Cybersecurity

NFT Trader’s stolen Apes returned after bounty payment

The hacker returned 36 BAYC and 18 MAYC after receiving a 120 Ether bounty payment from Yuga Labs co-founder Greg Solano.

All Bored Ape Yacht Club (BAYC) and Mutant Ape Yacht Club (MAYC) nonfungible tokens (NFTs) stolen from the peer-to-peer trading platform NFT Trader have been returned after a bounty payment. 

NFTs worth nearly $3 million were stolen in the hack on Dec. 16. As per public messages, the attacker attributed the original exploit to another user. “I came here to pick up residual garbage,” they wrote, requesting ransom payments to return the NFTs.

“If you want these NFT’s back then you need to pay me 120 ETH […] and then I will send you the NFT’s, it’s as simple as that, and I never lie, believe me […],” reads one of the messages.

Read more

Bitcoin inscriptions added to US National Vulnerability Database

The United States National Vulnerability Database (NVD) flagged Bitcoin’s inscriptions as a cybersecurity risk.

The National Vulnerability Database (NVD) flagged Bitcoin’s inscriptions as a cybersecurity risk on Dec. 9, calling attention to the security flaw that enabled the development of the Ordinals Protocol in 2022.

According to the database records, a datacarrier limit can be bypassed by masking data as code in some Bitcoin Core and Bitcoin Knots versions. “As exploited in the wild by Inscriptions in 2022 and 2023,” reads the document.

Being added to the NVD’s list means that a specific cybersecurity vulnerability has been recognized, cataloged, and deemed important for public awareness. The database is managed by the National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce.

Read more

Meta releases ‘Purple Llama’ AI security suite to meet White House commitments

Meta believes that this is “the first industry-wide set of cyber security safety evaluations for Large Language Models (LLMs).”

Meta released a suite of tools for securing and benchmarking generative artificial intelligence (AI) models on Dec. 7.

Dubbed “Purple Llama,” the toolkit is designed to help developers build safely and securely with generative AI tools, such as Meta’s open-source model, Llama-2.

The release, which Meta claims is the “first industry-wide set of cyber security safety evaluations for Large Language Models (LLMs),” includes:

Read more

Trust Wallet to reimburse users after $170,000 security incident

A vulnerability impacted wallet addresses created through the browser extension between Nov. 14 and 23, resulting in nearly $170,000 in losses.

Crypto wallet Trust Wallet has disclosed a security vulnerability that resulted in nearly $170,000 in losses for some users. The vulnerability has been patched, according to the company.

Trust Wallet found out about the issue through its bug bounty program. A security researcher reported a WebAssembly vulnerability in the open-source library Wallet Core in November 2022. New wallet addresses generated “between November 14 and 23, 2022 by Browser Extension contain this vulnerability,” the company said in a statement, adding that all addresses created before and after those dates are safe.

The breach resulted in two exploits that led to a total loss of nearly $170,000. Approximately 500 vulnerable addresses remain, with an $88,000 balance, according to a postmortem report. Affected users will be offered a refund and gas fee assistance to cover the costs of fund transfers. According to Trust Wallet:

“We want to assure users that we will reimburse eligible losses from hacks due to the vulnerability and have created a reimbursement process for the affected users. And we urged affected users [to] move the remaining ~$88,000 USD balance on all the vulnerable addresses as soon as possible.”

Users who experienced abnormal fund movement in late December 2022 and late March 2023 may be among those affected by the two exploits.

The company urged affected customers to create a new wallet and transfer their funds. Users with vulnerable addresses will be notified through the Trust Wallet browser extension, said the company. Developers who used the Wallet Core library in 2022 should implement the latest version of Wallet Core. Affected wallet addresses from Binance were previously notified through the crypto exchange.

Another recently unveiled exploit has drained almost $11 million in nonfungible tokens and cryptocurrencies from various addresses across 11 blockchains since December 2022, targeting veterans in the crypto community. The attack was initially attributed to an exploit in the MetaMask wallet, but that was later denied by the company.

