Knoqnoq Forum: Everything You Want to Discuss, Most Discussed in India

Blast ecosystem project stolen $60 million USD.

Post time 8-4-2024 07:34:13
The Munchables project, which once won the Blast Big Bang game championship, announced that it had been attacked. Meanwhile, according to monitoring by Peidun, the Munchables locking contract has issues, with 17,400 ETH (approximately $62.3 million) stolen.

Subsequently, an investigation by blockchain detective ZachXBT revealed that the attack originated from the developers of the Munchables protocol and was carried out by a North Korean hacker.

Cosine, founder of SlowMist, interpreted on social media, "This is at least the second DeFi project that SlowMist has encountered in this situation. The core developer disguised himself for a long time, gained the trust of the entire project team, and then struck mercilessly when the time came. There are probably many victims."

After Munchables announced the theft, Blast ecosystem DeFi protocol, which is related to the Munchables protocol, announced that it was assessing the losses from this vulnerability. Fortunately, the hacker only stole ETH, and the WETH deposited by users was not affected. Another protocol in the Blast ecosystem also announced plans to airdrop points to those affected by the Munchables attack.

CoderDan, founder of Aavegotchi, later posted on social media, "Pixelcraft Studios, the development team of Aavegotchi, briefly employed the Munchables attacker for some game development work in 2022. His skills were rough and he did seem like a North Korean hacker. We fired him within a month. He also tried to get us to hire one of his friends, who is likely also a hacker."

The hacker's information was quickly further investigated, and ZachXBT discovered that the four different developers employed by the Munchables team were all connected to the attacker, likely the same person. They recommended each other for the work, and payments were regularly transferred to the same two deposit addresses on two exchanges. The wallets of the "four" showed mutual transfer behavior.

North Korean Hackers' Common Strategy: Targeting Developers' Trust Attacks

North Korean hackers are perhaps the most infamous figures in the cryptocurrency field. According to a report by network security company Recorded Future, the most famous North Korean hacker group, the Lazarus Group, has stolen $30 billion in cryptocurrency over the past six years. In 2022 alone, the organization stole $1.7 billion in cryptocurrency.

Unlike technical hackers who exploit protocol vulnerabilities, North Korean hackers often target the development teams behind protocols, abusing trust and opportunistically stealing, as in the case of the Munchables attack.

In 2021, Google's security team discovered that Lazarus had long been lurking on social media platforms such as Twitter, LinkedIn, and Telegram, posing as active industry vulnerability researchers, gaining trust within the industry, and then launching 0day attacks against other vulnerability researchers.

Researchers from security company Mandiant Inc. previously stated that they found a suspected North Korean job seeker's profile in 2022 with nearly identical information to other job seekers. Hackers were proficient in copying job information from LinkedIn and Indeed, and applying for positions at some cryptocurrency companies in the United States.

In addition to posing as developers lurking in teams, North Korean hackers also disguise themselves as customers or employers to approach team developers.

In 2022, the Ronin side chain of the Axie Infinity game was stolen for $600 million, the largest theft in the cryptocurrency field. Initially, the Ronin team found that the reason for the theft was an attack on validator nodes. However, in a subsequent investigation, it was discovered that the Lazarus Group, a North Korean hacker organization, had forged a company and impersonated an employer to contact a senior engineer at Axie Infinity developer Sky Mavis through LinkedIn, pretending to recruit with a high salary.

Faced with tempting high salaries, the senior engineer at Axie Infinity showed interest in the "job opportunity" and went through multiple rounds of "interviews." In one of the "interviews," the engineer received a PDF file containing detailed information about the job.

However, the file actually opened the door for hackers to enter the Ronin system. The employee downloaded and opened the file on the company's computer, triggering an infection chain that allowed hackers to infiltrate the Ronin system and control four token validators and an Axie DAO validator.

This type of attack is known as an APT attack. SlowMist's MistTrack previously summarized this attack method: attackers first impersonate, deceive the auditor into becoming a real customer through real-person authentication, and then make real deposits. Under the guise of this customer identity, when multiple official personnel communicate with the customer (attacker), custom Mac or Windows Trojans accurately target official personnel. Once permission is obtained, they move laterally within the intranet, lurk for a long time, and then steal funds.

In this event, after the hacker returned the funds, Blast founder Pacman posted on social media that the core contributors of Blast had obtained $97 million through multi-signature, and all development teams, regardless of whether they were affected or not, should learn from it and take preventive measures to ensure protocol security.

In the dark forest of the crypto world, hidden dangers are hard to guard against. Whether they are users or project parties, they need to be vigilant and take sufficient security precautions.

With the suspected hacker's GitHub address also being disclosed, perhaps due to pressure from all parties tracking them, the hacker has now returned the stolen funds.

Post time 8-4-2024 10:43:33
This theft is quite significant.

Post time 8-4-2024 12:34:43
The losses this time are also substantial.

Post time 8-4-2024 12:34:54
Recommendations should also be based on the actual situation, this one should be good.

Post time 9-4-2024 08:09:43
No matter how many recommendations there are, there are always wins and losses; everyone should still keep a calm mindset.
