CertiK

Crypto thieves steal $363M in Nov, the most ‘damaging’ month so far

The Poloniex and HTX/Heco Bridge exploits as well as the KyberSwap flash loan attack were the three largest incidents in November, according to blockchain security firm CertiK.

The cryptocurrency industry has now seen its most “damaging” month for crypto thievery, scams and exploits, with crypto criminals walking away with $363 million in November, according to a blockchain security firm.

Around $316.4 million came from exploits alone, flash loans inflicted $45.5 million in damage, and $1.1 million was lost to various exit scams, CertiK stated in a Nov.

The largest exploits in November occurred on Poloniex and HTX/Heco Bridge, with losses of $131.4 million and $113.3 million, respectively.

The third largest exploit was inflicted on a single victim who lost $27 million from a phishing attack.

Meanwhile, the $45 million KyberSwap attack accounted for nearly all of the damage done by flash loan attacks in the month.

The latest monthly figure has surpassed an earlier record of $329 million, set in September, caused mainly by the $200 million Mixin Network attack.

As of the end of November, about $1.7 billion has now been lost to exploits, exit scams and flash loan attacks in 2023.

Allbridge offers bounty to exploiter who stole $573K in flash loan attack

Allbridge offered a hacker who pilfered $573,000 from its platform a chance to come forward as a white hat and forgo any legal ramifications.

The attacker behind a $573,000 exploit on the multichain token bridge Allbridge has been offered a chance by the firm to come forward as a white hat and claim a bounty.

Blockchain security firm PeckShield first identified the attack on April 1, warning Allbridge in a tweet that its BNB Chain pool’s swap price was being manipulated by an individual acting as both a liquidity provider and a swapper, who was able to drain the pool of $282,889 in Binance USD (BUSD) and $290,868 worth of Tether (USDT).

In an April 1 tweet following the hack, Allbridge offered an olive branch to the attacker in the form of an undisclosed bounty and the chance to escape any legal ramifications.

“Please contact us via the official channels (Twitter/Telegram) or send a message through tx, so we can consider this a white hat hack and discuss the bounty in exchange for returning the funds,” Allbridge wrote.

In a separate series of tweets, Allbridge made it clear they are hot on the trail of the stolen funds.

With the help of its “partners and community,” Allbridge said it’s “tracking the hacker through social networks.”

“We continue monitoring the wallets, transactions, and linked CEX accounts of individuals involved in the hack,” it added.

Allbridge also stated it’s working with law firms, law enforcement and other projects affected by the exploiter.

According to Allbridge, its bridge protocol has been temporarily suspended to prevent the potential exploits of its other pools; once the vulnerability has been patched, it will be restarted.

“In addition, we are in the process of deploying a web interface for liquidity providers to enable the withdrawal of assets,” it added.

Blockchain security firm CertiK offered an in-depth breakdown of the hack in an April 1 post, identifying the method used as a flash loan attack.

CertiK explained the attacker took a $7.5 million BUSD flash loan, then initiated a series of swaps for USDT before deposits in BUSD and USDT liquidity pools on Allbridge were made. This manipulated the price of USDT in the pool, allowing the hacker to swap $40,000 of BUSD for $789,632 USDT.

Related: DeFi exploits and access control hacks cost crypto investors billions in 2022: Report

According to a March 31 tweet from PeckShield, March saw 26 crypto projects hacked, resulting in total losses of $211 million. 

Euler Finance’s March 13 hack was responsible for over 90% of the losses, while other costly exploits were suffered by projects including Swerve Finance, ParaSpace and TenderFi. 

Cointelegraph contacted Allbridge for comment but did not receive an immediate response.

Magazine: Crypto winter can take a toll on hodlers’ mental health

$4M ‘exit scam’ suspected as Kokomo Finance flies off radar, token plunges

Kokomo Finance’s social media presence and websites are offline, while the price of the KOKO token fell more than 95% within a matter of minutes.

Optimism-based lending protocol Kokomo Finance has been suspected of a $4 million “exit scam” that has seen user funds plucked from the platform via a smart contract loophole.

Blockchain security firm CertiK alerted its followers to the “exit scam” in a March 26 tweet, noting that the Kokomo Finance (KOKO) token had plummeted 95% in value in a matter of minutes.

CertiK also noted that Kokomo Finance removed all of its social media accounts immediately following the alleged rug pull.

Kokomo Finance has either deactivated or deleted its Twitter account. Source: Twitter

CertiK said the deployer of KOKO attacked the smart contract code of a wrapped Bitcoin token, cBTC, by resetting the reward speed and pausing the borrow function.

After that, an address beginning with “0x5a2d..” approved the new cBTC smart contract to spend over 7000 Sonne Wrapped Bitcoin (So-WBTC).

The attacker then called another command to swap the So-WBTC to the 0x5a2d address, which produced a $4 million profit, according to the security firm.

Changes to the smart contract code of the KOKO began at about 9 am UTC on March 26. Source: Optimistic Etherscan

A CertiK spokesperson told Cointelegraph that it was the largest “incident” that the firm had detected on Optimism.

Kokomo Finance is an open-source and noncustodial lending protocol on Optimism, where investors could trade for wBTC, Ether (ETH), Tether (USDT), USD Coin (USDC) and Dai (DAI).

Kokomo Finance rose up the ranks quickly in recent days, with blockchain data platforms like CoinGecko and DefiLlama officially tracking it shortly after Kokomo Finance went live on Optimism on March 25.

The price of Kokomo Finance’s token, KOKO, fell over 97% at about 4:10 pm UTC on March 26. Source: CoinGecko

Recent screenshots reveal that more than $2 million was locked into Kokomo Finance prior to it falling more than 97%.

Over 72% of the total value locked in the Kokomo Finance protocol came in the form of wrapped Bitcoin, according to data from DefiLlama.

Cointelegraph attempted to access all social media and blog websites listed on Kokomo Finance’s Linktree page, but all of these links now lead to error pages indicating they have been removed.

Related: 7 DeFi protocol hacks in Feb see $21 million in funds stolen: DefiLlama

Cointelegraph also came across Kokomo Finance’s smart contract audit, which was reviewed and shared by 0xGuard earlier in March.

While most aspects of the audit were passed, “typographical errors” were found, and the owner of the KOKO token was also found to have a one-time ability to mint 45% of the maximum supply to an arbitrary address.

Kokomo did not pass all aspects of its smart contract audit, which was reviewed by 0xGuard in March. Source: GitHub

Cointelegraph reached out to 0xGuard for comment but did not receive an immediate response.

Magazine: Should crypto projects ever negotiate with hackers? Probably

Monkey Drainer-linked scammers possibly exposed after an on-chain quarrel

The scammer referred to their pseudonym during a blockchain message argument that may have revealed their actual identity, according to CertiK.

Blockchain security firm CertiK believes it has found the real-life identity of at least one scammer allegedly linked to the “Monkey Drainer” phishing scam.

Monkey Drainer is the pseudonym for a phishing scammer who uses smart contracts to steal NFTs through a process known as “ice phishing.”

The individual or individuals behind the phishing scam have stolen millions of dollars worth of Ether (ETH) via malicious copycat nonfungible token (NFT) minting websites. 

In a Jan. 27 blog, CertiK said it found on-chain messages between two scammers involved in a recent $4.3 million Porsche NFT phishing scam and was able to link one of them to a Telegram account involved in selling the Monkey Drainer-style phishing kit. 

One message revealed a person referring to themselves as “Zentoh” and referring to the person who stole the funds as “Kai.”

Zentoh was seemingly upset at Kai for not sending over a slice of the stolen funds. The message from Zentoh directs Kai to deposit the ill-gotten gains “at our address.”

An on-chain message from a person referring to themselves as “Zentoh,” upset they didn’t receive a portion of phished funds from a person they address as “Kai.” Source: CertiK

CertiK deduced the joint wallet was the address that received the $4.3 million in stolen crypto. The firm added there is a “direct link” between the joint wallet and “some of the most prominent Monkey Drainer scammer wallets.”

The wallet address tied to Zentoh is in turn tied to numerous addresses linked to the Monkey Drainer scam. Source: CertiK

Zentoh revealed in another message that the pair used Telegram to communicate. CertiK found an exact match for the pseudonym on the messaging app and identified it “to be running a Telegram group that sells phishing kits to scammers.”

The company found numerous other online accounts possibly linked to Zentoh, including one on GitHub that posted repositories for crypto drainer tools.

If the links between the accounts are legitimate, it reveals the identity of a French national living in Russia.

Cointelegraph reviewed accounts potentially related to the person and found public accounts that seemed to be interested in cryptocurrencies. Cointelegraph contacted the person but did not immediately receive a response.

Cointelegraph is not publishing the name of the person due to privacy concerns.

Related: Hackers take over Azuki’s Twitter account, steal over $750K in less than 30 minutes

Crypto wallet-draining phishing scams have unfortunately been used to great effect recently.

The co-founder of the Moonbirds NFT collection, Kevin Rose, fell victim to such a scam that led to over $1.1 million worth of his personal NFTs being stolen.

The influencer known on Twitter as “NFT God” suffered a similar fate after they downloaded malicious software from a Google Ad search result, with ETH and high-priced NFTs pilfered from their wallet.

$62M crypto stolen in Dec was the ‘lowest monthly figure’ in 2022: CertiK

December proved to be the month with the least crypto stolen in 2022, although there were still 23 major incidents, according to CertiK.

Cryptocurrency hackers and exploiters seemingly slowed down for the 2022 holidays as December saw $62.2 million worth of cryptocurrencies stolen, the “lowest monthly figure” of the year, according to CertiK.

The blockchain security company on Dec. 31 tweeted a list of the month’s most significant attacks. It highlighted the $15.5 million worth of exit scams as the method that stole the most value over the month, followed by the $7.6 million worth of flash loan-based exploits.

A later tweet on Jan. 1 confirmed that the 23 largest exploits were responsible for around 98.5% of the $62.2 million figure, with the $15 million Helio Protocol incident on Dec. 2 the largest of the month.

The protocol, which manages the stablecoin HAY (HAY), suffered a loss when a trader took advantage of a price discrepancy in Ankr Reward Bearing Staked BNB (aBNBc) to borrow millions worth of HAY.

At the time, the decentralized finance (DeFi) protocol Ankr suffered a separate exploit where an attacker minted 20 trillion aBNBc, causing its price to plummet. The Helio trader quickly deposited aBNBc tokens to borrow 16 million HAY, causing the loan to be significantly undercollateralized, leading to the protocol’s loss and a depeg of its stablecoin.

The second largest incident of the month was the $12.9 million exploit of Defrost Finance’s v1 and v2 protocols on Dec. 23, where an attacker carried out a flash loan attack by adding a fake collateral token and a malicious price oracle to liquidate the protocol’s users.

Days after the exploit, the hacker returned the funds stolen from the v1 protocol to an address controlled by Defrost, though funds are yet to have been returned for the v2 hack.

CertiK labeled the exploit an “exit scam” because an admin key was required to conduct the attack. Defrost denied the allegation to Cointelegraph, claiming the key was compromised.

Related: Crypto’s recovery requires more aggressive solutions to fraud

The December figure is much lower than the month prior, seeing an 89.5% decrease from the $595 million worth of exploits across 36 major incidents CertiK recorded in November, a figure largely skewed by the $477 million hack of crypto exchange FTX.

Overall for 2022, just the largest 10 exploits of the year funneled around $2.1 billion to bad actors, largely on cross-blockchain bridges and DeFi protocols.

Defrost v1 hacker reportedly returns funds as ‘exit scam’ allegations surface

“Merry Christmas guys. We got a lump of coal from Santa Claus,” wrote one user in response to the allegations and the incident.

On Dec. 26, blockchain security firm CertiK issued a warning alleging that Defrost Finance, a decentralized leverage-trading platform on the Avalanche blockchain that recently suffered an exploit, is an “exit scam.” The move came just as Defrost announced that “the hacker involved in the V1 hack [but not the v2 hack] has returned the funds.” CertiK wrote:

“On 24 December we have seen an #exitscam on @Defrost_Finance. We have attempted to contact multiple members of the team but have had no response. The team are not KYC’d but we are using all the information that we do have to assist with authorities.”

On Dec. 23, Defrost Finance suffered a flash loan attack that drained protocol users of $12 million in assets on its v1 and v2 protocols. Immediately after the exploit, blockchain analytics firm PeckShield also issued a warning, alleging the operation was a “rugpull”:

“We received community intel warning the rugpull of @Defrost_Finance. Our analysis shows a fake collateral token is added and a malicious price oracle is used to liquidate current users. The loss is estimated to be >$12M.”

In a brief post-mortem analysis, project developers said that hackers also managed to steal the owner key for a much larger attack on its v1 protocol than the flash loan exploit. Defrost has offered to negotiate “sharing 20% (negotiable) of the funds in exchange for the bulk of assets and are calling on the hackers to contact us asap.”

After Defrost posted an Ethereum wallet address on its social page, close to $3 million worth of digital assets had been transferred there at the time of publication. In a Medium post published hours later, Defrost explained that the v1 hacker had returned the stolen funds to an address controlled by the project developers.

“We will soon start scanning the data on-chain to find out who owned what prior to the hack in order to return them to the rightful owners. As different users had variable proportions of assets and debt, this process might take a little. However, it will be concluded fairly swiftly.”

CertiK’s Skynet alert for Defrost. Source: CertiK

This is a developing story and will be updated accordingly.

Update (Dec. 26 at 3:50 pm UTC): Added information from Defrost regarding the return of funds from the v1 attacker.

How to avoid getting hooked by crypto ‘ice phishing’ scammers: CertiK

Ice phishing is a type of scam that exists only in Web3 and is a “considerable threat” to the crypto community, the firm says.

Blockchain security company CertiK has reminded the crypto community to stay alert over “ice phishing” scams — a unique type of phishing scam targeting Web3 users that was first identified by Microsoft earlier this year. 

In a Dec. 20 analysis report, CertiK described ice phishing scams as an attack that tricks Web3 users into signing permissions that end up allowing a scammer to spend their tokens.

This differs from traditional phishing attacks that attempt to access confidential information such as private keys or passwords, via methods like the fake websites that claim to help FTX investors recover their lost funds.

A Dec. 17 scam where 14 Bored Apes were stolen is an example of an elaborate ice phishing attack. An investor was convinced to sign a transaction request disguised as a film contract, ultimately enabling the scammer to sell all of the user’s Apes to themselves for a negligible amount.

The firm noted that this type of scam was a “considerable threat” and found only in the Web3 world, where investors are often required to sign permissions to decentralized finance (DeFi) protocols that could be easily faked. CertiK wrote:

“The hacker just needs to make a user believe that the malicious address that they are granting approval to is legitimate. Once a user has approved permissions for the scammer to spend tokens, then the assets are at risk of being drained.”

Once a scammer has gained approval, they are able to transfer assets to an address of their choosing.

An example of how an ice phishing attack works on Etherscan. Source: Certik

To protect themselves from ice phishing, CertiK recommended that investors use a token approval tool and a blockchain explorer site such as Etherscan to revoke permissions for addresses they don’t recognize.

Related: $4B OneCoin scam co-founder pleads guilty, faces 60 years jail

Additionally, addresses that users are planning to interact with should be looked up on these blockchain explorers for suspicious activity. In its analysis, CertiK points to an address that was funded by Tornado Cash withdrawals as an example of suspicious activity.

CertiK also suggested that users should only interact with official sites they are able to verify and be particularly wary of social media sites like Twitter, highlighting a fake Optimism Twitter account as an example.

Fake Optimism Twitter account. Source: Certik

The firm also advised users to take a couple of minutes to check a trusted site such as CoinMarketCap or CoinGecko to be sure that a URL links to a legitimate site.
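The approval audit CertiK recommends above, written out as an added example (not CertiK’s or Etherscan’s tooling): it reads ERC-20 Approval event logs in the shape a node’s eth_getLogs call returns, keeps the latest allowance per token and spender, and flags what to revoke. The addresses, log entries and trusted-spender list are constructed for the demo.

```python
"""Audit a wallet's ERC-20 allowances from Approval event logs and list the
ones to revoke. Added example, not CertiK's tooling; the log entries,
addresses and trusted-spender list below are constructed for the demo."""
from dataclasses import dataclass

# topic0 of every ERC-20 Approval event: keccak256("Approval(address,address,uint256)")
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UINT256_MAX = 2**256 - 1  # the "unlimited" allowance most dApps (and drainers) request

# Constructed addresses for the demo (not real accounts).
OWNER = "0x" + "11" * 20
ROUTER = "0x" + "22" * 20   # a spender the user knowingly uses
DRAINER = "0x" + "dd" * 20  # spender approved through a phishing site
TOKEN_A = "0x" + "aa" * 20
TOKEN_B = "0x" + "bb" * 20

def _topic(addr: str) -> str:
    """Encode an address as an indexed event topic (left-padded to 32 bytes)."""
    return "0x" + addr[2:].lower().rjust(64, "0")

def _approval_log(block, idx, token, owner, spender, amount):
    """Build one Approval log entry as eth_getLogs would return it."""
    return {"address": token, "blockNumber": block, "logIndex": idx,
            "topics": [APPROVAL_TOPIC, _topic(owner), _topic(spender)],
            "data": "0x" + format(amount, "064x")}

SAMPLE_LOGS = [  # constructed history for OWNER
    _approval_log(100, 0, TOKEN_A, OWNER, ROUTER, 1_000 * 10**18),   # normal, bounded
    _approval_log(101, 3, TOKEN_A, OWNER, DRAINER, UINT256_MAX),     # ice-phishing approval
    _approval_log(102, 1, TOKEN_B, OWNER, ROUTER, UINT256_MAX),      # unlimited, known spender
    _approval_log(103, 0, TOKEN_A, OWNER, ROUTER, 0),                # user already revoked this
    _approval_log(104, 2, TOKEN_B, "0x" + "99" * 20, DRAINER, UINT256_MAX),  # another wallet
]

@dataclass(frozen=True)
class Allowance:
    token: str
    spender: str
    amount: int
    block: int

def _topic_to_address(topic: str) -> str:
    return "0x" + topic[-40:].lower()

def current_allowances(logs, owner):
    """Latest allowance per (token, spender) for `owner`.

    Approval carries the new absolute allowance, so the most recent event in
    (block, logIndex) order wins and a later 0 records a revocation.
    """
    owner = owner.lower()
    latest = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # not an Approval event (e.g. a Transfer)
        if _topic_to_address(topics[1]) != owner:
            continue  # someone else's approval
        spender = _topic_to_address(topics[2])
        token = log["address"].lower()
        latest[(token, spender)] = Allowance(token, spender, int(log["data"], 16), log["blockNumber"])
    return latest

def revoke_candidates(allowances, trusted_spenders):
    """Allowances to revoke: any live allowance to a spender the user does not
    recognise, plus unlimited allowances even to trusted spenders."""
    trusted = {s.lower() for s in trusted_spenders}
    flagged = []
    for a in allowances.values():
        if a.amount == 0:
            continue  # nothing left to revoke
        reasons = []
        if a.spender not in trusted:
            reasons.append("unrecognized spender")
        if a.amount == UINT256_MAX:
            reasons.append("unlimited allowance")
        if reasons:
            flagged.append((a, reasons))
    return flagged

if __name__ == "__main__":
    for a, why in revoke_candidates(current_allowances(SAMPLE_LOGS, OWNER), [ROUTER]):
        print(f"revoke token {a.token} spender {a.spender} (block {a.block}): {', '.join(why)}")
```

On a live wallet the same functions run over the Approval logs fetched for the owner’s address; each flagged pair is then cleared by sending an approve(spender, 0) for that token.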

Tech giant Microsoft was the first to highlight this practice in a Feb. 16 blog post, saying at the time that while credential phishing is predominant in the Web2 world, ice phishing gives individual scammers the ability to steal a chunk of the crypto industry while maintaining “almost complete anonymity.”

They recommended that Web3 projects and wallet providers increase their security on the software level in order to prevent the burden of avoiding ice phishing attacks being placed solely on the end-user.

Front-running scams rampant on YouTube with 500% surge in 2022: CertiK

The scam lures victims to download fake front-running bot software that swipes their assets once they try to initiate a transaction.

Front-running scam bots are significantly gaining traction on YouTube, with the number of dubious videos increasing six-fold in 2022, according to a new report from blockchain security firm CertiK.

In the firm’s Dec. 1 report, CertiK explores how a wave of front-running bot scams are promising free returns as high as 10X a day but ultimately end up swiping people’s funds.

Notably, CertiK’s analysis found 84% of videos on YouTube mentioning “front running bot” were scams, with the number increasing 500% from 28 videos in 2021 to 168 videos in 2022:

“There are common themes in all of these videos: free code and huge returns. Successful runners won’t give away free code on a social media site, they will sell it for a large amount on underground forums.”

The scam itself generally sees victims being guided to download fake bot software, which is designed to swipe their assets once they try to initiate a front-running transaction.

Even when they are not scams, front-running bots cause problems as they can give the deployer a distinct advantage over other crypto traders in certain circumstances.

The bots generally scan blockchains for unconfirmed transactions and then pay a greater gas fee to squeeze in ahead of said transactions, “essentially beating it to the punch and taking all the profit on offer” from a trade.

The report identified videos using dubious titles such as “$15,000 Front Running Crypto Bot Leak! – 50X HUGE RETURNS!” and “Uniswap Front Running Bot 2022 – EASY TUTORIAL (Huge profits)” in which scammers give fake tutorials on downloading and using the bots.

The videos’ comment sections are, of course, swarmed with countless bot comments praising the content so that real comments sounding alarm bells are buried under the noise.

An example of the typical comments found on front-running bot scam videos. Source: CertiK

Scam reports have been rife of late, as Cointelegraph reported on Nov. 22 that deepfake videos using Sam Bankman-Fried’s likeness were circulating online aiming to dupe people impacted by FTX’s bankruptcy.

Related: Metaverse exploitation and abuse to rise in 2023: Kaspersky

CertiK released a separate report on Nov. 17 outlining that crypto scammers have been using identities bought on the black market to put their names and faces on fraudulent projects. Described as “Professional KYC actors,” CertiK found that their identities could be purchased for as low as $8.00.

On Reddit on Dec. 1, members of the r/Metallica community were also sending out warnings over fake Metallica live streams featuring all the band members that linked to crypto giveaway scams.

Some members even claimed that the YouTube algorithm had been recommending the videos to them in their top recommendations.

Comment on r/Metallica. Source: Reddit

Crypto scammers are using black market identities to avoid detection: CertiK

The blockchain security firm has uncovered a new tactic used by crypto scammers as the industry continues to improve its fraud detection capabilities.

Crypto scammers have been accessing a “cheap and easy” black market of individuals willing to put their name and face on fraudulent projects — all for the low price of $8.00, blockchain security firm CertiK has uncovered. 

These individuals, described by CertiK as “Professional KYC actors,” would, in some cases, voluntarily become the verified face of a crypto project, gaining trust in the crypto community prior to an “insider hack or exit scam.”

Other uses of these Know Your Customer (KYC) actors include using their identities to open bank or exchange accounts on behalf of the bad actors.

According to a Nov. 17 blog post, CertiK analysts were able to find over 20 underground marketplaces hosted on Telegram, Discord, mobile apps and gig websites to recruit KYC actors for as low as $8.00 for simple “gigs” like passing the KYC requirements “to open a bank or exchange account from a developing country.”

Pricier jobs involve the KYC actor putting their face and name on a fraudulent project. CertiK noted that most actors are seemingly exploited as they are based in developing countries “with an above-average concentration in South-East Asia” and paid around $20 or $30 per role.

Meanwhile, more complex requirements or verification processes could fetch an even higher asking price, particularly if the KYC actors are residents of countries considered a low money laundering risk.

Some roles paid up to $500 a week if an actor was to play the role of CEO for a malicious project but the KYC actor market was “marginal” compared to the market for already KYCed bank and crypto exchange accounts, according to CertiK.

Crypto to fiat — or vice-versa — conversions were also cited as a significant share of the transactions seen on these marketplaces, with CertiK calculating that these black markets, ranging in size from 4,000 to 300,000 members, had more than 500,000 buyers and sellers in total.

Related: Scary stats: $3B stolen in 2022 as of ‘Hacktober,’ doubling 2021

CertiK warned that over 40 websites claiming to vet crypto projects and offer “KYC badges” are “worthless,” as the services are “too superficial to detect fraud or simply too amateur to detect insider threats.”

They added that the teams behind these websites are “missing the needed investigation methodology, training, and experience,” meaning these badges are then leveraged by scammers to mislead the community and investors.

That being said, the industry has been working hard and is gaining ground in its fight against crypto scammers. A tool released in October by traditional finance giant Mastercard combines artificial intelligence and blockchain data to help find and prevent fraud.

Contrary to popular belief, the open nature of blockchain transactions means it’s harder for fraudsters to hide the movement of funds. Another recent example has been the work of French authorities using on-chain analysis to find and charge five people who stole nonfungible tokens (NFT) through a phishing scam.