Magazine: ‘Account abstraction’ supercharges Ethereum wallets: Dummies guide

9 Tech YouTube channels to follow

Discover nine tech-focused YouTube channels covering topics such as programming, machine learning, cybersecurity, blockchain and Web3.

Learning tech via YouTube channels can be a great way to supplement traditional learning methods, as it provides a more interactive and engaging experience. Many YouTube channels dedicated to tech provide in-depth tutorials and explanations of complex concepts in a way that is easy to understand, making it accessible to learners of all skill levels.

Additionally, YouTube channels often provide access to industry experts, giving learners the opportunity to learn from individuals with real-world experience and knowledge. For instance, Cointelegraph’s YouTube channel provides news, interviews and analysis on the latest developments in the cryptocurrency and blockchain industries. The channel’s content is well-produced and features engaging visuals, making it an accessible and entertaining way to learn about these topics.

Here are nine other YouTube channels to follow and learn beyond cryptocurrencies.

Ivan on Tech 

Ivan on Tech is a popular YouTube channel focused on blockchain technology, cryptocurrencies and decentralized applications (DApps). The channel is hosted by Ivan Liljeqvist, a software developer and blockchain expert.

Liljeqvist offers educational material on his YouTube channel on a range of subjects relating to blockchain technology, such as crypto trading, the creation of smart contracts, decentralized finance (DeFi) and more. Also, he offers updates on the most recent events and trends in the sector.

Liljeqvist also maintains an online school called Ivan on Tech Academy in addition to his YouTube channel. This school includes classes on blockchain development, cryptocurrency trading and other relevant subjects.

Andreas Antonopoulos

Andreas Antonopoulos’ YouTube channel is an invaluable resource for anyone seeking in-depth knowledge and insights into Bitcoin (BTC) and cryptocurrencies, featuring a wealth of informative talks, interviews and Q&A sessions.

Antonopoulos is a renowned advocate, speaker and author in the field of Bitcoin and cryptocurrencies. He is widely regarded as a leading expert on blockchain technology and has written several books on the subject, including Mastering Bitcoin and The Internet of Money.

He is renowned for his fervent defense of decentralized systems and his capacity to concisely and clearly convey difficult ideas. Since the beginning of cryptocurrencies and blockchain technology, Antonopoulos has been a vocal proponent of their development and use.

Crypto Daily 

Crypto Daily is a popular YouTube channel dedicated to providing daily news, analysis and commentary on the world of cryptocurrencies. With over 500,000 subscribers, the channel covers a broad range of topics, from the latest developments in cryptocurrencies to initial coin offerings and blockchain technology.

James, the host of the channel, makes his insights interesting for both inexperienced and seasoned crypto aficionados by combining wit, humor and intellect in his delivery. The channel also offers interviews with industry leaders, product reviews and educational content, making it a well-rounded resource for anybody interested in the world of cryptocurrency.

Cybersecurity Ventures 

Cybersecurity Ventures is a YouTube channel focused on providing educational content on cybersecurity, cybercrime and cyberwarfare. The channel offers in-depth analyses of new trends and technology, news updates on the most recent cyber threats and assaults, and interviews with top industry experts.

The channel, which has over 20,000 members, offers guidance and best practices for people and businesses wishing to safeguard themselves against online risks, making it a useful tool for both inexperienced and seasoned cybersecurity professionals.

Related: Top 10 most famous computer programmers of all time

Machine Learning Mastery

Machine Learning Mastery also has a YouTube channel that complements its website by providing video tutorials on machine learning topics. The channel, which is hosted by Jason Brownlee, provides a range of content, including lessons, interviews with business leaders, and discussions of the most recent developments and difficulties in the field of machine learning.

The videos are well-made and very educational, covering everything from the fundamentals of machine learning to more complex subjects, such as neural networks and computer vision. The channel, which complements the substantial materials already offered on the Machine Learning Masters website, has a growing subscriber base and is a great resource for anybody wishing to learn about machine learning in a visual format.

