Lazarus Archives | Protos
https://protos.com/tag/lazarus/
Informed crypto news
Wed, 18 Sep 2024 15:22:44 +0000

DeFi app Delta Prime loses $6M after being warned of Lazarus mole
https://protos.com/defi-app-delta-prime-loses-6m-after-being-warned-of-lazarus-mole/
Mon, 16 Sep 2024 13:22:33 +0000

The Delta Prime incident comes a month after ZachXBT alerted teams across the DeFi sector to their possible infiltration by Lazarus Group.

The post DeFi app Delta Prime loses $6M after being warned of Lazarus mole appeared first on Protos.


Delta Prime, a decentralized finance (DeFi) application on the Arbitrum and Avalanche blockchains, has been drained of $6 million due to a private key compromise of an administrator address.

The alarm was raised by security researcher Chaofan Shou, who also spotted last week’s draining of a recently launched token contract by a lightning-fast MEV bot. The loss was initially estimated to be $7 million before being revised down.

Read more: ‘Cryptographic performance art’ drains contract one block after launch 

According to Shou, the compromised admin address on Arbitrum was used to upgrade Delta Prime’s proxy contracts to a malicious contract which “can inflate the deposited amount of the hacker on all pools.”

The incident comes a month after pseudonymous blockchain investigator ZachXBT alerted teams across the DeFi sector to their possible infiltration by developers working for the Lazarus Group of North Korean state-sponsored hackers.

Commenting on the case, ZachXBT remarked that Delta Prime was “one of the teams with the DPRK IT workers I reached out to warn (was told they were all removed).”

Read more: A single malicious transaction led to $230M drained from WazirX

Delta Prime has acknowledged the loss, confirming the root cause to be a private key compromise.

The team states that the Avalanche deployment of the platform is safe and that it is currently conducting an investigation into the source of the breach. Users were also told that “the insurance pool will cover any potential losses where possible/necessary.”

Got a tip? Send us an email or ProtonMail. For more informed news, follow us on X, Instagram, Bluesky, and Google News, or subscribe to our YouTube channel.

A single malicious transaction led to $230M drained from WazirX
https://protos.com/a-single-malicious-transaction-led-to-230m-drained-from-wazirx/
Thu, 18 Jul 2024 13:26:33 +0000

The WazirX hacker — likely the Korean Lazarus Group — reportedly compromised authorized addresses directly or via social engineering.


Indian crypto exchange WazirX lost over $230 million worth of assets after addresses governing its multisig wallet were compromised.

Cyvers was the first to flag the outflows, identifying the compromise of WazirX’s Safe wallet by a Tornado Cash-funded attacker on the Ethereum network.

Read more: Hackers switching to centralized exchanges to fund crypto attacks

The alert was followed up by crypto sleuth ZachXBT, who shared the hacker’s primary address, later receiving a bounty for identifying a further funding source that came from an exchange with know-your-customer (KYC) procedures.

WazirX’s acknowledgment of the ‘security breach,’ posted approximately half an hour after the initial alert, states that to “ensure the safety of [customers’] assets, INR and crypto withdrawals will be temporarily paused.”

Safety in numbers?

The affected wallet is a Safe ‘multisig,’ a type of account that requires a specified threshold of authorized addresses in order to confirm transactions. This ostensibly makes multisigs more secure than a regular address controlled by a single private key.

However, in this case, a single malicious transaction was all that was needed to drain WazirX of $230 million worth of crypto assets.

The exploiter was able to pass the transaction either by compromising the authorized addresses directly or via the use of social engineering techniques on the signers.

After describing the incident as ‘Desi Mt. Gox,’ Polygon Network’s CISO, Mudit Gupta, posted a full analysis of the hack to X (formerly Twitter). He notes that two addresses were likely compromised, with a further two signatures needed to hit the multisig’s threshold for approving transactions.

Read more: Mt. Gox site down for 24 hours, creditors flag scam login emails 

Gupta highlights that “two signers were tricked into signing malicious transaction (sic) in the name of a normal USDT transfer.”

These two signatures were later used to modify the logic of the Safe multisig wallet, allowing the hacker’s own attack contract (deployed eight days ago) to automate token transfers, which sent the assets directly to the attacker’s address.

Laundering the loot

At the time of writing, the hacker’s primary address contains $136 million of ETH and other tokens, according to data from blockchain explorer Etherscan. 

