Dutch Uni Recovers Double the Ransom it Paid in BTC During 2019

In a compelling display of how unsuitable bitcoin is for criminal activity, Netherlands-based Maastricht University has shared a positive tale: the bitcoin it paid as ransom in 2019, since tracked and recovered, has appreciated significantly in the interim.

A Profitable Ransom

As outlined by the university, it suffered a ransomware attack in 2019 that prevented more than 25,000 staff and students from accessing critical research data, email, or library resources. The hackers encrypted hundreds of Windows servers and backup systems, denying access to business-critical services pending a ransom payment of €200,000 (US$208,000) in bitcoin.

As reported by Dutch newspaper De Volkskrant, the university agreed to pay the attackers after a week, “partly because personal data was in danger of being lost and students were unable to take an exam or work on their theses”.

After launching an investigation, Dutch police traced a Ukrainian bank account belonging to a known money launderer. Investigators were able to establish that a relatively small amount of the ransom money, some €40,000 (US$41,000) worth of bitcoin, had been paid.

Chain analysis at work, used to identify the hacker. Source: Bitquery

Prosecutors were able to seize the offending account in 2020 and, through chain analysis techniques, were able to trace the remaining bitcoin. While information remains limited on why it took so long to return the funds, it appears as if the tedious wheels of bureaucracy might have worked in the university’s favour.

Since paying the ransom, the €200,000 (US$205,000) worth of bitcoin has more than doubled to €500,000 (US$515,000), even despite bitcoin plummeting some 75 percent below its all-time high.

Needy Students to Benefit from Recovery

Commenting on the windfall, Maastricht University ICT director Michiel Borgers said it would be directed to students in need:

This money will not go to a general fund, but into a fund to help financially strapped students.

Michiel Borgers, director of ICT, Maastricht University

De Volkskrant has reported that the investigation remains ongoing as authorities search for those responsible for the attack. With crypto crime having soared to new heights in 2021, authorities, including the US Federal Bureau of Intelligence, which recently established a crypto crime unit, have increasingly ramped up efforts to combat ransomware attacks.

Hacker Wants 10 Bitcoin for Stolen Data of 1 Billion Chinese Citizens

In what could be one of the biggest data breaches in history, a hacker who claims to have stolen the personal details of 1 billion Chinese citizens from a Shanghai police database is offering to sell the information for a mere 10 bitcoin – worth about US$200,000.

The anonymous hacker, identified only as “ChinaDan”, posted the following message on hacker site Breach Forums last week:

“In 2022, the Shanghai National Police (SHGA) database was leaked. This database contains many TB [terabytes] of data and information on billions of Chinese citizens. [These include] several billion case records including names, addresses, birthplaces, national ID numbers, mobile numbers, [plus] all crime/case details.”

‘CZ’ Corroborates Intelligence Threat

In a July 4 tweet, Binance CEO Changpeng ‘CZ’ Zhao said the exchange had stepped up its user-verification processes after Binance’s threat intelligence detected the sale of records belonging to “one billion residents of an Asian country” on the dark web.

CZ blamed the leak on “a bug in an Elasticsearch deployment by a [government] agency”, without specifically mentioning the Shanghai police case.

Implications for Greater Crypto Industry

Kenny Li, co-founder of Web3 privacy project Manta Network – in which Binance Labs is an investor – warned the breach might have widespread implications for the crypto industry:

The stolen data could be used to exploit users and do things like [launch] phishing attacks to steal keys or [gain] unauthorised access to applications like centralised exchanges.

Kenny Li, co-founder, Manta Network

The Shanghai Police data hack claim comes as China has vowed to tighten protection of online user data privacy, instructing its tech giants to ensure safer storage after multiple public complaints about mismanagement and misuse.

China has recorded a number of data leak incidents in recent years. In 2016, sensitive information about powerful Chinese individuals, including Alibaba founder Jack Ma, was posted on Twitter.

Ransomware War Continues

In November last year, US$6 million in crypto was seized from the REvil ransomware group, and three months later the US Federal Bureau of Intelligence announced the formation of a specific crypto crime division to tackle ongoing ransomware attacks.

Solana-Based Protocol ‘Crema Finance’ Exploited for $8.7 Million, Services Suspended

Solana-based liquidity protocol Crema Finance has announced via Twitter that it suffered a US$8.7 million hack and has suspended its services to investigate the incident.

On July 2, Crema Finance announced that it had temporarily halted its services and would update users as soon as it had more information.

Flashloans Used to Drain Liquidity Pool

Crema is said to be working with blockchain audits platform OtterSec to investigate the hack. According to OtterSec, the hacker used Solend (a Solana-based lending platform) flashloans to drain the protocol’s pool.

Apparently, the hacker was able to circumvent Crema’s security procedures by implementing an “on-chain program” and subsequently deploying the flashloans.

The attacker stole over US$400,000 in USDH and US$5 million in USDT, later swapping the tokens for SOL and sending it to an address that currently holds around 69,442 SOL.

Crema Finance is not related to Cream Finance, another DeFi protocol that has suffered multiple exploits in the past.

A day after the incident, Crema claimed to have found the hacker’s Discord account and is now working with third parties to help establish the hacker’s identity.

The hacker allegedly used six flashloans to exploit the protocol. Flashloans are a common instrument in the DeFi ecosystem. Another recent victim of a flashloan exploit was Inverse Finance, an Ethereum-based protocol that lost US$1.2 million.

And about 10 weeks ago, Beanstalk, a credit-based stablecoin also on Ethereum, lost more than US$180 million in a flashloan exploit.

Axie Infinity’s Ronin Bridge Re-Opens, Set to Compensate Victims of $625 Million Hack

Axie Infinity’s Ronin bridge has re-opened, and the company will reimburse all victims of the US$625 million hack of March 30, according to a tweet from officials.

The Ronin bridge links Axie Infinity’s Ronin sidechain to the Ethereum network and allows users to transfer assets between the two chains. The re-opening will take place this week, but it requires a hard fork, with all validators updating their software and upgrading their nodes.

The company also shared that blockchain security company Certik had audited the Ronin bridge multiple times and came back with minor suggestions.

Important News for the Axie Community

The Axie Infinity community bled after the company’s Ronin bridge suffered the biggest DeFi hack in history, with over US$600 million stolen in just a few hours.

It was later reported that a South Korean hacking group, Lazarus, was behind the hack, according to US authorities, who established that a sanctioned Ethereum wallet was the same wallet used to receive the stolen funds. The hackers used Tornado Cash to launder over 20 percent of the funds.

Harmony Protocol’s Multi-Sig Wallet Compromised in $100 Million Heist

The Harmony blockchain’s Horizon cross-chain bridge has been hacked, resulting in the theft of approximately US$100 million worth of assets.

The Harmony team says it has identified the hacker’s wallet and is now working closely with security partners, forensic specialists and law enforcement to recover the lost assets.

During the attack – which occurred on the morning of June 23, US time – the hacker was able to steal a variety of assets including BUSD, USDC, ETH and wBTC, which have all since been swapped for ETH and remain in the hacker’s accounts on the Ethereum blockchain.

Hack Exploited Multi-Sig Wallet

According to Harmony founder and CEO Stephen Tse, the hack on the Horizon bridge was not due to vulnerabilities in the smart contract code. In a statement released in the days following the attack, Tse said the attacker had somehow compromised several of the private keys used to sign transactions on the multi-signature wallet that controls the assets stored in the bridge:

The incident response team has found no evidence of any breaches of our smart contract code nor vulnerabilities on the Horizon platform. Our consensus layer of the Harmony blockchain remains secure.

Stephen Tse, founder and CEO, Harmony

Tse added: “Our incident response team has discovered evidence that private keys were compromised, leading to the breach of the Horizon bridge. Funds were stolen on the Ethereum side of the bridge. The private keys were encrypted and stored by Harmony, with the keys doubly encrypted via passphrase and a key management service, and no single machine had access to multiple plaintext keys.”

Before this hack, the multi-sig wallet controlling assets in the Horizon bridge required only two of four private keys to sign a transaction, leaving it highly vulnerable to attack. Since the attack, Tse has tweeted that the multi-sig wallet has been hardened to require four of five private keys to sign any transaction.

Harmony Offers Reward, Won’t Pursue Legal Action

In the aftermath of the hack, the Harmony team tweeted an offer of a US$1 million bounty for the return of the stolen funds and said it would advocate for no criminal charges if and when the funds are returned.

This is a relatively common tactic used by crypto projects to incentivise hackers to return lost assets. While it sometimes works, it is not widely supported, as some see it as rewarding criminal behaviour.

Cross-Chain Bridges Vulnerable

Cross-chain bridges like Horizon provide interoperability between blockchains, allowing users to swap tokens between chains and easily take advantage of different applications and services on each. However, they are not without risk.

One of the primary risks of cross-chain bridges is that their assets are often held in highly centralised multi-sig wallets controlled by a small number of individuals. This centralisation of enormous quantities of crypto assets makes them very attractive targets for hackers. Already this year, several cross-chain bridges – including Axie Infinity’s Ronin bridge and Solana’s Wormhole bridge – have been hacked for a combined total of close to US$1 billion.

Despite this recent spate of hacks on cross-chain bridges, DeFi remains by far the crypto sector most vulnerable to exploits. A recent report from blockchain analytics firm Chainalysis found that since the start of 2020, 97 percent of crypto hacks have targeted DeFi applications. Just weeks ago, the decentralised exchange Osmosis was forced offline after a US$5 million hack was identified by a Reddit user.

Chainalysis Launches 24/7 Hotline for Crypto Crime Victims

Blockchain research firm Chainalysis has announced the launch of a 24/7 hotline accessible to victims of crypto crime. The Crypto Incident Response hotline will work to support organisations under attack from ransomware demands or targeted by crypto cyber-attacks.

Hotline Independent of Chainalysis

With crypto hackers responsible for US$3 billion of lost crypto value via theft and ransom demands from just 251 attacks in 2021, Chainalysis’ announcement is a welcome one.

We’re investing in this service not just to assist organisations in their times of need, but also to help bring bad actors to justice and demonstrate that crypto is not the asset class of anonymity and crime.

Chainalysis blog post

The hotline will be independent of the analytics service and will not require victims to be existing Chainalysis customers. This rapid-response strategy aspires to turn up the heat on hackers, making it more difficult for them to cash out. The Chainalysis team has also indicated its willingness to liaise with law enforcement on victims’ behalf.

Despite many organisations having called for the implementation of the hotline, just as many voices on Twitter seem to be on edge about what this could mean for their money and their privacy.

Regardless, with time of the essence in these cases, Chainalysis is hoping that its strategy will decrease the quantity and severity of crypto crime in the industry.

Chainalysis Monitors Crypto Crime

Earlier this month, Chainalysis published a report stating that DeFi projects were most often the target of crypto attacks. As many as 97 percent of all crypto attacks have been directed at DeFi projects since the beginning of 2020, with the biggest DeFi hack on record – in which Axie Infinity lost over US$600 million – happening on March 30 this year.

Chainalysis also announced in February that ‘criminal whales’ were holding US$25 billion in digital assets. Defined as private wallets holding over US$1 million of crypto, where a minimum of 10 percent of these funds are obtained from illicit addresses, criminal whales are commonly associated with fraud, malware, and scams.

‘Inverse Finance’ Exploited Again in $1.2 Million Flash Loan Attack

Inverse Finance, a decentralised lending protocol built on Ethereum, has lost over US$1.2 million in the industry’s latest DeFi hack.

To make matters worse, this is the second such incident for Inverse Finance after US$15.6 million was stolen in an exploit just three months ago.

Flash Loan Attack

Flash loans are DeFi-specific crypto loans in which large amounts of capital can be borrowed with little collateral, provided the loan is paid back within the same transaction.

While flash loans are typically used by traders, attackers have repeatedly used them to manipulate the prices a protocol’s smart contract relies on and then drain the liquidity pool’s assets.

This is a so-called “flash loan attack”, the technique used by the exploiter in this latest incident, as confirmed by security firm PeckShield.
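As an added illustration of the same-transaction repayment rule described above and of the oracle-side check a protocol can apply against it (example code written for this page, not the code of Inverse Finance, Aave or any project named here): the toy `Lender` reverts unless it is repaid before its callback returns, the toy `Protocol` refuses a spot price that has drifted more than 5 percent from a time-weighted average price, and a revert anywhere discards the whole transaction's state. The `Pool`, `Lender`, `Protocol` and `simulate` names, the constant-product pool and the pre-computed TWAP are all assumptions.

```python
import copy

class Revert(Exception):
    """Abort the transaction; every state change made inside it is discarded."""

class Pool:
    """Toy constant-product AMM; twap is the time-weighted price from earlier blocks (assumed)."""
    def __init__(self, reserve_a: float, reserve_b: float, twap: float):
        self.reserve_a, self.reserve_b, self.twap = reserve_a, reserve_b, twap

    def spot_price(self) -> float:
        return self.reserve_b / self.reserve_a  # price of A in units of B, right now

    def swap_a_for_b(self, amount_a: float) -> float:
        k = self.reserve_a * self.reserve_b  # x * y = k: adding A pushes A's price down
        self.reserve_a += amount_a
        out_b = self.reserve_b - k / self.reserve_a
        self.reserve_b -= out_b
        return out_b

class Lender:
    """Toy flash-loan pool: lends any amount, reverts unless repaid before the call returns."""
    def __init__(self, liquidity: float):
        self.liquidity = liquidity

    def repay(self, amount: float) -> None:
        self.liquidity += amount

    def flash_loan(self, amount: float, borrower) -> None:
        if amount > self.liquidity:
            raise Revert("insufficient liquidity")
        before = self.liquidity
        self.liquidity -= amount
        borrower(amount)  # borrower's code runs here with the funds in hand
        if self.liquidity < before:  # not repaid in the same transaction: loan never happened
            raise Revert("flash loan not repaid")

class Protocol:
    """Toy price consumer that refuses a spot price far from the TWAP (the mitigation)."""
    def __init__(self, pool: Pool, max_deviation: float = 0.05):
        self.pool, self.max_deviation = pool, max_deviation

    def collateral_price(self) -> float:
        spot = self.pool.spot_price()
        if abs(spot - self.pool.twap) / self.pool.twap > self.max_deviation:
            raise Revert("spot price deviates from TWAP: possible mid-transaction manipulation")
        return spot

def simulate(move_price: bool, repay: bool = True):
    """Run one flash-loan tx atomically over constructed toy state; return (committed, state)."""
    state = {"lender": Lender(1_000_000.0), "pool": Pool(10_000.0, 10_000.0, 1.0)}
    work = copy.deepcopy(state)  # scratch copy of chain state; dropped on Revert
    def borrower(amount: float) -> None:
        if move_price:
            work["pool"].swap_a_for_b(amount)  # push the borrowed A into the pool, moving spot
        Protocol(work["pool"]).collateral_price()  # protocol reads the price mid-transaction
        if repay:
            work["lender"].repay(amount)

    try:
        work["lender"].flash_loan(500_000.0, borrower)
        return True, work
    except Revert:
        return False, state
```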

On-chain data reveals that the culprit flash-borrowed 27,000 wrapped bitcoin from lending protocol Aave to conduct the attack. The funds were subsequently routed through swap service Curve for various stablecoins before being used to remove DOLA, a stablecoin, from Inverse Finance pools.

Evidence of the flash loans. Source: Etherscan

In total, the exploiters managed to steal more than 53 bitcoin, worth US$1.1 million, and 10,000 tether (USDT). As a result, Inverse implemented a temporary pause on its lending.

Since the exploit, an address tagged “Inverse Finance Exploiter” has apparently sent 900 ETH, worth around US$1 million, to Tornado Cash, a privacy mixer often used by attackers wishing to conceal their funds.

‘Generous Bounty’ Offered

In a post-mortem, Inverse Finance encouraged the person(s) behind the incident to return the funds for a “generous bounty”. And to mitigate the risk of further incidents, it added that it had retained the services of security experts to not only further understand the breach, but also to prevent further such instances in the future.

Anon Hacker Gets Served with Restraining Order Via an NFT, a World First

In a world first for both the crypto space and the legal profession, a defendant in a hacking case has been served with a temporary restraining order by means of a non-fungible token (NFT).

International law firm Holland & Knight served the defendant on-chain using a “service NFT”. The hacker, who cannot be named, stole US$7.94 million in digital assets from a hot wallet belonging to LCX, a Liechtenstein-based fintech company.

Method Approved by NY Supreme Court

The service method was approved by the New York Supreme Court and “is an example of how innovation can provide legitimacy and transparency to a market that some believe is ungovernable”, according to LCX.

The hack, which took place in January this year, saw assets including Ether, USDC, Sandbox and more stolen from LCX, whose blockchain tracing specialists were subsequently able to identify the addresses of the hacker’s wallets.

LCX has been working with law enforcement authorities in Liechtenstein, Ireland, Spain and the US to trace the funds, which were initially routed through Tornado Cash, a crypto mixer protocol for concealing the digital trail of blockchain transactions. LCX traced the funds and wallets through what it describes as “algorithmic forensic analysis”.

Could Legal Precedent Save NFTs?

Perhaps this legal first could be the saviour of NFTs. Earlier this month, crypto analytics firm IntoTheBlock reported that Ethereum transaction volume was down 80 percent on the same period last year due in large part to plummeting interest in NFTs. Google search data showed a concurrent 75 percent reduction in searches for the term NFT, contributing significantly to the drop in transaction volume.

Decentralised Exchange ‘Osmosis’ Goes Offline After $5 Million Hack

The Osmosis decentralised exchange (DEX) has gone offline due to a US$5 million liquidity pool exploit. Core developers halted the network after a bug was uncovered by an Osmosis subreddit community member.

Network Suspended for ‘Emergency Maintenance’

Reddit user Straight-Hat3855 discovered the bug in the blockchain and shared it on the ‘Cosmos Network’ – the Osmosis subreddit. Straight-Hat3855 happened on the bug when depositing funds into the liquidity pool and immediately withdrawing them. Upon withdrawal, the value of the funds had unintentionally increased by 50 percent.

At 10:57pm EST, Osmosis’ core developers announced that the chain had been “halted for emergency maintenance”, much to the frustration of users. This emergency stoppage took 12 minutes to coordinate following the discovery of the bug.

Osmosis has since posted an update stating that the liquidity pools were not completely drained. The Osmosis token (OSMO) has been down by 6.96 percent in the past 24 hours.

Hackers Target DEXes

This year has been fraught with assaults on decentralised exchanges. In March, German DEX Li.Finance had one of its smart contracts exploited in an assault that resulted in a US$600,000 combined loss of assets taken from 29 users. Luckily the issue was rectified with a quick turnaround, and the investors were reimbursed.

At the beginning of May, DEX Saddle Finance lost US$14 million to hackers. The automated market maker began working with Bitcoin security organisation BlockSec to locate the funds. However, at the time it was deemed highly unlikely that US$10 million of the $14 million stolen would be recovered.

Whitehat Hacker Paid $6 Million After Preventing $330 Million Hack

Aurora, an Ethereum bridging and scaling solution that runs on the NEAR Protocol, announced on June 7 that it had paid a reward valued at US$6 million to a whitehat hacker for finding a bug that could have resulted in the loss of up to US$330 million worth of users’ funds.

The bug was reported to Aurora on April 26 through ImmuneFi, a leading Web3 bug bounty platform. The hacker who found the bug has been identified only by their Ethereum domain name, pwning.eth.

Aurora has confirmed that this bug was patched before any user funds were lost.

Bug Would Have Allowed Attacker to Mint Infinite ETH

The bug was described by Aurora as an “inflation vulnerability”. If exploited, the bug would have allowed an attacker to mint an unlimited supply of artificial ETH, which they then could have used to completely drain the real ETH from Aurora’s bridge contract – over 70,000 ETH, valued at more than US$200 million.

Other assets with ETH pairs valued at around US$130 million also would have been at risk. In total, up to US$330 million of assets could have been stolen.

Fortunately for Aurora, the hacker decided to report the bug and claim the US$6 million reward, the largest offered by Aurora and the second-largest bug bounty paid in crypto history.

The Aurora payout follows a US$2 million bug bounty paid in February to a whitehat hacker who identified a vulnerability in the Ethereum scaling solution, Optimism, which if exploited would have allowed an attacker to mint unlimited ETH.

Vulnerability Patched, Source Code Released

The vulnerability has since been patched on both the Aurora testnet and the mainnet, and the source code has been added to GitHub so external developers can confirm the bug no longer exists.

Aurora Labs, the organisation responsible for Aurora’s development, expressed disappointment that it allowed this bug to get into a mainnet release, but was happy the bug bounty program worked as intended:

Such a vulnerability should have been discovered at an earlier stage of the defence pipeline, and Aurora Labs has already started improving its methods to achieve that in the nearest future. However, this event ultimately proves that the ecosystem created around Aurora Labs’ security mechanisms actually works.

Aurora Labs statement

Bug bounty platform ImmuneFi says it has paid out more than US$40 million in bounties to date, which it claims have prevented over US$20 billion in potential damage from hacks.