August was an action-packed month in the cryptocurrency space, filled with a wide range of hacks and scams. One of the most prominent attacks seen this month was Ice Phishing, with one incident resulting in around half a million dollars’ worth of assets lost to the scam. The growth of the cryptocurrency space is showing no signs of slowing, with a total of 20,810 cryptocurrencies being tracked by coinmarketcap.com at the end of the month. This was an increase of around 360 since the end of July. In this report, we will discuss some of the most impactful threats to the cryptocurrency space that occurred in August.
Nomad bridge exploit led to $190 million being stolen
The month opened with one of the most influential attacks. A vulnerability was discovered in the Nomad bridge that allowed people to steal cryptocurrency from the service. A bridge is a service which enables different blockchains to communicate, often allowing users to operate on one chain using tokens from another.
The exploit used a specially crafted blockchain message that caused the bridge to send tokens without the required authorisation. This simple exploit allowed over $186 million to be stolen in only nine hours. In the final hours there was a mad rush, and it has since been found that around 88% of the addresses involved were copycats.
The scale of this exploit made it the fourth largest DeFi hack, behind others such as the $540 million Ronin bridge hack and the $250 million Wormhole bridge attack. Bridges stand out in the statistics: thefts of this size are not uncommon. It is advised that bridge operators ensure that funds are distributed among multiple protocols and are not stored within the bridge itself. All contracts should also be regularly reviewed and audited.
Around 8,000 Solana wallets drained after exploit
On 2 August, around 8,000 Solana wallets were attacked and their funds drained. Solana is an efficient blockchain which, at the time of writing, is the ninth highest ranked currency on CoinMarketCap. News of the exploit began to circulate, with multiple theories being distributed and concern spreading that the bug might affect the entire network.
Solana revealed that private keys were exposed to the Slope monitoring service. However, very little detail has been shared about this incident and the vulnerability is still not fully understood.
Attacker compromises the wallet of Cameo’s CEO
The CEO of the celebrity video recording service Cameo, Steven Galantis, had his wallet compromised, with around $200,000 worth of cryptocurrencies stolen. Alongside large amounts of stolen $APE, a number of NFTs were also removed from the wallet, including a Bored Ape, two Captains Club NFTs, and three Otherside NFTs.
The interesting part of this incident is Galantis’s claim that the attack was caused by a hack of his Apple ID. While hard to confirm given the lack of information posted, this points to a potential route for threat actors to compromise user wallets. One known attack method involved the MetaMask wallet application, which would back up users’ seed phrases to their iCloud accounts. This meant that by compromising an iCloud account, an attacker could access the wallet and its contents. It is important for all users to ensure that their wallets are secured using multi-factor authentication and that the security of their iCloud account has been considered.
Tornado Cash added to US Sanctions List
Throughout this year one service has been at the forefront of the malicious cryptocurrency space, enabling a wide range of attackers to launder their stolen funds. Tornado Cash is an Ethereum mixing service that makes users’ cryptocurrency transactions harder to follow. The service was created by a group of developers; however, in May 2020 the team relinquished control and handed the protocol to the community. This made the protocol fully decentralised, with the original developers having no control over it.
The US Treasury has finally made the decision to sanction the currency mixer, which they claim has laundered more than $7 billion worth of cryptocurrency. The Treasury stated that Tornado Cash had failed to meet their standards and impose effective controls to stop malicious cyber actors. After the sanction was announced, the GitHub source code repository was removed, developer accounts were suspended, and the protocol website was taken down.
It is important to note, however, that Tornado Cash is not the only service being used to launder money. Two days after the sanctioning took place, another cryptocurrency firm, Elliptic, noted that bridges are quickly becoming a new way for criminals to launder their illicit cash. One such bridge, known as RenBridge, has reportedly had nearly $540 million in criminal funds moved across it. By using the ability to mix currency across chains, threat actors can obscure the trail their funds leave, so that the money arriving in their wallet appears less risky.
Curve Finance compromised and Binance came to the rescue
Curve Finance is a decentralised protocol that operates as an automated market maker (AMM), and allows users to exchange tokens efficiently. This protocol makes use of liquidity pools which contain similarly behaving assets, enabling them to lower the usage fees. The platform also uses the CRV token to incentivise users to utilise the platform.
On 9 August, Curve suffered a serious attack in which adversaries were able to steal $570,000 worth of cryptocurrency. The threat actor is suspected of having changed the Domain Name System (DNS) entry for the protocol, which forwarded victims to a fake version of the platform where they approved a malicious contract. After this exploit, the funds were transferred into ETH in an attempt to avoid them being frozen.
However, the upside to this story was that Binance, one of the largest exchanges, came to Curve’s aid. The attacker apparently attempted to transfer the stolen funds to a Binance wallet. The CEO of Binance, Changpeng Zhao, said on Twitter that the exchange immediately froze or recovered around 83% of the illicit funds. The companies are now working together to return the funds to the affected users. With the backing of large exchanges such as Binance, these kinds of incidents can be quickly halted in their tracks if threat actors fail to put in place the correct operational security.
1.2 billion aUSD at risk after Acala stablecoin bug
Acala is a stablecoin of the Polkadot blockchain platform. It uses a multi-collateralised system allowing cross-chain and native assets including DOT, ACA, KAR, KSM, BTC, and ETH to be used as collateral.
On 14 August, the developers deployed a new liquidity pool that contained a bug in its code. This allowed a threat actor to mint 1.28 billion tokens, causing the value of the coin to plummet by 99%. The bug was in the iBTC/aUSD pool and allowed the attacker to generate the aUSD tokens. The team quickly froze the malicious wallet and disabled the transfer functionality. This, combined with burning most of the new tokens, stabilised the coin at around $0.90, much closer to its $1 peg.
Stablecoins, which as the name suggests aim to be a stable way of storing cryptocurrency, are often far from stable. In August we also saw another stablecoin, HUSD, lose its peg and fall to $0.85 after the cash-backed currency suffered “liquidity issues”. Ever since the now infamous UST de-peg in May, the once solid trust in stablecoins has degraded, because users have realised that the algorithms and systems that keep these currencies stable can be exploited just as any standard cryptocurrency can.
DNS attack causes $240,000 worth of damage to the Celer Network
The Celer Network is an interoperability protocol that allows developers to build inter-chain applications and access all their assets in one centralised place. It also operates a bridge known as cBridge that offers highly efficient and easy-to-use liquidity management.
On 17 August, the platform was forced to shut down the cBridge after a suspected Domain Name System (DNS) hijacking attack occurred. When users attempted to access the site, they were instead redirected to a malicious site asking them to authorise a transaction, which would drain their wallets. The development team has advised users to revoke any token approvals granted to the malicious contracts.
In total, the attacker was able to steal an estimated 128 ETH worth of assets before the DNS issue was resolved. These funds were then quickly transferred and laundered. Celer has since offered to reimburse all affected users and has promised that additional monitoring is being put in place to help protect against these kinds of attacks in the future.
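Both the Curve Finance and Celer incidents above began with a DNS change rather than a smart-contract bug, so a defender's first signal is drift in the front-end domain's records. The following is an added example written for this report, not tooling from Curve, Celer or any other project: it compares a DNS snapshot against an allowlist of expected A and NS records and raises a finding when an answer appears that the protocol never configured. The domain, addresses and name servers are constructed placeholders.

```python
"""Hypothetical DNS-drift check for a DeFi front end (added example, not a project's own code).

Compares observed A/NS answers against an allowlist and classifies drift: an answer
outside the allowlist is CRITICAL (visitors may be sent to a lookalike site), while a
merely missing answer is a WARNING (partial outage or propagation lag).
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class ExpectedRecords:
    a: frozenset   # IPv4 addresses the front end legitimately uses
    ns: frozenset  # authoritative name servers configured at the registrar


@dataclass
class Finding:
    domain: str
    rtype: str
    unexpected: set
    missing: set

    @property
    def severity(self) -> str:
        # Any answer not on the allowlist means traffic may be redirected.
        return "CRITICAL" if self.unexpected else "WARNING"


def _normalise(values) -> set:
    # DNS names are case-insensitive and may carry a trailing dot.
    return {v.lower().rstrip(".") for v in values}


def compare(domain: str, expected: ExpectedRecords, observed: dict) -> list:
    """Return one Finding per record type whose observed set differs from the allowlist."""
    findings = []
    for rtype, allow in (("A", expected.a), ("NS", expected.ns)):
        seen = _normalise(observed.get(rtype, ()))
        allowed = _normalise(allow)
        unexpected, missing = seen - allowed, allowed - seen
        if unexpected or missing:
            findings.append(Finding(domain, rtype, unexpected, missing))
    return findings


def audit(expected_by_domain: dict, observations: dict) -> dict:
    """Run compare() over every monitored domain; a domain with no findings maps to []."""
    return {d: compare(d, exp, observations.get(d, {})) for d, exp in expected_by_domain.items()}


def live_a_records(domain: str) -> set:
    """Resolve A records with the system resolver (stdlib only; NS lookups need a DNS library)."""
    return {ai[4][0] for ai in socket.getaddrinfo(domain, 443, socket.AF_INET, socket.SOCK_STREAM)}


# Constructed allowlist: what the operator configured for the front-end domain.
EXPECTED = {
    "app.example-defi.test": ExpectedRecords(
        a=frozenset({"203.0.113.10", "203.0.113.11"}),
        ns=frozenset({"ns1.example-dns.test", "ns2.example-dns.test"}),
    )
}

# Constructed snapshots as a scheduled lookup might record them.
HEALTHY_SNAPSHOT = {
    "app.example-defi.test": {
        "A": ["203.0.113.11", "203.0.113.10"],
        "NS": ["NS1.example-dns.test.", "ns2.example-dns.test."],
    }
}
HIJACKED_SNAPSHOT = {
    "app.example-defi.test": {
        "A": ["198.51.100.77"],  # address the operator never configured
        "NS": ["ns1.example-dns.test.", "ns2.example-dns.test."],
    }
}

if __name__ == "__main__":
    for domain, findings in audit(EXPECTED, HIJACKED_SNAPSHOT).items():
        for f in findings:
            print(f"{f.severity} {domain} {f.rtype}: unexpected={sorted(f.unexpected)} missing={sorted(f.missing)}")
```

In practice the snapshot would be taken from several independent public resolvers on a short schedule, since a hijack at the registrar shows up everywhere at once while a poisoned single resolver shows up as disagreement between them; the comparison logic is the same either way.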
OptiFi closes its smart contract, losing $661,000
While we often see large numbers of platforms being taken down by malicious actors hacking smart contracts, this is not always the case. In this incident, the DeFi project OptiFi was subject to significant financial losses after a simple mistake was made.
The accident arose after a developer pushed an update to the project and, while trying to clean up some partially executed transactions, ran the command that closed the main smart contract. This means that around $661,000 worth of USDC tokens are now locked within the contract and can no longer be accessed. The platform developers have promised that all affected user deposits and positions will be settled.
This kind of issue raises an important point about the finality of operations on blockchain technology. Because technology such as smart contracts is decentralised, it is vital that checks and auditing are completed before any change is pushed. We commonly see smart contracts with coding errors being deployed, and the difficulty of fixing such flaws often leads to threat actors finding and exploiting them. OptiFi has made some proposals to Solana, detailed in its incident report, including adding further descriptions and requiring confirmation before programs can be closed. This would go some way towards preventing these kinds of accidental losses.
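The confirmation requirement proposed above can also be enforced on the operator's side, in the deployment tooling, without waiting for a platform change. Below is an added example written for this report, not OptiFi's or Solana's code: a small plan runner that treats irreversible steps (such as closing a program) as dry-run by default and refuses to execute them unless the operator supplies the exact confirmation phrase naming the operation and its target. The program id and the operations in the sample plan are constructed.

```python
"""Hypothetical guard for deployment scripts (added example, not OptiFi's or Solana's tooling).

Non-destructive steps run as usual; destructive steps are dry-run by default and, when
run for real, require confirm="<operation> <target>" typed verbatim. A mixed plan halts
at the first unconfirmed destructive step instead of sliding into an irreversible close.
"""
from dataclasses import dataclass
from typing import Callable, Optional


class ConfirmationRequired(Exception):
    """Raised when a destructive operation is attempted without its exact confirmation phrase."""


@dataclass(frozen=True)
class Operation:
    name: str                # e.g. "cancel-pending" or "close-program"
    target: str              # constructed program id, not a real on-chain address
    description: str         # shown to the operator before anything irreversible happens
    destructive: bool        # True when the effect cannot be undone on chain
    action: Callable[[], str]


def confirmation_phrase(op: Operation) -> str:
    # The operator must type the operation name and the target id, not just "yes".
    return f"{op.name} {op.target}"


def run(op: Operation, confirm: Optional[str] = None, dry_run: bool = True) -> str:
    """Execute one step; destructive steps need dry_run=False and the exact phrase."""
    if not op.destructive:
        return op.action()
    if dry_run:
        return (f"DRY-RUN {op.name} on {op.target}: {op.description}. "
                f"Re-run with dry_run=False and confirm={confirmation_phrase(op)!r}")
    if confirm != confirmation_phrase(op):
        raise ConfirmationRequired(
            f"{op.name} on {op.target} needs confirm={confirmation_phrase(op)!r}")
    return op.action()


def execute_plan(plan, confirmations: Optional[dict] = None, dry_run: bool = True) -> list:
    """Run steps in order and stop at the first destructive step that was not confirmed."""
    confirmations = confirmations or {}
    results = []
    for op in plan:
        try:
            results.append(run(op, confirmations.get(op.name), dry_run))
        except ConfirmationRequired as exc:
            results.append(f"HALTED: {exc}")
            break
    return results


# Constructed sample plan: a clean-up of partially executed transactions that happens to
# contain a close step, the kind of mixed script the guard is meant to catch.
PROGRAM_ID = "Prog1111111111111111111111111111111111111111"  # placeholder, not a real id
SAMPLE_PLAN = [
    Operation("cancel-pending", PROGRAM_ID, "cancel partially executed transactions",
              False, lambda: "cancelled 3 pending transactions"),
    Operation("close-program", PROGRAM_ID,
              "close the program account; funds still inside become unreachable",
              True, lambda: "program closed"),
    Operation("post-check", PROGRAM_ID, "verify balances after clean-up",
              False, lambda: "balances verified"),
]

if __name__ == "__main__":
    for line in execute_plan(SAMPLE_PLAN):            # dry run: nothing irreversible happens
        print(line)
    for line in execute_plan(SAMPLE_PLAN, dry_run=False):  # real run without confirmation: halts
        print(line)
```

The phrase check is deliberately strict: it compares the whole string, so a confirmation copied from a different program's runbook does not match, and a script that passes `confirm="y"` by habit is rejected rather than silently executed.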
Belarusian officials targeted by hacktivist’s NFTs
The hacker group known as the Belarusian Cyber Partisans has previously targeted the Belarusian government in multiple attacks. These have included hacking state news websites to show scenes of police brutality; defacing multiple government websites to add the white-red-white flag used by Belarusian dissident groups; and disrupting railway supply lines during Russia’s invasion of Ukraine in protest against Belarus’s support of Putin’s actions.
More recently, however, cryptocurrencies, specifically NFTs, have become part of the group’s arsenal for attacking the regime. The group is known to have gained access to large amounts of passport records after hacking the national passport database in July last year. They used this information to create an NFT collection listing a series of mock-passport images. These were all made using the passport data of senior Belarusian officials, including President Alexander Lukashenko. The collection was posted on the platform OpenSea, from which it was swiftly removed. The group has since registered to host the NFTs on a different platform and is awaiting confirmation that it can do so.
This is one of the first instances of NFTs being weaponised to distribute hacktivist material targeting government bodies. Their decentralised and public nature makes NFTs an effective distribution tool, and the collection also served as a major PR stunt that has gained the group and the movement a significant amount of attention. As web3 technology becomes more popular, we expect decentralisation to become a powerful tool for groups to distribute protest material without needing to host their own infrastructure.
August was one of the most politically eventful months in cryptocurrency, with the important sanctions brought against Tornado Cash and serious efforts to shut down the illicit activity that ran through it. We have seen wallets being blacklisted and money being seized as government entities and large cryptocurrency companies cooperate to tackle crime in this field. When the US Treasury announces sanctions of this kind, we often see large movements in the threat landscape, with threat actors pivoting to different techniques in order to avoid detection. It would not be surprising to see a quick shift away from Tornado Cash and other methods of laundering, including the previously mentioned bridges, being used more frequently. This coincided with the FBI releasing a Public Service Announcement (PSA) confirming that cyber criminals are targeting decentralised finance platforms to obtain cryptocurrency. The announcement recommends that all DeFi platforms and protocols ensure that code audits take place regularly. The FBI also recommended that companies avoid rapidly deploying contracts, as this can cause unforeseen errors, as in OptiFi’s incident.
Another trend seen throughout the month was the move to attack infrastructure that is not web3-based, with two of the threats mentioned being due to DNS attacks. This follows a pattern of threat actors attacking web3 platforms through web2 infrastructure. While web3 companies are often highly focused on securing their blockchain and DeFi infrastructure, traditional security practices can be forgotten, and a standard DNS hijack can then result in a successful attack. This reinforces the need for decentralised finance organisations to ensure that their web3 infrastructure is secured through auditing. These organisations should also carry out standard security testing, such as red teaming exercises, to build a more robust security environment.