The Penny drops: $611 Million in cryptocurrencies stolen

[Arika]

Summary

Ever the headline of news articles the world over, cryptocurrency, is yet again in the news for large swaths of funds getting stolen.

 

Quotes

Quote

 Poly Network, a protocol for swapping cryptocurrency, including bitcoin, announced on Tuesday that it was hacked, resulting in the loss of $611 million. The hack is suspected to be the largest fraud in "decentralized finance," or DeFi, in history.

The network tweeted the news and urged exchanges to block all of the funds that were taken.

Quote

"We call on miners of affected blockchain and crypto exchanges to blacklist tokens coming from the above addresses," it tweeted, providing three addresses that it says the assets have been transferred to.

 

According to Cryptonews, $273 million in assets was taken in Ethereum tokens, $253 million in tokens on Binance Smart Chain and $85 million in U.S. Dollar Coin (USDC) tokens on the Polygon network.

 

and maybe my favourite quote from the article

 

Quote

"We will take legal actions and we urge the hackers to return the assets," Poly Network tweeted in a thread.

Yes because people who went through the trouble of stealing $611m worth of crypto is really going to just return it because you asked them nicely (see: begged)

 

Quote

The hack, according to The Block, forced O3, a trading pool that uses Poly Network to trade tokens among different blockchains, to suspend its cross-chain functionality.

Researchers suspect that the cause of the hack was a cryptography issue, which is rare in other instances of hacking. The attack on Poly Network may have been similar to the Anyswap exploit, an attack in July that saw $7.9 million stolen when a hacker reversed the private key.

 

My thoughts

I find it interesting that the released the wallet address of where the funds ended up, not quite sure what they think people are going to do with them, except hope that someone will try and hack the money back. For being lauded as "decentralized" and "safe" this sure happens lot.

 

is this going to stop people from using it and praising the block-chain? lol no. But don't kid yourself thinking that your money is protected because of the technology behind it.

 

There need to be vast improvements to security if cryptocurrency ever wants to be treated seriously.

 

Sources

https://www.newsweek.com/611-million-cryptocurrencies-stolen-massive-hack-1617999

[SavageNeo]

Well, im pretty sure they wont get it back. And even if they did, it wont be easy. thats the whole point right?

[Levent]

I too wonder what happens to all these stolen cryptos. BTC-E is no longer there to sell them off, you cant spend them on any legit business either.

Non paywall sources:

https://www.forbes.com/sites/jonathanponciano/2021/08/10/more-than-600-million-stolen-in-ethereum-and-other-cryptocurrencies-marking-one-of-cryptos-biggest-hacks-ever/

https://www.bbc.com/news/business-58163917

[Arika]

2 minutes ago, Levent said:

 

Non paywall sources:

 

is my link paywalled?

[Levent]

3 minutes ago, Arika S said:

is my link paywalled?

Oops my bad, I guess newsweek wasnt one of those, ill remove it off my ublock list.

[CarlBar]

27 minutes ago, Arika S said:

For being lauded as "decentralized" and "safe" this sure happens lot.

 

This is like complaining a super secure OS thats supposed to be hard to hack i hacked by someone who got their hands on genuine administrator privileges and messed with it from the server room.

 

Someone is allways going to need a high level of access on occasion and if that gets accessed by malicious types all the fancy security features in the world won't save you.

[leadeater]

31 minutes ago, Arika S said:

Yes because people who went through the trouble of stealing $611m worth of crypto is really going to just return it because you asked them nicely (see: begged)

But they asked nicely, that's enough isn't it?

[leadeater]

7 minutes ago, CarlBar said:

This is like complaining a super secure OS thats supposed to be hard to hack i hacked by someone who got their hands on genuine administrator privileges and messed with it from the server room.

 

Someone is allways going to need a high level of access on occasion and if that gets accessed by malicious types all the fancy security features in the world won't save you.

Well yes but also "I don't know about that Chief". Outside of clerical errors putting incorrect values in to transfers how many bank computer systems have been hacked and money stolen? Additional question, of that how many times has the money not been able to be retrieved?

[CarlBar]

1 minute ago, James Evens said:

No.

This is like running a datacenter worth of clients and get the admin account hacked which control all of them while calling it decentralized. Guess everybody would lough about you but with crypto people agree it is decentralized.

 

the production and maintenance of the blockchain is decentralised, no one's ever claimed the exchanges are.

[Arika]

1 hour ago, CarlBar said:

 

the production and maintenance of the blockchain is decentralised, no one's ever claimed the exchanges are.

 

 

1 weak link in the (block)chain and the whole thing crumbles. doesn't matter where the problem lies, if it's part of it, it needs to be fixed.

[MageTank]

4 hours ago, leadeater said:

Well yes but also "I don't know about that Chief". Outside of clerical errors putting incorrect values in to transfers how many bank computer systems have been hacked and money stolen? Additional question, of that how many times has the money not been able to be retrieved?

According to every bank heist movie ever, all of them?

