According to reports, a yet-to-be-identified person or persons have stolen $120.3 million (in crypto) in a major heist by hacking into the BadgerDAO decentralised finance (DeFi) system. PeckShield, a blockchain security service, identified the hack and has begun investigating the lost funds. It was discovered that the hackers plundered the crypto wallets of dozens of customers by forcing accounts to transfer money to the hackers' crypto address.
BadgerDAO announced that it is investigating the hack after PeckShield made its discovery public. It has also paused its smart contracts for the time being to prevent more withdrawals. It remains unknown when the restriction will be lifted.
While the investigation is still underway, Badger team members have informed consumers that they suspect the problem was caused by someone installing a malicious script into their website’s UI. For any users who interacted with the site while the script was active, the script would intercept Web3 transactions and insert a request to transfer the victim’s tokens to the attacker’s selected address.
PeckShield pointed to one transfer that dragged 896 Bitcoin valued at more than $50 million into the attacker’s coffers. The hackers made off with a massive 2,100 BTC tokens and 151 ETH in total. According to the investigation, the malicious code first emerged on November 10th, and the attackers executed it at seemingly random intervals to evade discovery.
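A defender-side illustration of the interception described above, added here and not taken from Badger or PeckShield: a wallet or front-end wrapper can decode the calldata of each transaction request before signing and flag token-moving calls whose counterparty is not on an allowlist. The report does not say which contract call the injected request used, so this sketch covers the three standard ERC-20 calls; the addresses, the allowlist and the `reviewTransaction` name are assumptions.

```javascript
// Added example: pre-signing check for ERC-20 calldata.
// Selectors are the standard ERC-20 ones; every address is a constructed placeholder.
const SELECTORS = {
  "a9059cbb": { name: "transfer", partyArg: 0 },     // transfer(to, amount)
  "095ea7b3": { name: "approve", partyArg: 0 },      // approve(spender, amount)
  "23b872dd": { name: "transferFrom", partyArg: 1 }, // transferFrom(from, to, amount)
};

// Return the address in the n-th 32-byte ABI word, or null if the word is
// missing or its 12 padding bytes are not zero.
function addressArg(argsHex, n) {
  const word = argsHex.slice(n * 64, (n + 1) * 64);
  if (word.length !== 64 || !word.startsWith("0".repeat(24))) return null;
  return "0x" + word.slice(24);
}

// Classify a transaction request before it is shown to the user for signing.
// trusted: Set of lowercase addresses the dApp is expected to move tokens to.
function reviewTransaction(tx, trusted) {
  const data = String(tx.data || "0x").toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]*$/.test(data)) {
    return { verdict: "flag", call: null, party: null, reason: "calldata is not hex" };
  }
  const entry = SELECTORS[data.slice(0, 8)];
  if (!entry) {
    return { verdict: "pass", call: null, party: null, reason: "not a covered ERC-20 call" };
  }
  const party = addressArg(data.slice(8), entry.partyArg);
  if (party === null) {
    return { verdict: "flag", call: entry.name, party, reason: "malformed arguments" };
  }
  if (trusted.has(party)) {
    return { verdict: "ok", call: entry.name, party, reason: "counterparty is allowlisted" };
  }
  return { verdict: "flag", call: entry.name, party, reason: "counterparty not allowlisted" };
}

// Constructed sample requests.
const pad = (hex) => hex.replace(/^0x/, "").toLowerCase().padStart(64, "0");
const TOKEN = "0x" + "aa".repeat(20);   // token contract (placeholder)
const VAULT = "0x" + "11".repeat(20);   // contract the dApp legitimately uses (placeholder)
const UNKNOWN = "0x" + "ee".repeat(20); // address absent from the allowlist (placeholder)
const TRUSTED = new Set([VAULT]);
const expected = { to: TOKEN, data: "0x095ea7b3" + pad(VAULT) + pad("0xff") };
const injected = { to: TOKEN, data: "0x095ea7b3" + pad(UNKNOWN) + pad("0xff") };

console.log(reviewTransaction(expected, TRUSTED).verdict);
console.log(reviewTransaction(injected, TRUSTED));
```

A check like this only helps if it runs outside the page that may be compromised, for example in the wallet or a browser extension, since a script injected into the site could remove an in-page guard.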
Decentralized finance (DeFi) systems use blockchain technology to allow cryptocurrency owners to conduct more traditional financial transactions, such as lending and earning interest. “Relax knowing you never have to give over the private keys for your crypto, you can withdraw whenever you want, and our strategists are working day and night to put your assets to work,” BadgerDAO assures users. Its protocol allows Bitcoin owners to “bridge” their funds to the Ethereum platform via its token, allowing them to take advantage of DeFi opportunities they would not otherwise have access to.
“Data forensics experts Chainalysis have been recruited to uncover the entire scope of the event,” the company added. “Authorities in both the US and Canada have been informed, and Badger is working completely with external investigations as well as progressing with its own.”
Badger is also investigating how the attacker supposedly gained access to Cloudflare using an API key that was supposed to be protected by two-factor authentication. While the attack did not expose any specific faults in blockchain technology, it did exploit the older “web 2.0” technology that most users must use to complete transactions. “Multi-factor authentication solutions protect our accounts from phishing assaults and bulk credential stuffing.” Despite this, experts have repeatedly cautioned about targeted phishing assaults that can circumvent it, and toolkits to automate the process have been available for years.
BadgerDAO’s hack is not the first DeFi hack of the year. The $120.3 million adds to the already massive tally for the year. Between January and July 2021, DeFi hacks accounted for 76% of all hacks, according to AtlasVPN, a virtual private network (VPN) platform. In 2020, $129 million was taken in DeFi attacks, but by July this year, the figure had more than doubled to $361 million. A hacker stole $55 million in cryptocurrency assets from bZx, a decentralized finance (DeFi) platform that allows users to borrow, loan, and speculate on cryptocurrency price fluctuations, in November of 2021. The company stated, “a bZx developer was sent a phishing email on his personal computer with a malicious macro in a Word document disguised as a valid email attachment.”
Following the theft, bZx restricted its website’s user interface to prevent users from making fresh deposits and collaborated with several cryptocurrency exchanges to track down the perpetrator and to freeze and perhaps retrieve the stolen assets. DeFi protocols had lost $1.4 billion through attacks by November 3 this year, according to statistics from digital assets research firm The Block’s data dashboard. The good news was that the DAOs could retrieve more than half of the stolen funds.
DeFi introduced the project “Lossless” in October 2021, which assisted in the recovery of $16.7 million from the Cream Finance breach. Lossless also intends to release a security solution to help DeFi projects prevent attacks and exploits on their platforms.
In a tweet, Lossless named white hat security expert Pascal Caversaccio as a key figure in the successful recovery of the stolen funds. According to reports, part of this mitigation included a 24-hour freeze on suspected transactions to allow for thorough investigations.
Lossless’ chief business development officer, Dominykas A. van Otterlo, told Cointelegraph that the hack mitigation tool would use the project’s knowledge base gathered from painstakingly hunting down hackers. Lossless aimed to provide DeFi projects with security support on the Ethereum, Polygon, and Binance Smart Chain networks and deployment on layer-two protocols.