Hack Archives | Protos
https://protos.com/tag/hack/
Informed crypto news. Feed last updated Fri, 13 Dec 2024 18:16:06 +0000.

‘Someone is trying to ruin my Friday’ says Gate.io CEO after hack rumors
https://protos.com/someone-is-trying-to-ruin-my-friday-says-gate-io-ceo-after-hack-rumors/
Published Fri, 13 Dec 2024 12:26:20 +0000

News that the Gate.io crypto exchange was hacked spread online this morning after a source that did "zero checking" shared the news.

The CEO of crypto exchange Gate.io says someone is trying to “ruin his Friday,” having rejected unverified rumors that the exchange had been breached and that user funds were at risk.

Reports of Gate.io’s hack were shared by X account Aggrnews, which claimed, “GATE RUMOURED TO HAVE BEEN HACKED, RECOMMENDED TO WITHDRAW: SOURCES.”

However, Gate.io’s CEO, Kevin Lee, denounced the claim, replying, “Deposits, withdrawals, and trading are all currently operating normally.”

He added, “Someone is trying to ruin my Friday. Stop the FUDs.”

Minutes later, the official Gate.io X account posted, “The security team has not detected any abnormalities, nor have any security agencies reported issues.”

Gate.io attempting to quash the rumor.

Read more: Bitcoin Lightning bug could jam and steal millions of dollars

The rumor seemingly originated from an account called NaniXBT, who admitted they “did zero checking” on a source that was ultimately a tipoff from their “homie.”

“If youre here about the gate hack i did zero checking on it btw homie pinged me and i just sent to a few gcs im in i got no other info,” NaniXBT said.

Aggrnews apparently saw NaniXBT’s story in his personal Telegram chat and published it online. Subsequently, a partner of Aggrnews, BWEnews, also shared it using an automated bot.

Got a tip? Send us an email or ProtonMail. For more informed news, follow us on X, Instagram, Bluesky, and Google News, or subscribe to our YouTube channel.

Bitcoin Lightning bug could jam and steal millions of dollars
https://protos.com/bitcoin-lightning-bug-could-jam-and-steal-millions-of-dollars/
Published Wed, 11 Dec 2024 18:55:38 +0000

A developer of Lightning and Core software for Bitcoin node operators is sounding an alarm about six- and seven-figure sums being at risk.

Bitcoin developer Antoine Riard has disclosed two new bugs that affect wealthy node operators within the Lightning Network, a payments protocol with over $500 million worth of BTC capacity.

The transaction jamming attack exploits the transaction selection, announcement, and propagation mechanisms of the Bitcoin Core software running on full nodes that back Lightning Network nodes.

Dubbed “transaction relay throughput overflow attacks,” the bugs allow an assailant to steal bitcoin (BTC) from the wealthiest Lightning nodes. Although there’s no evidence that a thief has actually exploited these bugs, Lightning implementation providers Éclair and Core Lightning are already working on software patches.

Specifically, the cost- and time-intensive attack is only worth the effort for victims with more than roughly $130,000 worth of BTC and is best suited for nodes holding above half a million dollars.

Bitcoin Lightning transaction relay throughput overflow attacks

The attack would enable a thief to steal funds from the victim’s Lightning channel by preventing time-sensitive transactions such as justice transactions from propagating through the network. After jamming the node for 32 Bitcoin blocks (Core Lightning defaults) or 140 blocks (Éclair defaults), the robber could make off with an irrevocable bounty.

In regular clock time, that would mean approximately 5.5 hours to steal from a default Core Lightning node or 24 hours for a node running Éclair default software.

By default, nodes limit the number of unconfirmed transactions they transmit or accept at any given time to reduce the chance of various denial-of-service (DoS) attacks. The attacker can conduct a high overflow jamming attack that blocks the victim from sending a justice transaction by continuously overwhelming the node with high-fee-rate transactions.

By default, a Bitcoin Core node will always choose to propagate the highest-fee transactions first and queue lower-fee transactions — even if one of those lower-fee transactions is the node’s own Lightning Network justice transaction.

This is one bug that Core Lightning and Éclair are patching, thanks to Riard’s responsible disclosure.

Again, the high overflow jamming attack blocks the victim from sending an anti-theft transaction by continuously overbidding with higher fee transactions, hence the name “high overflow.”

For this reason, the attack is expensive — with initial estimates north of $130,000 in fees over the hours of the attack.

