Crypto-Sec is a biweekly collection of cryptocurrency and cybersecurity stories and tips.
Biggest Phishing of the Week: TAO Holders Lose $11.2 Million
In June, users of the Bittensor (TAO) artificial intelligence platform lost more than 28,000 tokens worth $11.2 million at the time in the largest phishing attack reported to date. The attack was reported by on-chain detective ZachXBT on his Telegram channel.
The attackers split the funds into 18 different wallet accounts and then consolidated them into 16 accounts, ZachXBT reported. The 16 accounts then bridged the tokens from the TAO network to Ethereum and exchanged them for ETH and USDC stablecoins using three different decentralized exchanges.
Splitting funds into multiple wallets and then combining them again is a common tactic for fraudsters and is designed to bypass money laundering detection systems in centralized exchanges. It is this pattern of splitting and recombining that led ZachXBT to conclude that this was a phishing attack.
Cryptocurrency phishing attacks are a type of scam in which attackers create fake websites that appear to be part of a legitimate protocol, such as a decentralized exchange or lending app. The site is in fact malicious and has not been approved by the legitimate protocol team. When a user authorizes the fraudulent app to spend their tokens, instead of doing what the user expects, it drains the tokens.
Phishing scams are one of the most common ways cryptocurrency users lose their funds due to attacks.
White Hat Corner: Microsoft’s ‘Zero Click’ Vulnerability Patch
According to Security Week, Microsoft has patched a vulnerability that could allow attackers to execute code without downloading or executing files on Outlook users’ devices. Cybersecurity firm Morphisec reportedly discovered the flaw.
A potential attack would only require the user to open a malicious email, without the user having to download or execute any files. For this reason, Morphisec called this flaw a “zero-click vulnerability.”
Morphisec reported that the flaw could allow attackers to “exfiltrate data, gain unauthorized access to systems, and perform other malicious activities.”
Cryptocurrency software wallets use key vault files stored on the device to sign transactions, so these files could potentially be stolen through such an attack, leading to loss of cryptocurrency.
Despite Microsoft’s patch, some devices may still be running older versions of Outlook, so “users are encouraged to update their Outlook clients as soon as possible,” the report said.
Microsoft has rated this vulnerability as “Important,” but not “Critical.” The flaw affected previous versions of Outlook 2016, Office LTSC 2021, Microsoft 365 Apps for Enterprise, and Office 2019, but the latest versions of these apps are not vulnerable.
DeFi Exploit of the Week: UwU Lend Exploited Twice
DeFi protocol UwU Lend on Ethereum was exploited twice by the same attacker in three days. As reported by blockchain security platforms PeckShield and Cyvers, the first attack occurred on June 10 and resulted in the loss of $20 million from the protocol, while the second attack on June 13 resulted in an additional $3.7 million loss.
In a June 12 statement, the protocol claimed: “The team has now identified a vulnerability unique to the sUSDe marketplace oracle, which has now been resolved.”
According to blockchain security platform Peck Shield, attackers manipulated the sUSDe oracle used by the protocol to display false prices. This allowed some liquidity pools to lend $20 million more than they otherwise would have been able to lend. The attackers then took these funds for themselves and did not repay the loan.
To elaborate further: the protocol’s sUSDe oracle used average prices derived from multiple liquidity pools. Using large flash loans, the attacker was able to shift prices in four of the following pools: FRAXUSDe, USDeUSDC, USDeDAI, USDecrvUSD, and GHOUSDe. This moved the price recorded by the sUSDe oracle and changed the collateral requirements for borrowing on the protocol. The attacker could use these changed requirements to obtain under-collateralized loans, default on them, and keep the borrowed funds.
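As an added illustration (not code from UwU Lend or from this article), here is a toy Python model of why an oracle that averages live spot prices across pools is fragile, and how a median plus a deviation circuit breaker limits the damage. Pool names mirror those named above; reserves, trade size and the deviation threshold are constructed values.

```python
from statistics import mean, median

class Pool:
    """Constant-product (x*y=k) pool quoting USDe in a quote asset. Constructed toy model."""
    def __init__(self, name, usde, quote):
        self.name, self.usde, self.quote = name, float(usde), float(quote)

    def spot(self):
        return self.quote / self.usde          # quote units per 1 USDe

    def sell_usde(self, amount):
        """Sell `amount` USDe into the pool; returns quote received. Spot price falls."""
        k = self.usde * self.quote
        self.usde += amount
        out = self.quote - k / self.usde
        self.quote -= out
        return out

def make_pools():
    # Constructed reserves (10M/10M each); names follow the pools cited in the article.
    return [Pool(n, 10_000_000, 10_000_000) for n in
            ("FRAXUSDe", "USDeUSDC", "USDeDAI", "USDecrvUSD", "GHOUSDe")]

def mean_oracle(pools):
    """Weak design: arithmetic mean of live spot prices, no sanity check."""
    return mean(p.spot() for p in pools)

class GuardedOracle:
    """Hardened design: median across sources plus a per-update deviation circuit breaker."""
    def __init__(self, max_dev=0.02):
        self.max_dev, self.last = max_dev, None

    def update(self, pools):
        price = median(p.spot() for p in pools)
        if self.last is not None and abs(price - self.last) / self.last > self.max_dev:
            raise ValueError(f"price {price:.4f} deviates >{self.max_dev:.0%} from {self.last:.4f}")
        self.last = price
        return price

def scenario(n_hit, size=5_000_000):
    """One large one-sided sell in n_hit of the 5 pools; returns (mean price, guarded price, tripped)."""
    pools = make_pools()
    guarded = GuardedOracle()
    guarded.update(pools)                     # baseline: every pool quotes 1.0
    for p in pools[:n_hit]:
        p.sell_usde(size)
    naive = mean_oracle(pools)
    try:
        return naive, guarded.update(pools), False
    except ValueError:
        return naive, guarded.last, True      # breaker holds the last accepted price
```

With one pool moved the mean drops to about 0.889 while the median stays at 1.0; with four of five pools moved the mean reads about 0.556, the median itself is poisoned, and only the deviation breaker keeps the lending logic on the last sane price. Production designs add time-weighting and a pause path rather than relying on a single threshold.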
Related: What is a flash loan in DeFi?
Approximately $14.4 million worth of the stolen funds were transferred to an account ending in EB70, and another $4.6 million to an account ending in 5EB6. The stolen loot consisted entirely of Ether (ETH), as the attacker swapped all other tokens for ETH immediately after the attack.
On June 12, the UwU team announced the repayment of non-performing debt for Tether (USDT), DAI, and crvUSD to allow these markets to restart.
Related: UwU Lend suffered a $20 million hack.
However, the day after this announcement, Cybers announced that the attackers had launched a second exploit targeting UwU Lend. The second attack targeted uDAI, uWETH, uLUSD, uFRAX, uCRVUSD, and uUSDT pools, causing $3.7 million in losses.
UwU Lend’s exploit had a knock-on effect that ended with the Curve CRV token in free fall and multi-mansion-owning founder Michael Egorov liquidating $140 million in stablecoin positions.
This led to news reports that Egorov proposed burning 10% of the supply of CRV tokens, worth $37 million, to stabilize the price of the token.
Unfortunately, the burn story was a hoax tweeted by an Egorov impersonator trying to phish users. In fact, Egorov told Cointelegraph:
“This information was tweeted by a fake account along with a fraudulent link. Few journalists would publish news about this without checking the facts.”
Deepfake Scam: OKX Users Lose $2 Million
According to a translated report from Chinese cryptocurrency media outlet Wu Blockchain, one OKX user lost more than $2 million due to a deepfake scam created through artificial intelligence (AI). The attackers purchased Lai J. Fang Chang’s personal data from Telegram and used it to create “an AI-synthesized video application to change mobile phone numbers.”
The video allegedly tricked OKX platform employees into approving changes to Chang’s password, email address, and Google Authenticator device, bypassing all two-step authentication controls. The attackers then withdrew all of Chang’s cryptocurrency to wallet accounts they controlled.
OKX is reportedly currently investigating the attack.
Related: AI-powered cryptocurrency crime is just beginning — Elliptic Report
CEX: SomaXBT alleges hack cover-up on Lykke exchange.
On June 9, blockchain researcher SomaXBT accused Lykke Exchange of hiding $22 million in losses from a June 4 hack. The researcher began looking into the issue after noticing several Lykke users complaining that they were unable to withdraw their funds. The exchange had reportedly announced through Discord that the platform was undergoing maintenance.
However, SomaXBT said the investigation found that over $19 million in Bitcoin (BTC) and ETH had been transferred from multiple exchange wallets to new addresses, suggesting the exchange may have been hacked. The researcher claimed that Lykke was “still trying to hide this fact,” as five days had passed without the exchange issuing an official statement.
The next day, Lykke acknowledged the attack and apologized to users for the inconvenience caused by the withdrawal suspension. It also promised to compensate all affected users, claiming it has “solid capital reserves and a diversified portfolio” to do so.
Related: Lykke cryptocurrency exchange admits to hacking after withdrawal suspension
Christopher Locke
Some say he is a white hat hacker living in the black mining hills of the Dakotas and pretending to be a child crossing guard to get off the scent of the NSA. All we know is that Christopher Roark has a pathological desire to hunt down scammers and hackers.