Crypto Investigation – Cryptosec (https://cryptosec.com): Crypto, Blockchain and DeFi Cybersecurity and Investigations. Feed generated Sun, 23 Jul 2023 00:09:15 +0000.

The 12 Biggest DeFi and Crypto Hacks in the History of Crypto
https://cryptosec.com/crypto-blockchain-security/largest-crypto-hacks/
Published Tue, 01 Nov 2022 16:25:00 +0000

The most comprehensive ranked list of the biggest DeFi and crypto hacks in history (up until November 1, 2022; we suspect an even larger crypto hack is just around the corner)

It wasn’t easy digging through the entire history of cybercrime involving cryptocurrencies, but we wanted to get to the bottom of which crypto hacks were the biggest in terms of total value of the stolen digital assets at the time of the incident. Two of the entries occurred while we were conducting our research; that’s how we know this will be the most accurate and up-to-date list of the top 12 hacking incidents in crypto’s history.

Crypto Hack 1. Poly Network: $611M

At $611M, the Poly Network exploit of August 10, 2021 ranks as the largest crypto hack to date in terms of mark-to-market value. Using a series of data manipulation techniques in the high-level code of the Ethereum smart contract, the attacker was able to steal around $274M in crypto assets from the Poly network’s Ethereum wallet, around $253M from the BNB Chain wallet, and another roughly $85M from the Polygon wallet. All the stolen funds were returned, but the identity of the hacker is still unknown. Read an in-depth analysis of the Poly Network Hack.

Crypto Hack 2. Binance Bridge: $556M

The largest crypto exchange in the world today by market volume suffered the second-largest crypto hack incident in the history of crypto on October 6, 2022. On that day, an attacker used the BSC Token Hub smart contract in a way that allowed them to print 2M BNB tokens (the native token on the BNB Smart Chain), valued around $566M at the time. Learn why the Binance Bridge hack will change the way people view web3.

Crypto Hack 3. Ronin Bridge: $551M

The Ronin chain was built for Sky Mavis’ play-to-earn blockchain game, Axie Infinity. On March 23, 2022, a 51% attack against 5 of Ronin’s 9 validators led to the theft of 173,600 ETH and 25.5M USDC from the Ronin bridge, valued around $551M at the time. It’s widely believed that state-sponsored North Korean APT (advanced persistent threat) cybercrime organization Lazarus Group was behind the attack. Continue reading about the Ronin Bridge Hack.

Crypto Hack 4. CoinCheck Exchange: $534M

The largest in history at the time it occurred on January 25, 2018, the crypto hack of Tokyo-based exchange CoinCheck ultimately cost the company $534M worth of their native exchange token, NEM. While the funds were never recovered, CoinCheck received praise from the community for using their own capital to return 90% of the funds to affected users. Read the full story.

Crypto Hack 5. MtGox Exchange: $473M

The first major crypto hack in crypto exchange history, MtGox was never able to recover from the 850,000 BTC lost through repeated mishandling of funds and thefts that went undetected for years, despite finding 200,000 BTC in an old wallet shortly after reporting their insolvency. Due to the lack of clarity and transparency, along with the long timeframes over which the attacks occurred, it’s impossible to know exactly what the total value in USD was at the time of each incident, but at the time of their bankruptcy filing on February 28, 2014, 850,000 BTC was worth $473M. Read the full breakdown and timeline.

Crypto Hack 6. Wormhole Bridge: $320M

The incident that led to the draining of the Wormhole Bridge occurred on February 2, 2022. The attacker used advanced techniques to manipulate on-chain messages and transactions into allowing themselves to mint 120,000 wETH (Wrapped Ether) valued around $320M at the time. The stolen crypto assets remain in the wallets they were initially transferred to after the 120k wETH was exchanged for various other tokens. Find out who replaced them to save the Solana ecosystem.

Crypto Hack 7. KuCoin Exchange: $285M

The $285M hack of Singapore-based crypto exchange KuCoin occurred on September 25, 2020. More than 150 different cryptocurrencies made up the loot, which was stolen by an attacker who had gotten access to their hot wallets via leaked private keys. In the end, $222M (78%) was recovered through cooperation with exchange and project partners, $17.45M (6%) was recovered by law enforcement and security institutions using blockchain forensics and global investigations, and the remaining 16% ($45.55M) was covered by KuCoin and their insurance fund. Find out how they were able to track down and recover the stolen digital assets.

Crypto Hack 8. BitMart Exchange: $200M

Also the result of leaked private keys, this time for two different hot wallets, the December 4, 2021 crypto hack of the BitMart exchange lost the company around $200M. A long list of altcoins, including SAFEMOON, BabyDoge, SHIB, SAITAMA, ELON, CRO, GALA and many more, valued around $200M at the time, were involved in the attack. Ultimately BitMart was able to restore functionality to their exchange and resume operations, including user withdrawals, but some controversy still exists around what happened to some of the investors holding SAFEMOON. Learn more about the controversy and the timeline of the attack.

Crypto Hack 9. Nomad Bridge: $190M

The Nomad Bridge crypto hack is a story of exploitable smart contracts, a $190 million liquidity pool, and simple human nature. One attacker and hundreds of copycats looted the Nomad bridge; few did the right thing in the end. However, some did ultimately return much of the stolen crypto and received a whitehat bounty for their good deed. Read the full story behind the Nomad Bridge Hack of August, 2022.

Crypto Hack 10. Beanstalk Farms: $182M

On April 16, 2022, a $1B flash loan from the Aave protocol allowed an attacker to exploit the Beanstalk Farms liquidity ecosystem to ultimately drain $182M from their pools. The attack involved taking a supermajority of the governance tokens used in the Beanstalk DAO to manage the ecosystem, which was then used to execute malicious transactions to drain all the pools. Learn the full story about where the stolen cryptocurrency ended up.

Crypto Hack 11. BitGrail Exchange: $170M

Around $170M worth of cryptocurrency was allegedly stolen from an obscure Italian crypto exchange called BitGrail sometime in 2018; it’s still unclear exactly how or by whom. This story involves a public beef between the BitGrail exchange owner/operator and the dev team of NANO, and it ends with the exchange owner facing charges and having his assets seized to pay off what he could to users of his platform. Read the full wild and mysterious story.

Crypto Hack 12. Wintermute AMM: $160M

Wintermute is an automated market maker (AMM) that was drained of $160M worth of liquidity in Wrapped Ether, Wrapped Bitcoin, and a handful of stablecoins. The attack occurred on September 20, 2022, but the exploit that was used to steal the funds had been identified by the 1inch network 5 days before it occurred. While the stolen digital assets have yet to be recovered, Wintermute remained solvent through the incident and has continued to operate without any serious pause in their protocol, so no users lost any funds. Read the full story here and learn about AMMs.


Cryptosec is a leading provider of security solutions in the rapidly evolving world of blockchain, cryptocurrency, DeFi. Their specialist investigations arm, Crypto Investigators, offers expert services in blockchain forensics and legal investigations, leveraging deep industry knowledge and advanced investigative techniques to navigate the complexities of the digital age.

How the Big Binance Bridge Hack Will Change the way People View Web3
https://cryptosec.com/crypto-blockchain-security/binance-bridge-hack/
Published Mon, 10 Oct 2022 03:13:00 +0000

$566M worth of BNB was stolen from Binance’s cross-chain bridge BSC Token Hub, but how they responded to the attack will be the most memorable part.

Decentralization is a hot button topic in web3, and Binance is (at the time of writing) the biggest crypto exchange by trading volume in the world.

The recent Binance bridge hack, the hack of Binance’s native cross-chain bridge BSC Token Hub, revealed to the world what many early adopters of blockchain technology already knew: the BNB Smart Chain (formerly Binance Smart Chain) is not very “decentralized”.

How did the BNB Smart Chain bridge get hacked, how did Binance stop it, and what does the Binance bridge hack have to do with decentralization?

Let’s go through this in order.

How the BSC Token Hub was Hacked

The BSC Token Hub is a cross-chain bridge native to Binance that allows users to transfer tokens between the BNB Beacon Chain (BEP2) and BNB Smart Chain (BEP20 or BSC).

On October 6, 2022, an attacker interacted with the BSC Token Hub smart contract in a way that allowed them to print two million BNB tokens (the native token on the BNB Smart Chain), worth approximately $566 million at the time. This was achieved using falsified transactions that convinced the bridge that the attacker had deposited the BNB previously, and was therefore eligible to withdraw that much.

According to Binance’s official response, “the exploit was through a sophisticated forging of the low level proof into one common library,” and an anonymous blockchain researcher who goes by @samczsun on Twitter shared an in-depth breakdown of the technicalities involved in the forgery.

[Image: BNB Hack] Source: https://twitter.com/samczsun/status/1578167198203289600?s=20&t=pd2TogOJt1dnOX9aq9Epqg

How the Binance Bridge Hack was Stopped

The short version is that the Binance team was able to respond quickly to rally all the validators on the network to halt the BNB Smart Chain and freeze the majority of the stolen funds before they could be fed through mixers and taken off-chain.

At the time of BNB Smart Chain’s network suspension, around $430M worth of crypto in the attacker’s wallet was frozen, while another ~$110M had already been transferred to various other blockchains. Here’s a snapshot of where the extra funds went:

[Image: Binance Bridge Hack]

Tether had begun blacklisting ill-gotten USDT in the hacker’s Ethereum wallet, and Circle will likely do the same with their USDC as soon as an attempt is made to put it through a mixing service or send it to an exchange for withdrawal. For now, tracking any potential movement of the funds provides further insight for cybersecurity experts and law enforcement to continue their investigation and attempt to uncover the attacker’s identity.

So how does the Binance Bridge Hack Change the way People View Web3?

It all comes back to decentralization.

A network can be considered “decentralized” if it has a sufficient number of distributed nodes that all share equally in the functions of running the network and keeping it secure. What exactly counts as a “sufficient” number is up for debate, but it largely comes down to how easy it is for one centralized authority to control what happens to the entire network.

For example, there are nearly 15,000 Bitcoin nodes, over 8,000 Ethereum nodes, and only 26 active BNB Smart Chain nodes at the time of writing. BNB Smart Chain technically is a network of distributed nodes, but it’s not very many nodes comparatively, and the ones that do exist are influenced by Binance’s team to a high degree. It’s this high degree of centralized authority which prompted the BNB Smart Chain node operators to rapidly halt the blockchain and implement a software upgrade which froze the remaining stolen BNB.

When we consider the infamous “blockchain trilemma” (the commonly held belief that a blockchain can only have 2/3 in regard to decentralization, security, and scalability), it’s clear that the BNB Smart Chain sacrifices decentralization for better security and scalability. That’s why their transactions are so fast and cheap, and why they are able to respond to cyber attacks so effectively, but at the end of the day how much different is it from using a normal bank when there’s just a small team of validators who control the entire network?

The answer is that it’s actually quite different. The Binance ecosystem taken as a whole (the exchange, the team, the token and the blockchain) is a bit like web3 lite for users who want a more simple experience of digital asset trading and use. It’s like an introductory on-ramp for crypto and NFTs. While the promises of ETH 2.0, layer 2s and ZK rollups, as well as competing blockchains are all good alternatives that might solve the blockchain trilemma in the future, the BNB Smart Chain in its current form has shown that it can withstand major exploits and mitigate some of the risks inherent to the early adoption of this disruptive technology.

The CEO of Binance, Changpeng Zhao, shared his thoughts on decentralization in the wake of the Binance bridge hack, stating “it is also important to remember that decentralization is a means to the goal, not the goal itself. The goal is freedom, security, and ease of use.”


How a $1B Flash Loan Led to the $182M Beanstalk Farms Exploit
https://cryptosec.com/crypto-blockchain-security/beanstalk-farms-exploit/
Published Thu, 06 Oct 2022 03:52:00 +0000

Understanding how flash loans and governance work in DeFi to demystify the Beanstalk Farms Hack

The only way to understand how the Beanstalk Farms decentralized credit-based stablecoin protocol exploit happened is to first understand flash loans, which are a little-known financial tool unique to the DeFi (decentralized finance) space, as well as governance. The Beanstalk Farms hack is a textbook example of a DeFi hack.

A flash loan is, like it sounds, a very fast loan. It happens within a single blockchain transaction and no collateral is needed. Instead, the borrower needs to set up a series of trades using smart contracts that can all be executed at once, and they must yield a profit. If the trade doesn’t yield a profit, the transaction is cancelled and the loan is not approved. On the other hand, if it does yield a profit then a fee is paid to the platform issuing the loan, such as Aave for example, and the remainder is kept by the trader.

If that all sounds too good to be true, it’s because it kind of is. You’ll pay a lot in gas fees, even for failed transactions, and the vast majority of your transactions will probably fail. There are programs to help you organize the trades and find arbitrage opportunities, but it’s still incredibly difficult. Only deeply experienced traders should attempt to use flash loans.

As exciting as they are, flash loans also present unique security risks to DeFi protocols. The $182M exploit of the Beanstalk Farms ecosystem is a perfect example.

How the Attack was Executed

So we know about flash loans, but we also need to briefly discuss governance, particularly in relation to DAOs (decentralized autonomous organizations). With a decentralized project like Beanstalk Farms, a governance protocol is needed to take various actions, such as software updates, changing yield and protocol details, or proposing and voting on solutions to problems that might arise.

What’s important to know about the DAO in this case is that proposals need a supermajority (more than 2/3) in order to pass, and the platform’s BEAN stablecoin can be used to generate Stalk and Seed tokens, which represent voting power – so if a bad actor could take control of >67% of the governance tokens, they would be able to attack the network and pass malicious proposals.

That’s exactly what happened.

A series of fast transactions involving a $1B flash loan from the Aave protocol, along with what must have been the longest 24-hour wait in the attacker’s life, allowed them to take control of a massive pile of BEAN, use it to generate enough Seed and Stalk tokens to give their wallet 70% of the supply, and then transfer all the funds from Beanstalk’s wallet to their own. They ultimately made off with around $76M worth of stolen cryptocurrency, but left Beanstalk Farms out $182M in liquidity.

Cybersecurity firm DeFiSafety released a post-mortem with all the technical details.

Timeline of the Beanstalk Farms Hack

April 16, 2022:

At 08:38 UTC, this address (referred to as the ‘Beanstalk Flashloan Exploiter’ address) swaps 73 ETH for 212,858 BEAN. Nothing suspicious here, but now that we know to look we can see that the wallet was initially funded through the crypto mixer Tornado Cash.

Nine minutes later, at 08:47 UTC, this transaction shows the same address depositing the 212K BEAN into the Beanstalk ‘Silo’, which is the mechanism used for generating Seed and Stalk governance tokens. With this deposit, a proportionate amount of governance tokens were generated to allow the address to make a governance proposal.

At 10:54 UTC, the attacker made the first of two proposals. Notably, the first proposal was seemingly blank while the second proposal was a $250,000 donation to Ukrainian crypto exchange KUNA, which was passed but promptly returned with a message from the exchange’s founder. The first proposal contained hidden code which connected it to a malicious smart contract that, if passed, would drain the Beanstalk liquidity into the attacker’s wallet.

Proposals normally require a 7-day period before they execute (if they obtain a supermajority vote), but there’s a backdoor called the emergencyCommit() function, which allows a proposal to pass in just 24 hours. All that’s needed to execute emergencyCommit() is >67% of the governance tokens.

April 17, 2022:

At 12:24 UTC, more than 24 hours after the two proposals were made in the Beanstalk DAO, the attacker initiates the $1B flash loan, which consists of 350M DAI, 500M USDC, and 150M USDT.

A flurry of swaps occur within the single transaction, which allow the attacker to borrow over 32M BEAN and several million more in various Beanstalk-whitelisted stablecoins. All this gave the attacker 70% of the governance token supply, which allowed them to execute emergencyCommit() on their two proposals.

As mentioned above, the first proposal passing actually transferred all of Beanstalk’s liquidity to the attacker’s wallet. With the stolen funds, the attacker paid off the flash loan and walked away with around $76M worth of stolen ETH, while Beanstalk Farms had lost $182M.
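To make the two mechanisms in this timeline concrete, here is an added example (not Beanstalk’s, Aave’s or Cryptosec’s code) that models a flash loan whose repayment check reverts the whole transaction, and a DAO whose emergencyCommit() needs more than 2/3 of voting power. Every class and function name and every token amount is an assumption made for the model; it also goes one step beyond the page by running the same sequence under snapshot voting, the common defence, to show the loan-funded commit reverting.

```python
"""Toy model of the flash-loan governance attack described above (an added
example, not Beanstalk's or Aave's code; names and figures are assumptions).
Live-balance voting lets a flash loan buy a supermajority inside one
transaction; snapshot voting, taken at proposal time, does not."""
from fractions import Fraction

SUPERMAJORITY = Fraction(2, 3)   # the page: proposals need more than 2/3
FLASH_FEE_BPS = 9                # assumed lender fee of 0.09 %


class Revert(Exception):
    """Stands in for an EVM revert: the whole transaction is discarded."""


class Token:
    def __init__(self):
        self.balances = {}

    def mint(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise Revert(f"{src} cannot pay {amount}")
        self.balances[src] -= amount
        self.mint(dst, amount)


class FlashLender:
    """No collateral: principal plus fee must be back before the borrower's
    callback returns, otherwise the whole transaction reverts."""

    def __init__(self, token, reserves):
        self.token = token
        token.mint("lender", reserves)

    def flash_loan(self, borrower, amount, callback):
        fee = amount * FLASH_FEE_BPS // 10_000
        self.token.transfer("lender", borrower, amount)
        callback()                                              # borrower's trades
        self.token.transfer(borrower, "lender", amount + fee)   # Revert if short
        return fee


class DAO:
    """Silo deposits confer voting power (Stalk/Seed simplified to 1:1). With
    snapshot_voting=True a proposal is judged on the power that existed when
    it was created, the usual defence against borrowed votes."""

    def __init__(self, token, snapshot_voting):
        self.token, self.snapshot_voting = token, snapshot_voting
        self.deposits, self.proposals = {}, {}

    def deposit(self, who, amount):
        self.token.transfer(who, "silo", amount)
        self.deposits[who] = self.deposits.get(who, 0) + amount

    def withdraw(self, who, amount):
        if self.deposits.get(who, 0) < amount:
            raise Revert(f"{who} has no such deposit")
        self.deposits[who] -= amount
        self.token.transfer("silo", who, amount)

    def propose(self, pid, action):
        self.proposals[pid] = {"power": dict(self.deposits), "action": action}

    def voting_share(self, pid, voter):
        power = self.proposals[pid]["power"] if self.snapshot_voting else self.deposits
        return Fraction(power.get(voter, 0), sum(power.values()) or 1)

    def emergency_commit(self, pid, voter):
        share = self.voting_share(pid, voter)
        if share <= SUPERMAJORITY:
            raise Revert(f"{voter} holds only {float(share):.2%} of the votes")
        self.proposals[pid]["action"]()
        return share


def run_attack(snapshot_voting, loan=1_000_000_000, honest=100_000_000,
               treasury=182_000_000, stake=212_858):
    """Replays the two-day sequence under one voting rule; the amounts are
    constructed token units that echo the page, not real balances."""
    token = Token()
    for who, amount in (("honest", honest), ("treasury", treasury), ("attacker", stake)):
        token.mint(who, amount)
    lender, dao = FlashLender(token, loan), DAO(token, snapshot_voting)
    # Day 1: a small genuine deposit, then a proposal whose hidden action
    # hands the treasury to the proposer.
    dao.deposit("honest", honest)
    dao.deposit("attacker", stake)
    dao.propose("bip", lambda: token.transfer("treasury", "attacker", treasury))

    def in_one_transaction():        # Day 2, after the 24 h emergency window
        dao.deposit("attacker", loan)
        dao.emergency_commit("bip", "attacker")
        dao.withdraw("attacker", loan)

    try:
        fee = lender.flash_loan("attacker", loan, in_one_transaction)
    except Revert as why:            # nothing settles; only gas was spent
        return {"executed": False, "reason": str(why)}
    return {"executed": True, "fee_paid": fee,
            "attacker_wallet": token.balances["attacker"]}
```

With live-balance voting the borrowed deposit lifts the attacker to roughly 91% of the votes and the treasury moves before the loan is repaid; under snapshot voting the same stake is 0.21% at proposal time, the commit reverts, and the loan is never settled.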

Beanstalk Farms releases the first public statement confirming the attack at 17:36 UTC via a tweet saying “Beanstalk suffered an exploit today. The Beanstalk Farms team is investigating the attack and will make an announcement to the community as soon as possible.”

They also paused the protocol using ownership privileges right before making the announcement. An update in Discord shortly after confirmed the Beanstalk team had contacted the FBI.

April 18, 2022:

The primary Beanstalk dev, who went by Publius, revealed to the community in a Discord announcement they were actually 3 people and publicly doxxed themselves to help reassure users they were not involved in the attack.

The attacker sent the funds through Tornado Cash and they have still not been recovered as of October, 2022.


How the Nomad Bridge Hack can Help Us Explore the Potential Downsides of Decentralization
https://cryptosec.com/crypto-blockchain-security/nomad-bridge-hack/
Published Tue, 27 Sep 2022 20:27:00 +0000

One attacker and hundreds of copycats looted the Nomad bridge for over $190 million; few did the right thing.

Decentralization is a hot-button topic in 2022.

To some, it seems like the solution to a variety of issues plaguing the so-called web2 ecosystem, such as the monopolization of social media, the centralized control over the flow of information, and bad data privacy and data monetization practices. Proponents of distributed blockchain technology offer web3 as the decentralized solution to these problems, but web3 has some kinks to work out before it can replace the established infrastructure of web2.

One of those kinks involves exploitable smart contracts, a $190 million liquidity pool, and simple human nature. This is the full story behind one of the largest DeFi hacks, the Nomad Bridge Hack of August, 2022.

The Nomad Bridge Hack Timeline

August 1, 2022:

[Image: Nomad Bridge Hack Twitter] Source: https://twitter.com/nomadxyz_/status/1554246853348036608?s=20&t=bbAzgxq95hczZKUsXIabgw

Ethereum block 15259101 at 21:32:31 UTC contains four transactions at indices 0, 1, 3, and 124.

Each transaction is a fraudulent withdrawal from the Nomad bridge for 100 WBTC (~$2.3M at the time).

An attacker has found a bug in the smart contract that verifies Ethereum transactions on the bridge, and it’s as easy as copy/pasting the fraudulent transaction details and replacing the receiving wallet address with one’s own to replicate the attack.

Here’s Nomad’s post-mortem for the technical details about the exploit method.

Needless to say, pandemonium ensued.


Aug 2, 2022:

Within hours of the initial attack, hundreds of similar attacks occurred for a total of 960 transactions with 1,175 individual withdrawals from the bridge, according to an after-the-fact Twitter thread by Nomad.

The liquidity in the Nomad Ethereum bridge wallet was drained from ~$190M to $16,573.


Since it was so easy to replicate, you can imagine the dilemma some people were in when they realized they could copy the attack; others did, however, realize they could take the funds for safekeeping and then return them when the exploit was patched. This was a very risky move because, regardless of intent, they still committed theft and broke multiple cybercrime laws.

Only experts in digital asset recovery and cybersecurity professionals who know what they’re doing should take these kinds of actions.

[Image: Nomad Bridge Hack Twitter] Source: https://twitter.com/0xPaladinSec/status/1554252732365668362?s=20&t=A0hYTf2pz48Qi4FLt1JMsw

Aug 3, 2022:

Nomad begins the funds recovery process and shares an address for white hats to return stolen funds to.

[Image: Nomad Bridge Hack Twitter] Source: https://twitter.com/nomadxyz_/status/1554679735006859264?s=20&t=bbAzgxq95hczZKUsXIabgw

Aug 4, 2022:

Within 24 hours, Nomad has already recovered $16.6M, and they publish the addresses of some of the white hats who contributed to the asset recovery efforts alongside the amount of crypto each wallet was safeguarding.

[Image: Nomad Bridge Hack Twitter] Source: https://twitter.com/nomadxyz_/status/1555045760588140544?s=20&t=bbAzgxq95hczZKUsXIabgw

Aug 5, 2022:

Nomad announces they’re working with the TRM Labs cybersecurity team, and states that many of the attackers used traceable addresses with identifying information attached.

[Image: Nomad Bridge Hack Twitter] Source: https://twitter.com/nomadxyz_/status/1555559853795540992?s=20&t=yJuc3V_5xPj91l2uL3Aaew

They also announce a 10% bounty on the return of stolen funds, and promise not to pursue legal action against those who cooperate.

[Image: Nomad Bridge Hack Twitter] Source: https://twitter.com/nomadxyz_/status/1555559855217410051?s=20&t=yJuc3V_5xPj91l2uL3Aaew

After one white hat returned $9.4 million worth of crypto, Nomad made another update announcing they had collected $31.8M so far.

From August 5th onward, Nomad would pursue the rest of the assets by working with crypto investigators, law enforcement, and the crypto community at large to entice copycat hackers to return the funds they took and to track down the ones who don’t cooperate.

They announced on August 30th they had engaged the Chainalysis Crypto Incident Response team for advanced blockchain tracing and to help identify the hackers.

Unsurprisingly, white hats who returned 90%+ of the stolen funds were rewarded with a free NFT from Metagame, and also 100 FF tokens from Forefront.

[Image: Nomad Bridge Hack Twitter] Source: https://twitter.com/nomadxyz_/status/1562097378445836292?s=20&t=bbAzgxq95hczZKUsXIabgw

This was a nice gesture and a unique incentive to offer, but clearly it didn’t work as well as they’d hoped.

As of their most recent update on September 27th, they had recovered just $34.1 million (not adjusted to reflect the cost of the assets at the time of the attack).

That number is however expected to rise through future legal action and recovery processes based on their investigations and working with law enforcement.


Poly Network Hack – How Crypto’s Biggest Hacker was Found but Never Identified
https://cryptosec.com/crypto-blockchain-security/poly-network-hack/
Published Sun, 25 Sep 2022 10:16:00 +0000

The $611M Poly Network hack is the largest crypto and DeFi hack to date in terms of mark-to-market value, and all the stolen funds were returned, but the identity of the hacker is still unknown.

Dubbed “Mr. White Hat” by the Poly Network security team, the anonymous perpetrator of the biggest crypto hack to date gave all the stolen crypto assets back within 15 days of the incident.

But how was the Poly Network hack carried out? Why did they return the funds? And how did they manage to remain anonymous? We’ll explore these questions, but first…

What is the Poly Network?

The Poly Network is a DeFi platform that enhances blockchain interoperability by enabling users to transfer information and cryptocurrencies between various blockchains. Using the Poly Chain consortium blockchain as its framework, the Poly Network deploys a series of smart contracts to establish bridges between Bitcoin, Ethereum, BNB Smart Chain, and more than 20 other blockchains.

In simplified terms, Poly Network lets blockchains talk to each other using smart contracts.

How the Poly Network Hack Happened

A comprehensive Poly Network hack technical report by Kraken Security Labs less than 2 months after the incident revealed the mechanics of the attack. Through a series of data manipulation techniques in the high-level code of the Ethereum smart contract, the attacker was able to grant himself the necessary permissions to transfer all Poly Network funds on the Ethereum blockchain into his own wallet, which included 2,528 ETH valued at $267M at the time.

The same method was used to extract 6,610 BNB valued at $252M to the attacker’s BNB Smart Chain wallet, and again it was used to transfer roughly $85M worth of USDC into the attacker’s wallet on the Polygon network.

The stolen assets also included several million dollars worth of Shiba Inu, DAI, USDT, and BUSD, for a grand total of around $611M at the time of the attack and making the Poly Network hack the biggest crypto hack as of October 2022.

The Axie Infinity Ronin Bridge Attack wasn’t the biggest crypto hack of all time.

Why did they Return the Funds?

Oftentimes “white hat” security experts will reveal vulnerabilities in networks by exploiting them first and answering questions later. This is how they ensure they’ll get paid for finding the bug, but it’s also risky because they could technically be breaking various laws. In the case of the Poly Network hack, countless international finance and cybercrime laws were broken, so it was imperative that the attacker remained anonymous.

In short, the Poly Network hack attackers claim it was done with the intention of returning the funds the whole time. The attacker said:

“You don’t know me. Money means little to me, some people are paid to hack, I would rather pay for the fun. I am considering taking the bounty as a bonus for public hackers if they can hack the Poly Network. (They can win double if they feel the current plan is awkward).

If the Poly don’t give the imaginary bounty, as everybody expects, I have well enough budget to let the show go on. Just some funny thoughts but I may probably make them come true. If you are still confused, ask some richer friends, what is money for? I trust some of their code, I would praise the overall design of the project, but I never trust the whole poly team. My only guilt was triggered from the refugees.

All of my actions were determined since I made the final decision to be eternal. I am a little bit surprised that you call them professional negotiators, just look at their tense and repetitive words. If the Poly really got my initial idea, they could be less embarrassed. I published their request so that they got the chance to be a winner. Who do you think is dominating the game?”

However, many in the cybersecurity community are skeptical of this claim, especially in light of the fact that the hacker started moving the funds around between various smart contracts and wallets immediately after the incident.

In a series of messages left by the hacker via Ethereum transaction notes, they said they had done the attack for fun, and also asked “I know it hurts when people are attacked, but shouldn’t they learn something from those hacks?”

It’s worth noting that the Poly Network hacker was only able to return $340M worth of crypto initially, as the rest was frozen by Tether and other blockchain security firms, or locked in DeFi contracts; the total amount was finally moved back into the Poly Network’s possession on Aug 25, 15 days after the attack.

Blockchain-based security firm SlowMist also announced hours after the attack that they had identified the attacker’s email, IP address, and device fingerprints. This all drew speculation that they only decided to return the funds once they realized how difficult it would be to launder them.

The bug bounty offered to “Mr. White Hat” by Poly Network was a $500,000 reward, plus an offer to become their chief security advisor. It’s still unknown if they took the position. Poly Network also stated that it has no intention of holding Mr. White Hat legally responsible.

How the Poly Network Hack Attacker Managed to Remain Anonymous

While SlowMist did say they had identified the attacker’s email, IP address, and device fingerprint, a sophisticated hacker knows how to mask those properties and shield their true identity. It’s unlikely that any of these identifiers would reveal the precise location or true identity of the attacker. However, the smartest thing the attacker did was not try to reach any cashout points or make any withdrawals of the funds, because that’s the point at which digital identities collide with reality.

The attacker was able to remain anonymous by letting their pseudonymous digital identity be found, but never revealing any personal information through it. They would not have been able to cash out the funds without revealing their true identity.

This is yet another lesson taught to us by “Mr. White Hat”, which is that despite the headlines about massive smart contract exploits like this one, cryptocurrencies aren’t as private or as easily laundered as people think.


Cryptosec is a leading provider of security solutions in the rapidly evolving world of blockchain, cryptocurrency, and DeFi. Their specialist investigations arm, Crypto Investigators, offers expert services in blockchain forensics and legal investigations, leveraging deep industry knowledge and advanced investigative techniques to navigate the complexities of the digital age.

The post Poly Network Hack – How Crypto’s Biggest Hacker was Found but Never Identified appeared first on Cryptosec.

The Famous $160M Wintermute Hack: Inside Job or Profanity Bug?
Thu, 22 Sep 2022 05:37:00 +0000
https://cryptosec.com/crypto-blockchain-security/wintermute-hack/

Wintermute Hack – getting to the bottom of the exploit that led to one of the biggest DeFi hacks in the history of decentralized finance. 

In order to understand the $160M Wintermute hack, we first need to understand algorithmic market makers and how they work in DeFi (decentralized finance), since that’s what Wintermute is.

Imagine you’re the developer of a crypto project and you expect to get your token listed on a large exchange, even a top 10 such as Kraken or Binance. It sounds great, but now you have a new problem because you’ll need to constantly ensure the exchange always has enough liquidity to maintain trading, especially in DeFi markets where liquidity is a primary target for exploiters to attempt malicious activities and try to drain the funds. It would be great if you could deploy an algorithm to perform this constant liquidity observation and management for you – that’s essentially what an algorithmic market maker does.

Wintermute offers this service on both centralized and decentralized exchanges, among other services such as OTC trading and early-stage start-up investments. They incentivize users to provide liquidity into their protocol, and then their protocol manages the markets and liquidity pools across the project’s various partners’ and clients’ exchanges. Wintermute solves two of the tallest hurdles for projects in crypto – lack of liquidity and inefficient markets.

This is the full story behind the Wintermute hack of 2022.

$160M Wintermute Hack Timeline

September 15, 2022:

The 1inch Network finds a vulnerability in an Ethereum vanity address tool called Profanity. They publish a technical breakdown of the bug and how it could potentially be exploited if not patched, adding a notice that states “Your money is NOT SAFU if your wallet address was generated with the Profanity tool. Transfer all of your assets to a different wallet ASAP! Moreover, if you used Profanity to get a vanity smart contract address, make sure to change the owners of that smart contract.”

This is relevant to the Wintermute hack because Wintermute had generated a vanity wallet with Profanity and it was an admin to their vault, which means it could execute withdrawals.

September 20, 2022:

The attack begins with a transaction at 05:11 UTC that calls Wintermute’s vault contract to transfer various amounts of several different cryptocurrencies into the hacker’s contract.

The assets include:

  • 6,919 wrapped Ether (WETH), valued around $9,410,159
  • 10,895,735 Dai Stablecoin (DAI), valued at $10,895,735
  • 61,350,986 USD Coin (USDC), valued at $61,350,986
  • 29,461,553 Tether (USDT), valued at $29,461,553
  • 3,246,604 TrueUSD (TUSD), valued at $3,246,604
  • 9,470,755 Binance USD (BUSD), valued at $9,470,755
  • 3,250,807 Pax Dollar (USDP), valued at $3,250,807
  • 671.247 Wrapped BTC (WBTC), valued around $14,341,194
  • And various amounts of 62 other altcoins, almost all with values under $1M

How the Wintermute Hack was Executed

Polygon’s Chief Information Security Officer, Mudit Gupta, published this post-mortem on September 20th, correctly identifying the Profanity-built hot wallet as the attack vector.

While the Wintermute team had clearly been aware of the Profanity vulnerability, evidenced by the fact that they transferred all the ETH from the compromised hot wallet shortly after 1inch exposed it, they had simply forgotten to revoke admin permissions that the wallet had pertaining to Wintermute’s vault.

Through the Profanity vulnerability, the attacker was able to access the hot wallet with admin permissions and simply ask the vault to send them $160M worth of tokens.

While the digital assets stolen in the Wintermute hack have yet to be recovered, Wintermute remained solvent through the incident and has continued to operate without any serious pause in their protocol.


The post The Famous $160M Wintermute Hack: Inside Job or Profanity Bug? appeared first on Cryptosec.

Trying to Solve the Mysterious $200M BitMart Hack
Fri, 12 Aug 2022 04:53:00 +0000
https://cryptosec.com/crypto-blockchain-security/bitmart-hack/

BitMart Hack – A missing pile of Safemoon and other cryptocurrencies, accusations of broken promises, and then nothing.

When a high-profile cyber attack takes place and hundreds of millions of dollars are lost, usually a healthy balance is struck between safeguarding information to protect ongoing investigations and maintaining a level of transparent communication with the public.

In the case of the BitMart hack, they chose to keep a lot under wraps. We can still get a general idea of what happened and what went wrong from a string of statements they made early on.

This is the fullest story you’ll find on what happened with the $200M BitMart hack.

Timeline of the BitMart Hack

December 04, 2021:

At approximately 22:30 UTC, BitMart staff identify a security breach involving two hot wallets (lower-security wallets that are connected to the internet). They respond by immediately shutting down various systems, including withdrawals, and by freezing certain trading pairs.

We learn in a later update that the BitMart hack involved the attacker gaining access to two private keys, which allowed them to take various cryptocurrencies from the two wallets.

December 05, 2021:

At 00:28 UTC, just under 2 hours after BitMart noticed the hack and paused withdrawals, blockchain security and data analytics company PeckShield posts a tweet showing multiple suspicious withdrawals from BitMart’s hot wallets, and asking publicly if they’d been compromised.

By 01:50 UTC, PeckShield releases an update on the affected tokens, including the exact amounts of each, and estimates approximately $100M was lost from an Ethereum hot wallet, and another ~$96M from a Binance Smart Chain wallet.

The list of tokens stolen from the Ethereum wallet includes SHIB, SAITAMA, ELON, CRO, GALA, STARS, SAND, LUFFY, HOT, WOO, HEX, MATIC, TRU, SRK, KISHU, RVF, AKITA, RSR, USDC, FTM, MANA, XDB, WPP, UFO, ENJ, WILD, ZEON, and PBR.

Here’s the list of ERC-20 token amounts stolen.

The list of tokens stolen from the Binance Smart Chain wallet includes SAFEMOON, X2P, FLNS, BabyDoge, HERO, STARSHIP, FLOKI, JULb, CMCX, GMR, SPE, BETU, GMEX, ZEO, MOONTSHOT, BPAY, STACK, EnergyX, BSC-USD, and BNB.

Here’s the list of BEP-20 token amounts stolen.

At 02:13 UTC, the CEO of BitMart, Sheldon Xia, makes an announcement on Twitter confirming the security breach. He adds “the affected ETH hot wallet and BSC hot wallet carries a small percentage of assets on BitMart and all of our other wallets are secure and unharmed.”

December 06, 2021:

BitMart announces they will host an AMA; the distraught comments under the tweet indicate that many users are still unable to withdraw their funds. During the AMA, Sheldon Xia confirms the data shared by PeckShield.

“Unfortunately, we have more than 45 tokens involved in the BitMart hack, including #SHIB, #SAFEMOON, #SAITAMA, and so on. The total amount taken is around USD $200 million,” he said during the live communication. At this time, BitMart also assures users that they will compensate anyone who was affected by the BitMart hack using their own funding.

December 08, 2021:

BitMart releases an official statement on the BitMart hack, mostly just covering the information that was already available, but also reassuring users that they are “committed to exhausting all feasible options for supporting users’ withdrawal requests,” and they add that features are expected to be activated systematically within the coming days.

According to a later update by BitMart, it was on Dec 07 that deposit and withdrawal functions for “ETH and some ERC-20” tokens were first reinstated.

They also launched a giveaway program on this day with two separate prize pools of 500,000 BitMart tokens (BMX) as an expression of gratitude for users’ support. BMX was valued around $0.37 at the time, so the total prize was valued at roughly $370,000. The giveaway program concluded on Dec 15, and the BMX token held above $0.30 until mid-May 2022.

December 09, 2021:

At 03:00 UTC, BitMart restores deposit and withdrawal functions for some BEP-20 tokens.

They also confirm they have “replaced all token deposit addresses including BTC, ETH, SOL, and all other tokens.”

December 17, 2021:

BitMart resumes deposit and withdrawal functions on multiple mainnets, including Bitcoin, Avalanche, Harmony, Polkadot, Polygon, Solana, and several more.

December 31, 2021:

BitMart drops its BitMart hack post-mortem, which offers little further detail about the attack, but lays out their security response and several updates they’ve made to improve risk control and network architecture, such as deeply integrated identity authentication via Google’s identification systems, more secure data transmission, and a fully isolated DevOps environment to avoid future leaks of sensitive information, such as private keys to hot wallets.

Apart from a few tokens that are pending “high-level security reviews”, the majority of functions on the exchange, such as trading and withdrawals, are restored.

Did BitMart Reimburse Users?

This is where the trail goes cold.

Due to BitMart’s rapid response in shutting down their systems, all users on the platform were impacted by the inability to make withdrawals. However, once withdrawals were reinstated, the majority of users were no longer impacted because they still had the same assets and were able to trade or withdraw them as usual. So no reimbursement for those users was required.

However, those “high-level security reviews” mentioned above impacted users holding the tokens that were subject to review because they were still unable to withdraw or trade those assets. It’s unclear how many users were impacted in this way, but on January 7, five weeks after the BitMart hack, reports emerged that many users were still waiting to receive reimbursements or make withdrawals, particularly holders of the memecoin SAFEMOON.

As of August 10, 2022, there has been an ongoing FTC investigation into the BitMart hack and its response. No further updates were available at the time of writing, but BitMart continues to operate consistently within the top 15 centralized crypto exchanges in terms of daily trading volume.


The post Trying to Solve the Mysterious $200M BitMart Hack appeared first on Cryptosec.

What the $534M Coincheck Hack Taught Us All About Safe Storage of Digital Assets
Sat, 30 Jul 2022 21:37:00 +0000
https://cryptosec.com/crypto-blockchain-security/coincheck-hack/

Coincheck hack – the biggest crypto heist in history at the time it occurred in 2018 was an eye-opener for many reasons, not least of which for the way the stolen assets were being stored. 

Seasoned crypto enthusiasts and early adopters of the disruptive new technology know now that safely storing your digital assets is half the battle, but it wasn’t always so. Insufficiently secured storage was the norm for almost a decade after Bitcoin’s creation, with many people simply keeping their crypto on centralized exchanges, hot wallets, or even just USB sticks without any password protection.

With the $534M Coincheck hack in January of 2018, security and responsible self-custody of crypto assets quickly became a hot topic of discussion in the media and the crypto community.

You’ll see why.

The Full Story Behind the Coincheck Hack

Coincheck is today one of Japan’s largest crypto exchanges, still trading tens of millions of dollars worth of crypto each day, denominated in Japanese Yen (JPY). At the time of the Coincheck hack, it was the largest crypto exchange in Japan, and the attack represented the largest crypto heist of all time in terms of US dollar amount, surpassing the hack of another Japanese exchange, Mt. Gox. However, the exchange’s response to the Coincheck hack and its ability to reimburse the impacted customers meant that the exchange was able to continue operating and to grow.

The incident

At 17:57 UTC on Thursday, January 25th of 2018, an attacker gained access to one of Coincheck’s wallets. The wallet was holding the exchange’s entire supply of 523M NEM tokens (NEM was the 10th-largest cryptocurrency by market cap at the time).

Subsequent investigation revealed that initial access to the wallet on an employee’s PC was achieved through email phishing: an employee was tricked into downloading the “Mokes” and “Netwire” malware, which allowed the attacker to gain unauthorized access to the exchange’s private keys. Because both strains are known to have been previously deployed by Russian hackers, the working assumption is that the Coincheck hack was carried out by a Russian organized crime group.

When the Coincheck hack occurred, the NEM tokens held by the exchange were valued at around 58 billion yen (roughly $534M) at the time of detection. Worse, the tokens were in the custody of the exchange, but most of them actually belonged to the users who were holding or trading NEM tokens on the Coincheck platform.

The Coincheck hack went unnoticed for nearly eight and a half hours, until 02:25 UTC on Friday, January 25th, when employees at Coincheck realized the wallet had been drained, thanks to complaints from users about failed transactions involving NEM tokens.

How did the Coincheck hack attacker gain access?

The wallet that the tokens were being held in was a low-security “hot wallet”, examples of which include MetaMask and Phantom. These wallets are convenient for interacting with dApps (decentralized applications) online and for storing cryptocurrencies or NFTs for easy access and use. However, they sacrifice security measures to achieve that convenience. Without 2FA (two-factor authentication) enabled, many hot wallets can be accessed with nothing more than the private key (or the 12-24 word seed phrase).

The Coincheck hacker used a phishing scam to install malware on an employee’s computer and obtain the private key to the hot wallet that was holding Coincheck’s NEM token liquidity pool, and was therefore able to access the wallet and drain it of all funds.

The aftermath

Shortly after the breach was identified, Coincheck disabled all withdrawals from the platform and immediately reported the incident to Japanese financial authorities and police. It was dubbed “the biggest theft in the history of the world” at the time, but that’s no longer the case thanks to subsequent thefts that have happened in the crypto industry, mostly in 2021-2022.

Besides the direct losses, as a result of the Coincheck hack NEM, at the time the 10th-largest cryptocurrency by market value, fell 11% over a 24-hour period to 87 cents. Among the other cryptocurrencies, Bitcoin dropped 3.4% and Ripple retreated 9.9%.

Of course, this event started a widespread discussion about cybersecurity pertaining to blockchain technology and safe crypto storage of digital assets at the time. Even though multisig wallets (blockchain wallets that require multiple signees to perform any transaction) existed and were being used by Coincheck for some of their other assets at the time, it would now be inconceivable for an exchange or cryptocurrency project to keep any funds in an unsecured hot wallet; it should be inconceivable for you as well.

Coincheck Returning Lost User Funds

Coincheck, still based in Tokyo’s Shibuya district (the same district which the now defunct Mt. Gox exchange once called home), has continued to operate and maintain its spot as one of Japan’s leading crypto exchanges.

In the end, 260,000 users were affected by the Coincheck hack. However, the exchange promised to return the funds using their own capital to all users who were in possession of NEM on the platform at 23:59:59 JST on Jan. 26, 2018.

They were praised for this move, as it was the exact opposite of how Mt. Gox responded to their 2014 attack, which was to declare bankruptcy and begin a long legal process for returning funds which still hasn’t reached a conclusion in 2022.

Their reimbursement plan was effective from March 12, 2018, and they returned 90% of all funds to users according to the parameters outlined above.

Although this Coincheck hack shook the industry, it also made many crypto exchanges realize that they need to improve their security and keep their customers’ assets safe. Coincheck set a great example by being able to compensate for the losses of their customers after the Coincheck hack.


The post What the $534M Coincheck Hack Taught Us All About Safe Storage of Digital Assets appeared first on Cryptosec.

What the Biggest Blockchain Game – Axie Infinity’s Hack Reveals about the Future of Crypto Adoption
Mon, 18 Jul 2022 11:36:00 +0000
https://cryptosec.com/crypto-blockchain-security/axie-infinity-hack/

Axie Infinity’s Ronin Bridge Hack for $551M worth of crypto assets could paradoxically lead to higher rates of blockchain adoption by showing that it’s a lot easier to track stolen cryptocurrency than people think.

The popular misconception that cryptocurrencies are private and untraceable fuels the equally popular misconception that it’s impossible to track and recover stolen crypto assets.

In fact, even some of the most high-profile and sophisticated crypto theft operations have been exposed through the use of blockchain forensics and crypto investigations.

The infiltration of Sky Mavis leading to the Axie Infinity Ronin bridge exploit and the subsequent postmortem is a perfect example.

How Axie Infinity’s Ronin Bridge was Hacked

In short, it was a phishing attack against employees at Sky Mavis that led to a successful 51% attack on the Ronin network, but let’s start at the beginning.

Axie Infinity was at one time the world’s most popular play-to-earn blockchain game. It has its own layer 2 blockchain called Ronin, built on Ethereum. In order for users to transfer funds from the Ethereum blockchain to the Ronin blockchain, a bridge is required. This is what we’re referring to when we talk about the Ronin bridge.

Bridges require sufficient liquidity on both blockchains so they can effectively facilitate transfers for users in a timely manner, and it’s this liquidity in the Ronin bridge that was targeted.

Sky Mavis is the name of the company that developed both the Ronin network and the Axie Infinity game.

Reports have surfaced since the incident which suggest that an employee at Sky Mavis was compromised through a fake job offering that he initially received via the popular networking website, LinkedIn. After several rounds of interviews, the targeted employee was sent a PDF which contained malware that allowed the attackers to infiltrate Sky Mavis’ IT infrastructure and gain access to their internal network.

The Ronin blockchain had 9 validators at the time of the attack, meaning that control of only 5 validators would be sufficient to lead a 51% attack and forge transactions to drain the liquidity from the Ronin bridge. 4 validators were operated by Sky Mavis.

Once the attackers gained control of Sky Mavis’ 4 validators, it left them just 1 validator short of success. They were able to gain control of a 5th validator (operated by the Axie DAO) through a backdoor in Ronin’s gas-free RPC node. With control over 5 of 9 validators, the attackers were then able to forge 2 separate transactions, sending ETH and USDC valued at more than $551M to their own wallet.
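The validator arithmetic above (5 of 9 keys, 4 of them run by one company) is the part of the Ronin incident a defender can model. The following is an added example, not code from the article or from Sky Mavis: it checks whether a set of signers reaches quorum, and then asks the more useful question of how many independent operators must be compromised before a forged withdrawal passes. The validator names and the four non-Sky-Mavis operator labels are constructed placeholders.

```python
# Added example (not from the original article): models the Ronin bridge's
# 5-of-9 validator threshold and measures how many *independent operators*
# an attacker must compromise to reach it, rather than how many keys.
# The validator -> operator mapping is constructed to match the text
# (4 validators run by Sky Mavis, 1 by the Axie DAO, 4 by others);
# "operator-A".."operator-D" are hypothetical labels.
from collections import Counter
from typing import Dict, Iterable, List

RONIN_VALIDATORS: Dict[str, str] = {
    "validator-1": "Sky Mavis",
    "validator-2": "Sky Mavis",
    "validator-3": "Sky Mavis",
    "validator-4": "Sky Mavis",
    "validator-5": "Axie DAO",
    "validator-6": "operator-A",  # hypothetical independent operator
    "validator-7": "operator-B",
    "validator-8": "operator-C",
    "validator-9": "operator-D",
}
RONIN_THRESHOLD = 5  # signatures required to authorise a bridge withdrawal


def has_quorum(signers: Iterable[str], validators: Dict[str, str], threshold: int) -> bool:
    """True if the distinct, known validators among `signers` meet the threshold.
    Unknown names and repeated names are ignored, so a single key presented
    five times does not count as five signatures."""
    distinct = {s for s in signers if s in validators}
    return len(distinct) >= threshold


def min_operators_to_quorum(validators: Dict[str, str], threshold: int) -> List[str]:
    """Smallest set of operators whose combined validators reach `threshold`.
    Picking operators by descending validator count is optimal here, because
    each operator contributes a fixed number of keys and we only minimise the
    number of operators."""
    counts = Counter(validators.values())
    chosen: List[str] = []
    total = 0
    for operator, n in counts.most_common():
        if total >= threshold:
            break
        chosen.append(operator)
        total += n
    if total < threshold:
        raise ValueError("threshold cannot be met even with every operator")
    return chosen


def effective_security_report(validators: Dict[str, str], threshold: int) -> dict:
    """Nominal key threshold versus the number of organisations that actually
    stand between an attacker and a valid withdrawal."""
    operators = min_operators_to_quorum(validators, threshold)
    return {
        "nominal_keys_required": threshold,
        "independent_operators_required": len(operators),
        "operators": operators,
    }


if __name__ == "__main__":
    # Four Sky Mavis keys alone are one short; adding the Axie DAO key passes.
    sky_mavis_only = [v for v, op in RONIN_VALIDATORS.items() if op == "Sky Mavis"]
    print(has_quorum(sky_mavis_only, RONIN_VALIDATORS, RONIN_THRESHOLD))
    print(has_quorum(sky_mavis_only + ["validator-5"], RONIN_VALIDATORS, RONIN_THRESHOLD))
    print(effective_security_report(RONIN_VALIDATORS, RONIN_THRESHOLD))
```

Re-running the report with one validator per operator shows the same 5-of-9 threshold requiring five separate compromises instead of two, which is the concentration risk the incident exposed.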

Confusion about How Much was Stolen

Many top 10 crypto hacks listicles have the Axie Infinity Ronin Bridge hack at the top of the list with the value being $625M, but it’s not so simple.

According to the Ronin Network’s postmortem report, 173,600 ETH were stolen along with 25.5 million USDC on March 23, 2022, and the price of ETH closed at $3,028 that day. Those figures add up to approximately $551M. However, the price of ETH rose as high as $3,521 by April 3, just 11 days later, which would bring the total value of the hack closer to the widely reported $625M.

Given that the attackers were engaged in various methods of laundering the stolen funds through ETH’s volatility in the days and weeks after the incident, such as using crypto mixers like Tornado Cash and Blender.io, decentralized exchanges such as Uniswap, and even centralized exchanges like Binance as cashout points, all with varying degrees of success, it can be debated how much they technically stole.

The graphic below from Chainalysis shows the complicated web of methods used to launder the funds.

[Graphic: Ronin Hack Chainalysis]

Source: https://blog.chainalysis.com/reports/axie-infinity-ronin-bridge-dprk-hack-seizure/

Regardless, at the time of the attack the assets were worth $551M.

This would put the Ronin Bridge hack at number 4 on the list of biggest crypto hacks, as of October 2022.

Who was Behind the Ronin Bridge Hack?

This is where it gets interesting.

Who would have the resources to run such a sophisticated operation?

A July 2022 report by ESET Research identified the group behind a series of fake job offers in the aerospace and defense sectors similar to the ones received by employees at Sky Mavis. The group was none other than state-sponsored North Korean APT (advanced persistent threat) cybercrime organization Lazarus Group.

The U.S. Treasury Department had already added the Ethereum address associated with the Ronin bridge attack alongside the designation of Lazarus (and its various aliases) to the OFAC SDN list on April 14, 2022, so we now had both pieces of the puzzle confirming who was behind the attack and how it was launched.

Little is known about the Lazarus Group apart from the string of significant cybercrimes that have been attributed to them by researchers between 2010-2021. They fall within the designation of HIDDEN COBRA, a name used by the US Intelligence Community to refer to malicious cyber activity by the North Korean Government in general.

What this Means for the Future of Crypto Adoption

Even the most sophisticated cybercrime operations involving cryptocurrencies sponsored at the state level can be exposed using on and off-chain investigation techniques. Even with the use of advanced laundering strategies and crypto mixers, cybercriminals can be tracked down through the messages they send, the accounts they create, the methods they use and a plethora of other identifiers. This flies in the face of the common perception.

While there are novel threats and new vulnerabilities to be exploited through the use of blockchain technology, DeFi applications, smart contracts, and Web3 in general, there are ways to defend against attackers and ultimately realize a higher degree of security than was available through the centralized nature of so-called Web2, and it’s actually easier to recover stolen assets than it is in the real world.

Once a majority of people make this essential recognition, it’s likely that the rate of crypto adoption will persist or even increase.


The post What the Biggest Blockchain Game – Axie Infinity’s Hack Reveals about the Future of Crypto Adoption appeared first on Cryptosec.

Diving into the $320M Wormhole Bridge Hack
Mon, 06 Jun 2022 05:18:00 +0000
https://cryptosec.com/crypto-blockchain-security/wormhole-bridge-hack/

The full story behind the Wormhole bridge hack that led to the fraudulent minting of 120,000 wETH and threatened to crash Solana.

Early February of 2022 was a low-point for the cryptocurrency asset class; one of many more to come throughout the year. The price of BTC was on a relentless downtrend from a high of $69,044.77 on Nov 10, 2021, to under $40,000 by February 02, 2022.

This is the market atmosphere in which the $320M Wormhole bridge hack occurred.

The Wormhole bridge exists to help users move their assets from one blockchain to another – most often from Ethereum to Solana. The bridge, like any other, requires that users deposit their assets from one chain, such as ETH for example, and then they get the equivalent in a “debt token” (wETH or wrapped ETH) on the chain they wish to bridge to. From there, they can use the wETH to interact with dApps (decentralized apps) or exchange it for other assets, such as SOL or USDC.

The Wormhole bridge hack involved falsifying on-chain messages and transactions which allowed the attacker to steal the funds.

How the Wormhole Bridge Hack was Executed

By using a fake ‘sysvar’ account to invoke the “verify_signatures” function, the attacker was able to create a malicious transaction and ultimately trick the Wormhole bridge verification process to make “guardians” (validators) believe 120,000 ETH had been deposited on the Ethereum side, and therefore allow for the fraudulent minting of 120,000 wETH to this Solana address.

Here’s the initial transaction; ‘line #4 – account3’ should read “Sysvar: Instructions”, but instead reads “2tHS1cXX2h1KBEaadprqELJ6sV9wLoaSdX68FqsrrZRd”. This substitution is where the exploit occurred, and it led to the forged signatures, the fake verification, and the eventual successful attack.

Blockchain cybersecurity company CertiK provided an in-depth incident analysis that further breaks down the technical aspects of the Wormhole bridge hack.
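The pattern described above, a program that reads a “sysvar” account handed to it by the caller without first confirming that the account really is the sysvar, is illustrated below as an added Rust example. This is not Wormhole’s code and not the Neodyme patch; it models the general Solana pitfall with a toy instruction-list serialisation, constructed placeholder addresses (the real Instructions sysvar lives at `Sysvar1nstructions1111111111111111111111111`; the 32-byte constants here are invented) and a hypothetical `verify_signatures` pair showing the unchecked version beside the hardened one that binds the account to its expected address before trusting its contents.

```rust
// Added illustration of the sysvar-spoofing class (not Wormhole's code). On Solana every
// account, sysvars included, arrives as a caller-supplied AccountInfo; a program that
// trusts a sysvar's data without checking its address can be handed an impostor.

/// Minimal stand-in for Solana's AccountInfo: address plus raw account data.
#[derive(Debug, Clone)]
pub struct AccountInfo {
    pub key: [u8; 32],
    pub data: Vec<u8>,
}

/// Constructed placeholder for the Instructions sysvar address.
pub const INSTRUCTIONS_SYSVAR_ID: [u8; 32] = [0x51; 32];

/// Constructed placeholder for the program expected to have verified guardian
/// signatures in a preceding instruction (the real one is the secp256k1 program).
pub const SECP256K1_PROGRAM_ID: [u8; 32] = [0x5e; 32];

/// One instruction record as this toy sysvar serialises it.
pub struct InstructionRecord {
    pub program_id: [u8; 32],
    pub payload: Vec<u8>,
}

/// Toy layout: [count:u16 LE] then per record [len:u16 LE][program_id:32][payload].
pub fn load_instruction_at(data: &[u8], index: usize) -> Option<InstructionRecord> {
    if data.len() < 2 {
        return None;
    }
    let count = u16::from_le_bytes([data[0], data[1]]) as usize;
    if index >= count {
        return None;
    }
    let mut off = 2;
    for i in 0..count {
        if data.len() < off + 2 {
            return None;
        }
        let len = u16::from_le_bytes([data[off], data[off + 1]]) as usize;
        off += 2;
        if len < 32 || data.len() < off + len {
            return None;
        }
        if i == index {
            let mut program_id = [0u8; 32];
            program_id.copy_from_slice(&data[off..off + 32]);
            return Some(InstructionRecord {
                program_id,
                payload: data[off + 32..off + len].to_vec(),
            });
        }
        off += len;
    }
    None
}

/// Vulnerable pattern: trust whatever account the caller labelled as the sysvar and
/// conclude the signatures were verified if record 0 names the secp256k1 program.
pub fn verify_signatures_unchecked(sysvar_account: &AccountInfo) -> Result<(), &'static str> {
    let rec = load_instruction_at(&sysvar_account.data, 0).ok_or("no instruction record")?;
    if rec.program_id != SECP256K1_PROGRAM_ID {
        return Err("preceding instruction is not a secp256k1 verification");
    }
    Ok(())
}

/// Hardened pattern: bind the account to the known sysvar address before reading it.
pub fn verify_signatures_checked(sysvar_account: &AccountInfo) -> Result<(), &'static str> {
    if sysvar_account.key != INSTRUCTIONS_SYSVAR_ID {
        return Err("account is not the Instructions sysvar");
    }
    verify_signatures_unchecked(sysvar_account)
}

/// Helper: encode a single-record toy sysvar.
pub fn encode_single(program_id: [u8; 32], payload: &[u8]) -> Vec<u8> {
    let mut out = Vec::new();
    out.extend_from_slice(&1u16.to_le_bytes());
    out.extend_from_slice(&((32 + payload.len()) as u16).to_le_bytes());
    out.extend_from_slice(&program_id);
    out.extend_from_slice(payload);
    out
}

/// Constructed impostor: an arbitrary address whose data is forged to look like a
/// completed secp256k1 verification.
pub fn forged_sysvar() -> AccountInfo {
    AccountInfo { key: [0xaa; 32], data: encode_single(SECP256K1_PROGRAM_ID, b"forged") }
}

fn main() {
    let fake = forged_sysvar();
    println!("unchecked: {:?}", verify_signatures_unchecked(&fake)); // accepts the impostor
    println!("checked:   {:?}", verify_signatures_checked(&fake));   // rejects it
}
```

The design point is that the address check has to happen before any byte of the account is interpreted; checking the record contents alone, however carefully, cannot distinguish a genuine sysvar from an attacker-populated account that copies its layout.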

Timeline of the Wormhole Bridge Hack

February 02, 2022:

At 17:58 UTC, the first transaction occurs on Solana block 119025020 to create the fake ‘sysvar’ account.

After a series of technical maneuvers, this transaction is confirmed less than half an hour later on block 119027414 at 18:24 UTC, which mints the fraudulent 120k wETH valued around $320M at the time.

Within 10 minutes, by 18:34 UTC, the majority of the ‘debt token’ wETH has been exchanged for various assets: 93,750 wETH is bridged to regular ETH, and the remaining 26,250 wETH is liquidated into 432,662 SOL and 1,444 USDC.

The discrepancy in outstanding funds was not noticed until 19:07 UTC, when it was pointed out by Wormhole network contributors.

At 19:33 UTC, the team temporarily shuts down the Wormhole network.

At 20:15 UTC, the Wormhole security team sends a message on Ethereum block 141128723 to the attacker, “We noticed you were able to exploit the Solana VAA verification and mint tokens. We’d like to offer you a whitehat agreement, and present you a bug bounty of $10 million for exploit details, and returning the wETH you’ve minted.” They also left contact details.

According to public reports, the attacker never contacted the Wormhole team to claim the $10M bounty, and all the assets still remain in the addresses they were initially transferred to.

At 20:42 UTC, the team announces the attack to the public via Twitter, and then at 22:25 UTC, they release another statement on Twitter assuring users that “ETH will be added over the next hours to ensure wETH is backed 1:1.”

February 03, 2022:

The vulnerability that led to the exploit is patched in collaboration with Wormhole contributors led by auditing company Neodyme at 00:32 UTC.

By 13:29 UTC, the Wormhole network is back online and fully operational, and the announcement that “All funds have been restored and Wormhole is back up” comes in the form of a tweet at 13:39 UTC.

What Happened to the Stolen Funds?

As previously mentioned, at the time of writing the funds remain in the wallets they were initially transferred to. They haven’t been recovered, and no attempt has been made to move them to a cash-out point, such as a crypto exchange. However, because the fraudulent minting left 120k ETH missing from the bridge’s liquidity and so posed a massive risk to the stability of the Solana DeFi ecosystem, the shortfall was replaced on February 3 by contributors from Jump Crypto. This has allowed the bridge to return to full capacity and remain in operation today.


Cryptosec is a leading provider of security solutions in the rapidly evolving world of blockchain, cryptocurrency, and DeFi. Their specialist investigations arm, Crypto Investigators, offers expert services in blockchain forensics and legal investigations, leveraging deep industry knowledge and advanced investigative techniques to navigate the complexities of the digital age.

]]>
19049