Značka: Hackers

NFT marketplace bug undervalues tokens, helps exploiter nab $750,000

A bug in the front end of popular nonfungible token (NFT) marketplace OpenSea has reportedly led to an exploit allowing users to buy popular NFTs at their previous listing price.The bug seems to be prevalent with Bored Ape Yacht Club (BAYC) and Mutant Ape Yacht Club (MAYC) NFT collectibles, where the exploiter managed to buy them at their old listing price and then sold them for the current market price. The affected NFTs include BAYC #9991, BAYC #8924, MAYC #4986.Opensea User Activity Tab Source: OpenSeaA user named jpegdegenlove is suspected of exploiting the current bug and has reportedly profited 332 Ether (ETH) ($754,000). OpenSea didn’t immediately respond to Cointelegraph’s request for comment.Reported exploiter Ether wallet balance Source: EtherscanAn earlier exploit on Dec, 31 saw a similar scenario, wherein a bug seems to arise from the transfer of assets from the OpenSea wallet to a different wallet without canceling the listing.Related:  Nifty News: FLUF World and Snoop Dogg fundraise, Adidas and Prada NFTs, WAX gifts 10M NFTsOne Twitter user explained that, when a user lists their collectible for auction on the OpenSea and decides to cancel it for some reason, the marketplace charges a significant fee and the floor price of the collectible also decreases. Users found a way around it and instead of canceling their sale, they transfer their asset to a different wallet which automatically removes the listing from OpenSea, However, the bug keeps the listing active through OpenSea’s API. 1/ Recently there’s been an @opensea exploit that has allowed for assets to be purchased at greatly discounted prices, including 3 freshdrops passes, a BAYC https://t.co/8pEgeXkOBo, multiple MAYCs, and more. I did some research this morning and here’s what’s happening – > a — cap10bad.ΞTH | freshdrops.io (@cap10bad) December 31, 2021Users can check whether their listing has been removed on Rarible, another NFT marketplace that uses OpenSea’s API. The user claimed that the bug was flagged after the December incident, but the platform didn’t take any measures to address the issue.NFTs exploded in popularity in 2021 with major brands and celebrities all hopping on the bandwagon, which has attracted an increasing number of scams. 

Čítaj viac

Crypto YouTubers fall victim to hacking and scamming attempt

Hackers attacked a number of popular crypto YouTuber accounts at some point during the afternoon of Jan. 23. The accounts posted unauthorized videos with text directing viewers to send money to the hacker’s wallet. Accounts who appear to have been targeted by the attack include: ‘BitBoy Crypto’, ‘Altcoin Buzz’, ‘Box Mining’, ‘Floyd Mayweather’, ‘Ivan on Tech’, and ‘The Moon’ among others. BREAKING: Dozens of Crypto YouTubers have had their accounts hijacked by hackers promoting a fake crypto giveaway scam. Hacked accounts include:@IvanOnTech@boxmining@aantonop@themooncarl@Bitboy_Crypto@mmcrypto@Altcoinbuzzio@FloydMayweather@crypto_banter@CoinMarketCap pic.twitter.com/ykXkZUh9cO— Mr. Whale (@CryptoWhale) January 23, 2022The Binance Smart Chain wallet address that was listed on the fraudulent videos only had a total of 9 transactions in BNB at the time of writing, with a total value of around $850.Michael Gu told Cointelegraph that his YouTube channel Boxmining posted a video without his permission. “Luckily we caught it within two mins of the video going live and managed to delete it,” he said. “By that time there were already views and comments from my community.”He added that he had done an internal sweep and found no viruses or bugs that may have given the hackers access to his account. “Seems like YouTube might be responsible,” he said. Many Crypto Youtubers (including me) got hacked today – all publishing a scam video at around the same time – @IvanOnTech @aantonop @Bitboy_Crypto @Altcoinbuzzio @FloydMayweather @crypto_banter @CoinMarketCapI have 2FA enabled. pic.twitter.com/c8z5qmJ3bT— Boxmining (@boxmining) January 23, 2022

