Per the post-mortem, the still-anonymous attacker was able to breach a third-party software used by LocalBitcoins, but was quickly shut down. Interestingly, Vera claimed that six cases have been all but confirmed, contradicting the five incoming transactions on the suspicious address. This discrepancy wasn’t addressed, so it can be assumed that the hacker managed to siphon funds into another address.
@LocalBitcoins has apparently been compromised. Users are claiming its forums were redirecting them to a login page that was a phishing website.
— Francisco Memoria (@FranciscoMemor) January 26, 2019
The attack begins January 5th at 19:58:15 UTC. Days pass before anyone notices. The attacker dupes several exchanges in the process including Coinbase, Bitrue, and Gate.io. the attack is simple
- Make a deposit,
- make a withdrawal.
Attacker was having the hashpower to ensure that the transactions he wants to exist exist (deposit) and that the ones he’d rather be forgotten are (withdrawal).
Two addresses certainly involved in the attack possess over 53,000 ETC
A scary scheme by hackers recently successfully lifted Bitcoin from Electrum wallet owners to the tune of approximately $750,000.
The attackers added anywhere between 33 and 50 malicious servers to the Eletrum wallet network. When legitimate owners of Electrum Bitcoin wallets initiated a Bitcoin transaction after December 21, 2018, if the transaction was routed through a malicious server, the user received an error message surging the user to download a wallet app update coming from an unauthorized GitHub depository. Once they download the malicious update, the app asks the user for a two-factor authentication code, which is then used by the thief to steal the user’s funds and transfer the funds to the hacker’s Bitcoin address.
The attacks were reportedly successful because the server messages were delivered as rich-formatted texts, which made the popup alert look authentic and conveniently provided a link for users to click on to apply the update. Following discovery of the heist, Electrum reportedly updated the Electrum wallet app so the messages urging users to download the update no longer appear in rich HTML text. Still, one of the issues with cryptocurrency is the fact that it is not protected by the government and it is unclear what, if anything, these Electrum wallet users can do to get their stolen Bitcoin back.
Turkish investor called Kerem Albayrak, lost $170,000 because he lost his password and wallet recovery information.
“My wallet was newly transferred onto a Blockchain wallet created on the iMac after I had an incident with an offline wallet and got scared. I used an auto generate password by Apple with no iCloud to backup the keychain. When creating the assword, I took a screenshot on the iMac of the recovery phrase which is also now gone.”
Analysis still ongoing
“The negative balance was used in order to fully buyout every market the attackers felt like, they were able to sell without limitations and accumulated 15BTC of non-existent funds. Out of which they only managed to withdraw what he had in total – 8BTC.” from https://twitter.com/MapleChangeEx
Hackers were able to steal $60 million worth of company and user funds belonging to the Zaif Japanese cryptocurrency exchange. The breach occurred last week, but the company discovered the hack on Monday, September 17.
“Investigators are still gathering details, but Zaif said the hack took place on September 14, between 17:00 and 19:00 local time, when the attacker siphoned off three types of cryptocurrencies from the company’s “hot wallets.” [A “hot wallet” is a term used to describe a cryptocurrency addresses with light security measures where a cryptocurrency exchange keeps funds for immediate transactions, such as cryptocurrency-to-cryptocurrency or cryptocurrency-to-fiat (and vice versa) operations.] Zaif says the hacker stole Bitcoin, Bitcoin Cash, and MonaCoin from its hot wallet, all three worth 6.7 billion Japanese yen (roughly $59.67 million) when combined. Of the 6.7 billion stolen yen, 2.2 billion yen — 32 percent — were Zaif funds, while 4.5 billion yen were customer funds. Zaif plans to secure a 5 billion yen loan to pay back affected customers.“
EOSBet Dice, is run by a company named EOSBet Cassino. The app lets users bet EOS cryptocurrency as part of a classic dice game. The hacker operated by sending a transaction to the EOSBet main game account, which exploited a lack of proper parameter checks that allowed the hacker to trick the game into sending back fake earnings.
A wily hacker has scored a thousand dollar cryptocurrency jackpot – 24 times – by using their own code to tamper with a smart contract run by a betting company on the EOS blockchain.
Customers send a quantity of the EOS cryptocurrency over the network to DEOS smart contracts running Lotto, Blackjack or Roulette. A smart contract processes the bet, and if the customer wins, it sends them their winnings and their original stake. source
In a statement released on its Medium post on July 26, the company acknowledged the security breach, informing its customers that an unknown attacker managed to gain access to the account of the KICK smart contracts and the tokens of the KICKICO platform on last Thursday at around 9:04 (UTC).