Wormhole hacker moves another $46M of stolen funds

February 13, 2023 Coin Telegraph

Wormhole hacker moves another M of stolen funds

Arbitrage

The Wormhole exploiter appears to be seeking arbitrage opportunities with Ethereum-pegged assets.

The ill-gotten crypto from one of the industry’s largest exploits is on the move again, with on-chain data showing another $46 million of stolen funds has just shifted from the hacker’s wallet.

The Wormhole attack was the third largest crypto hack in 2022 resulting from an exploit of Wormhole’s token bridge in February 2022. Around $321 million of Wrapped ETH (wETH) was stolen.

According to blockchain security firm PeckShield, the hacker’s associated wallet has become active once again, moving d $46 million worth of crypto assets.

This was made up of around 24,400 of Lido Finance-wrapped Ethereum staking token (wstETH), worth approximately $41.4 million and 3,000 Rocket Pool Ethereum staking token (rETH), worth about $5 million, which was moved to MakerDAO.

The hacker appears to be seeking yield or arbitrage opportunities on their stolen loot as the assets were exchanged for 16.6 million DAI, PeckShield reported.

The MakerDAO stablecoin was then used to buy 9,750 ETH priced at around $1,537 and 1,000 stETH. These were then wrapped back into 9,700 wstETH.

#PeckShieldAlert The Wormhole Network Exploiter 0x629e supplied $46M worth of cryptos, including 24.4k $wstETH ($41.4M) & 3k $rETH (~$5M), to MakerDAO for 16.6M $DAI & used them to buy 9.75k $ETH ($ETH at $1,537) & 1k $stETH ($ETH at $1,543), then wrapped them for ~9.7k $wstETH pic.twitter.com/BRfygHgpit
— PeckShieldAlert (@PeckShieldAlert) February 12, 2023

On Feb. 10, an on-chain sleuth observed that the hacker was “buying the dip.”

However, the price of Ethereum has since fallen below those levels over the past few hours. At the time of writing, ETH was trading down 2.6% on the day at $1,505 according to CoinGecko.

At the time of the transfers, stETH prices depegged from Ethereum and climbed as high as $1,570. They’re currently trading 2.4% higher than ETH at $1,541. Furthermore, wstETH also has depegged and rose to $1,676, 11.3% higher than the underlying asset.

The latest funds movement comes only a few weeks after the hacker moved another $155 million worth of Ethereum to a decentralized exchange on Jan. 24.

95,630 ETH was sent to the OpenOcean DEX and then subsequently converted into ETH-pegged assets including Lido’s stETH and wstETH.

Hacker Sent to Prison for Robbing Vietnamese Crypto Exchange

January 9, 2023 Bitcoin.com

Onchain Sleuths Discover Funds Linked to Alameda Swapped for ETH, USDT, BTC by a Mysterious Entity

December 28, 2022 Bitcoin.com

BNB Chain-Based Defi Protocol Ankr Suffers Major Exploit

December 2, 2022 Bitcoin.com

Breaking: Ankr confirms exploit, asks for immediate trading halt

December 2, 2022 Coin Telegraph

aBNBc

The decentralized-finance protocol said it is working with exchanges to immediately halt trading of its BNB staking rewards token, aBNBc.

BNB Chain-based decentralized finance (DeFi) protocol Ankr has confirmed it has been hit by a multi-million dollar exploit on Dec. 1.

The attack appeared to be first discovered by on-chain security analyst PeckShield at approximately 12:35 am UTC on Dec. 2.

Within an hour of the attack, Ankr confirmed on Twitter that the aBNB token has been exploited and that they’re working with exchanges to immediately halt trading of the compromised token.

Our aBNB token has been exploited, and we are currently working with exchanges to immediately halt trading.
— Ankr (@ankr) December 2, 2022

The attacker was purportedly able to mint 20 trillion Ankr Reward Bearing Staked BNB (aBNBc), a reward-bearing token for BNB staked on the protocol.

According to a Twitter post from on-chain analysis firm Lookonchain, the exploiter has since used services such as Uniswap, Tornado Cash, and various bridges to swap and obfuscate the funds in order to gain around $5 million worth of USD Coin (USDC).

It also added in a following post that “all underlying assets on Ankr Staking are safe at this time, and all infrastructure services are unaffected.”

Seems that @ankr got hacked an hour ago!

The exploiter minted 20T aBNBc and dumped it on #PancakeSwap.

At present, the exploiter have successfully exchanged more than 5 million $USDC.https://t.co/hF1tgNYw0t pic.twitter.com/XIPjBi6wvs
— Lookonchain (@lookonchain) December 2, 2022

In comments to Cointelegraph about the attack, blockchain security firm Beosin suggested the exploit was likely the result of vulnerabilities in the smart contract code combined with compromised private keys, which may have come from a technical upgrade by the Ankr team about 12 hours ago.

Beosin also noted that the mass minting episode caused the price of aBNBc to fall 99.5% from $303.89 to $1.53 in a matter of hours, according to data from CoinMarketCap.