One Reddit post by user “9Oh8m8” suggested that it appears as though the hackers were able to gain access to the accounts using a SIM swap scam, which would have enabled them to bypass two-factor authentication (2FA). They added:“They are all posting with a title like “ONE WORLD CRYPTOCURRENCY”. They have an address in vid and description to send your USDT/USDC/BNB/ETH to receive a new crypto called OWCY.” However, Gu wasn’t convinced that the hack was a result of a SIM swap, telling Cointelegraph that there were no logins on his personal Google account. “If it was a SIM swap I would lose access to my phone etc and that didn’t happen,” he said. “What we noticed was on the BRAND account (which doesn’t have a login. YouTube brand accounts are connected to personal) there was a login from the Philippines. Very likely this is either a hack on YouTube side or a rogue employee. That’s how they got so many people at the same time.”Founder and CEO of the Altcoin Buzz YouTube channel Shash Gupta added that they noticed something was amiss at around 1 AM Singapore time on Sunday night when an unauthorized video was posted to their channel. “It’s pretty unclear what happened. I’m talking to Youtube to get to understand the matter and avoid such further breaches.”Related: YouTube channels hacked and rebranded for livestreaming crypto scamsAnother crypto YouTuber Richard Heart tweeted at 9:30PM UTC that his channel had been banned during the middle of a livestream, indicating that YouTube was probably aware of the event. Hello again @YouTubecreators My channel was just banned in the middle of a livestream. I think it might have to do with all of the other youtubers that were hacked at the same time today. Could you check please, thanks! @YouTube @YouTube— Richard Heart PulseX.com! Called the Bitcoin top! (@RichardHeartWin) January 23, 2022

Cointelegraph reached out to YouTube and a number of other crypto content creators who were affected by the hack but had not received any additional information at the time of writing.

Čítaj viac

Crypto.com shares details on security breach: 483 accounts compromised

The Crypto.com security breach saga gets clarity with an official statement from the Singapore-based crypto exchange following a halt on withdrawals after detecting “suspicious activities” in user accounts.In a statement on Thursday, Crypto.com revealed that “4,836.26 ETH, 443.93 BTC and approximately US$66,200 in other currencies” had been taken from clients’ accounts without their permission. The overall loss is presently valued at around $33.8 million, as per the current market value.Following a security breach, several Crypto.com users have made complaints that their money had been stolen. However, the company’s previous responses had failed to quell concerns.Following the 17th of Jan security incident, we are sharing our findings below, together with enhancements we’ve made to our security infrastructure and the introduction of the Worldwide Account Protection Program. https://t.co/6q86r0o59V pic.twitter.com/ER7DkBoX1Z— Crypto.com (@cryptocom) January 20, 2022On Jan. 17, 2022, at around 12:46 AM UTC, Crypto.com’s risk monitoring systems detected “unauthorized activity on a small number of user accounts” where transactions were being authorized without the 2FA authentication control being entered by the user, according to the official document.The exchange proceeded by halting withdrawals and revoking all customer 2FA tokens, adding even more security hardening measures that required everyone to re-login and reactivate their 2FA token before allowing only authorized action, as detailed in the statement. The withdrawal infrastructure was down for a total of 14 hours.To safeguard against such an accident happening again, Crypto.com claims that they have implemented an additional layer of protection in which a new whitelisted withdrawal address must be registered within 24 hours before the first withdrawal.”Users will receive notifications that withdrawal addresses have been added, to give them adequate time to react and respond,” the statement reads. On Wednesday, Kris Marszalek, the CEO of Crypto.com, told Bloomberg that the exchange has not received any communication from regulators about the event. He went on to say that;”Obviously, it’s a great lesson, and we are continuously strengthening our infrastructure.”Related: Secret Network offers $400M in funding to bring others in on the secretAccording to PeckShield, over $15 million worth of ETH has been stolen. On Monday, the blockchain security firm tweeted that roughly half of the funds had been sent to Tornado Cash “to be washed.” Another analyst from blockchain data firm OXT Research stated that the heist may have cost the exchange $33 million in stolen assets.

Čítaj viac

Multichain under fire from users as hacking losses grow to $3M

Hackers have continued to exploit a critical vulnerability in the cross-chain router protocol (CRP) Multichain that first appeared on Jan 17.Earlier this week, Multichain urged users to revoke approvals for six tokens to protect their assets from being exploited by malicious individuals. However Multichain’s announcement on Jan. 17 encouraged more hackers to try the exploit. One stole $1.43 million, another offered to return 80% while keeping the rest as a tip. According to Tal Be’ery, the co-founder of the ZenGo wallet, the stolen amount has now risen to $3 million. The @MultichainOrg hack is far from being over.Over the last hours more than additional $1M stolen, rising the total stolen amount to $3M.One victim lost $960K!https://t.co/fYhYxUojB8 pic.twitter.com/Gvh5hB6t6s— Tal Be’ery (@TalBeerySec) January 19, 2022Six supported tokens are still subject to the security vulnerability including WETH, PERI, OMT, WBNB, MATIC, and AVAX.Users have accused the company on social media of not providing them with clear enough information or support regarding the situation. One user who lost $960k offered 50 ETH to the hacker’s address in return for the remaining funds.The company claimed on Jan.17 that the critical vulnerability affecting the six tokens had been reported and fixed on Jan. 17, but on Jan. 19 it again reminded users to revoke approvals of the tokens. Multichain has since turned off the comments on its recent tweets. Crypto Twitter figure “ChainLinkGod” said that he was “incredibly confused” by the platform’s message, while “drarreg17” asked Multichain what it was going to do to “compensate users like myself who were affected by the exploits?”I can’t be the only one who’s incredibly confused by @MultichainOrg’s messaging here Schrodinger‘s funds, both safe and unsafe at the same time pic.twitter.com/AW8s8aAhHk— ChainLinkGod.eth 2.0 (@ChainLinkGod) January 19, 2022

