
certik

September becomes the biggest month for crypto exploits in 2023: CertiK

The Mixin Network cross-chain protocol accounted for almost two-thirds of the crypto exploit losses in September.

September has officially become the worst month in 2023 (so far) for crypto-related exploits — with a whopping $329.8 million in crypto stolen.

On Oct. 2, blockchain security firm CertiK said the most significant contributor to the month’s totals came from the Mixin Network attack on Sept. 23 when the Hong Kong-based decentralized cross-chain transfer protocol lost $200 million due to a breach of its cloud service provider.

Other major incidents for the month included the attacks on the CoinEx exchange and Stake.com resulting in losses of $53 million and $41 million respectively.

As reported by Cointelegraph, North Korean hacking collective the Lazarus Group has been fingered for both attacks. The latest figures from Dune Analytics claim that the group currently holds $45.6 million in crypto assets.

The attack has taken the yearly total of crypto lost to exploits to $925.4 million. July was the second-highest month for exploit losses with $285.8 million pilfered.

Meanwhile, the month also saw $1.9 million lost to exit scams, $400,000 to flash loan attacks, and another $25 million to phishing attacks, according to CertiK.

The total lost in 2023 to exploits, scams, and hacks has now totaled $1.34 billion.

Related: North Korean Lazarus Group amasses over $40M in Bitcoin, data reveals

According to blockchain security firm Beosin, total losses from hacks, phishing scams, and exit scams were just under $890 million for the third quarter of 2023.

Losses in Q3 even exceeded the combined sum of the first two quarters, which was $330 million in Q1 and $333 million in Q2, it reported late last week.

Magazine: $3.4B of Bitcoin in a popcorn tin: The Silk Road hacker’s story

Ex-Florida congressman joins Coinbase Global Advisory Council

Criminals more reliant on cross-chain bridges than ever after mixer crackdowns

The sanction of cryptocurrency mixer Tornado Cash in August caused the first major shift, but that is now accelerating even faster than projected.

Cybercriminals have accelerated their shift away from crypto mixers for cross-chain bridges over the past year, according to blockchain forensics firm Elliptic.

In June and July, nearly all of the crypto stolen was laundered through cross-chain bridges, Elliptic’s data shows, a complete reversal from the first half of 2022.

In a Sept. 18 blog post, Elliptic explained the cross-chain crime trend is due to the “crime displacement” effect — where criminals move to a new method to carry out the illicit activity when the existing method gets over-policed. However, the shift to cross-chain bridges is rising ahead of their projections. 

Proportion of funds laundered between cryptocurrency mixers and cross-chain bridges between January 2022 and July 2023. Source: Elliptic.

Between July and September 2022, the ratio of laundered funds passing through mixers vs. cross-chain bridges flipped, corresponding to the U.S. Office of Foreign Asset Control’s sanctioning of Tornado Cash in August 2022, said the firm.

Elliptic said many cybercriminals, like the North Korean-backed Lazarus Group, flocked to the Avalanche bridge after the sanctions.

This same bridge was reportedly used recently by the Lazarus Group to facilitate some of the stolen funds in Stake’s $41 million exploit on Sept. 4, according to blockchain security firm CertiK.

Crypto mixers saw a small comeback between November 2022 and January 2023, due to the shutdown of RenBridge — which closed in December after its financer, Alameda Research, collapsed from FTX’s bankruptcy.

Elliptic estimates that RenBridge facilitated $500 million in laundered funds throughout its operation.

However, shortly after, criminals moved back to cross-chain bridges, even more than before.

Related: 3 steps crypto investors can take to avoid hacks by the Lazarus Group

Elliptic said that criminals may prefer cross-chain bridges because it is difficult for blockchain forensic firms to track illicit activity across chains in a scalable manner.

“Criminals are aware that legacy blockchain analytics solutions do not have the means to trace illicit blockchain activity across blockchains or tokens in a programmatic or scalable manner.”

In addition, many of these stolen tokens are only exchangeable through cross-chain bridges, while most of these DeFi services do not require identity verification to use, Elliptic explained.

The firm estimates that $4 billion in illicit or high-risk cryptocurrencies have been laundered through cross-chain bridges since 2020.



