How Crypto Gets Hacked: Issue #10
Disclaimer: I’ll be talking about individual crypto projects in this series but this is for informational purposes only and not a solicitation to buy or sell any cryptoassets.
Do your own due diligence.
NOTE: This one is a little long. It’s been awhile since I compiled a post and the topics have piled up. But enjoy!
I was recently on the Behind the Markets podcast with Jeremy Schwatrz. We talked about my “Bitcoin is an Energy Credit” thesis and How Crypto Gets Hacked. You can check that out here:
If you’ve been at the beach over the past month, then maybe you haven’t heard: the Terra blockchain’s stablecoin (UST) depegged from its $1 target price and never recovered, creating the conditions for a bank run and collapsing the entire Luna/Terra ecosystem within a week.
I plan on making a longer form post of my own on algorithmic stablecoins and how these bank runs occur, but I feel like there is already a lot of content out there to pick over if you haven’t seen enough on this story already. The week it happened, it was hard to ignore.
But if you missed it, I enjoyed reading these if you want to get caught up:
This post from Net Interest (Mark Rubenstein) on the similarity between traditional bank runs and algorithmic stablecoins.
The Nansen Report on the UST depeg, analyzing the blockchain data.
The Block: Terra, Luna and UST: How we got here
Too Many Scams to Count
It’s been awhile since I made my last post, and in that time there have been too many scams.
Here’s a quick rundown:
Metamask warned users that their encrypted passwords for the crypto wallet app could be automatically uploaded to the icloud on Apple devices. This resulted in at least one user who lost about $650K in NFTs at the time. The hacker tricked him into giving them access to his icloud account by pretending to be from Apple.
The Bored Ape Yacht Club’s official Instagram account was hacked. The hacker posted a fake link to an airdrop that would give Bored Ape holders free land in their upcoming metaverse project. The link was a phishing scam. When Bored Ape holders connected their crypto wallet with their Bored Ape inside, their valuable NFTs were stolen.
Actor Seth Green was planning on creating a show that starred his own Bored Ape NFT, but he lost it when he clicked a link to a phishing scam. Now he’s not sure he will be able to create the show, because he no longer holds the Bored Ape and therefore no rights to use the NFT’s likeness. He’s trying to get it back from the person the NFT was sold to.
Famous NFT artist Beeple had his Twitter account hacked. The hacker posted a link to a fake raffle for a collaboration NFT with Louis Vuitton, which was in reality another phishing scam that would drain crypto from users wallets. They also posted other phishing links, and netted around $438K in stolen crypto and NFTs.
A deepfake video of Elon Musk was used to promote a cryptocurrency scam called BitVex. It featured a fake interview with Chris Anderson during a TED talk with fake lip movements and voiceovers. On their site, they said Musk was the CEO and featured fake praise from Binance CEO CTZ and Ark Invest CEO Cathie Wood, but it was all a phishing scam.
Someone hacked into the OpenSea discord server and started promoting a scam NFT mint in a phishing attack. They were pretending to promote a new NFT collaboration with Youtube. Only about 10 ETH ($27K) was stolen.
Republican and US Representative Madison Cawthorn is under investigation by the U.S. House Committee on Ethics for a pump-and-dump scheme involving crypto. He received “Lets Go Brandon” (LGB) meme tokens, said on social media the token was going “to the moon” tomorrow, then a NASCAR driver announces he will paint his car with the LGB logo, and then he sold a third of them for a 94% gain.
My Take: This isn’t even the full list of scams and phishing attempts.
It doesn’t matter if it’s from phone calls, Web 2 or Web 3, scams are all around us and we need to be careful about who we trust and what we click on.
Use multi-factor authentication, use new passwords every time, and just stay safe out there!
Note: If you are looking for a hardware wallet for better digital asset security, I would recommend a Ledger, which you can get here.
The Brand New Rekt
I haven’t checked in on Rekt since my last long form post on the news site. They cover hacks in the DeFi and cryptocurrency space, and unfortunately a lot of the same smart contract risk I discussed back then are still happening to new DeFi projects today:
Elephant Money, a DeFi project on the Binance Smart Chain (BSC), was hacked using a flash loan. The flash loan was used to manipulate the price of their ELEPHANT token, purposely creating an arbitrage that the hacker could take advantage of. $22.2M hack.
Fortress, a lending protocol on BSC, was hacked by manipulating the oracle which provided price feed data, because the oracle they were using allowed anyone to change the price feed data (🤦). The hacker also bought so much of the protocol’s governance token they were able to pass a malicious proposal. This allowed them to swap 100 tokens worth $4.50 for $3M worth of other cryptocurrencies.