Two Minute Papers 

Two Minute Papers is a popular YouTube channel that summarizes and explains complex research papers in the fields of artificial intelligence, machine learning and computer graphics in two minutes or less. 

The channel, hosted by Károly Zsolnai-Fehér, provides an easy way to stay up-to-date on the most recent developments and discoveries in these areas. The professionally made videos include simple visual explanations and can help viewers understand even the most challenging studies.

In order to personalize the information, Two Minute Papers also includes interviews with researchers and subject-matter experts. Two Minute Papers, a popular and useful resource for people interested in cutting-edge research and advancements in AI and related subjects, has more than 1.5 million subscribers.

 Web3 Foundation

The Web3 Foundation is a nonprofit organization dedicated to supporting and building the decentralized web, also known as Web3. Its YouTube channel provides educational content and updates on the latest developments in Web3 technology, including blockchain, distributed systems and peer-to-peer networks.

Related: What are peer-to-peer (P2P) blockchain networks, and how do they work?

The channel offers talks by prominent authorities in the field, including programmers, researchers and businesspeople, as well as discussions and interviews on subjects pertaining to Web3 technology. Also, it provides updates on the progress of the Polkadot network, an open-source platform for constructing interoperable blockchain networks. Overall, the Web3 Foundation YouTube channel is a great resource for anyone interested in the decentralized web’s future because it has over 20,000 followers.

Dapp University 

Dapp University’s YouTube channel complements its educational platform by providing video tutorials on blockchain development, smart contracts and decentralized application (DApp) development. Hosted by developer and entrepreneur Gregory McCubbin, the channel features clear and concise explanations of complex topics in blockchain technology, making it accessible to beginners and experts alike.

The videos cover a wide range of topics, including Ethereum, Solidity and other blockchain tools and technologies. With over 300,000 subscribers, the Dapp University YouTube channel is a valuable resource for individuals looking to learn how to develop decentralized applications on the blockchain.

Tech With Tim

Tech With Tim is a popular YouTube channel dedicated to teaching programming and computer science concepts to beginners and intermediate learners. The channel offers tutorials on a range of programming languages, including Python, Java and C++, as well as web development, game development and machine learning.

It is hosted by Tim Ruscica, a software engineer and seasoned tutor. The well-produced videos have straightforward explanations and examples of programming topics, making them understandable to a variety of students. Tech With Tim is a great resource for anybody wishing to learn programming and computer science skills, with more than 800,000 members.

KyberSwap announces potential vulnerability, tells LPs to withdraw ASAP

Only Kyberswap Elastic funds are said to be at risk, with the developer stating that so far, no funds have been lost.

Kyber Network, the developer of the Kyberswap Elastic decentralized crypto exchange, announced on April 17 that there is a potential vulnerability in the exchange’s contracts. It has advised all liquidity providers to remove their funds as soon as possible.

The developer has stated that no funds have been lost. However, it has advised liquidity providers (LPs) to remove their funds as a precaution. Only Kyberswap Elastic funds are at risk. Kyberswap Classic smart contracts do not contain the vulnerability, the team said.

In a separate message, the team stated that farming rewards have been temporarily suspended until a new smart contract can be deployed. All rewards earned prior to 18 April 2023, 11pm (GMT+7) have already been dispersed and are unaffected by this pause.

The developer has stated that it will update the community soon with an explanation as to when funds can be safely deposited back into the protocol.

According to its official documents, KyberSwap Elastic is a decentralized exchange (DEX) that allows LPs to provide “concentrated liquidity.” Instead of requiring them to provide liquidity for any price point, it allows them to decide a price ceiling and price floor for the tokens they deposit into the pool.

Related: Binance identifies KyberSwap hack suspects, involves law enforcement

If the price moves below the floor or above the ceiling, LPs no longer receive fees. However, they receive higher fees if the price stays within the range they have set. This is contrast to the DEXs previous incarnation, KyberSwap Classic, which does not allow for concentrated liquidity.

The user interface for Kyberswap was hacked in September, and an attacker got away with $265,000 worth of crypto as a result of it.

