Cryptohack Roundup: $100 Million Atomic Wallet HeistAlso: Floating Point Group, Sturdy Finance, Hashflow Hacked
Every week, Information Security Media Group rounds up cybersecurity incidents in the world of digital assets. This week, Atomic Wallet, FPG, Sturdy Finance and Hashflow suffered hacks involving millions of dollars, hackers phished followers of popular Twitter accounts and an Australian bank wanted to limit crypto use.
North Korea's Lazarus Group stole more than $100 million from Atomic Wallet, marking the threat actor's first major known attack this year, Elliptic said in a June 6 report (see: Cryptohack Roundup: Court Summons for Binance Chief).
The Pyongyang threat group compromised at least 5,500 wallets in the attack. The noncustodial decentralized wallet service has not yet disclosed the root cause of the attack. Atomic Wallet on June 3 said "less than 1%" of its users had been affected.
Elliptic said it recovered $1 million of the stolen funds so far, which prompted the hacker to begin laundering funds via U.S.-sanctioned Russian exchange Garantex. The hacker on Thursday resumed laundering activity, using a process similar to the one used in last year's $100 million Harmony hack, MistTrack said.
Floating Point Group
Floating Point Group suspended operations on Sunday out of an "abundance of caution" after a hacker stole at least $15million to $20 million from the crypto brokerage firm, according to a Wednesday tweet. The company said that to prevent further attacks, it locked out all third-party accounts and migrated wallets until the full scope of the incident has been made clear.
"To the exploiter: as we have seen with recent hacks, exploits are not as easy to escape from as they used to be. That said, we are willing to offer you $100k as a bounty, and will not pursue you further if you send the remaining funds to 0x4e489d9863c9bAAc6C4917E1221274760BA889F5," the company's 23-year-old founder Sam Forman wrote in a tweet.
The unknown attack exploited a vulnerability in Sturdy Finance's code to manipulate the price of cryptocurrency on the platform and siphon off coins at an inflated value. Sturdy Finance halted operations after the incident and said that no other funds had been placed at risk.
A hacker exploited a smart contract vulnerability to steal at least $600,000 from trading firm Hashflow in a Wednesday hack, PeckShield said. The bug is likely in the platform's bridge contract - a service the trading firm offers to help customers swap coins between multiple blockchains. The company acknowledged the theft, saying that it will make the victims whole and that its decentralized exchange was "in no way impacted and remains fully operational." In a turn of events, it appears that a white hat hacker siphoned off the funds, but Hashflow did not confirm that claim.
Hackers Hack Popular Public Figures to Phish Crypto Users
Scammers have hacked into Twitter accounts of eight popular public figures, including OpenAI CTO Mira Murati and crypto critic Peter Schiff, to promote phishing scams and steal $1 million, blockchain sleuth ZachXBT said in a tweet. “While the majority of these attacks were the result of a SIM Swap, it seems other accounts were potentially stolen with a panel,” he said in a Friday Twitter thread, referring to a Twitter administrator's panel. The hacked accounts include Pudgy Penguins founder Cole Villemain, NFT collector Steve Aoki and Bitcoin Magazine editor Pete Rizzo.
Commonwealth Bank of Australia
The Commonwealth Bank of Australia wants to make it tougher for the country's citizens to send money to crypto exchanges, due to scams associated with the industry. “With the incidences of scams increasing and in many cases customers suffering significant losses from being scammed, the introduction of 24-hour holds, declines and limits on outbound payments to cryptocurrency exchanges will help reduce both the number of scams and the amount of money lost by customers," said James Roberts, general manager of group fraud management services at Commonwealth Bank. The bank looks to cap the amount Australians can send to a crypto exchange at AUD $10,000 per month.