Beanstalk, a stablecoin protocol, was hacked using a flash loan to control their governance. The hacker used the flash loan to acquire enough of their governance token to be able to pass a malicious proposal. The proposal allowed the hacker to drain crypto from the platform. There was no delay set up on proposal executions, so the proposal passed immediately before anyone could stop it. Then they converted it to ETH and mixed it through Tornado Cash. $181M hack.
But others are getting more sophisticated:
Inverse finance, an Ethereum lending protocol, was hacked by a professional. They withdrew ETH from the mixer TornadoCash (to hide the origin’s identity), swapped the ETH for the INV (Inverse) token in a low liquidity asset pool, and then spammed the network in order to be the first to take advantage of the now-inflated price of the INV asset, blocking any flash bots from arbitraging the trade to bring it back to a more reasonable price. They had to understand not only MEV and how flash bots operate but also how to take advantage of it. $15.4M hack. Very scary.
My take: Seems like DeFi is still relearning the same lessons. Code audits don’t seem to be doing enough.
But crypto is in a bear market right now and it may remain that way for some time. I’m going to assume that because token prices seem to keep falling right now that there won’t be as many new and inexperienced cryptocurrency project launches, but I could be wrong.
Tornado Cash and North Korea
Going back to one of my favorite topics: Tornado Cash!
To recap, Tornado Cash is a mixer protocol on the Ethereum blockchain. Mixers are used to “obfuscate” transaction history on the blockchain. People use them because they want privacy and don’t want all their transaction history viewable to everyone for eternity, which is what the blockchain provides. When someone puts ETH into Tornado Cash, they essentially mix it with other ETH in a collective pool, and then withdraw the ETH from a completely new address, breaking the linkage in the blockchain to the identity of the original user. Investigative blockchain firms like Chainalysis and Elliptic use the term “obfuscate” because it is technically not impossible to find out who the person is or where the funds are going, it just makes it much more difficult.
Tornado Cash in the news once again, this time because everyone knows the North Korean-backed Lazarus Group is using their protocol to launder all the funds they stole from the recent Ronin sidechain hack.
The US Treasury’s Office of Foreign Assets Control (OFAC) identified the origin of the hack as an address tied to the Lazarus Group. You can see the sanctioned address through Etherscan and all the transactions they made since then.
Tornado Cash knows this address is sanctioned, and gets oracle data from Chainalysis on sanctioned addresses to block. But what they and Chainalysis don’t know at the moment are all the other addresses North Korea may be using to offload their ETH from the mixer.
Shortly after Friday morning’s mix, Tornado Cash tweeted it uses a data feed from Chainalysis to “block [Office of Foreign Assets Control] sanctioned addresses from accessing the dapp.”
CoinDesk has not been able to confirm when the oracle integration went live. Either way, it only affects Tornado Cash’s front end, meaning savvy users can still interact with the smart contracts powering the decentralized service. The primary wallet hasn’t attempted to move funds through Tornado Cash since that tweet, but the operators of the sanctioned wallet only seem to send funds once a day.
Neither fact would make much of a difference for Lazarus’ laundering. Chainalysis added one wallet – the sanctioned “Ronin Bridge Exploit” address – to its free-to-use oracle service yesterday, and not the intermediary addresses the hackers are using.
From the US Treasury press release:
“Today, for the first time ever, Treasury is sanctioning a virtual currency mixer,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “Virtual currency mixers that assist illicit transactions pose a threat to U.S. national security interests. We are taking action against illicit financial activity by the DPRK and will not allow state-sponsored thievery and its money-laundering enablers to go unanswered.”
The virtual currency mixers that assist criminals are a threat to U.S. national security interests. Treasury will continue to investigate the use of mixers for illicit purposes and consider the range of authorities Treasury has to respond to illicit financing risks in the virtual currency ecosystem.
My Take: FINALLY! Personally, I’m glad that the US government is taking action against mixers, who were made with good intentions but in practice seem to only really benefit criminals and hackers who try to steal from other protocols.
They may come for Tornado Cash and all the other mixing services as well soon, unless they completely open up their entire transaction history to US authorities and comply with all KYC and AML regulations.
Note: For further reading, you can learn more about how Tornado Cash works by checking out this detailed Certik article here.
In a great historical example of the traceability and permanence of the blockchain, Wired wrote a long-form story of how IRS criminal investigators followed the money and eventually caught up to hundreds of users of a child abuse site and took them down. They used Chainalysis’ blockchain tracing techniques to help find them.
I think it’s definitely worth the read, but keep in mind it does mention viewing child abuse material.
Paypal’s VP of Blockchain on the Future of Payments
Jose Fernandez da Ponte is the Senior Vice President of PayPal’s “Blockchain, Crypto and Digital Currencies” business unit. I thought he had some interesting things to say in a recent opinion piece about what the future of crypto-payments may look like.