In addition to this high overflow jamming attack, Riard explained another variation of the transaction jamming bug: low overflow.

A variation with thousands of low-fee transactions

The low overflow attack is a cheaper but less reliable variant. Here, to save money, the attacker targets a victim that is trying to send a transaction to peers whose queue of unrequested transaction announcements is capped at 5,000 per peer.

The attacker floods the victim with a large number of transactions paying the minimum fee rate. The victim then announces these transactions to its peers, and the peers try to drain the queue by requesting those transactions. If the attacker can keep the queue above 5,000 transactions, the attack might succeed.

Technically speaking, the low overflow attack leverages Lightning nodes’ interaction with Bitcoin Core’s MAX_PEER_TX_ANNOUNCEMENTS default, causing inbound transactions to overflow this threshold.

Read more: New Bitcoin Lightning Network bug: Unattributed payment routing

Patching the bug

Riard proposed several mitigations for Lightning Network node software implementations. These providers are working on patches, including random transaction rebroadcasting, more aggressive fee-rebroadcasting, limitation of identical finality time-sensitive transactions, and over-provisioning of transaction relay throughput with peer nodes.

He also proposed changes to Bitcoin Core itself to assist Lightning Network operators. However, changes to Bitcoin Core typically take far longer and need more reviews than Lightning software implementations.

Riard’s Common Vulnerabilities and Exposures (CVE) request number 178025 is tracking patches for his high and low transaction relay throughput overflow attacks.

UpOnly hacker claims they ‘made six figures’ using Cobie’s likeness
https://protos.com/uponly-hacker-claims-they-made-six-figures-using-cobies-likeness/
Published Wed, 11 Dec 2024 13:13:29 +0000

The X account of the crypto podcast UpOnly was hacked yesterday before posting a fraudulent token using its brand name.

Hackers took over the X account of the crypto podcast UpOnly yesterday and posted a fraudulent token using the brand’s likeness.

UpOnly host Brian Krogsgard, otherwise known as Ledger, said that he noticed that the account wasn’t under his control when he got home at 2:00 am GMT. Unfortunately, the cause of the breach was a mystery to Ledger. He said that it was not a SIM swap incident.

“There is no token,” Krogsgard assured his followers. “UpOnly twitter account hacked (not sure how yet), they removed my only session from being logged in.”

Fellow co-host Jordan Fish, aka Cobie, unlocked his private X account briefly to warn users not to click on anything coming from the UpOnly podcast account. 

It seems the hacker changed the handle from @uponlyTV to @RanByLyoni and attempted to shill a fraudulent token as if it were an official UpOnly token.

These token posts are now deleted. All that remains is a handful of posts made by the hackers, bragging about making a six-figure sum off Cobie’s likeness. A request for Cobie to reach out to the hackers and “make a deal” has also been left up.

Some of the posts left up by the hacker after deleting the fraudulent token posts.

Read more: Questions Haliey Welch and the $HAWK team won’t answer

The new handle meant that the original @uponlyTV handle was free for the taking. As web3 security expert Plum noticed, it was quickly snagged by someone called “Rusty.” This new account is now suspended.

The hackers have claimed to be two X users, meth and Lyoni, who deny their involvement. Plum said, “IDK yet who IS behind the hack but both of them have contacted me and said it ain’t them 👌.” Plum also assured that they know who Rusty is and that the “name is safe.” 

UpOnly’s last livestream on YouTube was over two years ago. Since then, UpOnly hasn’t been particularly active. The pair have teased some sort of 2024 Europe tour with a live audience, but as the year comes to a close, it’s unlikely to happen.

Solana dev library web3.js compromised to steal private keys
https://protos.com/solana-dev-library-web3-js-compromised-to-steal-private-keys/
Published Wed, 04 Dec 2024 16:18:45 +0000

Solana’s web3.js library briefly contained two versions with malicious code that was able to steal private keys.

Solana’s web3.js library was compromised yesterday in a supply chain attack that published malicious package versions capable of stealing users’ private keys and draining their funds.

The attack was reported by Solana developer @trentdotsol and specifically affected versions 1.95.6 and 1.95.7 of the Solana web3.js library.

Since then, a wave of Solana-based developers have come out to confirm they are not impacted by the exploit. Unaffected firms include Solflare, Phantom Wallet, and Helium.

