Cryptohack Roundup: Tornado Cash Sees Uptick in Use
Also: WazirX Updates; Fractal ID Breach

Every week, Information Security Media Group rounds up cybersecurity incidents in digital assets. This week, Tornado Cash saw an uptick in use, updates on the WazirX exploit were released, Fractal ID and LI.FI published breach postmortems, and the U.S. moved to recover pig-butchering losses.
Tornado Cash
Cryptomixer Tornado Cash saw an increase in deposit volumes during the first half of this year, despite being tangled up in U.S. sanctions and legal challenges. Data from Flipside Crypto indicates that users deposited $1.9 billion in the first half of the year, marking a 50% increase over total deposits in 2023.
The U.S. Office of Foreign Assets Control sanctioned Tornado Cash in August 2022, after North Korea's Lazarus Group used the platform to launder $455 million in stolen cryptocurrency. The designation bars U.S. persons from transacting with the listed addresses, and compliant crypto exchanges in turn screen out wallets that have interacted with them.
Tornado Cash nevertheless remains popular among hacking groups that need a method for concealing stolen funds. Arkham Intelligence said that since May, the hacker behind the $100 million Poloniex exchange exploit transferred $76 million to Tornado Cash. And Heco Bridge and Orbit Chain hackers moved $166 million and $48 million, respectively, to the mixer. More recently, a wallet linked to the $235 million WazirX hack was funded through the service.
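The sanctions-screening step that keeps a mixer-funded wallet off a compliant exchange is, at its core, a graph walk: trace a deposit's funding sources backwards and stop at the first sanctioned address. The following is an added illustration written for this roundup, not code from ISMG, OFAC or any exchange. The sanctioned set, the transfer ledger, the placeholder addresses and the hop limit are all constructed; real screening runs against full chain data and the published SDN addresses.

```python
"""Added illustration: screen a deposit for exposure to sanctioned addresses by
walking the transfer graph backwards (breadth-first over inbound transfers).

Everything below (addresses, amounts, hop limit) is constructed for the example.
"""
from collections import deque

# Constructed sanctioned set (placeholder labels, not real SDN entries)
SANCTIONED = {"0xmixer01"}

# Constructed transfer ledger: (from_addr, to_addr, amount_eth)
TRANSFERS = [
    ("0xmixer01", "0xhop1", 100.0),
    ("0xhop1", "0xhop2", 60.0),
    ("0xhop2", "0xdeposit_a", 30.0),
    ("0xclean1", "0xdeposit_b", 5.0),
    ("0xclean2", "0xhop2", 40.0),
]


def build_inbound_index(transfers):
    """Map each address to the list of (sender, amount) pairs that funded it."""
    inbound = {}
    for src, dst, amt in transfers:
        inbound.setdefault(dst, []).append((src, amt))
    return inbound


def sanctions_exposure(address, transfers, sanctioned, max_hops=3):
    """Return (hops, path) to the nearest sanctioned funding source within
    max_hops, or None if none is reachable. BFS over inbound edges, so the
    shortest path is found first; 'seen' prevents cycling through
    peel-chain loops."""
    inbound = build_inbound_index(transfers)
    queue = deque([(address, 0, [address])])
    seen = {address}
    while queue:
        addr, depth, path = queue.popleft()
        if addr in sanctioned:
            return depth, path
        if depth == max_hops:
            continue
        for src, _amt in inbound.get(addr, []):
            if src not in seen:
                seen.add(src)
                queue.append((src, depth + 1, path + [src]))
    return None


def screen_deposit(address, transfers, sanctioned, max_hops=3):
    """Policy decision for an incoming deposit: 'block' on direct interaction
    with a sanctioned address (one hop), 'review' on indirect exposure within
    the hop limit, 'allow' otherwise. Thresholds are illustrative."""
    hit = sanctions_exposure(address, transfers, sanctioned, max_hops)
    if hit is None:
        return "allow"
    hops, _path = hit
    return "block" if hops == 1 else "review"


if __name__ == "__main__":
    for dep in ("0xdeposit_a", "0xdeposit_b", "0xhop1"):
        print(dep, screen_deposit(dep, TRANSFERS, SANCTIONED),
              sanctions_exposure(dep, TRANSFERS, SANCTIONED))
```

The hop limit is the policy knob: with `max_hops=2` the three-hop path from the mixer to `0xdeposit_a` is not found and the deposit is allowed, which is exactly the laundering pattern (peel chains of intermediate wallets) the roundup describes. Production screening also weighs amounts and the share of funds that is tainted, which this example omits.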
WazirX Updates
The hacker responsible for the $235 million WazirX exploit converted about $150 million of altcoins into Ether, bringing the total stolen funds held in Ether to $201 million, said blockchain analytics firm Spot On Chain. The hacker also transferred $57 million worth of stolen funds to two new cryptocurrency addresses, said blockchain security firm PeckShield.
WazirX has halted withdrawals after the security breach wiped out nearly half of its reserves, and it reportedly launched two bounty programs for on-chain investigators. The track and freeze bounty offers up to $10,000 in Tether for information that leads to the freezing of stolen funds, while the white hat recovery bounty offers ethical hackers up to 10% of the recovered amount, recently doubled to $23 million after community feedback.
Elliptic said that the techniques and patterns used in the WazirX attack suggest that North Korean hackers were behind the heist.
Fractal ID Breach Postmortem
Decentralized identity startup Fractal ID published a postmortem of a July 14 data breach that affected about 6,300 users, or 0.5% of its database, compromising names, email addresses, phone numbers, wallet addresses, physical addresses, images and uploaded documents. The Berlin company's website says it provides compliance for crypto protocols such as Polygon, Ripple and Near and serves over 250 clients. The breach occurred through a compromised employee account with administrator access, allowing the hacker to bypass internal data privacy systems, Fractal said. It stopped the attack within 29 minutes through an automated system.
The attackers demanded a ransom, but the company said it declined to pay and notified affected users. It has put in place security measures such as restricting sensitive data access and blocking login attempts from unknown IP addresses.
The compromised machine was infected in September 2022 by the Raccoon info stealer malware, the postmortem says. The employee never changed the password stolen at that time, so the credentials were still valid nearly two years later and let the attackers log in to the administrator account. Fractal ID said the breach was not due to a software vulnerability but to a lapse in operational security policies.
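The two controls Fractal ID says it added after the breach, refusing logins from unknown IP addresses and restricting access to sensitive data, can be expressed as a policy check run over login events. The following is an added illustration written for this roundup and is not Fractal ID's code; it assumes a constructed allowlist of admin networks, a constructed per-user "known compromise" date (the kind of signal a leaked-infostealer-log feed provides), a 90-day rotation threshold and constructed login events. It goes slightly beyond the postmortem by also rejecting credentials that predate a known infection, which is the check that would have caught a password stolen in 2022 and reused in 2024.

```python
"""Added illustration (not Fractal ID's code): evaluate admin login attempts
against an IP allowlist, an MFA requirement, a credential-age limit and a
per-user known-compromise date. All data below is constructed for the example.
"""
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed policy: networks from which admin logins may originate
ADMIN_ALLOWED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("10.0.0.0/8")]
MAX_CREDENTIAL_AGE_DAYS = 90

# Constructed: date on which a user's endpoint is known to have been
# compromised (e.g. an infostealer infection seen in leaked logs). Any
# credential set on or before that date is treated as in the attacker's hands.
KNOWN_COMPROMISE = {"alice": date(2022, 9, 15)}

# Constructed login events: (user, role, source_ip, password_set_on, mfa_passed)
EVENTS = [
    ("alice", "admin", "203.0.113.7", date(2022, 3, 1), True),   # stale password, office net
    ("alice", "admin", "198.51.100.9", date(2024, 6, 1), True),  # rotated, but unknown IP
    ("bob",   "admin", "10.1.2.3",     date(2024, 6, 1), False), # known IP, no MFA
    ("carol", "admin", "10.1.2.4",     date(2024, 6, 1), True),  # should pass
    ("dave",  "user",  "198.51.100.9", date(2023, 1, 1), True),  # non-admin: IP/MFA rules not applied
]


def ip_allowed(source_ip):
    """True if the source address falls inside an allowlisted admin network."""
    addr = ip_address(source_ip)
    return any(addr in net for net in ADMIN_ALLOWED_NETWORKS)


def evaluate_login(event, today=date(2024, 7, 14)):
    """Return ("allow", []) or ("deny", [reasons]) for one login event.
    'today' defaults to the breach date in the postmortem so ages are stable."""
    user, role, source_ip, password_set_on, mfa_passed = event
    reasons = []
    # Admin-only controls: source network and MFA
    if role == "admin" and not ip_allowed(source_ip):
        reasons.append("admin login from unknown IP")
    if role == "admin" and not mfa_passed:
        reasons.append("admin login without MFA")
    # Applies to everyone: rotation age and known-compromise cutoff
    if (today - password_set_on).days > MAX_CREDENTIAL_AGE_DAYS:
        reasons.append("credential older than rotation policy")
    compromised_on = KNOWN_COMPROMISE.get(user)
    if compromised_on is not None and password_set_on <= compromised_on:
        reasons.append("credential predates known compromise")
    return ("deny", reasons) if reasons else ("allow", [])


if __name__ == "__main__":
    for ev in EVENTS:
        print(ev[0], ev[2], evaluate_login(ev))
```

The point of the known-compromise check is that it is independent of password age: a credential rotated the day before the infection is as burned as one set years earlier, so the cutoff is a date comparison, not an age threshold.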
Gnosis Pay, one of the affected companies, reportedly first alerted users to the data breach, before Fractal ID published its statement.
LI.FI Hack Postmortem
Cross-chain blockchain protocol LI.FI blamed human error during a smart contract update for the loss of nearly $12 million in a hack. The report says that the vulnerability arose from improper validation of transactions due to a flaw in how the protocol interacted with a shared LibSwap code library, caused by human oversight during deployment. Security firm Decurity earlier said that an update to one of LI.FI's smart contracts was the root cause.
LI.FI said it is focused on recovering user funds and is working with law enforcement and web3 security firms, requesting affected users to file a form for direct assistance.
Recovering Pig-Butchering Losses
The United States Attorney's Office for the District of Columbia has filed a civil forfeiture action to recover $2.5 million in cryptocurrency lost to pig-butchering scams. The action aims to reclaim funds that the FBI seized from scammers running an investment scam in Thailand. A civil forfeiture allows the U.S. government to seize assets obtained through illicit activities.