Related: Multichain asks users to revoke approvals amid ‘critical vulnerability’Unhappy users posting in the company’s Telegram group today complain  Multichain has not been able to resolve the security vulnerability yet, nor has it been able to provide its users with the support they seek.Seems like @MultichainOrg reached out to the attackers offering them “bounty” (or in other words, actually paying ransom)https://t.co/DzUGUF3vX0 https://t.co/iKLh0HCBXG pic.twitter.com/yC3QEeiZhJ— Tal Be’ery (@TalBeerySec) January 18, 2022

According to Be’ery, the company reached out to the original address that has been holding over 450 ETH ($1.43 million) in stolen funds since Jan. 18 and offered the hacker or hackers a bug “bounty for exploits.” Multichain (formerly Anyswap) envisions being the ultimate router for Web 3.0. The ecosystem supports 30 chains, including Bitcoin (BTC), Avalanche (AVAX), Ethereum (ETH), Fantom (FTM), Litecoin (LTC), and Terra (LUNA), and offers no-slippage swapping. With nearly $9 billion in TVL, it is unclear when and how Multichain will sort the situation. Cointelegraph has contacted the project for comment.

Čítaj viac

Crypto.com breach may be worth up to $33M, suggests onchain analyst

Onchain analyst claims that Crypto.com’s loss in the latest security breach might have been worth more than the reported $15 million.Pseudonymous ErgoBTC, an on-chain analyst at Bitcoin (BTC) research firm OXT Research, claims that the Crypto.com security breach that was said to have resulted in the loss of 4.6K ETH ($15 million), may be worth up to $33 million.Adding another 444 BTC to the previously reported 4.6k ETH from yesterday’s @cryptocom hack.Still no acknowledgement of loss, despite large outflows from the custodial wallet into ETH’s Tornado Cash and a well known BTC tumbler (as detailed below). pic.twitter.com/GalJKM6bi9— ∴Ergo∴ (@ErgoBTC) January 18, 2022On Monday, reports emerged that Crypto.com had halted withdrawals “after a small number of users” experienced suspicious transactions on their accounts. The cryptocurrency exchange has since resumed withdrawals and confirmed that its users’ money was ‘safe,’ but reports emerged later that it had lost 4.6K ETH ($15 million) and was being laundered using Tornado Cash.ErgoBTC tweeted on Tuesday suggesting that another 444 BTC ($18.5 million) had been stolen from Crypto.com’s payout wallet. ErgoBTC said that OXT Research discovered a suspicious transaction of 52.55 BTC ($2.18 million) from Crypto.com’s custodial wallet.Following the transaction, “several hundred withdrawals” were made which were then combined into four outputs worth 67.75 BTC ($2.81 million) each, as per ErgoBTC. The four batches amounted to 271 BTC ($11.25 million), all of which were laundered via Bitcoin tumbler- a service that allows customers to combine several transactions and make it more difficult for investigators to trace Bitcoin transfers.The Bitcoin tumbler allegedly utilized by the alleged perpetrators to wash the 271 BTC is a well-known tool employed by the North Korean cybercrime syndicate, Lazarus, according to ErgoBTC’s tweet.According to ErgoBTC, the criminals behind the Crypto.com security breach also controlled another address holding 172.9 BTC ($7.25 million). Blockchair data reveals that the address received the funds at about the same time as the other transactions linked to the Crypto.com hack. However, as of the publishing of this article, the purported hacker has not transferred the funds through a bitcoin tumbling service yet.Related: ImmuneFi report $10B in DeFi hacks and losses across 2021At the time of publishing Crypto.com is yet to acknowledge any losses. Cointelegraph reached out to Crypto.com for more details regarding its decision to halt withdrawals, but did not receive a response as of publishing time. This article will be updated pending new information.

