Hackers

NFT Trader’s stolen Apes returned after bounty payment

The hacker returned 36 BAYC and 18 MAYC after receiving a 120 Ether bounty payment from Yuga Labs co-founder Greg Solano.

All Bored Ape Yacht Club (BAYC) and Mutant Ape Yacht Club (MAYC) nonfungible tokens (NFTs) stolen from the peer-to-peer trading platform NFT Trader have been returned after a bounty payment.

NFTs worth nearly $3 million were stolen in the hack on Dec. 16. As per public messages, the attacker attributed the original exploit to another user. “I came here to pick up residual garbage,” they wrote, requesting ransom payments to return the NFTs.

“If you want these NFT’s back then you need to pay me 120 ETH […] and then I will send you the NFT’s, it’s as simple as that, and I never lie, believe me […],” reads one of the messages.

NFT Trader hacked, millions of dollars in NFT stolen

At least 13 Mutant Ape Yacht Club and 37 Bored Ape tokens were stolen, along with VeeFriends and World of Women tokens, amounting to losses of almost $3 million.

Peer-to-peer trading platform NFT Trader suffered a security breach on Dec. 16, allowing hackers to steal millions of dollars worth of nonfungible tokens (NFTs).

NFT Trader confirmed the incident on X (formerly Twitter), saying the attack targeted old smart contracts, urging users to revoke delegations to two addresses: 0xc310e760778ecbca4c65b6c559874757a4c4ece0 and 0x13d8faF4A690f5AE52E2D2C52938d1167057B9af.

Among the NFTs stolen are at least 13 Mutant Ape Yacht Club and 37 Bored Ape tokens, as well as VeeFriends and World of Women NFTs, amounting to losses of almost $3 million, according to Revoke.cash.

Ledger CEO explains hack, calls it ‘isolated incident’

CEO and chairman Pascal Gauthier says the company is working with law enforcement to “find this bad actor, bring them to justice.”

Ledger CEO Pascal Gauthier has addressed the Dec. 14 hack of the wallet provider’s hack in a post on the company’s blog. He said the hack of Ledger’s Javascript connector library was an “isolated incident” and promised stronger security control.

Magazine: $3.4B of Bitcoin in a popcorn tin: The Silk Road hacker’s story

Security engineer pleads guilty to Nirvana Finance exploit and one other hack

Shakeeb Ahmed was arrested for hacking an unspecified DEX, and then admitted to the Nirvava Finance hack too.

A software engineer pleaded guilty in the Southern District Court of New York on Dec. 14 to one count of computer fraud in connection with the hacking of Nirvana Finance and an unnamed decentralized cryptocurrency exchange. The United States Attorney’s Office said the case was the first-ever conviction for hacking a smart contract.

Shakeeb Ahmed, described as a “senior security engineer for an international technology company,” was arrested in July in connection with the hack of the unnamed exchange on or about July 2 and 3, 2022. According to the U.S. Attorney’s Office statement:

Ahmed returned all but $1.5 million to the exchange, which “agreed not to refer the attack to law enforcement.” The exchange “allowed users to exchange different kinds of cryptocurrencies, and paid fees to users who deposited cryptocurrency to provide liquidity on the Crypto Exchange.”

Ledger breach possibly affecting whole EVM ecosystem — Linea

Wallet provider MetaMask was also affected by the incident. Ledger released a patch to resolve the issue but warned users to wait 24 hours before using its connector library again.

The attack on Ledger’s connector library may be impacting the whole Ethereum Virtual Machine (EVM) ecosystem, according to the Linea team, a zero-knowledge rollup by Consensys.

The hacker targeted the Ledger connector library, which was designed to enable communication between Ledger hardware wallets and various decentralized applications (DApps). Wallet provider MetaMask has also been affected by the security incident.

Blockchain analytics platform Lookonchain claimed the hacker had stolen assets worth nearly $484,000, but the impact of the security breach could be bigger, noted Ledger.

