
Security Firm Discovers Hackers Use Google and Microsoft to Steal Crypto

Online security company NetSkope has discovered a new crypto phishing scam that utilises Google and Microsoft Azure to trick users into handing over their information. The tactic involves using SEO techniques to distribute links to copycat pages.


Other Big Names Not Immune

Hackers have refined their strategy and are using specific SEO techniques to drive traffic to phishing sites for imposter wallet apps and exchanges that impersonate well-known names such as MetaMask and Coinbase.

These phishing sites are often built on Google Sites or Microsoft Azure and capture a user’s information in one of two ways: they either harvest the user’s wallet seed phrase by prompting them to import their wallet, or they steal the login details for the impersonated exchange’s account by means of error messages:

In this campaign, we found that the attackers are abusing Google Sites and Azure Web App to host the pages, likely due to cost, ease-of-use, and to slightly increase the victim’s trust.

NetSkope blog post

NetSkope has strongly recommended that “users never enter credentials after clicking on a link” and instead navigate directly to the site they wish to use, and that organisations should employ secure web gateways that can block these types of attacks.

Security Firms Have Their Work Cut Out

With crypto theft an ongoing concern for investors and regulators alike, security firms are fortunately keeping a watchful eye out. At the beginning of April, global cybersecurity firm ESET uncovered a criminal plot to steal users’ digital assets via apps impersonating popular cryptocurrency wallets. The plot involved more than 40 copycat crypto wallet sites intended to promote downloads of malicious apps.

Earlier in the year, blockchain security firm CertiK identified a US$10 million rug pull on Arbix Finance. The firm warned users who had engaged with the protocol to avoid it, along with its ARBX token. CertiK allegedly found several red flags in Arbix via its Skytrace tool, which analyses fraud risk.


DeFi Protocol Curve ‘Finance’ Exploited in DNS Spoofing Attack

Curve Finance’s front end this week became the victim of an exploit that ended with a loss of more than US$573,000. Curve took to Twitter to warn its users of the issue with its site, though luckily the spoofing exploit did not affect the Curve exchange:

Exploiting the Curve

On August 9, Twitter user @samczsun alerted the public to the exploit with a tweet that read: “@CurveFinance frontend is compromised, do not use it until further notice!” Despite the Curve team’s quick response to the issue, they were unable to prevent the loss.

The hacker(s) responsible seemingly altered the protocol’s domain name system (DNS) records, redirecting users to a fake clone of the front end that prompted them to approve a malicious contract. In a stroke of luck for Curve, the protocol’s exchange remained uncompromised, as it uses a separate DNS provider.

An hour after the initial warning of the exploit, Curve tweeted:

While a significant sum was lost, the quick circulation of information on Twitter regarding the attack on the nameserver and front end may have prevented greater losses.

The Curve decentralised finance (DeFi) protocol is an integral part of the DeFi ecosystem, and exploits such as this prevent other protocols from accessing income sources.

Protocol Exploits Elsewhere

DeFi protocol exploits have proliferated in 2022, with two notable examples occurring in May and June. The first victim was the Fortress protocol, with the crypto borrowing and lending platform losing approximately US$3 million in stolen funds. The Binance Smart Chain (BSC)-based platform had suffered an oracle attack only days prior.

More recently, Terra-based DeFi app Mirror Protocol was the subject of a US$2 million exploit related to Terra blockchain’s recent rebrand to Terra Classic. The exploit almost completely drained the mBTC, mGLXY, mETH, and mDOT pools. Luckily the developers were able to patch the damage before all pools could be drained.


‘Ethical’ Hacker Returns $9 Million of the $190 Million Nomad Exploit

After cryptocurrency bridge Nomad was exploited by hackers to the tune of US$190 million earlier this week, those responsible have sent back US$9 million.

Since then, a recovery wallet has been set up for the safe return of any other funds they may wish to reimburse:

An Attack of Ethics, or Hackers’ Remorse?

Blockchain security and data analytics company PeckShield detected the initial return of stolen funds to Nomad, primarily in the form of USDC alongside USDT and other altcoins.

Then, on August 3, Nomad posted a tweet requesting the return of the remainder of the funds:

Nomad is a protocol that allows users to transfer tokens from Ethereum to other chains. The August 1 exploit appeared to be the outcome of a flaw in its smart contract. This meant that a multitude of users with no technical knowledge were able to find a transaction that had worked, replace the target address with their own, and rebroadcast it.

Some of the users who raked in the stolen funds were, in fact, trying to assist the project by preventing the crypto from falling into the wrong hands. Nomad is appealing to these “ethical researchers” and “white hat hackers”, and has provided a crypto custodian (Anchorage Digital) to handle and safeguard the returned assets.