Čítaj viac

LCX loses $6.8M in a hot wallet compromise over Ethereum blockchain

Liechtenstein-based crypto exchange LCX has confirmed the compromise of one of its hot wallets after temporarily suspending all deposits and withdrawals on the platform. The hack was first identified by PeckShield, a blockchain security company, based on the suspicious transfer of ERC-20 tokens from LXC to an unknown Ethereum (ETH) wallet.hot wallet compromised? @lcx https://t.co/uL5a7oCFfM— PeckShield Inc. (@peckshield) January 9, 2022The probable hot wallet compromise was soon confirmed by the exchange as it announced the loss of numerous tokens including ETH, USD Coin (USDC) and other tokens including its in-house LCX token.Ethereum blockchain based assets such as ETH, USDC, EURe, LCX and other assets have been moved to theHacker ETH Wallet: 0x165402279F2C081C54B00f0E08812F3fd4560A052/3— LCX (@lcx) January 9, 2022

Based on PeckShield’s investigation, LCX lost a cumulative of $6.8 million after the hacker successfully transferred eight types of tokens that included Sandbox (SAND), Quant (QNT), Chainlink (LINK), Enjin Coin (ENJ) and Maker (MKR).Details of the stolen funds on LCX. Source: PeckShield.At the time of writing, LCX has not shared any plans to help return the stolen funds. However, the company has confirmed to take security measures to protect other wallets and assets:“During this difficult period, we greatly appreciate the support from our customers, other exchanges, security experts, and the broader crypto community.”LCX has not yet responded to Cointelegraph’s request for comment. Related: ImmuneFi report $10B in DeFi hacks and losses across 2021A recent report from security platform ImmuneFi found that crypto companies incurred losses of over $10.2 billion in 2021 due to hacks, scams and other malicious activities. As Cointelegraph reported, ImmuneFi identified 120 instances of crypto exploits and rug-pulls, the highest-valued hack being Poly Network at $613 million, followed by Venus and BitMart with $200 million and $150 million, respectively.

