EXP Attack

Crypto phishing attacks up by 40% in one year: Kaspersky

Russian cybersecurity and anti-virus provider Kaspersky detected over 5 million crypto phishing attacks in the year, compared with just over 3.5 million in 2021.

When it comes to cryptocurrency-related cyberattacks, bad actors have seemingly reduced the use of traditional financial threats like desktop and mobile banking malware, shifting their focus to phishing

Russian cybersecurity and anti-virus provider Kaspersky revealed that cryptocurrency phishing attacks witnessed a 40% year-on-year increase in 2022. The company detected 5,040,520 crypto phishing attacks in the year, compared with 3,596,437 in 2021.

A typical phishing attack involves reaching out to investors through fake websites and communication channels that mimic the official companies. Users are then prompted to share sensitive information such as private keys, which ultimately gives attackers unauthorized access to crypto wallets and assets.

While Kaspersky did not predict whether the trend would continue to grow in 2023, phishing attacks have kept their momentum this year. Most recently, in March, hardware cryptocurrency wallet provider Trezor issued a warning about attempts to steal users’ crypto by tricking investors into entering their recovery phrase on a fake Trezor site.

In a survey conducted by Kaspersky in 2022, one out of seven respondents admitted to being affected by cryptocurrency phishing. While phishing attacks predominantly involve giveaway scams or fake wallet phishing pages, attackers continue to evolve their strategies.

According to Kaspersky, “crypto still remains a symbol of getting rich quick with minimal effort,” which attracts scammers to innovate their techniques and stories to lure in unwary crypto investors.

Related: 5 sneaky tricks crypto phishing scammers used last year: SlowMist

Arbitrum investors were recently exposed to a phishing link via its official Discord server. A hacker reportedly hacked into the Discord account of one of Arbitrum’s developers, which was then used to share a fake announcement with a phishing link.

Cointelegraph accessed the phishing link to find that it redirects users to a blank website with the text “Astaghfirullah,” which translates to “I seek forgiveness in God.” According to Wiktionary, the term can also be used to express disbelief or disapproval.

Magazine: Crypto audits and bug bounties are broken: Here’s how to fix them

Euler Labs hacker returns ‘all of the recoverable funds’ — Timeline

Twenty-three days after the hack, on April 4, Euler Finance announced the total possible recovery of the lost funds, thus ending the $1 million bounty.

After being robbed of $196 million in a flash loan attack, Euler Finance has convinced its hacker to return most of the funds. The outcome resulted from numerous back-and-forths over 23 days, eventually leading the hacker to do “the right thing.”

On March 13, the Euler Finance hacker carried out multiple transactions, each draining millions of dollars in various tokens, including Dai (DAI), USD Coin (USDC), staked Ether (StETH) and wrapped Bitcoin (WBTC).

Funds stolen from Euler Finance. Source: BlockSec

As a result, Euler’s total value locked inside its smart contracts dropped from over $311 million to $10.37 million. Ultimately, 11 different decentralized finance (DeFi) protocols, including Balancer, Yearn.finance and Yield Protocol, either froze or lost funds.

The next day, on March 14, Euler took proactive measures to recover funds, disabling its vulnerable eToken module and donation function as the first course of action. In addition, it worked with auditing companies to analyze the root cause of the exploit.

At the same time, Euler tried contacting the hackers to negotiate a bounty. On March 15, Euler gave the hacker an ultimatum to return 90% of the stolen funds, threatening to announce a $1 million reward for information that could lead to the hacker’s arrest. This deal would allow the hacker to get away with $19.6 million.

The hacker, on the other hand, started moving funds at will. One victim received 100 Ether (ETH) after convincing the hacker that his life savings were lost in the Euler hack. Over several days, the hacker returned portions of the stolen funds in transfers of varying size.

Amid the chaos, Euler Labs CEO Michael Bentley revealed that ten separate audits over two years deemed the protocol “nothing higher than low risk” with “no outstanding issues.”

On March 21, Euler launched a $1 million bounty reward against the hacker after being ghosted mid-conversation while trying to strike a deal. Starting on March 25, the hacker began returning the stolen assets in large amounts on several occasions.

Twenty-three days after the hack, on April 4, Euler Finance announced the total possible recovery of the lost funds, thus ending the $1 million bounty. “Because the exploiter did the right thing and returned the funds, and the $1 million reward campaign launched by the Euler Foundation will no longer be accepting new information,” the protocol stated.

In the final transactions, the hacker sent 12 million DAI and 10,580 ETH in multiple transactions. The crypto community applauded Euler Finance’s effort to recover funds and restore investors’ confidence.

Related: Allbridge offers bounty to exploiter who stole $573K in flash loan attack

Gnosis, the team behind Gnosis Safe multisig and Gnosis Chain, recently launched a hash oracle aggregator to improve the security of bridges by requiring more than one bridge to validate a withdrawal.

As Cointelegraph reported, over $2 billion was stolen from bridges in 2021 and 2022, mainly due to bugs and wallet attacks.

Magazine: Huawei NFTs, Toyota’s hackathon, North Korea vs. Blockchain: Asia Express

Jake Paul-endorsed SafeMoon gets hacked after introducing a bug in upgrade

A public burn function introduced in the latest upgrade allegedly allows users to burn tokens from other addresses.

SafeMoon, a project previously endorsed by celebrities and social influencers like Jake Paul and Soulja Boy, announced its liquidity pool (LP) had been compromised. Without revealing further details about the attack, SafeMoon confirmed it is undertaking steps “to resolve the issue as soon as possible.”

Like many other crypto projects in 2021, SafeMoon was backed by numerous celebrities. However, a lawsuit from February 2022 alleged that musicians such as Nick Carter, Soulja Boy, Lil Yachty, and YouTubers Jake Paul and Ben Phillips mimicked real-life Ponzi schemes by misleading investors to purchase SafeMoon (SAFEMOON) tokens under the pretext of unrealistic profits.

Jake Paul promoting SafeMoon token in 2021. Source: Twitter

An investigation of the SafeMoon hack shows that the attacker made away with approximately 27,000 BNB (BNB), worth $8.9 million. SafeMoon has not yet responded to Cointelegraph’s request for comment. Moreover, users have been barred from posting comments on the announcement that revealed the LP compromise.

Blockchain investigator PeckShield narrowed the cause down to a recent software upgrade that likely introduced the bug. A public burn function introduced in the latest upgrade allegedly allows users to burn tokens from other addresses.

Community member “DeFi Mark” explained that the attacker used the vulnerability to remove SafeMoon tokens, causing an artificial spike in the token’s price. The attacker took advantage of the situation and sold off the tokens at an inflated price.

SafeMoon exploit overview. Source: PeckShield

The attacker left a note along with the transaction, as shown above, which said:

“Hey relax, we are accidentally frontrun an attack against you, we would like to return the fund, setup secure communication channel, lets talk.”

Until SafeMoon officially announces a resolution, investors are advised against investing in the project to avoid possible loss of funds.
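To make the reported defect concrete, here is an added illustration of a burn function that accepts the account to burn from as a parameter with no ownership or allowance check, next to a hardened form. This is example code written for this page, not SafeMoon’s contract; the contract and function names and the token layout are assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not SafeMoon's code. Names and layout are assumed.
// The defect described in the report: a burn function that is public and takes
// the account to burn from as an argument, with no check that the caller owns
// or has approval for that balance.
contract TokenWithOpenBurn {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    constructor(uint256 initialSupply) {
        balanceOf[msg.sender] = initialSupply;
        totalSupply = initialSupply;
    }

    // BUG: any caller can burn tokens held by any address, including a
    // liquidity pool's. Shrinking a pool's token reserve moves its quoted price.
    function burn(address from, uint256 amount) external {
        require(balanceOf[from] >= amount, "insufficient balance");
        balanceOf[from] -= amount;
        totalSupply -= amount;
    }
}

// Hardened form: callers burn only their own balance, and burning on behalf of
// another account goes through the same allowance check as transferFrom.
contract TokenWithGuardedBurn {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    uint256 public totalSupply;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);

    constructor(uint256 initialSupply) {
        balanceOf[msg.sender] = initialSupply;
        totalSupply = initialSupply;
        emit Transfer(address(0), msg.sender, initialSupply);
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        emit Approval(msg.sender, spender, amount);
        return true;
    }

    // Only the caller's own tokens can be burned here.
    function burn(uint256 amount) external {
        _burn(msg.sender, amount);
    }

    // Burning someone else's tokens requires that they approved the caller first.
    function burnFrom(address from, uint256 amount) external {
        uint256 allowed = allowance[from][msg.sender];
        require(allowed >= amount, "allowance exceeded");
        allowance[from][msg.sender] = allowed - amount;
        _burn(from, amount);
    }

    function _burn(address from, uint256 amount) internal {
        uint256 bal = balanceOf[from];
        require(bal >= amount, "insufficient balance");
        balanceOf[from] = bal - amount;
        totalSupply -= amount;
        emit Transfer(from, address(0), amount);
    }
}
```

The review check this illustrates: any externally callable function that changes the balance of an account passed in as a parameter must bind that account to `msg.sender`, either directly or through an allowance. In a constant-product liquidity pool, burning part of the pool’s reserve of a token raises that token’s quoted price, which is the “artificial spike” described above and why a pool address is the natural target for this class of bug.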

Related: New crypto litigation tracker highlights 300 cases from SafeMoon to Pepe the Frog

Following a recent security incident involving illicit access to hot wallets, Bitcoin (BTC) ATM manufacturer General Bytes plans to reimburse customers who lost funds.

As Cointelegraph reported, the hack caused a loss of 56 BTC and 21.82 Ether (ETH), cumulatively worth nearly $1.9 million.

Euler Finance hacker sends 100 ETH to red-flagged North Korean address

While Chainalysis suspected the involvement of North Korea in the Euler Finance hack, it highlighted the possibility of misdirection by other hackers.

Ever since Euler Finance fell victim to the biggest decentralized finance (DeFi) hack of 2023, the crypto community closely followed the $197 million loot on-chain — hoping to track down the attacker. Out of the series of transfers made by the hacker, one transaction of 100 Ether (ETH) was allegedly sent to an address associated with North Korea-linked actors.

Blockchain investigator Chainalysis identified that 100 ETH from Euler’s stolen funds was transferred to an address flagged in an older hack with links to North Korea.

The hacker also transferred 3,000 ETH to Euler’s deployer account without disclosing their intent. However, no other transfers were made after that at the time of writing. In both cases, it was unclear whether the hacker was trolling or if they genuinely considered accepting Euler Finance’s bounty reward of $20 million.

While Chainalysis suspected the involvement of North Korea in the Euler Finance hack, it highlighted the possibility of misdirection by other hackers.

Related: Euler hacker seemingly taking their chances, sends funds to crypto mixer

Euler Labs CEO Michael Bentley shared his displeasure with the $197 million hack as he revealed that ten separate audits conducted over two years assured its security.

As Cointelegraph previously reported, blockchain security firms, including Halborn, Solidified, ZK Labs, Certora, Sherlock and Omnisica, conducted smart contract audits on Euler Finance from May 2021 to September 2022.

Crypto investors under attack by new malware, reveals Cisco Talos

Since December 2022, the two malicious files — MortalKombat ransomware and Laplas Clipper malware — have been actively scouting the internet and stealing cryptocurrencies from unwary investors.

Anti-malware vendor Malwarebytes highlighted two new malicious programs, propagated by unknown sources, that actively target crypto investors in a desktop environment.

Since December 2022, the two malicious files in question — MortalKombat ransomware and Laplas Clipper malware — have been actively scouting the internet and stealing cryptocurrencies from unwary investors, revealed the threat intelligence research team, Cisco Talos. The campaign’s victims are predominantly located in the United States, with a smaller percentage of victims in the United Kingdom, Turkey and the Philippines, as shown below.

Victimology of the malicious campaign. Source: Cisco Talos

The two pieces of malware work together to grab whatever is stored in the user’s clipboard, which is typically a string of letters and digits the user has copied. The infection then detects wallet addresses copied to the clipboard and replaces them with a different address.

The attack relies on the user not checking the wallet address they paste, so the cryptocurrency ends up with the unidentified attacker. With no obvious target, the attack spans individuals and small and large organizations.

Ransom notes shared by MortalKombat ransomware. Source: Cisco Talos

Once infected, the MortalKombat ransomware encrypts the user’s files and drops a ransom note with payment instructions, as shown above. Revealing the download links (URLs) associated with the attack campaign, Talos’ report stated:

“One of them reaches an attacker-controlled server via IP address 193[.]169[.]255[.]78, based in Poland, to download the MortalKombat ransomware. According to Talos’ analysis, 193[.]169[.]255[.]78 is running an RDP crawler, scanning the internet for exposed RDP port 3389.”

As explained by Malwarebytes, the “tag-team campaign” starts with a cryptocurrency-themed email containing a malicious attachment. When opened, the attachment runs a BAT file that downloads and executes the ransomware.

Thanks to the early detection of this malware, investors can take steps to keep the attack from affecting their financial well-being. As always, Cointelegraph advises investors to perform extensive due diligence before investing, while verifying the official source of any communication. Check out this Cointelegraph Magazine article to learn how to keep crypto assets safe.

Related: US Justice Department seizes website of prolific ransomware gang Hive

On the flip side, as ransomware victims continue to refuse extortion demands, ransomware revenues for attackers plummeted 40% to $456.8 million in 2022.

Total value extorted by ransomware attackers between 2017 and 2022. Source: Chainalysis

While revealing the information, Chainalysis noted that the figures don’t necessarily mean the number of attacks is down from the previous year.

DeFi flash loan hacker liquidates Defrost Finance users causing $12M loss

Moments after a few users complained about the unusual loss of funds, Defrost Finance’s core team member Doran confirmed that Defrost V2 was hit with a flash loan attack.

Defrost Finance, a decentralized leveraged trading platform on the Avalanche blockchain, announced that both of its versions — Defrost v1 and Defrost v2 — are being investigated for a hack. The announcement came after investors reported losing their staked Defrost Finance (MELT) and Avalanche (AVAX) tokens from their MetaMask wallets.

Moments after a few users complained about the unusual loss of funds, Defrost Finance’s core team member Doran confirmed that Defrost v2 was hit with a flash loan attack. At the time, the platform believed that Defrost v1 was not impacted by the hack and decided to close down v2 for further investigation.

Core team member Doran confirming attack on Defrost Finance. Source: Telegram

Blockchain investigator PeckShield found that the hacker manipulated the share price of LSWUSDC, leading to a gain of roughly $173,000 for the hacker. Upon further analysis, PeckShield’s investigation revealed:

“Our analysis shows a fake collateral token is added and a malicious price oracle is used to liquidate current users. The loss is estimated to be >$12M.”

While the company proactively announced the hack, the community suspects a rug-pull situation at play.

Defrost v1 was initially announced unaffected by the hack as the first version of Defrost lacked a flash loan function.

Core team member Doran confirming the attack on both Defrost Finance versions. Source: Telegram

However, the platform later acknowledged an emergency for v1 as well, stating:

“Our team is currently investigating. We kindly ask the community to wait for updates and refrain from using either the V1 or V2 for the moment.”

Until further notice, investors are advised to stop using Defrost Finance. An internal team is currently investigating the situation and will reach out to users through official channels.

Defrost Finance has not yet responded to Cointelegraph’s request for comment.

Related: Raydium announces details of hack, proposes compensation for victims

In 2022, North Korean hackers stole crypto worth more than 800 billion Korean won ($620 million) from decentralized finance (DeFi) platforms alone.

A spokesperson from South Korea’s National Intelligence Service (NIS) revealed that all North Korean hacks were done through overseas DeFi exploits. However, with Know Your Customer (KYC) initiatives in place, the total number of North Korean hacks saw a significant reduction.

Hacker drains $1.08M from Audius following passing of malicious proposal

A malicious governance proposal (Proposal #85) requesting the transfer of 18 million of Audius’ in-house AUDIO tokens, worth $6.1 million, was approved via an exploit.

Proposals in crypto help communities make consensus-based decisions. However, for decentralized music platform Audius, the passing of a malicious governance proposal resulted in the transfer of tokens worth $6.1 million, with the hacker making away with $1 million.

On Sunday, a malicious proposal, Proposal #85, requesting the transfer of 18 million of Audius’ in-house AUDIO tokens was approved by community voting. First pointed out on Crypto Twitter by spreekaway, the attacker created the malicious proposal wherein they were “able to call initialize() and set himself as the sole guardian of the governance contract.”

Speaking to Cointelegraph, Audius co-founder and CEO Roneil Rumburg clarified that the community did not pass a malicious proposal:

“This was an exploit — not a proposal proposed or passed through any legitimate means — it just happened to use the governance system as the entry point for the attack.”

Further investigation from Audius confirmed the unauthorized transfer of AUDIO tokens from the company’s treasury. Following the revelation, Audius proactively halted all Audius smart contracts and AUDIO tokens on the Ethereum blockchain to avoid further losses. The company, however, resumed token transfers shortly after, adding that the “Remaining smart contract functionality is being unpaused after thorough examination/mitigation of the vulnerability.”

Blockchain investigator PeckShield traced the fault to storage layout inconsistencies in Audius’ contracts.
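The attacker’s `initialize()` call and PeckShield’s storage-layout finding point at a general hazard for contracts that sit behind an upgradeable proxy: setup happens in an initializer rather than a constructor, so the only thing stopping a second call is a flag in storage, and that storage is shared with the proxy. The following is an added example written for this page, not Audius’ code, and it shows the general pattern rather than the specific Audius defect; the contract names, the `guardian` role and the proxy layout are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Audius' code. Names and layout are assumed.
// A governance implementation that lives behind a delegatecall proxy is set up
// through initialize() instead of a constructor, so the guard against calling
// it twice lives in storage and is only as reliable as the storage layout it
// shares with the proxy.

// Vulnerable shape: nothing stops initialize() from running again, so any
// caller can make themselves guardian.
contract GovernanceReinitializable {
    address public guardian;

    function initialize(address _guardian) external {
        guardian = _guardian; // no "already initialized" check at all
    }

    function isGuardian() external view returns (bool) {
        return msg.sender == guardian;
    }
}

// Hardened shape: a one-shot initializer. A proxy that kept its own admin
// address in slot 0 would share that slot with _initialized and guardian
// below, and whatever bytes the proxy wrote there would decide what the guard
// reads, so the proxy keeps its variables in namespaced slots instead.
contract GovernanceGuarded {
    bool private _initialized; // slot 0 of the proxy's storage
    address public guardian;   // packed into slot 0 as well

    modifier initializer() {
        require(!_initialized, "already initialized");
        _initialized = true;
        _;
    }

    function initialize(address _guardian) external initializer {
        require(_guardian != address(0), "guardian required");
        guardian = _guardian;
    }

    function isGuardian() external view returns (bool) {
        return msg.sender == guardian;
    }
}

// Minimal proxy using the EIP-1967 convention: admin and implementation live
// at pseudo-random slots, so they can never overlap the implementation's
// slot 0 and silently flip its initialization flag.
contract MinimalProxy {
    // keccak256("eip1967.proxy.admin") - 1
    bytes32 internal constant ADMIN_SLOT =
        0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103;
    // keccak256("eip1967.proxy.implementation") - 1
    bytes32 internal constant IMPL_SLOT =
        0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;

    constructor(address implementation) {
        assembly {
            sstore(ADMIN_SLOT, caller())
            sstore(IMPL_SLOT, implementation)
        }
    }

    // Forward every call to the implementation in this contract's storage context.
    fallback() external payable {
        assembly {
            let impl := sload(IMPL_SLOT)
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}
```

Two things to check in any proxied governance contract: that every initializer is one-shot (and that the deployment script actually calls it, so an attacker cannot be first), and that the proxy’s own variables are placed in namespaced slots rather than at the start of storage, since a collision there can make an “already initialized” flag read as false.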

While the hacker’s governance proposal drained 18 million tokens worth nearly $6 million from the treasury, the tokens were soon dumped and sold for $1.08 million. Since the dump resulted in maximum slippage, investors recommended an immediate buyback to prevent existing investors from dumping and further lowering the token’s floor price.

Investors are yet to get clarity on the stolen funds, as one investor asked, “They hacked the community fund right? The team’s fund is separate correct?”

Rumburg confirmed with Cointelegraph that the root cause of the exploit has been mitigated and cannot be re-exploited. Given that the community treasury is kept separate from the foundation treasury, the remaining funds remain safe from any exploit.

Related: Yuga Labs warns of ‘persistent threat group’ targeting NFT holders

Bored Ape Yacht Club (BAYC) nonfungible token (NFT) creator Yuga Labs issued its second warning about an expected “coordinated attack” on its social media accounts.

In June, Gordon Goner, pseudonymous co-founder of Yuga Labs, issued the first warning of a possible incoming attack on its Twitter social media accounts. Soon after the warning, Twitter officials actively monitored the accounts and fortified their existing security.

Crema Finance shuts liquidity protocol on Solana amid hack investigation

While awaiting Crema Finance’s report on the situation, the Crypto Twitter community took it upon themselves to track down the hacker’s wallet and better understand the problem.

Crema Finance, a concentrated liquidity protocol on the Solana blockchain, announced the temporary suspension of its services owing to a successful exploit that drained a substantial but undisclosed amount of funds.

Soon after discovering the hack on its protocol, Crema Finance suspended its liquidity services to stop the hacker from draining its liquidity reserves, which include the funds of the service provider and investors.

Speaking to Cointelegraph about the matter, Henry Du, the co-founder of Crema Finance, confirmed the commencement of the investigation. He stated:

“We are working with some security companies and got support from Solana, Solscan and Etherscan etc. We will continue to post any update via official Twitter account.”

While the company had yet to provide an update based on an investigation that was ongoing at the time of writing, the Crypto Twitter community took it upon themselves to track down the hacker’s wallet and gain a better understanding of the situation.

Based on a personal investigation, crypto community member @HarveyMackinto2 allegedly spotted the hacker’s wallet address. The address in question holds 69,422.89 Solana (SOL) tokens, roughly $2.3 million, procured through a series of transactions over several hours.

Other members of the crypto community, however, suspect the hacker made away with 90% of the total liquidity from some of Crema Finance’s pools. Du, too, confirmed that all the functions of the protocol have been suspended indefinitely and asked investors to stay tuned for further information in the form of an update.

Readers should note that Crema Finance is not related to Cream Finance, a decentralized finance (DeFi) lending protocol that also lost $19 million in a flash loan hack last year.

Related: Infamous North Korean hacker group identified as suspect for $100M Harmony attack

North Korean hacking syndicate the Lazarus Group has become the primary suspect in a recent attack that made away with $100 million from the Harmony protocol.

Investigations by blockchain analysis firm Elliptic pointed to North Korea’s involvement based on how the stolen funds were laundered:

“There are strong indications that North Korea’s Lazarus Group may be responsible for this theft, based on the nature of the hack and the subsequent laundering of the stolen funds.”