For this adoption to happen, it is necessary to acknowledge that a payment is more than just a transaction. It involves more than the streamlined transfer of value from one wallet to another. It includes processes sometimes taken for granted, like managing transaction disputes and reconciliations, detecting fraud, preventing illegal activity, processing chargebacks and bank reversals, integrating with accounting systems and handling taxes and financial reporting.
The payment layer must also provide auditable transaction mechanisms that maintain the privacy of merchants and consumers while preventing illegal activity in the network. There is a need for identity attestations that are compatible with a decentralized environment and provide adequate proofs on-chain. Continued improvements in network and transaction monitoring and anti-money laundering measures are required, both in terms of technology platforms and uniform data sharing mechanisms. And, finally, custody mechanisms must continue to evolve at the speed of the industry and provide secure storage and utility for an increasingly diverse set of assets.
I hear many crypto-advocates who believe there is no middle ground where we can achieve both privacy and preventing illegal activity through blockchain payment rails, but it sounds like Jose believes there is a path forward.
I agree: in order for this to work we will need to make both privacy and law enforcement a priority. It shouldn’t be an either-or decision. One can hope.
Binance Working with Russian FSB
In a long report, Reuters reported recently that Binance may be handing transaction data over to the Russian FSB, allowing them to spy on opposition leaders and their crypto donations in the country:
Navalny's chief of staff, Leonid Volkov, told Reuters that Russia's proposed regulatory framework could let the Kremlin identify the opposition group's crypto donors. Since Navalny's arrest in January 2021, his anti-corruption foundation has publicly encouraged backers to donate via Binance, telling them this was the safest way to do so because, unlike with bank transfers, authorities would not know donors' identities.
"These people will be in danger," said Volkov, who runs the foundation from Lithuania. If Binance wants to protect its customers, Volkov went on, it should "never do anything with the Russian government." The Kremlin declined to comment on Navalny's crypto fundraising or Binance's operations.
Russia is Binance’s second largest market behind China. In march they processed almost 80% of all rouble-to-crypto trades.
Eventually Navalny started receiving bitcoin donations, and the Russian authorities went after him:
After the explosion in Navalny's bitcoin donations, the FSB started exploring how to identify his crypto donors, according to the person familiar with the matter. The FSB, the person said, instructed Rosfin to find a way to achieve that goal. Responding to questions from Reuters, Rosfin said it is prohibited from disclosing measures to combat terrorist financing. It said Navalny was involved in "terrorist activity."
In the article they say that Binance enlists “angels” to promote and advertise their platform to traders. And that Binance is drawing praise from Russian party leaders for teaching them about the benefits of crypto.
My Take: Binance has always seemed to be on the shady side, so I guess it isn’t surprising that they would willingly work with an authoritarian and oppressive government.
But is the USA any different in this regard? Doesn’t the US want to investigate all the transactions on the blockchain? Aren’t they doing that now?
The difference is we have freedoms and a constitutional right to privacy. It’s one thing to break the law, it’s another to go after political opponents just because you want to stay in power. That’s why getting the laws and regulations around digital assets right is going to be crucial in the coming years.
I don’t want us to end up in libertarian distopia, but I also don’t want an authoritarian state ruling over us. Still hoping as a country we can find a middle ground.
Insider Trading is Still Insider Trading
Former product manager at NFT exchange OpenSea, Nathaniel Chastain, is being charged by the US Department of Justice for “wire fraud and money laundering in connection with a scheme to commit insider trading in Non-Fungible Tokens.”
U.S. Attorney Damian Williams said: “NFTs might be new, but this type of criminal scheme is not. As alleged, Nathaniel Chastain betrayed OpenSea by using its confidential business information to make money for himself. Today’s charges demonstrate the commitment of this Office to stamping out insider trading – whether it occurs on the stock market or the blockchain.”
FBI Assistant Director-in-Charge Michael J. Driscoll said: “In this case, as alleged, Chastain launched an age-old scheme to commit insider trading by using his knowledge of confidential information to purchase dozens of NFTs in advance of them being featured on OpenSea’s homepage. With the emergence of any new investment tool, such as blockchain supported non-fungible tokens, there are those who will exploit vulnerabilities for their own gain. The FBI will continue to aggressively pursue actors who choose to manipulate the market in this way.”
Maximum sentence is 20 years in prison for one count of wire fraud and one count of money laundering.
And this probably won’t be the last case about insider trading in digital assets we hear about:
Turns out that insider trading is still insider trading, even in the metaverse. Welcome to the future of crime and law enforcement.
Thanks for reading!