TronWeekly

Crypto World News

You are here: Home / Archives for News / Cyber Security

Cyber Security

Critical Privacy Vulnerability can Jeopardize 21 million Metamask Users Data, says Researcher

by

Cryptographer and security analyst Alexandru Lupascu, the co-founder of OMNIA protocol, found Metamask vulnerable. During his recent research, he came across and pointed out that Metamask crypto wallet users could be in jeopardy and might lose all their digital assets.

In his recent medium article, he mentioned that he spent time with this team researching different NFT airdrop situations. They bumbled upon a scenario that could compromise the privacy of more than 21 million people.

“It’s quite a potent scenario, too, as it has the potential to be eight times more devastating than a Distributed Denial of Service (DDoS) attack. And I’m saying that after comparing it to some of the most notorious attacks to hit the news last year.”

Alexandru Lupascu

How dangerous is it?

Alexandru shows how a malevolent actor may create an NFT, transmit it to a victim, and acquire their IP address, putting their privacy at risk. This is a significant privacy flaw in the blockchain ecosystem that anyone may attack for as little as $50.

Do not undervalue the threat posed by IP leaks. Alexandru adds: if hostile actors obtain other information from the IP address (such as geolocation or GSM carrier), they may transform it into a physical threat, such as kidnapping.

Alexandru detailed how the invasion is carried out, from minting an NFT to sending it to the target, obtaining the victim’s IP address, and, finally, jeopardizing their privacy or stealing their crypto assets. He used the iOS Metamask software version 3.7.0 to test this attack, but it might also apply to Android.

Are the users safe now?

Alexandru identified the flaw in early December 2021, and after examining Metamask’s Mobile security policy, they contacted them on December 14, 2021.

They informed us that this is a known problem being addressed as part of a responsible disclosure schedule.

After the study went public, Daniel Finlay, the founder of MetaMask, verified the problem and pledged to resolve it as soon as possible. He also added, “Alex is right to call us out for not addressing it sooner. Starting work on it now. Thanks for the kick in the pants, and sorry we needed it.”

Cryptocurrency worth $400M sacked by N.Korean hackers

by

It has been reported that North Korean hackers stole nearly $400 million worth of digital assets through a minimum of seven attacks on cryptocurrency networks in 2021.

The blockchain data platform, Chainalysis reported that it was one of the most prosperous years for cyber-gangsters in North Korea. As reported, these attacks were primitively aimed at investment firms and centralized exchanges. The closed East Asian state started to launder the funds in custody only to cover up the theft.

In the report, Chainalysis said,

“From 2020 to 2021, the number of North Korean-linked hacks jumped from four to seven, and the value extracted from these hacks grew by 40%.”

The techniques and tactics used by the hackers had led many security investigators to identify cyber gangs for North Korea as advanced persistent threats (APTs). Techniques such as phishing lures, code exploits, malware, and advanced social engineering were used to drain funds out of the investment firms’ and exchanges’ internet-connected ‘hot’ wallets into Democratic People’s Republic of Korea (DPRK)-controlled addresses.

Rise of Lazarus Group linked to cryptocurrency crime

The Lazarus Group had first gained fame through its cyberattacks, in 2014, on Sony Pictures Entertainment. This hack was supposedly an act of revenge for ‘The Interview’, a satirical movie that mocked the leader Kim Jong Un.

Conforming to the report, since 2018, the Group has been involved in the theft and laundering of a huge amount of cryptocurrency every year, generally in an overflow of $200 million.

It is said that the hackers aim at an array of cryptocurrencies, with Bitcoin (BTC), accounting for only one-fourth of the embezzled wealth.

A panel of the United Nations (UN) monitoring sanctions on North Korea has reportedly charged Pyongyang with using embezzled assets to support its nuclear and ballistic missile programs as an out to dodge international sanctions.

