Network of fake Twitter accounts impersonating crypto security firms phish panicked victims

A screenshot of Twitter's trending topics sidebar, showing that #OpenSeaSecurityBreach, #OpenSeaHackAlert, and #CryptoSafetyConcerns were trendingTwitter trending topics on November 14 (attribution)
On the evening of November 14 I logged on to Twitter to notice that #OpenSeaHackAlert and related hashtags were trending. But they were trending not because OpenSea had truly been hacked, but because a huge network of fake accounts with usernames similar to those of PeckShield, CertiK, and zachxbt — well-known accounts that alert crypto traders to possible scams — were spamming the hashtag. Hoping to spark panic into crypto holders who had used the popular service, as well as other services like Uniswap which they were claiming were breached, the phishers shared links to sites that would supposedly help users revoke access to their wallets by those services, securing their assets. Instead, however, those malicious sites would drain the wallets.

According to researcher zachxbt, who himself was one of the impersonated, the scammers have stolen more than $300,000 in various assets using this technique.

This is not the first time such a technique has been used — a scammer attempted a similar, though less successful, scheme in April 2022. Scams like this take advantage of the poor UX in the crypto world for tracking and revoking wallet permissions that have been granted, requiring people to use third-party websites created for this purpose. Some of them are legitimate, but there are many malicious copies of these revocation sites that prey upon users who may be acting quickly in fear that their assets are at risk.

Up to $1 billion stored in early Bitcoin wallets may be at risk due to "Randstorm" vulnerability

While trying to help a Bitcoin holder who lost their password, researchers at Unciphered discovered a major flaw in the way early Bitcoin wallets had been created. Thanks to a flaw in an open source software library called BitcoinJS, which was later incorporated into many wallet software projects to generate Bitcoin wallets with random keys, wallets created prior to 2016 may be vulnerable to cracking. Wallets created before March 2012 are at particular risk, as the roughly 6% of those that are vulnerable (and which hold a combined ~55,000 BTC, or ~$100 million) could be cracked without requiring major computing resources.

Unciphered worked with various wallet providers to contact people whose wallets may be vulnerable, though ultimately it is up to those wallet holders to secure their funds by creating new wallets and transferring their tokens. Unciphered also noted that some Dogecoin, Litecoin, and Zcash wallets may be vulnerable due to shared code.

Wallet drainer steals more than $60 million in six months

A wallet drainer service has facilitated the theft of more than $60 million in various assets from almost 100,000 victims since May 2023. According to research group ScamSniffer, the drainer has recently started using functionality in the Ethereum network called CREATE2 to generate new addresses for each malicious signature. This allows the drainer to sidestep security alerts built into some crypto wallet software that would flag known malicious addresses.

ScamSniffer identified one victim who lost almost 17,000 GMX (~$927,000) to this drainer after signing a malicious transaction.

Wallet linked to Binance deployer loses $27 million in apparent hack

An attacker apparently stole $27 million in the Tether stablecoin from a wallet that had just withdrawn the funds from their Binance account. The hacker quickly converted the funds to evade attempts at freezing the stolen assets.

Crypto researcher zachxbt observed that the wallet targeted for the theft had in 2019 received a transfer from the Binance deployer, suggesting that the compromised wallet may have some ties to Binance itself.

Raft exploited for $3.3 million, then hacker screws up

An attacker exploited the Raft defi project after finding a vulnerability that allowed them to mint 6.7 million of Raft's R stablecoin without any backing.

The attacker then went to convert the R into ETH, which they would then be able to launder and cash out. However, an error in the attacker's code caused 1,570 ETH ($3.25 million) to be sent to the burn address, rendering it permanently inaccessible to everyone including the hacker. Only 7 ETH remained. However, because they had to spend ETH to fund the attack, the hack ultimately resulted in a loss of 4 ETH (~$8,000) for the perpetrator. Oops.

As a result of the hack, the R stablecoin lost its dollar peg, plummeting down to around $0.70. Raft acknowledged the attack and announced that they had paused minting.

Poloniex hacked for more than $120 million

Assets including Bitcoin, Ethereum, and Tron's TRX token, priced at more than $126 million, were stolen from Justin Sun's Poloniex cryptocurrency exchange. Researchers are still homing in on the exact amount of funds that were stolen from the company's hot wallets across multiple blockchains, but suffice to say it's a lot.

Poloniex was initially tight-lipped, posting on Twitter that they had "disabled for maintenance" an exchange wallet. Justin Sun later updated that they were investigating the "hack incident", and promised to "fully reimburse" the massive theft... somehow. He later tweeted that they would offer a 5% "bounty" to the hacker if they returned the funds within a week, threatening to "engage law enforcement" otherwise.

CoinSpot exchange exploited

The Australian cryptocurrency exchange CoinSpot appears to have been hacked for around 1,283 ETH (~$2.4 million). In two separate transactions, the ETH was transferred out of CoinSpot's hot wallet, then bridged to Bitcoin via Thorchain and another bridge.

Wintermute declares friendship over with Near Foundation and Aurora Labs after they refuse to send $11 million

"Public service announcement or 'how we are not really friends with Near Foundation and Aurora Labs going forward'", wrote Wintermute CEO Evgeny Gaevoy on Twitter. He launched into a thread accusing Near and Aurora of refusing to honor a previous agreement to facilitate the redemption of around 11.2 million USN, the de-pegged stablecoin of the Near network. Wintermute said they had helped FTX to sell that quantity of the USN tokens, providing them with dollars to disburse to creditors, under the belief that Near and Aurora would help them honor the USN redemptions at $1.

However, Near later decided it would not honor the redemption, accusing Wintermute of trying to pull off an arbitrage trade with the distressed asset. They also, somewhat curiously, claimed that the funds that were provided to Wintermute by the FTX estate may have been the tied to illegal activities. Aurora also described Wintermute's claims as "unfounded", and accused Wntermute of "tr[ying] to exploit the programme to profit from the purchase of distressed assets from the Alameda estate".

Wintermute has promised to "pursue all legal avenues" against the Near Foundation and Aurora Labs.

MEV bot exploited for almost $2 million

An MEV bot was exploited after an attacker discovered a vulnerability in its code that allowed anyone to call one of its functions that sold wBTC for wETH. Using a flash loan to imbalance a wETH/wBTC pool on Curve, the attacker then caused the bot to purchase wBTC at its inflated price. They then sold the wBTC for a profit. Altogether, the exploiter made off with 1,047 ETH ($1.975 million).

Arrests made in $300 million Indian crypto scam

Indian police have arrested around eighteen people, including four police officers, in connection with a $300 million cryptocurrency scam that affected around 100,000 people in Himachal Pradesh. Victims were invited to invest in a cryptocurrency called Korvio Coin (KRO), but later the scam incorporated other tokens as well. Around 5,000 government officials and around 1,000 police fell victim to the scam, with some themselves becoming promoters.

The scam was allegedly orchestrated by Subhash Sharma, who has not been apprehended. This particular fraud was uncovered in September, but has been ongoing since as long ago as 2018.

No JavaScript? That's cool too! Check out the Web 1.0 version of the site to see more entries.