TronWeekly

Crypto World News

You are here: Home / Archives for Hackers

Hackers

Beyond Lazarus – North Korea’s”Dark Army” Stealing BILLIONS in Crypto

by

  • Lazarus Group, part of DPRK’s RGB, orchestrates major hacks, including Sony and Bank of Bangladesh, demonstrating high technical skill.
  • TraderTraitor’s WazirX and Bybit hacks show a pattern: social engineering and malicious code to seize cold wallet control.
  • FBI’s dedicated unit tracks DPRK hackers; experts urge strong security measures like 2FA and password managers for protection.

The bybit hack by North Korea’s Lazarus, deemed as “the biggest hack in the history of crypto,” sparked a huge outcry as no one expected such level of technical prowess from the state-funded actors. Samczsun, a pseudonymous “crypto white hat hacker,” believes it is crucial to understand how the DPRK hackers operate, and know their tactics and procedures to mount safety guardrails.

The Lazarus group is a part of the Reconnaissance General Bureau (RGB), which belongs to the Korean People’s Army (KPA). The RGB manages all North Korean cyber warfare, including the hacks in the cryptocurrency industry.

Besides Lazarus, RGB has other threat actors like AppleJeus, APT38, DangerousPassword, and TraderTraitor. The Lazarus group first came into notoriety in 2014 after the Sony Pictures Entertainment (Sony) hack. Enraged by Sony’s film on Kim Jong Un, the group stole terabytes of data and deleted the original copies.

North Korea’s Cyber Command Structure

Then in 2016, Lazarus compromised the Bank of Bangladesh’s internal network to access the SWIFT network and initiate transfer requests to the New York Federal Reserve, looting almost 1 billion USD. In all these incidents, the hacker group has shown a high level of technical adeptness before turning their attention to the cryptocurrency industry.

Lazarus
Source: ardizor

During this time, the DPRK cyberactivity industry began assigning different activities to these threat actors. For instance, APT38 targeted banks first in 2016, then cryptocurrency later. Then, in 2018, AppleJeus started spreading infected malware targeting cryptocurrency users.

Since 2023, AppleJeus began mounting complex supply chain attacks and later evolved into impersonating a trusted contractor. Likewise, Dangerous Password employed social engineering-based attacks within the cryptocurrency industry. However, the most lethal among them is TraderTraitor, which exclusively preys on exchanges and other companies with big reserves (Axie Infinity and Rain.com).

TraderTraitor’s Cold Wallet Tactics

In the recent WazirX hack, this threat actor tricked engineers into signing a transaction that transferred control of their cold wallet over to them. This attack resembles the Bybit hack, where TraderTraitor first breached the Safe Wallet infrastructure via a social engineering attack before sending malicious JavaScript to the cold wallet. 

When Bybit attempted to rebalancing their wallets, the malicious code was triggered, deceiving engineers to sign a transaction and hand over control of their cold wallet. Such brazen attacks have put TraderTraitor at the forefront of security agencies.

Countering the Threat

The FBI has established a separate unit to track and prevent these intrusions and has been conducting victim notifications for years now. Security experts like Samczsun, part of the SEAL 911 emergency response team, have actively worked with federal agents to identify and protect potential DPRK targets. 

With looming threats, on-chain sleuths recommend using a password manager and 2FA as the first line of defense against such increasingly sophisticated attacks.

FTX Hackers Resurge: $400 Million Heist Revisited Amid Trial Drama

by

In recent weeks, the still-unidentified hackers responsible for the staggering theft of over $400 million from FTX and FTX US in November have resurfaced. Their actions have raised concerns, with some speculating that they are using the media attention surrounding Sam Bankman-Fried’s fraud trial as a smokescreen to further obscure their illicit activities.

CertiK’s Director of Security Operations, Hugh Brooks, suggests that the hackers may be taking advantage of the trial’s hype to divert attention away from their movements with the stolen funds from FTX. This raises serious questions about the security measures in place within the cryptocurrency ecosystem and the ongoing battle against cybercriminals.

Optimism Amid FTX Hacker’s $16.75 Million Stash

On-chain data from Spot On Chain paints a concerning picture. The hacker recently reactivated their wallet after a prolonged dormancy period. This wallet now contains a substantial sum of $16.75 million worth of Ether. What’s more alarming are the two large transactions involving 2,500 ETH each, valued at $4 million each. Such transactions are typically associated with selling activities, and this could have a significant impact on the price of Ethereum (ETH), potentially affecting smaller investors.

