Categories
Crypto Hardware Wallets DeFi Hackers Scams

Trojan Hits Australia’s Android Crypto Wallets

There’s new malware spreading across Europe and Australia – a trojan that targets Android devices to harvest login credentials for online banking apps and crypto wallets in an automated way.

Vultur Wings Its Way to Australia

Vultur, a Remote Access Trojan (RAT) that was first being tested in Italy and Spain, is now rapidly spreading across Australia. The malware has been installed over 5000 times from the Google Play Store, disguised as an app called “Protection Guard”, so the number of victims is likely of the same order.


A RAT is smuggled onto a device so that it can be controlled remotely; Vultur does this by relying on Virtual Network Computing (VNC). Through VNC, the attackers try to obtain personal information in order to carry out online fraud on a massive scale.

For the first time we are seeing an Android banking trojan that has screen recording and keylogging as the main strategy to harvest login credentials in an automated and scalable way.

ThreatFabric researchers

Detecting Vultur

Apart from checking whether an app named “Protection Guard” has recently been installed, ThreatFabric suggested there is another way to detect the RAT:

You can also detect Vultur because when it’s transmitting data to its command-and-control server, the active “casting” icon will show up in the Android notifications. If you’re not casting something and the icon shows up anyway, that’s reason to worry.

ThreatFabric

To reduce the risk posed by RATs such as Vultur, Android users are advised to keep a reputable antivirus app running in the background so that newly downloaded apps are checked for potential threats.

Buy a Hardware Wallet

The attackers are targeting major crypto exchanges and mobile wallets including Kraken, Coinbase, Binance, CEX, eToro and more. While Android devices are the main target, users believe the virus may soon reach iOS.

Crypto users are warning others on social media, recommending they do not store their funds on exchanges and, if possible, get a hardware wallet and save most of their funds on it.

Scams, Hacks and Glitches on the Rise

As hacks and crypto scams become more common, newcomers should be wary when choosing their wallets. Rather than leave their funds in a crypto exchange, they should store them in a hardware wallet.

Roll, for instance, was a decentralised finance protocol attacked in March by a group of hackers that drained its wallet of over US$5.7 million. To this day, developers still don’t know how the platform got hacked.

As always, you can keep up to date with the many and varied scams out there by consulting Crypto News’ comprehensive guide.


Polygon YELD Token Goes to Zero as $250,000 Disappears

Another Polygon yield farming token has crashed after attackers found a vulnerability in the platform’s smart contract, exploited it and minted nearly 4.9 trillion tokens.

The YELD token – which belongs to a DeFi project called PolyYeld Finance that runs on the Polygon network – crashed to zero shortly after the attack.

Pool Drained, Rewards Inflated

PolyYeld Finance’s smart contract, called MasterChef, is designed to distribute rewards to stakers of liquidity pool tokens by dividing the pool’s reward value by the value of tokens staked. But it seems the attackers found a vulnerability in the contract that allowed them to mint xYELD, a deflationary token, reducing the pool’s balance and thereby inflating rewards.

According to Xuxian Jiang, CEO of security firm PeckShield, a deflationary token like xYELD charges a fee on every transaction, so by repeatedly depositing to and withdrawing from the contract, the attackers triggered the tax collection over and over, reducing the contract’s xYELD balance to 1 WEI.
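To make the accounting failure Jiang describes concrete, here is an added Python model of a MasterChef-style farm that stakes a fee-on-transfer (“deflationary”) token. It is constructed for this article and is not PolyYeld’s, PeckShield’s or any project’s contract code; the token, the 10 percent fee, the balances and the reward rate are all assumptions chosen for clean arithmetic. The vulnerable variant credits a depositor with the nominal amount and divides each block’s reward by the contract’s live token balance, which every fee erodes; the hardened variant credits only what actually arrived and divides by an internally tracked total. A few deposit/withdraw cycles are enough to show the drift; the reported case, where the balance reaches 1 wei, is the same drift taken to its extreme.

```python
"""Toy model of MasterChef-style reward accounting over a fee-on-transfer token.

Constructed illustration (not any project's code). Compares two designs:
  vulnerable - credit the nominal deposit, divide rewards by balanceOf(farm);
  hardened   - credit the received delta, divide by an internally tracked total.
"""

ACC_PRECISION = 10**12      # fixed-point scale for accumulated reward per share
FARM = "farm"               # label standing in for the staking contract address


class FeeOnTransferToken:
    """Burns `fee_bps` basis points of every transfer; the recipient gets the rest."""

    def __init__(self, fee_bps):
        self.fee_bps = fee_bps
        self.balances = {}

    def mint(self, to, amount):
        self.balances[to] = self.balances.get(to, 0) + amount

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def transfer(self, src, dst, amount):
        if self.balance_of(src) < amount:
            raise ValueError(f"{src} cannot transfer {amount}: insufficient balance")
        fee = amount * self.fee_bps // 10_000
        self.balances[src] -= amount
        self.balances[dst] = self.balance_of(dst) + amount - fee
        return amount - fee


class Farm:
    """Single-pool farm paying `reward_per_block` to stakers pro rata."""

    def __init__(self, token, reward_per_block, hardened):
        self.token = token
        self.reward_per_block = reward_per_block
        self.hardened = hardened
        self.acc_reward_per_share = 0
        self.staked = {}        # user -> stake the farm has on its books
        self.reward_debt = {}   # user -> rewards already settled
        self.total_staked = 0   # internally tracked sum of credited stakes

    def _divisor(self):
        # Vulnerable: the live balance, which every fee shrinks while the
        # recorded stakes stay put. Hardened: what the farm itself credited.
        return self.total_staked if self.hardened else self.token.balance_of(FARM)

    def advance_blocks(self, blocks):
        divisor = self._divisor()
        if divisor == 0:
            return
        self.acc_reward_per_share += blocks * self.reward_per_block * ACC_PRECISION // divisor

    def pending_reward(self, user):
        earned = self.staked.get(user, 0) * self.acc_reward_per_share // ACC_PRECISION
        return earned - self.reward_debt.get(user, 0)

    def deposit(self, user, amount):
        before = self.token.balance_of(FARM)
        self.token.transfer(user, FARM, amount)
        received = self.token.balance_of(FARM) - before
        # Vulnerable farms credit the nominal amount; hardened ones the measured delta.
        credited = received if self.hardened else amount
        self.staked[user] = self.staked.get(user, 0) + credited
        self.total_staked += credited
        self.reward_debt[user] = self.staked[user] * self.acc_reward_per_share // ACC_PRECISION

    def withdraw(self, user, amount):
        if self.staked.get(user, 0) < amount:
            raise ValueError("withdraw exceeds recorded stake")
        self.staked[user] -= amount
        self.total_staked -= amount
        self.reward_debt[user] = self.staked[user] * self.acc_reward_per_share // ACC_PRECISION
        # The farm pays out the nominal amount; in the vulnerable design the
        # shortfall created by fees is silently borne by the remaining stakers.
        self.token.transfer(FARM, user, amount)

    def accounting_gap(self):
        """Recorded stakes minus real balance; zero means the books balance."""
        return sum(self.staked.values()) - self.token.balance_of(FARM)


def run_scenario(hardened, cycles=3):
    """Alice stakes once; Bob deposits and withdraws `cycles` times; one reward block.

    Returns (accounting_gap, alice_pending_reward) for the chosen design.
    """
    token = FeeOnTransferToken(fee_bps=1000)          # constructed: 10% burned per transfer
    token.mint("alice", 1000)
    token.mint("bob", 10_000)
    farm = Farm(token, reward_per_block=1200, hardened=hardened)
    farm.deposit("alice", 1000)
    for _ in range(cycles):
        farm.deposit("bob", 1000)
        farm.withdraw("bob", farm.staked["bob"])
    farm.advance_blocks(1)
    return farm.accounting_gap(), farm.pending_reward("alice")


if __name__ == "__main__":
    for hardened in (False, True):
        gap, alice = run_scenario(hardened)
        label = "hardened  " if hardened else "vulnerable"
        print(f"{label}: stakes exceed balance by {gap}; Alice owed {alice} of 1200 emitted")
```

After three of Bob’s cycles the vulnerable farm’s books claim 1000 staked while it holds only 600, and Alice is owed 2000 reward tokens from a block that emitted 1200; the hardened farm’s books match its balance exactly and Alice is owed 1199. The `accounting_gap()` check is the invariant a reviewer or monitor would want to watch: recorded stakes must equal the real balance, and any non-zero value means rewards are being computed against a divisor that no longer reflects what stakers hold.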

The attackers swapped 4 percent of minted tokens to 123 ETH – worth around US$250,000 at time of writing – using various decentralised exchanges such as QuickSwap and Uniswap.

Hack Highlights the Risks of Yield Farming

This is not the first time in recent months that a yield farming project on Polygon has failed. In response, PolyYeld developers have asked users to unstake their funds, adding that they’re considering compensating all affected users and will report on their progress in the coming days.

Yield farming platforms are known for providing high returns to users but, as the space is decentralised and unregulated, the risks of exploits, data breaches and scams are always present.

Investors should be wary when entering the DeFi space and consider non-financial DeFi risks, as price fluctuations are not the only ones responsible for lost money.

Prior to the Polygon attack, the most recent target had been THORChain, a DeFi protocol that has been attacked multiple times in the past few weeks.


THORChain Suffers Another Attack: $8 Million Held, Hacker Wants 10% Bounty

THORChain has been once again schooled by hackers who managed to take a further US$8 million in this latest attack, bringing the total losses to US$13 million for the month. The cross-chain crypto token exchange platform manages US$100 million in funds.

The “helpful” hackers were kind enough to leave a note explaining THORChain’s weaknesses and cautioned that the result could have been far more damaging had they gone for the vault (BTC, ETH and BNB). They added:

“Do Not Rush Code That Controls 9 Figures”

About the Exploit

THORChain stated that a hacker (or hackers) deployed a custom contract that was able to trick its Bifrost Protocol into receiving a deposit of fake assets, duping the network to mistakenly process refunds of real assets back to the hacker. The breach was a highly “sophisticated attack” and the hacker has requested a bounty of 10 percent of the funds stolen for services rendered.

The network has responsibly ceased operating until the code can be reviewed and deemed secure before launching again. A harsh and expensive lesson, perhaps, but events such as this are part and parcel of DeFi (decentralised finance) as the space is still in its infancy in the untamed wild west.

There were really only two options. Launch and accept the risk of issues, or not launch and stay in the 90 percent complete audit-review cycle for another six months. Both are difficult.

Thorchain spokesperson

Earlier this month, THORChain lost US$4.9 million in Ethereum drained in a previous attack. Daniel Kim, head of capital markets at Maple Finance, said: “There’s a constant battle for these smart contract securities firms to keep up with hackers. That said, the DeFi industry is still nascent … these issues lead to solutions.”

The price of $RUNE fell 17 percent on the day as a result. It had been trading as high as US$20 in May, though the current value is bouncing around the US$4 mark, down over 80 percent from its peak.


1,000 Pro-Trump Magacoin Holders’ Personal Details Leaked by ‘Hacktivist’

Magacoin is a pro-Trump crypto created to support “MAGA” candidates, but things haven’t quite gone according to plan for supporters. The website connected with the crypto has been hacked, leading to supporters’ personal information being leaked.

Hacktivist Attacks Magacoin’s Website

Evidently, the website hosting the crypto and users’ personal information was not as secure as the creators would have hoped. A ‘hacktivist’ was able to successfully attack the website and obtain a host of personal information. Subsequently, the information – including names, addresses, passwords and IP addresses – was leaked to The Guardian.

Former US president Donald Trump with his infamous red MAGA hat. Source: BBC

Leak Shows Magacoin’s Biggest Holders and Lacklustre Sales

The information leaked also highlighted the fact that the vast majority of Magacoins went to the crypto’s founders – Marc Zelinka, a Trump-loving consultant, and a Super PAC associated with him. In response, Zelinka has claimed that he no longer controls Magacoin and that he handed it off to another pro-Trump political activist.

Self-enrichment is often the motive behind creators of new cryptos and this one appears to be no different.

Despite Magacoin’s best marketing efforts with “100 free Magacoins” aimed at radio hosts, media personalities, bloggers and grassroots groups who agree to promote the cryptocurrency, it never really took off in any meaningful sense. On average, holders only had 100 coins compared to the millions held by the founders and bigger bag holders.

It isn’t only amateur operations such as Magacoin that get hacked. Last year, Ledger experienced a massive data breach resulting in thousands of clients’ personal information being leaked. And it isn’t limited to companies, as non-profits such as Anglicare Sydney have similarly experienced it.


US Government Offers $10 Million Bounty for Cyberattacks, Enticing with Crypto Payments

Following the infamous Colonial Pipeline attack earlier this year and a slew of copycat ransomware attacks, the US government has gone on the offensive by announcing a bounty program to counteract the ongoing risk of cybercrime.

Reward for Attacks on “Critical Infrastructure”

In a statement, the US Department of State’s Rewards for Justice (RFJ) program noted it was offering a reward of up to “US$10 million for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against US critical infrastructure”.

Cars queue to refuel following the “Colonial Pipeline” cyberattack which crippled the US’ biggest fuel pipeline based in Washington, DC, May 15, 2021. Source: Daily Sabah

The RFJ statement went further, saying:

Commensurate with the seriousness with which we view these cyber threats, the Rewards for Justice program has set up a Dark Web (Tor-based) tips-reporting channel to protect the safety and security of potential sources.

Office of the Spokesperson. Source: US Department of State

Bounty May be Paid in Crypto – Bitcoin or Privacy Coins?

Recognising that potential whistleblowers may wish to be paid in crypto, the statement noted that:

The Reward For Justice program also is working with interagency partners to enable the rapid processing of information as well as the possible relocation of, and payment of, rewards to sources. Reward payments may include payments in cryptocurrency.

Office of the Spokesperson. Source: US Department of State

The official statement did not specifically disclose which cryptos would be accepted as a means of bounty payment.

However, given the nature of cybercrime and the fact that the RFJ has set up a Tor-based reporting channel, it is likely that potential whistleblowers will elect to remain anonymous. Accordingly, they are likely to prefer privacy coins such as Monero or Zcash over publicly traceable networks such as Bitcoin.

Cyberattacks have not been limited to the US. Last year, Australian television networks were impacted by various cyber attacks and, most recently, this month thousands of retailers were affected by a supply-chain ransomware attack.


DeFi Project Thorchain Attacked, Draining $4.9 Million Worth of Ethereum

Thorchain has suffered a second attack, draining millions in assets from the protocol. The attack was made possible by an unforeseen flaw in the ETH Bifrost that opened up a straightforward attack vector.

Initially it was thought that close to 13,000 Ethereum (ETH) had been stolen but according to an update posted by Runebase, it is now estimated at about 2,500 ETH. The update also stated that “the discrepancy may be due to additional loss from arbitrageurs taking advantage of the price manipulation”.

While the treasury has the funds to cover the stolen amount, we request the attacker get in contact with the team to discuss return of funds and a bounty commensurate with the discovery.

Thorchain Telegram administrator

Other protocols like Rari have also been able to reimburse their users after being hacked.

Decentralised Community Protecting the Network

When trying to attack an open-source decentralised protocol, you’re not just attacking the developers but the community as well. Communities and node administrators have various incentives to protect the network, not just for the value they have pumped in, but the value they get out from time and effort spent building and securing the network.

The issue was discovered by a community developer and when anonymous nodes started voluntarily using the “make halt” command to stop their nodes, the emergency was made clear. Once more than a third of the nodes had been halted, the network itself was halted. This was a decentralised action taken by node operators to protect the network.

DeFi Targeted by Attackers

As DeFi is one of the more recent innovations in blockchain and distributed ledger technology (DLT), much of what is happening in the space is innovative. In spaces such as these, there will always be room for improvement and considerations not yet made, but as the space matures so will the knowledge and experience of risks.

So far this year, millions have been stolen in DeFi hacks in various ways, ranging from coding errors to rug pulls. Thorchain fared relatively well, its price dropping only 14 percent following the attack. Other tokens like FinNexus (FNX) had dropped 90 percent after being hacked.

As the space matures many lessons will be learnt, but as these exploits occur developers are documenting and fixing them, strengthening protocols and best practices. In the long run, this will work to the advantage of the crypto industry as a whole.


Founders of South African Crypto Investment Company Vanish with $3.6 Billion Worth of Bitcoin

Ameer and Raees Cajee, the brothers behind Cape Town-based crypto investment platform Africrypt, have disappeared under suspicious circumstances, together with 69,000 Bitcoins belonging to their clients.

The Promise of Exceptional Returns and Where Things Started Going Wrong

The company was founded in 2013 and over the years had managed to secure a lot of support from investors, including some prominent local celebrities. Ostensibly, it was a well-run business that continued to grow on the back of “sophisticated algorithmic trading” that promised returns of 10% per day.

Things took a strange turn in April when investors were sent an email alleging a hack. The email noted that the platform would be shut down and investors’ accounts, wallets and nodes frozen. Most surprisingly, investors were requested not to contact law enforcement authorities as this would “slow the recovery process”.

Investors Appoint Investigators as Suspicion Grows

Shortly thereafter, investors hired specialist legal practice Hanekom Attorneys, who established that the company had moved 69,000 Bitcoins from their clients’ wallets through a crypto tumbler, making them virtually untraceable. Investigators also found that Africrypt employees had lost access to the back-end platforms seven days before the alleged hack.

We were immediately suspicious as the announcement implored investors not to take legal action.

Derek Hanekom, Hanekom Attorneys

Hanekom indicated it was unlikely that all funds came from South Africans, saying it looked more like an international money laundering operation. The South African Police has been assigned to the case and has contacted exchanges to ensure the funds aren’t liquidated. It is alleged that the Cajee brothers have since decamped to the UK, but that remains unclear.

Investors Cautioned: Do Your Own Research

The crypto space remains a very new market that is highly volatile and experimental, and investors are advised to always DYOR (do your own research).

Some recent scams we have seen:

Despite the discernible scams occurring, crypto remains an exciting prospect for the African continent with projects like Cardano developing blockchain solutions for decentralised identity and financial systems.


Scam Warning: Fake Crypto Hardware Wallets Sent to Ledger Customers

Last year, hardware wallet provider Ledger suffered an internal breach of security resulting in the exposure of 250,000 to 1,000,000 customer email addresses. In some cases, the information leaked included full names and addresses. A class action is under way, but the after-effects linger.

Initial Concern Regarding Bad Actors

Since self-custody and privacy remain crypto’s greatest drawcards, the initial concern was that the information would be used by malicious actors to separate users from their crypto holdings.

Within a short space of time, Reddit users described various phishing attempts (such as links to the “latest software upgrade”) and death threats (so-called “$5 wrench attacks”). At the time, users quite reasonably began asking questions as to whether or not Ledger was a secure hardware wallet.

Unsurprisingly, once leaked private information becomes available in the public domain, the consequences are likely to linger. Ledger’s 2020 data breach is no different as the ramifications persist.

Latest Fraudster Activity

Recently, Ledger customers have revealed a new and sophisticated effort by fraudsters involving fake hardware wallets being sent to exposed Ledger customers’ addresses.

https://twitter.com/BitcoinMagazine/status/1405572965480153095

Overlooking the fact that Ledger is unlikely to ever send a “new” unsolicited hardware device to its users (much less one that is unsealed/damaged), the clear giveaway in this instance was a single use of slang in the letter:

… For this reason, we have changed our device structure. We now guarantee that this kinda [emphasis intentionally added] breach will never happen again.

Extract from fake Ledger letter

In addition to examples such as that outlined above, some users have also described fake hardware being sent with a pre-installed recovery seed:

https://www.reddit.com/r/CryptoCurrency/comments/o609v2/hardware_wallet_scam/
https://imgur.com/a/WNjlkyc

How to Avoid Getting Scammed

Unfortunately, scammers continue to thrive and innovate within the crypto space. In 2020 alone, Australians lost $26 million in Bitcoin to scams.

The good news, however, is that there are some basic principles within the domain of hardware wallets that dramatically reduce the prospects of being scammed:

  • Only buy hardware directly from the manufacturer or authorised reseller
  • Never buy a used device
  • Make sure the packaging has not been tampered with
  • When starting the device up, make sure there aren’t any error messages that could be evidence of tampering
  • Remember that no hardware wallet comes pre-installed with a 24-word recovery phrase.



$11 Million Ransom Paid in Bitcoin By World’s Largest Meat Producer

JBS SA – a Brazilian company that processes meat largely sourced from Australia in order to sell it in the Americas and Europe – paid a ransom of $11 million worth of BTC to cybercriminals in order to stave off future attacks.

The cyberattack was identified on May 30 and caused about a full work day’s worth of damages across all plants. However, the company’s encrypted servers were not affected, allowing them to ramp production back up without too much of a hassle.

JBS SA in Brazil [source]

‘It Was Very Painful to Pay the Criminals’

Andre Nogueira, CEO of the company’s US division, JBS USA Holdings, said JBS SA decided to pay the ransom in order to prevent more attacks like those that knocked out its plants last week.

It was very painful to pay the criminals, but we did the right thing for our customers.

Andre Nogueira, CEO, JBS USA

However, he also stated that the payment was made only after functionality was restored to most of the processing plants with the aid of encrypted backup systems.

In order to make up for lost time, some of the processing plants scheduled 10-hour shifts – including weekends. By June 10, all JBS plants were reported to be functioning normally.

Cyber Security Needs Improving

Following the attack, lawmakers in US states reliant on agriculture have spoken out about the need to overhaul practices in the industry, claiming antiquated procedures leave the door open to attacks like these.

This problem affects multiple industries, though – the bad actors who shut down a major US gas pipeline last month were most likely able to gain access due to obsolete cybersecurity measures.

Every hack that is successfully paid off with a cryptocurrency becomes an advertisement for more hackers to try more cyberattacks.

US Senator Elizabeth Warren

Last year, Aussie TV stations were taken down by bad actors demanding BTC as a ransom, and new malware known as Egregor has been making the rounds of companies in the gaming industry.


BTC Wasn’t Hacked; the FBI Just Seized Control of the Bitcoins via the Server

Following a ransomware attack last month, US investigators have seized close to 64 Bitcoin valued at approximately A$2.73 million. Bitcoin’s price dropped by almost 10 percent on the news and commentators were left speculating as to how this might have occurred. Some claimed the Bitcoin wallet was hacked, but this was not the case.

How It Was Reported

Mainstream commentators and cryptosceptics were vocal from the outset, some implying that Bitcoins could be seized by law enforcement agencies at will:

Bitcoin Community’s Response

The Bitcoin community, in characteristic fashion, fired back promptly with a barrage of tweets, some charitable and others less so:

What Really Happened

In the end, it was Blockstream CEO Adam Back who offered a considered response to help clear things up:

Bitcoin commentator Marty Bent, however, remained somewhat suspicious:

How could these attackers be smart enough to take down a vital piece of energy infrastructure but too dumb to run their own full node with a connected xpub associated with a dedicated device?

https://tftc.io/martys-bent/issue-1008/

While we may never know all the details as to how the Bitcoins were recovered, Bitcoiners were quick to point out that the episode proved how unsuitable Bitcoin is for illicit activity.

As to how this may occur, respected BTC developer Matt Odell offered a neat summary:
