Cross-chain token bridge Nomad was breached on Monday, resulting in losing nearly all the total value of the cryptocurrency in the protocol for nearly $200 million.
In a statement published on Twitter, the trading platform confirmed the hacking incident:
“We are aware of the incident involving the Nomad token bridge. We are currently investigating and will provide updates when we have them.”
The protocol also warned that “impersonators posing as Nomad and providing fraudulent addresses to collect funds,” adding, “We aren’t yet providing instructions to return bridge funds. Disregard comms from all channels other than Nomad’s official channel.”
As a sort of cross-chain bridges, the protocol allows users to swap various tokens, such as Ethereum (ETH), Avalanche (AVAX), Evmos (EVMOS), Milkomeda C1, and Moonbeam (GLMR).
Citing the data from DeFi Llama, a Defi tracking data platform, the total value locked (TVL) of Nomad reached up to $190 million before the exploit, according to the online media outlet Cryptonews. The platform showed the TVL of Nomad remains less than $11,000 at the time of writing.
Source: DefiLlama
Another cybersecurity platform BlockSec estimates the total loss in this incident is estimated around $150 million worth of Tether (USDT). The monitoring platform suggested that some loopholes among functions might exist in Nomad’s verification procedure: “Since an uninitialized storage slot is always considered as zero, the attacker can actually pass any message that has never shown before to bypass the verification procedure.”
Anonymous Terra researcher FatMan described the incident as “the first decentralized robbery,” adding that “all one had to do was copy the first hacker’s transaction and change the address, then hit send through Etherscan.”
Online media CoinDesk explained that bridges typically function by locking up tokens in a smart contract on one chain and then reissuing those tokens in “wrapped” form on another chain.
In addition, If the smart contract where tokens are initially deposited gets sabotaged in terms of Nomad’s situation, the wrapped tokens might no longer have any protection, resulting in losing their values.
Last month, Nomad announced it has secured a strategic investment of $22.4 million in April from various investors, including OpenSea, CoinBase Ventures, Crypto.com and Polygon.
Ironically, the latest security loophole might make the company feel embarrassed to keep its words and pursue ambitions as Nomad showed its determination by setting its primary goal to “create a safer crypto ecosystem where blockchains can communicate seamlessly and securely with each other,” according to its press release.
The company estimated that more than $1.5 billion was stolen this year by hackers exposing vulnerabilities in cross-chain bridges, indicating that the industry is in need of security-first solutions that maximize the safety of users, funds, and messages.
The British Army became the latest culprit of crypto scams engulfing the market after hackers breached its YouTube and Twitter accounts on July 3.
Despite regaining control, the army’s accounts were used to post non-fungible tokens (NFTs) and cryptocurrencies after being briefly hacked. The British Army tweeted:
“Apologies for the temporary interruption to our feed. We will conduct a full investigation and learn from this incident. Thanks for following us and normal service will now resume.”
Following the breach, various NFT posts were made on the British Army’s Twitter feed, which had been renamed Bapesclan.
On the other hand, the hackers changed the army’s YouTube account to Ark Invest and shared crypto videos.
With 177,000 subscribers on YouTube and 362,000 followers on Twitter, the hackers wanted to capitalize on the army’s large following, but their plans were thwarted, and investigations are underway.
“The breach of the Army’s Twitter and YouTube accounts that occurred earlier today has been resolved and an investigation is underway. The Army takes information security extremely seriously and until their investigation is complete it would be inappropriate to comment further.”
In 2020, Twitter went haywire after news of a Bitcoin scam hack targeting multiple high-profile figures such as Bill Gates, Elon Musk, Joe Biden, and Jeff Bezos broke out.
It was later established that Graham Ivan Clark was the teenage hacker behind the Twitter hack after he pleaded guilty in a Florida court, Blockchain.News reported.
Despite the percentage of crypto transaction volumes used for crime reduction, more needs to be done to stem scams in this sector, given that hacking is becoming rampant.
To old investors in the digital currency ecosystem, exposure to various forms of scams, frauds, and exploitation will not come as something new, as they must have learned over time that the digital currency ecosystem is filled with such negative occurrences.
New investors, particularly those who started with Non-Fungible Tokens (NFTs), may not understand the growing rate of exploitation bedevilling the ecosystem at the moment.
According to data from blockchain security firm, Slowmist, the first four months of 2022 saw as much as $52 million in losses in NFT-related hacks, a figure that surmounts the $7 million recorded throughout the whole of 2021.
While the bulk of data available to firms like Slowmist is those featuring well-publicized NFT projects, it is undoubtedly true that many more NFT holders are experiencing personalized exploitations on a daily basis.
To many following big-name projects like Bored Ape Yacht Club (BAYC), it will be recalled that the prestigious NFT brand has faced at least two different exploitations this year alone, the latest leading to the loss of over 200 ETH from Bored Ape owners. That the exploitation in the NFT world is growing is no longer debatable. CryptoMarketsBeat spoke with several industry veterans on the worrisome trend to know its root causes and possible ways investors can protect themselves.
NFTs Are an Attractive Ecosystem for Exploits to Thrive
Hackers and cybercriminals often follow anywhere there is money. While exploitation generally takes many forms, all of them are successful on the premise that there is a big financial catch. The emergence of NFTs came with the underlying goal of extending the utilities of Ethereum, and by extension, blockchain technology.
In the image above, the CoinMarketCap aggregator, the top collections, and the floor-price column show projects like Bored Ape can only be snapped up by investors with more than 88.5 ETH (approximately $137,638.74 at the time of writing). Snapping up one Bored Ape through an exploit in any form will come off as a big payday for the exploiters.
“Many NFT projects emerged on the wave of hype when piles of money were injected into this industry,” said Dyma Budorin, CEO of Hacken, a cybersecurity and audit firm. Budorin surmised that the bulk of the attacks on blockchain and NFT protocols could be linked to the misguided desire to follow the money in space.
With money being a very good attraction in space, hackers have come to understand that they can easily exploit protocols because many do not pay due diligence to their security infrastructure.
“Most common hack scenarios involve social engineering and the usage of various scripts to steal private keys or other credentials to access the critical infrastructure point,” said Andrey Pelipenko, CTO of Roach Racing Club, “On top of that, hackers seek vulnerabilities in the smart contracts that accumulate funds, so using proprietary smart contract solutions that are not tested adequately, especially those coming from inexperienced developers, is a poor solution” which consistently predispose NFT projects to attacks.
What is Bad for the Goose is also Bad for the Gander
Suppose the big NFT projects are the Geese in this context and the Ganders’ smaller ones. Experts agree on the fact that all these projects are collectively victims of these scams.
“I bet you’ve seen news headlines about NFT hacks containing a name of a big project, such as OpenSea or Bored Ape Yacht Club, just because these projects are the most famous ones and accumulate the greatest volume of assets. Small projects and individual NFT creators and buyers also fall victim to hacks,” Budorin added.
A new perspective was brought into the discourse by Dr. Dmitry Mikhailov, CSO of Farcana Gaming Metaverse, who noted that attacks are necessarily not targeted at individual collectors or NFT projects alone. He said users of big marketplaces like OpenSea are also highly susceptible to various forms of cyber attacks.
While not referring to one particular platform, Dmitry believes “such marketplaces are often developed too fast to provide the proper level of cyber defence. Vulnerabilities are caused by insufficient attention to security issues: lack of two-factor authentication, lack of readiness for phishing, and DDoS attacks.”
As it is now obvious, irrespective of the form that projects take, they can easily be exploited if the appropriate safeguards are not put in place.
Curbing Growing NFT Exploitations
Despite the fact that the broader NFT world is still being unravelled, there are a number of ways that the experts we spoke to believe can be adopted to wade off the activities of cybercriminals across the board.
While the first of the major recommendations in accordance with Dmitry is to educate NFT investors on the major causes or reasons why they fall prey to attacks, Budorin advocates close “cooperation with trusted cybersecurity vendors,” a move that will enable projects “to undergo smart contract audits and consider running a public bug bounty program.”
These recommendations have been vetted by other experts and are generally known to prevent crucial hacks in the short history of the NFT ecosystem. In all, Pelipenko advocates that investors should always do their own due diligence before injecting funds into any project, no matter the hype.
“We always recommend Doing Your Own Research (DYOR) before taking any actions: it’s a must-do in the crypto space. It is important to understand that, unlike the non-fungibles from the GameFi sector, most NFTs are just collectables without any specific utility. NFTs are risky assets, yet, most people still tend to fall for hyped projects without doing any deep research first,” he said.
The Light at the End of the Tunnel
Along with the broader digital currency ecosystem, the NFT space has a lot of bright lights at the end of the tunnel as investors are becoming more vigilant, and developers are doing their due diligence to ensure protocols are as secure as possible before launch.
Aside from the bearish correction in the industry, Venture Capital firms are injecting liquidity into security protocols like CertiK to bootstrap the security outfits tasked with safeguarding the ecosystem of tomorrow.
From current trends, scams may persist, but the growing awareness will largely tame their spread in the near future.
An emerging Ethereum stablecoin protocol, Beanstalk has come off as the latest blockchain startup that suffered a breach from hackers with a massive loss of $80 million moved from the protocol.
Peckshield, a blockchain security and data analytics firm, first flagged the exploit on Twitter before the startup later confirmed it.
In the acknowledgement of the attack, the Beanstalk Farms team said it is investigating the incident and will announce to the community as soon as possible. While Peckshield pegged the loss at around $80 million, it gave an allowance that could effectively make the losses more than projected. A total of 24,830 ETH and 36 million BEAN tokens are feared to have been lost in total.
Hacks and exploits are now commonplace, especially amongst Decentralized Finance (DeFi) protocols. The rate of cybercrime involving these protocols has exceeded $1 billion this year, and more exploits are feared to be underway. The Beanstalk team said they are in contact with as many partners as possible, and an appeal has been shared in a separate tweet to Centralized Exchanges to help limit the way the attacker can utilize the funds stolen.
“We’re engaging all efforts to try to move forward. As a decentralised project, we are asking the DeFi community and experts in chain analytics to help us limit the exploiter’s ability to withdraw funds via CEXes. If the exploiter is open to a discussion, we are as well”
The concept of open discussion with a hacker has only yielded fruits with Poly Network, an interoperability protocol that was exploited for over $600 million last year. Through the openness of the hacker and the team, the entire funds stolen were returned, marking a historic moment in the history of cybercrime.
While the Beanstalk hack is obvious that more security loopholes have to be covered, outfits like CertiK have been receiving funding from investors to provide a good shield for protocols in the DeFi world.
Bored Ape Yacht Club (BAYC) announced through Twitter that its Discord server was hacked.
However, BAYC said that the hack was immediately detected and asked users not to mint and NFT using a link posted on its Discord.
“STAY SAFE. Do not mint anything from any Discord right now. A webhook in our Discord was briefly compromised. We caught it immediately but please know: we are not doing any April Fools stealth mints/airdrops etc. Other Discords are also being attacked right now,” BAYC, the largest non-fungible token (NFT) collection, tweeted.
Further details have yet to be released but it is known that a hacker was able to gain access to the official Discord server that hosts members of Bored Ape Yacht Club, Mutant Ape Yacht Club and Mutant Ape Kennel Club – the three NFT collections from Yuga Labs.
According to security firm PeckShield, the hacker was able to steal Mutant Ape Yacht Club #8662 after posting a phishing link in the Mutant Ape Kennel Club channel, disguised as a ‘stealth NFT mint’.
According to The Block, reports suggest the hacker may have carried out the attack via Ticket Tool – a Discord bot that generates support tickets automatically.
