$2 billion stolen in half a year, hackers and regulators are eyeing Web3

Author | Xue Xiaowan

Editor | Zheng Xuan

Web3 has been in a lot of turmoil this month.

In early August, wallets on the star public chain Solana were drained. More than 9,000 wallet addresses were hit, with losses of roughly 4 million US dollars. The incident triggered a wave of panic among users and plunged Solana into a crisis of confidence.

A few days later, the cryptocurrency mixer Tornado Cash was placed on a sanctions list by the Office of Foreign Assets Control (OFAC), an agency of the U.S. Department of the Treasury. The listing covered more than 40 Ethereum addresses associated with the Tornado Cash protocol, and over $400 million in assets were frozen.

Coin mixers, marketed as privacy services, have always had a controversial reputation in the crypto community. The largest of them, Tornado Cash, is even nicknamed the “den for fencing dirty coins”.


After Tornado Cash was sanctioned by the U.S. Treasury, the price of its token dropped significantly. |Source: business2community.com

The sanction means that U.S. persons, whether individuals or entities, may no longer transact with the Tornado Cash platform or its listed wallet addresses. Based on past cases, violations can draw fines of more than $300,000 and prison sentences of up to 30 years.

Then foreign media revealed that a 29-year-old Tornado Cash developer had been arrested in Amsterdam, the Netherlands. Dutch authorities said Tornado Cash was suspected of concealing illicit capital flows and facilitating money laundering, and that it had been under investigation since June this year.

The sanctioning of Tornado Cash split the crypto industry into camps. Some publicly voiced their dissatisfaction, arguing that the U.S. Treasury had overstepped its bounds and violated the privacy and freedom of American citizens; others moved quickly to comply, and Circle, the issuer of the stablecoin USDC, promptly froze the assets in Tornado Cash-related wallet addresses.

Web3 is facing the most severe security test and censorship pressure since its rise. Asset losses in the Web3 space in the first half of 2022 amounted to approximately $2 billion, more than the total losses from hacks for all of last year. The chain reaction is that the reach of regulatory enforcement keeps growing longer.

In the popular understanding, Web3, with its emphasis on decentralization, should offer stronger security and privacy, yet it is now being targeted by both hackers and regulators. The crypto world is going through turbulent times that will shape its future.

Hackers Heist Solana: A Still-Unsolved Case

It has been more than half a month since Solana was hacked, and officials still have not released a final investigation result.

According to data provided by the Solana Foundation, nearly 60% of affected users were using the Phantom wallet and about 30% of the addresses belonged to the Slope wallet. According to the analysis of the SlowMist security team, both the iOS and Android versions of the apps have corresponding victims.

Three days after the incident, Slope posted an official wallet address on Twitter and stated that it had been working with law enforcement and intelligence firms to track the stolen assets; if the hackers were willing to return them, they could keep a 10% bounty. “Once these funds are recovered, we will not pursue further investigations or take any legal action.”

The Slope team gave the hackers 48 hours to return the assets, but the bounty offer went unanswered.


Slope Wallet’s official bounty offer to the hackers. |Source: Twitter

Liu Lixin, founder of the hardware wallet Keystone, still remembers that on the day of the incident he was pulled into a “war room” with more than 100 white hat hackers, where security experts discussed how the incident might have unfolded.

“The initial guess was that a certain NFT project was attacked collectively.” Liu Lixin recalled that, judging by the number of hacked wallet addresses, eight or nine thousand is a typical mint size for a single NFT project, so the first suspicion was that some NFT project team had acted maliciously, for example by obtaining malicious authorizations.

But this theory was quickly dismissed. Security technicians found that several of the theft transactions had been signed with the victims’ own private keys rather than executed through a bad authorization. The next theories about the cause included a supply chain attack, hackers exploiting weak random number generation, and improper signing methods; each was ruled out in turn.

That afternoon, an overseas researcher found that the Slope wallet on the Solana chain had deployed a self-hosted instance of the third-party application monitoring service Sentry, and that it was collecting users’ private keys, mnemonics and other information and uploading them to a centralized server.

Sentry is an application monitoring platform that collects exception and error log information in real time while an application runs. If Sentry detects a bug, it notifies the application’s engineers by email or other means.

In the crypto world the Sentry service is widely used, and the Slope wallet was one such user. But there is a pitfall to watch for: if it is misconfigured, Sentry may collect additional data, including private information such as private keys or mnemonics.

Security experts believe that in the Solana theft, Slope mistakenly sent sensitive data such as mnemonics and private keys to Sentry when users created their wallets. That gave hackers the opportunity to steal private keys stored on Sentry’s centralized server.
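The configuration mistake described above, as an added example that is not Slope’s or Sentry’s code: a scrubbing hook of the kind Sentry’s JavaScript SDK accepts through its `beforeSend` option. The event layout and the sample event below are constructed for the example; the redaction patterns (sensitive field names, 12/24-word mnemonics, 64-byte base58 secret keys, 64-hex raw keys) are assumptions about what wallet key material looks like, not anything the article documents.

```javascript
// Added example: a beforeSend-style scrubber for Sentry events.
// It mirrors only the shape of a Sentry event (message, extra, breadcrumbs)
// so it runs offline without the SDK. In a real app it would be wired as
//   Sentry.init({ dsn, sendDefaultPii: false, beforeSend: scrubEvent });

const REDACTED = '[REDACTED]';

// Field names that should never reach an error tracker, whatever they hold.
const SENSITIVE_KEY = /(mnemonic|seed|secret|priv(ate)?[_-]?key|keypair)/i;

// Value shapes that look like key material (assumptions for this example):
//  - 12 or 24 lowercase words  -> BIP-39 style mnemonic
//  - 86-88 base58 characters   -> 64-byte Solana secret key (seed || pubkey)
//  - 64 hex characters         -> 32-byte raw key, e.g. an Ethereum private key
const MNEMONIC = /\b(?:[a-z]{3,8}\s+){11}[a-z]{3,8}\b/;
const BASE58_KEY = /\b[1-9A-HJ-NP-Za-km-z]{86,88}\b/;
const HEX_KEY = /\b(?:0x)?[0-9a-fA-F]{64}\b/;

// Replace every key-shaped substring inside a free-text value.
function scrubString(s) {
  return s
    .replace(new RegExp(MNEMONIC.source, 'g'), REDACTED)
    .replace(new RegExp(BASE58_KEY.source, 'g'), REDACTED)
    .replace(new RegExp(HEX_KEY.source, 'g'), REDACTED);
}

// Walk the event recursively and return a scrubbed copy; the input is not mutated.
// A sensitive field name redacts the whole value regardless of its content.
function scrubValue(value, keyName) {
  if (keyName !== undefined && SENSITIVE_KEY.test(keyName)) return REDACTED;
  if (typeof value === 'string') return scrubString(value);
  if (Array.isArray(value)) return value.map((v) => scrubValue(v));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = scrubValue(v, k);
    return out;
  }
  return value;
}

// Drop-in for Sentry's beforeSend(event, hint): return the event to send it
// (here: scrubbed), or null to drop it entirely.
function scrubEvent(event /*, hint */) {
  return scrubValue(event);
}

// Constructed sample event, shaped like what a misconfigured wallet might emit
// while a user creates a wallet: the mnemonic lands in `extra`, the secret key
// in a nested object, and the mnemonic again inside a breadcrumb message.
const SAMPLE_EVENT = {
  message: 'wallet import failed',
  level: 'error',
  extra: {
    network: 'mainnet-beta',
    mnemonic: 'abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about',
    wallet: {
      publicKey: '11111111111111111111111111111111',
      secretKey: '3'.repeat(88),
    },
  },
  breadcrumbs: [
    { category: 'wallet', message: 'derived keypair from: abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about' },
    { category: 'http', message: 'POST /rpc 200' },
  ],
};

console.log(JSON.stringify(scrubEvent(SAMPLE_EVENT), null, 2));
```

The trade-off is deliberate: a 64-hex transaction hash or a twelve-word sentence will also be redacted, which costs some debugging context but never leaks a key. A hook like this is a last line of defence; the real fix is never to pass key material into `extra`, breadcrumbs or log messages in the first place, and to treat a self-hosted Sentry server that might contain it as a hot wallet.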

After an investigation, Slope issued a statement saying that while the security breach described above did exist, the number of Slope addresses attacked was only a small fraction of all the wallet addresses drained in this incident. There is currently no evidence that Sentry itself was hacked, because the Sentry service used by the Slope wallet was deployed on a private server.

In addition, of the addresses derived from the private keys and mnemonics found on that server, only 5 Ethereum addresses and 1,388 Solana addresses intersect with the victim addresses. In other words, only about half of the more than 2,700 Slope wallets drained this time can be tied to the Sentry leak, which cannot explain how the remaining user wallets were compromised.

According to the results obtained so far, there are 4 known attacker addresses. The stolen assets have not been moved further on the Solana chain, but on the Ethereum chain some funds have been transferred to addresses suspected to be OTC traders’ personal wallets, and the rest were swapped for ETH and then sent to Tornado Cash.

Web3 “Crisis”

At the same time Solana was attacked, the cross-chain bridge Nomad Bridge was also exploited. Notably, hundreds of participants took part in draining Nomad Bridge, including some “white hats”, with losses of nearly 200 million US dollars.

Zhang Lianfeng, Chief Information Security Officer (CISO) of SlowMist Technology, told Geek Park that attacks on Web3 fall into two main types:

  • One is on-chain attacks, such as fake deposits, reentrancy attacks, replay attacks, transaction-reordering attacks, etc. Such attacks are often stealthier and must be identified through professional code security audits, thorough on-chain analysis, and monitoring and early warning.

  • The second is off-chain attacks, such as advanced persistent threats (APT), phishing, supply chain attacks, etc. These are common security problems in traditional Web2, but they have a major impact on the security of the Web3 ecosystem.

In April this year, Jay Chou lost Bored Ape #3738, an NFT worth over 3 million yuan, after accidentally clicking on a phishing link.


Jay Chou’s stolen Bored Ape NFT. |Source: the Internet

Web3 has financial value built in, and with money on the table it is more likely to be targeted by hackers. As the number of Web3 participants keeps growing, cryptocurrency crime is rising rapidly.

According to statistics from the SlowMist Hacked archive, asset losses in the Web3 space in the first half of 2022 came close to US$2 billion, exceeding the total losses from hacks and exploited vulnerabilities in all of 2021.

2022 has therefore been called “the worst year since the rise of Web3”. Among the targets, cross-chain bridges, which have a low degree of decentralization and hold large amounts of liquidity, suffered the most.

As of June 30, 7 cross-chain bridge security incidents had occurred this year, with losses exceeding $1 billion, more than half of all asset losses in the first half of the year. Of the 4 incidents in the first half with losses in the hundreds of millions of dollars, 3 hit cross-chain bridges.

Representative examples are the attack on Ronin Network, the sidechain of the blockchain game Axie Infinity, which lost $624 million, and the attack on Wormhole, Solana’s cross-chain bridge, which lost $326 million.

Besides cross-chain bridges, blockchain wallets are another “hardest-hit area” for security incidents.

A wallet is the tool with which users manage their crypto assets, and it is also the account entry point into the various Web3 applications. Interactions and transactions in the crypto world all go through a wallet.

A wallet holds addresses generated from public and private key pairs, which appear as strings of letters and numbers. The private key is analogous to the password of a Web2 payment tool: whoever holds this “password” is the real owner of the crypto assets.

The private key is therefore the key piece of information hackers go after. Most wallets are connected to the internet, which makes the risk of private key leakage high.

Once hackers have stolen cryptocurrency, the next stop is laundering, with coin mixers as the representative “accomplice”.

A coin mixer’s original purpose, built on privacy protection, is to erase the traces of users’ transactions on chain, but hackers use it as a laundering tool after moving stolen assets. Tornado Cash, sanctioned not long ago, has “laundered” more than $7 billion worth of virtual currency since its launch in 2019.

In May this year, the United States sanctioned the centralized mixing service Blender, on the grounds that Blender was suspected of helping the well-known North Korean hacking group Lazarus Group launder part of the assets stolen from Axie Infinity.


Lazarus Group is a North Korean hacking group that stole over $400 million worth of cryptocurrency in 2021. |Source: bleedingcomputer.com

Regulators led by the U.S. government are targeting coin mixers, and the hackers’ playbook may not work so smoothly in the future. Sanctioning crime matters, but another key issue is that the crypto world urgently needs a better security solution, one that balances property rights, privacy protection and crime enforcement.

Whether an individual player trying out Web3 or a builder going all in, before reaching the brave new world they must first cross a dark forest full of security traps.

Head image source: bitcoinist.com

This article is reproduced from: https://www.geekpark.net/news/306964