1208 hack event(s)
Description of the event: On September 9, PEPE stated on Twitter that PEPE’s old Telegram account had been hacked and was no longer under official control. The Twitter account "lordkeklol" has been compromised and used to perpetrate scams and is in no way affiliated with PEPE or its team members. All official information from PEPE will be released via its Twitter account in the coming weeks.
Amount of loss: - Attack method: Telegram was hacked
Description of the event: Ordinals Wallet suffered a SIM Swap attack. The Twitter account was hacked and phishing links were posted. The attacker is PinkDrainer.
Amount of loss: - Attack method: Twitter was hacked
Description of the event: On September 7, crypto trust company Fortress said on the X platform that its customers were affected by a "compromised third-party provider of cloud tools," but that there was no loss of funds. On September 13, Fortress Trust founder and CEO Scott Purcell said that the company lost $12 million to $15 million in cryptocurrencies in a recent hack, most of which was Bitcoin but two stablecoins. A small amount of USDC and USDT were also stolen, and the company immediately made up for the loss. "Of the 225,000 customers, only 4 customers were actually affected." Purcell repeatedly emphasized that the fault of the security breach lies with the third-party provider, not the Fortress Trust or the company's hosting partners Fireblocks or BitGo. The vendor has been identified as Retool, and Retool admitted that it was the victim of a phishing attack.
Amount of loss: $ 15,000,000 Attack method: Third-party Provider Vulnerability
Description of the event: According to official sources, Base had previously experienced a block failure. The Base team immediately investigated, and a fix was subsequently deployed, and block production began to resume. At present, the team confirmed that the network operation and RPC API have returned to normal, and will continue to monitor. Base later tweeted that the glitch had been fixed and no funds were at risk.
Amount of loss: - Attack method: Block Failure
Description of the event: The token GALA of the blockchain gaming platform Gala Game underwent a major upgrade on May 15, 2023, and the token contract address was updated. As a result, there are now two tokens in circulation, both called GALA. The price ratio of old GALA and normal GALA is 1:12. The attacker has been using old GALA tokens to deposit funds on various exchanges since July 27 this year to test fake deposits. At the same time, hackers were also involved in the LDO “fake top-up” incident and the Nomad Bridge attack last August. On September 6, hackers deposited old GALA tokens to CoinHub, successfully causing the exchange to treat the deposited old GALA tokens as normal GALA tokens. Then the hacker user withdrew the real GALA. Now there is only $168 worth of GALA left in the exchange hot wallet, and the hacker earned 2.7 ETH.
Amount of loss: 2.7 ETH Attack method: False top-up
Description of the event: Arbitrum ecological decentralized exchange GMBL COMPUTER was attacked, and the attacker withdrew GMBL worth approximately US$815,000 from the contract. GMBL said: “We believe that the vulnerability is caused by a flaw in the platform’s recommendation system, which allows people to place bets without depositing any funds and use them to generate referral bonuses. We have identified the exploiter and are working to recover all funds lost due to this exploit. The GMBL team stated that they provided a "Bug Bounty" to the attackers to return 90% of the stolen funds in exchange for a promise not to take legal action. On September 6, the attackers returned 235 ETH (approximately $382, 000), which is 50% of the stolen funds.
Amount of loss: $ 815,000 Attack method: Contract Vulnerability
Description of the event: According to a number of community users, there seems to be a problem in the Layer2 interoperability protocol Connext airdrop claim process. The NEXT tokens of some accounts were claimed to unexpected addresses. The data on the chain shows that the address starting with 0x44Af received a large number of Connext token NEXT airdrops through 230 accounts in the past 1 hour, and sold them all for ETH, USDT and USDC, earning nearly 39,000 US dollars. According to SlowMist analysis, users can claim NEXT tokens through the claimBySignature function of the NEXT Distributor contract. There are recipient and beneficiary roles, the recipient role is used to receive the NEXT tokens of the claim, and the beneficiary role is the address that is eligible to receive NEXT tokens, which has been determined when the Connext protocol announces the air investment qualifications. When the user makes a NEXT token claim, the contract will perform two checks: one is to check the signature of the beneficiary role, and the other is to check whether the beneficiary role is eligible to receive the airdrop. During the first check, it will check whether the recipient passed in by the user is signed by the beneficiary role, so the random incoming recipient address cannot pass the check if it is not signed by the beneficiary. If you specify a beneficiary address to construct a signature, even if it can pass the signature check, it cannot pass the second check on the eligibility for airdrops. Airdrop claim eligibility checks are checked through Merkle proofs, which should be officially generated by the Connext protocol. Therefore, users who are not eligible to receive airdrops cannot bypass the check to receive other people's airdrops. On September 7, Connext released a post-mortem analysis, stating that the attacker performed DOS operations on Tokensoft’s API, causing the claim database and UI to crash. During this process, 274,956 NEXT from 253 wallets (not related to Connext) were claimed (0.26% of the total airdrop) and sold for approximately 40,000 USDT before ordinary users were able to claim it. But Connext was not compromised in any way. After the DOS attack ended, airdrop claims returned to normal.