Hackers behind $41M Stake heist shift BNB, MATIC in latest move: CertiK

A total of $4.8 million in funds has now been moved by the hacker to Bitcoin and, most recently, Avalanche.

The hackers behind cryptocurrency casino Stake’s $41 million hack have shifted another $328,000 worth of Polygon (MATIC) and Binance Coin (BNB) tokens — their latest moves following the Sept. 4 exploit, according to blockchain security firm CertiK.

The most recent transfer involved 300 BNB tokens worth about $61,500 to an externally owned address “0x695…” which were then bridged to the Avalanche blockchain on Sept. 11 at 4:09 pm UTC.

Another 520,000 MATIC tokens worth over $266,000 were also moved to Avalanche seven hours earlier at 7:18 am UTC.

The 520,000 MATIC and 300 BNB — totaling $328,000 — add to the $4.5 million in stolen funds that were bridged to the Bitcoin blockchain (in the form of BTC) on Sept. 7, according to blockchain security firm Arkham.

The total $4.8 million transferred, however, represents only 1.2% of the total $41 million stolen from Stake by the hackers.

It is understood the hacker gained access to the private key of Stake’s Binance Smart Chain and Ethereum hot wallets to perpetrate the hack on Sept. 4.

The United States Federal Bureau of Investigation believes North Korea’s Lazarus Group was behind the exploit.

Estimated funds lost from hacks, scams passes $1 billion

With $41 million stripped from Stake, the industry’s malicious actors have now taken the cryptocurrency hacks and scams toll to well over $1 billion in 2023.

CertiK previously reported the figure to be $997 million at the end of August, though several attacks in the last two weeks will push the figure over the $1 billion mark. 

Related: CertiK drops findings on alleged scammer who stole $1M in crypto

In September, a cryptocurrency whale lost $24 million in staked Ether (ETH) in a phishing attack on Sept. 6, and Vitalik Buterin’s X (formerly Twitter) account was compromised on Sept. 9, after which the hacker lured several victims into a nonfungible token scam that totaled $691,000.

The three incidents would take CertiK’s August figure to at least $1.04 billion.

Other recent incidents include Pepe (PEPE) coin’s withdrawal incident which set back investors $13.2 million, Exactly Protocol’s $7.3 million exploit and an exposed security vulnerability on Balancer which did $2.1 million in damage.



Weekend Wrap: Uniswap dev sacked for alleged rug, Steadefi hacker goes mixing and more

Uniswap developer AzFlin has admitted to creating the FRENS token but has argued what he did doesn't constitute a rug pull.

Uniswap dev loses job, was it worth it?

A Uniswap developer known as “AzFlin” has been sacked by the founder of Uniswap Labs, Hayden Adams, for allegedly creating a memecoin and rug pulling it a few hours later for 14 Wrapped Ether (wETH), worth $25,800.

It is understood that AzFlin developed and deployed FrensTech token (FRENS) on Coinbase’s new layer 2 blockchain Base on Aug 12 before selling the tokens raised from the liquidity shortly after.

Adams publicly confirmed the sacking of AzFlin, adding that such behaviour is neither supported nor condoned at Uniswap Labs.

The developer has mocked the situation at hand with a series of light-hearted posts along with a new X (formerly Twitter) cover photo.

AzFlin is making fun of their new unemployment status. Source: X (formerly Twitter).

AzFlin, however, claims that no rug pull was committed.

“I bought that $FRENS used to provide LP with my OWN money from the dev wallet, so I am entitled to do as I please with it. This FUD is outrageous,” they said on Aug. 12.

Not everyone is buying into AzFlin’s story though, with some applauding Adams’ decision to fire AzFlin for the alleged action.

Zuckerberg calls out Musk for dodging cage fight

Meta CEO Mark Zuckerberg says it's “time to move on” from any talks of a potential cage fight between him and Elon Musk, accusing the Tesla CEO of making excuses and dragging his feet on any solid plans.

Zuckerberg explained in an Aug. 13 Threads post that Musk isn’t “serious” about a real fight because Musk has dragged on giving any potential dates for the bout.

“I think we can all agree Elon isn’t serious and it’s time to move on.” Zuckerberg added:

“Elon won’t confirm a date, then says he needs surgery, and now asks to do a practice round in my backyard instead.”

