Categories
Bitcoin Crime Crypto News Hackers Social media

The Story of a Wannabe Rapper and How US Officials Seized $3.6 Billion in BTC

The US Justice Department has impounded US$3.6 billion in bitcoin and arrested a would-be rapper and her husband for conspiring to launder some of the funds – believed to be among the proceeds of the infamous Bitfinex hack of 2016.

According to the FBI, Heather Morgan and her husband Ilya Lichtenstein spent part of the proceeds on gold, NFTs, and other items. Each faces up to 25 years in a federal prison if convicted.

Rather than keep a low profile as you’d expect of alleged crypto criminals, Morgan in particular has a social media presence befitting her status as an aspiring rapper, published writer and influencer. She even has a website dedicated to her rapper alter-ego, named “Razzlekhan”:

Morgan’s LinkedIn profile notes her economics degree, while as a journalist the 31-year-old has been published in Inc and Forbes magazines, with the latter running an article of hers ironically titled “How to Protect Your Business From Cyber Criminals”.

How the FBI ‘Followed the Money’

The Bitfinex hack involved the theft of 119,756 bitcoin (worth just US$72 million at the time) following a security breach at the exchange. The amount stolen is now valued at more than US$5.1 billion.

In the five years since the hack, small amounts of BTC have periodically been moved in separate transactions, leaving the bulk of the funds untouched. The Justice Department traced 25,000 BTC of these transferred funds to financial accounts controlled by Lichtenstein and Morgan. Special agents were then able to gain access to and seize more than 94,000 BTC – worth US$3.6 billion at the time – from Morgan and Lichtenstein after a search warrant allowed them to view files containing private keys to several wallets, which just days ago were consolidated into a single wallet.

Morgan and Lichtenstein allegedly used a variety of methods to launder the illicit crypto, including chain hopping (converting between cryptocurrencies to break the on-chain trail), depositing the coins at exchanges and darknet markets and withdrawing them, and automating transactions using computer programs. In addition, the pair set up business accounts in the US to “legitimise their banking activity”.

“[These] arrests, and the department’s largest financial seizure ever, show that cryptocurrency is not a safe haven for criminals,” said US Deputy Attorney General Lisa Monaco.

“The [Justice] department once again showed how it can and will follow the money, no matter what form it takes.”

US Deputy Attorney General Lisa Monaco

The Justice Department must, of course, still prove its allegations in court that Morgan and Lichtenstein laundered the US$4.5 billion in bitcoin stolen from Bitfinex in 2016. They have not been charged with carrying out the hack itself, which remains a separate matter.

Categories
Bitcoin Crypto News DeFi Ethereum Hackers

ETH Sidechain ‘Meter.io’ Hacked for $4.4 Million 

Blockchain infrastructure company Meter.io has confirmed that US$4.4 million was stolen in an attack on its network on February 6 and has since urged users not to trade the unbacked meterBNB circulating on the Moonriver parachain. Meter added in a tweet that it is working to compensate affected users:

What Went Wrong?

Meter explained that the bridge contract did not handle wrapped tokens correctly. A bug in the automatic wrap, a feature the Meter team had added so that native tokens such as BNB and ETH are wrapped on deposit, allowed the attacker to fake BNB and ETH transfers by “calling the underlying ERC20 deposit function” directly, bypassing the step in which the native value is actually received.

Blockchain security company PeckShield reported that 1391 ETH and 2.74 BTC were stolen during the incident. Both the Meter network and the Moonriver network were affected by the hack. 

A user named @ishwinder provided a full explanation of the hack on Twitter:

Hacks on DeFi and blockchain platforms have become a regular occurrence. Just last month, Crypto News Australia reported that Grim Finance had been hacked for US$30 million in Fantom tokens.

Categories
Crypto News DeFi Hackers

Giant DeFi Bailout as Jump Capital Replenishes Wormhole’s 120,000 Lost ETH

Earlier this week, we saw one of the most devastating DeFi (decentralised finance) hacks on record with an estimated US$326 million stolen from blockchain bridge, Wormhole. In a remarkable turn of events, Chicago-based venture capital fund, Jump Capital, came to the rescue to the tune of 120,000 ETH:

A Hack with a Happy Ending

DeFi exploits and hacks don’t typically end well, as was the case with December’s MonoX Finance saga, in which US$31 million was stolen. In the case of Wormhole, however, things seem to have turned out okay.

While the team has yet to provide the detailed post-mortem that is customary after incidents of this kind, Wormhole has indicated that the vulnerability has been fixed:

While the Wormhole network went down for maintenance during the investigation, the team has now confirmed it is back up and running and that all funds have been replenished:

Responses from the community were mixed, to say the least. Some were incredibly appreciative:

Others were less so, pointing to the lack of transparency:

Wormhole initially offered a US$10 million bounty to the hacker, however the current status of the negotiations remains unclear.

DeFi With a Backstop … Contradiction in Terms?

It’s not surprising that the community is somewhat divided on Jump Capital stepping in because … wasn’t the whole purpose of DeFi to disintermediate rent-seeking middlemen and “decentralise” power away from banks and financial institutions? Isn’t DeFi supposed to be a free market, absent of manipulation, bailouts, subsidies, and zombie companies that characterise the modern financial system?

Admittedly if you happened to be a beneficiary of Jump Capital’s bailout, you’d be excited by the prospect of deep-pocketed venture capitalists coming to save the day.

Bailouts are inherently incongruent with DeFi principles, but the more interesting question is who would spend 120,000 ETH without some serious skin in the game. Clearly, someone who stands to gain far more by throwing in another US$331 million (120,000 ETH).

Perhaps Jack Dorsey was on to something when he said that Web 3.0 was a venture capitalist’s playground.

Categories
Crime Crypto News Crypto Wallets Google Hackers

Alert: New Malware ‘Mars Stealer’ Targets 2FAs and Crypto Hot Wallets   

A new information-stealing malware has been spotted in the wild targeting over 40 crypto hot wallets, browsers and two-factor authentication (2FA) plug-ins. Named ‘Mars Stealer’, it is an improved version of the older Oski malware, which shut down in 2020 after its customer support and Telegram channel went dark.

The new malware has recently been spotted circulating on Russian-speaking hacking forums where people can purchase it for between US$140 and $160.

Screenshot of the forum. Source: 3xp0rt.com

How ‘Mars Stealer’ Malware Works

According to @3xp0rt, the security researcher who obtained a sample and published a technical analysis of it, Mars Stealer harvests credentials and other data from the infected device. It targets 37 browsers and a range of crypto wallets, including Bitcoin Core and the wallets derived from it, as well as Ethereum, Exodus, Binance and more, so the threat is widespread:

Wallets targeted by Mars Stealer. Source: 3xp0rt.com

When targeting wallets it copies wallet.dat, the file that holds the wallet’s addresses and private keys (which are only encrypted if the user has set a wallet passphrase), along with other sensitive data. Mars Stealer also targets 2FA extensions and more than 40 crypto extensions in Chromium-based browsers such as Google Chrome and Brave, as well as in Firefox, but not in Opera.

Malware That ‘Speaks’ Only Russian

The malware also contains a function that allows it to remove itself after it has successfully executed, or whenever the operator decides it is time. One of its quirks is that after infecting a system it checks the device language. If the device’s language ID matches that of Russia, Belarus, Kazakhstan, Azerbaijan or Uzbekistan, the program exits without performing any malicious action, a check that is common in malware developed in Russia and neighbouring countries.

Language checks for target exclusion. Source: 3xp0rt.com

How to Protect Yourself 

Mars Stealer can be spread through many different channels, such as file-hosting websites, torrent clients or other dubious downloaders. Users who hold crypto assets in browser-based wallets, or who use 2FA browser extensions such as Authy, are warned to be cautious about clicking dubious links or downloads:

This comes after BHUNT malware also became more prominent during the past few weeks, and after Babadeda malware was spread through crypto Discord channels last November.

Categories
Blockchain Crypto News DeFi Ethereum Hackers

Blockchain Bridge ‘Wormhole’ Suffers Possible $326 Million Exploit

Wormhole, the popular blockchain bridge for connecting Ethereum, Solana and others, has suffered a possible hack worth over US$326 million and is now attempting to negotiate on-chain with the hacker.

120,000 ETH Currently in Hacker’s Address

The team at Wormhole has reached out to the exploiter’s address on the Ethereum network and offered a US$10 million bounty for returning the money:

In a tweet, Wormhole confirmed that the bridge was down while the team investigated a potential exploit. The bridge’s official website simply reads: “Portal is temporarily unavailable”.

The hack was identified when on-chain analysts flagged an 80,000 ETH transfer from Wormhole to an address that now holds more than US$250 million worth of ETH. The attacker also reportedly kept 40,000 ETH on Solana, where it has been swapped for other assets.

In a tweet, prominent pseudonymous Paradigm security researcher “samczsun” confirmed that the Wormhole team had offered the hacker(s) a bounty for returning the stolen funds:

Exploit Sounds Alarm in the DeFi World

The exploit has caused alarm in DeFi circles because it means the wrapped ETH that has been bridged to Solana may be unbacked. Cross-chain bridges typically take an asset such as ETH, lock it in a contract on the source chain and mint a matching “wrapped” asset on the destination chain; if an attacker can mint the wrapped asset without locking the original, every holder of the wrapped asset is exposed to the shortfall.

Massive Exploits Continue to Plague the Industry

Earlier this month, decentralised lending platform Qubit Finance suffered a hack of the smart contract governing deposits on its Ethereum-Binance Smart Chain bridge, losing 206,809 BNB in the biggest hack of the year so far. Last October, CREAM Finance was exploited for the third time in 2021, for a whopping US$130 million.

Categories
Bitfinex Crypto News Hackers

Bitfinex Hackers of 2016 Move $3.5 Billion Worth of Bitcoin

Billions of dollars’ worth of bitcoin (BTC) stolen in the infamous Bitfinex hack of five years ago have been aggregated into a single wallet in 23 transactions from various addresses. Law enforcement and top analytics firms are still trying to recapture the spoils.

Stolen Bitfinex BTC Resurfaces

On February 1, an estimated US$3.5 billion in BTC was moved from wallets associated with the infamous Bitfinex hack into a single wallet. The Bitfinex hack was one of the worst in history with the perpetrators getting away with 119,756 BTC (now worth nearly US$5 billion).

According to blockchain analytics firm Elliptic, “so far this morning, 94,643.29 bitcoins [worth] US$3.55 billion have been moved in 23 transactions from a wallet associated with a theft from Bitfinex in 2016 to a new address”.

Flagged account sending 26 tx. Source: Blockstream

The amount transferred is 79 percent of the total bitcoins drained from Bitfinex in 2016. According to Elliptic, portions of the funds had previously been laundered through the darknet market Hydra and the privacy-focused Wasabi wallet, but the majority has now resurfaced on-chain.

Movement Detected Last April

The last time hackers moved some of the bitcoin was in April 2021, when they transferred over US$700 million worth to an unknown wallet during the same time Coinbase was being listed on Nasdaq.

Since the hack, Bitfinex has been trying to recover the stolen funds, stating that “Bitfinex continues to work globally with law enforcement agencies, digital token exchanges, and wallet providers to recover the Bitcoin stolen in the 2016 hack”. To date, it has recovered about 50 bitcoins (worth nearly US$2 million at current prices), a spokesperson told Decrypt.

Difficulty Trying to Sell Stolen BTC

If the thieves were ever able to onsell all those bitcoins, it has been suggested that it could have an impact on the market as more than 100,000 BTC would come on stream, potentially bringing down the price.

However, as storing and moving bitcoins between unknown wallets is considerably easier than actually selling them, these funds are being carefully monitored with many of the associated wallets blacklisted, making any sale extremely difficult.

Bitfinex itself has also offered a US$400 million bounty for the return of the stolen funds. The Bitfinex hack makes the multimillion-dollar hacks of Bilaxy (August 2021) and BitMart (December 2021) look like small fry in comparison.

Categories
Crypto News DeFi Hackers

Qubit Finance Suffers $80 Million Loss in Protocol Exploit

Decentralised lending platform Qubit Finance has suffered an exploit of its smart contract governing deposits on the Ethereum-Binance Smart Chain (BSC) bridge, losing 206,809 Binance Coin (BNB) in the biggest hack of the year so far.

Qubit’s losses were estimated at US$80 million on January 27, according to security firm PeckShield. According to Qubit’s own exploit report, the hacker(s) took advantage of a logical error in the code which allowed them to maliciously withdraw tokens from the Binance Smart Chain bridge without depositing Ethereum (ETH).

Even though the contract had zero ETH deposited into it, the attacker’s address had access to 77,162 qXETH (worth US$185 million) to use as collateral against loans on Qubit.

Funds Still Sitting in Hacker’s Wallet

According to the breakdown posted by CertiK, the funds were then used to borrow “15,688 wETH (US$37.6 million), 767 BTC-B (US$28.5 million), approximately US$9.5 million in various stablecoins, and US$5 million in CAKE, BUNNY, and MDX”. Thereafter, the funds were converted to just over 200,000 BNB, which is still sitting in the hacker’s wallet.

In summary, the deposit function was a function that should not [have been] used after depositETH was newly developed, but it remained in the contract. The team is cooperating with security and network partners, including Binance. Supply, Redeem, Borrow, Repay, Bridge, and Bridge redemption functions are disabled until further notice. Claiming is available. We are continuing to investigate and are in communications with Binance.

Qubit Finance report
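Both the Meter.io incident above and the Qubit exploit come down to the same accounting mistake in a lock-and-mint bridge: a deposit entry point that credits the caller (and so lets the matching asset be minted on the other chain) without verifying that the vault actually received anything. The following Python model is an added illustration written for this page, not Meter’s or Qubit’s contract code and not Solidity; the token names, balances and the 1391 figure are constructed. It contrasts a vulnerable ERC-20 deposit path that short-circuits the pull for the wrapped native coin with a hardened path that credits only the vault’s measured balance gain, and it checks the lock-and-mint solvency invariant that the Wormhole section relies on (minted supply must never exceed locked collateral).

```python
# Added illustration: toy lock-and-mint bridge ledger. NOT Meter.io or Qubit
# Finance code; names, balances and amounts are constructed for the example.
from dataclasses import dataclass, field


class Erc20:
    """Minimal token ledger standing in for an ERC-20 contract."""

    def __init__(self, symbol, balances):
        self.symbol = symbol
        self.balances = dict(balances)

    def balance_of(self, account):
        return self.balances.get(account, 0)

    def transfer_from(self, sender, recipient, amount):
        """Move `amount` sender -> recipient. Like some real ERC-20s it signals
        failure with a False return instead of reverting."""
        if amount <= 0 or self.balance_of(sender) < amount:
            return False
        self.balances[sender] -= amount
        self.balances[recipient] = self.balance_of(recipient) + amount
        return True


@dataclass
class Bridge:
    vault: str            # address holding locked tokens
    tokens: dict          # symbol -> Erc20, the bridgeable allowlist
    native_symbol: str    # wrapped form of the chain's native coin
    # (user, symbol) -> amount credited, i.e. minted for the user on the far chain
    credits: dict = field(default_factory=dict)

    def _credit(self, user, symbol, amount):
        key = (user, symbol)
        self.credits[key] = self.credits.get(key, 0) + amount

    def deposit_native(self, user, value):
        """Native path: the contract really receives `value` (msg.value),
        wraps it into the vault, then credits."""
        tok = self.tokens[self.native_symbol]
        tok.balances[self.vault] = tok.balance_of(self.vault) + value
        self._credit(user, self.native_symbol, value)

    def deposit_erc20_vulnerable(self, user, symbol, amount):
        """Bug class from the page: assumes the wrapped native coin already
        arrived via the auto-wrap, skips the pull, books the claimed amount."""
        if symbol == self.native_symbol:
            self._credit(user, symbol, amount)   # credited, nothing received
            return True
        ok = self.tokens[symbol].transfer_from(user, self.vault, amount)
        self._credit(user, symbol, amount)       # return value never checked
        return ok

    def deposit_erc20(self, user, symbol, amount):
        """Hardened path: one rule for every token, credit only the measured
        balance gain of the vault, fail closed on anything unexpected."""
        token = self.tokens.get(symbol)
        if token is None:
            raise ValueError(f"{symbol} is not a bridgeable token")
        before = token.balance_of(self.vault)
        if not token.transfer_from(user, self.vault, amount):
            raise ValueError("transferFrom failed")
        received = token.balance_of(self.vault) - before
        if received <= 0:
            raise ValueError("vault received nothing")
        self._credit(user, symbol, received)
        return received

    def solvent(self, symbol):
        """Lock-and-mint invariant: credited (minted) supply <= vault holdings;
        otherwise the bridged asset is unbacked."""
        locked = self.tokens[symbol].balance_of(self.vault)
        minted = sum(a for (_, s), a in self.credits.items() if s == symbol)
        return minted <= locked


def build_bridge():
    """Constructed starting state: alice has funds, the attacker has none."""
    weth = Erc20("WETH", {"alice": 10})
    usdc = Erc20("USDC", {"alice": 500})
    return Bridge(vault="vault", tokens={"WETH": weth, "USDC": usdc},
                  native_symbol="WETH")


def run_vulnerable():
    """Attacker holding zero WETH gets 1391 WETH credited; vault holds 10."""
    b = build_bridge()
    b.deposit_native("alice", 10)
    b.deposit_erc20_vulnerable("attacker", "WETH", 1391)
    return (b.credits[("attacker", "WETH")],
            b.tokens["WETH"].balance_of("vault"), b.solvent("WETH"))


def run_hardened():
    """Same attempt is rejected by the fixed path; an honest deposit works."""
    b = build_bridge()
    b.deposit_native("alice", 10)
    try:
        b.deposit_erc20("attacker", "WETH", 1391)
    except ValueError:
        pass
    honest = b.deposit_erc20("alice", "USDC", 500)
    return (b.credits.get(("attacker", "WETH"), 0), honest, b.solvent("WETH"))


if __name__ == "__main__":
    print("vulnerable:", run_vulnerable())   # (1391, 10, False)
    print("hardened:  ", run_hardened())     # (0, 500, True)
```

The design point is that the bridge never trusts a caller-supplied amount or a special-cased token: every deposit is measured as the vault’s balance delta, the wrapped native coin is pulled like any other ERC-20 rather than assumed delivered, and legacy entry points that credit without pulling (the kind Qubit’s report says was left in the contract) are simply absent. Running `solvent()` after each deposit is the check a monitoring job would alert on.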

Qubit Negotiates for Stolen Funds

Following the incident, the Qubit team tried to contact the hackers, offering a bug bounty of US$250,000 via Immunefi, and says it is still prepared to negotiate:

As chains and protocols spread across a multi-chain environment, bridges will only become more important. People need to move funds from one blockchain to another, but they need to do so in ways that are not susceptible to exploits like this one. In December, MonoX was also hacked for an estimated US$31 million.

Categories
Bitcoin Crypto Hardware Wallets Crypto News Crypto Wallets Hackers Theta

Hacker Helps Recover $2 Million in THETA from Trezor Wallet

Hacks don’t typically have a happy ending. Fortunately for one New York-based crypto investor who forgot the PIN to his Trezor One hardware wallet, a hacker was able to help him recover over US$2 million in THETA.

The Story

In 2018, Dan Reich and his friend Jesse decided to make a concentrated bet on a new crypto. They each cashed out around US$25,000 in BTC and bought US$50,000 in THETA at a time when it was trading at just 21 cents.

Jesse was going to custody the THETA and things were going swimmingly, until word spread of China cracking down on exchanges. This prompted them to transfer their THETA to a safer alternative, a Trezor One hardware wallet.

Dan Reich (right) with his friend Jesse. Source: Danreich.com

Then came the infamous crypto winter, which saw their investment annihilated. Dan wanted out, but Jesse had forgotten the PIN to the Trezor One, which wipes itself if the PIN is entered incorrectly too many times. He had also somehow misplaced the piece of paper with the 24-word seed phrase that could otherwise have restored the wallet.

After writing off the investment, the pair then watched their investment recover and soar, eventually to over US$1 million and, at one point, touching US$3 million. After contacting a range of international experts, they settled on a reputable hacker, Joe “Kingpin” Grand, who claimed he could assist.

Kingpin to the Rescue

Kingpin spent the better part of 12 weeks trying to hack the Trezor One and, remarkably, found a way to recover the lost PIN.

Kingpin’s Trezor One hack circuit. Source: Danreich.com

According to Grand, the key to his success was the way the wallet’s firmware handled updates: during an update the PIN and key were temporarily copied into RAM, and only moved back to flash once the new firmware was installed. On the older firmware running on Reich’s wallet, that meant the PIN and seed could be found in RAM at the right moment, rather than only in protected flash.

By briefly disturbing the chip’s supply voltage, a technique known as a “fault injection” (voltage glitching) attack, Grand bypassed the microcontroller’s protections and read out the PIN needed to access the wallet and the funds. Grand explained:

We are basically causing misbehaviour on the silicon chip inside the device in order to defeat security. And what ended up happening is that I was sitting here watching the computer screen and saw that I was able to defeat the security; the private information, the recovery seed and the PIN that I was going after popped up on the screen.

Joe “Kingpin” Grand, hacker

No doubt proud of his effort, Kingpin later created a video in which he provided a full account of how he managed the feat:

For its part, Trezor expressed relief for Grand having been able to access the funds but noted that the vulnerability identified had already been fixed:

What’s the lesson here? Remember your PIN (and choose one you won’t forget), write down your seed phrase and store it somewhere safe, and keep your hardware wallet’s firmware updated. If you happen to be one of those unfortunate souls who have lost their crypto, it could be worse – you could be the guy who is still looking for his 7,500 BTC.

For Australians keen to up their crypto security game, Crypto News Australia recommends Coinstop as its preferred hardware wallet provider. Users can get A$5 off their order with the code CRYPTONEWS.

Categories
Crime Crypto News Cryptocurrencies Hackers Scams

Report Shows $33 Billion in Crypto ‘Money Laundering’ by Cybercriminals

New research by blockchain data firm Chainalysis shows there has been an estimated US$33 billion laundered through crypto in the past five years, mainly through centralised exchanges, but as of 2021 there has been a major increase in money laundered through DeFi.

Chainalysis has released a preview of its 2022 Crypto Crime Report detailing how illicit funds have been moved over the blockchain and its various services. The total value of cryptocurrencies laundered by services in 2021 was estimated at US$8.6 billion.

Total crypto laundered. Source: Chainalysis

That figure was up 30 percent on the previous year, which was expected, given the boom in both legal and illegal activities in the crypto space. However, the figure is down 23 percent from 2019, which was the most significant year for laundered crypto.

These numbers only account for funds obtained from “cryptocurrency-native” crime, meaning activities such as darknet market sales or ransomware attacks in which profits are virtually always denominated in cryptocurrency. In spite of the billions of laundered dollars, money laundering accounted for only 0.05 percent of all cryptocurrency transaction volume in 2021.

Destination of funds leaving illicit addresses by crime type. Source: Chainalysis

One thing that stands out is the difference in laundering strategies between the two highest-grossing forms of cryptocurrency-based crime in 2021: theft and scamming. Researchers think this might be because more cryptocurrency was stolen from DeFi protocols than any other type of platform last year, as well as the technical skills required to launder money. For example, a DeFi hacker would have better technical skills and use different means to launder money than a scammer using a centralised exchange.

Easier to Track Laundering on the Blockchain

It’s considerably more difficult to track illicit funds when they are first converted to crypto from fiat. But due to the inherent transparency of blockchains, analysts can more easily trace how criminals move cryptocurrency between wallets and services in their efforts to convert funds into cash.

Destination of funds leaving illicit addresses between 2016 – 2021. Source: Chainalysis

Since 2018, centralised exchanges have been the main conduit for money laundering, with 58 percent of laundered crypto funnelled into just five trading platforms.

Increase in Laundering Through DeFi

Last year, for the first time since 2018, centralised exchanges did not receive the majority of funds sent by illicit addresses. Instead, DeFi protocols are making up much of the difference. The report states that DeFi protocols received 17 percent of all funds sent from illicit wallets in 2021, up from 2 percent the previous year. 

YoY % growth in value by category. Source: Chainalysis

This phenomenon translates to a 1,964 percent year-on-year increase in total value received by DeFi protocols from illicit addresses, reaching a total of US$900 million in 2021.

North Korea at the Forefront of Money Laundering

Kim Grauer, Chainalysis’ director of research, says that “there are certain types of criminals in particular that lean into technological advancements more quickly”, adding that “North Korea is always the first to use a new kind of tech solution for laundering money. We follow them each year, and this year they’ve used a lot of mixers. Last year, they were using DeFi.”

This year “is already off to a big start for NFT crime”, Grauer says, pointing to the rise in wash trading on NFT platforms. “This is definitely going to continue.”

Categories
Crypto News Hackers Social media

Leading Crypto YouTube Channels Hacked with ‘One World Cryptocurrency’ Message

A coordinated attack gave hackers access to the YouTube accounts of more than 30 popular cryptocurrency influencer channels.

At the same time on the same day, January 23, the hackers uploaded a fraudulent video titled “One World Cryptocurrency” across the compromised channels. The video and its description provided an address and called on viewers to send USDT, USDC, BNB or ETH in order to receive a new crypto called OWCY.

Screenshot of One World Cryptocurrency. Source: Coin Bureau

According to data from BscScan, the scam caused minimal financial damage, with only 2.3 BNB transferred to the hacker’s wallet. In total, there were only 10 transactions worth around US$850 at the time of writing.

How Did the Hackers Gain Access?

Many, if not all, of the hacked YouTube accounts were secured with very strong passwords and Google security keys, which would normally make it almost impossible for a hacker to gain access.

Attacks such as these are often carried out by SIM swapping, where hackers persuade a mobile carrier to port the victim’s phone number to a SIM they control, letting them intercept SMS-based 2FA codes. That does not appear to have been the case here: a hardware security key cannot be bypassed this way, and many accounts were breached at the same time, raising suspicions of an inside job.

All the compromised accounts were logged into from an IP address in the Philippines. Michael Gu (@boxmining) was one of the YouTubers whose channel was hacked. YouTube brand accounts are linked to personal Google accounts, and Gu said that after the breach he conducted an internal sweep but found no viruses or bugs that might have given the hackers access; there had been no logins on his personal Google account, nor had his phone been compromised. “Seems like YouTube might be responsible,” he said.

Very likely, this is either a hack on YouTube’s side or a rogue employee. That’s how they got so many people at the same time.

Michael Gu (@boxmining)

Account Holders Hint at an ‘Inside Job’

Ivan on Tech was also targeted in the attack, and gave his account of the incident in the video below, suggesting that it could have been an inside job.

While Google’s Threat Analysis Group (TAG) continues to step up efforts to make the platform more secure, this latest attack raises huge concerns over YouTube’s ability to protect users from foul play, especially in a case where the culprit has most likely come from within its own walls.