Čítaj viac

Beware of sophisticated scams and rug pulls, as thugs target crypto users

This year has been monumental for the cryptocurrency sector in terms of mainstream adoption. A recent report published by Grayscale Investments found that more than one-quarter of United States investors (26%) surveyed own Bitcoin (BTC), up from 23% in 2020. With the holidays around the corner, financial services provider MagnifyMoney also found that nearly two-thirds of surveyed Americans hope to receive cryptocurrency as a gift this year. While crypto’s growth is notable, there has also been an increase in the number of scams associated with digital assets. A Chainalysis blog post highlighting the company’s “2022 Crypto Crime Report” revealed that scams were the dominant form of cryptocurrency-based crimes by transaction volume this year. The post notes that over $7.7 billion worth of cryptocurrency has been taken from scam victims globally. According to Chainalysis’ previous research, this number represents an 81% increase compared to 2020, a year in which scamming activity dropped significantly compared to 2019. Source: ChainalysisScams are the biggest threat for building trust in crypto Kim Grauer, head of research at Chainalysis, told Cointelegraph that while there are many different crypto-related crimes, scamming has become the largest in terms of value received by criminals. She added that scams represent a significant threat to building trust within the crypto ecosystem, as this may prevent people from investing in digital assets.Grauer further mentioned that scams related to decentralized finance (DeFi) have been on the rise this year. With an annualized revenue in all DeFi protocols estimated at around $5 billion, this shouldn’t come as a surprise. More interesting, though, is that Chainalsyis has discovered that “rug pulls” have contributed to this year’s increase in scam revenue. According to Grauer, Chainalysis defines rug pulls as an instance when a person or developer decides to unexpectedly cease a project and run away with funds:“Rug pulls have accelerated the amount of scamming the crypto space has seen this year. In addition to financial scams, rug pulls have exploited different vulnerabilities in the crypto space. Overall, they have taken $2.8 billion of cryptocurrency.” Although rug pulls are a relatively new crime, Grauer believes these cases are becoming common in the growing DeFi ecosystem. To put this in perspective, the Chainalysis blog post notes, “Rug pulls have emerged as the go-to scam of the DeFi ecosystem, accounting for 37% of all cryptocurrency scam revenue in 2021, versus just 1% in 2020.” The Chainalysis blog post also provides examples of some of the biggest rug pulls of 2021. For instance, the AnubisDAO case is mentioned as the second-biggest rug pull of this year, with over $58 million worth of cryptocurrency stolen. According to the post, AnubisDAO launched on Oct. 28, 2021, with claims of offering a decentralized currency backed by a number of assets. However, the project didn’t contain a website or white paper, and all of the developers went by pseudonyms. Miraculously, AnubisDAO still managed to raise nearly $60 million overnight, yet 20 hours later, all of those funds disappeared from AnubisDAO’s liquidity pool. While AnubisDAO demonstrates a large-scale DeFi rug pull, new cases are occurring almost daily. An early Ethereum and DeFi investor who wishes to remain anonymous told Cointelegraph that they fell victim to a rug pull on Dec. 19, 2021. The anonymous source shared that the project is called “up1.network,” noting that many early Ethereum investors were discussing Up1 in a Discord chat group. They added:“People I trusted were mentioning the project so I checked it out. I thought it was strange to see Up1 giving away airdrops, but thought it could have been affiliated with a DeFi token I had. I then connected my MetaMask wallet and clicked on ‘get airdrop’ but kept getting an error message. I did this three times, which gave the project access to my account.” Unfortunately, once Up1 gained access to their account, three DeFi tokens worth $50,000 were instantly taken. “I revoked access after the fact on Etherscan so they couldn’t steal any more tokens,” they mentioned. The Ethereum investor then checked the DeFi platform Zerion where they saw the notifications that the DeFi tokens had left their wallet. Zerion also provided them with a wallet address to where the funds went, along with a message:“0xc28a580acc42294787f44cffbaa788eaa4958056; You gave a web3 site / smart contract unlimited access to your funds (check who you gave access to and revoke here).”While both AnubisDAO and Up1 are examples of DeFi rug pulls, it’s important to point out that the nonfungible token (NFT) ecosystem is also vulnerable to rug pulls. Most recently, the Bored Ape Yacht Club community fell victim to a rug pull when some members decided to connect their wallets to mint NFTs from a link posted in the group’s Discord channel. Even more surprising is that rug pull scams are also targeting mainstream NFT projects. For example, on Oct. 28, 2021, the global beauty pageant Miss Universe sent out an official tweet announcing the launch of its NFTs on the Wax blockchain. Unfortunately, the people who minted these nonfungible tokens were part of a rug pull.As a reminder: DON’T MINT from the links posted in Discord.Due to amazing members of the community, we’ve obtained pertinent information about the hackers.We’re working diligently to fix this. Priorities are restoring the server, prosecuting, and making it up to the minters— Jenkins The Valet (@jenkinsthevalet) December 21, 2021Jessica Yang, an NFT photographer, told Cointelegraph that when Miss Universe announced the launch of an NFT project, she didn’t question whether it was a scam or not because the pageant is widely known. “The price of each NFT was 0.06 Ethereum. That translates to around $230 for one. The artwork also has the beauty contestant’s face and country they are associated with plastered on it,” she remarked. Yang also mentioned that the project was geared toward women, noting that Paula Shugart, the president of Miss Universe, previously stated:“Miss Universe is going to be the first brand in the NFT space that is about women, about women’s empowerment, and embracing the technology, and moving forward. I love it; this is the first one that is away from other more male-oriented spaces.” Given the brand’s reputation and appeal, Yang and many others minted Miss Universe NFTs, connecting their wallets to the platform. Yet Yang noted that the next day, Miss Universe deleted its official Instagram account. She then noticed that her funds disappeared entirely. Yang added:​​”One red flag I saw was coming from their Discord. The moderators kept trying to get everyone to buy Miss Universe NFTs, promising that they were going along with the roadmap. Their roadmap promised monthly AMAs, signed prints, and much more. Even Steve Harvey vetted the project.”Do your own researchAs the DeFi and NFT ecosystems continue to mature and grow, these environments will, unfortunately, be prone to rug pull scams until industry solutions are developed. In the meantime, the best course of action is for users to do their own research. For instance, Grauer shared that every DeFi project should have a code audit available to make investors feel safer. “Many of the DeFi platforms that have been hacked don’t have code audits,” she remarked. The Chainalysis blog post also pointed out that “rug pulls are prevalent in DeFi because with the right technical know-how, it’s cheap and easy to create new tokens on the Ethereum blockchain or others and get them listed on decentralized exchanges (DEX) without a code audit.”In addition to code audits, the anonymous Ethereum investor shared that after reviewing the Up1 site more closely, they could tell that it was fake. “For instance, the team was all anonymous, with just first names that couldn’t be clicked on to open a Twitter or LinkedIn profile.” Even with these precautions the anonymous source mentioned that wallet providers also need to do a better job of keeping users safe:“If there is a questionable site, wallets should seek them out. I believe this technology can scale, but it has to be able to handle these scams. Otherwise, people will lose all their money.” Following the Up1 rug pull, the anonymous source contacted MetaMask and shared that they got a response noting that it would flag the website. It’s also important to point out that while a clear industry solution is yet to be developed, Grauer noted that, unlike fiat-related crimes, crypto payments can be traced to their source. With this in mind, she added that some cryptocurrency platforms are starting to take action to keep users safe from scams. For example, crypto exchange Luno partnered with Chainalysis in 2020 to protect against a scam targeting South African crypto users. Eva Crouwel, head of financial crime at Luno, told Cointelegraph that one of the requirements from a regulatory framework point of view is to be able to monitor and act upon transactions that have a suspicion of money laundering, terrorist financing, sanctions or any other type of illicit activity. She noted that on-chain transactions must be monitored, as well as the design and the development of case management and user interface. In terms of crypto investors keeping themselves safe from scams, Crouwel recommends staying away from offers that sound too good to be true, adding:“Start by doing as much due diligence as possible. Look at the company’s/token’s social media profiles to see what other users’ experiences have been. You should also go through the company directors’ personal social media pages and look into their industry connections and employment background so ensure their history is sound.”

