Cryptocurrency Opinion and Analysis

Bankroll is reportedly attacked and CoW laundering| Cointelegraph

2024.09.23 12:24


DeFi exploits: Bankroll is reportedly drained of $230,000

According to a Sept. 23 X post from blockchain security platform TenArmor, a hacker attacked the decentralized finance protocol Bankroll Network on Sept. 22, draining $230,000 from it.

TenArmor posted an image of the attack transactions. It shows numerous transfers of BNB from a BankrollNetworkStack contract to itself, each worth $9,679,645.51.

Two other transfers are for $9,435,877.94, one of which comes from a PancakeSwap exchange pool and is sent to an account ending in “47D7,” while the other comes from the “47D7” account and is sent to the BankrollNetworkStack contract. 

The difference between the self-transfers and the transfer to the account is $243,767.57, which is approximately equal to the $235,000 stated as the loss amount.

Given this information, the attacker may have exploited a vulnerability that allowed them to withdraw more than they deposited and used flash loans to make the initial deposit.

Bankroll Network attack transactions. (TenArmorAlert)

Blockchain data confirms that the transfers happened at 4:50 pm UTC on Sept. 22. Cointelegraph contacted the Bankroll Network team via Telegram but did not receive a response by the time of publication.

DeFi exploits are a frequent cause of losses to Web3 users. Users should carefully research a protocol’s security before using it. Protocols that are audited by reputable smart contract security firms are more likely to be secure, although this cannot 100% guarantee that vulnerabilities don’t exist.


Bankroll Network has not confirmed that this transaction is an exploit, and security researchers may report new information about it as their investigations continue. This is a developing story and may be updated over time.

Phish of the week: Phisher moved $250,000 through CoW

On Aug. 28, a phishing attacker who previously drained a crypto whale’s wallet of $55.4 million moved some of the stolen loot through the CoW decentralized finance protocol in an attempt to launder it, according to blockchain security platform PeckShield.

In the process, the attacker converted the stolen DAI stablecoin to ETH. The platform detected the transaction on Sept. 14 when the attacker transferred the ETH to a new address.

Tweet from PeckShield regarding whale phisher. (PeckShield)

When displayed on Etherscan, the alleged money laundering transaction is shown in a list of 33 individual trades that were performed as part of a “MoooZ1089603480” function call. The account labeled “Fake_Phishing442897” sent $260,000 worth of DAI stablecoin to CoW and received approximately 106.29 ETH in exchange.

Phishing attacker alleged money laundering transaction. (Etherscan)

The function was called by what appears to have been a third-party paymaster account or relayer. By having a third party call the function, the attacker may have hoped to fool analytics systems and prevent the funds from being traced; however, the strategy failed.

The alleged attacker received $3,000 worth of the DAI on the previous day, which they had obtained by swapping ETH through CoW. 

Going further back through time, they had originally received some of the ETH on Aug. 20. At that time, they received 3,879.58 ETH (approximately $10,000,000 based on the price of ETH at the time) from CoW, which they obtained by trading DAI for it. The ETH was then sent through several intermediate addresses before arriving at the address that was later detected by PeckShield’s system.


According to PeckShield, the funds can ultimately be traced back to a $55.4-million phishing attack against a large account or “whale.”

A phishing attack is a type of scam that involves tricking a person into giving away sensitive information or performing an action that the scammer desires. In the context of cryptocurrency, it usually involves tricking a user into authorizing token approvals. Once the victim makes these token approvals, the attacker uses them to drain the victim’s wallet.

Crypto users should inspect the addresses they interact with carefully. If a user accidentally approves a malicious contract to transfer their tokens, they can easily lose their funds to an attacker. This particular victim’s funds are being split between different wallets and swapped for other tokens in a seemingly endless attempt to evade analytics programs. If the attacker manages to confuse the programs well enough, they may even be able to safely transfer the funds to a centralized exchange and cash out, at which point the money will probably be lost forever.

Luckily, security firms have been able to track the funds so far, and there is still some hope that authorities may eventually be able to recover them.
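The approval step described above can be checked before signing. The following is an added example, not code from Cointelegraph or PeckShield: it decodes raw transaction calldata and flags ERC-20 `approve` and NFT `setApprovalForAll` calls that grant broad rights to a spender outside a user-maintained allowlist. The addresses and the allowlist are constructed for illustration.

```python
APPROVE = "095ea7b3"               # approve(address,uint256)
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool)
MAX_UINT256 = 2**256 - 1


def inspect_calldata(calldata, trusted_spenders=()):
    """Describe the approval encoded in `calldata`; None if it is not an approval."""
    data = calldata.lower()
    if data.startswith("0x"):
        data = data[2:]
    selector, args = data[:8], data[8:]
    if selector not in (APPROVE, SET_APPROVAL_FOR_ALL):
        return None
    if len(args) < 128:
        raise ValueError("truncated approval calldata")
    spender = "0x" + args[24:64]       # address = low 20 bytes of first word
    value = int(args[64:128], 16)      # amount (approve) or bool (setApprovalForAll)
    trusted = {s.lower() for s in trusted_spenders}

    warnings = []
    if value == 0:
        kind = "revocation"            # allowance set to 0 / operator removed
    elif selector == SET_APPROVAL_FOR_ALL:
        kind = "operator-for-all"
        warnings.append("grants control of every token in the collection")
    else:
        kind = "allowance"
        if value == MAX_UINT256:
            warnings.append("unlimited allowance")
    if value != 0 and spender not in trusted:
        warnings.append("spender is not on the allowlist")
    return {"kind": kind, "spender": spender, "value": value, "warnings": warnings}


def encode(selector, spender, value):
    """Build calldata for the constructed samples below."""
    return "0x" + selector + spender[2:].rjust(64, "0") + format(value, "064x")


# Constructed sample data: both addresses are made up for this example.
KNOWN_ROUTER = "0x" + "aa" * 20
UNKNOWN_SPENDER = "0x" + "bb" * 20
SAMPLES = [
    encode(APPROVE, KNOWN_ROUTER, 500 * 10**18),
    encode(APPROVE, UNKNOWN_SPENDER, MAX_UINT256),
    encode(SET_APPROVAL_FOR_ALL, UNKNOWN_SPENDER, 1),
    encode(APPROVE, UNKNOWN_SPENDER, 0),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(inspect_calldata(sample, trusted_spenders=[KNOWN_ROUTER]))
```

A wallet or signing proxy would run such a check on the `data` field of a pending transaction and refuse or prompt when the warnings list is non-empty.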

Malware corner: D-Link discloses Telnet vulnerabilities

Networking device manufacturer D-Link disclosed five vulnerabilities in some of its router models on Sept. 16, according to cybersecurity firm CyberRisk Alliance. These vulnerabilities could allow attackers to gain access to a user’s home network and, potentially, devices holding their crypto wallets.

The first two vulnerabilities, named CVE-2024-45695 and CVE-2024-45694, allow attackers to use a “stack-based overflow” to gain access to a router, at which point they can “execute arbitrary code on the device,” according to a report from cybersecurity firm CyberRisk Alliance. The first vulnerability only affects the DIR-X4860 and DIR-X5460 router models, whereas the second affects the DIR-X5460 alone.

The three other vulnerabilities affect the aforementioned DIR-X4860 as well as the discontinued COVR-X1870. These devices allow hardcoded credentials to be used to log in, as long as Telnet is enabled. 

Under normal circumstances, an attacker should not be able to activate Telnet on the device. However, the vulnerability identified as “CVE-2024-45697” allows an attacker to activate Telnet service on the device whenever the internet or WAN port is plugged into the modem. This means that the attacker can log in and start executing operating system (OS) commands.

The final two vulnerabilities, CVE-2024-45696 and CVE-2024-45698, also allow an attacker to use Telnet to log in and execute OS commands. With CVE-2024-45696, the attacker can send specific packets to “force” Telnet to become enabled, although this particular vulnerability can only be exploited by someone who already has access to the WiFi network the device is operating on. With CVE-2024-45698, the attacker can bypass user input validation in the Telnet service, allowing them to inject OS commands.

D-Link has urged its users to upgrade their devices to the latest firmware to protect themselves against any attacks stemming from these vulnerabilities.

Crypto wallet users should take extra care to ensure their home network is not vulnerable to an attack. Cybercriminals can use a home network breach to monitor a crypto user’s online behavior, which may then be used to plan further attacks that ultimately result in the loss of crypto funds.


Christopher Roark

Some say he’s a white hat hacker who lives in the black mining hills of Dakota and pretends to be a children’s crossing guard to throw the NSA off the scent. All we know is that Christopher Roark has a pathological desire to hunt down scammers and hackers.
