Also: A WinRAR Exploit, Balancer Exploits and the DEA Scammed
Every week, ISMG rounds up cybersecurity incidents in digital assets. This week, Cypher rolled out a futuristic compensation plan for victims, hackers exploited crypto users via a WinRAR bug and separately stole $900,000 from Balancer, the DEA lost $500K to a crypto scammer and the EU Data Act’s smart contract provision raised questions.
Crypto trading platform Cypher rolled out a plan to compensate victims of its $1 million hack. The company will distribute the losses across all depositors and eventually intends to make them whole. The company said it will raise funds through an initial DEX offering to issue the users a “debt token,” which represents the value of the assets they are owed. This token grants them the right to funds out of profits that Cypher will eventually generate, after the platform is relaunched.
Hackers have been hacking into crypto and securities trading accounts by exploiting a now-patched zero-day vulnerability in file compression software WinRAR, Group-IB said. Tracked as CVE-2023-38831, the vulnerability allowed hackers to hide malicious scripts in files masquerading as a .txt file – or any other file format – on the inside of a compressed WinRAR folder. The script delivered various malware families including DarkMe, GuLoader and Remcos RAT. Threat actors targeted public trading forums through posts that purported to share financial analysis.
A hacker stole $900,000 from decentralized finance protocol Balancer on Sunday, days after the company had warned that a vulnerability – the one the hacker exploited – could put user funds at risk. The company said its recent mitigation measures “drastically reduced risks” to a point where only 1.4% of its total assets were at risk, but that it could not pause the protocol entirely. “To prevent further exploits, users must withdraw from affected LPs,” it said.
DEA Victimized in Crypto Scam
The U.S. Drug Enforcement Administration reportedly fell victim to a crypto scam, transferring more than $55,000 in Tether from a hardware wallet after a thief had tricked the law enforcement agency into thinking the scammer’s address was a legitimate address held by the U.S. Marshals Service.
Forbes reported the scammer created a crypto account that closely resembled the Marshals Service’s account number. The DEA, per normal practice, was transferring to the Marshals Service money it had seized during an investigation into digital currency used to launder money from suspected narcotics deals. It made a test transfer of $45.36, attracting the scammer’s attention. The scammer set up a cryptocurrency address that matched the first five and last four characters of the Marshals Service’s account and then airdropped the fake address into the DEA account.
“Airdropping is a legitimate feature in cryptocurrency and sees an individual or entity drop tokens representing a certain value of a currency into someone’s account,” Forbes said. The DEA used the scam account rather than the legitimate account to transfer $55,000 in a single transaction. The agency attempted to recover the funds, but Tether officials “said the money had already gone.”
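The look-alike address in this incident matched only the first five and last four characters of the legitimate one. The following Python check is an added example, not code from Forbes, the DEA or ISMG; it treats a destination as trusted only on a full-string match against an address book verified out of band, and flags anything that merely shares those leading and trailing characters. The addresses, the `custody-wallet` label and the function names are constructed for illustration.

```python
# Added example: screen a transfer destination against a verified address book.
# All addresses below are constructed for illustration.
PREFIX_LEN = 5  # leading characters the scam address matched, per the report
SUFFIX_LEN = 4  # trailing characters the scam address matched

TRUSTED_ADDR = "0x7a3f9c51d2e84b60a1c7f0e39b5d2468ace01b9e"
LOOKALIKE_ADDR = "0x7a30d4e6b8821f9c3a7e5501d6b92c4f8a371b9e"
UNRELATED_ADDR = "0x52c08e17b3a94d6f80e2a5c7193bd4f6e8a0c2d4"
ADDRESS_BOOK = {"custody-wallet": TRUSTED_ADDR}  # verified out of band
HISTORY = [TRUSTED_ADDR, UNRELATED_ADDR, LOOKALIKE_ADDR]  # recent counterparties


def is_lookalike(candidate: str, trusted: str) -> bool:
    """True when the ends match a trusted address but the full string does not."""
    if candidate == trusted:
        return False
    a, b = candidate.lower(), trusted.lower()
    return a[:PREFIX_LEN] == b[:PREFIX_LEN] and a[-SUFFIX_LEN:] == b[-SUFFIX_LEN:]


def classify_destination(candidate: str, address_book: dict) -> tuple:
    """Return ("trusted", label), ("lookalike", label) or ("unknown", None)."""
    candidate = candidate.strip()
    # Only a full-string match is trusted; comparing just the ends is what the scam relies on.
    for label, trusted in address_book.items():
        if candidate == trusted:
            return ("trusted", label)
    for label, trusted in address_book.items():
        if is_lookalike(candidate, trusted):
            return ("lookalike", label)
    return ("unknown", None)


def poisoned_history_entries(history: list, address_book: dict) -> list:
    """List history addresses that imitate an address-book entry."""
    return [addr for addr in history
            if classify_destination(addr, address_book)[0] == "lookalike"]


if __name__ == "__main__":
    for addr in HISTORY:
        print(addr, classify_destination(addr, ADDRESS_BOOK))
    print("poisoned:", poisoned_history_entries(HISTORY, ADDRESS_BOOK))
```

A destination that differs from the address-book entry only in letter case is also reported as a look-alike, so it is reviewed by hand rather than trusted automatically.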
EU Data Act’s Impact on Web3
A consensus agreement between the European Council and the European Parliament over the European Data Act may have unintended consequences for the development of smart contracts based on distributed ledger technology. Described by EU Commissioner Thierry Breton as a “milestone in reshaping the digital space,” the legislation proposes new rules on access and usage of data generated in the EU. A provision in the bill requires that automated data-sharing agreements, including digital contracts and smart contracts based on distributed ledger technology, contain a kill switch allowing the company to terminate them if a security breach occurs. The legislation does not specify the conditions for safe termination and could clash with smart contracts’ immutable and irreversible nature.
With reporting from ISMG’s Mihir Bagwe in Bengaluru