Cryptohack Roundup: KyberSwap Hacker Demands Control
Also: Treasury Calls for Stronger Sanctions Powers; Aerodrome, Velodrome Hacks
Every week, Information Security Media Group rounds up cybersecurity incidents in the world of digital assets. This week, a KyberSwap hacker demanded total control, the U.S. Treasury called for additional tools to sanction crypto baddies, the Aerodrome and Velodrome DeFi platforms' front ends were hacked, a scam-as-a-service wallet drainer shut down, Indexed Finance thwarted hijacking attempts, the Hounax crypto exchange scam cost victims $18.9 million, and a record-breaking $3 million Bitcoin transaction fee was connected to a cold wallet hack.
KyberSwap Hacker Demands Control
The perpetrator of a $46 million crypto theft against KyberSwap demanded complete control over Kyber, temporary ownership of KyberDAO and access to company records. The hacker also demanded that Kyber surrender all on-chain and off-chain assets, stating that his "best offer" is valid until Dec. 10. The demand comes after the hacker complained about "threats, deadlines and general unfriendliness" from Kyber executives.
Kyber earlier proposed a bounty deal suggesting a 90% fund return in exchange for the hacker keeping the remaining 10%. The company threatened legal action and involved law enforcement.
The initial hack employed an infinite money glitch for a sophisticated smart contract exploit that affected KyberSwap pools across various networks including Avalanche, Polygon, Ethereum, Arbitrum, Optimism and Base Layer 2 networks.
US Treasury Calls for Additional Tools to Sanction Crypto Baddies
The same day that it announced the seizure of and sanctions against cryptomixer Sinbad, the federal government publicly urged Congress to grant additional authority to combat illicit actors in the digital asset industry. Deputy Treasury Secretary Wally Adeyemo called for the creation of a secondary sanction regime subjecting firms that continue to do business with a sanctioned firm to the same blacklisting from the U.S. financial system.
Adeyemo also said dollar-backed stablecoins outside the U.S. cannot "have the privilege of using our currency without the responsibility of putting in place procedures to prevent terrorists from abusing their platform."
Aerodrome, Velodrome DeFi Platforms' Front Ends Hacked
Decentralized finance platforms Aerodrome and Velodrome on Tuesday reported compromises to their front ends. Both platforms issued announcements on the social network formerly known as Twitter, cautioning users against interacting with the platforms during ongoing investigations. Crypto investigator ZachXBT tracked approximately $40,000 in stolen funds, tracing them to two wallet addresses.
DefiLlama data indicates Aerodrome has a total locked value of approximately $63 million and Velodrome holds more than $131 million. Aerodrome, developed by Velodrome Finance, is an automated market maker using the Base protocol.
Nigerian Politician Arrested for Crypto Wallet Heist
The Nigeria Police Force apprehended former electoral candidate Wilfred Bonse for alleged involvement in the theft of approximately $246,153 from Patricia Technologies' crypto wallet. According to Public Relations Officer Olumuyiwa Adejobi, Bonse is accused of assisting hackers in laundering $61,538 from the stolen funds. Bonse faces charges related to theft, conversion of cryptocurrency wallets and unauthorized fund diversion. The arrest is linked to the Patricia Technologies heist in May. Patricia Technologies has faced scrutiny after the hacking incident and has since introduced measures including the conversion of customer assets to its native Patricia Token for future repayment, according to local media reports.
Indexed Finance Thwarted Hijacking Attempts
Ethereum-based project Indexed Finance thwarted two hijacking attempts on its decentralized autonomous organization. Former core contributor Laurence Day shared the community's efforts in overcoming the attacks, in which both assailants aimed to control the DAO's approximately $120,000 in digital asset holdings through malicious proposals.
The first proposal, which had no title or description, was defeated with coordinated votes against it. The proposal came from North Korea, Day said. To prevent a potential copycat attack, the Indexed DAO approved a "poison pill" proposal, giving it the authority to burn the remaining funds if needed. The anticipated second attack involved negotiations, in which the attacker initially sought 50% of the treasury. After a warning about burning the entire treasury, the attacker accepted an offer of $10,000 worth of Dai cryptocurrency. The DAO's control will now return to its founders, who plan to compensate victims of a 2021 hack with the remaining treasury funds.
Scam-as-a-Service Wallet Drainer Shuts Down
Inferno Drainer, a crypto wallet-draining service, announced its permanent shutdown after aiding phishing scammers in pilfering almost $70 million in crypto this year. The team declared on Telegram that it's "time to move on." Operating since early 2023, Inferno Drainer, like its predecessor Monkey Drainer, took a 20% cut of users' stolen funds. Web3 anti-scam platform Scam Sniffer calculates Inferno Drainer has stolen nearly $70 million from over 100,000 victims since February.
Hounax Scam Costs $18.9 Million
Hong Kong authorities disclosed Monday that 145 users have fallen victim to a scam orchestrated by the unlicensed cryptocurrency exchange Hounax, resulting in a loss of approximately $18.9 million. The Hong Kong Securities and Futures Commission received 18 complaints by Nov. 27, ranging from $1,539 to $1.2 million, according to local media. Hounax falsely claimed to be licensed and established ties with legal financial institutions. This incident follows the JPEX exchange scandal in Hong Kong earlier in the year, which prompted regulators to tighten crypto regulations.
Record $3M Bitcoin Transaction Fee Connected to Cold Wallet Hack
A Bitcoin user claiming to be the victim of a recent record-breaking $3 million transaction fee has alleged a hack. The user, who accidentally paid an 83.65 BTC fee worth more than $3.1 million, created a new account, @83_5BTC, and stated that 139 BTC had been transferred to a new cold wallet and was then immediately moved to some other wallet. The user suggested a script with a peculiar fee calculation might have been running on the wallet. Verification by developers, including Mononaut and Casa co-founder Jameson Lopp, authenticated the user's ownership of the funds. The incident likely resulted from a low-entropy wallet, making it susceptible to hacking. The fee paid was precisely 60% of the total stolen funds, indicating an automated script strategy. Mononaut advised against entropy shortcuts and recommended using multisig for large sums.