Furthermore, in February 2021, the US had charged three North Korean computer programmers with an extensive hacking rampage that had targeted to steal more than $1.3 billion in capital and cryptocurrency.

The Department of Justice (DOJ) said that this cyberattack on cryptocurrency impacted firms from financial institutions to movie studios in Hollywood.

At the time of writing, Bitcoin (BTC) was priced at $43,098.27 with a daily rise of 0.69%.

India: Anonymous Hacker demands $1.4 million in cryptocurrencies via mail

by

An Indian-based private financial firm was issued an extortion threat through email demanding $1.4 million [11.63 crores] worth of coins in cryptocurrency by an anonymous sender. Terming the case to be ‘one of the rarest’ police in its investigation revealed that the firm’s officials had received the mail on November 28, 2021. Following this, it immediately safeguarded the data and subsequently filed a police complaint against the unidentified sender on 7th Jan 2022.

The police on condition of anonymity told a leading news outlet that the sender threatened the officials of the financial entity of deleting sensitive data by hacking into its database. The cops however refused to divulge details of the mail.

On the 8th of January 2022, in an interview with Times Now, Senior police inspector Bharat Jadhav said,

We have received a complaint on Friday and we have decided to check from where the email was sent to the company officials. It is however suspected that the mail has been sent after routing it from several servers. It is a case of threat and an attempt of extortion. the company official did not transfer any cryptocurrency to the suspect. We are probing as to how emails of senior officials were compromised.

Cryptocurrency-linked crime surged to a record high last year. According to a report by blockchain analysis firm Chainalysis, scammers took home a record USD 14 billion in crypto in 2021. So. what are the options available against such threats?

The legal course in India

In India, neither is cryptocurrency illegal nor is it regulated by any specific legislation yet.’

The first step that can be taken is to register a complaint with the local Cyber-Crime Investigation Cell [in the absence of access to such cell, a visit to the local police station is advised] and provide full details about the nature of the crime, the extent of the damage, and attach the relevant documents, data, and other information relevant to the complaint.

It has been noted that police in India often refrain from registering such cases. This is due to the fact that they are often not technically aware of the laws surrounding cryptocurrency. In such cases, the victims can approach the Indian Judicial Magistrate for filing their complaints and seeking justice under Section 200 of CrPC.

Another Crypto heist: LCX Exchange hacked for $6.8M

by

In the latest crypto swindle hitting the weekend, Liechtenstein-based LCX Exchange suffered a security breach in one of its hot wallets that took place in the early hours of 9 January 2022. Announcing the same via Twitter, the trading platform has detailed the exploit in a series of threads and stated that Ethereum blockchain-based assets such as ETH, USDC, EURe, LCX, and other coins have been moved out to an unknown wallet. Further, the firm assured that security measures are being deployed to protect other wallets and assets.

1
Another Crypto heist: LCX Exchange hacked for $6.8M 2

Blockchain security firm PeckShield Inc has identified the estimated loss to the tune of $6.8 million and provided the breakdown of the lost funds for a clearer picture. Security breaches like these are not new in the crypto ecosystem, As crypto-assets gained increased adoption in 2021, so did such incidents of hacks across centralized exchanges and the DeFi sector.

Crypto heist in 2021

Previously on December 12, 2021, Singaporean cryptocurrency exchange AscendEX, suffered a major security attack with cyber security firm PeckShield stating, an estimated $77.7 million has been lost. The new year too didn’t fare well for the DeFi community, as the decentralized trading platform Tinyman built on the Algorand network was subjected to an exploit causing a loss of roughly $3 million on the 1st of January 2022, according to researchers at PeckShield.

As stated in the blog post, the attacker was able to take advantage of some loopholes in the network’s smart contracts protocol that provided illegal access to pools from which they could extract tokens.

