Nexus Mutual founder's handwritten note: 370,000 NXM tokens were stolen by hackers in this way
Author: Hugh Karp, Founder of Nexus Mutual
*Translator:* Lu Jiangfei
I. Timeline of Events
At 9:40 AM UTC on December 14, I was scammed into approving a transaction totaling 370,000 NXM tokens. I thought this transaction was my mining rewards, but it was sent directly to the hacker, who then liquidated the stolen NXM tokens for Bitcoin and Ethereum, subsequently dispersing these funds to different addresses and exchanges.
At the time, I was using a Metamask wallet connected to Ledger, interacting through the Nexus Mutual application, on a Windows operating system. The private keys on the Ledger are currently safe, and the Nexus Mutual smart contracts and funds were not affected, so it can be concluded that this was likely a personal attack.
II. Events So Far
In this targeted attack, we have gathered the following information:
1. Around 10:20 AM UTC on December 11, while I was writing an email, my computer screen went black for 2-3 seconds but quickly recovered. I thought it was just a strange occurrence and didn’t pay much attention.
2. About an hour later, around 11:20 AM UTC on December 11, my disk was infected, and the Metamask wallet extension was replaced with a hacker version. For detailed information, refer to this link and the background.js file.
3. In fact, I didn’t conduct any cryptocurrency transactions through the Metamask wallet extension until December 14.
4. At 9:40 AM UTC on December 14, I intended to withdraw some mining reward tokens from the Nexus Mutual application. As usual, MetaMask popped up a confirmation message for the withdrawal request, which was not unusual since a confirmation message appears for every transaction, and everything seemed normal. However, the problem was that this confirmation message contained a fraudulent transaction sent to Ledger. As a result, I clicked "Confirm."
5. The transaction quickly appeared on Ledger, and after checking the transaction details, I clicked "Approve." In reality, if I had checked the "recipient" address and other transaction details at this point, I might have discovered the issue. However, since Ledger does not directly support NXM, the transaction details did not include readable information such as the recipient.
6. Then, I received a notification from MetaMask informing me that the transaction was completed, but the Nexus Mutual application was still waiting for the transaction to be confirmed. At this point, I realized something was wrong and checked Etherscan, only to find that the money had been transferred to the hacker's address.
Looking back, my mistake occurred in step 5; I should have been more cautious during the transaction. It can be said that this hacking incident was entirely my responsibility. However, I want to point out that unless you are someone very familiar with cryptocurrency technology, it is difficult to carefully review the relevant information during a transfer, as hexadecimal format information is hard to read. Personally, I have enough technical knowledge and understand what this information represents, yet I still made a mistake, so it is easy for ordinary users to fall into this trap.
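The "hexadecimal information" a hardware wallet shows for a token transfer is ABI-encoded calldata: a 4-byte function selector followed by 32-byte words. The following added example (not code from the original post or from Nexus Mutual, MetaMask or Ledger) decodes the standard ERC-20 `transfer` and `approve` calls back into a readable recipient and amount and compares the recipient against an allowlist, which is the check step 5 above describes. The wallet and attacker addresses and the amount are constructed placeholders; the selectors `0xa9059cbb` and `0x095ea7b3` are the standard ERC-20 ones.

```python
"""Decode ERC-20 transfer/approve calldata before signing it.

Added example. The selectors are the standard ERC-20 ones (first 4 bytes of
keccak256 of the signature), hard-coded so no keccak library is needed. The
addresses and amount below are constructed placeholders, not incident data.
"""
from dataclasses import dataclass

SELECTORS = {
    "a9059cbb": "transfer(address,uint256)",
    "095ea7b3": "approve(address,uint256)",
}

# Constructed placeholders: an owner wallet and an address it never meant to pay.
MY_WALLET = "0x" + "11" * 20
OTHER_ADDRESS = "0x" + "22" * 20


@dataclass
class DecodedCall:
    function: str
    recipient: str  # the 'to' (transfer) or 'spender' (approve) argument
    amount: int     # raw token units, before applying decimals


def encode_transfer(to: str, amount: int) -> str:
    """Build transfer(address,uint256) calldata the way a wallet would."""
    addr_word = bytes.fromhex(to[2:]).rjust(32, b"\x00")   # address right-aligned in 32 bytes
    return "0x" + "a9059cbb" + addr_word.hex() + amount.to_bytes(32, "big").hex()


def decode_erc20_call(data: str) -> DecodedCall:
    """Parse selector + two 32-byte words; reject anything that is not a plain ERC-20 call."""
    raw = bytes.fromhex(data[2:] if data.startswith("0x") else data)
    if len(raw) != 4 + 32 + 32:
        raise ValueError(f"unexpected calldata length {len(raw)}")
    selector = raw[:4].hex()
    if selector not in SELECTORS:
        raise ValueError(f"unknown selector 0x{selector}")
    addr_word, amount_word = raw[4:36], raw[36:68]
    # ABI addresses occupy the low 20 bytes of their word; the high 12 bytes must be zero.
    if any(addr_word[:12]):
        raise ValueError("address word has non-zero padding")
    recipient = "0x" + addr_word[12:].hex()
    amount = int.from_bytes(amount_word, "big")
    return DecodedCall(SELECTORS[selector], recipient, amount)


def human_amount(raw: int, decimals: int = 18) -> str:
    """Render raw token units as a decimal string (NXM, like most tokens, uses 18 decimals)."""
    whole, frac = divmod(raw, 10 ** decimals)
    return f"{whole}.{frac:0{decimals}d}".rstrip("0").rstrip(".")


def check_before_signing(data: str, expected_recipients) -> tuple[bool, str]:
    """Return (safe_to_sign, human-readable summary) for one transaction's calldata."""
    call = decode_erc20_call(data)
    allowed = {a.lower() for a in expected_recipients}
    ok = call.recipient.lower() in allowed
    verdict = "OK" if ok else "MISMATCH - do not sign"
    summary = f"{call.function}: {human_amount(call.amount)} tokens -> {call.recipient} [{verdict}]"
    return ok, summary


if __name__ == "__main__":
    amount = 370_000 * 10 ** 18
    for target in (MY_WALLET, OTHER_ADDRESS):
        print(check_before_signing(encode_transfer(target, amount), [MY_WALLET])[1])
```

The allowlist is the important part: a reader who only eyeballs a 40-hex-character address under time pressure is in the situation the post describes, whereas comparing the decoded recipient against the handful of addresses you actually pay (your own wallets, known contract addresses) turns the check into a yes/no answer.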
Additionally, I had previously been obtaining cryptocurrency reward tokens from trusted websites, such as the Nexus Mutual APP, because I thought trading on official platforms would carry lower risks. However, this hacking incident has shown that regardless of whether a site is trustworthy or the value of the transaction, one must carefully check the information before confirming any transaction.
Now, I plan to initiate an investigation into this hacking incident and track the funds with the help of the community. Thank you all for your support! I would like to thank many people for their support, especially Sergej Kunz, Julien Bouteloup, Harry Sniko, Richard Chen, Banteg, and others whose names I cannot disclose at this time.
III. Summary of Investigation Results
- In the past, most MetaMask hacking incidents involved tricking users into downloading fake versions of programs containing malicious code, which then stole users' private keys. However, this case is different. My computer was compromised, and the MetaMask application on the disk was tampered with, meaning that there were no warning messages when the browser extension had issues.
- It is understood that this malicious extension configuration was obtained from coinbene.team, and we traced some IP addresses from this domain, as shown in the image below:
- My browser was in developer mode, but I am not a developer, so this operation was likely executed by the hacker.
- We found that other victims had also suffered similar attacks and reached out to them.
- This attack seems to be highly targeted, as the hacker did not take all the NXM tokens that the victim might have had, indicating that the hacker had likely deployed a pre-prepared transaction payload specifically for me.
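Because the tampering happened to the extension's files on disk, the browser raised no warning. One defender-side control for this is a file-hash manifest: record the hashes of a freshly installed extension, then periodically compare the on-disk tree against that baseline so that a replaced `background.js` or a dropped-in file shows up. The following added example (not code from the original post, MetaMask or Nexus Mutual) implements that check over a constructed directory layout; a real baseline would be taken from the extension directory of your own browser immediately after a clean install.

```python
"""Detect on-disk tampering of a browser extension via a SHA-256 file manifest.

Added example. The extension directory layout and file contents in demo() are
constructed to illustrate the check; they are not MetaMask's real files.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict[str, str]:
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def save_manifest(manifest: dict[str, str], path: Path) -> None:
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict[str, str]:
    return json.loads(path.read_text())


def diff_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every path as added, removed or modified relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: take a baseline, then simulate the background script being replaced."""
    with tempfile.TemporaryDirectory() as tmp:
        ext = Path(tmp) / "extension"
        (ext / "scripts").mkdir(parents=True)
        (ext / "manifest.json").write_text('{"name": "wallet-ext", "version": "1.0.0"}')
        (ext / "scripts" / "background.js").write_text("// legitimate background script\n")
        (ext / "scripts" / "ui.js").write_text("// ui code\n")

        baseline_file = Path(tmp) / "baseline.json"
        save_manifest(hash_tree(ext), baseline_file)   # taken right after a clean install

        # Simulate the tampering the article describes: background.js swapped
        # for another version, plus one extra file dropped into the tree.
        (ext / "scripts" / "background.js").write_text("// replaced by a tampered version\n")
        (ext / "scripts" / "injected.js").write_text("// file not present at install time\n")

        return diff_manifests(load_manifest(baseline_file), hash_tree(ext))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the baseline somewhere the compromised machine cannot silently rewrite (a separate device or a signed file), since an attacker who can replace the extension can also replace a manifest sitting next to it. The same comparison flags legitimate extension updates, so re-baseline after each update you installed yourself.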
Here are the most relevant hacker addresses:
Ethereum:
- 0xad6a4ace6dcc21c93ca9dbc8a21c7d3a726c1fb1
- 0x03e89f2e1ebcea5d94c1b530f638cea3950c2e2b
- 0x09923e35f19687a524bbca7d42b92b6748534f25
- 0x0784051d5136a5ccb47ddb3a15243890f5268482
- 0x0adab45946372c2be1b94eead4b385210a8ebf0b
Bitcoin:
- 3DZTKLmxo56JXFEeDoKU8C4Xc37ZpNqEZN
Messaging (?) Channel
- 0x756c4628e57f7e7f8a459ec2752968360cf4d1aa
IV. What Else Do We Not Know?
First, I do not know how my computer was compromised.
Over the past week, I have spent a lot of time with experts from the antivirus software provider Kaspersky running a complete diagnostic on the infected computer, but there have been no results yet, and this work is still ongoing.
Who is the hacker?
From what we can see now, this hacker is very skilled, but it also indicates that such attack incidents are likely to continue occurring and will affect more and more people. It can be said that this hacker is very talented and is likely a member of one or more large tech teams. We had a brief conversation with the hacker on Telegram, and based on their trading activities, we believe this hacker is in the Asian time zone.
The investigation is still ongoing, and we will share any available information in a timely manner.
V. Lessons Learned
Some users who are familiar with the DeFi industry are often distrustful of MetaMask; they even set up a "clean" computer specifically to run MetaMask, a device used solely for signing transactions and nothing else.
MetaMask is indeed a target for many hacking attacks, so I have always been very cautious about downloading programs from legitimate sources, but even so, my computer was still infected. If you want to avoid such issues, you can try to distribute your funds across different accounts to minimize losses. Additionally, always check the transaction information on your hardware wallet before signing (easier said than done, especially when interacting with smart contracts).
So far, we have not obtained any open-source intelligence about the hacker, but we have already marked the hacker's addresses on Etherscan. While this is an important step in the investigation, there are still many things to address afterward.
VI. What’s Next?
I know that many teams are looking for the best trading options from both user experience and security perspectives, but as a community, we clearly have a long way to go in this regard. I cannot recommend other solutions, but I will allocate a portion of the funds raised as a bounty to support user experience and security enhancement efforts.
We will announce the details of the bounty later, and I believe this will encourage more people to develop personal wallet security solutions and promote technological advancement.
VII. Open Letter to the Hacker
You used very sophisticated techniques to not only steal funds from me but also to rob many others in the Ethereum community. I know you have sent some of the funds to your backer, so I have given up on recovering this money.
As you know, there are many white hat hackers in the Ethereum community who work anonymously and earn substantial rewards through bounties, gaining fame for their outstanding work. Based on the skills you have demonstrated, I believe you could easily become one of the white hat hackers, allowing you to earn money legally without sending ill-gotten gains to your backer.
I think you can make full use of the skills you possess and gain some recognition from the cryptocurrency community for the right reasons.
Source link: medium.com