Hundred Finance loses $7 million in Optimism hack

The attacker reportedly manipulated the exchange rate between ERC-20 tokens and hTOKENS to steal over $7 million from the protocol.

Multichain lending protocol Hundred Finance has experienced a significant security breach on the Ethereum layer-2 blockchain Optimism. The protocol tweeted that the losses sit at $7.4 million.

Hundred Finance announced the exploit on April 15, saying it had contacted the hacker and was working with various security teams on the incident. Although the protocol didn’t reveal how the attack was executed, blockchain security firm CertiK said it was a flash loan attack:

Flash loan attacks involve a hacker borrowing a large amount of funds via a type of uncollateralized loan from a lending protocol. The hacker then uses these funds to manipulate the price of an asset on a decentralized finance (DeFi) platform. 

In Hundred’s case, the attacker manipulated the exchange rate between ERC-20 tokens and hTOKENS, allowing them to withdraw more tokens than originally deposited, according to Certik. The blockchain security firm continued:

“The exchange rate formula was manipulated through Cash value. Cash is the amount of WBTC that the hBTC contract has. The attacker manipulated it by donating large amounts of WBTC to the hToken contract so that the exchange rate goes up.”

Certik says that large loans were taken out under the manipulated exchange rate. Hundred Finance was preparing a postmortem report on the incident.

This attack comes almost nearly 12 months after Hundred was exposed to another exploit on the Gnosis Chain. At that time, the hacker drained all of the protocol’s liquidity through a reentrancy attack, taking over $6 million. In the same exploit, the hacker also stole funds from the Agave protocol.

Since last year, a number of perpetrators have used flash loan attacks to target DeFi protocols. Recent cases include attacks against Euler Finance ($196 million) and Mango Markets ($46 million). Eulerwhile ’s hacker returned most of the funds, Mango’s thief has been arrested by United States authorities.

Magazine: Should crypto projects ever negotiate with hackers? Probably

MetaMask third-party provider was hacked, exposing email addresses

The incident affected users who submitted a MetaMask customer service ticket between August 1, 2021 and February 10, 2023.

The email addresses of some MetaMask users may have been exposed to a malicious party due to a recently discovered cyber-security incident. According to parent company ConsenSys, the incident affected users who submitted a customer support ticket to MetaMask between August 1, 2021 and February 10, 2023.

According to the April 14 blog post, unauthorized actors gained access to a third party’s computer system that was used to process customer service requests, potentially allowing them to view customer support tickets submitted by MetaMask users.

These tickets did not ask for information other than what was necessary to help the user, including email address to facilitate replies. However, they did include a “free text-field,” which some users may have used to submit personally identifying information. This may have included “economic or financial information, name, surname, date of birth, phone number, and postal address,” the post stated.

Consensys emphasized that it does not ask for personally identifying information in customer conversations, but some may have provided it anyway.

The company estimates that the breach may have affected up to 7,000 MetaMask users who submitted customer support tickets.

In response to this incident, hardware wallet provider Keystone warned MetaMask users that some might receive more phishing emails due to the incident since the attacker may use this swiped email database to look for potential victims.

Phishing is a scam that tricks a user into providing sensitive information to an attacker. It is often performed by sending an email to the victim that appears to be from a trusted party or someone the victim knows.

Related: MetaMask launches new fiat purchase function for cryptocurrency

Consensys said it had taken steps to eliminate unauthorized access in the future. As a result, tickets submitted after February 10 should be unaffected by the incident. They have also contacted the Data Protection Commission of Ireland and the Information Commissioner’s Office of the United Kingdom to report the breach. In addition, the company’s third-party customer service provider is working with a cyber-security and forensics team to perform a more detailed investigation of the incident.

MetaMask came under fire from privacy advocates in late 2022 when it revealed that it sometimes logged users’ IP addresses. However, it updated its app in March to give users more control over which providers could obtain this information.

MetaMask third-party provider hacked, exposing email addresses

The incident affected users who submitted a MetaMask customer service ticket between August 1, 2021 and February 10, 2023.