The Kindness of (Some) Hackers

In February this year, one white hat hacker chose a mere US$2 million bug bounty over the option of “printing unlimited ETH”. The hacker reportedly decided to warn the Optimism team of an issue rather than take the opportunity to print the ETH.

In June, another vigilante hacker was paid US$6 million for preventing a US$330 million hack. Two months earlier, the bug had been reported to Aurora via ImmuneFi, a leading Web3 bug bounty platform. All that is known about this hacker is their Ethereum domain name: pwning.eth.


Hackers Make Off with $400K in ETH in PREMINT Hack

PREMINT, an NFT registration platform, has notified users via Twitter that an unknown party had stolen US$400,000 in ETH via a malicious wallet connection:

Hackers Secure Premint Bag

In this year’s most recent hack, 320 NFTs were stolen from the PREMINT site. CertiK, a blockchain security firm, analysed the situation and found that malicious JavaScript code had been utilised in the hack. This code created a pop-up within the site which prompted users to verify their wallet ownership. Despite many taking to Twitter to issue a warning, the hackers had already duped six PREMINT customers in mere minutes:

The stolen NFTs included Bored Apes, Moonbirds, and Goblintowns. Once they were obtained, the hacker sent the funds to Tornado Cash to wipe the digital trail left by blockchain transactions.

PREMINT has thanked those of its customers who have helped minimise the impact of the hack and is accumulating data on all NFTs stolen.

Other 2022 Phishing Attacks

Phishing attacks seem to be increasing in frequency this year, with multiple sizeable thefts towards the end of the first quarter. A total of 35 NFTs were stolen in early April, including a Mutant and a Bored Ape. The attack was carried out via several hacked verified Twitter accounts, with the total stolen value exceeding US$900,000.

A month later, 29 Moonbird tokens were stolen when a malicious link netted a scammer US$1.5 million worth of Moonbird NFTs from a Proof Collective member. At the time, the Collective was working on a full report in collaboration with the FBI.


Decentralised Exchange ‘Osmosis’ Goes Offline After $5 Million Hack

The Osmosis decentralised exchange (DEX) has gone offline due to a US$5 million liquidity pool exploit. Core developers halted the network after a bug was uncovered by an Osmosis subreddit community member:

Network Suspended for ‘Emergency Maintenance’

Reddit user Straight-Hat3855 discovered the bug in the blockchain and shared it on ‘Cosmos Network’ – the Osmosis subreddit. Straight-Hat3855 happened upon the bug when depositing funds into the liquidity pool and immediately withdrawing them. Upon withdrawal, the value of the funds had unintentionally increased by 50 percent.

At 10:57pm EST, Osmosis’ core developers announced that the chain had been “halted for emergency maintenance”, much to the frustration of users. This emergency stoppage took 12 minutes to coordinate following the discovery of the bug:

Osmosis has since posted an update stating that the liquidity pools were not completely drained. The Osmosis token (OSMO) has been down by 6.96 percent in the past 24 hours.

Hackers Target DEXes

This year has been fraught with assaults on decentralised exchanges. In March, German DEX Li.Finance had one of its smart contracts exploited in an attack that cost 29 users a combined US$600,000 in assets. Luckily the issue was rectified with a quick turnaround, and the investors were reimbursed.

At the beginning of May, DEX Saddle Finance lost US$14 million to hackers. The automated market maker began working with Bitcoin security organisation BlockSec to locate the funds. However, at the time it was deemed highly unlikely that US$10 million of the $14 million stolen would be recovered.


DeFi Project ‘MM.Finance’ Suffers $2 Million Exploit

MM.Finance, the largest DeFi exchange on Cronos, has lost US$2 million in a recent exploitation by hackers. A Domain Name System (DNS) vulnerability is believed to be responsible, with the stolen funds being sent to Tornado Cash:

As per its tweet, MM.Finance traced the perpetrator of the cyberattack back to the centralised exchange OKX. The funds stolen in the front-end breach were bridged to Ethereum using Multichain and deposited into Tornado Cash. OKX requires users to go through a ‘know your customer’ procedure, so the attacker must have used fake IDs when signing up for the exchange.

While MM.Finance intends to compensate the affected addresses, the exchange has said that if 90 percent of the funds are not returned to MM.Finance within 48 hours, it will contact the FBI:

DeFi Exploits Increasing

Early April saw DeFi lender Inverse Finance suffer a US$15.6 million exploit. The decentralised Ethereum protocol was compromised by hackers targeting its money market through the artificial manipulation of its token prices.

And, only days ago, Rari Capital lost US$80 million to hackers following a Fei protocol exploit. The assets had been held in Fuse lending pools, and the loss was apparently due to a reentrancy vulnerability.