Solana’s web3.js is a JavaScript library accessible to developers wanting to build Solana-based apps. Reports suggest that maintainers of the library may have been targeted by a phishing campaign as attackers gained access to the “publish-access account.”

Read more: ‘Solana killer’ Sui does Solana things — goes offline for 2 hours

Through this account, the attackers introduced a private key stealer into the two versions of Solana’s web3.js library: an ‘addToQueue’ function that exfiltrated keys under the guise of Cloudflare headers. According to Solscan, the attackers stole close to $160,000.

Solana research firm Anza posted, “This is not an issue with the Solana protocol itself, but with a specific JavaScript client library.”

It stressed it “only appears to affect projects that directly handle private keys and that updated within the window of 3:20pm UTC and 8:25pm UTC on Tuesday, December 2, 2024.”

It claims the two malicious versions were “caught within hours and have since been unpublished,” and asked “all Solana app developers to upgrade to version 1.95.8. Developers pinned to `latest` should also upgrade to 1.95.8.”

XT exchange suspends withdrawals after reported $1.7 million hack
https://protos.com/xt-exchange-suspends-withdrawals-after-reported-1-7-million-hack/
Published Thu, 28 Nov 2024 11:42:18 +0000

The XT exchange initially said $1M was abnormally transferred, but crypto security analysts report XT has been hacked for $1.7M.

Dubai-based crypto exchange XT.com has suspended withdrawals after a hacker reportedly stole up to $1.7 million before converting it into ether (ETH).

A statement from XT this morning claims the exchange suffered an “abnormal transfer” of crypto from its platform wallet with the address 0xdb3ded7731c781224ec292e2163d9554c094fd7c.

“The amount involved in this incident is approximately 1 million USDT across 12 different currencies,” XT claimed.

However, the crypto security firm PeckShieldAlert reports that the exchange appears to have been hacked. It claims that the stolen funds were converted into 461.58 ETH, worth almost $1.7 million at the time of writing, and are sitting in an Ethereum address.

Read more: Hacked X and Insta accounts used for Pump Fun rug pulls

XT claims, “Our technical team is currently conducting an urgent investigation,” and noted it will release a “Merkel Tree Asset Proof System” in mid-December as a means of improving security and transparency.

It also stressed that the theft would not affect its users, as its reserves are 1.5x larger than the user assets it holds. “These assets are owned by the platform and will not in any way harm the interests of our customers or users,” the exchange added.

Three hours ago, XT said it had to suspend coin withdrawals because of a “wallet upgrade and maintenance.”

The exchange claims to have 7.8 million registered users. CoinGecko puts its 24-hour trading volume at almost $3.4 billion and claims it has almost $48 million in exchange reserves.

DeFi project Delta Prime hacked again — months after private key leak
https://protos.com/defi-project-delta-prime-hacked-again-months-after-private-key-leak/
Published Mon, 11 Nov 2024 12:24:12 +0000

DeFi application Delta Prime, which operates on the Arbitrum and Avalanche networks, suffered an estimated $4.5 million hack on Monday.

Decentralized finance (DeFi) application Delta Prime, which operates on the Arbitrum and Avalanche networks, suffered an estimated $4.5 million hack on Monday.

This is the second incident to hit the ‘yield farm’ in less than two months, bringing combined losses to approximately $10.5 million. The serial hacker responsible also looks to be a keen ‘farmer,’ putting $2 million to work on other platforms.

Blockchain security firm Peckshield suggested that Delta Prime “may want to take a look” at a suspicious transaction in which funds were sourced via a flash loan from the Balancer protocol.

Read more: DeFi app Delta Prime loses $6M after being warned of Lazarus mole

A follow-up post identified the loss as linked to “the lack of input validation in claiming possible rewards.”

The official Delta Prime response to the incident estimates losses at $4.5 million and states that “the protocol [is] paused on both chains, the risk is contained.” Meanwhile, the project’s most recent X (formerly Twitter) thread had been an explainer on reimbursement tokens for victims of the previous hack.

According to X user yieldsandmore, the address responsible for the attack is an “experienced serial exploiter.” They also appear to be a keen DeFi user.

On Arbitrum, two addresses were identified as holding the profits from the exploit, which total approximately $700,000. However, as Peckshield notes, on Avalanche, where the majority of the funds ($4.1 million) were stolen, the exploiter is using around $2 million of the spoils to farm rewards on two DeFi protocols, LFJ (formerly Trader Joe) and Stargate.

