
Debate over 2FA using SMS after SIM-swapping victim sues Coinbase

While members of the crypto community are doubtful the lawsuit against Coinbase will be successful, it has sparked a conversation about the issues with SMS 2FA.

The crypto community is debating whether SMS two-factor authentication (2FA) should ever be used for account security following news that a Coinbase customer is suing the cryptocurrency exchange for $96,000.

On Mar. 6 Jared Ferguson filed a lawsuit against Coinbase in the United States District Court for the Northern District of California, claiming he lost “90% of his life savings” after funds were withdrawn from his account by identity thieves and Coinbase had refused to reimburse him.

Ferguson is said to have fallen prey to a type of identity theft known as “SIM swapping,” which allows fraudsters to gain control of a phone number by tricking the telecom provider into linking the number to their own SIM card.

This allows them to bypass any SMS 2FA on an account, and in this situation allegedly allowed them to confirm the withdrawal of $96,000 from Ferguson's Coinbase account.

Ferguson claimed he lost service after his phone was hacked on May 9, and noticed the funds had been taken from his Coinbase account after getting a new SIM card and restoring his service as per instructions from his service provider T-Mobile.

T-Mobile was previously sued by a SIM-swapping victim in February 2021 following the theft of approximately $450,000 worth of Bitcoin (BTC).

Coinbase denied any responsibility for the hack of Ferguson’s account, telling him in an email that he is “responsible for the security of your e-mail, your passwords, your 2FA codes, and your devices.”

Related: Hacker returns stolen funds to Tender.fi, gets $97K bounty reward

Members of the crypto community were generally doubtful that Ferguson’s lawsuit would be successful, noting that Coinbase encourages the use of authenticator apps for 2FA rather than SMS and describes the latter as the “least secure” form of authentication.

Some Reddit users discussing the lawsuit in a post titled “Never Use SMS 2FA” went as far as suggesting SMS 2FA should be banned, but noted that it was the only authentication option available for many services, as one user said:

“Unfortunately a lot of services I use don’t offer Authenticator 2FA yet. But I definitely think the SMS approach has proven to be unsafe and should be banned.”

Blockchain security firm CertiK warned of the dangers of using SMS 2FA in September, with its security expert Jesse Leclere telling Cointelegraph that “SMS 2FA is better than nothing, but it is the most vulnerable form of 2FA currently in use.”

Leclere said dedicated authenticator apps like Google Authenticator or Duo offer nearly all the convenience of using SMS 2FA while removing the risk of SIM swapping.

Reddit users shared similar advice but added that authenticator apps on phones also make that device a single point of failure, and recommended the use of separate hardware authentication devices.

Wall Street Giant Engages Tether on Pivotal Bitcoin Lending Plan

Notorious Monkey Drainer crypto scammer says they’re ‘shutting down’

The scammer behind the crypto wallet draining kit even recommended an alternative and gave advice to budding cybercriminals.

The cryptocurrency phishing scammer behind some of the most high-profile and high-value Web3 thefts is claiming to have packed up shop and is “moving on to something better.”

The scammer by the pseudonym Monkey Drainer posted to their Telegram channel on Mar. 1 that they “will be shutting down immediately” and all “files, servers and devices” related to the drainer “will be destroyed immediately” and it “will not return.”

Monkey Drainer’s full message posted to Telegram recommending an alternative service. Source: Telegram

The scammer even gave advice to budding “young cyber criminals” saying they shouldn’t “lose themselves in the pursuit of easy money” and only those “with the highest level of dedication” should operate a “large scale cybercrime” outfit.

Monkey Drainer even recommended a “flawless” alternative service to the one they once offered named “Venom Drainer” and pointed to a Telegram account for the service that was created only a day before Monkey’s announcement.

Blockchain security firm PeckShield tweeted on Mar. 1 that the Monkey Drainer scammer had deposited around 200 Ether (ETH) worth $330,000 within the last day into the crypto mixing service Tornado Cash, attempting to obscure their funds. 840 ETH worth $1.4 million was still in their primary wallet.

Blockchain security firm CertiK also shared Monkey’s message in a Mar. 1 tweet, saying the crypto wallet-draining kit they offered is understood to take a 30% “commission” of the funds stolen through others' use of the software.

Wallet-draining kits from other providers have copied the model, and CertiK pointed to other vendors already reporting an uptick in requests since Monkey Drainer announced the shutdown.

Monkey Drainer is understood to have operated since late 2022 and is estimated to have stolen up to $13 million worth of cryptocurrencies and nonfungible tokens (NFTs) since that time.

Related: Monkey Drainer-linked scammers possibly exposed after an on-chain quarrel

Other copycat phishing scammers and wallet-draining kits have stolen much more. A report from Web3 bug bounty platform Immunefi revealed $3.9 billion worth of crypto was lost to hacks, frauds, scams and rug pulls in 2022.

Possibly one of the single most high-profile and high-value thefts by a wallet drainer in recent times was the January attack on Kevin Rose, the co-founder of the Moonbirds NFT collection.

Rose’s wallet was drained after he approved a malicious signature on a phishing website that transferred over $1.1 million worth of his personal NFTs to the attacker.


Monkey Drainer-linked scammers possibly exposed after an on-chain quarrel

The scammer referred to their pseudonym during a blockchain message argument which may have revealed their actual identity, according to CertiK.

Blockchain security firm CertiK believes it has found the real identity of at least one scammer allegedly linked to the “Monkey Drainer” phishing scam.

Monkey Drainer is the pseudonym for a phishing scammer(s) that uses smart contracts to steal NFTs through a process known as "ice phishing." 

The individual or persons behind the phishing scam have stolen millions worth of Ether (ETH) via malicious copycat nonfungible token (NFT) minting websites to date. 

In a Jan. 27 blog, CertiK said it found on-chain messages between two scammers involved in a recent $4.3 million Porsche NFT phishing scam and was able to link one of them to a Telegram account involved in selling the Monkey Drainer-style phishing kit. 

One message revealed a person referring to themself as “Zentoh” and referred to the person who stole the funds as “Kai.”

Zentoh was seemingly upset at Kai for not sending over a slice of the stolen funds. The message from Zentoh directs Kai to deposit the ill-gotten gains “at our address.”

An on-chain message from a person referring to themselves as “Zentoh,” upset they didn’t receive a portion of phished funds from a person they address as “Kai.” Image: CertiK

CertiK deduced the joint wallet was the address that received the $4.3 million in stolen crypto. The firm added there is a “direct link” between the joint wallet and “some of the most prominent Monkey Drainer scammer wallets.”

The wallet address tied to Zentoh is in turn tied to numerous addresses linked to the Monkey Drainer scam. Image: CertiK

Zentoh revealed in another message the pair used Telegram to communicate. CertiK found an exact match for the pseudonym on the messaging app and identified it “to be running a Telegram group that sells phishing kits to scammers.”

The company found numerous other online accounts possibly linked to Zentoh, including one on GitHub that posted repositories for crypto drainer tools.

If the links between the accounts are legitimate, it reveals the identity of a French national living in Russia.

Cointelegraph reviewed accounts potentially related to the person and found public accounts that seemed to be interested in cryptocurrencies. Cointelegraph contacted the person but did not immediately receive a response.

Cointelegraph will not publish the name of the person due to privacy concerns.

Related: Hackers take over Azuki’s Twitter account, steal over $750K in less than 30 minutes

Crypto wallet-draining phishing scams have unfortunately been used to great effect recently.

The co-founder of the Moonbirds NFT collection, Kevin Rose, fell victim to such a scam that led to over $1.1 million worth of his personal NFTs being stolen.

The crypto wallet of the influencer known on Twitter as “NFT God” suffered a similar fate after they downloaded malicious software from a Google Ad search result, with ETH and high-priced NFTs pilfered from the wallet.


Undeads Metaverse: Security Audit Completed by Certik

PRESS RELEASE. Dubai, UNITED ARAB EMIRATES, January 2023. Undeads Metaverse announces the completion of its smart contracts’ security audit conducted by Certik, which included a comprehensive multi-level assessment of Undeads Metaverse in-game smart contracts and product functionality. The focus of the audit was to verify that the smart contract system is secure, resilient and working […]


Crypto Incidents Involving Exit Scams, Hacks, and Code Exploits Reach Record Low in December 2022 According to Certik

According to blockchain security company Certik, the number of cryptocurrency incidents involving exit scams, hacks, and code exploits in Dec. 2022 was the lowest monthly figure of the year. Certik noted that the combined incidents amounted to $62.2 million “lost to exploits, hacks, and scams.” Record Low Cyber Attacks in December 2022 Result in $62.2 […]


No ‘respite’ for exploits, flash loans or exit scams in 2023: Cybersecurity firm

The industry is likely to see “further attempts from hackers targeting bridges in 2023," while users are urged to be warier of their private keys.

The new year is a fresh start for malicious actors in the crypto space and 2023 won’t likely see a slowdown in scams, exploits and hacks, according to CertiK.

The blockchain security company told Cointelegraph its expectations for the year ahead regarding bad actors in the space, saying:

“We saw a large number of incidents last year despite the crypto bear market, so we do not anticipate a respite in exploits, flash loans or exit scams.”

Regarding other ill-natured incidents the crypto community might face, the company pointed to the “devastating” exploits that took place on cross-chain bridges in 2022. Of the 10 largest exploits during the year, six were bridge exploits, which stole a total of around $1.4 billion.

Due to these historically high returns, CertiK noted the likelihood of “further attempts from hackers targeting bridges in 2023.”

Protect your keys

On the other hand, CertiK said there will likely be “fewer brute force attacks” on crypto wallets, given that the Profanity tool vulnerability — which has been used to attack a number of crypto wallets in the past — is now widely known.

The Profanity tool allows users to generate customized “vanity” crypto addresses. A vulnerability in the tool was used to exploit $160 million worth of crypto in the September hack of algorithmic crypto market maker Wintermute, according to CertiK.

Instead, wallet compromises this year will likely come because of poor user security, CertiK said, stating:

“It’s possible that funds lost to private key compromises in 2023 will be due to poor management of private keys, bar any future vulnerability found in wallet generators.”

The firm said it will also be monitoring phishing techniques that could proliferate in the new year. It noted the slew of Discord group hacks in mid-2022 that tricked participants into clicking phishing links such as the Bored Ape Yacht Club (BAYC) Discord hack in June, which resulted in 145 Ether (ETH) being stolen.

Related: Revoke your smart contract approvals ASAP, warns crypto investor

Last year, $2.1 billion worth of crypto was stolen through just the 10 biggest incidents alone, while 2021 saw $10.2 billion total stolen from Decentralized Finance (DeFi) protocols, according to peer security firm Immunefi.

The biggest incident in 2022 — and of all time — was the Ronin bridge exploit, which saw attackers making off with around $612 million. The largest flash loan attack was the $76 million Beanstalk Farms exploit and the largest DeFi protocol exploit was the $79.3 million stolen from Rari Capital.


$62M crypto stolen in Dec was the ‘lowest monthly figure’ in 2022: CertiK

December proved to be the month with the least crypto stolen in 2022, although there were still 23 major incidents, according to CertiK.

Cryptocurrency hackers and exploiters seemingly slowed down for the 2022 holidays as December saw $62.2 million worth of cryptocurrencies stolen, the “lowest monthly figure” of the year, according to CertiK.

The blockchain security company on Dec. 31 tweeted a list of the month's most significant attacks. It highlighted the $15.5 million worth of exit scams as the method that stole the most value over the month, followed by the $7.6 million worth of flash loan-based exploits.

A later tweet on Jan. 1 confirmed that the 23 largest exploits were responsible for around 98.5% of the $62.2 million figure, with the $15 million Helio Protocol incident on Dec. 2 the largest of the month.

The protocol, which manages the stablecoin HAY (HAY), suffered a loss when a trader took advantage of a price discrepancy in Ankr Reward Bearing Staked BNB (aBNBc) to borrow millions worth of HAY.

At the time, the decentralized finance (DeFi) protocol Ankr suffered a separate exploit where an attacker minted 20 trillion aBNBc, causing its price to plummet. The Helio trader quickly deposited aBNBc tokens to borrow 16 million HAY, causing the loan to be significantly undercollateralized, leading to the protocol's loss and a depeg of its stablecoin.

The second largest incident of the month was the $12.9 million exploit of Defrost Finance’s v1 and v2 protocols on Dec. 23, where an attacker carried out a flash loan attack by adding a fake collateral token and a malicious price oracle to liquidate the protocol.

Days after the exploit, the hacker returned the funds stolen from the v1 protocol to an address controlled by Defrost, though funds are yet to have been returned for the v2 hack.

CertiK labeled the exploit an “exit scam” due to the fact an admin key was required to conduct the attack. Defrost denied the allegations to Cointelegraph, claiming the key was compromised.

Related: Crypto’s recovery requires more aggressive solutions to fraud

The December figure is much lower than the month prior, seeing an 89.5% decrease from the $595 million worth of exploits across 36 major incidents CertiK recorded in November, a figure largely skewed by the $477 million hack of crypto exchange FTX.

Overall for 2022, just the largest 10 exploits of the year funneled around $2.1 billion to bad actors, largely on cross-blockchain bridges and DeFi protocols.


Defrost offers 20% payment to hackers as ‘Exit Scam’ allegations surface

"Merry Christmas guys. We got a lump of coal from Santa Claus," wrote one user in response to the allegations and the incident.

On Dec. 26, blockchain security firm CertiK issued a warning alleging that Defrost Finance, a decentralized leveraged trading platform on the Avalanche Blockchain, is an "Exit Scam." In supporting the decision, CertiK wrote:

"On 24 December we have seen an #exitscam on @Defrost_Finance. We have attempted to contact multiple members of the team but have had no response. The team are not KYC'd but we are using all the information that we do have to assist with authorities."

The prior day, Defrost Finance suffered a flash loan attack that drained protocol users of $12 million in assets. Immediately after the exploit, blockchain analytics firm PeckShield also issued a warning alleging that the operation was a "rugpull": 

"We received community intel warning the rugpull of @Defrost_Finance. Our analysis shows a fake collateral token is added and a malicious price oracle is used to liquidate current users. The loss is estimated to be >$12M."

In a brief post-mortem analysis, project developers said that hackers also managed to steal the owner key for a much larger attack on its V1 protocol than the flash loan exploit. Defrost has since offered "sharing 20% (negotiable) of the funds in exchange for the bulk of assets and are calling on the hackers to contact us asap."

After posting an Ethereum (ETH) wallet address on its social page, close to $3 million worth of digital assets have been transferred there at the time of publication. It is unclear if such transactions were related to the stolen assets.

CertiK's Skynet alert for DeFrost | Source: CertiK

This is a developing story and will be updated accordingly.


How to avoid getting hooked by crypto ‘ice phishing’ scammers — CertiK

Ice phishing is a type of scam that exists only in Web3 and is a “considerable threat” to the crypto community, said the firm.

Blockchain security company CertiK has reminded the crypto community to stay alert over “ice phishing” scams — a unique type of phishing scam targeting Web3 users — first identified by Microsoft earlier this year. 

In a Dec. 20 analysis report, CertiK described ice phishing scams as an attack that tricks Web3 users into signing permissions which end up allowing a scammer to spend their tokens.

This differs from traditional phishing attacks which attempt to access confidential information such as private keys or passwords, such as the fake websites set up which claimed to help FTX investors recover funds lost on the exchange.

A Dec. 17 scam where 14 Bored Apes were stolen is an example of an elaborate ice phishing scam. An investor was convinced to sign a transaction request disguised as a film contract, which ultimately enabled the scammer to sell all of the user's apes to themselves for a negligible amount.

The firm noted that this type of scam was a “considerable threat” found only in the Web3 world, as investors are often required to sign permissions to decentralized finance (DeFi) protocols they interact with, which could be easily faked.

“The hacker just needs to make a user believe that the malicious address that they are granting approval to is legitimate. Once a user has approved permissions for the scammer to spend tokens, then the assets are at risk of being drained.”

Once a scammer has gained approval, they are able to transfer assets to an address of their choosing.

An example of how an ice phishing attack works on Etherscan. Source: Certik

To protect themselves from ice phishing, CertiK recommended that investors revoke permissions for addresses they don’t recognize on blockchain explorer sites such as Etherscan, using a token approval tool.

Related: $4B OneCoin scam co-founder pleads guilty, faces 60 years jail

Additionally, addresses that users are planning to interact with should be looked up on these blockchain explorers for suspicious activity. In its analysis, CertiK points to an address that was funded by Tornado Cash withdrawals as an example of suspicious activity.

CertiK also suggested that users should only interact with official sites they are able to verify, and to be particularly wary of social media sites like Twitter, highlighting a fake Optimism Twitter account as an example.

Fake Optimism Twitter account. Source: Certik

The firm also advised users to take a couple of minutes to check a trusted site such as CoinMarketCap or CoinGecko; in the Optimism case, doing so would have shown that the linked URL was not the legitimate site and should be avoided.
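The mechanism described above (a signed `approve` or `setApprovalForAll` that lets a spender move tokens, as in the Bored Apes case) and the advice to revoke unrecognised approvals can be turned into a small review script. The following is an added example and not CertiK's or Etherscan's tooling: it triages a list of approvals as a block explorer's token-approval page would show them, flags allowances granted to addresses not on the user's own allowlist, and builds the calldata for the revoking transaction (`approve(spender, 0)` for ERC-20, `setApprovalForAll(operator, false)` for ERC-721). The addresses and the approval list are constructed sample data; the two 4-byte selectors are the standard ERC-20 and ERC-721 ones.

```python
from dataclasses import dataclass

UNLIMITED = 2**256 - 1
# Standard 4-byte function selectors (first 4 bytes of keccak256 of the signature).
APPROVE_SELECTOR = "095ea7b3"               # approve(address,uint256)        (ERC-20)
SET_APPROVAL_FOR_ALL_SELECTOR = "a22cb465"  # setApprovalForAll(address,bool) (ERC-721)

# Constructed addresses: a recognised DEX router, a recognised NFT marketplace and
# an address the wallet owner does not recognise (e.g. one a phishing site slipped in).
DEX_ROUTER = "0x" + "11" * 20
NFT_MARKET = "0x" + "22" * 20
UNKNOWN_ADDR = "0x" + "bad0" * 10

# The user's own allowlist of contracts they knowingly interact with.
KNOWN_SPENDERS = {DEX_ROUTER: "dex router", NFT_MARKET: "nft marketplace"}

# Constructed sample, in the shape a token-approval checker lists approvals.
SAMPLE_APPROVALS = [
    {"kind": "erc20", "token": "USDC", "spender": DEX_ROUTER, "allowance": UNLIMITED},
    {"kind": "erc20", "token": "USDC", "spender": UNKNOWN_ADDR, "allowance": UNLIMITED},
    {"kind": "erc20", "token": "WETH", "spender": UNKNOWN_ADDR, "allowance": 5 * 10**17},
    {"kind": "erc721", "token": "BAYC", "spender": NFT_MARKET, "approved_for_all": True},
    {"kind": "erc721", "token": "BAYC", "spender": UNKNOWN_ADDR, "approved_for_all": True},
    {"kind": "erc20", "token": "DAI", "spender": DEX_ROUTER, "allowance": 0},
]


@dataclass
class Finding:
    severity: str      # "high", "medium" or "low"
    token: str
    spender: str
    reason: str
    revoke_calldata: str  # hex calldata to send to the token contract to revoke


def _pad_address(addr: str) -> str:
    """ABI-encode an address as a 32-byte word (left-padded with zeros)."""
    return addr[2:].lower().rjust(64, "0")


def revoke_erc20_calldata(spender: str) -> str:
    """approve(spender, 0): selector + padded spender + uint256 zero."""
    return "0x" + APPROVE_SELECTOR + _pad_address(spender) + "0" * 64


def revoke_erc721_calldata(operator: str) -> str:
    """setApprovalForAll(operator, false): selector + padded operator + bool false."""
    return "0x" + SET_APPROVAL_FOR_ALL_SELECTOR + _pad_address(operator) + "0" * 64


def triage(approvals: list[dict], known: dict[str, str]) -> list[Finding]:
    """Rank live approvals by how much a scammer could do with them."""
    known_lower = {k.lower() for k in known}
    findings: list[Finding] = []
    for a in approvals:
        spender = a["spender"].lower()
        recognised = spender in known_lower
        if a["kind"] == "erc20":
            if a["allowance"] == 0:
                continue  # nothing to revoke
            calldata = revoke_erc20_calldata(spender)
            if not recognised:
                sev = "high" if a["allowance"] == UNLIMITED else "medium"
                reason = "allowance granted to unrecognised spender"
            elif a["allowance"] == UNLIMITED:
                sev, reason = "low", "unlimited allowance to known contract; consider capping"
            else:
                continue
        else:  # erc721: setApprovalForAll covers every token in the collection
            if not a.get("approved_for_all"):
                continue
            if recognised:
                continue
            calldata = revoke_erc721_calldata(spender)
            sev, reason = "high", "whole-collection operator approval to unrecognised address"
        findings.append(Finding(sev, a["token"], spender, reason, calldata))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_APPROVALS, KNOWN_SPENDERS):
        print(f"[{f.severity}] {f.token} -> {f.spender}: {f.reason}")
        print(f"    revoke with calldata {f.revoke_calldata}")
```

The revocation calldata is sent to the token (or NFT collection) contract, not to the spender; the script deliberately only prepares it so the owner can inspect what they are about to sign, which is the habit the ice-phishing cases above show is missing.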

Tech giant Microsoft was the first one to highlight this practice in a Feb. 16 blog post, saying at the time that while credential phishing is very predominant in the Web2 world, ice phishing gives individual scammers the ability to steal a chunk of the crypto industry while maintaining “almost complete anonymity.”

They recommended that Web3 projects and wallet providers increase the security of their services on the software level in order to prevent the burden of avoiding ice phishing attacks being placed solely on the end-user.


Front-running scams rampant on YouTube with 500% surge in 2022: CertiK

The scam lures victims to download fake front-running bot software that swipes their assets once they try to initiate a transaction.

Front-running scam bots are significantly gaining traction on YouTube, with the number of dubious videos increasing six-fold in 2022 according to a new report from blockchain security firm CertiK.

In the firm's Dec. 1 report, CertiK explores how a wave of front-running bot scams are promising free returns as high as 10X a day, but ultimately end up swiping people's funds.

Notably, CertiK’s analysis found 84% of videos on YouTube mentioning “front running bot” were scams, with the number increasing 500% from 28 videos in 2021 to 168 videos in 2022:

“There are common themes in all of these videos: free code and huge returns. Successful runners won’t give away free code on a social media site, they will sell it for a large amount on underground forums.”

The scam itself generally sees victims being guided to download fake bot software, which is designed to swipe their assets once they try to initiate a front-running transaction.

Even when they are not scams, front-running bots cause problems as they can give the deployer a distinct advantage over other crypto traders in certain circumstances.

The bots generally scan blockchains for unconfirmed transactions and then pay a greater gas fee to squeeze in ahead of said transactions, “essentially beating it to the punch and taking all the profit on offer” from a trade.

The report identified videos using dubious titles such as “$15,000 Front Running Crypto Bot Leak! - 50X HUGE RETURNS!” and “Uniswap Front Running Bot 2022 – EASY TUTORIAL (Huge profits)” in which scammers give fake tutorials on downloading and using the bots.

The videos’ comment sections are of course swarmed with countless bot comments praising the content so that real comments sounding alarm bells are buried under the noise.

An example of the typical comments found on front-running bot scam videos. Source: CertiK

Scam reports have been rife of late, as Cointelegraph reported on Nov. 22 that deepfake videos using Sam Bankman-Fried’s likeness were circulating online aiming to dupe people impacted by FTX’s bankruptcy.

Related: Metaverse exploitation and abuse to rise in 2023: Kaspersky

CertiK released a separate report on Nov. 17 outlining that crypto scammers have been using identities bought on the black market to put their names and faces on fraudulent projects. Described as “Professional KYC actors,” CertiK found that their identities could be purchased for as low as $8.00.

On Reddit on Dec. 1, members of the r/Metallica community were also sending out warnings over fake Metallica live streams featuring all the band members that linked to crypto giveaway scams.

Some members even claimed that the YouTube algorithm had been recommending the videos to them in their top recommendations.

Comment on r/Metallica: Reddit