Mark Zuckerberg’s latest comments on a potential fight with fellow billionaire Elon Musk. Source: Threads

Zuckerberg — who has helped reshape Meta’s investment focus toward the Metaverse and artificial intelligence — said that he will be ready for a fight whenever Musk “gets serious” about a real date and official event.

The Meta CEO said he will continue to focus on competing with those who take the sport seriously in the meantime.

Donald Trump holds Ethereum and NFTs

Financial records have revealed that former United States President Donald Trump owns between $250,001 and $500,000 in Ethereum (ETH).

The statement, which was filed to the United States Office of Government Ethics on April 14, lists “cryptocurrency wallet (Ethereum)” as one of Trump’s investments, according to the 82-page form.

Donald Trump's public financial disclosure report. Source: U.S. Government

The investment may be linked to Trump’s several nonfungible token (NFT) collections, which have hit the market on several occasions between 2022 and 2023.

Trump’s NFT venture is expected to rake in between $100,000 and $1 million, according to the financial statement.

Despite the cryptocurrency and NFT investments, the billionaire businessman has voiced his skepticism towards the industry in the past, labeling Bitcoin (BTC) as a “scam” and cryptocurrencies more broadly as “potentially a disaster waiting to happen” in Aug. 2021.

Trump is once again in the running to become the next U.S. President in the upcoming 2024 Presidential Election.

Steadefi hacker turns to Tornado Cash

The exploiter of decentralized finance protocol Steadefi has transferred 100 Ether (ETH), worth about $185,000, to cryptocurrency mixing protocol Tornado Cash, according to blockchain security firm CertiK.

CertiK explained on Aug. 13 that the hacker still holds $786,000 (424 ETH) connected to the Steadefi exploit, which took place on Aug. 7.

A total of $334,000 was drained directly from Steadefi, with total losses amounting to over $1.1 million, according to some estimates.

Tornado Cash has served as a tool for hackers attempting to obfuscate the money trail and cash out the stolen funds.

On Aug. 8, 2022, the United States Office of Foreign Asset Control (OFAC) sanctioned Ethereum and USD Coin (USDC) addresses connected to the privacy tool.

Also making news

United States Senator Cynthia Lummis has filed an amicus brief supporting Coinbase’s motion to dismiss its lawsuit against the U.S. Securities and Exchange Commission. Lummis says the SEC is unrightfully pushing to obtain “primary influence” over the cryptocurrency sector at a time when much regulatory consideration needs to be taken by Congress.

Decentralized finance platform Curve Finance officially stated on Aug. 11 that it intends to reimburse users affected by the July 30 hack, which caused $62 million in losses. The firm has already managed to retrieve 79% of the funds thus far.

Magazine: Girl Gone Crypto thinks ‘BREAKING’ crypto news tweets are boring: Hall of Flame


Telegram trading bots are hot, but don’t trust them for custody — Security firms

There are still too many unknowns over how various Telegram trading bots store private keys, blockchain security firms told Cointelegraph.

Telegram trading bots, which have been turning the messaging platform into a quasi-crypto marketplace, pose significant security risks for users and require further scrutiny, according to blockchain security firms.

While such trading bots have existed for years, they've recently gained attention as crypto markets rise and the associated bot tokens gain in price, blockchain security firm CertiK told Cointelegraph.

As of the time of writing, the combined market capitalization of Telegram bot tokens is nearing $250 million, according to CoinGecko. The largest of the pack is Unibot; other popular bots include Wagie Bot and Mizar.

The bots are automated programs that run through Telegram, allowing users to make trades on decentralized exchanges (DEXs) by sending messages to the bot through the app.

CertiK, however, warned that many Telegram bots create crypto wallets for users, with only some actually providing the private key.

It’s unclear whether the keys are stored where project employees can access them, on the user’s device, or backed up through Telegram.

“While these platforms offer high-volume DEX trading options, they should be considered extremely high-risk and unsuitable for medium to long-term storage of assets,” CertiK said.

The Unibot token market capitalization is over $185 million — the largest Telegram bot token by market cap.

Related: Curve-Vyper exploit: The whole story so far

Latest data shows Unibot users have traded a volume of $155 million across over 230,000 trades using the bot, according to Dune Analytics.