Today’s hack comes just under two months after Delta Prime confirmed having lost $6 million to a private key compromise. Prolific blockchain investigator ZachXBT had previously warned of North Korean infiltrators in a number of DeFi projects, Delta Prime included.

To combat the threat of state-sponsored hackers working as moles within DeFi teams, some teams have resorted to a simple (but apparently effective) screening process.

Read more: North Korean hackers posing as devs exposed with ‘I Hate Kim Jong Un’ test

According to Harrison Leggio, co-founder of token launchpad g8keep and known as Pop Punk on X, challenging potential hires to type “i hate kim jong un, fuck north korea” may be enough to scare them off.

Crypto exchange M2 reimburses victims after $14M Halloween hack
https://protos.com/crypto-exchange-m2-reimburses-victims-after-14m-halloween-hack/
Published Fri, 01 Nov 2024 12:39:18 +0000

M2 claims it resolved the hack, which ZachXBT reports involved the theft of $13.7 million, in just 16 minutes.

David O’Leary-endorsed crypto exchange M2 was hacked on Thursday with nearly $14 million being stolen from multiple hot wallets, according to crypto sleuth ZachXBT.

M2 confirmed that the hack took place at 3:16 AM (GMT+4) and that $13.7 million was stolen. It added in a security update that it tackled the incident within 16 minutes and that “the situation has been fully resolved and customer funds have been restored.”

The exchange has also contacted the police and relevant legal authorities, “to ensure this matter is dealt with thoroughly and appropriately.”

Read more: M2: Did Mr. Wonderful endorse the next FTX?

It said, “M2 has taken full responsibility for any potential losses, demonstrating our unwavering commitment to safeguarding our customers’ interests.” The security update also states M2’s services are up and running again with added controls in place.

The exchange launched in Abu Dhabi last November and was co-founded by Phoenix Group’s ‘Group CEO,’ Bijan Alizadeh Fard, and Stefan Kimmel, a former exec at the Commercial Bank of Dubai and Kraken MENA. This structure also links the firm to the UAE government’s head of military and police procurement.

TV personality O’Leary endorsed M2 last November, claiming it would be the largest regulated crypto exchange with billions of dollars in backing and that it would poach half of Binance’s accounts.

EigenLayer X hackers who likely stole $800K now posting dog pics
https://protos.com/eigenlayer-x-hackers-who-likely-stole-800k-now-posting-dog-pics/
Published Fri, 18 Oct 2024 13:15:23 +0000

The hacked EigenLayer X account likely caused the loss of $800,000 from one victim, according to security analysts.

Ethereum protocol EigenLayer has fallen victim to an X (formerly Twitter) hack that shared phishing links and very likely stole $800,000 from a single victim, according to security analysts.

The first phishing link, posted at 11:20 am, claimed that the “EIGEN stakedrop Phase 2 is now open” and that a supposed supply of EIGEN tokens would be distributed. This post has since been deleted.

However, several similar messages have been uploaded by the account, including a seven-part thread and a disclaimer warning that any posts beyond the final one might be phishing attempts.

The hackers even uploaded a picture of a dog wearing a flower headpiece to bait users into clicking the harmful links.

The cutesy dog pic hackers hope will tempt more victims into clicking.

Read more: Radiant Capital’s $50M crypto hack underlines DeFi’s multisig dependence

Security analyst Scam Sniffer claimed, “EigenLayer’s X account was compromised and posted phishing tweets,” and that the link may install malware, steal secret recovery phrases, and lead to fake MetaMask sites.

Scam Sniffer also noted that someone lost $800,000 worth of mETH after signing a permit phishing signature around the same time. “The victim very likely clicked the phishing tweet from EigenLayer,” it noted.

At the time of writing, the account is still sharing phishing links.

Radiant Capital’s $50M crypto hack underlines DeFi’s multisig dependence
https://protos.com/radiant-capitals-50m-crypto-hack-underlines-defis-multisig-dependence/
Published Thu, 17 Oct 2024 15:40:40 +0000

Funds stolen in the Radiant hack ($19M worth of BNB and $32M of ETH) are being held in attacker addresses on BNB Chain and Arbitrum.

Yesterday, lending platform Radiant Capital suffered a loss of over $50 million worth of crypto when the project’s multisig wallet was compromised.