Based on the data compiled by the consumer website Comparitech, five of the 10 largest crypto thefts of all time have occurred in 2021. And these incidents may only continue to grow due to increased cryptocurrency usage, as per financial tech experts. Rebecca Moody, head of research at Comparitech noted,

What’s clear from the majority of these attacks this year is that it’s often a vulnerability that’s being exploited. With the industry growing at an exponential rate and relying on open source technology, this leaves platforms open to exploitation when hackers are able to find a weakness in the code.

Crypto Heist: Over $100M stolen from NFT market Vulcan forged

by

The latest victim to fall in yet another crypto heist is the non-fungible token [NFT] marketplace Vulcan Forged. Announcing the same, the NFT platform revealed nearly 148 wallets holding its PYR tokens have been compromised which entailed a loss of at least 4.5 million PYR coins or approximately $100 million USD. In a series of tweets, the forum also divulged the wallet address of the supposed hacker and said that the owner of the stolen funds might have ‘KYCd on an exchange’. Further, it stated its intention to switch into a ‘complete decentralized wallet set-up’ and assured all stolen PYR coins to be reimbursed through its treasury.

Crypto heist getting bigger with time

Security Breach like these are not new in the crypto ecosystem, but the worrying trend is the sheer size of these hacks increasing rapidly in the backdrop of the price surge in cryptocurrencies over the last year and its growing mainstream adoption. Previously on 12th December 2021, cryptocurrency exchange AscendEX had been drained off roughly $80 million funds from a hot wallet.

This is the second such high-profile hack that has affected a centralized cryptocurrency exchange since the beginning of this month. Likewise, on December 5th, Tronweekly reported a major hack that saw prominent trading platform Bitmart falling victim to a security breach that caused a loss of about $200 million in various cryptocurrencies. Following that, the exchange firm had temporarily suspended withdrawals, which it resumed after some days and reassured to refund users from its own funds.

During the last summer, an anonymous hacker or hackers siphoned off a staggering $600 million in crypto assets from Poly Network, a cross-chain Bridge provider, by exploiting a vulnerability in the platform before returning back the stolen funds following a request by the team of the Poly Network. According to the blockchain forensics firm Chainalysis, the alleged attacker claimed to have hacked “for fun :)” and that he or she took it as a challenge and released the following statement,

“I take the responsibility to expose the vulnerability before any insiders hiding and exploiting it!. I understood the risk of exposing myself even if I don’t do evil. So I used temporary email, IP or _so called_ fingerprint, which were untraceable. I prefer to stay in the dark and save the world.”

Indian PM’s Twitter handle hacked with a fake Bitcoin giveaway scam!

by

On December 12, in the wee hours of the morning, Indian Prime Minister Narendra Modi’s official Twitter account displayed a post declaring the nation had formally adopted Bitcoin [BTC] as a legal tender, and that the administration had purchased 500 BTC to “distribute” to its citizens. The tweet also had a link to a blog, which read, “The future has come today”.

About an hour later, another Tweet emerged from the official handle of the Prime Minister’s Office [PMO] clarifying that the PM’s Twitter account was restored after it was “very briefly compromised” and that the incident had been raised with the social networking firm.

However, Twitter did not specify the exact time at which Modi’s account was breached and when they were notified about the matter. In addition to that, there was no response with regards to the time taken to bring down the fake post, and if the social platform deploys any extra level of security standards for major public accounts such as those of political leaders, governments heads, and others.

In the meantime, sources at the Ministry of Electronics and Information Technology [MoE&IT] revealed that the Indian Computer Emergency Response System (Cert-In) would be launching a “full-scale investigation headed by a senior official” and will submit its report to the government agency shortly.

India’s tryst with fake bitcoin scams

The latest news comes after the incident where the Twitter account belonging to the Prime Minister’s personal website and app had sent out Tweets asking for donations for the Prime Minister’s Covid relief fund through cryptocurrency, back in September 2020.

