[ad_1]
A very wise approach, one would say, as the Binance team succeeded in freezing $4.2 million worth of XRP stolen by Chris Larsen’s exploiter.
Hacken’s latest report suggests, without directly admitting it, that everything points to an inside job from within Ripple’s team, making it even easier for them to succeed in tricking Chris Larsen.
Social engineering can indeed be carried out by friends, family members or colleagues as it involves manipulating individuals into divulging confidential information, performing actions, or providing access to systems or resources that they typically wouldn’t do under normal circumstances.
Friends or family members might have a better understanding of a person’s habits, preferences, or vulnerabilities, which can be exploited to gain their trust or manipulate them into divulging sensitive information or performing actions they wouldn’t otherwise do.
This form of social engineering is often referred to as “familiarity exploitation” or “relationship-based manipulation.”
Outside of the “familiarity exploitation” and “fake job offers” startegies we have seen, attackers who use social engineering are able to develop extremely intricate scenarios involving two or more personas, recruit employee(s) and work on their target for weeks and months.
One of the most arrowing demonstration of how far they can go to entrap their target, is the very elaborate and weeks-long social engineering attack that a certain Thomasg.eth went through, and that almost cost him $125 million.
Although in this peculiar case, the endgame was not to have access to his private keys but to have him click on a wallet drainer, the tactics employed are as relevant as in private key exploits case.
Dive into our report on this case to discover more:
If we step back from social engineering, malicious software, and phishing attempts, there is one particular type of hack that has been at the core of numerous private key exploits: brute force attacks.
A brute force attack is a cryptographic hack that relies on guessing possible combinations of a targeted password until the correct password is discovered.
In the past two years, brute force attacks have mainly affected two entities: Profanity and LastPass, but made countless victims.
Profanity Hack
In 2022, private key exploits linked to the brute force attack of Profanity amounted to around $172 million in losses, with probably more losses that have not been recorded.
Profanity is an Ethereum vanity address generator. Vanity addresses are Ethereum addresses that, instead of looking like an indecipherable sequence of numbers or letters, have some parts of them (prefix and/or suffix generally) created by people to include their name or whatever they choose.
On September 15, 2022, the DeFi protocol 1inch Network raised the alarm about vanity addresses generated by Profanity that could possibly be drained due to a subsequent inherent vulnerability. The 1inch Team closed their argument with the very appropriate “Run, You Fools.”
In the following weeks, at the very least, $172 million was lost by individuals and web3 actors alike. The most devastating private key exploit was algorithmic market maker Wintermute, which lost $162.5 million in one of the greatest hacks recorded in 2022.
After the first hacks, it was revealed that Profanity developers had abandoned the project a few years ago after discovering fundamental security issues in creating private keys.
To generate these addresses, they had limited possible seed values (232); when more seed values are used, wallet addresses are better protected. These limited possible seed values made them highly vulnerable to brute force attacks, which is precisely what has been happening since September 2022.
It was first assumed in January 2022 by Inch co-founder Anton Bukov that within 50 days, a set of 1,000 GPUs could theoretically brute force the private keys of every 7-character vanity address generated by Profanity.
On September 30th, 2022, the crypto firm Amber Group tried to replicate the $162M Wintermute hack with simple hardware, a Macbook M1 with 16GB RAM, which was extremely easy and quick: it took them less than 60 hours in total to mimic the hack.
As of now, every person with funds locked in one of their Profanity addresses could still be subjected to a swift brute force attack.
The Last Pass Case
In 2022, intrinsic vulnerability in vanity-wallet-maker-Profanity wrecked absolute havoc for both retail investors and crypto actors.
In 2023, retail investors were unlucky again. This time the wallet drain came from password manager service LastPass who is, allegedly, leaking away seed phrases.
Blockchain Security Researchers revealed in September 2023 that hundreds of wallets have been silently siphoned for more than $35 million due to LastPass’ encrypted vaults being cracked and offering access to the seed phrases stored within.
This discovery was made possible thanks to Taylor Monahan, lead product manager of MetaMask, who was on the hunt for six months, looking for a cue that would explain how so many “security-conscious” and long-term crypto users could see their wallets being siphoned out of the blue with nothing to indicate it could be due to security breaches or wallet drainers.
She was able to successfully connect the dots to a single common point: LastPass Vault.
Movement of stolen cryptos from individuals who used LastPass to store their crypto seed phrases showing a common denominator — Source: Tayvano_ on Twitter
In November 2022, the password manager service LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users.
The 150 victims of this unidentifiable crypto heist had all stored their secret seed phrase on LastPass.
Furthermore, it could all be traced back to a unique signature linked to monthly crypto heists of two to five million dollars that date back to December 2022, one month after the LastPass breach was revealed.
Leading blockchain security researchers allege that some of LastPass’ encrypted vaults were cracked to access to the crypto credentials stored within.
As of now, seed phrases stored in LastPass vaults should be regarded as compromised.
Brute force attacks have not been the only hacks allowing private key exploits. It’s also the case with supply chain attacks.
Supply chain attacks have been among the new types of hacks in the web3 community over the past two years. Four supply chain attacks were reported in 2023, resulting in $237 million in losses and contributing to the second-biggest hack of the year: Mixin Network.
In cybersecurity, a supply chain attack qualifies as a cyberattack that targets organizations and attempts to inflict damage by exploiting the “weaker links” and their vulnerabilities in the supply chain network.
The “Supply Chain Network” encompasses every intermediary and organization used to operate a business.
Every new actor in a supply chain brings with it its own ‘points of vulnerability.’
As a result, supply chain attacks have become one of the most dangerous security threats for businesses and organizations at large.
Applied to the blockchain, a supply chain attack occurred when around 9,223 crypto wallets from Phantom, Slope, Solflare, and TrustWallet on the Solana blockchain were drained of almost $6 million in crypto in August 2022 due to their private keys being compromised.
According to the Solana team, all of the affected addresses, including those of Phantom, Solflare, and TrustWallet, ‘were at one point created, imported, or used in Slope mobile wallet applications.’ Unfortunately, one week prior to the exploit, Slope had decided to use Sentry, an event-logging platform utilized by many websites and mobile apps in the industry, including the Slope wallet for iOS and Android, which turned out to be the ‘weak link.’
Slope did not anticipate how Sentry could turn into a key point of access for hackers.
Based on auditing firms Zellic and OtterSec’s research:
“[…] any interaction in the app would trigger an event log. Unfortunately, Slope didn’t configure Sentry to scrub sensitive info. Thus, the seed phrases were leaked to Sentry”.
In short, anyone with access to Sentry could access users’ private keys, which allowed the hacker(s) to ‘recover wallets that do not belong to them and transfer tokens to their own personal wallet,’ resulting in almost 10,000 people seeing their funds disappear.
In September 2023, the Mixin hack took place.
Mixin, a peer-to-peer transactional network for digital assets, fell victim to a private key exploit when their cloud service provider, Google, was successfully breached and enabled the leaking of their private key, resulting in a $200 million loss. The North Korea state-sponsored hacking group Lazarus is thought to be the mastermind behind the attack.
Web3 actors converging toward each other and becoming even more interwoven to provide better services for web3 users are turning into an ever-lasting trend.
Thus, supply chain attacks will grow as these web3 actors’ supply chains become even more fragmented, creating multiple new points of vulnerability.
[ad_2]
Source link