F7P8GgGaAAANUUA
Source: X

At the same time, there is optimism in the cryptocurrency market, as the launch of various Ethereum exchange-traded funds (ETFs) in the United States is on the horizon. Several companies are eagerly awaiting approval from the U.S. Securities and Exchange Commission (SEC), which may grant accelerated approval for up to nine ETF products on October 2nd. This development has the potential to drive a bullish trend in the price of ETH, making it a lucrative target for both legitimate investors and cybercriminals alike.

The FTX hack and the subsequent movement of stolen funds serve as a stark reminder of the vulnerabilities in the crypto space. While regulatory bodies work towards providing a more secure environment for investors, the presence of hackers using high-profile distractions to conceal their activities is a clear indication of the challenges that lie ahead. As the cryptocurrency market continues to evolve, stakeholders must remain vigilant and prioritize security measures to protect against threats posed by hackers seeking to exploit the system.

Crypto Hack Downturn in Q1: A Momentary Respite, Cautions Blockchain Firm

by

Despite a substantial decrease in crypto hacks in the first quarter of 2023, the crypto community is being cautioned against lowering their vigilance. One company has advised that this decline is likely to be a momentary relief rather than a persistent trend.

According to a report by Chainalysis earlier this year, the previous year witnessed the highest level of crypto hacking in history, resulting in an approximate theft of $3.8 billion. The majority of these illicit activities targeted decentralized finance (DeFi) protocols and were attributed to attackers associated with North Korea.

Nonetheless, there has been a significant decline in these figures during the initial quarter of 2023. As per a report from TRM Labs on May 21, the total amount pilfered through crypto hacks in Q1 2023 was notably lower than any quarter observed in 2022.

image 72 2
Crypto Hack Downturn in Q1: A Momentary Respite, Cautions Blockchain Firm 4

The average size of crypto hacks experienced a significant drop of nearly 65% compared to the same period in the previous year. However, caution is advised as historical data indicates that crypto users should not become complacent. In Q3 2022, crypto hacks saw a notable decline, only to be followed by a surge in “a record-setting number of hacks” in Q4, which ultimately made 2022 a record-breaking year, according to TRM Labs.

Unfortunately, TRM Labs suggests that this current slowdown is likely a temporary break rather than a lasting trend. The scales could tip once again with just a few large-scale attacks. While no clear explanation for the lull has been identified, TRM Labs speculates that the U.S. Treasury’s sanctions on cryptocurrency mixer Tornado Cash and the arrest and charges against Avraham Eisenberg, the exploiter of Mango Markets, may have acted as deterrents for potential hackers.

In January, Certik, a blockchain security firm, expressed its belief to Cointelegraph that there would be no relief from exploits, flash loans, or exit scams. They highlighted the probability of hackers making additional attempts to target bridges in 2023. It is noteworthy that bridges were involved in six out of the ten largest exploits in 2022, resulting in a total theft of approximately $1.4 billion.

Crypto Mixer Tornado Cash Suffers Attack

Not everyone within the community is in agreement about the proposed plan, which aims to restore governance of Tornado Cash to token holders. Some individuals hold differing opinions regarding the plan’s intentions and whether they are beneficial.

Following a recent attack on the decentralized autonomous organization’s (DAO) governance state, the Tornado Cash token (TORN) has experienced a 10% increase in value. This surge comes as a proposal was submitted by a wallet address associated with the attacker, aiming to reverse the harmful modifications made.

In the Tornado Cash community forum, user Tornadosaurus-Hex mentioned that the attacker has posted a new proposal, expressing optimism about its execution. According to Tornadosaurus-Hex, the attacker intends to reset the TORN tokens they had obtained, which granted them significant control over governance votes, back to zero.

Once the voting period concludes on May 26, the proposal is expected to pass considering the attacker’s significant holdings of TORN governance tokens. However, the exact timing of the proposal’s implementation remains uncertain. Upon approval, the malicious code integrated into the protocol by the attacker, which enabled the theft of voting power from others, will be removed. Consequently, governance control of Tornado Cash’s DAO will be returned to token holders.

CoinGecko data indicates that TORN experienced a surge of up to 10% in value but subsequently stabilized. 0xdeadf4ce, an active member of the TORN community, raised the possibility that this entire situation could be an elaborate scheme (“gigatroll”) aimed at depressing the token’s price and allowing the attacker to acquire more tokens at a discounted rate.

Despite lacking the ability to make a choice regarding this proposal, Tornadosaurus-Hex emphasized its significance and relevance.

The attacker behind this exploit is leveraging the distinction between structural attacks on DAOs and DeFi protocols, which involve manipulating the code rather than directly breaching it. Unlike traditional hacks, these types of attacks have led to legal charges. However, in this case, the attacker is likely capitalizing on the fact that Tornado Cash was recently classified as a sanctioned entity, potentially hoping to exploit the associated complications or loopholes.

