Unidentified Exploit Steals Over $10.5 Million in NFTs and Coins

Since December 2022, an unidentified exploit has drained more than $10.5 million in non-fungible tokens (NFTs) and coins from experienced members of the crypto community who believed they were “reasonably secure.” The alarming incident was first brought to light by MetaMask developer Taylor Monahan, who revealed that over 5,000 Ether (ETH) had been stolen. However, the extent of the losses is yet to be determined. Monahan also cautioned that no one knows how the exploit works yet.

What is particularly worrying about this exploit is that it does not target crypto newbies but rather those who are experienced in safeguarding their digital assets. As Monahan noted, the exploit is not like the usual phishing attempts or random scammers. It targets those who are “crypto native,” who hold multiple addresses and work within the space. One known commonality is that the exploit targets keys created between 2014 and 2022.

To safeguard their digital assets, Monahan advised crypto veterans to use a hardware wallet or migrate their funds. Those who hold their assets under a single private key are especially vulnerable and should consider splitting up their assets or getting a hardware wallet. Community member Jacky Goh echoed this sentiment, stating that the unknown hack is yet another reminder to use a hardware wallet. Goh recommended moving any assets worth more than $1,000 that will be held for more than a week to a hardware wallet, which can save one in the long run.

The crypto community has been grappling with cybersecurity threats, with data published by cybersecurity and anti-virus provider Kaspersky indicating that it detected over 5 million crypto phishing attacks in 2022 alone. This marks a 40% year-on-year increase compared to 2021 when the company detected around 3.5 million attacks. The rise in cyberattacks targeting the crypto community highlights the need for robust cybersecurity measures.

Moreover, the exploit highlights the need for greater awareness and education around digital asset protection. While many crypto veterans are well-versed in securing their digital assets, it is essential to stay up to date with emerging threats and vulnerabilities. The fast-paced and rapidly evolving nature of the crypto space means that vigilance is essential. By keeping a close eye on one’s digital assets and using best practices for digital asset security, one can reduce the risk of falling victim to cyberattacks.

In conclusion, the recent exploit that has stolen over $10.5 million in NFTs and coins serves as a sobering reminder of the importance of robust cybersecurity measures for crypto assets. The crypto community must remain vigilant and educate themselves on emerging threats to safeguard their digital assets effectively. By adopting best practices and staying up to date with the latest cybersecurity trends, crypto veterans can protect their assets from theft and loss.



MyAlgo warns users of ongoing wallet exploit

MyAlgo, a popular wallet provider for the Algorand (ALGO) network, has issued a warning to its users amid an ongoing exploit that has resulted in the theft of an estimated $9.2 million worth of funds. The company has advised users to withdraw funds from any wallets created with a seed phrase due to the vulnerability of such wallets to the exploit. While the company is uncertain about the cause of the recent wallet hacks, it has encouraged everyone to take precautionary measures to protect their assets.

According to a tweet by MyAlgo, a targeted attack was carried out against a group of high-profile MyAlgo accounts, which has seemingly been conducted over the past week. The self-titled “on-chain sleuth,” ZachXBT, has outlined in a tweet that the exploit has pilfered over $9.2 million, with crypto exchange ChangeNOW able to freeze around $1.5 million worth of funds.

The exploit primarily affects users who had mnemonic wallets with the key stored in an internet browser, according to MyAlgo. A mnemonic wallet typically uses between 12 and 24 words to generate a private key. The vulnerability of such wallets to the exploit has been highlighted by the Algorand-focused developer collective D13.co, which released a report that eliminated multiple possible exploit vectors such as malware or operating system vulnerabilities. The report determined the “most probable” scenarios were that the affected users’ seed phrases were compromised through socially engineered phishing attacks or MyAlgo’s website was compromised, leading to the “targeted exfiltration of unencrypted private keys.”

John Wood, chief technology officer at the Algorand Foundation, has confirmed that around 25 accounts were affected by the exploit. He added that the exploit “is not the result of an underlying issue with the Algorand protocol” or its software development kit.

MyAlgo has stated that it will continue to work with authorities and conduct a thorough investigation to determine the root cause of the attack. The company has advised its users to take precautionary measures and to withdraw funds from wallets created with a seed phrase.

In conclusion, the ongoing exploit has resulted in the theft of millions of dollars worth of funds from the Algorand network. The vulnerability of mnemonic wallets with the key stored in an internet browser has been highlighted, and users are advised to take precautionary measures to protect their assets. MyAlgo and other relevant authorities are working to investigate the attack and determine its root cause to prevent future incidents.