The daily trading volume of Unibot users since late May shows a spike around late July. Source: Dune

In an Aug. 5 post, blockchain security firm Beosin also highlighted the security risks of using the bots, claiming their centralization posed a risk to a user’s private wallet keys.

It added that further security risks come from many of the bots not open-sourcing their code or undergoing security audits, and that a user could also lose control of their funds if their Telegram account is hacked.

Beosin recommended projects open-source their code to make security reviews easier and ensure better storage of user private keys.

Hall of Flame: Wolf Of All Streets worries about a world where Bitcoin hits $1M


Redditor’s hacked Bitcoin is a lesson on the hidden dangers of paper wallets

"My Bitcoin was taken. How?" A Reddit user thought they were following best practices until two days ago when their Bitcoin wallet was completely cleaned out.

A Reddit user has become the latest example of why crypto users should be more careful when using wallet generators — after the user lost a few thousand dollars worth of Bitcoin (BTC) from their "secure" paper wallet.

On July 24, a Redditor by the name /jdmcnair posted on the r/Bitcoin subreddit, asking how a hacker could have stolen over $3,000 worth of Bitcoin from their supposedly secure paper wallet — which was even generated on an offline computer.

The Redditor's Bitcoin wallet address shows an outgoing transaction of 0.12 BTC. Source: Blockchain.com

“I was doing self-custody, generated my key and printed it on paper on an offline computer, transferred my BTC to this offline wallet, and kept it stored in a safe that only I have the key for,” the user wrote.

“I thought I was keeping it in one of the more secure ways possible.”

In an update to their initial post, the Redditor revealed that they used the wallet creation tool walletgenerator.net to create their wallet’s private keys, which, some users pointed out, has been infamous for vulnerabilities in the past.

Speaking to Cointelegraph, blockchain security firm CertiK's director of security operations Hugh Brooks said users should think twice before using a crypto wallet generator. 

Such online wallet generators have served as a viable hacking tool for a while now, Brooks said:

“Some of these wallet generators could be straight-up scams. The website that the post claims returns an IP address in Russia. When looking at a tool such as Criminal IP we can see that the address has several abuse reports filed against it.”

Paper wallet generators have been known to contain serious vulnerabilities since 2019, Brooks said, adding that if anyone has generated wallets using walletgenerator.net then it's likely “the same keys have been given to different users.”

The Profanity wallet generator exploit was a textbook example of this security vulnerability which led to the $160 million hack on algorithmic market maker Wintermute in September.

The solution is simple, according to Brooks. Users wanting safe crypto storage should use a “trusted hardware wallet provider such as Ledger and Trezor.”

Related: Almost $1M in crypto stolen from vanity address exploit

The Redditor was baffled as to why the exploiter waited over 12 months to exploit the funds, prompting another to offer a possible explanation.

“[The hackers] wait for enough noobs to think they generated secure private keys, wait for them to deposit significant amounts, and then, one day, swipe all the funds, so there is no time to react to reports of the site being compromised.”

With a sudden increase in long-dormant Bitcoin wallets waking up — many with funds in the millions — some pundits think it’s due to wallet generators being hacked.

Hackers managed to snatch over $300 million in Q2 2023, according to CertiK, a 58% decline from the same period last year.



Pink, Pussy, Venom, Inferno — Drainers coming for a crypto wallet near you

Crypto wallet drainers, or sweepers, are malicious smart contracts that can quickly empty a crypto wallet of its funds and are a standard tool for phishing scammers.

Four major crypto drainers have emerged to fill the vacuum left by the notorious wallet sweeper Monkey Drainer, with thousands of victims targeted and millions in crypto stolen already this year.

The crypto drainers — called Pink Drainer, Inferno Drainer, Pussy Drainer, and Venom Drainer — have together stolen $66.4 million in total since around the start of 2023, according to Dune dashboards compiled by Web3 anti-scam platform Scam Sniffer.

Venom Drainer has stolen nearly $27.5 million since February, the most out of the group. Inferno Drainer is second with over $21.2 million stolen since January but has three times the number of victims at nearly 45,800.

Pussy Drainer and Pink Drainer together have been used to steal from over 6,000 victims with $17.5 million in funds pilfered across the two. Monkey Drainer was estimated to have stolen about $13 million worth of digital assets in total during its reign.