Discord server of NFT platform Doodles has faced a similar crisis, Twitter users have warned. The Block said that Doodles has yet to release a statement about it.
Phishing attacks on NFT collectors via exploiting Discord accounts have become a customary route for hackers. In a recent phishing attack, assets worth $790,000 were hacked from members of a freshly launched NFT collection Rare Bears.
In BAYC’s recent developments, it announced the release of the crypto token ApeCoin ($APE).
According to a report from Blockchain.News, ApeCoin was unveiled in the official BAYC Twitter account, which detailed initiatives planned by creator Yuga Labs.
The initiative also included a planned token tied to gaming and virtual experiences.
The underlying key feature of the token is a dedicated decentralized autonomous organization (DAO) and a supporting foundation, the report added.
DeFi protocols Bunny Finance and Qubit announced plans of “restructuring.” The joint statement revealed that the two projects, governed by the development team until recently, will now be managed by a decentralized autonomous organization (DAO).
Restructuring, Not Disbanding
According to the official blog post, the community will be granted all the relevant authority once the transition to DAO is completed. Among other tasks, the members will have the power to upgrade contracts, alter fee structure, etc.
Bunny Finance also confirmed that the team will not “disband,” and they will continue compensating the victims for the losses. The DeFi yield farming aggregator also notified that they will keep tracking the exploiter.
Changing the protocol to a DAO will also include revision of the Bunny fee structure and stopping the protocol’s vaults from minting BUNNY tokens. Besides, the leveraged farming vaults and single asset vaults operated by borrowing assets from Qubit have already been ceased.
BSC-based DeFi project, Qubit also issued a brief statement, revealing that the team will reduce the number of its employees but clarified that it is not a dissolution. The original members of the MOUND team, composed of developers and entrepreneurs, will continue to develop the compensation project and trace the exploiter.
ADVERTISEMENT
The blog post also stated,
“All of the team’s tokens will be locked in the smart contracts owned by our community and the total profit generated by this contract will move to the compensation pool.”
This essentially means that the fees and reserves of the protocol will be allocated to existing holders while all the relevant users will be compensated. Additional profits will not be shared with the team anymore.
The Hack
X-Bridge, the cross-chain bridge of Qubit Finance, was exploited recently, resulting in a loss of $80 million worth of BNB tokens. For the uninitiated, the X-Bridge facilitates swapping tokens from the Ethereum blockchain to Binance Smart Chain, meaning when a user receives a BSC compatible BEP-20 token upon depositing an ERC-20 token to the bridge.
The blockchain security firm CertiK revealed that an error in the X-Bridge’s smart contract code allowed the bad actor(s) to withdraw tokens on BSC despite no tokens being deposited on Ethereum.
SPECIAL OFFER (Sponsored)
Binance Free $100 (Exclusive): Use this link to register and receive $100 free and 10% off fees on Binance Futures first month (terms).
PrimeXBT Special Offer: Use this link to register & enter POTATO50 code to receive up to $7,000 on your deposits.
Barely two days after the U.S. Department of Justice (DOJ) seized about $3.6 billion worth of BTC related to the 2016 Bitfinex hack, dozens of individuals have started laying claims on the bitcoin fortune.
According to a Bloomberg report, the DOJ has seen a massive surge in the number of people who wish to regain their funds after it revealed plans to set up court proceedings for victims of the hack.
Speaking to Bloomberg, David Silver, a lawyer who specializes in financial and crypto-related fraud, noted that since the DOJ recovered the $3.6 billion worth of BTC on Tuesday, he has been approached by dozens of people claiming to have been affected in the hack.
“The world has changed dramatically since 2016, and everyone is going to lay claim to this newfound bag of Bitcoins,” Silver noted.
Bitfinex Wants it
Bitfinex has also joined the long list of those vying for rights to the recovered bitcoins. The exchange noted that it had fully settled all affected users after the hack.
Following the attack, which led to the theft of over 119,000 BTC from Bitfinex, the exchange generalized the losses to more than 30% of all users’ accounts and moved to compensate the victims.