Suspected Hackers Move Stolen Funds to Sanctioned Crypto Mixer

Blockchain security firms PeckShield and Beosin have reported that suspected hackers who exploited Lendhub, a decentralized finance lending protocol, have moved more than half of their ill-gotten gains to Tornado Cash, a crypto mixer service. According to Beosin, around 2,415 Ether (ETH), worth about $3.85 million, was sent to Tornado Cash from a wallet connected to the Jan. 12 exploit. Beosin also reported that a total of 3,515.4 ETH, currently worth over $5.7 million, has been sent to Tornado Cash by the exploiter since Jan. 13.

Tornado Cash is a crypto mixing service that attempts to anonymize Ethereum transactions by combining vast amounts of Ether prior to depositing sums to other addresses. However, the service was sanctioned on Aug. 8 by the United States Office of Foreign Assets Control (OFAC) for its alleged role in the laundering of crime proceeds. Despite the sanctions and the website for the service being taken down, Tornado Cash is still able to run and be used, as it’s a smart contract housed on a decentralized blockchain.

A January report by blockchain analytics firm Chainalysis said that hacks and scams once contributed around 34% of all inflows to the mixer, and that inflows at times reached around $25 million per day, but that this dropped by 68% in the 30 days following the sanctions. However, bad actors in the space continue to frequent the service. Most recently, on Feb. 20, the exploiter behind an Arbitrum-based DeFi project transferred over $1.86 million in ill-gotten crypto to Tornado Cash.

The notorious North Korean hacker outfit Lazarus Group is also known to send significant sums to mixers such as Tornado Cash and Sinbad. An early February Chainalysis report claimed that exploited funds from North Korean hackers “move to mixers at a much higher rate than funds stolen by other individuals or groups.”

The use of crypto mixers by hackers and other bad actors has long been a concern for authorities and regulators, who are attempting to clamp down on the use of such services for money laundering and other illicit activities. The continued use of Tornado Cash by suspected hackers and other bad actors suggests that more needs to be done to curb the use of such services.



FTX Users Lose Millions due to API Exploit

On Saturday, several crypto traders suffered massive losses after hackers stole millions of dollars worth of digital assets from their FTX accounts by exploiting an API linked to their trading accounts.

An FTX user was shocked when he realized that his account using the 3Commas API traded the Governance (DMG) token more than 5,000 times, resulting in a loss of about $1.6 million worth of assets, including Bitcoin, Ether, and FTX tokens.

3Commas is a crypto trading platform that allows users to build automated trading bots on FTX and many other exchanges.

The report confirmed that this was not an isolated incident, as three other victims suffered losses. The second victim of the FTX exploit disclosed that he lost $1.5 million in the incident, which occurred on October 21. While he said malicious players had traded DMG via his account on October 18 and 19, he questioned why FTX had not put in place risk control measures to guard against illegal trading activity.

An investigation conducted by trading-bot platform 3Commas and crypto exchange FTX showed that API keys linked to 3Commas were used to carry out unauthorized trades for DMG trading pairs on FTX. Both FTX and 3Commas identified that hackers used new 3Commas accounts to perform the DMG trades, as “the API keys were not taken from 3Commas but from outside of the 3Commas platform.”

The investigation showed that fraudulent websites posing as 3Commas were used to phish API keys as users linked their FTX accounts to the fraudulent web interfaces. The API keys captured by the fake websites were then stored and later used to place the unauthorized trades on the DMG trading pairs on FTX. 3Commas further suspected that hackers used third-party browser extensions and malware to steal API keys from users.

The two companies identified suspicious accounts based on user activity and, as a result, suspended the affected API keys to avoid further losses. FTX users who had linked their accounts with 3Commas therefore received a message describing their API key as “invalid” or “requires updating” and are now expected to create new API keys.

3Commas and FTX are currently working with the victims to provide assistance and garner more information about the hacking incident.

Why Crypto Hacks Are Surging

2022 has been identified as the worst year on record for crypto hacks, according to research firm Chainalysis. October is recognized as the worst-ever month for crypto-related crime, with more than $718 million in overall losses. Funds were stolen from various DeFi protocols during 11 different attacks.

This year is expected to surpass 2021 as the most prolific year for hacking on record, with 125 hacks that have led to over $3 billion worth of funds stolen so far. A $325 million attack on cross-chain service Wormhole, a $625 million attack on Axie Infinity’s Ronin bridge, a $200 million attack on the Nomad bridge, a $100 million hack on Binance, and many more took place this year.

