Cryptohack Roundup: Merlin, Kucoin, Trust and UniSat Wallet
Also: Indictments Against DPRK Money Launderers; UK Urged to Improve Crypto Seizure
Every week, Information Security Media Group rounds up cybersecurity incidents in the world of digital assets. In the days between April 21 and April 27, hackers stole $1.8 million from Merlin, $22,638 from Kucoin and $170,000 from Trust Wallet users. Attackers targeted UniSat Wallet a day after its launch, the U.S. indicted two men for laundering crypto stolen by North Korean hackers, and a U.K. parliamentary panel heard plans to improve its digital assets seizure abilities to curb cybercrime.
A hacker on Wednesday allegedly stole $1.82 million from decentralized exchange Merlin immediately after its code was audited by CertiK. The auditing company said its initial probe suggests that the hack was likely due to a private key management issue and not necessarily a code exploit. DeFi exchange eZKalibur claimed to have identified the malicious code.
A 45-minute compromise of Kucoin's Twitter handle on Monday led to users losing about $22,638 in digital assets after they interacted with fraudulent tweets on the page. "Kucoin will fully reimburse all verified asset losses caused by the social media breach and the fake activity," it said after regaining access to the Twitter account. The company said it was investigating the incident and added that the exchange remained secure.
Trust Wallet on Saturday said it patched a security vulnerability that had led to its users losing nearly $170,000, secured "most at-risk funds" and is set to reimburse customers whose funds were stolen. The bug, discovered by a bounty hunter in one of the company's open-source libraries, only affected wallet addresses generated between Nov. 14 and 23, 2022.
Hackers launched double-spend attacks - which allow perpetrators to spend the same digital token twice - on UniSat Wallet by exploiting a vulnerability in its codebase. "During our testing last week, we simulated different approaches to double-spend attacks and made improvements and enhancements to the code. Unfortunately, certain problems were still exposed in the initial public version," UniSat Wallet said on Monday. The attack took place within a day of the wallet's launch. The company did not specify how much the attacker had stolen but said it will compensate users who lost money. It also appears to have identified the hacker.
Alleged Money Laundering for DPRK
The U.S. on Monday unsealed indictments against Chinese and Hong Kong nationals Huihui Wu and Hung Man Cheng for their roles in channeling cryptocurrency stolen by North Korean hackers into hard currency and goods. An unsealed indictment accuses the cryptocurrency traders of converting virtual currency into fiat currency directly or by funneling converted stolen cryptocurrency into front companies that used the money to pay for goods such as tobacco and communications devices. Department of Treasury officials said Wu provided material support to Pyongyang threat actor Lazarus Group, while Cheng provided material support to Wu (see: US Indicts Chinese National for Laundering DPRK Crypto).
UK Urged to Boost Crypto Asset Seizure Skills
The United Kingdom should augment its cryptocurrency asset seizure abilities as part of an effort to combat ransomware and other cybercrime, a parliamentary panel heard. Lagging seizure abilities are a roadblock to identifying and disrupting activities of ransomware hackers who launder extortion payments through cryptocurrencies, said Aidan Larkin, CEO of Asset Reality, a London-based asset recovery firm. Larkin testified Monday before Parliament's Joint Committee on the National Security Strategy. The committee in October opened an inquiry into ransomware (see: UK Urged to Beef Up Seizures of Criminal Crypto).