@ankr has been exploited. $aBNBc has dropped -99.5%.
The hacker minted tons of $aBNBc and made a profit of 5,500 BNB (~$1.6 million)
The deployer changed the implementation contract to the vulnerable contract address before the attack (possibly due to private key compromise). pic.twitter.com/GJheXh0oDp
— Beosin Alert (@BeosinAlert) December 2, 2022

“It is possible that the deployer’s private key was exposed in this upgrade, leading to an attacker using deployer privileges to modify the contract,” a Beosin spokesperson told Cointelegraph.

In a Dec. 2 Twitter post, crypto exchange Binance also confirmed its team is engaged with relevant parties to investigate the matter further, adding that Binance's user funds are not at risk.

We are aware of the attack targeting @ankr's aBNBc token. Our team is engaged with the relevant parties and @BNBCHAIN to investigate further.

This is not an attack against #Binance, and your funds are SAFU on our exchange. This thread will be updated should there be any updates.
— Binance (@binance) December 2, 2022

Cointelegraph contacted Ankr when the exploit was first discovered but did not receive an immediate response.

Sam Bankman-Fried Interview Reveals Dark Donations to Republicans, FTX’s ‘Poorly Labeled Accounting’

November 30, 2022 Bitcoin.com

Sam Bankman-Fried reveals the circumstances behind Bahamian withdrawals

November 30, 2022 Coin Telegraph

000

The former FTX CEO has explained why the exchange only reopened withdrawals for Bahamian citizens shortly before filing for bankruptcy.

FTX’s former CEO Sam Bankman-Fried has divulged what really went on in the days before it filed for bankruptcy when the exchange selectively reopened withdrawals — only for Bahamian users.

In a telephone interview with crypto blogger Tiffany Fong, dated Nov. 16, Bankman-Fried claims to have made the decision to reopen withdrawals to Bahamian citizens as he did not want himself, nor the exchange, to be in a country “with a lot of angry people in it.”

“The reason I did it was it was critical to the exchange being able to have a future because that’s where I am right now, and you do not want to be in a country with a lot of angry people in it and you do not want your company to be incorporated in a country with a lot of angry people in it,” he said.

Bankman-Fried claims he gave Bahamian securities regulators a “one-day heads up” that FTX was going to do it, but said the regulator neither responded with a “yes or no,” before he ultimately decided to go ahead with allowing withdrawals.

“So it was realistically speaking, it’s shitty, but [...] the pathway for FTX involved Bahamians not being pissed at it.”

The now-defunct crypto exchange initially halted all withdrawals on Nov. 8 as a result of liquidity issues.

On Nov. 10, only a day before it filed for bankruptcy, the exchange noted it had begun to facilitate withdrawals of Bahamian funds. At the time, it claimed that it was in compliance with the demands of the country’s regulators — leading to millions of dollars worth of funds extracted from the exchange.

However, the Securities Commission of The Bahamas (SCB) threw a wrench into FTX’s narrative, stating on Nov. 12 that it had neither instructed nor authorized FTX to prioritize withdrawals of Bahamian clients.

They also warned that any withdrawal of funds could be clawed back as part of the firm’s liquidation proceedings.

Cointelegraph contacted the SCB for confirmation on if it had received communication from FTX prior to the exchange’s withdrawals reopening, and what its response was at the time. The SCB did not immediately respond.

Audio from my first interview with Sam Bankman-Fried. SBF talks bankruptcy, the alleged “backdoor,” donations to the Democratic Party, Ukraine money laundering rumors, the hack, Alameda’s margin position on FTX, using FTT as collateral & more. https://t.co/qVfUv6dhww
— Tiffany Fong (@TiffanyFong_) November 29, 2022

In his most recent interview with Fong, Bankman-Fried denied the move was to facilitate withdrawals by people within FTX after Fong suggested that this is how it was being seen.

“Oh it wasn’t insider withdrawals, this was trying to create a regulatory pathway forward for the exchange.”

SBF was hot on FTX hacker’s trail

The former FTX CEO also noted during the Nov. 16 interview that he was close to finding out the identity of the FTX hacker, who is understood to have stolen over $450 million worth of assets soon after the exchange filed for bankruptcy on Nov. 11.

“I don’t know exactly who because they shut off all access to the systems when I was halfway through exploring it. I’ve narrowed it down to eight people. I don’t know which one it was but I have a pretty decent sense.”

Bankman-Fried said he believes it was “either an ex-employee or somewhere someone installed malware on an ex-employee’s computer.”

In a separate, more recent interview with Sam Bankman-Fried by Axios on Nov. 29, the former FTX CEO has revealed he only has around $100,000 left in his bank account as of today.

This is despite Bankman-Fried being worth an estimated $26 billion at his peak.

Bankman-Fried claims that he had “basically everything” tied up in the now-bankrupt company.

"I mean, I have no idea. I don't know. I had $100,000 in my bank account last I checked," he said.

Hacker