Binance’s Security Team Uncovers 2 KyberSwap Hackers

by

Crypto exchange Binance has unearthed two suspects believed to be the hackers behind the $265k pilferage of the decentralized exchange KyberSwap. The dex built on liquidity protocol Kyber Network fell victim to a frontend exploit on Sept. 1.

After noticing “suspicious element, the protocol reportedly shut down its frontend at 8:24 AM UTC on the same date. Upon further investigation, it discovered “a malicious code” in its Google Tag Manager, which targeted “whale wallets with large amounts,” allowing the hacker to transfer funds to different addresses.

“The attack was identified and put a stop to after 2 hours of investigations,” Kyber Network tweeted. “This attack was an FE exploit and there is no smart contract vulnerability.”

On the same day, the protocol published a post updating users that it will compensate all fo the missing funds related to the exploit, and also sent out a message to the attacker that it had identified its addresses and all its suspected interactions.

Asking the hacker to contact them, the KyberSwap team offered a bug bounty of 15% which comes to roughly $40k of the total exploited funds.

Binance too began its own separate investigation and identified two suspects responsible for committing the online robbery. CEO Changpeng Zhao a.k.a CZ announced that the intel had been sent to the Kyber team and was also in touch with law enforcement agencies.

Community Members Praise Binance’s Action

Lauding Binance‘s proactive action, one community member likened the platform’s act to the role of a big brother.

Binance is now playing the role of a big brother in the crypto space. Binance has gone beyond securing its platform to securing the entire crypto ecosystem. There’s no other platform that has the will or the resources to help the crypto industry like Binance. Binance is doing well.

The biggest crypto exchange in terms of trading volume has recently come forward in helping Curve Finance users by recovering crypto assets worth about $450,000 stolen. The funds represented about 83% of the total amount stolen from users. 

Sharing the update, CZ also noted that the Curve Finance hacker transferred the stolen stash to Binance using different techniques to avoid the exchange’s security. However, the firm identified the transactions and froze the assets. 

Hackers Drain 183 ETH From DeFi Project ‘ForceDAO’

by

A relatively new decentralized finance or DeFi project called ForceDAO reportedly suffered an attack by five hackers on the wee hours of Sunday. The exploit of xFORCE’s contract is yet another reminder of how a seemingly massive inflow of money poured into a few hour-old initiatives by FOMOed investors of the sector can have serious consequences.

Another New DeFi Protocol Exploited

In the latest attack, the exploiters reportedly drained and liquidated a total of 183 ETH [ almost $367K] worth of FORCE tokens. Force’s xFORCE contract was hacked and drained by a white hacker. As explained by Polymath Lab’s blockchain team lead, Mudit Gupta, one of the five hackers reportedly returned some amount of stolen funds.

As per the post-mortem analysis published by the portal of the DeFi platform, the hackers were able to deposit FORCE tokens that would fail the “transferFrom call and receive xFORCE tokens”, as the xFORCE contract expects a revert from the token but instead receives false.

Alberto Cevallos noted that the entire episode could have been dodged by using a standard Open Zeppelin ERC-20 or adding a safeTransferFrom wrapper in the xSUSHI contract.

Cevallos also went ahead and stated that the platform takes complete responsibility for the “engineering oversight” and has started processes to make sure any such incidents are mitigated in the future. He also added,

“We also want to thank the White Hat hacker who helped deter further FORCE tokens from being drained. We have a bounty for you. All funds on our platform are safe, only xFORCE was affected.”

As part of the processes to alleviate concerns surrounding future exploitation, the DeFi hedge fund will now have a snapshot and also a new token. Cevallos announced that the necessary steps for internal re-structuring have commenced and a pland will be unveiled over the coming days making any affected FORCE holders and LPs whole.

Earlier the DeFi protocol’s developers had announced the airdrop of its FORCE tokens, which had lost 90% of its value after the attack, to users of other protocols. This decision was made to ensure a fair launch and lure in users to their platform. According to reports, a total of 25 million FORCE tokens were to be airdropped over a period of a month to those staking on Aave, Alchemix, Badger, Balancer, Curve, Maker DAO, Synthetix, Sushi, Vesper, and Yearn Finance.

Hackers Demand $4.5 M In Bitcoin Following Ransomware Attack on Travel Management Firm

by

US-based travel management company CWT paid $4.5 million worth of bitcoin in ransom to hackers this week who stole confidential corporate data, as Reuters reported yesterday (July 31). The hackers claimed to have encrypted files on 30,000 computers and uploaded 2 terabytes data from the company system.