Čítaj viac

Bent Finance confirms pool exploit, advises investors to withdraw funds

Staking and farming platform Bent Finance joins the list to become the sixth crypto establishment to get hacked in December. The acknowledgment of the attack was followed by requesting investors to withdraw their pool funds and disabling the reward claims on the compromised platform. Bent Finance first realized the exploit on Monday at roughly 8:55 PM EST, a timeline when the company reported no loss of funds. However, the community suspected a rug-pull event when blockchain investigator PeckShield allegedly located the source of the hack transactions.We have located the hack tx, which interestingly is sent from the Bent Finance: Deployer @BENT_Finance !!! What is going on?! https://t.co/3L4F1gcNYJ— PeckShield Inc. (@peckshield) December 21, 2021“Yes, we see the same and are working through it right now,” said Bent Finance as the team appointed two independent white hat developers to get a better understanding of the unfolding situation. The company confirmed soon after:1/ There was an exploit from the bent deployer address, it added balance of cvxcrv and mim to an address on an unvierifed update 20 days ago. We just discovered this today. There are multiple members on this team and we will make this right.— Bent Finance (@BENT_Finance) December 21, 2021

Bent Finance continues to advise its pool investors to withdraw the funds until the exploit is addressed with every update. However, the company has confirmed to recover all stolen funds from the Bent curve pool:“We recommend you withdraw from the protocol until further notice. We are not going anywhere and will recover from this one way or another.”According to crypto fraud investigator and former member of the US Secret Service Joe McGill of TRM Labs, the attackers managed to steal approximately 440 Ethereum (ETH), worth more than $1.6 million at the time of writing. McGill’s investigations hinted that the attack has been ongoing since Dec. 12, which contradicts Bent Finance’s finding that suspects the attacker’s presence over the network since Dec. 1. In December alone, five crypto companies — including Grim Finance, BitMart and AscendEX — cumulatively lost over $600 million as a direct result of a successful hack. However, further investigations are underway to identify the losses from the Bent Finance exploit.Bent Finance has not yet responded to Cointelegraph’s request for comment. Related: Indian prime minister Modi’s hacked Twitter account attempts BTC scamRunning parallel to the ongoing exploits on crypto businesses, December was also a witness to a momentary compromise of Modi’s Twitter account, which was used to spread misinformation about Bitcoin’s (BTC) mainstream adoption in India. As Cointelegraph reported, hackers from unknown origins took control of the prime minister’s account on Dec. 12 with over 73.4 million followers to declare BTC as a legal tender in addition to announcing a 500 BTC giveaway for the Indian citizens.