Venom Drainer’s stats show the service has stolen, on average, around $1,800 worth from each victim. Source: Dune

Crypto drainers work by having the victim unknowingly agree to a malicious transaction in their crypto wallet that allows a smart contract to transfer out a portion of assets or the entire contents of the wallet, depending on the transaction that was signed.

Scam Sniffer told Cointelegraph that most crypto drainers are rented out to groups undertaking phishing scams and the drainer takes a percentage cut of the loot.

Many operate on this pricing model but some have an additional access fee. Blockchain security firm CertiK explained that Inferno — like many other drainers — “has a 20% commission” while Venom has “introduced an initial $1,000 fee” for first-time users.

Scam Sniffer said some draining services advertise “add-ons” such as including malicious signature requests that emulate popular nonfungible token (NFT) marketplaces such as Blur and X2Y2.

“In the NFT space, there are a lot of protocols that use unreadable signatures like Seaport, Blur and X2Y2,” Scam Sniffer explained. “If the victims have assets on Blur, the drainers could launch particular malicious signatures to steal NFTs approved to trade on Blur.”

Not all drainers are around forever though. According to Scam Sniffer, once the person or people behind a drainer steal a certain amount of funds, they will announce they’re quitting — likely an attempt at staving off law enforcement.

Related: Crypto scams are going to ramp up with the rise of AI

However, it added as one crypto drainer leaves another takes its place “because it’s profitable! [...] And no one has been arrested so far.”

There are currently multiple crypto-draining services making the rounds on Telegram. CertiK shared images with Cointelegraph showing other drainers named Angel, Spawn, Whale and Atomic.

In March, the crypto-draining service Monkey Drainer announced they were “shutting down” saying it was “time to move on to something better.”

The person behind Monkey Drainer pointed their “fellow cyber-gangsters” to Venom, touting it as a “flawless” service.

Magazine: Should you ‘orange pill’ children? The case for Bitcoin kids books


CertiK receives $500K bounty after Sui blockchain threat discovery

The vulnerability dubbed “HamsterWheel” traps nodes in an endless loop similar to hamsters jogging on a wheel.

Blockchain security firm CertiK has received a bounty of $500,000 from the Sui network after flagging a threat that had the potential to disrupt Sui's entire layer-1 blockchain.

In an announcement sent to Cointelegraph, the CertiK team highlighted that the vulnerability dubbed "HamsterWheel" was different from traditional attacks which focus on shutting down blockchains by crashing nodes.

This attack traps nodes, letting them perform operations without processing new transactions, similar to hamsters jogging on a wheel. The attack has the capability to cripple networks and make them unable to operate.

The security firm discovered the vulnerability and reported it to Sui ahead of its mainnet launch. Responding to the security threat, the Sui network implemented fixes to prevent the potential damages that an attack could inflict on the blockchain.

In recognition of CertiK’s efforts, Sui awarded a $500,000 bounty to the security firm. According to CertiK, this highlights the importance of bug bounty programs and proactive security efforts.

Related: Here’s how hackers are using mining pools as mixers: Chainalysis

Kang Li, chief security officer at CertiK, said that threats to blockchain networks are constantly evolving. "The discovery of the HamsterWheel attack demonstrates the evolving sophistication of threats to blockchain networks,” Li explained.

According to the announcement, more technical details will be published and made available soon. Moreover, full reports will be announced once all mitigations have been deployed and thoroughly tested.

Meanwhile, in the decentralized finance (DeFi) space, a crypto trading bot has taken a $200 million loan to secure a $3 profit. On June 14, an arbitrage bot performed a series of complicated transactions, including borrowing 200 million DAI (DAI) in MakerDAO and ended up with a total gain of $3.24. A community member praised the bot’s efforts and said “profit is profit” while another said that this was a sign of how bad the crypto bear market is.

Magazine: Should crypto projects ever negotiate with hackers? Probably


Crypto hacks falling in Q1 is but a ‘temporary reprieve’ — Blockchain firm

It was warned that the amount stolen in Q1 2023 mirrors Q2 2022, which was followed by a “record setting number of hacks.”

The crypto community is being urged not to let their guard down despite a significant decline in crypto hacks during the first quarter of 2023 — with one firm warning it is most likely a “temporary reprieve, rather than a long-term trend.”