The incident offers a stark reminder of the importance of key management in the industry, and the potential for damage when signer addresses are compromised.

According to blockchain security firm SlowMist, private keys to three of 11 addresses were compromised in order to “transfer ownership of the LendingPoolAddressesProvider contract to a malicious contract controlled by the attacker.” This was then used to drain lending markets on two networks: Arbitrum and BNB Chain.

Read more: Three DeFi hacks net $10 million in 48 hours despite ‘renaissance moment’

Crypto auditor Ancilia Inc. alerted the community, instructing users to revoke token approvals to the affected contracts, and adding updates as the losses mounted.

Unfortunately, the security experts were also reportedly duped into sharing a wallet drainer link from a spoofed account, ‘Radiarnt Capital.’

Radiant Capital’s official X (formerly Twitter) account acknowledged the incident approximately two hours later and confirmed the list of compromised contracts. In the meantime, regular marketing material was still being published, and screenshots emerged of a team member assuming users had fallen victim to a “phising” (sic) attack.

The stolen funds — $19 million and $32 million worth of BNB and ETH respectively — are currently held in attacker addresses on BNB Chain and Arbitrum. Radiant Capital previously lost $4.5 million to a well-known bug in January of this year.

Wider threat

The news underlined the decentralized finance (DeFi) sector’s reliance on multisig wallets to secure crypto worth billions of dollars.

L2BEAT researcher donnoh.eth pointed out the sheer scale of funds secured across the sector, with the threshold for each multisig displayed alongside the value held within.

Read more: Blast L2 hack prompts debate over centralization of Ethereum rollups

The figures show that just two compromised signatures could lead to losses of $676 million on Starknet. A total of $1.756 billion is secured by just three signatures apiece across Blast (by far the best value-per-key for potential hackers), Frax, Taiko, and Kinto.

Four-signature thresholds secure $1.197 billion in total between Linea, Metis, and Loopring. Finally, Mantle, with $1.44 billion, has the highest threshold, but with 13 possible signers come more opportunities for would-be spear phishing targets.

Multisig wallets are a common security feature for crypto users, especially projects that manage funds as a team or for making critical upgrades to their platforms. An established threshold of signatures is required to send transactions, with no single address able to do so alone.

Read more: DeFi app Delta Prime loses $6M after being warned of Lazarus mole

However, multisigs represent a ‘honeypot’ target for black hats, with extraordinarily large sums extracted on occasion.

In July, Indian crypto exchange WazirX lost $230 million after two signer addresses were compromised, and a further two were likely tricked into signing a malicious transaction. In March 2022, the now infamous Ronin Bridge attack saw over $600 million stolen, which went unnoticed for almost a week.

Russian hackers are using deepfake porn sites to steal crypto
https://protos.com/russian-hackers-are-using-ai-nudify-sites-to-steal-crypto/
Published Thu, 03 Oct 2024 15:17:39 +0000

Russian ransomware group Fin7 has created at least seven different AI-generated deepfake sites that create non-consensual nude images.

Russian hackers are using a network of AI-based ‘nudify’ sites to deliver malware capable of stealing crypto wallet login details.

As reported by 404 Media, cybersecurity researchers Silent Push discovered that Russian ransomware group Fin7 has created at least seven different AI-generated deepfake sites that create non-consensual nude images.

The sites steal crypto credentials and other sensitive data using the ‘RedLine’ and ‘Lumma’ malware families. Users are infected after downloading the supposed nudify software through a Dropbox link, or by applying for a free trial, which also prompts users to download the malware.

Read more: High treason charge for Russian man who ‘sent crypto to Ukraine’

According to Zach Edwards, a senior threat analyst for Silent Push, the nudify pivot targets “men with a decent amount who use other AI software or have crypto accounts.”

“There’s a specific type of audience who wants to be on the bleeding edge of creepy (while ignoring new laws around deepfakes), and who are proactively searching out deepfake AI nude software,” Edwards told 404 Media.

Russian hackers are in the spotlight this week after the US took enforcement action against crypto exchanges Cryptex and PM2BTC, as well as against a suspected money launderer for ransomware operators and a number of other criminal enterprises.

Video shared by the Investigative Committee of Russia detailing the raids.

On Wednesday, Russia announced that it arrested almost 100 people suspected of laundering on behalf of cybercriminals and hackers.