 

"I'm bypassing the mainframe, converting the IP to hexadecimal... IM IN"

[mr moose]

1 hour ago, Arika S said:

 

 

1 weak link in the (block)chain and the whole thing crumbles. doesn't matter where the problem lies, if it's part of it, it needs to be fixed.

I think one of the problems with "decentralized" currency is that everyone thinks decentralized = safer/better/secure/non-corruptible.   But when you have something with no central control (non fiat currency for example) you have many rogue players all with equal access to the core functions of the currency. Sure you can't manipulate a transaction, but that seems to be about the only benefit.   

[Heliian]

 

So, if the coins get "blacklisted" then there will be less in the pool.  Less in the pool means that the price would increase across the board.  The exchange can then make more money from their "misfortune".  

 

Sorry to the peoples who lost their money in this though.

 

The Taliban is for sure making a good chunk off of this crap these days though. 

[Kisai]

Update:

https://www.cnbc.com/2021/08/11/cryptocurrency-theft-hackers-steal-600-million-in-poly-network-hack.html

 

Quote

Hackers have returned nearly half of the $600 million they stole in what’s likely to be one of the biggest cryptocurrency thefts ever.

 

[DDO]

Quote

Yes because people who went through the trouble of stealing $611m worth of crypto is really going to just return it because you asked them nicely (see: begged)

 How did you know?

[DDO]

Sutor, ne ultra crepidam. 

[Quinnell]

24 minutes ago, Kisai said:

Update:

https://www.cnbc.com/2021/08/11/cryptocurrency-theft-hackers-steal-600-million-in-poly-network-hack.html

 

 

Wait, the hackers actually returned some of it???  That's bizarre.

[COTG]

44 minutes ago, Quinnell said:

Wait, the hackers actually returned some of it???  That's bizarre.

returning all of them,  because the vast majority of stables was frozen and his IP was potentially exposed 

[wanderingfool2]

1 hour ago, COTG said:

returning all of them,  because the vast majority of stables was frozen and his IP was potentially exposed 

My working guess though is that they made a deal to return it in exchange for money or something.  It would be an easier way to cash in on it (like returning all the crypto to get a few million, without having to launder the coins somehow).

[c00face]

13 hours ago, Arika S said:

Summary

Ever the headline of news articles the world over, cryptocurrency, is yet again in the news for large swaths of funds getting stolen.

 

Quotes

 

and maybe my favourite quote from the article

 

Yes because people who went through the trouble of stealing $611m worth of crypto is really going to just return it because you asked them nicely (see: begged)

 

 

My thoughts

I find it interesting that the released the wallet address of where the funds ended up, not quite sure what they think people are going to do with them, except hope that someone will try and hack the money back. For being lauded as "decentralized" and "safe" this sure happens lot.

 

is this going to stop people from using it and praising the block-chain? lol no. But don't kid yourself thinking that your money is protected because of the technology behind it.

 

There need to be vast improvements to security if cryptocurrency ever wants to be treated seriously.

 

Sources

https://www.newsweek.com/611-million-cryptocurrencies-stolen-massive-hack-1617999

Given my years in crypto, 98% it's the devs who stole it, or the devs in charge of the assets. It's usually always a team member. The runaway to all of this is, "We got hacked." That's how they can get away with the stolen fund. Usually happens during bear markets when they realize crypto will start crashing 90% - 98% and they want to secure the money for themselves before the big crash. You hardly see it during bullrun because they're just riding the wave before they pull the plug.

[Quinnell]

2 minutes ago, c00face said:

Given my years in crypto, 98% it's the devs who stole it, or the devs in charge of the assets. It's usually always a team member. The runaway to all of this is, "We got hacked." That's how they can get away with the stolen fund. Usually happens during bear markets when they realize crypto will start crashing 90% - 98% and they want to secure the money for themselves before the big crash. You hardly see it during bullrun because they're just riding the wave before they pull the plug.

This is a good reason to be wary of alt coins and especially memecoins.

[tikker]

Fun tidbit: the hacker did a "Q&A" on the blockchain as can be read on https://etherscan.io/tx/0x1fb7d1054df46c9734be76ccc14fa871b6729e33b98f9a3429670d27ec692bc0 (view more -> input data -> view as UTF-8; address matches the one mentioned in the tweet)

Quote

Q & A, PART ONE:

Q: WHY HACKING?
A: FOR FUN

Q: WHY POLY NETWORK?
A: CROSS CHAIN HACKING IS HOT

Q: WHY TRANSFERING TOKENS?
A: TO KEEP IT SAFE.

WHEN SPOTTING THE BUG, I HAD A MIXED FEELING. ASK YOURSELF WHAT TO DO HAD YOU FACING SO MUCH FORTUNE. ASKING THE PROJECT TEAM POLITELY SO THAT THEY CAN FIX IT? ANYONE COULD BE THE TRAITOR GIVEN ONE BILLION! I CAN TRUST NOBODY! THE ONLY SOLUTION I CAN COME UP WITH IS SAVING IT IN A _TRUSTED_ ACCOUNT WHILE KEEPING MYSELF _ANONYMOUS_ AND _SAFE_.