Ledger attacker drained at least $484K

The hacker behind the attack on Ledger’s connector library has stolen at least $484,000, according to blockchain analysis platform Lookonchain.

The hacker behind the attack on Ledger’s connector library stole assets worth nearly $484,000, according to blockchain analysis platform Lookonchain. Ledger has not yet confirmed the figures, but the impact of the security breach could be in the hundreds of thousands, according to the company.

Users on X (Twitter) flagged the incident on Dec. 14, claiming that a popular Web3 connector was compromised, allowing malicious code to be injected into multiple decentralized applications (DApps).

Protocols affected by the incident include Zapper, SushiSwap, Phantom, Balancer, and Revoke.cash, but the damage could be even greater. According to some users on X, the vulnerability could exist in other similar programs that are alternatives to LedgerHQ/connect-kit.

Ledger patches vulnerability after multiple DApps using connector library were compromised

Multiple decentralized applications using Ledger’s connector library have been compromised, including SushiSwap and Revoke.cash. Ledger claims the issue has been fixed.

Update (Dec. 14 at 2:45 pm UTC): This article has been updated to clarify that Ledger has reportedly fixed the issue.

The front end of multiple decentralized applications (DApps) using Ledger’s connector, including Zapper, SushiSwap, Phantom, Balancer and Revoke.cash were compromised on Dec. 14. Nearly three hours after the security breach was discovered, Ledger reported that the malicious version of the file had been replaced with its genuine version around 1:35 pm UTC.

Ledger is warning users “to always Clear Sign” transactions, adding that the addresses and the information presented on the Ledger screen are the only genuine information. “If there’s a difference between the screen shown on your Ledger device and your computer/phone screen, stop that transaction immediately.”

Crypto hacking losses plunge by nearly 50% in 2023: Report

Blockchain intelligence firm TRM Labs credits this decline to enhanced security measures, law enforcement and industry coordination.

Blockchain intelligence firm TRM Labs says losses from cryptocurrency hacking in 2023 are down more than 50% from 2022, thanks to improvements in industry security.

TRM Labs’ report published on Dec. 13 reveals that losses from 160 hacks to crypto projects amounted to about $1.7 billion in 2023, less than half the $4 billion stolen from internet protocols in 2022.

TRM Labs said the decline is due to enhanced security measures, which have seen the cryptocurrency industry incorporate real-time transaction monitoring and anomaly detection systems, strengthening digital wallets and exchange platforms.

OKX DEX suffers $2.7M exploit after proxy admin contract upgrade

The OKX DEX suffered an exploit resulting in a loss of around $2.7 million in cryptocurrencies after a proxy admin upgraded a contract that allowed a hacker to compromise the private key.

OKX decentralized exchange (DEX) suffered a $2.7 million hack on Dec. 13 after the private key of the proxy admin owner was reported to be leaked.

On Dec. 13, the blockchain security firm SlowMist Zone posted on X (formerly Twitter) that OKX DEX “encountered an issue.” According to the report, the issue began on Dec. 12, 2023, at approximately 10:23 pm after the proxy admin owner upgraded the DEX proxy contract to a new implementation contract and the user began to steal tokens.

Until September 2023, research shows that the crypto industry has suffered $1.5 billion in losses due to hacks, exploits and scams this year.

KyberSwap exploiter linked to $50M HXA token movement

Blockchain security firm Cyvers said the KyberSwap exploiter’s acquired funds were spread across various externally owned accounts now recognized as the top HXA tokenholders.

Blockchain security firm Cyvers detected a movement of $50 million in HAXcoin (HXA), the native utility token of the Herencia Artifex nonfungible token project, linked to the KyberSwap exploiter.

The KyberSwap exploiter’s address got these tokens from an Ethereum address using the “transfer from function.”

Decentralized application users commonly use the “transfer from” function. It refers to a mechanism by which one party (sender) can transfer or send tokens from the balance of another party (owner) to a third-party address. However, improper use or vulnerabilities in implementing such functions can lead to security concerns.