158 hack event(s)
Description of the event: According to information from SlowMist Zone, the OKX DEX contract appears to have encountered an issue. After SlowMist's analysis, it was found that when users exchange, they authorize the TokenApprove contract, and the DEX contract transfers the user's tokens by calling the TokenApprove contract. The DEX contract has a claimTokens function that allows a trusted DEX Proxy to make calls, with its functionality being to invoke the claimTokens function of the TokenApprove contract to transfer tokens authorized by the user. The trusted DEX Proxy is managed by the Proxy Admin, and the Proxy Admin Owner can upgrade the DEX Proxy contract through the Proxy Admin. On December 12, 2023, at 22:23:47, the Proxy Admin Owner upgraded the DEX Proxy contract to a new implementation contract through the Proxy Admin. The new implementation contract's functionality is to directly call the claimTokens function of the DEX contract to transfer tokens. Subsequently, attackers began calling the DEX Proxy to steal tokens. The Proxy Admin Owner upgraded the contract again at 23:53:59 on December 12, 2023, with similar functionality, and continued stealing tokens after the upgrade. This attack may be a result of the Proxy Admin Owner's private key being leaked. Currently, the DEX Proxy has been removed from the trusted list.
Amount of loss: $ 2,700,000 Attack method: Private Key Leakage
Description of the event: Virtual Asset Platform HOUNAX Investigated for Fraud. On November 1, HOUNAX was placed by the Hong Kong Securities and Futures Commission (SFC) on a warning list of "Suspicious Virtual Asset Trading Platforms," which is designed to alert investors to risks. On November 29, Hong Kong police reported that 158 Hong Kong investors had been lured by the unlicensed platform HOUNAX and lost approximately HK$155 million ($19.83 million).
Amount of loss: $ 19,830,000 Attack method: Scam
Description of the event: HTX (formerly Huobi) and its related Heco Bridge were hacked for a combined $113.3 million.
Amount of loss: $ 113,300,000 Attack method: Unknown
Description of the event: Trader Joe, the largest native DEX on Avalanche, tweeted that the team's preliminary analysis identified a potential exploit in a 3rd party analytics plugin hacked JavaScript code used by the frontend.
Amount of loss: - Attack method: Malicious Code Injection Attack
Description of the event: DEX SpookySwap on Fantom tweeted that the team is investigating a frontend vulnerability on their domain. Please do not execute any transactions on the DEX. On November 19, Spooky updated that a 3rd party JavaScript plugin enabled code injection from npm packages. This enabled replacing the spooky router contract on the Spooky Fi frontend with a malicious contract which sent funds that users attempted to swap to the exploiter.
Amount of loss: $ 5,000 Attack method: Malicious Code Injection Attack
Description of the event: About $9m from the dYdX v3 insurance fund were used to fill gaps on liquidations processed in the YFI market, and the CEO said this was pretty clearly a targeted attack against dYdX, including market manipulation of the entire $YFI market.
Amount of loss: $ 9,000,000 Attack method: Price Manipulation
Description of the event: On November 10, the Poloniex exchange was hacked. According to the analysis of the SlowMist, the Poloniex hack currently affects about $130M.
Amount of loss: $ 130,000,000 Attack method: Unknown
Description of the event: On November 8, 2023, CoinSpot was exploited across two of its hot wallets, resulting in a loss of over 1,283 ETH, worth approximately $2.472 million.
Amount of loss: $ 2,472,000 Attack method: Private Key Leakage
Description of the event: Philippine exchange Coins.ph lost 12 million $XRP ($6 million) in a hack.
Amount of loss: $ 6,000,000 Attack method: Private Key Leakage
Description of the event: On October 10th, the BRC20 exchange platform Ordswap issued a tweet, stating that they had lost control of their website domain, and the issue appeared to be related to the website development and hosting company Netlify. They advised users not to access their website until they regained control of the domain. Ordswap users reported that the compromised website was redirecting users to phishing links.
Amount of loss: - Attack method: DNS Hijacking Attack
Description of the event: On September 24th, according to Definalist on Twitter, scammers had deposited fake APT tokens into South Korea's largest exchange, Upbit. After these fake tokens were deposited into numerous user accounts, many users proceeded to directly sell them. The only explanation for this situation is that Upbit's wallet system only checked the type and data and processed deposits and withdrawals.
Amount of loss: - Attack method: False top-up
Description of the event: On September 25th, Cyvers Alerts tweeted that a certain EOA address received 5000 ETH from HTX yesterday, and this morning, they noticed that HTX had conducted a hot wallet migration. It has been confirmed that one of HTX's hot wallets was compromised, resulting in a loss of 8.2 million USD, and the hacker's address has been disclosed. HTX has issued a public statement on the blockchain, addressing the hacker and offering a 5% white hat bonus if the stolen funds are returned by October 2nd; otherwise, they will transfer the information to law enforcement authorities for further action and to prosecute the hacker. Justin Sun also stated that HTX has fully covered the losses incurred from the attack and has successfully resolved all related issues. All user assets are safe and the platform is operating completely normally. On October 7, the HTX attackers returned 4,999 ETH (about $8.2 million) of the stolen funds.
