1. Home
  2. Kraken Security Labs

Kraken Security Labs

Hijacking an NFT’s Media — No Coding Required

NFTs are only as secure as their creator makes them. As with any emerging technology, taking shortcuts in the design stages can have disastrous consequences down the line. Kraken Security Labs scanned thousands of smart contracts on the Ethereum blockchain to take advantage of vulnerabilities…

The post Hijacking an NFT’s Media — No Coding Required appeared first on Kraken Blog.

Planning Ahead: Cosmos Health Looks to Add Bitcoin and Ethereum to Its Treasury

Vulnerable: Kraken reveals many US Bitcoin ATMs still use default admin QR codes

Kraken has urged BATMTwo ATM owners and operators to change the admin QR code for their ATMs to avoid potential attacks.

Kraken Security Labs has said that a “large number” of Bitcoin ATMs are vulnerable to hacking as the administrators never changed the default admin QR code.

In a Sept. 29 blog post, Kraken posted research from its Security Labs team which found that there are “multiple hardware and software vulnerabilities” in the General Bytes BATMTwo ATM range.

“Multiple attack vectors were found through the default administrative QR code, the Android operating software, the ATM management system and even the hardware case of the machine,” the post read.

Kraken’s security team stated that if a hacker gets their hands on the administrative code, they can essentially “walk up to an ATM and compromise it,” while also highlighting issues with the BATMtwo’s lack of secure boot mechanisms, as well as “critical vulnerabilities” in the ATM’s management system. However, General Bytes has reportedly already alerted ATM owners to the vulnerabilities:

“Kraken Security Labs reported the vulnerabilities to General Bytes on April 20, 2021, they released patches to their backend system (CAS) and alerted their customers, but full fixes for some of the issues may still require hardware revisions.”

The team also found that it was able to gain full access to the Android operating system behind the BATMTwo ATM by simply attaching a USB keyboard to the machine, and warned that “anyone” could “install applications, copy files or conduct other malicious activities.”

General Bytes is headquartered in the Czech Republic and, according to Coin ATM Radar, there are currently 6391 General Bytes ATMs installed worldwide, which represents 22.7% of the global market. However, those figures also account for BATMThree machines which weren’t reported on by Kraken.

The majority of the BATM ATMs are located in the U.S. and Canada, with a combined figure tallying in at around 5300, while Europe has around 824 ATMs installed.

Kraken is calling on BATMTwo owners and operators to change the default QR admin code, update the CAS server and place the ATMs in visible locations for security cameras.

Related: El Salvador ranks third in global Bitcoin ATM installations, data finds

Bitcoin ATM scams

While reports of hacked Bitcoin ATMs appear to be minimal, there is a history of crafty individuals building scams around crypto ATMs.

In March of 2019, the Toronto Police issued a public statement calling on the community to locate four men suspected of carrying out a series of “double-spending” transactions that fetched $150,000 worth of funds over a 10-day window. Double spending consists of canceling transactions before the ATM has had a chance to confirm but keeping the dispensed cash.

The Oakland Press reported on June. 22 of this year that two women from Berkley were scammed out of a combined $15,000 after fraudsters posed as public safety officers and federal employees. The scammers reportedly told the victims that they had outstanding warrants and tax violations, and ordered them to pay fines via local Bitcoin ATMs in the area.

And Malwarebytes posted research in August which uncovered a trend of gas station Bitcoin ATM scams in which threat actors would post fake jobs listings to dupe applicants into money laundering.

Planning Ahead: Cosmos Health Looks to Add Bitcoin and Ethereum to Its Treasury

Abusing Smart Contracts to Steal $600 million: How the Poly Network Hack Actually Happened

On August 10, a hacker stole more than $600 million through Poly Network and a bizarre series of events unfolded in the aftermath. In this article, Kraken Security Labs dives into the technical details of how the attacker was able to steal such a large…

The post Abusing Smart Contracts to Steal $600 million: How the Poly Network Hack Actually Happened appeared first on Kraken Blog.

Planning Ahead: Cosmos Health Looks to Add Bitcoin and Ethereum to Its Treasury

Email spoofing is not a thing of the past

Kraken, like any popular service, has clients that are targeted by scammers who try to send phishing emails from @kraken.com email addresses. You should never see this form of spoofed email because it should be rejected by mail providers like Gmail because their  servers will…

The post Email spoofing is not a thing of the past appeared first on Kraken Blog.

Planning Ahead: Cosmos Health Looks to Add Bitcoin and Ethereum to Its Treasury

Alert: Modified hardware wallets spotted in the wild

Last week someone on the Ledger subreddit reported receiving an unsolicited package with a Ledger Nano X along with a  letter from “the CEO” of Ledger. The scam tries to trick people into migrating their crypto holdings onto the new, modified device. Kraken Security Labs…

The post Alert: Modified hardware wallets spotted in the wild appeared first on Kraken Blog.

Planning Ahead: Cosmos Health Looks to Add Bitcoin and Ethereum to Its Treasury

Wallet Security 101 – How To Store Your Coins

It goes without saying that there is A LOT going on in crypto. Whether it’s bitcoin hitting new all-time highs, DeFi exploding, or NFTs becoming all the rage, we know there is plenty on your mind. But have you recently thought about how you’re storing…

The post Wallet Security 101 – How To Store Your Coins appeared first on Kraken Blog.

Planning Ahead: Cosmos Health Looks to Add Bitcoin and Ethereum to Its Treasury