The attack hit the business last week and it is reported that hackers used Ragnar Locker, a form of ransomware that encrypts computer files and keeps them inaccessible till the victim pays for access restoration.

Reuters said that they obtained the specifics of the negotiations between CWT representative and unidentified hackers from the publicly viewable chat room where hackers initially demanded $10 million as ransom before settling for $4.5 million. The first hint of a hack and ransom was posted on twitter by independent malware hunter @JAMESWT.

In a statement, CWT confirmed the cyberattack and said “We can confirm that after temporarily shutting down our systems as a precautionary measure, our systems are back online and the incident has now ceased’. CWT further added that U.S. law enforcement and the European data protection authorities had been immediately informed. Although the investigation is at an early stage, there is no evidence that customer’s personal and travel information has been compromised.

 Huge rise in hacking attacks

Various research indicates that both the number of ransomware attacks and the percentage of payment attacks are increasing annually. Attackers today often threaten large companies and demand massive payments. There are a lot of things that malware can do after the victim’s device has been taken over, the most common action is to encrypt some or all of the user’s data. Perhaps that’s why more ransomware victims are complying with their cyber attackers’ demands by handing out cash to decrypt encrypted data than ever before.

Twitter accounts of several famous figures, including Barack Obama, Elon Musk, Bill Gates, Jeff Bezos, were hacked on July 15, 2020. The tweeted message said that every bitcoin sent to the link in the tweet would have a doubled return. Fake tweets promised $2,000 for every $1,000 sent to Bitcoin. Although the hack was detected in hours, data from open blockchain records showed that a hacker could earn up to $120,000 in a short time frame.

17-Year-Old Teenager in Florida Accused of Setting up Twitter Hack

by

Federal agents arrested a 17-year-old teenager for allegedly masterminding the high-profile July 15 Twitter hack that left many high-profile Twitter accounts in jeopardy. High profile personalities affected by the major cyber attack include Bill Gates, Elon Musk, Kanye West, Barack Obama, and Joe Biden.

The hack raked in around $120,000 in Bitcoin from victims who unknowingly were lured to transfer their funds, with the false promise of doubling the amount. The Tampa teenager arrested in Florida faces 30 counts of felony and has been investigated by the Federal Investigation Bureau (FBI), the Secret Service and the Florida police.

https://twitter.com/TwitterComms/status/1289267856333402112

Two more Twitter hack suspects identified

According to a media agency in Florida, WFLA-TV, Graham Ivan Clark, the alleged Twitter hack mastermind, is believed to have obtained access to Twitter’s backend, taken over a few high-profile accounts and tweeted on their behalf to promote a fake bitcoin giveaway scam. Hillsborough State Attorney Andrew Warren has announced the charges against the teenager.

Moreover, hours after Warren’s press conference, the United States DoJ announced additional charges against two other persons suspected to have been involved in the Twitter hack. The second suspect, named Mason Sheppard, aka “Chaewon, is a 19-year-old from Bognor Regis in the United Kingdom; while the other is Nima Fazeli, aka “Rolex,” a 22-year-old from Orlando, Florida. However, the DoJ did not specify whether the two other suspects were arrested.

Twitter working to improve its security protocol

Notably, the massive Twitter hack reportedly used Twitter’s internal administration tool to access celebrity accounts. In addition, reports suggest that an inside man working with Twitter has been paid to grant access to the perpetrators. According to the New York Times, the insider was identified as “Kirk,” who sold the internal administrative tool to different cyber attackers.

In its efforts to prevent such an incident from occurring in the future, Twitter noted that it would “accelerating several of our pre-existing security workstreams and improvements to our tools” and also improve its procedure for identifying and stopping unwarranted access to its backend.

 

Hackers Steal $3.1 Million in Bitcoin From Crypto Exchange Cashaa

by

The U.K.-based crypto exchange, Cashaa, claims that hackers stole 336 bitcoins worth about $3.1 million from the exchange. The exchange firm has now halted all cryptocurrency transactions, such as withdrawals and deposits, in order to pave the way for security breach investigations.

Cashaa revealed through a tweet that the attacker hacked one of their wallets on Blockchain.com. The wallet is used to maintain the BTC and to make transfers to the crypto exchange platform. It is believed that the hacker has embedded malware into one of Casha’s computer systems.

Crypto exchange Cashaa attack took 3 minutes

Moreover, as one of the employees accessed the computer on July 10 to validate two separate transactions, the attacker swooped in, getting away with 336 Bitcoins worth approximately $3.1 million under the current market price. The incident took place within three minutes, between 1:23 pm and 1:26 pm. The CEO of Cashaa, Kumar Gaurav, reportedly told media outlets that:

“We are still investigating the damage caused by the incident and suspend all withdrawals for 24 hours. We have called the board meeting to decide whether the company will bear all the losses.”

