Ethereum took center stage in a recent cyber incident reported on December 27, as the Thunder team acknowledged the occurrence of an exploit on its trading platform. This security breach led to the loss of 86 Ethereum and 439 SOL. The hacker responsible for the attack asserted ownership of user data, specifically private keys, and stated an intention to delete it.
Despite the hacker’s assertions, the Thunder team asserted that the protocol does not store keys or wallets, rendering the threat irrelevant. Assuring affected users, the team pledged to refund funds and provide a fee waiver of 0%.
Crypto enthusiasts witnessed another security breach in the crypto market as Thunder, a DeFi protocol operating on Ethereum, Solana, and other blockchain networks, acknowledged an exploit on December 27. The trading platform addressed the suspicious withdrawals that occurred in the early morning hours, promptly stopping the unauthorized activity within nine minutes.
Ethereum Heist: Hacker Snatches 86.5 ETH And 439 SOL Worth $239,000 From Thunder
The perpetrator managed to abscond with 86.5 Ethereum and 439 SOL, valued at over $239,000. Thunder revealed that the hacker exploited a vulnerability by gaining access to a MongoDB connection URL, enabling them to extract session tokens and conduct unauthorized withdrawals on behalf of users.
Although the Thunder team acknowledged that 114 out of the 14,000 wallets on the platform were affected, the hacker insisted on holding user data related to private keys, with an intention to delete it. The team, however, refuted the possibility of such deletions, emphasizing the security of users’ assets.
The Thunder team dismissed the threat posed by the exploiter, asserting that
“No private keys nor wallets were compromised…We do not store any private keys, so the attacker does not have access to any wallets. Desktop wallets were not affected. Less than 1% of wallets on our platform were affected as a result of this attack.
Additionally, the team affirmed that they have initiated communication with the Federal Bureau of Investigation (FBI) and expressed a willingness to engage in negotiations with the exploiter. Failure to reach an agreement would prompt the team to pursue legal action.
In a final assurance to users, the team emphasized the security of their assets. Affected users were notified that the lost funds would be fully refunded, and they would benefit from a fee waiver of 0% along with $100,000 in credits.
The Thunder exploit potentially marks the concluding security breach of 2023, a year that has already witnessed the misappropriation of over $2 billion in assets. Notably, the most substantial attack was reported by the blockchain security consultancy firm Mixin Network, resulting in a loss exceeding $200 million in digital assets.