Amount of loss: $ 8,200,000 Attack method: Unknown
Description of the event: On September 20th, the DeFi liquidity protocol Balancer fell victim to a DNS hijacking attack. Funds have been directed to an address starting with 0x6457, resulting in a total loss of approximately $350,000. The attacker’s fee came from the phishing group AngelDrainer. The attacker may be related to Russia.
Amount of loss: $ 350,000 Attack method: DNS Hijacking Attack
Description of the event: A massive suspicious withdrawal occurred on cryptocurrency exchange Remitano, with $2.7 million worth of cryptocurrency being withdrawn. Some blockchain analysts believe the exchange may have been hacked. Tether has frozen an address allegedly used by an attacker that held $1.4 million worth of cryptocurrency.
Amount of loss: $ 2,700,000 Attack method: Wallet Stolen
Description of the event: On September 13th, the Hong Kong Securities and Futures Commission issued a statement titled "Regarding Unregulated Virtual Asset Trading Platforms," stating that the virtual asset trading platform JPEX did not have a license from the Commission and had not applied for one. On September 14th, the JPEX community discovered that the withdrawal limit on the JPEX platform was only 1000 USDT, while the withdrawal fee was as high as 999 USDT, effectively preventing users from withdrawing their funds. As of October 3rd, the police have received reports from 2,467 victims, involving approximately HKD 1.522 billion in total.
Amount of loss: $ 194,337,178 Attack method: Scam
Description of the event: The cryptocurrency exchange CoinEx suffered a hacker attack. The cause of the incident was initially determined to be the leakage of hot wallet private keys. The damage caused is estimated to have reached US$70 million, and the impact has affected multiple blockchains. CoinEx tweeted that it had identified and quarantined suspicious wallet addresses related to the hack and that deposit and withdrawal services had been suspended. On September 13, SlowMist found during the analysis process that CoinEx hackers were related to Stake.com hackers and Alphapo hackers. CoinEx hackers may be the North Korean hacker group Lazarus Group.
Amount of loss: $ 70,000,000 Attack method: Private Key Leakage
Description of the event: Stablecoin issuer Paxos admitted in a statement that the account that paid out nearly 20 BTC in fees in a single transaction in the early hours of September 11 belonged to the company. Paxos claims that end users have not been affected and all user funds are safe. The announcement comes after users on twitter speculated that PayPal could be responsible for the transaction, as analytics platform OXT identified relevant wallet accounts belonging to PayPal. A Paxos spokesperson said: "PayPal takes no responsibility for this as this error was caused by Paxos itself. This transaction affected Paxos company operations, Paxos customers and end users were not affected, and all customer funds are safe. This was caused by a vulnerability in a single transfer, which has now been fixed. Paxos is contacting miners to recover the funds."
Amount of loss: $ 500,000 Attack method: Transfer Vulnerability
Description of the event: On September 7, crypto trust company Fortress said on twitter that its customers were affected by a "compromised third-party provider of cloud tools," but that there was no loss of funds. On September 13, Fortress Trust founder and CEO Scott Purcell said that the company lost $12 million to $15 million in cryptocurrencies in a recent hack, most of which was Bitcoin but two stablecoins. A small amount of USDC and USDT were also stolen, and the company immediately made up for the loss. "Of the 225,000 customers, only 4 customers were actually affected." Purcell repeatedly emphasized that the fault of the security breach lies with the third-party provider, not the Fortress Trust or the company's hosting partners Fireblocks or BitGo. The vendor has been identified as Retool, and Retool admitted that it was the victim of a phishing attack.
Amount of loss: $ 15,000,000 Attack method: Third-party Vulnerability
Description of the event: On August 7, 2023, Cypher, a Solana-based decentralized exchange, tweeted that it had been attacked. The attacker exploited a bug related to the mechanism involving segregated margin sub-accounts to attack Cypher's main contract, causing it to eventually withdraw more funds than initially deposited, leading to a bad debt in the system. The attacker stole 15,452 SOL, 149,205 USDC, and other tokens for a loss of over $1 million. The attacker’s address is suspected to be HHm4wK91XvL3hhEC4hQHo544rtvkaKohQPc59TvZeC71. On August 18, Cypher stated that approximately $600,000 has been frozen on various centralized exchanges (CEXs), and the return of these funds will depend on the cooperation of these CEXs and seizure orders issued by law enforcement agencies.
Amount of loss: $ 1,000,000 Attack method: Contract Vulnerability
Description of the event: Some community users reported that the encrypted exchange named ZT Global was suspected of running away. Since the announcement of system upgrade and maintenance on July 28, transactions on the platform have been disabled. The TG channel has been banned and the founder cannot be contacted. At 21:00 on July 31, the exchange announced that it had completed maintenance and resumed trading functions, but the trading page showed that only 0.0006 BTC ($17) of buying orders pushed up the price of BTC on the platform and maintained it at 60,000 The price of USD and ETH also fluctuated violently in the case of tens of dollars of trading volume.
Amount of loss: - Attack method: Rug Pull