Munchables loses over $60 million to theft, and cryptocurrency security losses have exceeded $700 million this year
Author: flowie, ChainCatcher
Editor: Marco, ChainCatcher
In the early morning of March 27, the Blast ecosystem received bad news as its on-chain Web3 game platform Munchables announced it had suffered a serious attack, with over 17,400 ETH (approximately $62.3 million) stolen, marking one of the largest hacking incidents of 2024 so far.
Munchables is an award-winning project from Blast Big Bang. According to the crypto data platform RootData, Munchables recently announced the completion of a Pre-Seed round of financing co-led by Manifold and Mechanism Capital.
After the attack was disclosed, Munchables' TVL plummeted from $96 million to just over $34 million.
As of the time of publication, Blast founder Pacman stated that former Munchables developers have chosen to return the funds without any ransom required. However, Pacman also reminded all developers to learn from this incident.
Previously, on-chain detective ZachXBT indicated that the theft of Munchables may have been due to the hiring of North Korean hackers disguised as developers.
"The four different developers hired by the Munchables team are linked to the exploiters, and they are likely the same person. They recommended each other for jobs, regularly transferred funds to the same two exchange deposit addresses, and topped up each other's wallets."
According to an analysis by SlowMist founder Yu Xian, there have been numerous projects recently targeted by social engineering attacks besides Munchables. "SlowMist has encountered a second case of this kind of situation in DeFi projects, where core developers disguised themselves and gained the trust of the entire project team, striking mercilessly when the time was right. There are likely many victims."
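As an added illustration (not from the article, ZachXBT's investigation or SlowMist), the two on-chain signals described above, several contractors paying into the same exchange deposit address and contractors topping up each other's wallets, can be turned into a simple linkage check a project can run over its own contractor payout wallets. The contractor ids, wallet addresses and transfers below are constructed sample data.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample: the wallet each contractor asked to be paid into.
CONTRACTOR_WALLETS = {
    "dev_a": "0xA1", "dev_b": "0xB2", "dev_c": "0xC3", "dev_d": "0xD4",
}
# Constructed sample: outgoing transfers observed from those wallets (src, dst).
TRANSFERS = [
    ("0xA1", "0xEXCH1"), ("0xB2", "0xEXCH1"),  # A and B use one deposit address
    ("0xB2", "0xEXCH2"), ("0xC3", "0xEXCH2"),  # B and C share a second one
    ("0xA1", "0xC3"),                          # A tops up C's wallet directly
    ("0xD4", "0xEXCH9"),                       # D shows no link to the others
]


def link_contractors(wallets, transfers):
    """Cluster contractor ids whose wallets are linked by (1) paying into the
    same external address or (2) funding each other. Union-find over ids."""
    owner = {addr: dev for dev, addr in wallets.items()}
    parent = {dev: dev for dev in wallets}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    by_dest = defaultdict(set)
    for src, dst in transfers:
        if src not in owner:
            continue                      # not a contractor wallet, ignore
        if dst in owner:
            union(owner[src], owner[dst])  # rule 2: direct top-up
        else:
            by_dest[dst].add(owner[src])   # candidate for rule 1
    for devs in by_dest.values():          # rule 1: shared deposit address
        for a, b in combinations(sorted(devs), 2):
            union(a, b)
    clusters = defaultdict(set)
    for dev in wallets:
        clusters[find(dev)].add(dev)
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: (-len(c), c))


def suspicious_clusters(wallets, transfers, min_size=2):
    """Only clusters that tie two or more 'different' contractors together."""
    return [c for c in link_contractors(wallets, transfers) if len(c) >= min_size]
```

A cluster of size two or more is a prompt for an identity review, not proof that the accounts belong to one person, since legitimate colleagues may share an exchange.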
Abuse of Trust: A Common Attack Tactic of North Korean Hackers
Compared to technical vulnerability attacks, North Korean hackers opting for social engineering tactics may catch more crypto teams off guard.
Munchables is not the first project to have inadvertently hired a dangerous North Korean hacker. The hacker who attacked Munchables had also been briefly hired by the NFT game Aavegotchi. According to Aavegotchi founder CoderDan, "We felt he was a North Korean hacker, and we fired him within a month. He also tried to get us to hire another friend of his who was likely a hacker as well."
Jonwu, a staff member from the privacy protocol aztecnetwork, also publicly shared a bizarre experience of interviewing a North Korean hacker disguised as a South Korean.
In addition to infiltrating teams as employees to launch trust attacks, North Korean hackers are also skilled at initiating trust attacks as employers.
The notorious North Korean hacker group Lazarus Group, which was behind the over $600 million loss in the Ronin cross-chain bridge attack, frequently used fake recruitment as a lure in 2022 and 2023 to infiltrate target project systems and steal large sums of money.
For example, in the 2022 Ronin cross-chain bridge attack that resulted in over $600 million in losses, Lazarus Group registered a fake company and contacted employees of Axie Infinity and Ronin developer Sky Mavis through LinkedIn, embedding malware in a forged "Offer." After the employee downloaded the "Offer," the hacker infiltrated the Ronin system and obtained validator signatures.
In the 2023 attack where $37 million was stolen from CoinsPaid, Lazarus Group also made a CoinsPaid engineer believe they had secured an interview opportunity with Crypto.com, leading to the download of malware during a technical test, allowing the North Korean hacker to forge an authorization request to withdraw funds from CoinsPaid's hot wallet.
ChainCatcher previously analyzed in “The Hidden Hand Behind Security Incidents like Ronin and KuCoin: A Deep Dive into the North Korean Hacker Group Lazarus Group” that the most adept attack method of Lazarus Group is the abuse of trust, utilizing the target's trust in business communications, internal chats, or interactions with external parties to send malicious files and monitor their daily operations for theft opportunities.
After identifying crypto whales, attackers carefully observe user activity for weeks or months before devising a theft plan.
In January 2021, Google's security team also reported discovering that Lazarus had long been lurking on social media platforms like Twitter, LinkedIn, and Telegram, using fake identities to pose as active industry vulnerability researchers to gain trust and launch 0-day attacks against other vulnerability researchers.
Significant Increase in Blockchain Security Losses
As the bull market revives capital in the crypto market, losses from various blockchain security incidents have also surged.
According to statistics from blockchain security firm Beosin, the total losses from various security incidents have exceeded $700 million since the beginning of 2024.
In January 2024, the total loss from various security incidents caused by hacking, phishing scams, and Rug Pulls amounted to approximately $205 million, an increase of about 93% compared to December of the previous year. In February 2024, this figure rose by 105% compared to January.
In terms of hacking incidents, there have already been two attacks exceeding $100 million. On February 9 and February 12, the crypto gaming platform PlayDapp suffered two private key leak attacks, with attackers minting a total of 1.79 billion PLA tokens, valued at approximately $290 million.
On January 30, Ripple co-founder Chris Larsen claimed that his personal account was hacked for 213 million XRP, worth about $112 million.
Today, the Blast ecosystem's Web3 game platform Munchables was attacked, resulting in a loss of $62.3 million, making it the third-largest attack incident in terms of amount so far in 2024. Additionally, decentralized exchange FixedFloat, South Korean Web3 social music service SOMESING, and Axie Infinity co-founder Jihoz.ron have recently suffered losses in the tens of millions of dollars.
Compared to hacking incidents, the growth momentum of Rug Pull events is even more pronounced. In February 2024, Rug Pull incidents increased by approximately 440% compared to January. Among them, the abnormal outflow of $56.5 million from the hot wallet of Hong Kong exchange Bitforex is suspected to be a rug pull.
The CEO of the exchange has long since resigned, and the official site has stopped processing withdrawals and closed down, with the X account also ceasing updates.