
EXP Attack

KyberSwap hacker offers $4.6M bounty for return of $46M loot

“On the table is a bounty equivalent to 10% of users’ funds taken from them by your hack,” said KyberSwap to its hacker in an on-chain message.

The decentralized exchange KyberSwap has offered a 10% bounty reward to the hacker who stole $46 million on Nov. 22 and left a note of negotiation. The exchange wants 90% of the loot returned by 6 am UTC on Nov. 25.

On Nov. 23, KyberSwap alerted users that its liquidity solution, KyberSwap Elastic, was compromised and advised them to withdraw funds. By then, on Nov. 22, the hacker had already made away with roughly $20 million in Wrapped Ether (wETH), $7 million in wrapped Lido-staked Ether (wstETH) and $4 million in Arbitrum (ARB) tokens. The hacker then siphoned the loot across multiple chains, including Arbitrum, Optimism, Ethereum, Polygon and Base.

KyberSwap hacker shared his openness to negotiate a compromise. Source: etherscan.io

After hiding the stolen funds, the hacker wrote an on-chain message directed to KyberSwap developers, employees, decentralized autonomous organization members and liquidity providers, stating, “Negotiations will start in a few hours when I am fully rested.”

KyberSwap team responded to the hacker and offered a 10% bounty. Source: etherscan.io

Following a day’s silence from both ends, KyberSwap responded to the hacker requesting the return of 90% of the stolen funds. The team acknowledged the skills of the hacker and laid down an offer:

“On the table is a bounty equivalent to 10% of users’ funds taken from them by your hack, for the safe return of all of the users’ funds. But we both know how this works, so let’s cut to the chase so you and these users can all get on with life.”

If the hacker fails to pay back or respond to KyberSwap by 6 am UTC, Nov. 25, “you stay on the run,” said KyberSwap. The team is open to further discussion with the hacker via email.

Related: KyberSwap announces potential vulnerability, tells LPs to withdraw ASAP

A dissection of the recent KyberSwap hack by a decentralized finance (DeFi) expert suggests that the attacker used an “infinite money glitch” to drain funds.

Ambient exchange founder Doug Colkitt explained the KyberSwap attacker relied on a “complex and carefully engineered smart contract exploit” to carry out the attack.

The attacker then repeated this exploit against other KyberSwap pools on multiple networks, eventually getting away with $46 million in crypto loot.

Magazine: This is your brain on crypto: Substance abuse grows among crypto traders

Machine Learning in Focus as Chainalysis Acquires Hexagate

DeFi protocol Arcadia Finance hacked on Ethereum and Optimism for $455K

A loophole in the code allowed the hacker to drain funds worth roughly $455,000 from Arcadia’s Ethereum and Optimism vaults.

A hacker drained approximately $455,000 from noncustodial decentralized finance (DeFi) protocol Arcadia Finance by exploiting a code vulnerability.

Blockchain investigator PeckShield raised the alert about the hack on Arcadia Finance, identifying the cause as “the lack of untrusted input validation.” The code supposedly lacked a validation mechanism to cross-check unverified inputs. This loophole allowed the hacker to drain funds worth roughly $455,000 from the Ethereum (darcWETH) and Optimism (darcUSDC) vaults.

Arcadia Finance code required no validation of untrusted input. Source: PeckShield

Arcadia Finance has not yet responded to Cointelegraph’s request for comment.

Arcadia Finance confirmed the hack two hours after PeckShield’s alert and subsequently paused the contracts to prevent further loss of funds.

While the investigations are underway, Arcadia’s code houses another vulnerability, which could prove catastrophic for the protocol if exploited. According to PeckShield:

“In addition, there is a lack of reentrancy protection, which allows for the instant liquidation to bypass the internal vault health check.”

Most of the stolen funds were from Optimism — approximately 180 Ether (ETH) — and have been washed via Tornado Cash. However, the stolen tokens on Ethereum — worth over $103,000 at the time of writing — remain parked at the suspected wallet address.

Related: Multichain MPC bridge sees $100M+ outflows, sparking fears of exploit

In the second quarter of 2023, hacks and exploits in the crypto space resulted in a cumulative loss of over $300 million.

A report by blockchain security company CertiK showed that a total of 212 security incidents were recorded in the quarter, resulting in a loss of $313,566,528 from Web3 protocols.

Compared with the previous year’s Q2 data, CertiK found that the crypto hacks declined by 58%. Out of the lot, the BNB Smart Chain recorded the most incidents, with 119 incidents leading to $70,711,385 in losses.


Magazine: Should you ‘orange pill’ children? The case for Bitcoin kids books


Tornado Cash attacker to potentially give back governance control, proposal reveals

A few hours into the hack, to everyone’s surprise, the attacker reached out to the Tornado Cash community with a new proposal to supposedly give back governance control.

An attacker who sparked community-wide panic by hijacking the Tornado Cash governance is now proposing to undo their hack — and while not everyone feels the hacker can be trusted, they apparently have little choice in the matter.

On May 21, the passage of a malicious proposal allowed the attacker to gain complete control over Tornado Cash’s governance. With total control over the governance of the decentralized crypto mixer, the attacker was in a position to inflict massive losses, considering they could withdraw all of the locked votes, drain all of the tokens in the governance contract and brick the router.

While the story unfolded, community member Tornadosaurus-Hex, or Mr. Tornadosaurus Hex, took proactive steps to minimize the potential damage by publishing a subsequent proposal requesting that all members withdraw all funds locked in governance, as shown below.

A Tornado Cash community member’s proposal for gaining control from the attacker. Source: Tornado Cash forums

However, Mr. Tornadosaurus Hex (Hex) was uncertain about the effectiveness of the new proposal, considering the attacker’s grip over the mixer’s governance. A few hours into the hack, to everyone’s surprise, the attacker reached out to the Tornado Cash community with a new proposal, hinting at their intent to give back governance control.

The Tornado Cash attacker’s proposal. Source: Tornado Cash forums

As shown above, Hex communicated the attacker’s plan to the community, stating that:

“The attacker posted a new proposal to restore the state of Governance. I think that there is a good chance he’s going to execute it.”

Hex further pointed out that while the community has no option other than complying with the attacker’s chosen method of giving back governance control, his due diligence with regard to verifying the storage layouts checks out.

Mr. Tornadosaurus Hex confirmed the slot matching. Source: Tornado Cash forums

While many community members showed optimism toward the attacker’s supposed change of heart, others speculate it was a move to pump the TORN token’s price before cashing out.

Related: Allbridge offers bounty to exploiter who stole $573K in flash loan attack

On the bright side, the crypto ecosystem witnessed a sharp decline in overall hacks in the first quarter of 2023.

Graph showing hacks and exploits from Q1 2022 - Q1 2023. Source: TRM Labs

However, history suggests that crypto users shouldn’t get complacent as 2022 witnessed a spike in crypto hacks soon after recording a slow phase.

Magazine: ‘Moral responsibility’: Can blockchain really improve trust in AI?


Crypto phishing attacks up by 40% in one year: Kaspersky

Russian cybersecurity and anti-virus provider Kaspersky detected 5,040,520 crypto phishing attacks in the year as compared to 3,596,437 in 2021.

When it comes to cryptocurrency-related cyberattacks, bad actors have seemingly reduced their use of traditional financial threats such as banking PC and mobile malware, and have instead shifted their focus to phishing.

Russian cybersecurity and anti-virus provider Kaspersky revealed that cryptocurrency phishing attacks witnessed a 40% year-on-year increase in 2022. The company detected 5,040,520 crypto phishing attacks in the year as compared to 3,596,437 in 2021.

A typical phishing attack involves reaching out to investors via fake websites and communication channels that mimic the official companies. Users are then prompted to share personal information such as private keys, which ultimately provides attackers with unwarranted access to crypto wallets and assets.

While Kaspersky could not predict whether the trend would continue to increase in 2023, phishing attacks have kept their momentum this year. Most recently, in March, hardware cryptocurrency wallet provider Trezor issued a warning against attempts to steal users’ crypto by tricking investors into entering their recovery phrase on a fake Trezor site.

In a survey conducted by Kaspersky in 2022, one out of seven respondents admitted to being affected by cryptocurrency phishing. While phishing attacks predominantly involve giveaway scams or fake wallet phishing pages, attackers continue to evolve their strategies.

According to Kaspersky, “crypto still remains a symbol of getting rich quick with minimal effort,” which attracts scammers to innovate their techniques and stories to lure in unwary crypto investors.

Related: 5 sneaky tricks crypto phishing scammers used last year: SlowMist

Arbitrum investors were recently exposed to a phishing link via its official Discord server. A hacker reportedly hacked into the Discord account of one of Arbitrum’s developers, which was then used to share a fake announcement with a phishing link.

Cointelegraph accessed the phishing link to find that it redirects users to a blank website with the text “Astaghfirullah,” which translates to “I seek forgiveness in God.” According to Wiktionary, the term can also be used to express disbelief or disapproval.

Magazine: Crypto audits and bug bounties are broken: Here’s how to fix them


Euler Labs hacker returns ‘all of the recoverable funds’ — Timeline

Twenty-three days after the hack, on April 4, Euler Finance announced the total possible recovery of the lost funds, thus ending the $1 million bounty.

After being robbed of $196 million in a flash loan attack, Euler Finance has convinced its hacker to return most of the funds. The outcome resulted from numerous back-and-forths over 23 days, eventually leading the hacker to do “the right thing.”

On March 13, the Euler Finance hacker carried out multiple transactions, each draining millions of dollars in various tokens, including Dai (DAI), USD Coin (USDC), staked Ether (StETH) and wrapped Bitcoin (WBTC).

Funds stolen from Euler Finance. Source: BlockSec

As a result, Euler’s total value locked inside its smart contracts dropped from over $311 million to $10.37 million. Ultimately, 11 different decentralized finance (DeFi) protocols, including Balancer, Yearn.finance and Yield Protocol, either froze or lost funds.

The next day, on March 14, Euler took proactive measures to recover funds, disabling its vulnerable eToken module and donation function as the first course of action. In addition, it worked with auditing companies to analyze the root cause of the exploit.

At the same time, Euler tried contacting the hacker to negotiate a bounty. On March 15, Euler gave the hacker an ultimatum to return 90% of the stolen funds, threatening to announce a $1 million reward for information that could lead to the hacker’s arrest. This deal would have allowed the hacker to get away with $19.6 million.

The hacker, on the other hand, started moving funds at will. One victim received 100 Ether (ETH) after convincing the hacker that his life savings had been lost in the Euler hack. Over several days, the hacker returned portions of the stolen funds in transfers of varying value.

Amid the chaos, Euler Labs CEO Michael Bentley revealed that ten separate audits over two years deemed the protocol “nothing higher than low risk” with “no outstanding issues.”

On March 21, Euler launched a $1 million bounty reward against the hacker after being ghosted mid-conversation while trying to strike a deal. Starting on March 25, the hacker began returning the stolen assets in large amounts on multiple occasions.

Twenty-three days after the hack, on April 4, Euler Finance announced the total possible recovery of the lost funds, thus ending the $1 million bounty. “Because the exploiter did the right thing and returned the funds, and the $1 million reward campaign launched by the Euler Foundation will no longer be accepting new information,” the protocol stated.

In the final transactions, the hacker sent 12 million DAI and 10,580 ETH in multiple transactions. The crypto community applauded Euler Finance’s effort to recover funds and restore investors’ confidence.

Related: Allbridge offers bounty to exploiter who stole $573K in flash loan attack

Gnosis, the team behind Gnosis Safe multisig and Gnosis Chain, recently launched a hash oracle aggregator to improve the security of bridges by requiring more than one bridge to validate a withdrawal.

As Cointelegraph reported, over $2 billion was stolen from bridges in 2021 and 2022, mainly due to bugs and wallet attacks.

Magazine: Huawei NFTs, Toyota’s hackathon, North Korea vs. Blockchain: Asia Express


Jake Paul-endorsed SafeMoon gets hacked after introducing a bug in upgrade

A public burn() function introduced in the latest upgrade allegedly allows users to burn tokens from other addresses.

SafeMoon, a project previously endorsed by A-list celebrities and social influencers such as Jake Paul and Soulja Boy, announced its liquidity pool (LP) was compromised. Without revealing further details about the attack, SafeMoon confirmed undertaking steps “to resolve the issue as soon as possible.”

Just like many other crypto projects in 2021, SafeMoon was backed by numerous celebrities. However, a lawsuit from Feb. 2022 alleged that musicians such as Nick Carter, Soulja Boy, Lil Yachty and YouTubers Jake Paul and Ben Phillips mimicked real-life Ponzi schemes by misleading investors to purchase SafeMoon (SFM) tokens under the pretext of unrealistic profits.

Jake Paul promoting SafeMoon token in 2021. Source: Twitter

Investigating the SafeMoon hack shows that the attacker made away with approximately 27,000 BNB (BNB), worth $8.9 million. SafeMoon has not yet responded to Cointelegraph’s request for comment. Moreover, users have been barred from posting comments on the announcement that revealed the LP compromise.

Blockchain investigator PeckShield narrowed the problem down to a recent software upgrade as the potential culprit that introduced the bug. A public burn() function introduced in the latest upgrade allegedly allows users to burn tokens from other addresses.

As explained by community member DeFi Mark, the attacker used the vulnerability to remove SFM tokens, causing an artificial spike in the token’s price. The attacker took advantage of the situation and sold off the tokens at an inflated price.

SafeMoon exploit overview. Source: PeckShield

The attacker, on the other hand, left a note along with the transaction, as shown above, stating:

“Hey relax, we are accidently frontrun an attack against you, we would like to return the fund, setup secure communication channel , lets talk.”

Until SafeMoon officially announces a resolution, investors are advised against investing in the project to avoid possible loss of funds.
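To make the bug described above concrete, the sketch below is an added, constructed illustration (not SafeMoon’s actual contract): a minimal token whose unguarded public burn takes an arbitrary holder address, placed beside the two standard guarded forms. The contract and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Constructed minimal token for illustration only; not SafeMoon's code.
// Balances and allowances live in plain mappings. The three burn variants
// differ only in who is allowed to destroy whose tokens.
contract BurnExample {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    uint256 public totalSupply;

    event Transfer(address indexed from, address indexed to, uint256 value);

    constructor(uint256 initialSupply) {
        balanceOf[msg.sender] = initialSupply;
        totalSupply = initialSupply;
        emit Transfer(address(0), msg.sender, initialSupply);
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    // VULNERABLE pattern: the holder is a parameter and msg.sender is never
    // checked against it or against an allowance, so any caller can shrink
    // any balance. Burning tokens held by a liquidity pool distorts the
    // pool's reserves and therefore the price it quotes, which is the
    // effect the article describes.
    function burnUnchecked(address from, uint256 amount) external {
        require(balanceOf[from] >= amount, "insufficient balance");
        balanceOf[from] -= amount;
        totalSupply -= amount;
        emit Transfer(from, address(0), amount);
    }

    // HARDENED pattern 1: a caller may only burn their own tokens.
    function burn(uint256 amount) external {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        totalSupply -= amount;
        emit Transfer(msg.sender, address(0), amount);
    }

    // HARDENED pattern 2: burning on behalf of another holder requires an
    // explicit allowance, mirroring ERC-20 transferFrom semantics.
    function burnFrom(address from, uint256 amount) external {
        uint256 allowed = allowance[from][msg.sender];
        require(allowed >= amount, "allowance exceeded");
        require(balanceOf[from] >= amount, "insufficient balance");
        allowance[from][msg.sender] = allowed - amount;
        balanceOf[from] -= amount;
        totalSupply -= amount;
        emit Transfer(from, address(0), amount);
    }
}
```

When reviewing an upgrade, any externally callable function that takes a holder address and mutates that holder’s balance without a msg.sender or allowance check is the pattern to flag.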

Related: New crypto litigation tracker highlights 300 cases from SafeMoon to Pepe the Frog

Following a recent security incident related to illicit access to hot wallets, Bitcoin (BTC) ATM manufacturer General Bytes plans to reimburse customers that lost funds.

As Cointelegraph reported, the hack caused a loss of 56 BTC and 21.82 Ether (ETH), cumulatively worth nearly $1.9 million.

Magazine: Huawei NFTs, Toyota’s hackathon, North Korea vs. Blockchain: Asia Express


Euler Finance hacker sends 100 ETH to red-flagged North Korean address

While Chainalysis suspected the involvement of North Korea in the Euler Finance hack, they highlighted the possibility of misdirection by other hackers.

Ever since Euler Finance fell victim to the biggest decentralized finance (DeFi) hack of 2023, the crypto community has closely followed the $197 million loot on-chain, hoping to track down the attacker. Out of the series of transfers made by the hacker, one transaction of 100 Ether (ETH) was allegedly sent to an address associated with North Korea-linked actors.

Blockchain investigator Chainalysis identified that 100 ETH from Euler’s stolen funds was transferred to an address that had been flagged in an older hack with links to North Korea.

Concurrently, the hacker also transferred 3,000 ETH to Euler’s deployer account without disclosing their intent. However, no other transfers were made thereafter at the time of writing. In both cases, it was unclear whether the hacker was trolling or if they genuinely considered accepting Euler Finance’s bounty reward of $20 million.

While Chainalysis suspected the involvement of North Korea in the Euler Finance hack, they highlighted the possibility of misdirection by other hackers.

Related: Euler hacker seemingly taking their chances, sends funds to crypto mixer

Euler Labs CEO Michael Bentley shared his displeasure with the $197 million hack as he revealed that ten separate audits conducted over two years assured its security.

As Cointelegraph previously reported, blockchain security firms, including Halborn, Solidified, ZK Labs, Certora, Sherlock and Omnisica, conducted smart contract audits on Euler Finance from May 2021 to September 2022.


Crypto investors under attack by two new malware, reveals Cisco Talos

Since Dec. 2022, the two malicious files — MortalKombat ransomware and Laplas Clipper malware — have been actively scouring the internet to steal cryptocurrencies from unwary investors.

Anti-malware software provider Malwarebytes highlighted two new forms of malicious computer programs, propagated by unknown sources, that are actively targeting crypto investors in a desktop environment.

Since December 2022, the two malicious files in question — MortalKombat ransomware and Laplas Clipper malware — have been actively scouring the internet to steal cryptocurrencies from unwary investors, revealed the threat intelligence research team Cisco Talos. The victims of this campaign are predominantly located in the United States, with a smaller percentage of victims in the United Kingdom, Turkey and the Philippines, as shown below.

Victimology of the malicious campaign. Source: Cisco Talos

The two pieces of malicious software work in tandem to hijack information stored in the user’s clipboard, which is usually a string of letters and numbers copied by the user. The infection detects wallet addresses copied to the clipboard and replaces them with a different address.

The attack relies on the user not noticing the substituted wallet address, which sends the cryptocurrency to the unidentified attacker. With no obvious target, the attack spans individuals and small and large organizations.

Ransom notes shared by MortalKombat ransomware. Source: Cisco Talos

Once infected, the MortalKombat ransomware encrypts the user’s files and drops a ransom note with payment instructions, as shown above. Revealing the download links (URLs) associated with the attack campaign, Talos’ report stated:

“One of them reaches an attacker-controlled server via IP address 193[.]169[.]255[.]78, based in Poland, to download the MortalKombat ransomware. According to Talos’ analysis, 193[.]169[.]255[.]78 is running an RDP crawler, scanning the internet for exposed RDP port 3389.”

As explained by Malwarebytes, the “tag-team campaign” starts with a cryptocurrency-themed email containing a malicious attachment. The attachment runs a BAT file that helps download and execute the ransomware when opened.

Thanks to the early detection of this highly capable malware, investors can proactively prevent the attack from affecting their financial well-being. As always, Cointelegraph advises investors to perform extensive due diligence before making investments and to verify that communications come from official sources. Check out this Cointelegraph Magazine article to learn how to keep crypto assets safe.

Related: US Justice Department seizes website of prolific ransomware gang Hive

On the flip side, as ransomware victims continue to refuse extortion demands, ransomware revenues for attackers plummeted 40% to $456.8 million in 2022.

Total value extorted by ransomware attackers between 2017 and 2022. Source: Chainalysis

While revealing the information, Chainalysis noted that the figures don’t necessarily mean the number of attacks is down from the previous year.


DeFi flash loan hacker liquidates Defrost Finance users causing $12M loss

Moments after a few users complained about the unusual loss of funds, Defrost Finance’s core team member Doran confirmed that Defrost V2 was hit with a flash loan attack.

Defrost Finance, a decentralized leveraged trading platform on Avalanche blockchain, announced that both of its versions — Defrost V1 and Defrost V2 — are being investigated for a hack. The announcement came after investors reported losing their staked Defrost Finance (MELT) and Avalanche (AVAX) tokens from the MetaMask wallets.

Moments after a few users complained about the unusual loss of funds, Defrost Finance’s core team member Doran confirmed that Defrost V2 was hit with a flash loan attack. At the time, the platform believed that Defrost V1 was not impacted by the hack and decided to close down V2 for further investigation.

Core team member Doran confirming attack on Defrost Finance. Source: Telegram

Blockchain investigator PeckShield found that the hacker manipulated the share price of LSWUSDC, leading to a gain of roughly $173,000 for the hacker. Upon further analysis, PeckShield’s investigation revealed:

“Our analysis shows a fake collateral token is added and a malicious price oracle is used to liquidate current users. The loss is estimated to be >$12M.”

While the company proactively announced the hack, the community suspects a rug-pull situation at play.

Defrost V1 was initially announced unaffected by the hack as the first version of Defrost lacked a flash loan function.

Core team member Doran confirming the attack on both Defrost Finance versions. Source: Telegram

However, the platform later acknowledged an emergency for V1 as well, stating:

“Our team is currently investigating. We kindly ask the community to wait for updates and refrain from using either the V1 or V2 for the moment.”

Until further notice, investors are advised to stop using Defrost Finance. An internal team is currently investigating the situation and will reach out to users through official channels.

Defrost Finance has not yet responded to Cointelegraph’s request for comment.

Related: Raydium announces details of hack, proposes compensation for victims

In 2022, North Korean hackers stole crypto worth more than 800 billion Korean won ($620 million) from decentralized finance (DeFi) platforms alone.

A spokesperson from South Korea’s National Intelligence Service (NIS) revealed that all North Korean hacks were done through overseas DeFi exploits. However, with Know Your Customer (KYC) initiatives in place, the total number of North Korean hacks saw a significant reduction.


Hacker drains $1.08M from Audius following passing of malicious proposal

A malicious proposal (Proposal #85) requesting the transfer of 18 million Audius’ in-house AUDIO tokens worth nearly $6 million was approved by community voting.

Proposals in crypto help communities make consensus-based decisions. However, for decentralized music platform Audius, the passing of a malicious governance proposal resulted in the transfer of tokens worth $5.9 million, with the hacker making away with $1 million.

On July 24, a malicious proposal (Proposal #85) requesting the transfer of 18 million Audius’ in-house AUDIO tokens was approved by community voting. First pointed out on Crypto Twitter by @spreekaway, the attacker created the malicious proposal wherein they were “able to call initialize() and set himself as the sole guardian of the governance contract.”

Further investigation from Audius confirmed the unauthorized transfer of AUDIO tokens from the company’s treasury. Following the revelation, Audius proactively halted all Audius smart contracts and AUDIO tokens on the Ethereum blockchain.

Blockchain investigator PeckShield narrowed the fault down to storage layout inconsistencies in Audius’ contracts.

While the hacker’s governance proposal drained out 18 million tokens worth nearly $6 million from the treasury, it was soon dumped and sold for $1.08 million. While the dumping resulted in maximum slippage, investors recommended an immediate buyback to prevent existing investors from dumping and further lowering the token’s floor price. 

Investors are yet to get clarity on the stolen funds as one investor asked, “They hacked the community fund right? The team's fund is separate correct?”

While a post-mortem report is underway, Audius has not yet responded to Cointelegraph’s request for comment.
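The two findings reported above, a re-callable initialize() and a storage layout inconsistency, are one and the same failure when a logic contract sits behind a delegatecall proxy. The sketch below is an added, constructed illustration (not Audius’ contracts; all names are assumptions) showing an initializer guard, a proxy whose sequential storage collides with that guard, and a proxy using the EIP-1967 unstructured slots that cannot collide.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Constructed illustration, not Audius' contracts. A governance-style logic
// contract sits behind a delegatecall proxy; initialize() is meant to run once
// and fix the guardian. Whether "once" really holds depends on the
// `initialized` flag occupying a storage slot the proxy itself never writes.
contract GovernanceLogic {
    bool private initialized;   // slot 0, byte 0 (packed together with guardian)
    address public guardian;    // slot 0, bytes 1..20

    modifier initializer() {
        require(!initialized, "already initialized");
        initialized = true;
        _;
    }

    // Whoever gets this call through first becomes the sole guardian.
    function initialize(address _guardian) external initializer {
        guardian = _guardian;
    }
}

// Shared delegatecall forwarder used by both proxies below.
abstract contract Delegator {
    function _delegate(address impl) internal {
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}

// UNSAFE layout: the proxy keeps its bookkeeping in sequential slots 0 and 1.
// Under delegatecall the logic contract reads `initialized` and `guardian`
// out of the same slot 0 that holds `admin`, so the guard reflects whatever
// bytes the admin address happens to contain instead of a genuine flag. If it
// reads as false, initialize() is open to any caller, and a successful call
// then overwrites `admin` with the flag and the new guardian.
contract UnsafeProxy is Delegator {
    address public admin;           // slot 0: collides with GovernanceLogic
    address public implementation;  // slot 1

    constructor(address impl) {
        admin = msg.sender;
        implementation = impl;
    }

    fallback() external payable { _delegate(implementation); }
}

// SAFER layout: bookkeeping lives in the EIP-1967 "unstructured" slots derived
// from hashes, which cannot collide with the low sequential slots a logic
// contract's variables occupy. Slot 0 is then written only by initialize().
contract SafeProxy is Delegator {
    // bytes32(uint256(keccak256("eip1967.proxy.implementation")) - 1)
    bytes32 private constant IMPL_SLOT =
        0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;
    // bytes32(uint256(keccak256("eip1967.proxy.admin")) - 1)
    bytes32 private constant ADMIN_SLOT =
        0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103;

    constructor(address impl) {
        bytes32 implSlot = IMPL_SLOT;
        bytes32 adminSlot = ADMIN_SLOT;
        assembly {
            sstore(implSlot, impl)
            sstore(adminSlot, caller())
        }
    }

    fallback() external payable {
        bytes32 implSlot = IMPL_SLOT;
        address impl;
        assembly { impl := sload(implSlot) }
        _delegate(impl);
    }
}
```

A non-colliding layout is necessary but not sufficient: initialize() must still be invoked through the proxy in the same deployment step, and the check Hex describes in the Tornado Cash story above, comparing the logic contract’s declared slots against what the proxy actually stores, is the audit that catches the unsafe variant.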

Related: Yuga Labs warns of ‘persistent threat group’ targeting NFT holders

Bored Ape Yacht Club (BAYC) creator Yuga Labs issued its second warning about an expected “coordinated attack” on its social media accounts.

In June, Gordon Goner, pseudonymous co-founder of Yuga Labs, issued the first warning of a possible incoming attack on its Twitter social media accounts. Soon after the warning, Twitter officials actively monitored the accounts and fortified their existing security.
