
Axie Infinity's Ronin Network Hack Actually WORSE Than Previously Reported - Now Crypto's 2nd Largest Crime...


The amount initially reported at the time of the incident was $540 million; that has now risen to $615 million by the time of publishing this article, officially making this crypto's second-largest crime.

Discovery began when a user reported being unable to withdraw money from the Ronin bridge. Ronin Network developers detected the hack Tuesday morning, already six days after the heist.

The Ronin Network is an Ethereum side chain, largely utilized as the payment rails for the popular play-to-earn game Axie Infinity, providing game players with lower transaction fees.

The incident occurred on March 23 when the attackers used hijacked private keys to "create bogus withdrawals" through a backdoor method, emptying 173,600 ether (ETH) and 25.5 million of the stablecoin 'USD coin' according to a blog post from the Ronin network.

Validator nodes are used in blockchains to validate, vote on, and keep track of transactions. Ronin is made up of nine distinct validator nodes. Five of the nine nodes must approve a withdrawal or deposit in order for it to be recognized.
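
The five-of-nine rule described above, modelled as an added example (not code from this article or from the Ronin Network). HMAC-SHA256 with constructed demo keys stands in for the validators' real signature scheme, and the names `sign`, `count_valid_approvals` and `withdrawal_accepted` are hypothetical. It shows that the quorum check verifies keys, not operators, so approvals produced with hijacked keys pass exactly like legitimate ones.

```python
import hashlib
import hmac

THRESHOLD = 5   # from the article: five of the nine validators must approve
VALIDATORS = 9

# Constructed demo keys. HMAC-SHA256 is a stand-in for a real signature scheme.
VALIDATOR_KEYS = {
    f"validator-{i}": hashlib.sha256(f"demo-key-{i}".encode()).digest()
    for i in range(1, VALIDATORS + 1)
}


def sign(validator_id: str, withdrawal: bytes) -> bytes:
    """Approval emitted by a validator, or by anyone who holds its key."""
    return hmac.new(VALIDATOR_KEYS[validator_id], withdrawal, hashlib.sha256).digest()


def count_valid_approvals(withdrawal: bytes, approvals) -> int:
    """Count distinct known validators whose approval verifies for this withdrawal."""
    approved = set()
    for validator_id, signature in approvals:
        key = VALIDATOR_KEYS.get(validator_id)
        if key is None:
            continue  # not one of the nine validators
        expected = hmac.new(key, withdrawal, hashlib.sha256).digest()
        if hmac.compare_digest(expected, signature):
            approved.add(validator_id)  # a set: repeats from one validator count once
    return len(approved)


def withdrawal_accepted(withdrawal: bytes, approvals) -> bool:
    """The bridge rule: at least THRESHOLD distinct validators approved."""
    return count_valid_approvals(withdrawal, approvals) >= THRESHOLD


if __name__ == "__main__":
    w = b"withdraw:constructed-example"  # constructed sample message
    four = [(f"validator-{i}", sign(f"validator-{i}", w)) for i in range(1, 5)]
    five = four + [("validator-5", sign("validator-5", w))]
    print("4 approvals:", withdrawal_accepted(w, four))
    print("4 validators, one repeated:", withdrawal_accepted(w, four + [four[0]]))
    print("5 approvals:", withdrawal_accepted(w, five))
```

Nothing in the check can tell who produced an approval, which is why protecting each validator key separately matters as much as the threshold itself.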

According to the Ronin Network, attackers obtained a signature by exploiting a backdoor flaw in the decentralized autonomous structure of the play-to-earn game.

“As of right now users are unable to withdraw or deposit funds to Ronin Network. Sky Mavis is committed to ensuring that all of the drained funds are recovered or reimbursed,” the Ronin Network says.

The stolen funds were moved in 2 transactions to this wallet: https://etherscan.io/address/0x098b716b8aaf21512996dc57eb0615e2383e2f96

Strange Decisions, Signs This May NOT Be 'Sophisticated' Hackers...

In a surprising move, some of the funds have been transferred into accounts on the crypto exchange FTX - a centralized exchange that works with law enforcement and will surely return the stolen funds it possesses.

There's new movement on the wallet as well; it appears they're trying to use a bridge to move some of the remaining funds to another blockchain.

Limited Options...

Where could they go from here? In my opinion, every option is a bad move.

Mixers that scramble transactions of multiple people's coins then spit them back out, in theory making them untraceable, do not have nearly enough liquidity to leave the hackers with any real progress. Maybe 0.5% per day could be 'cleaned' this way. Tracing large amounts through mixers is as simple as seeing who was sent the most at the end of the mixing process.

To use mixers to clean the dirty crypto and stay hidden would require them to do daily amounts so small the process would take decades.

Privacy coins perhaps? That won't work either.

The public data on privacy coins would also make it obvious which wallet belongs to them - they simply have too much to stay under the radar. Similar to using mixers, they would need to make transactions so small to stay hidden and blend in with everything else that it would take years before they could actually spend what they stole.

Worst case, the hackers may be able to walk away with $5 million of it in the end, making this an incredibly stupid decision: committing a $600 million crime and leaving with $5 million.

In Closing...

While this may sound like a disaster for Ronin Network at the moment, software used by exchanges and law enforcement exists today that is capable of tracking every step these coins take. Spending any of this in the real world will be nearly impossible.

The things people normally do with millions of dollars, like luxury travel, homes, cars, are all things that would instantly expose the identity of the criminals.

I would bet on most or all of the funds being recovered in the near future.

-----------
Author: Ross Davis
Silicon Valley Newsroom
GCP | Breaking Crypto News

Crypto Thief Arrested in US After Stealing $1M+ From 75 Victims in 20 States...

While mainstream media reports are making this kid sound like a mastermind, the truth is, this trick takes virtually no skills whatsoever.

That's why it's so disturbing.

19-year-old Yousef Selassie was arrested and charged with first-degree grand larceny and identity theft when authorities traced 75 victims back to him as he began to spend his earnings.

“He sought them out based on the industries they were involved in,” said Brooklyn Assistant DA James Vinocur, explaining how Yousef targeted people in tech, believing they were more likely to own high amounts of cryptocurrency.

A search of his residence found 9 phones, 3 flash drives, and 2 laptops - all containing evidence against him. He pleaded not guilty.

Shockingly simple...

Authorities say he used a "SIM swap" to pull it off, and when you hear how easily this is done, it will shock you.
  • Get a blank SIM card (available on eBay and hundreds of other sites)
  • Put it into a cellphone.
  • Call the target's cellphone provider.
  • Pretending to be the target or someone close to them, say you recently lost your phone, you ordered a new one, and need it activated.
  • They will ask for the SIM card's ID number.
  • If everything went correctly, your phone is now on the victim's account, you control their phone number, you receive their calls and texts.
  • Using the 'I lost my password' feature everything from crypto exchanges to online banking has, have them text a code to reset it.
  • Since the text messages now go to you, you're now able to reset the passwords to whatever you wish.
  • That's it, you have full access to everything. 
Some tricks used to get the customer service rep from the cell phone company to comply include pretending to be someone's personal assistant, which would explain why you may not be able to answer every question they ask you.

Or, pretend to be elderly, make every step take way longer than usual, make the customer service rep frustrated and by the time they figure out what you need them to do, they'll rush to get you off the line.

Who's to blame?
Absolutely, it's the cellphone providers. In almost every case a rep from the company doesn't go through the process of verifying they are talking to the true account owner, or, as mentioned above when they believe they're speaking with someone's personal assistant, they will forgive not knowing things like the mother's maiden name.

The solution? This can be tough, because sometimes we forget what we chose as our passwords or pins. I've never had to do this process myself, and I have no idea what answers I gave to the security questions when I signed up... 8 years ago now.

But frankly, if I forgot, it's my fault.  So perhaps a foolproof system where the customer service reps cannot change SIM information without first entering information given by the customer is the way to go. 

If they forgot, a verification code will have to be mailed to the customer's home address. It could be sent overnight (for a fee) and people will have to accept this is being done in the name of protecting their data.

These days, so much of our lives are on our phones.  It's a change that happened without much thought behind it, but most people don't feel like losing their phone is the same as losing their wallet with their credit cards in it.  But really, it's exactly like that.

Could someone call a bank and get someone else's login information by saying they are their personal assistant? Would the bank reps forgive not knowing a few pieces of personal information? Hell no.

Now keep in mind, through someone's cellphone you can access that same account! That's why cellphone providers need to operate with the same security standards as the bank.

-------
Author: Ross Davis
E-Mail: Ross@GlobalCryptoPress.com Twitter:@RossFM

San Francisco News Desk