The email addresses of some MetaMask users may have been exposed to a malicious party due to a recently discovered cybersecurity incident. According to parent company ConsenSys, the incident affected users who submitted a customer support ticket to MetaMask between August 1, 2021 and February 10, 2023.

According to the April 14 blog post, unauthorized actors gained access to a third party’s computer system that was used to process customer service requests, potentially allowing them to view customer support tickets submitted by MetaMask users.

These tickets did not ask for information other than what was necessary to help the user, including an email address to facilitate replies. However, they did include a “free text-field,” which some users may have used to submit personally identifying information. This may have included “economic or financial information, name, surname, date of birth, phone number, and postal address,” the post stated.

ConsenSys emphasized that it does not ask for personally identifying information in customer conversations, but some may have provided it anyway.

The company estimates that the breach may have affected up to 7,000 MetaMask users who submitted customer support tickets.

In response to this incident, hardware wallet provider Keystone warned MetaMask users that some might receive more phishing emails due to the incident since the attacker may use this swiped email database to look for potential victims.

Phishing is a scam that tricks a user into providing sensitive information to an attacker. It is often performed by sending an email to the victim that appears to be from a trusted party or someone the victim knows.

Related: MetaMask launches new fiat purchase function for cryptocurrency

ConsenSys said it had taken steps to eliminate unauthorized access in the future. As a result, tickets submitted after February 10 should be unaffected by the incident. The company also contacted the Data Protection Commission of Ireland and the Information Commissioner’s Office of the United Kingdom to report the breach. In addition, the company’s third-party customer service provider is working with a cybersecurity and forensics team to perform a more detailed investigation of the incident.

MetaMask came under fire from privacy advocates in late 2022 when it revealed that it sometimes logged users’ IP addresses. However, it updated its app in March to give users more control over which providers could obtain this information.

DeFi tool to notify users about suspicious on-chain activity

In determining the success of Web3, security measures like PureFi’s SafeTransact alongside Web3 security companies are an approach to secure transactions from cybercriminals.

The success of Web3 is dependent upon solutions to the security issues posed by distinct application structures.

Web3 security companies are responsible for ensuring that blockchain-based platforms and applications are protected from cyber threats. These companies offer a variety of services, including smart contract auditing, security testing and incident response. PureFi, a decentralized finance (DeFi) protocol for cryptocurrency onboarding, has introduced a new method called SafeTransact to improve the security of Web3 transactions.

Web3 security is heavily dependent on the unique ability of blockchains to establish promises and withstand human intervention. These software-controlled networks, however, are a potential hacking target because of the related trait of finality — the fact that transactions are often irreversible. This implies a need for more levels of prevention-oriented security. SafeTransact’s addition to the global crypto security arsenal helps in that regard.

SafeTransact examines blockchain transactions and promptly notifies users of any suspicious activities. It is designed to integrate with AMLSafe, a multi-crypto wallet from the same ecosystem.

The SafeTransact system considers the token address, sender address, spender address and amount to gauge transaction risk for approved transactions. The system analyzes input data such as “from,” “to” and “amount” addresses to determine risk levels for token transfer transactions. For swap transactions, it analyzes decentralized exchange addresses, fund senders, tokens in and out, and amounts sent to provide a comprehensive assessment of risk.

According to a recent Chainalysis report, the DeFi industry experienced the most hacks and data breaches in 2022. The DeFi space is yet to develop security measures to help users navigate the Web3 world.

Related: No ‘respite’ for exploits, flash loans or exit scams in 2023: Cybersecurity firm

Security companies perform audits of Web3 applications to identify vulnerabilities and potential risks, as well as develop blockchain-specific security tools that can help detect and prevent attacks on blockchain networks. These security companies also implement secure coding practices to prevent vulnerabilities in Web3 applications.

Overall, security companies are constantly innovating and developing new approaches to protect Web3 transactions, given the unique challenges and risks associated with blockchain-based transactions.

Magazine: North Korean crypto hacking: Separating fact from fiction