A similar mass breach took place in July last year, when the social accounts of several leading personalities such as former president of the US Barack Obama, present president of the US Joe Biden, singer and rapper Kanye WestMicrosoft founder Bill Gates, and Tesla chief Elon Musk put out the same tweets asking people to deposit bitcoins on dubious links, promising double returns.

Even though several of these tweets were taken down, some of the accounts that were then compromised sent out these tweets again after some time, which indicates the severity of the attacks. Following the large-scale breach, Twitter said that ‘several of its employees who had access to internal systems had their accounts compromised in a coordinated social engineering attack, which resulted in the hack’.

Bitmart hacked; Estimated loss of $200M

by

Crypto exchange firm Bitmart suffered a large-scale hack incurring a total loss of approximately $200 million. The news was first brought to the attention by security analytics entity Pecksheild Inc who raised an alarm of the reported breach on Saturday night. Pechsheild sent out the tweet detailing the suspicious amount of outflows of a range of tokens that are valued at tens of millions of dollars, to an address called ‘Bitmart Hacker’.

Further, Peckshield researchers estimated the losses to be around $100 million in various cryptocurrencies on the Ethereum Blockchain, and $96 million on the Binance Smart Chain. The stolen funds have been siphoned off from a hot wallet using decentralized exchange aggregator 1inch to swap the assets and deposit into harder-to-trace privacy solution Tornado Cash. Initially Bitmart representatives refuted the news, terming the reports as ‘fake’ and claimed that the outflows were just routine withdrawals.

However, later founder and CEO Sheldon Xia admitted the incident to be a ‘large-scale security breach‘ in his official Twitter handle and stated,

We have identified a large-scale security breach related to one of our ETH hot wallets and one of our BSC hot wallets. At this moment we are still concluding the possible methods used. The hackers were able to withdraw assets of the value of approximately USD 150 million.

In a series of tweets, the Exec assured that the trading platform would be conducting a thorough security check and that all withdrawals would be temporarily paused until “further notice.” 

Recent Hack in Badger DAO

The crypto ecosytem has been a target of a never ending onslaught of malicious attackers and rug pulls. On December 2, 2021 the latest to come under attack was decentralized finance [DeFi] protocol, Badger DAO. The platform was under a cyber attack that led to a loss of around $120 million. Confirming the exploit, the Badger DAO team later acknowledged that all smart contracts on its platform have been suspended in an effort to stop any further potential malicious withdrawals.

Last November, liquidity platform MonoX finance too was reportedly drained $31 million worth of asset. Despite receiving two separate audits, the vulnerabilities in MonoX’s smart contracts were not identified.

Badger DAO Protocol hacked, team seizes all the accounts

by

The Badger DAO yield vault protocol, a mainstay of decentralized finance (DeFi), has been another victim to a hack, resulting in the loss of $10 million in the form of cryptocurrencies.

On Wednesday at 9 p.m. EST, users first noted potential issues and theft in the Discord of protocol.

The attack, according to community speculation, was caused by an exploit in the Badger.com user interface rather than in the core protocol contracts. Many impacted users claim that their wallet providers prompted illegitimate requests for additional permissions while receiving yield farming rewards and engaging with Badger vaults.

“It looks like a bunch of users had approvals set for the exploit address allowing [the address] to operate on their vault funds, and that was exploited.”

Badger’s core contributor Tritium on Discord states.

He added that as soon as the team noticed it, it froze all the vaults to prevent any movement. He kept on to say that the team is trying to figure out where the approvals came from, the number of people who have them, and what the next moves are. 

The team confirmed the hack on Twitter, saying that all smart contracts have been paused to seize further withdrawals. It added that the investigation is going on, and the team will release further information as soon as possible.

Badger loses over $10 million

Reports by various sites say that the Badger hack has taken around 185 WBTC, 64,000 veCVX, 136,000 cvxCRV, and many types of synthetic bitcoin from attacked wallets worth more than $10 million.

At the time of publication, Badger DAO’s token BADGER is already down by 19% and is trading around $22.16.

