Hack

How the Ledger Connect hacker tricked users into making malicious approvals

According to Cyvers, the attacker caused malicious code to be inserted into multiple app user interfaces, allowing the exploiter to fool users into confirming transactions.

The Ledger hacker who siphoned away at least $484,000 from multiple Web3 apps on Dec. 14 did so by tricking users into making malicious token approvals, according to the team behind blockchain security platform Cyvers.

According to public statements made by multiple parties involved, the hack occurred on the morning of Dec. 14. The attacker used a phishing exploit to compromise the computer of a former Ledger employee, gaining access to the employee’s NPMJS (Node Package Manager JavaScript) registry account.

When a developer first writes their app, they usually install a connect kit through a node package manager. After creating a build and uploading it to their site, their app will contain the connect kit as part of its code, which will then be downloaded into the user’s browser whenever the user visits the site.
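The attack worked because the code that reached the browser asked users to sign approvals. As an added example (not code from the article or from Ledger), the following wallet-side check decodes the calldata of a signing request and flags ERC-20/ERC-721 approvals to a spender the user has not vetted. The selectors are the standard ones for `approve(address,uint256)` and `setApprovalForAll(address,bool)`; the allowlist and all addresses are constructed sample values.

```javascript
// Added example, not code from the article or from Ledger: a wallet-side
// check that decodes the calldata a dApp asks the user to sign and flags the
// kind of token approvals the malicious connect kit tricked users into
// confirming. Addresses and calldata below are constructed sample values.

// 4-byte function selectors (first 4 bytes of keccak256 of the signature).
const SELECTORS = {
  "095ea7b3": "approve(address,uint256)",       // ERC-20 and ERC-721
  "a22cb465": "setApprovalForAll(address,bool)", // ERC-721 and ERC-1155
};

// The "unlimited" allowance that drainer prompts typically request: 2**256 - 1.
const MAX_UINT256 = (1n << 256n) - 1n;

// Hypothetical allowlist of spender contracts the user has already vetted.
const TRUSTED_SPENDERS = new Set([
  "0x1111111111111111111111111111111111111111",
]);

function hexToBigInt(hex) {
  return BigInt("0x" + hex);
}

// Split "0x" + calldata into the selector and the 32-byte ABI words.
function decodeCalldata(data) {
  const hex = data.toLowerCase().replace(/^0x/, "");
  if (hex.length < 8 || (hex.length - 8) % 64 !== 0) {
    throw new Error("malformed calldata");
  }
  const words = [];
  for (let i = 8; i < hex.length; i += 64) words.push(hex.slice(i, i + 64));
  return { selector: hex.slice(0, 8), words };
}

// An ABI-encoded address is right-aligned in its word; the 12 high bytes
// must be zero, otherwise the word is not a clean address.
function wordToAddress(word) {
  if (!word.startsWith("0".repeat(24))) throw new Error("not an address word");
  return "0x" + word.slice(24);
}

// Classify a signing request as "none", "warn" or "block", with a reason.
function assessApproval(tx) {
  const { selector, words } = decodeCalldata(tx.data);
  const fn = SELECTORS[selector];
  if (!fn) return { risk: "none", reason: "not an approval call" };
  if (words.length !== 2) return { risk: "block", reason: "unexpected argument count for " + fn };

  const spender = wordToAddress(words[0]);
  const trusted = TRUSTED_SPENDERS.has(spender);
  const value = hexToBigInt(words[1]); // uint256 amount, or 0/1 for the bool

  if (fn.startsWith("setApprovalForAll")) {
    if (value === 0n) return { risk: "none", reason: "revokes operator " + spender };
    return trusted
      ? { risk: "warn", reason: "operator approval to trusted " + spender }
      : { risk: "block", reason: "operator approval to untrusted " + spender };
  }

  // approve(address,uint256)
  if (value === 0n) return { risk: "none", reason: "revokes allowance of " + spender };
  if (trusted) return { risk: "none", reason: "allowance to trusted " + spender };
  return value === MAX_UINT256
    ? { risk: "block", reason: "unlimited allowance to untrusted " + spender }
    : { risk: "warn", reason: "allowance of " + value + " to untrusted " + spender };
}

// Helper that builds sample approve() calldata for the demo below.
function encodeApprove(spender, amount) {
  const word = (v) => v.toString(16).padStart(64, "0");
  return "0x095ea7b3" + word(hexToBigInt(spender.slice(2))) + word(amount);
}

const DRAINER = "0xdeaddeaddeaddeaddeaddeaddeaddeaddeaddead"; // constructed
console.log(assessApproval({ data: encodeApprove(DRAINER, MAX_UINT256) }));
```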


Hacker returns stolen funds to Tender.fi, gets $97K bounty reward

The bounty, which was offered via an on-chain message, was about $97,000, or 6% of the exploit amount.

The hacker behind the exploit of the decentralized finance lending platform Tender.fi has returned the stolen funds for a $97,000 bounty reward in Ether (ETH). 

The exploit was executed at 10:28 am UTC on March 7, with Tender.fi confirming the incident on Twitter soon after, citing “an unusual amount of borrows” and adding it has paused all borrowing.

Blockchain data showed the exploiter used a price oracle glitch to borrow $1.59 million worth of assets from the protocol by depositing 1 GMX token, valued at around $71.

“It looks like your oracle was misconfigured. contact me to sort this out,” the hacker wrote in an on-chain message.

Message sent to Tender.fi from the price oracle exploiter. Source: Arbiscan

Eight hours later, the DeFi protocol announced it had come to an agreement with the “White Hat” exploiter, in which the hacker would repay all loans minus a 62.16 ETH “bounty,” worth around $97,000 at current prices. 

Another hour later, Tender.fi confirmed on Twitter that the exploiter had completed the loan repayments.

“Funds are officially SaFu, post mortem on the way,” it wrote. 

Related: DeFi lender Tender.fi suffers exploit, white hat hacker suspected

In August last year, the cross-chain Nomad Bridge appealed to the exploiters who had participated in a smart contract exploit that extracted $190 million in funds from the bridge in less than three hours.

Mere hours later, approximately $32.6 million worth of funds were already returned, suggesting some of the exploiters may have been white hat hackers attempting to extract funds for a later safe return.

Later in the month, nonfungible token firm Metagame even offered a “Whitehat Prize” in the form of an NFT for anyone who proved they had returned at least 90% of the funds they stole from the protocol.

Blockchain data from the Official Nomad Funds Recovery Address shows that funds continued to be returned to the recovery address since then, with the latest transaction recorded on Feb. 18 for $7,868 in Covalent Query Token (CQT).

Tornado Cash dev says ‘sequel’ to crypto mixer aims to be regulator-friendly

Soleimani explained that the “critical flaw” with Tornado Cash is that users cannot prove that they’re not associated with a criminal enterprise stealing or laundering crypto funds.

A former Tornado Cash developer claims to be building a new crypto mixing service that aims to solve a “critical flaw” of the sanctioned crypto mixer — which he hopes will convince United States regulators to reconsider its position on privacy mixers.

The code of a new Ethereum-based mixer, “Privacy Pools,” was launched on GitHub on March 5 by its creator, Ameen Soleimani.

In a 22-part Twitter thread, Soleimani explained that the “critical flaw” with Tornado Cash is that users cannot prove that they’re not associated with North Korea’s Lazarus Group or any criminal enterprise for that matter.

With Privacy Pools, however, Soleimani says that depositors and withdrawers can opt out of an anonymity set that contains an address associated with stolen or laundered funds.

This feature of Privacy Pools is executed with zero-knowledge (ZK) proofs, meaning that the privacy of the user is preserved:

“Now, users have the option to help regulators isolate illicit funds, without revealing their entire transaction history […] With privacy pools, just because someone deposits into the same smart contract as you, it doesn’t mean they can also force you into sharing an anonymity set with them. It’s your choice.”

Soleimani provided a demonstration of how Privacy Pools is used:

The developer hopes the solution will empower “the community to defend against hackers abusing the anonymity sets of honest users without requiring blanket regulation or sacrificing on crypto ideals.”

While Privacy Pools is already live on Optimism, Soleimani noted that the first version of the privacy protocol is still in its “experimental” stage because the code isn’t complete and has not been audited, but he is “pretty close to having this ready.”

To see the protocol progress further, Soleimani wants on-chain forensics platforms like Chainalysis and TRM Labs to conduct tracebacks on deposits so that users of the privacy tool don’t have to manually create their own subset exclusion lists.

In making the case for on-chain privacy protocols, Soleimani cited what he described as an “excellent” report by the Federal Reserve Bank of St. Louis in Missouri that examined the trade-offs between on-chain privacy and regulation:

“Their report proposes to achieve effective regulation by having Tornado Cash users provide receipts to an intermediary, thus revealing their entire transaction history to the intermediary, but still being able to have privacy with respect to other public blockchain users.”

The developer hopes this can help “start a conversation” with U.S. regulators on how on-chain privacy can be preserved whilst restricting criminal activity through the use of ZK proofs.

Related: On-chain privacy is key to the wider mass adoption of crypto

Soleimani’s attempt to create a crypto-friendly on-chain privacy solution comes after the U.S. Office of Foreign Assets Control (OFAC) sanctioned ETH and USDC addresses linked to Tornado Cash on Aug. 8 in response to several alleged thefts by North Korea’s Lazarus Group, which was alleged to have routinely used the privacy mixer to preserve its anonymity.

Photograph of a #FreeAlex protest. Source: Twitter/ameensol

Shortly after the sanction, on Aug. 10, Alexey Pertsev, the creator of Tornado Cash, was arrested by authorities in the Netherlands and is currently facing a series of money laundering charges. He remains behind bars and his next hearing will take place in late April.


BitKeep remains on track to fully compensate victims of $8M APK exploit

The company says user losses will be 100% reimbursed by mid-March, with the funds being paid out of company coffers.

Singaporean cross-chain crypto wallet developer BitKeep says it has reimbursed 50% of user assets lost during a Dec. 26 security breach involving the hijacking of BitKeep’s APK 7.2.9 (Android Package Kit) installation package. Users who downloaded the malware subsequently saw their private keys compromised, leading to the theft of an estimated $8 million in user assets.

According to the March 1 statement from BitKeep’s official Telegram account, a total of 6,731 verified addresses were breached during the incident. The firm has since completed reimbursing 50% of the stolen assets in the affected addresses, with “expedited processing” for the remaining 50% of funds. BitKeep says it will complete its compensation plan ahead of schedule and release the remaining funds within two weeks.

In a statement to Cointelegraph, a spokesperson for BitKeep said the company has yet to recover the remaining assets through law enforcement efforts, and all reimbursements are “currently coming out of the company’s own pockets, including those to be completed in the near future.” According to the spokesperson:

“BitKeep is adamant about the safety of users’ assets and that is why we have stepped up to take responsibility for all damages as a result of the incident. Users’ losses are being compensated by BitKeep’s 2022 revenue and its Secure Assets Fund, and we will complete all reimbursements by March. Finally, we would like to express our gratitude to our users for their trust and support, as well as to our partners for working with us to overcome the recent challenges.”

On Dec. 29, three days after the incident, BitKeep announced that it had alerted law enforcement and would reimburse 100% of user losses. The wallet currently has over 8 million users worldwide. Last May, the firm raised $15 million in its Series A at a valuation of $100 million. 


Wormhole hacker moves another $46M of stolen funds

The Wormhole exploiter appears to be seeking arbitrage opportunities with Ethereum-pegged assets.

The ill-gotten crypto from one of the industry’s largest exploits is on the move again, with on-chain data showing another $46 million of stolen funds has just shifted from the hacker’s wallet.

The Wormhole attack was the third-largest crypto hack in 2022, resulting from an exploit of Wormhole’s token bridge in February 2022. Around $321 million of Wrapped ETH (wETH) was stolen.

According to blockchain security firm PeckShield, the hacker’s associated wallet has become active once again, moving $46 million worth of crypto assets.

This was made up of around 24,400 Lido Finance wrapped staked Ether tokens (wstETH), worth approximately $41.4 million, and 3,000 Rocket Pool staked Ether tokens (rETH), worth about $5 million, which were moved to MakerDAO.

The hacker appears to be seeking yield or arbitrage opportunities on their stolen loot as the assets were exchanged for 16.6 million DAI, PeckShield reported.

The MakerDAO stablecoin was then used to buy 9,750 ETH priced at around $1,537 and 1,000 stETH. These were then wrapped back into 9,700 wstETH.

On Feb. 10, an on-chain sleuth observed that the hacker was “buying the dip.”

However, the price of Ether (ETH) has since fallen below those levels over the past few hours. At the time of writing, ETH was down 2.6% on the day at $1,505, according to CoinGecko.

At the time of the transfers, stETH prices depegged from ETH and climbed as high as $1,570. At the time of writing, they were trading 2.4% higher than ETH at $1,541. Furthermore, wstETH had also depegged and risen to $1,676, 11.3% higher than the underlying asset.

Related: Crypto exploit losses in January see nearly 93% year-on-year decline

The latest funds movement comes only a few weeks after the hacker moved another $155 million worth of Ethereum to a decentralized exchange.

On Jan. 24, 95,630 ETH was sent to the OpenOcean DEX and then subsequently converted into ETH-pegged assets, including Lido’s stETH and wstETH.

LastPass data breach led to $53K in Bitcoin stolen, lawsuit alleges

A class action is seeking damages from the password manager following a data breach in August 2022.

A class-action lawsuit has been filed against password management service LastPass following a data breach in August 2022.

The class action was filed with the United States District Court for the District of Massachusetts on Jan. 3 by an unnamed plaintiff known only as “John Doe” and on behalf of others similarly situated.

It alleges that the data breach of LastPass has resulted in the theft of around $53,000 worth of Bitcoin (BTC).

The plaintiff claimed he began accruing BTC in July 2022 and updated his master password to more than 12 characters using a password generator, as recommended by the LastPass “best practices.”

This was done to enable the storage of private keys in the seemingly secure LastPass customer vault.

When news of the data breach broke, the plaintiff deleted his private information from his customer vault. LastPass was hacked in August 2022, with the attacker stealing encrypted passwords and other data, according to a December statement from the company.

Despite the quick action to delete the data, it appeared to be too late for the plaintiff. The lawsuit read:

“However, on or around Thanksgiving weekend of 2022, Plaintiff’s Bitcoin was stolen using the private keys he stored with Defendant [LastPass].”

“The LastPass Data Breach has, through no fault of his own, exposed him to the theft of his Bitcoin and exposed him to continued risk,” it added.

The suit claims that victims have been put at a substantially increased risk of future fraud and misuse of their private information, which may take years to manifest, discover and detect.

LastPass is being accused of negligence, breach of contract, unjust enrichment and breach of fiduciary duty. However, the figure sought in damages was not specified.

Related: ‘Third-party incident’ impacted Gemini with 5.7 million emails leaked

According to cybersecurity researcher Graham Cluley, the stolen data includes unencrypted information including company names, user names, billing addresses, telephone numbers, email addresses, IP addresses and website URLs from password vaults.

In December, LastPass admitted that if customers had weak master passwords, the attackers may be able to brute-force those passwords, allowing them to decrypt the vaults.

‘WTH did I just witness?’ Magic Eden turns porno after hosting service hacked

The NFT marketplace said the issue was caused by its third-party image hosting provider and assured users their NFTs were safe.

Nonfungible token (NFT) marketplace Magic Eden had to assure users their NFTs “are safe” after a spate of pornographic images littered its platform on Jan. 3.

In a Jan. 3 tweet, the Solana-based NFT marketplace told its users it “has not been hacked” and the “unsavory images” were the result of its third-party image hosting provider being “compromised.”

According to Jan. 3 tweets from Magic Eden users, loading a collection’s page would sometimes temporarily flash a pornographic image in place of the NFT thumbnail.

Others reported seeing a still from the comedy television series The Big Bang Theory instead.

“Anyone else seeing the characters from the series Big Bang Theory very quickly while loading their items on Magic Eden? WTH did I just witness” @Yaboibeclownin tweeted.

Magic Eden advised users that doing a “hard refresh” of one’s browser would fix the issue.

A hard refresh typically involves clearing the browser’s cache and forcing it to reload the most recent version of the page.

At the time of writing, the issue appears to have been rectified as the reported images have not appeared on the platform upon testing.

Related: China’s first national NFT marketplace to launch next week: Report

According to DappRadar, Magic Eden is the largest Solana-based NFT marketplace and the third largest of all NFT marketplaces, with a 30-day trading volume of $74.65 million, behind OpenSea and Blur.

The 10 largest crypto hacks and exploits in 2022 saw $2.1B stolen

Just the top 10 major cryptocurrency exploits garnered over $2 billion for malicious actors in a year that was marred with bankruptcies and collapses.

It’s been a turbulent year for the cryptocurrency industry — market prices have taken a huge dip, crypto giants have collapsed and billions have been stolen in crypto exploits and hacks.

It was not even halfway through October when Chainalysis declared 2022 to be the “biggest year ever for hacking activity.”

As of Dec. 29, the 10 largest exploits of 2022 have seen $2.1 billion stolen from crypto protocols. Below are those exploits and hacks, ranked from smallest to largest.

10: Beanstalk Farms exploit — $76M

Stablecoin protocol Beanstalk Farms suffered a $76 million exploit on April 18 from an attacker using a flash loan to buy governance tokens. This was used to pass two proposals that inserted malicious smart contracts.

The exploit was initially thought to have cost around $182 million as Beanstalk was drained of all its collateral but in the end, the attacker only managed to get away with less than half that.

9: Qubit Finance bridge exploit — $80M

Qubit Finance, a decentralized finance (DeFi) protocol on BNB Smart Chain, had over $80 million worth of BNB (BNB) stolen on Jan. 28 in a bridge exploit.

The attacker duped the protocol’s smart contract into believing they had deposited collateral that allowed them to mint an asset representing bridged Ether (ETH).

They repeated this multiple times and borrowed multiple cryptocurrencies against the unbacked bridged ETH, draining the protocol’s funds.

8: Rari Fuse exploit — $79.3M

Another DeFi protocol called Rari Capital was exploited on April 30 for the sum of roughly $79.3 million.

The attacker exploited a reentrancy vulnerability in the protocol’s Rari Fuse liquidity pool smart contracts, causing them to call into a malicious contract that drained the pools of all their crypto.

In September, Tribe DAO, which includes Rari Capital and other DeFi protocols, voted to reimburse affected users from the hack.

7: Harmony bridge hack — $100M

In yet another bridge hack, the Horizon Bridge that links Ethereum, Bitcoin (BTC), and BNB Chain to Harmony’s layer-1 blockchain was drained of around $100 million in multiple cryptocurrencies.

Blockchain forensics firm Elliptic pinned the hack on North Korean cybercriminal syndicate Lazarus Group, as the funds were laundered in a similar way to other known Lazarus attacks.

Lazarus is understood to have targeted Harmony employee login credentials, breaching the platform’s security system and gaining control of the protocol before deploying automated laundering programs to move their ill-gotten gains.

6: BNB Chain bridge exploit — $100M

The BNB Chain was paused on Oct. 6 due to “irregular activity” on the network, which later was revealed as an exploit that drained around $100 million from its cross-chain bridge, the BSC Token Hub.

Initially, it was thought the attacker was able to take around $600 million due to a vulnerability that allowed the creation of roughly two million BNB, the chain’s native token.

Unfortunately for the attacker, over $400 million worth of their digital assets were frozen on the blockchain, and more was possibly stuck in cross-chain bridges on the BNB blockchain side.

5: Wintermute hack — $160M

United Kingdom-based crypto market maker Wintermute suffered a compromised hot wallet that saw approximately $160 million across 70 tokens transferred out of the wallet.

Analysis from blockchain cybersecurity firm CertiK claimed the attack targeted a vulnerable private key, likely generated by Profanity, a vanity crypto address generator with a known weakness.

According to CertiK, this allowed the attacker to use that private key to call a function that changed the platform’s swap contract to one of the hacker’s own.

Conspiracy theories alleging the hack was an “inside job” due to how it was carried out were debunked by blockchain security firm BlockSec, which said the allegations were “not convincing enough.”

4: Nomad token bridge exploit — $190M

On Aug. 2, the Nomad token bridge, which allows users to swap cryptocurrencies across multiple blockchains, was drained by multiple attackers to the tune of $190 million.

A smart contract vulnerability that failed to properly validate transaction inputs was the cause of the exploit.

Multiple users, seemingly both malicious and benevolent, were able to copy the original attacker’s moves to funnel funds to themselves. Around 88% of addresses taking part in the exploit were identified as “copycats” in a report.

Only around $32.6 million worth of funds were able to be intercepted and returned to the protocol by white hat hackers.

3: Wormhole bridge exploit — $321M

The Wormhole token bridge suffered an exploit on Feb. 2 that resulted in the loss of 120,000 Wrapped Ether (wETH) tokens worth $321 million.

Wormhole allows users to send and receive crypto between multiple blockchains. An attacker found a vulnerability in the protocol’s smart contract and was able to mint 120,000 wETH on Solana (SOL) unbacked by collateral and was then able to swap this for ETH.

At the time it was marked as the largest exploit in 2022 and is the third-largest protocol loss overall for the year.

2: FTX wallet hack — $477M

During the start of FTX’s bankruptcy proceedings on Nov. 11 and 12, a series of unauthorized transactions took place at the exchange, with Elliptic suggesting that around $477 million worth of crypto was stolen.

Sam Bankman-Fried said in a Nov. 16 interview that he believed it was “either an ex-employee or somewhere someone installed malware on an ex-employee’s computer” and had narrowed the perpetrator down to eight people before he was shut out of the company’s systems.

Related: 7 biggest crypto collapses of 2022 the industry would like to forget

According to reports, on Dec. 27 the United States Department of Justice launched an investigation into the whereabouts of around $372 million of the missing crypto.

1: Ronin bridge hack — $612M

The largest exploit to take place in 2022 happened on March 23, when the Ronin bridge was exploited for around $612 million — 173,600 ETH and 25.5 million USD Coin (USDC).

Ronin is an Ethereum sidechain built for Axie Infinity, a play-to-earn nonfungible token (NFT) game. Sky Mavis, Axie Infinity’s developers, said the hackers gained access to private keys, compromised validator nodes and approved transactions that drained funds from the bridge.

The U.S. Treasury Department updated its Specially Designated Nationals and Blocked Persons (SDN) list on April 14 to reflect the possibility that Lazarus Group was behind the bridge’s exploit.

The Ronin bridge hack is the largest cryptocurrency exploit to ever take place.

Gemini allegedly suffered data breach; 5.7 million emails leaked

Users’ emails, account numbers and partial phone numbers were allegedly leaked.

Cryptocurrency exchange Gemini appears to have suffered a data breach on or before Dec. 13. According to documents obtained by Cointelegraph, hackers gained access to 5,701,649 lines of information pertaining to customers’ account numbers, email addresses and partial phone numbers. In the case of the latter, hackers apparently did not gain access to the full phone numbers, as certain numeric digits were obfuscated.

The leaked database did not include sensitive personal information such as names, addresses and other Know Your Customer information. In addition, some emails were repeated in the document; thus, the number of customers affected is likely lower than the total rows of information. Gemini currently has 13 million active users.

Security breaches in the Web3 industry, even if mild in nature, can have serious consequences. One such incident took place in April this year and involved cryptocurrency hardware wallet manufacturer Trezor. Hackers gained access to Trezor users’ email addresses by breaching a third-party newsletter provider and then utilized the information to target users in a phishing scam, leading to losses. 

Cointelegraph has reached out to Gemini for comments but has not received a response by press time. This is a developing story and will be updated accordingly.