It created and issued BFX coins to customers, one BFX token for every $1 lost, and they could either exchange the tokens for the U.S. dollar or the company’s stock.
Bitfinex also created a Recovery Right Token (RRT), which will allow customers who had converted the BFX coin to the company’s shares to lay claims on the stolen bitcoins if they were ever recovered.
According to Bitfinex, there are currently about 30 million RRT tokens outstanding. With a ratio of one RRT to $1, the exchange has to reimburse $30 million to holders of the RRT token.
In a statement on Tuesday, the crypto exchange explained it would ensure that it solidified its rights to the recovered funds.
“Bitfinex will work with the DOJ and follow appropriate legal processes to establish our rights to a return of the stolen bitcoin,” the company said.
Affected Users Disagree
Several customers have expressed their opposition to Bitfinex getting rights to the recovered bitcoins, considering how much the asset has appreciated over the past five years.
The stolen bitcoins, which were worth an estimated $71 million at the time of the hack, are now more than $4.5 billion.
Speaking on this, Alan Aronoff, a victim of the hack who claims to hold about $50,000 worth of Bitfinex stock, said,
“I think that’s ridiculous. That’s my Bitcoin that they took from my multisig wallet. I would like my Bitcoin back… They can have their equity back. I’ll take my Bitcoin, thank you very much.”
Who Gets the Bitcoin Fortune?
With many people seeking to get the funds, former assistant U.S. Attorney Kellen Dwyer noted that the legal processes involved in the case could likely take a couple of years.
“That process could take the heck of a long time. It certainly could be multiple years before anybody sees any cash,” he said.
SPECIAL OFFER (Sponsored)
Binance Free $100 (Exclusive): Use this link to register and receive $100 free and 10% off fees on Binance Futures first month (terms).
PrimeXBT Special Offer: Use this link to register & enter POTATO50 code to receive up to $7,000 on your deposits.
Dego Finance was hacked on February 10. Shortly after, it joined forces with prominent cryptocurrency exchanges such as Binance, Kucoin, and Gate.io to close deposits of its native governance and equity token, DEGO. The protocol also urged Uniswap, Poloniex, PancakeSwap, WazirX, etc., to do the same to mitigate the losses.
Dego Finance Hackers Withdraw $10M
Dego Finance’s official Twitter handle claimed that its own address providing liquidity on popular decentralized exchanges – Uniswap and PancakeSwap – was compromised. As a result, DEGO pairs liquidity provided by the team was drained.
The DeFi platform also urged the hackers to come forward and communicate with it.
“We’ll keep all stakeholders updated on the latest developments, as well as talk to reputable security teams on how to identify the hacker and retrieve loss. We would ask the hacker to come forward and communicate.”
According to the blockchain security and analytics company Peckshield, the exploiters withdrew more than $10 billion from Dego Finance as well as from GameFi Incubator Cocos-BCX. The company’s data showed that funds from 13 addresses were drained, which belonged to Binance Smart Chain (BSC), Ethereum, and Cronos.
The exploiters withdrew more than $10 million from @dego_finance & @CocosBCX !
The illegal assets are currently here ETH&BSC: 0x118203b0f2a3ef9e749d871c8fef5e5e55ef5c91
Here is the drained wallets list: pic.twitter.com/xEyjNztAib
— PeckShieldAlert (@PeckShieldAlert) February 10, 2022
ADVERTISEMENT
DEGO Takes Nearly 20% Plunge
Dego Finance’s token, DEGO took a severe beating following the hack. It slumped by almost 20% from $4.50 to $3.65 in the wee hours of Thursday morning.
For the uninitiated, Dego Finance saw the light of day in 2020 and offered both DeFi and NFT tools. It claimed to be an open-NFT ecosystem that allowed users to mint non-fungible tokens initiate NFT mining in addition to auctions and trading.
It also offers a cross-chain infrastructure to facilitate blockchain ventures to ramp up the user base, distribute tokens, as well as develop more diverse NFT-based apps. In March 2021, Binance announced listing the project in the Innovation Zone.