NOW EVERYONE SMELLS A SENSE OF CONSPIRACY. INSIDER? NOT ME, BUT WHO KNOWS? I TAKE THE RESPOSIBILITY TO EXPOSE THE VULNERABILITY BEFORE ANY INSIDERS HIDING AND EXPLOITING IT!

Q: WHY SO SOPHISTICATED?
A: THE POLY NETWORK IS DECENT SYSTEM. IT'S ONE OF THE MOST CHALLENGING ATTACKS THAT A HACKER CAN ENJOY. AND I HAD TO BE QUICK TO BEAT ANY INSIDERS OR HACKERS, I TOOK IT AS A BONUS CHALL

Q: ARE YOU EXPOSED?
A: NO. NEVER. I UNDERSTOOD THE RISK OF EXPOSING MYSELF EVEN IF I DON'T DO EVIL. SO I USED TEMPORARY EMAIL, IP OR _SO CALLED_ FINGERPRINT, WHICH WERE UNTRACABLE. I PREFER TO STAY IN THE DARK AND SAVE THE WORLD.

 

 

  

14 hours ago, Arika S said:

is this going to stop people from using it and praising the block-chain? lol no. But don't kid yourself thinking that your money is protected because of the technology behind it.

True. One should even consider it more risky, as it's completely your own responsibility with nobody backing you up. This is why it's so tricky to make this mainstream and why I think perhaps it should never be. You don't want people to have this level of control over their funds or, conversely, lack thereof.

 

I do think it's worth highlighting the other side of the coin: the hacker is instantly "known" due to the blockchain's public nature, so anything happening to and from this address can immediately be traced and flagged as suspicious.

[wanderingfool2]

11 hours ago, Arika S said:

 

 

1 weak link in the (block)chain and the whole thing crumbles. doesn't matter where the problem lies, if it's part of it, it needs to be fixed.

I would argue that the exchanges are a bit out of the scope of the cryptos.  In effect, cryto is like a transfer mechanism (where verification is done).

 

It's like saying TLS 1.3/https needs to be fixed because it doesn't prevent keylogging or server compromises.  That's not the point of it, so it's wrong to blame the mechanism...blame the companies involved, or the education of users not to keep crypto in companies that don't have established track records (or insurance that will cover you).

 

13 hours ago, leadeater said:

Outside of clerical errors putting incorrect values in to transfers how many bank computer systems have been hacked and money stolen?

Yea, sadly this is quite a frequent thing...actually there are also the accounts of people losing access to their bank accounts (drained) because the bank had someone come in to be claiming to be the account holder.  I've also had to do banking, with cash pickups from a business...had I wanted to I could have made off with millions just by knowing their procedures and their failure to check ID's at certain points (albeit it would be illegal, and I would never consider doing anything remotely like that, plus it would leave a massive trail).

 

Another story (unverified), was from my networking prof. while I attended school (he worked in network security).  He mentioned that a bank that he had accepted a consulting job for a bank that was using Windows 95 still.  This was back in like 2007 time, so they were running 5 year out of data systems at that point (sadly he didn't say which bank due to a NDA)

 

[BuckGup]

23 minutes ago, c00face said:

Given my years in crypto, 98% it's the devs who stole it, or the devs in charge of the assets. It's usually always a team member. The runaway to all of this is, "We got hacked." That's how they can get away with the stolen fund. Usually happens during bear markets when they realize crypto will start crashing 90% - 98% and they want to secure the money for themselves before the big crash. You hardly see it during bullrun because they're just riding the wave before they pull the plug.

Yup that's what happened with NiceHash. They actually paid back 100% of what was stolen though and that was upwards of $60 million I think

[leadeater]

1 hour ago, wanderingfool2 said:

Yea, sadly this is quite a frequent thing...actually there are also the accounts of people losing access to their bank accounts (drained) because the bank had someone come in to be claiming to be the account holder.  I've also had to do banking, with cash pickups from a business...had I wanted to I could have made off with millions just by knowing their procedures and their failure to check ID's at certain points (albeit it would be illegal, and I would never consider doing anything remotely like that, plus it would leave a massive trail).

What you describe are all clerical errors though, and lack of following required processes. Also remember banks have the power to forcibly take back money, so unless you've withdrawn to cash, which means you'll have police knocking on your door, recovery is millions times more likely than with crypto.

 

These should all be old problems anyway, unless your banks are horrifically stupid or incompetent. Here the humans have been removed from the chain and you cannot just call up or go in to a bank branch and claim to be somebody and gain access or do a money transfer, you will be directed to a computer terminal in the branch or to the ATM and told to do it there.

 

If you truly have lost access to your account then it's a real long and pain in the ass to prove you are who you are.

 

Because the real rub here, for all the times something has happened almost always the money is recovered. But I've still never heard of any cases of somebody actually gaining access to a banks computer system who was not already an employee or contractor who already had access.

 

Social engineering is not computer system hacking unless it results in you with access to the computer system.