certik

Redditor’s hacked Bitcoin is a lesson on the hidden dangers of paper wallets

"My Bitcoin was taken. How?" A Reddit user thought they were following best practices until two days ago when their Bitcoin wallet was completely cleaned out.

A Reddit user has become the latest example of why crypto users should be more careful when using wallet generators — after the user lost a few thousand dollars worth of Bitcoin (BTC) from their "secure" paper wallet.

On July 24, a Redditor by the name /jdmcnair posted on the r/Bitcoin subreddit, asking for an explanation on how a hacker could have been able to steal over $3,000 worth of Bitcoin from their supposedly secure paper wallet — which was even generated on an offline computer.

The Redditor's Bitcoin wallet address shows an outgoing transaction of 0.12 BTC. Source: Blockchain.com

“I was doing self-custody, generated my key and printed it on paper on an offline computer, transferred my BTC to this offline wallet, and kept it stored in a safe that only I have the key for,” the user wrote.

“I thought I was keeping it in one of the more secure ways possible.”

In an update to the initial post, the Redditor revealed that they had used the wallet creation tool walletgenerator.net to create their wallet’s private keys, a site which, some users pointed out, has been infamous for vulnerabilities in the past.

Speaking to Cointelegraph, blockchain security firm CertiK's director of security operations Hugh Brooks said users should think twice before using a crypto wallet generator. 

Such online wallet generators have served as a viable hacking tool for a while now, Brooks said:

“Some of these wallet generators could be straight-up scams. The website that the post claims returns an IP address in Russia. When looking at a tool such as Criminal IP we can see that the address has several abuse reports filed against it.”

Paper wallet generators have been known to contain serious vulnerabilities since 2019, Brooks said, adding that if anyone has generated wallets using walletgenerator.net then it's likely “the same keys have been given to different users.”

The Profanity wallet generator exploit was a textbook example of this security vulnerability which led to the $160 million hack on algorithmic market maker Wintermute in September.

The solution is simple, according to Brooks. Users wanting safe crypto storage should use a “trusted hardware wallet provider such as Ledger and Trezor.”

Related: Almost $1M in crypto stolen from vanity address exploit

The Redditor was baffled as to why the exploiter waited over 12 months to drain the funds, prompting another user to offer a possible explanation.

“[The hackers] wait for enough noobs to think they generated secure private keys, wait for them to deposit significant amounts, and then, one day, swipe all the funds, so there is no time to react to reports of the site being compromised.”

With a sudden increase in long-dormant Bitcoin wallets waking up — many with funds in the millions — some pundits think it’s due to wallet generators being hacked.

Hackers managed to snatch over $300 million in Q2 2023, according to CertiK, a 58% decline from the same period last year.

Magazine: $3.4B of Bitcoin in a popcorn tin — The Silk Road hacker’s story

Sony’s Soneium Might Be the Answer to Mass Web3 Adoption

Pink, Pussy, Venom, Inferno — Drainers coming for a crypto wallet near you

Crypto wallet drainers, or sweepers, are malicious smart contracts that can quickly empty a crypto wallet of its funds and are a standard tool for phishing scammers.

Four major crypto drainers have emerged to fill the vacuum left by the notorious wallet sweeper Monkey Drainer, with thousands of victims targeted and millions in crypto stolen already this year.

The crypto drainers — called Pink Drainer, Inferno Drainer, Pussy Drainer, and Venom Drainer — have together stolen $66.4 million in total since around the start of 2023, according to Dune dashboards compiled by Web3 anti-scam platform Scam Sniffer.

Venom Drainer has stolen nearly $27.5 million since February, the most out of the group. Inferno Drainer is second with over $21.2 million stolen since January but has three times the number of victims at nearly 45,800.

Pussy Drainer and Pink Drainer together have been used to steal from over 6,000 victims with $17.5 million in funds pilfered across the two. Monkey Drainer was estimated to have stolen about $13 million worth of digital assets in total during its reign.

Venom Drainer’s stats show the service has stolen, on average, around $1,800 worth from each victim. Source: Dune

Crypto drainers work by having the victim unknowingly agree to a malicious transaction in their crypto wallet that allows a smart contract to transfer out a portion of assets or the entire contents of the wallet, depending on the transaction that was signed.
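The mechanism described above rests on the victim signing a transaction that grants a third party spending rights over their assets. The following is an added example, not code from the article or from Scam Sniffer or CertiK: a small pre-signing check that decodes raw EVM calldata and flags the two approval patterns drainers depend on, an ERC-20 `approve()` with an effectively unlimited allowance and an ERC-721/1155 `setApprovalForAll()`, when the spender is not on an allow-list. The 4-byte selectors are the standard ones from the ERC-20 and ERC-721 ABIs; the allow-list addresses, the "unlimited" threshold and the encoder helpers used to build sample inputs are constructed for the example.

```python
"""Flag wallet-draining approval transactions from raw EVM calldata.

Added example; not code from the article, Scam Sniffer or CertiK. It
inspects the calldata a wallet is about to sign and flags an ERC-20
approve() with an unlimited allowance and an ERC-721/1155
setApprovalForAll() when the spender is not a known contract.
"""

# Standard 4-byte function selectors (first 4 bytes of keccak256 of the
# canonical signature), as defined by the ERC-20 and ERC-721 ABIs.
APPROVE_SELECTOR = "095ea7b3"               # approve(address,uint256)
SET_APPROVAL_FOR_ALL_SELECTOR = "a22cb465"  # setApprovalForAll(address,bool)

UINT256_MAX = 2**256 - 1
# Constructed threshold: anything at or above this counts as "unlimited".
UNLIMITED_THRESHOLD = 2**128

# Constructed allow-list of spenders the user has vetted (placeholder address).
TRUSTED_SPENDERS = {
    "0x1111111111111111111111111111111111111111",  # placeholder: a known DEX router
}


def _word(data: str, index: int) -> str:
    """Return the index-th 32-byte ABI argument (as hex) after the selector."""
    start = 8 + index * 64
    chunk = data[start:start + 64]
    if len(chunk) != 64:
        raise ValueError("calldata too short for argument %d" % index)
    return chunk


def decode_approval(calldata: str) -> dict:
    """Decode approve()/setApprovalForAll() calldata; anything else is 'other'."""
    data = calldata.lower().removeprefix("0x")
    selector = data[:8]
    if selector == APPROVE_SELECTOR:
        spender = "0x" + _word(data, 0)[24:]          # address is right-aligned in the word
        amount = int(_word(data, 1), 16)
        return {"kind": "approve", "spender": spender, "amount": amount}
    if selector == SET_APPROVAL_FOR_ALL_SELECTOR:
        operator = "0x" + _word(data, 0)[24:]
        approved = int(_word(data, 1), 16) != 0
        return {"kind": "setApprovalForAll", "spender": operator, "approved": approved}
    return {"kind": "other", "selector": selector}


def assess(calldata: str, trusted=TRUSTED_SPENDERS) -> tuple:
    """Return (verdict, reason); verdict is 'block', 'warn' or 'ok'."""
    d = decode_approval(calldata)
    if d["kind"] == "other":
        return "ok", "not an approval call"
    untrusted = d["spender"] not in trusted
    if d["kind"] == "setApprovalForAll" and d["approved"]:
        if untrusted:
            return "block", "setApprovalForAll to unknown operator %s" % d["spender"]
        return "warn", "setApprovalForAll to known operator"
    if d["kind"] == "approve" and d["amount"] >= UNLIMITED_THRESHOLD:
        if untrusted:
            return "block", "unlimited approve to unknown spender %s" % d["spender"]
        return "warn", "unlimited approve to known spender"
    return "ok", "bounded or revoked approval"


# Encoders used only to construct sample calldata for the demonstration.
def encode_approve(spender: str, amount: int) -> str:
    addr = spender.lower().removeprefix("0x").rjust(64, "0")
    return "0x" + APPROVE_SELECTOR + addr + format(amount, "064x")


def encode_set_approval_for_all(operator: str, approved: bool) -> str:
    addr = operator.lower().removeprefix("0x").rjust(64, "0")
    return "0x" + SET_APPROVAL_FOR_ALL_SELECTOR + addr + format(1 if approved else 0, "064x")


if __name__ == "__main__":
    drainer = "0x" + "de" * 20  # constructed, obviously fake address
    for sample in (encode_approve(drainer, UINT256_MAX),
                   encode_approve(drainer, 10**18),
                   encode_set_approval_for_all(drainer, True)):
        print(assess(sample))
```

A wallet front-end or a browser extension would run `assess()` on every signing request; a bounded `approve()` to a vetted router passes, while an unlimited allowance or a blanket operator approval to an address the user has never interacted with is the shape of the transaction the article describes and is blocked.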

Scam Sniffer told Cointelegraph that most crypto drainers are rented out to groups undertaking phishing scams and the drainer takes a percentage cut of the loot.

Many operate on this pricing model but some have an additional access fee. Blockchain security firm CertiK explained that Inferno — like many other drainers — “has a 20% commission” while Venom has “introduced an initial $1,000 fee” for first-time users.

Scam Sniffer said some draining services advertise “add-ons” such as including malicious signature requests that emulate popular nonfungible token (NFT) marketplaces such as Blur and X2Y2.

“In the NFT space, there are a lot of protocols that use unreadable signatures like Seaport, Blur and X2Y2,” Scam Sniffer explained. “If the victims have assets on Blur, the drainers could launch particular malicious signatures to steal NFTs approved to trade on Blur.”

Not all drainers are around forever though. According to Scam Sniffer, once the person or people behind a drainer steal a certain amount of funds, they will announce they’re quitting — likely an attempt at staving off law enforcement.

Related: Crypto scams are going to ramp up with the rise of AI

However, it added as one crypto drainer leaves another takes its place “because it’s profitable! [...] And no one has been arrested so far.”

There are currently multiple crypto-draining services making the rounds on Telegram. CertiK shared images with Cointelegraph showing other drainers named Angel, Spawn, Whale and Atomic.

In March, the crypto-draining service Monkey Drainer announced they were “shutting down” saying it was “time to move on to something better.”

The person behind Monkey Drainer pointed their “fellow cyber-gangsters” to Venom, touting it as a “flawless” service.

Magazine: Should you ‘orange pill’ children? The case for Bitcoin kids books


CertiK receives $500K bounty after Sui blockchain threat discovery

The vulnerability dubbed “HamsterWheel” traps nodes in an endless loop similar to hamsters jogging on a wheel.

Blockchain security firm CertiK has received a bounty of $500,000 from the Sui network after flagging a threat that had the potential to disrupt Sui's entire layer-1 blockchain.

In an announcement sent to Cointelegraph, the CertiK team highlighted that the vulnerability dubbed "HamsterWheel" was different from traditional attacks which focus on shutting down blockchains by crashing nodes.

This attack traps nodes, letting them perform operations without processing new transactions, similar to hamsters jogging on a wheel. The attack has the capability to cripple networks and make them unable to operate.

The security firm discovered the vulnerability and reported it to Sui ahead of its mainnet launch. Responding to the security threat, the Sui network implemented fixes to prevent the potential damages that an attack could inflict on the blockchain.

To appreciate CertiK’s efforts, Sui awarded a $500,000 bounty to the security firm. According to CertiK, this highlights the importance of bug bounty programs and proactive security efforts.

Related: Here’s how hackers are using mining pools as mixers: Chainalysis

Kang Li, chief security officer at CertiK, said that threats to blockchain networks are constantly evolving. "The discovery of the HamsterWheel attack demonstrates the evolving sophistication of threats to blockchain networks,” Li explained.

According to the announcement, more technical details will be published and made available soon. Moreover, full reports will be announced once all mitigations have been deployed and thoroughly tested.

Meanwhile, in the decentralized finance (DeFi) space, a crypto trading bot has taken a $200 million loan to secure a $3 profit. On June 14, an arbitrage bot performed a series of complicated transactions, including borrowing 200 million DAI (DAI) in MakerDAO and ended up with a total gain of $3.24. A community member praised the bot’s efforts and said “profit is profit” while another said that this was a sign of how bad the crypto bear market is.

Magazine: Should crypto projects ever negotiate with hackers? Probably


Crypto hacks falling in Q1 is but a ‘temporary reprieve’ — Blockchain firm

It was warned that the amount stolen in Q1 2023 mirrors Q2 2022, which was followed by a “record setting number of hacks.”

The crypto community is being urged not to let their guard down despite a significant decline in crypto hacks during the first quarter of 2023 — with one firm warning it is most likely a “temporary reprieve, rather than a long-term trend.”

2022 was the biggest year for crypto hacking in history, with an estimated $3.8 billion stolen, primarily from decentralized finance (DeFi) protocols and North Korea-linked attackers, according to a report from Chainalysis earlier this year.

However, this number appears to have drastically reduced in the first quarter of 2023. According to a May 21 report by TRM Labs, the amount stolen through crypto hacks in Q1 2023 “was less than any other quarter in 2022.”

Graph showing hacks and exploits from Q1 2022 - Q1 2023. Source: TRM Labs

It was also noted that the average hack size dropped nearly 65% compared to the prior year period.

“The average hack size also took a hit in Q1 2023 – to USD 10.5 million from nearly USD 30 million in the same quarter of 2022, even as the number of incidents was similar (around 40).”

Despite the drop, history suggests crypto users shouldn’t get complacent. Crypto hacks fell significantly in Q3 2022, right before “a record-setting number of hacks" in Q4 which "turned 2022 into a record year," noted TRM Labs.

“Unfortunately, this slowdown is most likely a temporary reprieve rather than a long-term trend” it noted, adding that just a few large-scale attacks could be enough to tip the scales again.

While it was noted that “there is no one obvious explanation for the lull,” TRM Labs suggested the sanctioning of cryptocurrency mixer Tornado Cash by the U.S. Treasury, and the arrest and charge of Mango Markets' exploiter Avraham Eisenberg may have discouraged would-be hackers.

Related: Developers need to stop crypto hackers or face regulation in 2023

In January, blockchain security firm Certik told Cointelegraph that it does not “anticipate a respite in exploits, flash loans or exit scams.”

It noted the likelihood of “further attempts from hackers targeting bridges in 2023.” Such bridges accounted for six of the 10 largest exploits in 2022, which saw around $1.4 billion stolen.

Magazine: Should crypto projects ever negotiate with hackers? Probably


Blockchain security firm freezes $160K stolen in Merlin DEX ‘rugpull’

CertiK has contacted law enforcement in the U.S. and U.K. to find the pseudonymous operators.

Smart contract auditor CertiK claims to have blocked $160,000 from Merlin, a zk-Sync-based decentralized exchange (DEX) which has been the center of a rogue insider "rugpull" that lost users $1.8 million last week.

CertiK shared the news of its successful $160,000 freeze of the stolen funds in an update to its 257,700 Twitter followers on May 5.

“We have successfully frozen $160K of the stolen funds with the help of partners,” CertiK said, adding that they’re continuing to monitor the movement of the stolen funds:

The firm explained that they tried to “collaborate” with Merlin to recover the funds stolen from the April 25 "rugpull" but the effort was to no avail.

It led the firm to reach out to law enforcement in the United States and the United Kingdom in an attempt to uncover the identities of the pseudonymous operators:

“This lack of cooperation has complicated our efforts to validate and aid victims. We are focusing on working with law enforcement and have submitted information to relevant US & UK agencies.”

“We are exploring all possibilities to fight exit scams with the $2M we’ve committed,” CertiK added.

The security firm believes the “rogue developers” are based in Europe, according to an earlier post.

As for the exit scam, CertiK said “Merlin insiders abused the owner's wallet privileges,” which is consistent with its initial finding that it came from a private key issue as opposed to an exploit.

Merlin claims the rug pull was carried out by its back-end team, which they claim to have put a “high degree of trust in.”

Related: April’s crypto scams, exploits and hacks lead to $103M lost — CertiK

CertiK, on the other hand, attributed part of the blame to themselves for failing to properly inform users of the centralization risks.

In a note to Cointelegraph, the firm said they would place more emphasis on this in future audit summaries.

“We are working to improve the clarity of our audit summaries in our reports - especially around centralization risks — and to better communicate with the community about the purpose of an audit.”

CertiK however stressed that smart contract auditors shouldn’t be held fully responsible for failing to identify rug pulls:

“Code Audits serve the purpose of uncovering vulnerabilities, not to detect a potential rugpull. It’s important to recognize that many projects both large and small have centralization issues flagged, and the vast majority do not result in a rugpull,” the firm said.

The firm launched a $2 million compensation plan to cover the funds lost as a result of the “exit scam” on April 27.

The firm added that the funds pledged will be used to prevent exit scams and assist victims where possible.

Magazine: Crypto audits and bug bounties are broken: Here’s how to fix them


April’s crypto scams, exploits and hacks lead to $103M lost — CertiK

The month was particularly bad for exploits, with the amount lost accounting for half of the total crypto exploited so far in 2023.

Crypto exploits, exit scams, and flash loan attacks saw little signs of letting up in April, with more than $103 million of funds stolen from crypto projects and investors in the month. 

On April 30, crypto security and auditing firm CertiK posted an April roundup of crypto exploits, scams, and hacks, revealing that total funds lost in April were $103.7 million, bringing the year-to-date total loss to $429.7 million.

The month was particularly marred with major crypto exploits, such as $25.4 million lost due to an exploit of several MEV trading bots on April 3, $22 million stolen in a hot wallet exploit at the Bitrue exchange and the hack of South Korean GDAC exchange leading to a loss of $13 million.

April 2023 crypto exploits. Source: CertiK

The total lost to crypto and DeFi exploits in the month amounted to $74.5 million, making up around half of the total $145 million exploited in the first four months of the year, according to CertiK.

The month also saw around $20 million lost to flash loan attacks, led mainly by Yearn Finance after a hacker exploited an old smart contract on April 13.

The blockchain security firm noted that total funds lost to exit scams reached $9.4 million in the month, with the top exit scam for the month being Merlin DEX which lost $2.7 million. On April 26, CertiK reported that it was investigating a “potential private key management issue” at the exchange.

Furthermore, the exit scam occurred after the protocol was audited by CertiK which warned about centralization issues. CertiK launched a compensation plan following the attack in which it urged the rogue developer to return 80% of the stolen funds with a 20% white hat bounty offered.

April 2023 crypto exit scams. Source: CertiK

Related: One crypto wallet launched 114 dodgy memecoins in two months

According to De.Fi’s Rekt Database, there were over 50 crypto exploits, scams, hacks, and rug pulls in April. Moreover, a large portion of them were memecoin rug pulls.

The most recent was the Polygon-based Ovix protocol which lost $2 million in a flash loan attack on April 28.

Magazine: US enforcement agencies are turning up the heat on crypto-related crime


Sushiswap Smart Contract Bug Results in Over $3M in Losses; Head Chef Says Hundreds of ETH Recovered

According to several reports, a bug introduced to the decentralized exchange (DEX) protocol Sushiswap’s smart contract has resulted in more than $3 million in losses. The blockchain and smart contract security firm Peckshield explained the exploited contract was “deployed in multiple blockchains.”

Dex Platform Sushiswap Suffers From Smart Contract Exploit

Over the weekend, the dex […]


Rogue Validator Exploits MEV Bots on Ethereum, Resulting in $25.3M in Crypto Losses

On April 3, 2023, at Ethereum block height 16,964,664, a group of MEV (Maximal Extractable Value) bots were exploited for $25.3 million. An analysis of the exploit revealed that a renegade validator switched the MEV bots’ transactions and seized various crypto tokens, such as 7,460 wrapped ether and 64 wrapped bitcoin.

While the Mechanisms Behind […]


Allbridge offers bounty to exploiter who stole $573K in flash loan attack

Allbridge offered a hacker who pilfered $573,000 from its platform a chance to come forward as a white hat and forgo any legal ramifications.

The attacker behind a $573,000 exploit on the multichain token bridge Allbridge has been offered a chance by the firm to come forward as a white hat and claim a bounty.

Blockchain security firm Peckshield first identified the attack on April 1, warning Allbridge in a tweet that its BNB Chain pools swap price was being manipulated by an individual acting as a liquidity provider and swapper, who was able to drain the pool of $282,889 in Binance USD (BUSD) and $290,868 worth of Tether (USDT).

In an April 1 tweet following the hack, Allbridge offered an olive branch to the attacker in the form of an undisclosed bounty and the chance to escape any legal ramifications.

“Please contact us via the official channels (Twitter/Telegram) or send a message through tx, so we can consider this a white hat hack and discuss the bounty in exchange for returning the funds,” Allbridge wrote.

In a separate series of tweets, Allbridge made it clear they are hot on the trail of the stolen funds.

With the help of its “partners and community,” Allbridge said it’s “tracking the hacker through social networks.”

“We continue monitoring the wallets, transactions, and linked CEX accounts of individuals involved in the hack,” it added.

Allbridge also stated it’s working with law firms, law enforcement and other projects affected by the exploiter.

According to Allbridge, its bridge protocol has been temporarily suspended to prevent the potential exploits of its other pools; once the vulnerability has been patched, it will be restarted.

“In addition, we are in the process of deploying a web interface for liquidity providers to enable the withdrawal of assets,” it added.

Blockchain security firm CertiK offered an in-depth breakdown of the hack in an April 1 post, identifying the method used was a flashloan attack.

CertiK explained the attacker took a $7.5 million BUSD flash loan, then initiated a series of swaps for USDT before deposits in BUSD and USDT liquidity pools on Allbridge were made. This manipulated the price of USDT in the pool, allowing the hacker to swap $40,000 of BUSD for $789,632 USDT.
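The sequence CertiK describes works because the pool quoted a price derived from its own reserves, which a single flash-loan-sized swap can move. The following is an added example, not code from Allbridge or CertiK: a toy constant-product pool (x·y = k, an assumption for illustration; Allbridge's actual stable-swap curve is different) shows how much one large deposit shifts the pool's spot price, and a price-deviation guard shows the kind of check a protocol can run against an external reference before honouring a quote. All reserve and loan figures are constructed.

```python
"""Why a pool's own spot price is not a safe oracle, with a deviation guard.

Added example; not Allbridge's or CertiK's code. The pool is a toy
constant-product AMM (x*y = k) without fees, chosen for clarity; the
real Allbridge pools use a different curve. All numbers are constructed.
"""
from dataclasses import dataclass


@dataclass
class Pool:
    reserve_a: float  # e.g. a BUSD reserve (constructed)
    reserve_b: float  # e.g. a USDT reserve (constructed)

    def spot_price_b_in_a(self) -> float:
        """Marginal price of one unit of B, denominated in A."""
        return self.reserve_a / self.reserve_b

    def swap_a_for_b(self, amount_a: float) -> float:
        """Constant-product swap (no fee). Returns the amount of B paid out."""
        k = self.reserve_a * self.reserve_b
        new_a = self.reserve_a + amount_a
        new_b = k / new_a
        out = self.reserve_b - new_b
        self.reserve_a, self.reserve_b = new_a, new_b
        return out


def price_guard(pool: Pool, reference_price: float, max_deviation: float = 0.02) -> bool:
    """Accept the pool's quote only if its spot price is within max_deviation
    of an external reference (e.g. a time-weighted or off-chain oracle price)."""
    spot = pool.spot_price_b_in_a()
    return abs(spot - reference_price) / reference_price <= max_deviation


def simulate_manipulation(initial_a: float = 1_000_000.0,
                          initial_b: float = 1_000_000.0,
                          large_deposit: float = 7_500_000.0,
                          reference_price: float = 1.0) -> dict:
    """Measure how one flash-loan-sized swap moves the spot price and whether
    the deviation guard would have refused to quote afterwards."""
    pool = Pool(initial_a, initial_b)
    price_before = pool.spot_price_b_in_a()
    guard_before = price_guard(pool, reference_price)

    received_b = pool.swap_a_for_b(large_deposit)  # the oversized swap

    price_after = pool.spot_price_b_in_a()
    guard_after = price_guard(pool, reference_price)
    return {
        "price_before": price_before,
        "price_after": price_after,
        "received_b": received_b,
        "guard_before": guard_before,
        "guard_after": guard_after,
    }


if __name__ == "__main__":
    result = simulate_manipulation()
    for key, value in result.items():
        print(f"{key}: {value}")
```

With equal reserves of 1,000,000 and a 7,500,000 deposit the spot price of B jumps from 1.0 to 72.25 units of A, so a two-percent deviation guard that passed before the swap refuses the quote afterwards; a protocol that instead trusts the post-swap reserves is the one that can be drained in the same transaction.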

Related: DeFi exploits and access control hacks cost crypto investors billions in 2022: Report

According to a March 31 tweet from PeckShield, March saw 26 crypto projects hacked, resulting in total losses of $211 million. 

Euler Finance’s March 13 hack was responsible for over 90% of the losses, while other costly exploits were suffered by projects including Swerve Finance, ParaSpace and TenderFi. 

Cointelegraph contacted Allbridge for comment but did not receive an immediate response.

Magazine: Crypto winter can take a toll on hodlers’ mental health


$4M ‘exit scam’ suspected as Kokomo Finance flies off radar, token plunges

Kokomo Finance's social media presence and websites are offline, while the price of the KOKO token fell more than 95% within a matter of minutes.

Optimism-based lending protocol Kokomo Finance has been suspected of a $4 million “exit scam” that has seen user funds plucked out from the platform via a smart contract loophole.

Blockchain security firm CertiK alerted its followers to the “exit scam” in a March 26 Twitter post, noting that the Kokomo Finance (KOKO) token has plummeted 95% in value in a matter of minutes.

CertiK also noted that Kokomo Finance removed all social media accounts immediately following the alleged rug pull too.

Kokomo Finance has either deactivated or deleted its Twitter account. Source: Twitter

CertiK said the deployer of KOKO attacked the smart contract code of a wrapped Bitcoin token, cBTC, by resetting the reward speed and pausing the borrow function.

After that, an address beginning with “0x5a2d..” approved the new cBTC smart contract to spend over 7,000 Sonne Wrapped Bitcoin (So-WBTC).

The attacker then called another command to swap the So-WBTC to the 0x5a2d address, which produced a $4 million profit, according to the security firm.

Changes to the smart contract code of the KOKO began at about 9 am UTC on March 26. Source: Optimistic Etherscan

A CertiK spokesperson told Cointelegraph that it was the largest "incident" that they’ve detected on Optimism.

Kokomo Finance is an open-source and non-custodial lending protocol on Optimism, where investors could trade for wBTC, Ether (ETH), Tether (USDT), USD Coin (USDC) and DAI.

Kokomo Finance rose up the ranks quickly in recent days, with blockchain data platforms like CoinGecko and DefiLlama officially tracking it shortly after Kokomo Finance went live on Optimism on March 25.

The price of Kokomo Finance’s token, KOKO, fell over 97% at about 4:10 pm UTC on March 26. Source: CoinGecko

Recent screenshots reveal that more than $2 million was locked into Kokomo Finance prior to it falling more than 97%.

Over 72% of the total value locked in the Kokomo Finance protocol came in the form of wrapped Bitcoin, according to data from DefiLlama.

Cointelegraph attempted to access all social media and blog websites listed on Kokomo Finance’s Linktree page; however, all of these links now lead to some form of an error page, suggesting the page has been removed.

Related: 7 DeFi protocol hacks in Feb see $21 million in funds stolen: DefiLlama

Cointelegraph came across Kokomo Finance’s smart contract audit, which was reviewed and shared by 0xGuard earlier in March.

While most aspects of the audit were passed, “typographical errors” were found and the owner of the KOKO token was found to have a one-time ability to 45% of the maximum supply to an arbitrary address.

Kokomo did not pass all aspects of its smart contract audit, which was reviewed by 0xGuard in March. Source: GitHub

Cointelegraph reached out to 0xGuard for comment but did not receive an immediate response.

Magazine: Should crypto projects ever negotiate with hackers? Probably