Amount of loss: $ 39,000 Attack method: DoS Attack
Description of the event: According to reports, Cyberport Hong Kong was hacked and the information, company documents, identity documents and other information of start-up companies were obtained by hackers, totaling about 436 GB of company data. As can be seen in the post of X, an account that focuses on Internet security, the hacker's website asked for about US$300,000 (approximately HKD 2.35 million) for the stolen information. On September 6, Hong Kong Cyberport responded to a cyber security incident suspected of being hacked, saying that Cyberport had discovered a cyber security incident involving an unauthorized third party intruding into some of Cyberport's computer systems. Cyberport is very concerned about the incident and has immediately taken action to control it, including handling the alarm and shutting down the affected computer equipment. It has also quickly launched a detailed investigation with the assistance of independent cybersecurity experts. Cyberport has also notified the relevant authorities and the Office of the Privacy Commissioner for Personal Data in Hong Kong.
Amount of loss: - Attack method: Information Leakage
Description of the event: A fake Lybra Finance token executed a exit scam on September 5th. Deployer added 60 WETH to LP and removed 83 WETH, profiting 23 WETH (~$37k).
Amount of loss: $ 37,000 Attack method: Exit Scam
Description of the event: Saber DAO, the automated market maker for stablecoins on Solana, tweeted that its Discord had been attacked and that it had blocked the attackers.
Amount of loss: - Attack method: Discord was hacked
Description of the event: The encrypted gambling platform Stake.com has been attacked, including the ETH/Polygon/BSC chain, and the loss has reached 41 million US dollars. On September 5, Stake co-founder Edward Craven confirmed the hack but said the platform’s private keys had not been compromised. Craven said the attack was a "sophisticated breach" that targeted the company's services used to authorize transactions on the Ethereum, Polygon and BNB Chain blockchains. On September 6, the US Federal Bureau of Investigation (FBI) stated that the North Korean hacker group Lazarus Group was responsible for the Stake.com attack.
Amount of loss: $ 41,000,000 Attack method: Wallet Stolen
Description of the event: NFT marketplace Paras tweeted that its discord was under attack. Please do not click on the link, mint, or approve any transactions.
Amount of loss: - Attack method: Discord was hacked
Description of the event: The CoredeFinance project performed an exit scam and EOA (0x18500) made a profit of 27 ETH (~$43,900).
Amount of loss: $ 43,900 Attack method: Rug Pull
Description of the event: Balthazar tweeted that his Discord was under attack and please do not click on the link, mint, or approve any transactions.
Amount of loss: - Attack method: Discord was hacked
Description of the event: A Brazilian YouTuber, Ivan Bianco, accidentally leaked the mnemonic of his cryptocurrency wallet during a live stream on his Fraternidade Crypto channel, resulting in the theft of nearly $60,000 worth of cryptocurrency and a batch of NFTs. Fraternidade Crypto has around 34,000 subscribers on YouTube. During the live broadcast, Bianco opened a file recording the mnemonic phrase, which allowed an unknown person to take control of his wallet and steal its funds. Bianco reported the incident to police after missing the funds. He also claimed that an unidentified man contacted him on Discord after the funds were stolen. The anonymous person identified himself as the money thief and expressed regret for his actions before hanging up and leaving. After the call ended, the wallet that stole most of the funds returned a total of approximately $50,000 worth of crypto assets to Bianco.
Amount of loss: $ 10,000 Attack method: Mnemonic Leakage
Description of the event: Lamas Finance's Discord is under attack, phishing site is lamas[.]co/airdrop, please do not click on the link, mint or approve any transactions.
Amount of loss: - Attack method: Discord was hacked
Description of the event: On September 1, community users discovered that Gitcoin’s official X account was suspected to have been stolen. The thief had used the account to post some phishing information. On September 9, Gitcoin tweeted that it had regained access to the official Twitter account. In the details of the incident later released by the official, Gitcoin stated that it still did not know how the thief bypassed the 2FA verification, but it would continue to investigate and implement stricter security measures in the future.
Amount of loss: - Attack method: Twitter was hacked
Description of the event: The BabyShia project implemented an exit scam. The deployer (0xCbcd8) has earned 133 ETH (about $226,000).
Amount of loss: $ 226,000 Attack method: Rug Pull
Description of the event: For months, Ethereum layer 2 solution Starkware has repeatedly warned users that their funds would be lost if they did not take action before upgrading, but some users apparently did not see these notifications, which resulted in many users being locked out. Locked out of StarkWare accounts, losing access to funds, totaling $550,000 in affected accounts. Due to community pressure, Starkware has re-enabled the ability to upgrade wallets.
Amount of loss: $ 550,000 Attack method: Wallet not upgraded
Description of the event: The private key of the BitBrowser browser user was suspected to be leaked, and many members of the encryption community reported that the private key was stolen. BitBrowser issued a notice, admitting that the cached data of the server may have been invaded, and the case has been reported. Users whose wallets have enabled extended data synchronization are at risk of being stolen. It is recommended to take immediate measures to transfer wallet assets. Cos, the founder of SlowMist, said on Twitter that the leakage of the private key of BitBrowser users has caused at least $520,000 in losses.
Amount of loss: $ 520,000 Attack method: Private Key Leakage