
97% of Crypto Hacks Were Against DeFi Projects: Chainalysis

Blockchain analytics firm Chainalysis has published a new report about criminal activities in the cryptocurrency space, stating that 97 percent of crypto hacks have targeted DeFi projects since the beginning of 2020.

North Korean Hacking Groups Largely Responsible

According to the report, DeFi protocols accounted for 97 percent of the US$1.68 billion worth of cryptocurrency stolen. Most of the stolen funds, approximately US$840 million, have gone to hacking groups associated with the North Korean government, the report says.

On March 30, Axie Infinity lost over US$600 million in the biggest DeFi hack on record. The US government linked the heist to Lazarus, a notorious North Korea-based hacking group.

Source: Chainalysis

Another recent incident occurred on May 3 when a hacker stole US$80 million from DeFi platform Rari Capital.

DeFi-Based Money Laundering on the Rise

DeFi protocols have also seen an uptick of illicit funds coming into their networks. According to the report, 69 percent of all funds in DeFi were sent from addresses linked to criminal activity.

DeFi protocols let users swap one type of cryptocurrency for another, which can make it harder to track the movement of funds. Unlike centralised services, many DeFi protocols offer this ability without collecting KYC information from users, making them more attractive to criminals.

Source: Chainalysis report

Another key finding of the report was the incidence of NFT wash trading. This practice consists of artificially inflating the price and trading volume of an asset by buying and selling the same instrument between wallets controlled by the same party.

Chainalysis cited as an example two wallets that generated over 650,000 WETH in transaction volume by selling the same three NFTs back and forth to one another. The wash trades were all carried out on a single marketplace, which rewards trading activity on its platform.
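The pattern Chainalysis describes (the same few NFTs bouncing between the same two wallets) is easy to pick out of on-chain sale records once ownership is followed token by token. The script below is an added detection example, not Chainalysis code; the sale records are constructed, and the thresholds (at least two returns to a prior owner, at most two wallets involved) are assumptions a real analyst would tune.

```python
"""Flag NFT tokens traded back and forth inside a closed set of wallets, the
wash-trading pattern described above (the same three NFTs sold between two
wallets again and again).  Added detection example; not Chainalysis code.
The sale records below are constructed, and the thresholds are assumptions."""
from collections import defaultdict

# Constructed sample: wallets 0xA and 0xB ping-pong tokens 101 and 102;
# token 200 circulates among unrelated wallets and should not be flagged.
SALES = [
    {"block": 1,  "token": 101, "seller": "0xA", "buyer": "0xB", "weth": 50.0},
    {"block": 2,  "token": 101, "seller": "0xB", "buyer": "0xA", "weth": 52.0},
    {"block": 3,  "token": 101, "seller": "0xA", "buyer": "0xB", "weth": 55.0},
    {"block": 4,  "token": 101, "seller": "0xB", "buyer": "0xA", "weth": 57.0},
    {"block": 5,  "token": 102, "seller": "0xA", "buyer": "0xB", "weth": 40.0},
    {"block": 6,  "token": 102, "seller": "0xB", "buyer": "0xA", "weth": 41.0},
    {"block": 7,  "token": 102, "seller": "0xA", "buyer": "0xB", "weth": 43.0},
    {"block": 8,  "token": 200, "seller": "0xC", "buyer": "0xD", "weth": 2.0},
    {"block": 9,  "token": 200, "seller": "0xD", "buyer": "0xE", "weth": 2.5},
    {"block": 10, "token": 200, "seller": "0xE", "buyer": "0xC", "weth": 2.7},
]


def token_stats(sales):
    """Follow each token's ownership in block order and record how often it
    returns to a wallet that already owned it, how many distinct wallets
    touched it, and its total sale volume."""
    by_token = defaultdict(list)
    for sale in sorted(sales, key=lambda s: s["block"]):
        by_token[sale["token"]].append(sale)

    stats = {}
    for token, chain in by_token.items():
        owners = {chain[0]["seller"]}   # wallets that have held the token
        returns = 0
        volume = 0.0
        for sale in chain:
            if sale["buyer"] in owners:
                returns += 1            # token went back to a previous owner
            owners.add(sale["buyer"])
            volume += sale["weth"]
        stats[token] = {"returns": returns, "parties": len(owners), "volume": volume}
    return stats


def flag_wash_trading(sales, min_returns=2, max_parties=2):
    """Tokens that keep returning to prior owners while circulating among
    very few wallets carry the wash-trading signature; a single resale among
    several wallets (token 200) is not enough to be flagged."""
    return {
        token: st for token, st in token_stats(sales).items()
        if st["returns"] >= min_returns and st["parties"] <= max_parties
    }


if __name__ == "__main__":
    for token, st in flag_wash_trading(SALES).items():
        print(f"token {token}: {st['returns']} returns among "
              f"{st['parties']} wallets, {st['volume']:.1f} WETH volume")
```

On the constructed data, tokens 101 and 102 are flagged with 338 WETH of combined volume, while token 200, which changes hands once among three wallets, is not. Against real marketplace data the same walk would be run per collection, and the volume attributed to flagged tokens compared with the rewards the marketplace paid out for it.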


200 ETH Stolen in Yuga Labs Discord Hack

Yuga Labs, the company behind the ‘blue chip’ Bored Ape Yacht Club (BAYC) NFT collection, has confirmed that its Discord servers were “briefly exploited”, leading to the loss of NFTs valued at over 200 ETH (US$357,000).

BAYC on the Back Foot

The news broke when Twitter user OKHotshot posted screenshots showing that a project community manager’s Discord account appeared to have been hacked, resulting in scammers being able to carry out a phishing attack.

As confusion reigned all over Twitter, it took the BAYC team 11 hours to acknowledge the exploit, adding in its thread that:

Subsequently, Yuga Labs’ co-founder Gordon Goner tweeted that “Discord isn’t working for Web3 communities. We need a better platform that puts security first.” Most didn’t take kindly to the lack of responsibility exhibited by the BAYC team, with one indignant user saying:

you didn’t lose your NFT because you used Discord. you lost your NFT because you signed a malicious transaction with your key. stop blaming Discord, another client won’t save you from repeating the same mistakes.

@stevefink via Twitter

The Wrong Kinds of Headlines

BAYC has been in the news a fair bit of late, albeit for the wrong reasons. Aside from its floor price dropping by over 50 percent in the past six months, this latest exploit is unfortunately not the first.

In April this year, BAYC’s Instagram account was compromised, resulting in US$2.8 million worth of NFTs being stolen. And in the following month, it committed what could only be described as a “minting fail” where over US$157 million in ETH was burned as part of the launch of its “Otherside” metaverse.


DeFi Protocol ‘Mirror’ Exploited for $2 Million Due to Buggy Code

Terra-based DeFi app Mirror Protocol has suffered an estimated US$2 million exploit related to the recent rebrand of the original Terra blockchain as Terra Classic.

This is the second major exploit of Mirror Protocol to be revealed in the past week.

During the attack, the pools for mBTC, mETH, mDOT and mGLXY were almost completely drained – and initially there were fears that all asset pools could be drained before developers belatedly patched the exploit.

What is Mirror Protocol?

Mirror Protocol is a DeFi app that allows for the creation of digital ‘mirrors’ of real-world assets, such as stocks and other cryptocurrencies, which closely track the price of the assets on which they’re based.

Mirror is built on the Terra Classic blockchain, but its assets are also available on other chains such as Ethereum and Binance Smart Chain.

Attacker Exploited Confusion Caused by New Terra Chain

The attack was initially discovered by a user of the Mirror Protocol forum known as Mirroruser and was shared on Twitter by Terra analyst FatManTerra.

FatManTerra explained the exploit was possible because many Terra Classic validators were running outdated software and reporting the price of the new Terra (LUNA), which at the time was valued at about US$9.80, rather than the price of the original Terra Classic (LUNC), valued at around US$0.0001. This discrepancy allowed the attacker(s) to acquire US$1.3 million of collateral, such as mBTC, for every US$1000 in LUNC they spent.

There were initially fears that the exploit wouldn’t be fixed before US stock markets opened, allowing the attacker to drain stock-based asset pools such as mAAPL and mAMZN.
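The failure mode above is a price feed whose reporters are honest but wrong: outdated validators quoting LUNA at around US$9.80 for an asset actually worth around US$0.0001. A consumer of such a feed can catch that before it reaches collateral valuation by refusing quotes that name a different asset, are stale, or jump implausibly far from the last accepted price, and by halting rather than pricing when too few quotes survive. The code below is an added, simplified model written for this article; it is not Mirror Protocol's or Terra's oracle code, and the report format, asset labels, the 2x jump limit and the two-report quorum are assumptions.

```python
"""Sanity-check a price feed against reporters quoting the wrong asset
(LUNA at ~US$9.80 instead of LUNC at ~US$0.0001), as happened above.
Added simplified model, not Mirror Protocol's or Terra's oracle code;
the report format, labels, jump limit and quorum are assumptions."""
from dataclasses import dataclass, field
from statistics import median


@dataclass
class PriceReport:
    validator: str
    denom: str      # asset the validator says it is quoting
    price: float    # quoted price in USD
    block: int      # block height at which the quote was produced


@dataclass
class PriceGuard:
    denom: str                      # asset this feed is for
    last_price: float               # last price the guard accepted
    max_jump: float = 2.0           # reject quotes more than 2x above or below
    max_age: int = 10               # reject quotes older than this many blocks
    quorum: int = 2                 # halt if fewer quotes than this survive
    rejected: list = field(default_factory=list)

    def check(self, r: PriceReport, now: int) -> bool:
        """True if the report passes every sanity check; rejections are
        logged with a reason so operators can see which validators drift."""
        if r.denom != self.denom:
            return self._reject(r, "wrong asset")
        if now - r.block > self.max_age:
            return self._reject(r, "stale quote")
        ratio = r.price / self.last_price
        if ratio > self.max_jump or ratio < 1 / self.max_jump:
            return self._reject(r, f"implausible jump x{ratio:.0f}")
        return True

    def _reject(self, r: PriceReport, reason: str) -> bool:
        self.rejected.append((r.validator, reason))
        return False

    def update(self, reports, now: int):
        """Accept the median of the surviving quotes and return it, or
        return None (meaning: stop pricing) when fewer than quorum survive.
        A feed that halts cannot be used to mint collateral at 98,000x."""
        good = [r.price for r in reports if self.check(r, now)]
        if len(good) < self.quorum:
            return None
        self.last_price = median(good)
        return self.last_price


# Constructed sample round: two sane LUNC quotes, one validator on outdated
# software quoting the LUNA price under the LUNC label, one honest LUNA
# quote that simply belongs to a different feed, and one stale quote.
REPORTS = [
    PriceReport("val-1", "LUNC", 0.000105, block=100),
    PriceReport("val-2", "LUNC", 9.80,     block=100),   # outdated software
    PriceReport("val-3", "LUNA", 9.80,     block=100),   # wrong feed
    PriceReport("val-4", "LUNC", 0.000098, block=80),    # 21 blocks old
    PriceReport("val-5", "LUNC", 0.000102, block=101),
]

if __name__ == "__main__":
    guard = PriceGuard(denom="LUNC", last_price=0.0001)
    print("accepted price:", guard.update(REPORTS, now=101))
    for validator, reason in guard.rejected:
        print(f"rejected {validator}: {reason}")
```

With the constructed round the guard accepts 0.0001035 (the median of the two sane quotes) and rejects the other three with their reasons; a second round in which only LUNA-priced quotes arrive returns None, so a consumer wired this way would pause rather than value collateral at the wrong price.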

Fix Put in Place Before Trading Begins

However, this was narrowly avoided as the developers were able to fix the incorrect pricing information just before US markets opened. The devs also disabled the usage of mBTC, mETH, mDOT and mGLXY, meaning the attackers couldn’t use their ill-gotten assets to drain any other pools.

This was the second major exploit of Mirror Protocol revealed this week. Just days ago, FatManTerra reported an attack that occurred on October 8, 2021 and went unnoticed for an astonishing seven months, resulting in the loss of more than US$88 million in assets.

The past month has been rough for DeFi, with the chaos surrounding the collapse of the Terra ecosystem causing large discrepancies across platforms in the price of Terra-based stablecoin UST, leading to significant losses for some DeFi apps such as Blizz Finance and Venus Protocol.

DeFi exploits have also become increasingly commonplace of late; just weeks ago, Fortress Lending was taken for an estimated US$3 million.


NFT Artist Beeple’s Twitter Account Hacked, $438k Lost in Phishing Scam

Digital artist and NFT creator Mike Winkelmann, better known as Beeple, has been targeted in a serial phishing expedition that netted scammers a total of US$438,000.

Hackers Railroad Louis Vuitton Raffle

In a series of tweets over the weekend, purportedly from Beeple, links posted to a fake Louis Vuitton NFT raffle were made to capitalise on a recent real collaboration between Beeple and the luxury fashion brand.

Earlier this month, Beeple designed 30 NFTs for LV’s ‘Louis The Game’ mobile game, embedded as rewards to players. Scammers posted phishing links from Beeple’s Twitter account to fake Beeple collections that seduced unsuspecting users with the promise of a free mint for unique NFTs.

The phishing links were up on Beeple’s Twitter for several hours, with the first netting the scammers 36 ETH, or roughly US$73,000 at the time. The second link snared US$365,000 worth of ETH and NFTs, bumping the total value of the scam to about US$438,000.

Beeple later tweeted that he had regained control of his account and reminded his followers that “anything too good to be true IS A F*CKING SCAM”.

Beeple Makes Himself a Scam Magnet

Having created three of the top 10 most expensive NFTs released to date, including one that sold for US$69 million, Beeple has made himself a prime target for hacks. Last November, his installation artwork Human One, paired with an NFT, sold for almost US$29 million at auction. That same month, an admin account on the artist’s Discord channel was hacked, with users losing 38 ETH to a fake NFT drop remarkably similar to the latest exploit.

Earlier this month, Beeple made the news for an entirely different reason, partnering with pop icon Madonna on an explicit NFT collection that possibly raised more eyebrows than it did money.


GoDaddy Website Hack Leaves DeFi Protocol ‘SpiritSwap’ Compromised

Multiple DeFi protocols have been compromised after an attack on the world’s biggest domain registrar, GoDaddy. Unconfirmed reports suggest the hacker(s) may have used GoDaddy’s account recovery method to target crypto domains.

SpiritSwap, one of Fantom’s biggest DeFi exchanges, has been left vulnerable as a result.

SpiritSwap Manages to Mitigate Disaster

SpiritSwap managed to take action quickly as the attacker(s) manipulated the swap parameters and were able to take an amount not exceeding US$18,000. SpiritSwap provided updates stating it had disabled swapping in order to prevent the hackers from stealing further funds, and assured users that their contracts and funds were safe even though the domain spiritswap.finance had been compromised. Since the attack, SpiritSwap has suspended all transactions.

Swapped Funds Redirected Across DeFi Protocols

Several crypto projects use GoDaddy to host their domains, and at the time of writing the full extent of the damage was not yet clear. That said, this attack differs from the recent ‘Coinzilla Ad’ hack in which an ad caused a pop-up on sites such as CoinGecko that, when clicked, could drain a user’s wallet. In the case of GoDaddy, the attacker used the hosting platform to redirect swapped funds on DEXes such as QuickSwap and SpiritSwap.

DeFi Scams on the Rise in 2022

DeFi scams are nothing new but are becoming ever more brazen. Here is a recent list of the scams that happened in DeFi this year:


DeFi Protocol ‘Fortress Lending’ Exploited for $3 Million

The Fortress decentralised finance (DeFi) protocol – a crypto borrowing and lending platform – has seen an estimated US$3 million of its funds drained. The Binance Smart Chain (BSC)-based platform fell victim to an oracle attack last weekend with the loss of “all funds”.

Price Oracle Targeted by Hackers

Both PeckShield and BlockSec have noted that the oracle used by Fortress “can be hijacked by anyone due to the lack of power verification”. PeckShield also warned the oracle network Umbrella about its involvement in the incident. This exploit could be used against anyone using the same Umbrella oracle, the firms warned.

In response, Umbrella released its own statement saying it was “aware of the recent exploits that may have stemmed from an Umbrella Network price feed error”.

The attacker was able to call the oracle’s price-update function and change the price of the native Fortress token (FTS) manually, then buy a large enough amount of FTS to pass a vote for a proposal allowing FTS tokens to be taken as collateral. As a result, the attacker used 100 FTS as collateral to borrow all other assets in the protocol.
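The auditors’ phrase “lack of power verification” describes an update path that never checks who signed the new price or how much of the reporter set stands behind it. The two toy oracles below put that flaw beside the check that closes it: the first stores whatever it is handed, the second accepts an update only when valid signatures from known reporters add up to at least two-thirds of total voting power and the update is newer than the last one. This is an added illustration written for this article, not the Umbrella Network or Fortress contracts; the validator names, keys, powers and threshold are constructed, and HMAC-SHA256 stands in for the on-chain signature scheme.

```python
"""Two toy price oracles side by side: one that accepts a price update from
any caller (the "lack of power verification" the auditors cite) and one that
checks reporter signatures and their combined voting power first.  Added
illustration, not Umbrella Network's or Fortress's contracts; names, keys,
powers and the two-thirds threshold are constructed, and HMAC-SHA256 stands
in for the on-chain signature scheme."""
import hashlib
import hmac

# Constructed reporter set: name -> (signing key, voting power)
VALIDATORS = {
    "val-a": (b"constructed-key-a", 40),
    "val-b": (b"constructed-key-b", 35),
    "val-c": (b"constructed-key-c", 25),
}
TOTAL_POWER = sum(power for _, power in VALIDATORS.values())


def _message(symbol: str, price: int, block: int) -> bytes:
    """Canonical bytes every reporter signs for a given update."""
    return f"{symbol}|{price}|{block}".encode()


def sign(validator: str, symbol: str, price: int, block: int) -> bytes:
    """What an honest reporter attaches to its update."""
    key, _ = VALIDATORS[validator]
    return hmac.new(key, _message(symbol, price, block), hashlib.sha256).digest()


class UnverifiedOracle:
    """Stores whatever it is given; caller and signatures are never checked."""

    def __init__(self):
        self.prices = {}

    def submit(self, symbol, price, block, signatures):
        self.prices[symbol] = price
        return True


class VerifiedOracle:
    """Accepts an update only if valid signatures from known reporters
    account for at least two-thirds of total voting power, and only for a
    block newer than the last accepted one (old updates cannot be replayed)."""

    def __init__(self):
        self.prices = {}
        self.last_block = {}

    def submit(self, symbol, price, block, signatures):
        if block <= self.last_block.get(symbol, -1):
            return False
        msg = _message(symbol, price, block)
        power = 0
        for validator, sig in signatures.items():
            entry = VALIDATORS.get(validator)
            if entry is None:
                continue                          # unknown reporter: no weight
            key, vote = entry
            expected = hmac.new(key, msg, hashlib.sha256).digest()
            if hmac.compare_digest(expected, sig):
                power += vote                     # each known key counts once
        if 3 * power < 2 * TOTAL_POWER:           # integer form of power >= 2/3
            return False
        self.prices[symbol] = price
        self.last_block[symbol] = block
        return True


if __name__ == "__main__":
    # Constructed prices are scaled integers; 1_000_000 is an arbitrary
    # inflated value an unauthenticated caller might try to set.
    weak, strong = UnverifiedOracle(), VerifiedOracle()
    print("unverified accepted unsigned update:", weak.submit("FTS", 1_000_000, 1, {}))
    print("verified accepted unsigned update:  ", strong.submit("FTS", 1_000_000, 1, {}))
    honest = {n: sign(n, "FTS", 100, 1) for n in ("val-a", "val-b")}
    print("verified accepted 75%-power update:  ", strong.submit("FTS", 100, 1, honest))
```

Only the verified oracle refuses the unsigned update, a forged signature, a single reporter holding 25 percent of the power, and a replay of an earlier valid update; an update carrying valid signatures from reporters with 75 percent of the power goes through.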

The stolen 1,048.1 ETH and 400,000 DAI were then promptly bridged to the Ethereum network and washed through TornadoCash.

FTS Price Takes a Tumble

Given the market-wide crash that coincided with the hack, Fortress’s native token has taken quite a beating, dropping over 60 percent in the past two weeks and down 99 percent over the past year, according to CoinGecko.

Hackers have been a major thorn in the side of the DeFi sector this year. According to PeckShield, as of the beginning of May more than US$1.57 billion in cryptocurrency had been stolen from DeFi platforms in 2022.

During the past week alone, Rari Capital was hacked for more than US$80 million and MM.Finance for US$2 million, only adding to the year’s negative tally.


OpenSea Discord Hacked, NFTs Stolen Using Fake YouTube Site

OpenSea has suffered a security breach on its main Discord channel, allowing hackers to promote a fake YouTube partnership with the NFT platform. OpenSea Support warned the community not to click on any links in its Discord channel, and said that it would investigate the situation.

The scam was first pointed out by a Twitter user called Serpent, who shared a screenshot of the marketplace’s hacked Discord, showing the scammers promoting an NFT mint pass as part of a fake partnership with YouTube and a link to a phishing site.

Webhooks Used for Phishing

Apparently, the hacker(s) used webhooks – a technique used to augment or alter the behaviour of a web page in real-time – to access server controls.

The hacker(s) were able to stay on the server for a considerable amount of time before OpenSea staff regained control. It appears that at least 13 wallets fell victim to the scam, as per on-chain data on Etherscan.

Another Discord Channel Hacked

Compromised Discord servers aren’t that uncommon, and more users are demanding better security protocols from the messaging platform.

It seems NFT channels are the biggest target for scammers. A month ago, Crypto News Australia reported how $APE dropped over 20 percent after the Bored Ape Yacht Club (BAYC) Discord channel got hacked.

Five months ago, blockchain gaming company Animoca had to repay users 265 ETH, or US$1.1 million, after several victims fell for fake NFTs, draining a considerable amount of money out of investors’ pockets.


DeFi Project ‘MM.Finance’ Suffers $2 Million Exploit

MM.Finance, the largest DeFi exchange on Cronos, has lost US$2 million in a recent exploitation by hackers. A Domain Name System (DNS) vulnerability is believed to be responsible, with the stolen funds being sent to Tornado Cash.

As per its tweet, MM.Finance traced the perpetrator of the cyberattack back to the OKX centralised exchange. The funds stolen in the frontend breach were bridged to Ethereum using Multichain and deposited into Tornado Cash. OKX requires users to go through a ‘know your customer’ procedure, so the attacker must have used fake IDs when signing up for the exchange.

While MM.Finance intends to compensate the affected addresses, the exchange has said that if 90 percent of the funds are not returned to MM.Finance within 48 hours, it will contact the FBI.

DeFi Exploits Increasing

Early April saw DeFi lender Inverse Finance suffer a US$15.6 million exploitation. The decentralised Ethereum protocol was compromised by hackers targeting its money market through the artificial manipulation of its token prices.

And, only days ago, Rari Capital lost US$80 million to hackers following a Fei protocol exploit. The assets had been held in Fuse lending pools, apparently the fault of a reentrancy vulnerability.


Redditor Issues Warning After Phone’s Predictive Text Guessed His Seed Phrase

An IT professional from Germany has warned fellow Reddit users after discovering that his mobile phone’s predictive text feature enabled it to correctly predict his entire recovery seed phrase after typing in the first word.

Example of a BIP-39 recovery seed phrase list (the complete 2048-word list). Source: Bitcoin Safety

Guessing Seed Phrases: Impossible?

Seed phrases, a random selection of words drawn from the 2048-word list defined in Bitcoin Improvement Proposal (BIP) 39, enable users to back up or recover access to their crypto holdings. Correctly guessing a 12- or 24-word seed phrase is virtually impossible, even with quantum computing. To give a sense of how low the probability is, one Reddit user ran the numbers.

Imagine then the surprise of Andre, also known as u/Divinux on Reddit, when he noticed that his phone accurately guessed the 12–24 word seed phrase, in the right order. “First, I was stunned. The first couple of words could be a coincidence, right?” he said, adding:

This makes it simple to assault, get your fingers on a telephone, begin any chat app, and begin typing any phrases off the BIP39 record, and see what the telephone suggests.

u/Divinux on Reddit

However, being IT literate and recognising the risk, he decided it would be best to put word out to the community.

Different Keyboards, Different Results

To properly assess the risk, Andre decided to evaluate how a range of different keyboards performed. His findings revealed that Google’s Gboard was the least vulnerable, since it did not predict every word in the correct order. However, both Microsoft’s and Samsung’s keyboards were able to predict the seed phrase word-for-word by default.

He then proceeded to issue a warning to fellow crypto enthusiasts:

Not your keys not your coins, do your own research, don’t FOMO, never invest more than you are willing to lose, always double-check the address you are sending to, always send a small amount beforehand and disable your PMs in settings.

u/Divinux on Reddit

Perhaps more pertinently, he concluded that users should “do [themselves] a solid [favour] and prevent that [predictive text guessing the seed phrase] from happening by clearing [their] predictive type cache”. Others however, such as u/babaossa77, thought even that didn’t go far enough: “If you typed your seed phrase into your mobile phone I’d already consider that seed as unsafe and wouldn’t use it for any bigger funds, even after clearing the cache.”
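The numbers behind the two halves of this story, the "virtually impossible" search space of a fresh seed phrase and what is left of it once a keyboard reproduces the phrase from its first word, can be worked out from the BIP-39 parameters alone. The functions below are an added calculation written for this article, not the Reddit user's own figures; the guess rate and the top-k suggestion model are assumptions, and the checksum words that BIP-39 would reject are ignored on the leaked side, which only makes that side an upper bound.

```python
"""Search space of a BIP-39 seed phrase versus what remains once predictive
text reproduces it.  Added worked numbers, not the Reddit user's own
calculation; the guess rate and top-k suggestion model are assumptions."""
WORDLIST_SIZE = 2048          # every BIP-39 word encodes 11 bits
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(n_words: int) -> int:
    """BIP-39 packs 32 bits of entropy plus 1 checksum bit into every 3
    words, so a 12-word phrase carries 128 bits and a 24-word phrase 256."""
    if n_words % 3 or not 12 <= n_words <= 24:
        raise ValueError("BIP-39 phrases have 12, 15, 18, 21 or 24 words")
    return n_words * 11 - n_words // 3


def phrase_count(n_words: int) -> int:
    """Number of valid phrases an attacker with no hints must consider."""
    return 2 ** entropy_bits(n_words)


def guesses_with_predictions(n_words: int, top_k: int,
                             first_word_known: bool = False) -> int:
    """Upper bound on guesses when the keyboard lists the correct next word
    among its top_k suggestions every time (Samsung's and Microsoft's
    keyboards in the article behaved like top_k = 1 after the first word).
    The first word is either known or has to come from the full list."""
    first = 1 if first_word_known else WORDLIST_SIZE
    return first * top_k ** (n_words - 1)


def years_to_exhaust(guesses: int, guesses_per_second: float = 1e9) -> float:
    """Time to try every candidate at an assumed offline rate; a phrase can
    be checked offline against a known address, so the rate is generous."""
    return guesses / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    for n in (12, 24):
        print(f"{n} words: {entropy_bits(n)} bits, "
              f"{years_to_exhaust(phrase_count(n)):.2e} years to exhaust")
    for k in (1, 3):
        g = guesses_with_predictions(12, k)
        print(f"12 words, correct word in top {k}: {g:,} guesses, "
              f"{years_to_exhaust(g):.2e} years")
```

A 12-word phrase takes on the order of 10^22 years to exhaust at a billion guesses per second; the same phrase, once a keyboard suggests each next word correctly, leaves 2048 candidates, which is why clearing the predictive cache is the minimum and moving the funds to a new seed is the safe response.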

Just two weeks ago, MetaMask issued a phishing attack notice to its users, suggesting that when it comes to security, it’s ultimately a matter of degree since one can never be truly immune to the risk of a breach.


Solana Suffers 7 Hours’ Downtime as Bots Attack NFT Minting Tool ‘Candy Machine’

The beginning of May has seen a nearly seven-hour Solana crash, believed to be the result of a bot attack that targeted the network’s NFT minting tool ‘Candy Machine’ and has left users questioning the competence of the blockchain.

Candy Machine Suffers Sugar Hit

A tidal wave of traffic slammed Solana’s ‘Candy Machine’ on April 30. The bots responsible caused four million transaction requests, totalling 100 gigabits of data per second and setting a record for the platform, which could not keep up.

Later that night, the validator operators performed a cluster restart of the Mainnet Beta network. However, it wasn’t fast enough to stop the criticism that echoed around social media from Solana users and onlookers.

Solana’s plans to combat these crashes involve a botting penalty that is soon set to be deployed to the program. It will only be the beginning of a broader effort, but it should help stabilise the network, hopefully preventing similar issues in the future and keeping Solana out of the headlines for the wrong reasons.

Not Solana’s First Outage

Solana has quite the track record of network outages. Notably, on January 4 the network was temporarily down due to a DDoS attack, causing huge transaction delays. Shockingly, this was followed by a second crash within the same week, believed to be a knock-on effect of the first attack.