discovered by a malicious actor.

SushiSwap’s token fundraising platform, MISO, had one of its smart contracts used in a “Dutch auction”. The vulnerability created a ticking time bomb situation for the platform to potentially lose 109,000 ETH (US$350 million) before the auction ended.

According to a post published by SushiSwap on Monday, Paradigm security researcher Sam Sun (aka samczsun) and colleagues Georgios Konstantopoulos and Daniel Robinson worked together to solve the problem with the “Dutch auction” contract on the Miso platform. Sun was scanning through the code when he came upon the vulnerability:

Complex Smart Contracts in DeFi Need to be Secure

In Sun’s words: “Unfortunately, while composing two components might be safe most of the time, it only takes one vulnerability to cause serious financial damage to hundreds if not thousands of innocent users.”

This incident shows that even safe contract-level components can be mixed in a way that produces unsafe contract-level behaviour. There’s no catch-all advice to apply here, like ‘check-effect-interaction’, so you need to be cognisant of what additional interactions new components are introducing.

Samczsun

According to SushiSwap, the issue created a “two-pronged issue where a user can both put up a commitment higher than ‘msg.value’, thereby draining any unsold tokens, and additionally drain the raised funds on the contract as refunds if the auction has reached max commitment”.

“Users could over-bid and get a refund of the difference between the current bid and the amount they submitted, but the refund could be repeated to drain the auction contract,” adds Duncan Townsend, CTO at Immunefi, a bug bounty platform for DeFi that was also recruited to help solve the issue.

I had gone from encounter to discovery in a little over half an hour, disclosure in 20 minutes, war room in another 30, and a fix in three hours. All in all, it took only five hours to protect 350 million USD from falling into the wrong hands.

Samczsun
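Both prongs described above break the same accounting invariant: whatever a sender is credited as commitment plus whatever is refunded to that sender must be covered by ether that sender actually paid. The following is an added example, not code from SushiSwap, Paradigm or the original article; it replays a constructed event stream and flags each event that breaks the invariant. The event kinds, names and amounts are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed event stream for one auction contract, amounts in whole ETH.
# Event kinds are hypothetical labels for this example, not MISO's event names:
#   paid     - ether that actually arrived with a call from the sender
#   credited - commitment the contract recorded for the sender
#   refunded - ether the contract sent back to the sender
SAMPLE_EVENTS = [
    ("paid", "alice", 10), ("credited", "alice", 10),
    ("paid", "bob", 5), ("credited", "bob", 3), ("refunded", "bob", 2),
    ("paid", "carol", 1), ("credited", "carol", 3),
    ("paid", "dave", 2), ("refunded", "dave", 2),
    ("refunded", "dave", 2), ("refunded", "dave", 2),
]

KINDS = ("paid", "credited", "refunded")


def audit(events):
    """Replay events and flag each one that breaks credited + refunded <= paid."""
    totals = defaultdict(lambda: dict.fromkeys(KINDS, 0))
    findings = []
    for index, (kind, sender, amount) in enumerate(events):
        if kind not in KINDS:
            raise ValueError(f"unknown event kind at index {index}: {kind!r}")
        if amount < 0:
            raise ValueError(f"negative amount at index {index}")
        account = totals[sender]
        account[kind] += amount
        excess = account["credited"] + account["refunded"] - account["paid"]
        if kind != "paid" and excess > 0:
            # First prong: commitment recorded above what was paid.
            # Second prong: refunds that add up to more than what was paid.
            label = "over-credit" if kind == "credited" else "excess-refund"
            findings.append((index, sender, label, excess))
    return findings, dict(totals)


def shortfall(totals):
    """Ether owed against recorded commitments that the contract no longer holds."""
    paid = sum(t["paid"] for t in totals.values())
    refunded = sum(t["refunded"] for t in totals.values())
    credited = sum(t["credited"] for t in totals.values())
    return max(0, credited - (paid - refunded))


if __name__ == "__main__":
    found, totals = audit(SAMPLE_EVENTS)
    for index, sender, label, excess in found:
        print(f"event {index}: {sender} {label}, {excess} ETH not covered")
    print("contract shortfall:", shortfall(totals), "ETH")
```
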

Preventing Attacks with Secure DeFi Contracts

In the case of the SushiSwap vulnerability, many in the crypto community have taken to social media to praise and show support for the collective rescue efforts led by the research arm at Paradigm.

This event took place after the biggest DeFi exploit to date last week when cross-chain DeFi site Poly Network was attacked, losing more than US$600 million worth of cryptocurrencies, due to a bug.

Other recent instances such as the Thorchain attack or ICX coding flaw exploit have also been due to vulnerabilities in code.

The DeFi space is one of blockchain’s newest innovations with lots of potential for growth and wealth creation. However, the industry is in its infancy with much to be learned, and since there’s so much money on the table there will usually be vultures circling around.

Categories
Crypto News DeFi Hackers

Poly Network Attack Update: Hacker Returns $477 Million in Stolen Crypto

Following the biggest hack in DeFi history, the Poly Network Hacker has already begun returning most of the seized funds, referring to the exploit as “one of the best moments” in his life.

For those who do not understand the motivation behind a white-hat hack attack, it’s important to point out why the crypto space cannot progress without them. They actually help the space evolve. It seems the point of the “attack” on the Poly Network was not to steal everyone’s money, but to expose serious security weaknesses in the company’s code and thus “save the world”. As the hacker explained:

When spotting the bug, I had a mixed feeling. Ask yourself what to do if you were facing such a fortune? Asking the project team nicely so that they can fix it? Anyone could be the traitor given one billion! I can trust nobody! The only solution I can come up with is saving it in a trusted account while keeping myself anonymous and safe.

“The Hacker”

The Thrill of Cracking the Code

White-hat hackers are driven more by ego than anything else and live for the thrill of cracking the code. Hacking is no easy task. It requires a lot of brainpower and hours and hours of beta testing, probing highly sophisticated networks and finding holes.

Unfortunately, in the unregulated playground of decentralised finance, hackers are forced to break the law to perform their services. They bring a high level of personal risk to themselves, facing criminal charges if caught. Their role is to help correct fundamental flaws in code that needs to be absolutely bulletproof, especially when the managed funds of billions of dollars of everyday crypto investors’ money is at stake.

The more-than US$600 million seized in the Poly Network hack represents a record amount in DeFi history. It was said by the hacker that he could have taken over a billion if he’d have gone for the shitcoins, but thoughtfully didn’t because he did not want to disrupt the price action of these fragile low-market-cap tokens. Instead he went for ETH, WETH, WBTC, UNI, RenBTC, USDT, USDC, DAI, SHIB, FEI, BNB and various other BEP-20 tokens.

The Poly Network hack has gained worldwide recognition, not only from the crypto community but also mainstream news outlets. The hacker left notes on the blockchain in messages attached to transactions, providing some entertaining reading and becoming the talk of the town on Twitter. The hacker even conducted a little Q&A session with himself and posted it for all to read, explaining why he was compelled to carry out the hack.

It should be a relief for the Poly Network team that most of its liquidity has now been restored. It could have been much worse in the event of a black hat attack.

Kelvin Fichter (an Ethereum programmer) tweeted a breakdown of how the exploit worked. In his own words, “pretty genius”.

Categories
Blockchain Crypto News DeFi Hackers

$600 Million Drained as Poly Network is Attacked in Largest DeFi Hack on Record

Poly Network, a multi-chain platform that provides interoperability between blockchains, reportedly suffered an attack on Binance Smart Chain, Ethereum and Polygon, losing over US$600 million, making it the biggest DeFi heist in history.

The protocol urged all miners of the affected blockchain and crypto exchanges to blacklist tokens coming from a list of addresses from the hacker (or hackers). However, one user told the attacker(s) to try depositing the stolen funds without Tether – which they did, placing all the addresses into Curve.

As a show of gratitude for the help, the hackers gifted the user US$45,000 in Ethereum.

Hacker Returns $258M

At about 4:00 am UTC, the hacker sent an ETH transaction to himself with a private note saying “ready to return the fund”. In a subsequent message, he asked for a multisig wallet to transfer the funds to after failing to contact Poly.

The protocol provided the hacker with three different addresses from BSC, ETH and Polygon to return the funds. “We are preparing a multisig address controlled by known Poly addresses,” Poly Network said in a private message embedded in an ETH transaction to the address provided by the hacker(s).

Media Outlets Scramble to Cover Biggest Ever Heist

This is the most controversial theft in the history of DeFi, so much that media outlets like Bloomberg, the Wall Street Journal, CNBC and Reuters have covered it too. Other heists amounted to relatively small sums, such as the US$25 million stolen from Popsicle Finance or the $13 million stolen from THORChain.

After the hacker(s) showed intentions to return the funds, software developer O3 Labs suggested the person(s) behind the hack might be a white hat hacker – an ethical hacker that specialises in penetration testing and other testing methodologies to ensure the security of an organisation’s information system.

The hacker left a final message saying: “It’s already a legend to win so much fortune. It will be an eternal legend to save the world. I made the decision, no more DAO.”

Categories
Crypto News DeFi Hackers

DeFi Project ‘Popsicle Finance’ Loses $25 Million in Apparent Hack

A hacker this week managed to execute a transaction that drained 85 percent of the deposit pools of Popsicle Finance, a multi-chain yield-generating platform for liquidity providers. 

According to the post-mortem, the attacker targeted the Sorbetto Fragola contracts (UniswapV3 optimiser) while other contracts like nICE staking and ICE Farming were left unaffected. He/she managed to drain over US$20 million using flash loans to borrow US$30 million in USDT, along with $32 million in ETH.

$1 Million Bounty Offered for Return

In response to the attack, the protocol addressed the hacker, offering a US$1,000,000 bounty if he/she returns the funds. Deposits to all pools have since been locked.

The protocol is working out a compensation plan, asking for feedback from its community to spur ideas. Two months ago, Rari Capital reimbursed up to US$26 million after suffering a similar hack for 2600 ETH.

Popsicle Finance’s community showed itself to be supportive instead of accusing the protocol of an exit scam. Before the launch of Sorbetto, the community voted to release the contract unaudited, yet the team decided to wait for data analytics companies CertiK and PeckShield Inc to audit the project.

A Commonly Exploited DeFi Bug

SushiSwap core developer Mudit Gupta said the hacker found a bug in the smart contract that allowed anyone to receive rewards and claim them multiple times for the same shares from much further back in time than they should have been able to. Gupta added that this was a common bug in most exploited DeFi protocols.

Popsicle Finance’s hack adds to the list of over 20 DeFi hacks this year, amounting to a total of US$310 million lost since 2020. Since DeFi hacks have become a common topic in the industry, many in the community believe most of them are undercover rugpulls.

Two months ago, DeFi100 went down – its official website displayed an “Error 404” message, and more than US$32 million vanished. Despite the protocol insisting it didn’t rug-pull its investors, the incident raised concerns over a potential exit scam.

Categories
Bitcoin BSV Crypto News Hackers

BSV Reportedly Suffers Another ‘Massive’ 51% Attack

Bitcoin Satoshi Vision (BSV) suffered another 51% attack on August 3, around 11:46 am Eastern Time Zone, as confirmed by analytics provider Coin Metrics.

The attack resulted in a catastrophic event for the network, which already had gained a bad reputation in the crypto space. An unidentified group reportedly reorganised over 100 blocks, creating three versions of the chain and mining them simultaneously.

Coin Metrics confirmed the attack after Lucas Nuzzi, an active member of the crypto community on Twitter, shared the news:

The attack continued for 12 hours, and was ongoing at press time. At first it was reported that 14 blocks were reorganised, but that number now amounts to over 100, according to Nikita Zhavoronkov. The BSV price – which was already in a downtrend – lost 7 percent in the last 24 hours, reaching lows of US$133.

Bitcoin Association Responds

The Bitcoin Association responded by recommending that node operators “mark the fraudulent chain as invalid”, which, according to the association, will return their nodes to the “chain supported by honest miners”.

However, some people were not convinced:

This attack further stains the image of BSV, created and promoted by Australian programmer Craig Wright. The protocol was originally intended to be an immutable ledger that would overcome Bitcoin’s original protocol limitations.

However, several exchanges have been delisting BSV in response to the continuous 51 percent network attacks.