Poorly protected protocols and unaudited decentralized apps are easy pickings for hackers, who take advantage of their weak safeguards.




Transit Swap Loses $21M in Code Bug Exploit, Hacker Returns 70% of Stolen Funds

Transit Swap, a multi-chain decentralized exchange (DEX) aggregator platform, announced on Twitter that it has lost $21 million after a hacker exploited an internal bug in its swap contract.

Following the incident, Transit Swap issued an apology statement to the users, saying that efforts are underway to recover the stolen funds. “After a self-review by the TransitFinance team, it was confirmed that the incident was caused by a hacker attack due to a bug in the code. We are deeply sorry,” the DeFi platform stated.

The DEX aggregator said it is working with cybersecurity specialists such as SlowMist, PeckShield, Bitrace, and TokenPocket security and technical teams to track down the hacker and recover the funds.

Transit Swap said a bug in the code allowed a hacker to run away with an estimated $21 million. PeckShield, a blockchain security company, gave a further explanation that the attack might have occurred due to a compatibility issue or misplaced trust in the swap contract.

Transit Swap further disclosed that it has obtained the hacker’s IP, email address, and associated on-chain addresses, and it has encouraged the hacker to get in touch to return the funds. “We now have a lot of valid information such as the hacker’s IP, email address, and associated on-chain addresses. We will try our best to track the hacker and try to communicate with the hacker and help everyone recover their losses.”

Subsequent updates showed that these efforts have paid off, as the hacker returned 70% of the stolen funds. Transit Swap confirmed that the hacker returned the funds via two addresses and said the security experts are still working to recover the remainder.

Meanwhile, users have asked Transit Swap to cover the remainder of the stolen funds if the hacker fails to return the rest, arguing that the exploit was the DEX’s fault and would not otherwise have occurred.

According to Chainalysis, total revenue from crypto crime in the first half of this year stood at $1.6 billion, less than the figure recorded in the first half of 2021. The drop in crypto crime figures has coincided with a fall in crypto values. However, some forms of crypto crime have risen over the last year: the value of hacked crypto assets, for example, increased from $1.2 billion to $1.9 billion.

The rise in fraud and scams correlates to massive activity growth within cryptocurrencies worldwide. Companies such as PayPal, Meta Inc. (formerly Facebook), Mastercard, and many more have shown an increased interest in cryptocurrencies.




Polygon stablecoin QiDAO exploited for $13M on Superfluid vesting contract

Polygon’s native stablecoin protocol QiDAO faced an exploit on its Superfluid vesting contract leading to a 65% drop in the price of the governance token QI. QI price fell from $1.24 to $0.18.

QiDAO took to Twitter on Tuesday to acknowledge the exploit on the Superfluid vesting contract but assured that users’ funds are safe and no funds from QiDAO have been affected. Superfluid also confirmed the exploit affecting QiDAO and said it is investigating the situation and will update accordingly. Superfluid enables users to stream assets on-chain in a constant flow, in real time, from one wallet to another.

While there was no impact on users’ funds, the hackers behind the attack managed to get away with $20 million worth of tokens, including 24 WETH, 562,000 USDC, 44 SDT, 1.5 million MOCA, 23,000 STACK and nearly 40,000 sdam3CRV. Early information suggested that the stolen funds belonged to some of the project’s early backers and included team vested tokens as well.

[Figure: Reported hacker wallet activity. Source: Polygonscan]

Crypto analytic group SlowMist created a fund tracker with the balance of each token stolen. After analyzing the wallet transaction data, they estimated that the hackers managed to steal about $13 million worth of cryptocurrencies.

[Figure: Hacker’s reported balance. Source: SlowMist]

The hackers behind the attack started dumping the stolen QI on the Quickswap DEX with high slippage, leading to a 65% decline in the price of the governance token. The Polygon community took the opportunity to buy the dip, which has already helped the governance token recover to $0.6 after falling below $0.18. It is important to note that the exploit was carried out using a vulnerability in Superfluid; QiDAO itself wasn’t exploited.

QiDAO temporarily paused its bridge after the exploit and hoped to resolve the issue soon. The exploit came within 24 hours of Polygon’s $450 million fundraise; however, the community showed immense support for the native stablecoin protocol and stressed that the incident stemmed from a third-party vulnerability rather than an issue with the stablecoin protocol itself.