Cryptohack Roundup: Euler Finance, SafeMoon, BitKeep
Also: A Failed Hack, Self-Funding APT Group and Adaptable Crypto Criminals
Every week, Information Security Media Group rounds up cybersecurity incidents in the world of digital assets. In the days between March 24 and March 30, SafeMoon lost $9 million in a hack, the Euler Finance hacker returned $177 million of the stolen $200 million, hackers used Clipper malware, BitKeep compensated victims of its December exploit amid a funding round-led rebrand, and a hacker unsuccessfully attempted to drain Swerve Finance funds. Also, THORChain continues to function despite a verified vulnerability in its code, APT43 hackers are stealing cryptocurrency to fund their own upkeep, threat actors are repurposing malware traditionally used in banking Trojans to attack crypto users, and ParaSpace resumes operations and increases its bug bounty reward after a cyberattack.
A hacker drained nearly $9 million from BNB chain-based exchange SafeMoon on Tuesday, taking advantage of a recent buggy update. The attacker exploited a public burn bug, PeckShield said: the hacker used it to artificially inflate the price of a specific token and then sold enough tokens back in the same transaction to make off with the funds.
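To show why a burn function that anyone can call against any account is dangerous for a token paired in a liquidity pool, here is an added illustration in Python. It is not SafeMoon's contract or PeckShield's analysis; the pool, token, balances and the names `Token`, `Pool` and `run_scenario` are all hypothetical. The toy pool is a fee-less constant-product market that prices against live balances, and the same scenario is run twice: once with a burn that skips the authorization check, and once with the hardened burn that only lets a holder burn its own tokens.

```python
"""Added illustration (not SafeMoon's code or PeckShield's analysis): a toy
constant-product pool paired with a token whose burn() can be called by anyone
against any account, next to the hardened variant. All names and numbers are
made up for the example."""


class Unauthorized(Exception):
    """Raised when the hardened token refuses a burn on someone else's balance."""


class Token:
    def __init__(self, balances, restrict_burn):
        self.balances = dict(balances)
        self.restrict_burn = restrict_burn

    def burn(self, caller, account, amount):
        # Hardened variant: a caller may only burn tokens it holds itself.
        # The weak variant skips this check, which is the "public burn" pattern:
        # anyone can shrink the pool's token reserve and so inflate the price.
        if self.restrict_burn and caller != account:
            raise Unauthorized(f"{caller} may not burn from {account}")
        if self.balances.get(account, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[account] -= amount

    def transfer(self, sender, recipient, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount


class Pool:
    """Constant-product pool (x * y = k) quoting from live balances, no fee."""

    NAME = "pool"

    def __init__(self, token, base_reserve):
        self.token = token
        self.base_reserve = base_reserve  # quote asset, in smallest units

    def token_reserve(self):
        return self.token.balances[self.NAME]

    def sell_tokens(self, seller, amount):
        # Quote paid out = y * dx / (x + dx); the smaller x is, the more is paid.
        x = self.token_reserve()
        out = self.base_reserve * amount // (x + amount)
        self.token.transfer(seller, self.NAME, amount)
        self.base_reserve -= out
        return out


def run_scenario(restrict_burn):
    """Constructed setup: pool holds 1,000,000 tokens against 100 base units
    (18 decimals); 'trader' holds 100,000 tokens and tries to burn 900,000
    tokens out of the pool before selling. Returns (burn_allowed, base_received)."""
    token = Token({"pool": 1_000_000, "trader": 100_000}, restrict_burn)
    pool = Pool(token, base_reserve=100 * 10**18)
    try:
        token.burn(caller="trader", account="pool", amount=900_000)
        burn_allowed = True
    except Unauthorized:
        burn_allowed = False
    received = pool.sell_tokens("trader", 100_000)
    return burn_allowed, received


if __name__ == "__main__":
    for restricted in (False, True):
        allowed, got = run_scenario(restricted)
        print(f"restrict_burn={restricted}: burn allowed={allowed}, "
              f"base received={got / 10**18:.2f}")
```

With the check missing, the trader's 100,000 tokens fetch 50 base units instead of roughly 9.09, a fivefold difference funded by the pool's other depositors. The invariant an auditor wants to see on any burnable token that trades in an AMM is the one in the hardened branch: nobody can reduce a balance they do not own, including the pair contract's.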
Update on Euler Finance
A hacker who stole $200 million from Euler Finance returned $177 million to the decentralized finance protocol, promising to return the rest "ASAP."
"I only look after my safety, and that is the reason for the delay. I'm sorry for any misunderstanding," the hacker, who goes by the name Jacob, said in an on-chain message on Tuesday. Separately, Web3 security firm SlowMist said that the Euler Finance exploit was likely a failed attempt by the same hacker behind the Ronin Bridge attack and on Wednesday detailed the technical analysis behind its speculation.
Crypto-Stealing Clipper Malware
Hackers adopted a technique that banking Trojans have used for decades to steal funds and turned it on cryptocurrency users, Kaspersky said on Tuesday. Attackers are deploying malware disguised as the Tor browser and have stolen $400,000 so far in 2023. The malware, which replaces a user's wallet address in their clipboard with the cybercriminal's own wallet address, has victimized more than 15,000 users across 52 countries.
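A clipper works by swapping one address-shaped string for another between the user's copy and paste, so one host-side detection heuristic is to watch the clipboard and flag a change from one address to a different address of the same format within a short window. The following Python is an added example, not Kaspersky's research or any product's detection logic: the `detect_clipper` function, the two-second window, and the polled clipboard samples are all constructed for the illustration, and the address regexes only check shape, not checksums.

```python
"""Added example (not from the article or Kaspersky): a clipboard-history
heuristic that flags one crypto address being replaced by another of the same
kind within a short window, which is what a clipper does between copy and paste."""
import re
from dataclasses import dataclass

# Shape-only patterns (no checksum validation); enough to classify clipboard text.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{39,59}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text):
    """Return the address kind the text looks like, or None."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


@dataclass(frozen=True)
class Alert:
    at: float          # time the replacement was observed
    kind: str          # address format involved
    original: str      # what the user had copied
    replacement: str   # what it silently became


def detect_clipper(samples, window=2.0):
    """samples: (timestamp_seconds, clipboard_text) pairs from a poller, in order.

    An alert is raised when an address is replaced by a different address of the
    same kind within `window` seconds of first appearing. A person rarely copies
    two distinct addresses of one format that quickly; a clipper does it in
    milliseconds, right after the user's copy."""
    alerts = []
    prev_text, since = None, None
    for t, text in samples:
        if prev_text is None:
            prev_text, since = text, t
            continue
        if text == prev_text:
            continue
        kind_prev, kind_new = classify(prev_text), classify(text)
        if kind_prev is not None and kind_prev == kind_new and t - since <= window:
            alerts.append(Alert(t, kind_new, prev_text.strip(), text.strip()))
        prev_text, since = text, t
    return alerts


# Constructed clipboard samples polled every 0.5 s; addresses are made up.
USER_ETH = "0x" + "a1" * 20
SWAPPED_ETH = "0x" + "b2" * 20
USER_BTC = "bc1q" + "x" * 38
LATER_BTC = "bc1q" + "y" * 38
SAMPLES = [
    (0.0, "meeting notes"),
    (0.5, USER_ETH),      # user copies their own address
    (1.0, SWAPPED_ETH),   # half a second later it is a different address: suspicious
    (1.5, SWAPPED_ETH),
    (10.0, USER_BTC),     # different format from the previous content: not flagged
    (40.0, LATER_BTC),    # same format, but 30 s later: ordinary user activity
]


if __name__ == "__main__":
    for alert in detect_clipper(SAMPLES):
        print(f"t={alert.at}s {alert.kind}: {alert.original} -> {alert.replacement}")
```

A real monitor would feed `detect_clipper` from the OS clipboard API on a timer; the heuristic is deliberately narrow (same format, short window) to keep false positives low, and the user-facing mitigation is the one every wallet guide already gives: compare the pasted address with the intended one before sending.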
Multichain wallet BitKeep on Wednesday said it fully compensated victims of the $8 million December exploit, in which a hacker swapped a legitimate app update with a malicious APK to steal funds from users. It will continue to process "irregular" claims beyond the 11,090 affected wallets made whole again, it said. In the aftermath of a $30 million investment, BitKeep will now be rebranded as Bitget Wallet and will have access to a $300 million fund to compensate users in case of future security events.
Theft Fail at Swerve Finance
A hacker tried unsuccessfully to drain funds from Swerve Finance for more than a week, according to a Saturday tweet from Igor Igamberdiev, head of research at Web3 security firm Wintermute. He said that the hacker attempted to deploy a governance attack in which he would gain enough voting power to pass proposals allowing him to steal about $1.3 million worth of crypto tokens from the platform. The alleged hacker, whom Igamberdiev identified as joaorcsilva, replied to the tweet thread, claiming that he had only been trying to secure the funds to hide them from other potential exploiters. Swerve Finance did not issue a statement on the incident.
A security vulnerability forced cross-chain liquidity protocol THORChain to pause its network for a few hours on Tuesday. It resumed functioning when the company said it was confident that the bug could not be exploited at the moment. Its security head provided the technical details of how the vulnerability was not a threat and asked users to stand by for more information.
North Korean threat actors are stealing cryptocurrency to fund their own upkeep under an apparent mandate from Pyongyang to be self-sufficient, threat intel firm Mandiant said. The firm on Tuesday said that it has spotted a group it dubs APT43 laundering stolen digital assets through rented cryptocurrency mining services. The group, which overlaps with activity attributed to North Korean groups Kimsuky or Thallium, is primarily a cyberespionage operation.
Update on ParaSpace
Non-fungible token lending project ParaSpace resumed transactions on its protocol on Saturday, a week after it halted operations to recover from the March 17 cyberattack. It has partnered with security firm BlockSec and increased the reward for spotting critical bugs from $20,000 to $200,000.