Much of the stolen assets are gradually being moved on to additional addresses, where they are swapped for ETH. Some funds were also traced to exchanges ChangeNOW and Binance, according to Beosin, which tallied over 200 tokens that had been drained.

SHIB represented almost $100 million of the total loss. Around a third of this has been sold, resulting in a price drop of almost 10%, according to data from CoinMarketCap.

Based on the attack vector and funding/laundering patterns, Gupta, ZachXBT, and blockchain forensics firm Elliptic all suspect the hack was carried out by a team of North Korean hackers known as the Lazarus Group.

Read more: Axie co-founder hacked for $10M two years after $625M Ronin attack

Lazarus is suspected to be responsible for a seemingly endless stream of crypto hacks, including last year’s $41 million hack on crypto casino Stake and the $625 million hack of Axie’s Ronin Bridge in 2022.

Vitalik Buterin endorses one of North Korea’s favorite coin mixers, Railgun
https://protos.com/vitalik-buterin-endorses-one-of-north-koreas-favorite-coin-mixers-railgun/
Mon, 15 Apr 2024 18:56:29 +0000

Vitalik Buterin has endorsed the coin mixing anonymizer Railgun and sent over $300,000 to use the service himself.


Ethereum founder Vitalik Buterin has sent more than $300,000 to coin mixer Railgun, which has also been used by North Korea’s Lazarus Group.

Buterin has been using the service for months, albeit with smaller sums of money, and today he took a definitive stand in support of it and other coin anonymizing services.

In addition to sending 100 ETH through Railgun, he posted a defense of his actions, claiming “Privacy Is Normal” — a phrase borrowed from Zcash. Buterin defended Railgun in particular, claiming that its novel use of zero-knowledge proofs allows users to demonstrate the lawful origin of funds without doxxing transaction histories.

Railgun uses smart contracts to prove membership within ‘custom association sets’ to satisfy certain regulations.

Buterin has advocated for private transactions for years and has spoken positively about Zcash, Monero, privacy-preserving rollups, stealth addresses, and the cryptographic privacy of zero-knowledge succinct non-interactive arguments of knowledge (ZK-SNARKs).

Read more: US Treasury sanctions OTC traders for aiding Lazarus hackers

Coin mixers like Railgun attract bad actors

Financial opacity also attracts bad actors. One of the first use cases for cryptocurrency was facilitating illegal e-commerce via Silk Road. Similarly, Railgun’s privacy has attracted nefarious operators. These include Lazarus Group, the most notorious blockchain hacking group closely tied to North Korea and China.

Lazarus Group has been sanctioned by the US Treasury’s Office of Foreign Assets Control since September 13, 2019, and support for the group is illegal. Lazarus is a frequent user of Railgun.

Nevertheless, crypto’s wealthiest billionaire has unapologetically endorsed one of the tools that Lazarus Group uses. In his words, “privacy is normal,” and anyway, Railgun “makes it much harder for bad actors to join the pool.” 

Much harder for bad actors. How reassuring.

US Treasury sanctions OTC traders for aiding Lazarus hackers
https://protos.com/us-treasury-sanctions-otc-traders-for-aiding-lazarus-hackers/
Tue, 25 Apr 2023 12:03:21 +0000

Funds stolen in Lazarus attacks are reportedly used to help fund North Korea's ambition of obtaining a nuclear warhead.


The United States has sanctioned three people, including two over-the-counter (OTC) crypto traders, for aiding the North Korean hacking group Lazarus.

OTC trader Wu Huihui allegedly helped Lazarus Group convert stolen crypto into fiat. Also sanctioned was Cheng Hung Man, another trader based out of Hong Kong who allegedly used a network of shell companies to help remit the fiat currencies.

The third individual, Sim Hyon Sop, works for Korea Kwangson Banking Corp, a sanctioned entity. He reportedly contributed to the network of shell companies and bank accounts inside China that the North Korean state depends on.

Lazarus is allegedly responsible for a variety of crypto hacks, including the attack on Ronin Bridge, used by Axie Infinity. Funds stolen in Lazarus attacks are reportedly used to help fund North Korea’s ambition of obtaining a nuclear warhead and intercontinental missile capable of delivering it.

Read more: North Korean hackers could grind crypto games for weapons, experts warn

North Korea’s ability to target ‘DeFi’ services and use them as part of its laundering activities was also highlighted in the US Treasury’s recent ‘Illicit Finance Risk Assessment of Decentralized Finance.’ The report recommended more thorough anti-money laundering compliance enforced at companies interfacing with the cryptocurrency ecosystem.
