
Beware of “The Dusting Attack” Hackers Are Using to Break Blockchain Privacy

Dust attacks have become a popular technique for hackers trying to break blockchain privacy. Dusting was at first used by programmers performing stress tests on a network and email blasts, but scammers are now using it to unmask address anonymity.

What is a Dusting Attack?

Crypto dust refers to a very small amount of a given coin or token, which can accumulate in a wallet, for example as a result of airdrops or the rounding of transactions.

Users sometimes don’t notice crypto dust because it tends to have very little fiat value. Certain wallets and exchanges even have functions to hide small balances. For example, the smallest unit into which a Bitcoin (BTC) can be subdivided is 0.00000001 BTC (by design). Usually referred to as 1 satoshi, it is currently worth around $0.0005 AUD – in other words, it would take about 20 satoshis for 1 cent AUD.

Dusting basically means sending a tiny amount of cryptos to various wallet addresses in an attempt to deanonymise them. By linking together the addresses of a given crypto asset, the hackers then track down the transactional activity of the corresponding wallets, analysing every address while looking for clues to identify the person or company behind each wallet.

An example of dust attack transaction [source]

This manoeuvre does not give the attacker access to your funds, as a direct attack on your wallet would. Dusting can only help the attacker guess the identity behind those addresses.

Scammers and criminals are not the only ones to perform these kinds of activities, though. Law enforcement agencies could use this technique to bind an individual or even criminal organizations to an address, for example to target money launderers, contraband, or any large criminal network.

Dusting Attacks on the Rise

A reason why these malicious attacks are becoming so popular for hackers is that traders and large holders don’t seem to pay much attention to the small amount of tokens showing up in their wallet addresses.

Dust attacks were first seen on the Bitcoin network but are quickly expanding to Litecoin, BNB (Binance Coin) and other cryptocurrencies. A popular example of a dust attack occurred in late October 2018, when Samourai Wallet developers warned some users were under dusting attacks.

How to Protect Yourself Against Dusting?

First, get an export of your addresses and review the balances in each one. Check your addresses on a block explorer like Etherscan.io or Blockchair.com to see if you’re under attack.

To spot one, look for the typical pattern: a dust transaction has one address on the sender side and hundreds or thousands of addresses on the other, with the same small traces sent to them.

If you have been “dusted”, look for wallets that show dusty UTXOs (unspent transaction outputs) and mark them as “do not spend” if your wallet or exchange allows you to do so. This will prevent them from being used in later transactions.
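The check described above can be scripted over a wallet's transaction history. The following is an added example, not code from the original article: the transaction layout, the `DUST_LIMIT_SAT` and `MIN_FANOUT` thresholds and all addresses are assumptions, and the sample history is constructed.

```python
from collections import Counter

DUST_LIMIT_SAT = 1000   # assumption: outputs at or below this count as dust
MIN_FANOUT = 100        # assumption: "hundreds or thousands" of recipients

def constructed_dust_tx():
    # Constructed sample: one sender paying 546 sat to 300 addresses.
    outs = [{"n": i, "address": f"addr{i:04d}", "value": 546} for i in range(300)]
    outs[42]["address"] = "my-wallet-addr-1"   # one recipient is our wallet
    return {"txid": "tx-dust", "inputs": ["sender-A"], "outputs": outs}

# Constructed sample history (not real chain data).
SAMPLE_TXS = [
    constructed_dust_tx(),
    {"txid": "tx-pay", "inputs": ["friend-1"], "outputs": [
        {"n": 0, "address": "my-wallet-addr-2", "value": 2_500_000},
        {"n": 1, "address": "friend-1-change", "value": 910_000}]},
    # A tiny payment that is NOT a fan-out, so it must not be flagged.
    {"txid": "tx-tip", "inputs": ["friend-2"], "outputs": [
        {"n": 0, "address": "my-wallet-addr-1", "value": 800},
        {"n": 1, "address": "friend-2-change", "value": 50_000}]},
]
MY_ADDRESSES = {"my-wallet-addr-1", "my-wallet-addr-2"}

def is_dusting_tx(tx):
    """One sender, many recipients, the same tiny amount to nearly all of them."""
    small = [o["value"] for o in tx["outputs"] if o["value"] <= DUST_LIMIT_SAT]
    if len(set(tx["inputs"])) != 1 or len(small) < MIN_FANOUT:
        return False
    _, most_common_count = Counter(small).most_common(1)[0]
    return most_common_count >= 0.9 * len(small)

def utxos_to_freeze(txs, my_addresses):
    """Return (txid, output index, satoshis) for our outputs created by dusting txs."""
    frozen = []
    for tx in txs:
        if not is_dusting_tx(tx):
            continue
        for o in tx["outputs"]:
            if o["address"] in my_addresses:
                frozen.append((tx["txid"], o["n"], o["value"]))
    return frozen

if __name__ == "__main__":
    for txid, n, value in utxos_to_freeze(SAMPLE_TXS, MY_ADDRESSES):
        print(f"mark as do-not-spend: {txid}:{n} ({value} sat)")
```

Matching on the fan-out shape rather than on amount alone keeps small legitimate payments, such as the constructed `tx-tip`, out of the freeze list.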

Notice the BTC trace behind the pop-up window [source]

You can also use a hardware wallet to protect yourself – while expensive, they can be safer storage for your private keys.


DeFi100 Goes Down, Claiming They Were Hacked And Haven’t Rug-Pulled

DEFI100 (D100), a DeFi project dealing with virtual assets, has gone down.

At the time of writing, visitors to the DeFi project’s website are being displayed a “404 – Not Found” message.

Error “404 – Not Found” on Defi100.org

It is not clear whether D100 has gone down as a result of a hack, or if instead the project has done a so-called rug pull – that is, an exit scam by intentionally becoming unavailable, disappearing with all of the funds.

$32 Million USD Estimated Vanished

Similar to other times where DeFi projects were messed with, the bad actors accompanied their misdeeds with a little taunting. An analyst known as CryptoWhale on Twitter has shared the news, speculating $32 million USD in investor funds have been siphoned off.

The team behind D100 claims instead they have been hacked, with the malicious actors leaving a message (which has been taken down).

They have also publicly stated that the rumours of rug-pulling are utterly false and they are trying to bring the project back up and running.

It is worth remembering that this is not the first time a DeFi project has suffered this kind of situation. However, these claims are being treated with great suspicion by Twitter users, with some arguing this is just a cover-up before maybe an even bigger heist is pulled off.

DYOR Reminder

Whether the project stole the funds or just suffered an attack by anonymous bad actors, the website remains down and the price of D100 has plummeted by over 50 percent, currently being traded around $0.08 AUD.

The same analyst who broke the news also reminded everyone to be wary of shady projects with anonymous devs, especially in periods of bear market – which might encourage malicious players to take their bags and go home. As always, Do Your Own Research.


Flashloan Exploit On Binance’s PancakeBunny Leads to $45 Million USD Drained

An economic exploit was used against PancakeBunny’s decentralised finance (DeFi) protocol on Wednesday, with the attacker draining $45 million USD from the ecosystem.

How Did The Attack Happen?

According to the post-mortem analysis of the attack published by Bunny:

  • The exploiter staged (and exited) the attack using PancakeSwap (PCS)
  • By exploiting a difference in PCS pricing, the hacker intentionally manipulated the price of USDT/BNB and Bunny/BNB, acquiring a huge amount of Bunny through the use of Flash Loans.
  • The exploiter dumped all the Bunny in the market (Ethereum), causing the price of Bunny to plummet
  • The exploiter then exited the attack by paying back the remaining BNB (by having exploited the price difference from before) on PCS.

Flash loans allow anyone to borrow an unlimited supply of funds without providing any collateral as long as they pay back the sum in the same transaction.

Bunny price plummets after the executed exploit [poocoin]

The attack pumped the price of BUNNY from $150 to $240 before plummeting to $0 in just 30 minutes. No vaults were compromised in the event, with the main issue being the driven down price affecting all investors.

Moreover, we are committed to providing a solution by which we can restore the value lost by our community and restore their confidence in the project.

Bunny Finance

Increased Attacks On DeFi

In April, crypto data aggregator Messari reported that flash loans had become the most popular attack vector in the DeFi ecosystem, accounting for roughly half of the $285 million worth of DeFi exploits identified on the Ethereum DeFi-market since 2019.


FinNexus Token (FNX) Tanks 90% After Contract Was Allegedly Hacked

FNX, the native token of FinNexus protocol, suffered a massive hit on Monday, plummeting over 90 percent after the contract was supposedly hacked.

FinNexus Team Says Crypto Contract Was Hacked

FinNexus is an application layer DeFi protocol that allows developers, service providers, and project participants to easily interact with blockchains. FinNexus has its own utility token called FNX, which plays an important role in the functioning of the ecosystem and it relies on an ERC-20 smart contract.

The development team confirmed the incident in a tweet, saying that the ERC-20 contract was hacked. They instructed FNX investors and traders to withdraw their funds from the pool for safety reasons.

Although the FinNexus team claimed that the token’s contract was compromised, DeFi researcher Chris Blec suggests otherwise.

According to Blec, someone stole the admin key, which enabled them to change ownership of the contract to a new address. They were able to create more FNX tokens, only to sell them a few minutes later. This resulted in a massive decrease in the token’s value.

FNX Price Update

At the time of writing, the FNX token was trading at around $0.06 USD on CoinMarketCap. After dropping over 90% in price, it has recovered a little, but it is still down more than 80 percent over the past 24 hours. The market capitalization is also down to around $2.2 million USD.

FinNexus (FNX) price chart [CoinMarketCap]

$7 Billion Dollars Could Crash Bitcoin With a DoS Attack, Expert Explains

Doctor Matthew Green, part of the team that created Zcash, stated in a debate that if there were a malicious party willing to spend $7 billion USD it could start a cyber attack that could crash the network, effectively making it impossible for any transactions to be processed by the network.

However, that would require the resources (power, money) of a nation-state or some secret billionaire to get the ball rolling, and since there is no monetary incentive, it would possibly be for malicious reasons.

This Denial of Service (DoS) would work like a 51% attack: an entity that spent $7 billion USD to create empty blocks could flood the system. That would stop other transactions from being validated and “deny service” to others wanting to use the network. The money spent would produce the chain with the largest cumulative difficulty, made up of blocks that are empty (which is valid).

DoS attack to Bitcoin: the end?

Since a prolonged attack would be so expensive in both power and monetary cost, it would be impossible to sustain it indefinitely. This means that it wouldn’t necessarily bring Bitcoin (BTC) down completely, but the price would probably drop temporarily and people wouldn’t be able to use the network until the attack is over.

There are some countermeasures that can be implemented to prevent instances like these. The Horizen project created one such solution after it was hit by a 51% attack. Because a 51 percent attack requires a miner to produce blocks in secret before posting them to the blockchain, they added a delay penalty if a block takes too long to be created. Other methods include adding an element of Proof-of-Stake so that members that don’t own any of the digital asset can’t “grief” the network.

The way blockchain is designed also intrinsically helps against standard DoS attacks according to Alexandre Francois of PenTest Magazine.

For starters, it eliminates the risk of having a single point of failure. It can maintain a list of compromised IPs in its ledger, and this would be resistant to disruption attempts. As soon as a server with the list is compromised, a user can switch to any other node on the network to access a safe copy.

Alexandre Francois, PenTest Magazine

Bitcoin Mining Pools Have Been Targeted in The Past

A report published by U.S. technology company Neustar, for example, estimates a 200% increase in DoS events against their customers in Q1 2019 compared to the same period in 2018.

AntPool, BW.com, NiceHash, CKPool and GHash.io are among a number of Bitcoin mining pools and operations that have been hit by Distributed Denial of Service (DDoS) attacks, showing that this is not a rare occurrence.

However, as Bitcoin becomes more decentralised and mining power is spread over various continents it seems clear that even a nation state with a massive amount of resources could not crash Bitcoin permanently. The aggressor would arguably just incur massive costs to achieve a debatable result.


Ledger And Shopify Hit With Class-Action Lawsuit Over 2020 Data Breach

One of the most popular hardware wallet companies, Ledger, suffered a heavy blow to its reputation last year when a massive data breach occurred, causing somewhere between 250,000 and 1,000,000 customer email addresses to be leaked – and among the affected customers, 9500 also had more personal information leaked, such as their names and addresses.

ID Tag Team Theft

It turns out that the incident was actually part of a coordinated effort by two rogue Shopify employees to harvest data from Shopify users, with slightly less than 200 distinct merchants affected.

As Ledger used Shopify’s platform to create their online store, both companies are now being sued in a class-action effort.

The lawsuit will be coordinated by Roche Freedman, a company known for taking on crypto-related cases.

Although Pascal Gauthier – the CEO of Ledger – took to Twitter at the time to reassure customers that the cryptocurrencies stored in the hardware wallets – also known as cold wallets – were not affected in the least, his statement was not well-received by several users who received threatening e-mails rife with promises of midnight visits and the like.

Ledger’s general counsel Antoine Thibault commented on the case, stating that although they will not comment on ongoing legal cases, the company would like to remind Ledger customers that their cryptocurrency stashes were safe.

“Ledger does not comment on ongoing legal issues. Ledger would however like to take this moment to remind our customers, yet again, never to divulge their 24 words and validate the identity of the recipient of your transactions. You are in sole and total control of access to your funds.”

In turn, Kyle Roche of Roche Freedman stated that the class-action lawsuit had been in preparation for a while – and that he and his firm had been consulting with blockchain experts ever since the incident had taken place.


Force DAO Protocol Hacked, Token Plunges 95%

Force DAO, a DeFi hedge fund, suffered an attack by a hacker who found a bug in the xFORCE contract, draining 14.8 million worth of FORCE tokens (around 34 million on this Sunday morning).

The attack happened after the protocol organised an airdrop yesterday, distributing FORCE tokens to its users. The token plunged at least 95% after the protocol confirmed the attack, going from $2.30 to $0.26.

The protocol confirmed the attack via Twitter and published a post-mortem analysis a few hours later. Accordingly, Force DAO is currently working with two different security firms to review and analyse the contracts.

Other Attackers Took Advantage

The first hacker found a bug in the xFORCE contract’s code: when the amount transferred exceeded the account’s balance, it returned a false value instead of reverting the transaction.

According to technical advisor Mudit Gupta, this allowed anyone to call the “Deposit” function without holding FORCE tokens. The attacker minted xFORCE tokens from the contract without locking them in the vault.
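The flaw described above, modelled in Python as an added example (this is not Force DAO's contract code): a transfer that signals failure with a return value instead of reverting, a deposit that ignores that value, and the corrected deposit. All class, method and account names are hypothetical, and the balances are constructed.

```python
class Token:
    """Toy ledger whose transfer_from reports failure by returning False."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer_from(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            return False          # no exception raised: the caller must check
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount
        return True


class Vault:
    """Issues receipt shares (xFORCE-like) in exchange for deposited tokens."""
    def __init__(self, token):
        self.token = token
        self.shares = {}

    def deposit_unchecked(self, user, amount):
        # Flawed: the return value is ignored, so shares are minted
        # even when no tokens actually moved into the vault.
        self.token.transfer_from(user, "vault", amount)
        self.shares[user] = self.shares.get(user, 0) + amount

    def deposit_checked(self, user, amount):
        # Corrected: a failed transfer aborts the whole deposit.
        if not self.token.transfer_from(user, "vault", amount):
            raise ValueError("transfer failed, deposit reverted")
        self.shares[user] = self.shares.get(user, 0) + amount


def unbacked_shares(vault):
    """Invariant monitor: shares issued minus tokens the vault really holds."""
    return sum(vault.shares.values()) - vault.token.balances.get("vault", 0)


if __name__ == "__main__":
    # Constructed balances: "mallory" holds no tokens at all.
    flawed = Vault(Token({"alice": 100, "mallory": 0}))
    flawed.deposit_unchecked("mallory", 500)
    print("unchecked deposit, unbacked shares:", unbacked_shares(flawed))

    fixed = Vault(Token({"alice": 100, "mallory": 0}))
    try:
        fixed.deposit_checked("mallory", 500)
    except ValueError as err:
        print("checked deposit rejected:", err)
    print("checked deposit, unbacked shares:", unbacked_shares(fixed))
```

A non-zero result from `unbacked_shares` is the kind of accounting invariant a review or on-chain monitor can check to catch this class of bug.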

According to Force DAO, the hacker returned the funds to the pools after finding the vulnerability in the contract’s code. Other attackers took advantage of it and drained millions of dollars, exchanging the funds on Uniswap and Sushiswap.

Other attackers soon followed, draining the pool’s liquidity and taking over $20 million FORCE tokens in just a few hours.

Force DAO is the latest DeFi protocol subject to millions of funds lost. A few days ago, TurtleDex, a Binance Smart Chain-based protocol, rug pulled its investors, draining $2.5 million out of the liquidity pools.


PancakeSwap Has Been Hacked, Do Not Enter Your Seed Phrases

Recently announced on their Twitter, PancakeSwap might have been DNS hacked along with Cream Finance. DeFi users are urged to stay safe by not entering their seed words or private keys into the website.

This highlights the chaotic world of DeFi and traders should be aware of how to stay safe when trading cryptos in order to protect their funds.


Cryptopia Hacked Again While Under Liquidation

Back in January of 2019, Cryptopia was hacked — leading to losses worth $1.97 million. 

The New Zealand-based exchange has since started liquidation procedures —  but they’ve been hit yet again.

Losses From First Hack Still Not Recovered

Following the 2019 hack that cost them nearly 2 million dollars, their liquidator, Grant Thornton, has started allowing former users of the exchange to send them claims for cryptocurrency lost back in 2019.

This incident alone constituted a loss of 15% of their entire digital currency stash and is considered the most damaging incident of theft in the history of New Zealand — and the proceeds are worth far more now than at the time of the theft, due to the explosion of multiple cryptocurrencies, Bitcoin chief among them. 

Stakenet — a U.S.-based creditor — stated that $45k worth of XSN had been transferred out of its cold wallet on the 1st of February. 

However, Grant Thornton stated that the transaction was not authorized — which makes one wonder how the hack could have occurred, as an attack on a cold wallet is much harder to pull off than an attack on a hot wallet, due to its intentional lack of connectivity to the Internet.

Stakenet commented that Grant Thornton should take responsibility for the incident, assuming it happened on their watch.

“If this unauthorized transaction has happened under Grant Thornton’s watch then they need to explain to the users why they failed to secure … [their] assets like they were supposed to do and how someone was able to access them.”

Although Grant Thornton did not make a public statement regarding the issue, it’s been understood that they have contacted the police about the security breach and are investigating it internally. 


Death Threats And Fake Emails: Ledger Users In Danger As Hackers Start Massive Attacks Following The Database Leak


The SIM swap attacks have begun following Ledger’s database leak, now that hackers have all the personal information of at least 270,000 users. Scammers are now sending apology messages on Ledger’s behalf, tricking users into installing the “latest version”.

Hackers are sending malicious links with a convincing letter to trick users into clicking “Download the latest version”. One of Ledger’s users fell into the trap and reported losing $4,000 thanks to a modified MetaMask extension.

Below is a screenshot uploaded by a Twitter user who received the message from the hackers. People on Twitter are alarmed by how compelling and convincing the message is, despite a minor spelling error at the end.

But the outrage is even greater since the affected users have reported that Ledger has not commented nor provided assistance of any kind on these messages.

A Reddit user who goes by the name u/goldcakes reported receiving several death threats over his Ledger:

Taken from: Reddit

At least 1 million users were exposed on RaidForums since the attacks on Ledger began. According to the staff, the attack only leaked the personal data of 9,000 users. The company downplayed the issue, saying it was “old data.”

Now it turns out that those 9,000 users became 270,000 people who have all their personal info in the hands of cyber-thieves and are exposed to these types of messages. Likewise, Ledger could be in serious trouble if affected users take legal action, which might start soon.