Rug pulls and hacks have continued to wreak havoc in the DeFi space in recent years. 2021 has been a monumental year for DeFi and an equally monumental year for bad actors in the space. In fact, rug pulls accounted for 37% of all scam revenue last year as opposed to just 1% in 2020. This year as well, little has changed as such events continue to grab headlines.
CryptoPotato recently reported about Pecksheid detecting more than 50 potentially dubious projects on Binance Smart Chain(BSC).
SPECIAL OFFER (Sponsored)
Binance Free $100 (Exclusive): Use this link to register and receive $100 free and 10% off fees on Binance Futures first month (terms).
PrimeXBT Special Offer: Use this link to register & enter POTATO50 code to receive up to $7,000 on your deposits.
After it became clear that several branches of US law enforcement agencies apprehended a man and a woman for conspiracy to launder nearly 120,000 BTC stolen from Bitfinex in 2016, the exchange’s crypto token skyrocketed by double digits.
The 119,754 bitcoins stolen in 2016 from Bitfinex is one of the largest and most discussed heists in the cryptocurrency industry. While the swiped amount was worth around $70 million six years ago, today it’s more than $5 billion due to BTC’s massive price appreciation.
The anonymous hackers have attempted numerous transfers of the stolen coins throughout the years but have failed to cash out substantial quantities as all associated wallets were blacklisted.
After nearly six years, the US Department of Justice highlighted a highly positive development on this front yesterday.
A joint investigation by IRS-CI Washington, FBI’s Chicago Field Office, HSI-New York, and others led to the arrest of Ilya Lichtenstein (34) and his wife – Heather Morgan (31) – for conspiring to launder the proceeds of the stolen bitcoins.
Keeping in mind the significance of this event, Bitfinex’s native cryptocurrency reacted in a highly positive manner.
LEO traded around $5 ahead of the DOJ’s announcement but skyrocketed by more than 60% in the following few hours.
By doing so, it surpassed a price tag of $8 and charted a new all-time high at that point. Despite retracing to just over $7 as of now, the token is still up by double-digits since yesterday.
LEOUSD. Source: TradingView
SPECIAL OFFER (Sponsored)
Binance Free $100 (Exclusive): Use this link to register and receive $100 free and 10% off fees on Binance Futures first month (terms).
PrimeXBT Special Offer: Use this link to register & enter POTATO50 code to receive up to $7,000 on your deposits.
The FBI has arrested a husband and wife in Manhattan for allegedly conspiring to launder swaths of Bitcoin connected to the 2016 Bitfinex exchange hack. According to Reuters, over $3.6 billion worth of the asset has already been recovered by law enforcement.
The couple allegedly responsible is Ilya Lichtenstein (34) and Heather Morgan (31).
They are accused of conspiring to launder 119,754 Bitcoin after an attacker stole them through over 20,000 unauthorized transactions at the exchange in 2016.
Though the funds were worth just $71.8 million at the time of the hack, they are valued today at over $4.5 billion. This total even rivals MicroStrategy’s Bitcoin holdings, which are currently near 125,000 Bitcoin.
Deputy Attorney General Lisa Monaco remarked on the seizure, asserting that cryptocurrency is “not a safe haven for criminals”.
The arrest comes a week after tens of thousands of Bitcoin– about the same amount seized today – were caught moving from the initial hacker’s wallet in 2016, across 26 separate transactions.
“The FBI and federal prosecutors were able to trace the movement of Bitcoin from this hack,” said Matthew Graves, the U.S. Attorney for the District of Columbia.
The couple is expected to appear in Federal court at 3 pm EST today.
SPECIAL OFFER (Sponsored)
Binance Free $100 (Exclusive): Use this link to register and receive $100 free and 10% off fees on Binance Futures first month (terms).
PrimeXBT Special Offer: Use this link to register & enter POTATO50 code to get 25% off trading fees.