Čítaj viac

DeFi protocol Grim Finance lost $30M in 5x reentrancy hack

The decentralized finance (DeFi) protocol Grim Finance reported $30 million in losses due to a reentrancy exploit of the platform’s deposits.Grim Finance officially announced on Dec. 18 that an “external attacker” had exploited the DeFi platform, stealing “over $30 million” worth of cryptocurrencies.According to Grim Finance, the hack was an “advanced attack,” with the attacker exploiting the protocol’s vault contract through five reentrancy loops, which allowed them to fake five additional deposits into a vault while the platform is processing the first deposit.Grim paused all vaults after the attack to minimize the risk for future funds: “We have paused all of the vaults to prevent any future funds from being placed at risk, please withdraw all of your funds immediately.”Grim noted that they also notified entities involved in operating major cryptocurrencies like Circle (USDC), DAI, and the cross-chain protocol AnySwap regarding the attacker address to freeze further fund transfers.Grim Finance positions itself as a “compounding yield optimizer” built on DeFi-focused blockchain protocol, Fantom, allowing users to stake liquidity provider tokens by employing complex vault strategies.According to the Fantom (FTM) Blockchain Explorer data, Grim Finance Exploiter continued transacting on Dec. 19. One of the addresses associated with the exploit holds $1.2 million in Bitcoin (BTC), $1.7 million in SpookyToken (BOO) alongside $13,700 in FTM tokens.Some in the crypto community suggested that Grim Finance should hold responsibility for the exploit due to failing to adopt proper reentrancy protection tools. DeFi security platform Rugdoc.io also argued that the protocol gave the user “more privilege than is necessary.” 5) So what was the big mistake of grim finance?1. No reentrancy guard on a pattern that absolutely needs it (@0xPaladinSec always points this out)2. Giving the user more privilege than is necessary: There is absolutely no need for the user to be able to choose the deposit token— Rugdoc.io (@RugDocIO) December 18, 2021Related: Finance Redefined: Two DeFi hacks top $120M, and $500M Algo Fund launches, Nov. 26–Dec. 3The rising popularity of DeFi has triggered a number of new challenges for the cryptocurrency industry as hackers were rushing to exploit the flaws of the emerging industry. In early December, DeFi protocol BadgerDAO was reportedly exploited to the tune of $120 million.

Čítaj viac

AscendEX loses $80M following ERC-20, BSC, Polygon hot wallet compromise

Crypto trading platform AscendEX suffered a loss of $77.7 million in a hot wallet compromise that allowed hackers to access and transfer tokens hosted over the Ethereum (ETH), Binance Smart Chain (BSC) and Polygon (POLY) blockchains.Soon after realization, AscendEX proactively warned its users about the stolen funds, confirming that the hackers were not able to access the company’s cold wallet reserves.22:00 UTC 12/11, We have detected a number of ERC-20, BSC, and Polygon tokens transferred from our hot wallet. Cold Wallet is NOT affected. Investigation underway. If any user’s funds are affected by the incident, they will be covered completely by AscendEX.— AscendEX (@AscendEX_Global) December 12, 2021According to PeckShield, a blockchain security and data analytics company, around $60 million worth of tokens were transferred over the Ethereum blockchain. Tokens stolen from the Binance Smart Chain and Polygon are worth $9.2 million and $8.5 million respectively, as evidenced by EtherScan data.Estimated loss @AscendEX_Global: $77.7M in total ($60M on @ethereum $9.2M @BinanceChain $8.5M @0xPolygon). Here is the list of the transferred-out assets and their amounts on @ethereum pic.twitter.com/VC4DKOwu4f— PeckShield Inc. (@peckshield) December 12, 2021

Some of the popular tokens stolen in this hack include USD Coin (USDC), Tether (USDT), and Shiba Inu (SHIB). However, AscendEX is yet to officially confirm the exact worth of the tokens taken away by the hackers. The company also announced to help the affected users by covering up their losses due to this attack. Related: Bitmart hacked for $200M following Ethereum, Binance Smart Chain exploitJust last week on Dec. 05, a similar attack on crypto exchange BitMart resulted in a loss of nearly $200 million due to a hot wallet compromise hosted over the Ethereum and Binance Smart Chain blockchains. As reported by Cointelegraph, the hack was a straightforward case of transfer-out, swap, and wash:Transfer of stolen tokens on Bitmart. Source: PeckShieldWhile BitMart CEO Sheldon Xia confirmed the losses over Twitter, he announced a temporary stop on all withdrawals and deposits while further investigations were underway.The deposit and withdrawal function of all tokens will be resumed step by step, along with the recovery progress of security testing and public chain development. No worries, we are marching forward, security will be always the first priority.— Sheldon Xia (@sheldonbitmart) December 8, 2021