While most of the funds were lost on Wednesday night, the above-mentioned fake permission request may have been made days prior to the hack.

Despite the smart contracts being paused, the community members are advising the depositors to use tools like Debank and Unrekt to revoke permissions for the fake contract.

Hacks in the crypto industry have never been a new thing. Recently, Synapse Protocol lost over $8 million of funds during exploitation by malicious elements.

Another crypto hack; Synapse Protocol exploited, $8 million funds at risk

by

Synapse Protocol, known for its native token, the SYN token, is an automated market maker or simply AMM known for its trustless cross-chain bridge. Recently, according to the tweet by well-known Chinese crypto journalist Colin Wu, the “Synapse Protocol was exploited and lost approximately US$8 million.”

Synapse was introduced in the crypto space as the platform that would eradicate the need for a centralized exchange in the DeFi industry, allowing the users to become their own banks. However, it seems that the recent hack proves otherwise.

According to the Twitter account by the username “ricosoon”, the Chinese journalist made a mistake in reporting the exploit. It seems that the Synapse $8 million were not lost as the bridge is on hold. The bridges are the center of the Protocol and are responsible for the swapping of tokens.

Synapse bridges intact

According to “Ricosoon,” the problem wasn’t with the bridge or the bridge contracts but with the implementation of the AMM contracts “that a few different stableswaps used, forked from the Saddle.”

According to the statement by the developers on their Discord channel, the hacker tried to move the funds by converting them into USDC while the validators were not online. Upon this issue being noticed, the AMM contracts were all put to rest so that the vulnerability didn’t spread.

Furthermore, the Protocol notified Saddle, who also closed their bridges. As a result, “the validators, by consensus are now electing not to process this transaction as it was malicious against LPs and the network as a whole:~$8 million nUSD will therefore not be minted to the attackers’ address on the destination chain.”

It seems that the Synapse developers are now in control of the situation as they are working to re-deploy the pools ‘to an older, less-complex version’ of the bridge contracts, re-enabling liquidity, buying time to solve the issue, and restart the original bridges.

Such an increasing number of exploits in the blockchain industry is currently being reviewed by many protocols. The Polygon network was recently exploited by an arbitrary bot, turning 14 ETH into 218.5 ETH. Similar hacks also happened on the ThorChain network.

Binance mandates immediate KYC verification for all its services

by

Binance, one of the largest cryptocurrency exchanges in the world has been a lot in the news lately. The platform’s fallout with several regulators from all around the world has made the exchange the talk of the crypto-town. Further focusing on its security aspect, Binance decided to formulate new Know-Your-Customer [KYC] procedures.

The Changpeng Zhao-led exchange had been making headlines over the delisting of assets and closing of partnerships. Steering away from all the bad news, the platform started this week off on a good note. The exchange went on to hire the former US Treasury Criminal Investigator to look into the Anti-money laundering [AML] requirements of the platform. And, now the exchange is all set to ramp up its KYC system.

In a recent tweet, CEO CZ went on to share the blog post that had information pertaining to the latest KYC requirements of Binance. This was further followed by another message. The tweet read,

Binance to bolster its KYC requirements

The crypto exchange, in its blog post, noted that the existing users would have a slightly different set of rules compared to the new users. Elaborating on what the new users have to follow, the post read,

“Effective immediately, all new users are required to complete Intermediate Verification to access Binance products and service offerings, including cryptocurrency deposits, trades, and withdrawals.”

However, for existing users, if they haven’t completed their “Immediate Verification” they would have access to limited services as their accounts would go into “Withdraw Only” mode. This would include, withdrawal, order cancellation, position close, and redemption.

Soon after these users complete their verification, they would garner access to all the other services. The aforementioned Withdraw only service would take place until 19 October 2021.

Speaking about this unexpected change, the exchange stated,

“Binance reviews its products and services on an ongoing basis to determine changes and improvements in light of evolving global compliance standards.”