Cashaa CEO wants exchanges that allow transfer of stolen funds to be shut down

According to Cashaa crypto exchange, the funds were transferred to this bitcoin address: 14RYUUaMW1shoxCav4znEh64xnTtL3a2Ek. There are some suggestions that the crypto mixing software is being used to transfer the stolen BTC; to confine the digital trails. Cashaa also suspects that the perpetrator is from East Delhi , India, and has therefore filed a report with the Delhi Police Cyber Crime Department.

In addition, Cashaa has reported the address involved to all crypto exchange platforms in an attempt to prevent the hacker from spending the stolen crypto. Through a statement directed at exchanges that permit stolen funds transactions; Guarav said attackers are assured of hacking cryptocurrency addresses and moving the funds via these exchanges.  Gaurav also noted the need to shut down these platforms and charge owners for money laundering.

Ransomware Attackers Targeting Nicki Minaj, Le Bron, and Mariah Carey

by

Notorious ransomware attackers, the REvil Group, have made another move; this time around, the group is threatening to leak sensitive personal information about the basketball player Le Bron James and the global artists Nicki Minaj and Mariah Carey.

The ransomware attackers noted that the auction of the information would commence on July 1, 2020. Notably, the REvil ransomware scheme threatened to auction sensitive information about musician Madonna last month. Files containing personal details about the two artists and the NBA star will be auctioned beginning at $600,000 according to a Variety report.

Ransomware attackers personal data auction

REvil claimed that it would sell information belonging to Bad Boy Records, MTV, and Universal. The auction for Bad Boy Records will begin at $750,000, while the auction for MTV and Universal will begin at $1 million. In addition, all payments will be transferred using Monero altcoin, which focuses on privacy.

As per the Variety report, the ransomware attackers claimed through a press release that it has files containing “contracts, agreements, NDA, confidential information, court conflicts [and] internal correspondence with the firm.” Moreover, the post stated:

“Show business is not concerts and love of fans only—also it is big money and social manipulation, mud lurking behind the scenes and sexual scandals, drugs, and treachery.” 

REvil also targeted the famous showbiz lawyer Allen Grubman and his law firm, Grubman Shire Meiselas & Sacks, on 14 May. The ransomware attackers called for a $42 million ransom; it leaks sensitive information about the U.S. President Donald J. Trump, pop musician Lady Gaga, Barbra Streisand. On May 18, the group also said that Madonna’s dirty secrets would leak.

REvil has been ‘successful’ in leaking sensitive info before

REvil Group would previously demand ransom in bitcoin but later opted for Monero, which is difficult to trace the digital footprints. According to Darkowl.com, the ransomware attackers have been successful in what it does. On May 14, the REvil leaked more than 3,000 personal files, containing expense reports and confidentiality agreements, belonging to singer Lady Gaga.

Hacking Group Robbed Nearly $200M From 5 Exchange Platforms

by

According to ClearSky ‘s report, on June 25, a single hacking group stole approximately $ 200 million from cryptocurrency exchanges. The malicious group used a spear-phishing strategy to gain access to cryptocurrency exchanges, which proved to be effective.

The hacking group is known as “CryptoCore,” which is believed to operate out of Eastern Europe. The report also notes that the group has been targeting attacks on crypto exchanges since 2018. CryptoCore focused mainly on the exchange platforms of the United States and China.

Over time , the group has managed to rip off some $200 million from various exchanges. However, ClearSky does not believe that they are technically advanced on a massive scale despite their success. The report notes that their main tactics are “swift, persistent and efficient.”

Hacking group strategy breakdown

Hackers have access to cryptocurrency wallets belonging to exchange firms. The hacking group begins with a broad review phase on the target exchange and its employees. The hacking group warms its way by deploying spear-phishing attacks; for example, they send emails to the firm’s executives through an email that looks like a top employee or a high-ranking partner company official.

Once they get into the system, the gang installs malware and infringes the executive’s password manager account; this is where all the private keys to all the cryptocurrency wallets are stored. The next step is to wait patiently for the multi-factor authenticator to be removed. If it is eliminated, the hacking group moves quickly and steals all the money from the wallets as per the report.

Spear-phishing attacks

In conclusion, spear-phishing attacks are a popular strategy used by cryptocurrency con men, and they are very problematic. Earlier this year, a major spear-phishing attack was deployed on YouTube users. As a result, multiple accounts with massive follow-ups and subscriptions; were compromised and hijacked when owners clicked on the link.