Čítaj viac

Indian prime minister Modi's hacked Twitter account attempts BTC scam

The official Twitter account of Indian Prime Minister Narendra Modi got compromised earlier today, which was then used to share misleading information about the mainstream adoption of Bitcoin (BTC) and redistribution of 500 BTC among the Indian citizens. On Dec. 10, Modi said in a virtual event virtual summit hosted by US President Joe Biden that technologies such as cryptocurrencies should be used to empower democracy and not undermine it:“By working together, democracies can meet the aspirations of our citizens and celebrate the democratic spirit of humanity.”While the long-awaited Lok Sabha Winter Session, a parliamentary meetup intended to discuss the legality of cryptocurrencies in the region, did not conclude the government’s stance on crypto, hackers from unknown origins managed to take control of the prime minister’s account with over 73.4 million followers to declare Bitcoin as a legal tender.Bitcoin scammers declare the cryptocurrency as India’s legal tender. pic.twitter.com/uTe1R7XUWZ— Priya (@supesuonna) December 11, 2021While the hack happened at midnight in India (around 4:00 pm ET), Twitter user Priya was among the many crypto enthusiasts that took notice of the untimely tweet that read:“India has officially adopted Bitcoin as legal tender. The government has officially bought 500 BTC and is distributing them to all residents of the country. The future has come today!”The post also included a link that urged unwary investors to sign up and claim their share of BTC. However, this was the second time Modi’s Twitter account got hacked and was used for crypto scams.Soon after the hack, the unauthorized tweet was deleted and the hack was confirmed by the Prime Minister’s official account.The Twitter handle of PM @narendramodi was very briefly compromised. The matter was escalated to Twitter and the account has been immediately secured.In the brief period that the account was compromised, any Tweet shared must be ignored.— PMO India (@PMOIndia) December 11, 2021

As Cointelegraph reported, hackers were able to breach Modi’s Twitter account back in Sept. 2020. Under the pseudo name ‘John Wick,’ the hackers shared several tweets asking the prime minister’s followers to “donate generously to PM National Relief Fund for Covid-19.”Related: India misinterpreted private crypto ban, says crypto bill creatorThe launch of India’s crypto bill sparked new concerns around the ban of private cryptocurrencies. While the meaning of ‘private’ was yet to be interpreted in the parliamentary meeting, the lack of information sparked panic among investors. Clearing out the speculations around the crypto bill discussions, former Finance Secretary Subhash Garg, who was also the creator of the bill, dismissed the notion of banning “private cryptocurrencies” as a misinterpretation. In an interview with News 18, Garg said:“[The description of the crypto bill] was perhaps a mistake. It is misleading to say that private cryptocurrencies will be banned and to intimate the government about the same.”

Čítaj viac

Huobi and Shiba Inu community to help BitMart overcome $200M hack

Following a near $200 million hack on the BitMart exchange, the Shiba Inu (SHIB) community and crypto exchange Huobi Global aim to help the exchange strengthen security and track inflows of stolen assets.On Dec. 5, crypto exchange BitMart became victim to a hot wallet compromise hosted over the Ethereum (ETH) and Binance Smart Chain (BSC) blockchains. As a result, the hackers were able to steal over $196 million, roughly $100 million over the Ethernet network and around $96 million over the BSC blockchain.1/3 We have identified a large-scale security breach related to one of our ETH hot wallets and one of our BSC hot wallets. At this moment we are still concluding the possible methods used. The hackers were able to withdraw assets of the value of approximately USD 150 millions.— Sheldon Xia (@sheldonbitmart) December 5, 2021Soon after BitMart CEO Sheldon Xia confirmed the hack, Huobi announced it would help BitMart track the inflow of assets on its exchange and report matches to the stolen funds.Huobi will do our best to assist #BitMart in handling this issue. If there are any inflows of related assets, we will report and assist in a timely manner.— Huobi (@HuobiGlobal) December 5, 2021

Following suit, the Shiba Inu community also confirmed it would help the hacked crypto exchange, citing their already existing efforts in reviewing potential security threats for ShibaSwap, a community-built decentralized exchange.Dear #ShibArmy,Even though the core of our project is decentralization, we want to show our support and give some love to our friends at @BitMartExchange, who are already working hard to fix the security incident that happened yesterday. pic.twitter.com/CJZjQHaP59— Shib (@Shibtoken) December 5, 2021

Xia also said the exchange would compensate affected investors with its own funds. “We are also talking to multiple project teams to confirm the most reasonable solutions such as token swaps. No user assets will be harmed,” he added.The hack forced the exchange to temporarily stop all withdrawals and deposits. However, Xia is confident BitMart will resume services by Dec. 7.Related: Synapse Bridge prevents $8M hackCross-chain protocol Synapse Bridge recently averted a multi-million dollar exploit on the Avalanche Neutral Dollar (nUSD) Metapool. As Cointelegraph reported, Synapse Bridge prevented a hacker from stealing approximately $8 million worth of cryptocurrencies:“Over the past 16 hours, we encountered and discovered a contract bug in the way that the AMM Metapool contracts handle virtual price calculations against the base pool’s virtual price.”While the threat was averted, Synapse Bridge soon deployed new nUSD pools as a means to further strengthen its security against similar attacks.

Čítaj viac
Načítava

Získaj BONUS 8 € v Bitcoinoch

nakup bitcoin z karty

Registrácia Binance

Burza Binance

Aktuálne kurzy