
Editor's Note: This article comes from Chain News ChainNews (ID: chainnewscom), by Hugh Karp, Founder of Nexus Mutual, translated by Lu Jiangfei, published with permission.
Timeline and Background
At 9:40 AM UTC on Monday, December 14th, I was tricked into approving a transaction for a total of 370,000 NXM tokens. I thought the transaction was my own mining reward withdrawal, but it was in fact sent directly to the hacker, who then liquidated the stolen NXM tokens into Bitcoin and Ethereum and distributed the funds to different addresses and exchanges.
I was using a MetaMask wallet connected to a Ledger, interacting through the Nexus Mutual application, on a computer running Windows. The private key on the Ledger is currently safe, and the Nexus Mutual smart contracts and funds are not affected, so from the above it can be judged that this was only a personal attack.
In this targeted attack incident, here is what we know so far:

1. On Friday, December 11th at around 10:20 UTC, I was writing an email when the computer screen suddenly went black for 2-3 seconds, then came back on. At the time I thought the computer was just doing something odd, so I didn't pay much attention to it.
2. About an hour later, at around 11:20 UTC on Friday, December 11th, my disk was infected and the MetaMask wallet extension was replaced with a compromised version. For details, refer to the background.js file.
3. In fact, I did not make any cryptocurrency transactions through the MetaMask wallet extension until Monday, December 14th.
4. On Monday, December 14th at 9:40 AM UTC, I went to the Nexus Mutual app to withdraw some tokens from my mining rewards. As usual, MetaMask popped up a confirmation message for the withdrawal, which was not surprising, since every transaction pops up a confirmation, and everything looked normal. But the problem was that this confirmation carried a fraudulent transaction, which was passed on to the Ledger. As a result, I clicked "Confirm".
5. The transaction quickly appeared on the Ledger; I checked the transaction information and clicked "Approve". If I had checked the "recipient" address and the other transaction details at this point, I might have found the problem. However, since Ledger does not natively support NXM, the recipient and other relevant details were not displayed by default.
6. Then I got a notification from MetaMask that the transaction was done, but the Nexus Mutual app was still waiting for the transaction to confirm. At this point I realized something was wrong, checked Etherscan, and found that the funds had gone to the hacker's address.
Looking back, the mistake I made occurred in the fifth step above, and I should have been more careful when signing. It can be said that this hacking incident is entirely my own responsibility. But I want to point out that unless you are a person who is very familiar with crypto technology, it is difficult to carefully check the relevant information when transferring funds. After all, information in hexadecimal format is difficult to read. Personally, I have enough technical knowledge to understand what these messages mean, yet I still made a mistake, so ordinary users can easily stumble here.
In addition, I had been claiming cryptocurrency reward tokens from websites I trust, such as the Nexus Mutual app, because I thought the risk of transacting on the official platform was relatively low. But from this hacking incident I found that no matter how trustworthy the site is, and regardless of the transaction value, you must double-check the information before confirming every transaction.
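The point of the two paragraphs above is that the hex blob a signing prompt shows is only unreadable until it is decoded. As an added example, not code from the original post or from Nexus Mutual, the Python below decodes the calldata of an ERC-20 `transfer` or `approve` into the function name, counterparty and human-readable amount, and flags a counterparty that is not on a list of accounts you expect. The sample calldata is constructed here (a transfer of 370,000 NXM, 18 decimals, to the first Ethereum address listed later in the article), and the expected-counterparty list is a placeholder.

```python
# 4-byte selectors for the two ERC-20 calls a wallet prompt most often shows only as hex.
# Each is the first four bytes of keccak256 of the canonical function signature.
SELECTORS = {
    "a9059cbb": "transfer",  # transfer(address,uint256)
    "095ea7b3": "approve",   # approve(address,uint256)
}


def encode_erc20_call(function, counterparty, amount_raw):
    """ABI-encode a two-argument ERC-20 call. Used here only to build constructed sample input."""
    selector = {name: sel for sel, name in SELECTORS.items()}[function]
    addr = counterparty.lower()
    if addr.startswith("0x"):
        addr = addr[2:]
    # Each argument occupies a 32-byte (64 hex char) word; an address is right-aligned in its word.
    return "0x" + selector + addr.rjust(64, "0") + f"{amount_raw:064x}"


def decode_erc20_call(calldata, decimals=18):
    """Turn the hex blob a signing prompt shows into function, counterparty and readable amount."""
    data = calldata.lower()
    if data.startswith("0x"):
        data = data[2:]
    if len(data) != 8 + 64 + 64:
        raise ValueError("not a two-argument ERC-20 call (unexpected calldata length)")
    selector, addr_word, amount_word = data[:8], data[8:72], data[72:]
    if selector not in SELECTORS:
        raise ValueError(f"unknown selector 0x{selector}")
    # The high 12 bytes of an address word must be zero; anything else is not a plain address.
    if addr_word[:24] != "0" * 24:
        raise ValueError("malformed address word (non-zero padding)")
    amount_raw = int(amount_word, 16)
    whole, frac = divmod(amount_raw, 10 ** decimals)
    amount = f"{whole}.{frac:0{decimals}d}".rstrip("0").rstrip(".")
    return {
        "function": SELECTORS[selector],
        "counterparty": "0x" + addr_word[24:],
        "amount_raw": amount_raw,
        "amount": amount,
    }


def review(calldata, expected_counterparties, decimals=18):
    """Decode and flag: a transfer/approve to a counterparty you do not expect is a reason to reject."""
    decoded = decode_erc20_call(calldata, decimals)
    allowed = {a.lower() for a in expected_counterparties}
    decoded["counterparty_expected"] = decoded["counterparty"] in allowed
    return decoded


# Placeholder allowlist: in practice, your own accounts and the contracts you intend to interact with.
EXPECTED = ["0x0000000000000000000000000000000000000001"]

# Constructed sample: 370,000 NXM sent to the first hacker address listed in the article.
SAMPLE_CALLDATA = encode_erc20_call(
    "transfer", "0xad6a4ace6dcc21c93ca9dbc8a21c7d3a726c1fb1", 370_000 * 10**18
)

if __name__ == "__main__":
    result = review(SAMPLE_CALLDATA, EXPECTED)
    print(result)
```

The decode is only as trustworthy as the bytes fed into it: an extension that has been replaced on disk can show one payload in its pop-up and hand another to the hardware wallet, so the calldata to check is what the hardware wallet itself displays (or what an independent tool reads from the pending request), not what the compromised extension reports.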
Now, I plan to start investigating this hack and trace the funds with the help of the community, thank you for your support! Here, I would like to thank many people for their support, especially Sergej Kunz, Julien Bouteloup, Harry Sniko, Richard Chen, Banteg, and some others whose names I am not comfortable to disclose at this time.
Summary of Findings
In the past, most MetaMask hacks involved tricking users into downloading a fake version of the program that contained malicious code and then stole the users' private keys. This time the situation is different: my computer was compromised and the MetaMask extension on disk had been tampered with, which meant no warning would appear when there was a problem with the browser extension.
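One defensive measure against the on-disk tampering described above is to keep a hash baseline of the installed extension's files and compare against it. The following Python is an added example, not MetaMask's or the author's code; the extension directory, file names and contents are constructed in a temporary folder purely for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare(baseline, current):
    """Report files that appeared, disappeared or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: take a baseline, then alter one file and add another, and detect both."""
    with tempfile.TemporaryDirectory() as tmp:
        ext = Path(tmp) / "extension"
        (ext / "scripts").mkdir(parents=True)
        (ext / "manifest.json").write_text('{"name": "wallet-extension", "version": "1.0.0"}\n')
        (ext / "scripts" / "background.js").write_text("// constructed placeholder for the background script\n")
        baseline = snapshot(ext)  # would normally be stored off the machine or signed

        # Simulate what a later check would see after the files on disk were modified.
        (ext / "scripts" / "background.js").write_text("// modified content\n")
        (ext / "scripts" / "injected.js").write_text("// new file\n")
        return compare(baseline, snapshot(ext))


if __name__ == "__main__":
    print(demo())
```

Two caveats: the baseline must live somewhere the attacker cannot reach (off the host, or signed), since malware with write access to the extension directory can rewrite a local baseline just as easily; and legitimate auto-updates also change every hash, so a drift report is a prompt to compare against the published package for that version rather than an alarm by itself.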
It is understood that this malicious extension's configuration was fetched from coinbene.team, and we traced some IP addresses associated with this domain name, as shown in the figure below:
This attack appears to be highly targeted, as the hackers did not take all the NXM tokens I might have held, so it appears they deployed a pre-prepared transaction payload just for me.
Below I will list the most relevant hacker addresses:
Ethereum:
0xad6a4ace6dcc21c93ca9dbc8a21c7d3a726c1fb1
0x03e89f2e1ebcea5d94c1b530f638cea3950c2e2b
0x09923e35f19687a524bbca7d42b92b6748534f25
0x0784051d5136a5ccb47ddb3a15243890f5268482
0x0adab45946372c2be1b94eead4b385210a8ebf0b
Bitcoin:
3DZTKLmxo56JXFEeDoKU8C4Xc37ZpNqEZN
Messaging (?) Channel:
0x756c4628e57f7e7f8a459ec2752968360cf4d1aa
What else do we not know?
First, I don't know how my computer was compromised.
Over the past week, I have spent a lot of time with experts from the antivirus provider Kaspersky on the infected computer, allowing a full diagnostic procedure, but nothing has come of it yet; the work is still in progress.
Who are the hackers?
From what we have seen so far, this hacker is very capable, which also suggests that attacks like this are likely to continue and affect more and more people. It can be said that this hacker is very talented and is likely one or more members of a large technical team. We had a brief conversation with the hacker on Telegram, and based on their transaction activity we believe they are in an Asian time zone.
The investigation is still ongoing, and if any information becomes available, we will share and publish it in a timely manner.
Lessons Learned
Some users who are more familiar with the DeFi industry never trust MetaMask at all. They even use a "clean" computer to run MetaMask; this device is used only to sign transactions and does nothing else.
MetaMask has indeed been the target of many hackers, so I have been very cautious about downloading programs only from legitimate sources, but even so, my computer was infected. If you want to limit such problems, you can try spreading funds across different accounts, which minimizes losses. Also, be sure to check the transaction on your hardware wallet before signing (easier said than done, especially when interacting with smart contracts).
So far we have had no open source intelligence about the hacker, but the hacker address has been flagged on Etherscan, and while this is an important step in the investigation, there is still much to be done.
What's next?
I know there are a lot of teams looking for the best transaction-signing solutions from both a user experience and a security perspective, but as a community we clearly have a long way to go in this regard. I can't recommend a specific solution, but I will take a portion of the funds recovered and donate it as a bounty to support user experience and security improvements.
We will announce the details of the bounty in the future. We believe that doing so will encourage more people to develop personal wallet security solutions and promote technological progress.
An Open Letter to Hackers