2022 was the biggest year for crypto hacking in history, with an estimated $3.8 billion stolen, primarily from decentralized finance (DeFi) protocols and largely by North Korea-linked attackers, according to a report from Chainalysis earlier this year.

However, this number appears to have drastically reduced in the first quarter of 2023. According to a May 21 report by TRM Labs, the amount stolen through crypto hacks in Q1 2023 “was less than any other quarter in 2022.”

Graph showing hacks and exploits from Q1 2022 - Q1 2023. Source: TRM Labs

It was also noted that the average hack size dropped nearly 65% compared to the prior year period.

“The average hack size also took a hit in Q1 2023 – to USD 10.5 million from nearly USD 30 million in the same quarter of 2022, even as the number of incidents was similar (around 40).”

Despite the drop, history suggests crypto users shouldn’t get complacent. Crypto hacks fell significantly in Q3 2022, right before “a record-setting number of hacks" in Q4 which "turned 2022 into a record year," noted TRM Labs.

“Unfortunately, this slowdown is most likely a temporary reprieve rather than a long-term trend” it noted, adding that just a few large-scale attacks could be enough to tip the scales again.

While it was noted that “there is no one obvious explanation for the lull,” TRM Labs suggested the sanctioning of cryptocurrency mixer Tornado Cash by the U.S. Treasury, and the arrest and charge of Mango Markets' exploiter Avraham Eisenberg may have discouraged would-be hackers.

Related: Developers need to stop crypto hackers or face regulation in 2023

In January, blockchain security firm CertiK told Cointelegraph that it does not “anticipate a respite in exploits, flash loans or exit scams.”

It noted the likelihood of “further attempts from hackers targeting bridges in 2023.” Such bridges accounted for six of the 10 largest exploits in 2022, which saw around $1.4 billion stolen.



Blockchain security firm freezes $160K stolen in Merlin DEX ‘rugpull’

CertiK has contacted law enforcement in the U.S. and U.K. to find the pseudonymous operators.

Smart contract auditor CertiK claims to have blocked $160,000 from Merlin, a zkSync-based decentralized exchange (DEX) that has been at the center of a rogue insider "rugpull" that lost users $1.8 million last week.

CertiK shared the news of its successful $160,000 freeze of the stolen funds in an update to its 257,700 Twitter followers on May 5.

“We have successfully frozen $160K of the stolen funds with the help of partners,” CertiK said, adding that they’re continuing to monitor the movement of the stolen funds.

The firm explained that they tried to “collaborate” with Merlin to recover the funds stolen from the April 25 "rugpull" but the effort was to no avail.

It led the firm to reach out to law enforcement in the United States and the United Kingdom in an attempt to uncover the identities of the pseudonymous operators:

“This lack of cooperation has complicated our efforts to validate and aid victims. We are focusing on working with law enforcement and have submitted information to relevant US & UK agencies.”

“We are exploring all possibilities to fight exit scams with the $2M we’ve committed,” CertiK added.

The security firm believes the “rogue developers” are based in Europe, according to an earlier post.

As for the exit scam, CertiK said “Merlin insiders abused the owner's wallet privileges,” which is consistent with its initial finding that it came from a private key issue as opposed to an exploit.

Merlin claims the rug pull was carried out by its back-end team, which they claim to have put a “high degree of trust in.”

Related: April’s crypto scams, exploits and hacks lead to $103M lost — CertiK

CertiK, on the other hand, attributed part of the blame to itself for failing to properly inform users of the centralization risks.

In a note to Cointelegraph, the firm said they would place more emphasis on this in future audit summaries.

“We are working to improve the clarity of our audit summaries in our reports - especially around centralization risks — and to better communicate with the community about the purpose of an audit.”

CertiK however stressed that smart contract auditors shouldn’t be held fully responsible for failing to identify rug pulls:

“Code Audits serve the purpose of uncovering vulnerabilities, not to detect a potential rugpull. It’s important to recognize that many projects both large and small have centralization issues flagged, and the vast majority do not result in a rugpull,” the firm said.

The firm launched a $2 million compensation plan to cover the funds lost as a result of the “exit scam” on April 27.

The firm added that the funds pledged will be used to prevent exit scams and assist victims where possible.

Magazine: Crypto audits and bug bounties are broken: Here’s how to fix them
