1inch website hacked via supply chain exploit on Lottie Player
The website of decentralized exchange aggregator 1inch has been hacked, along with other sites that use the same front-end component, Lottie Player.
The breach came from malicious code injected into Lottie Player, which is used by many dApps and non-crypto websites. No user wallets are said to have been compromised so far.
1inch users are warned against any interaction.
According to multiple posts on X (formerly Twitter), 1inch and TEN Finance have been victims of this attack so far. However, since the exploit targets Lottie Player versions 2.0.5 and above, the number could be much higher.
Hackers are said to be using these versions to inject malicious code into the websites' front-end JSON files. This code now allows compromised sites to conduct unauthorized transactions, posing a significant risk to users' property and data.
According to information from Blockaid, the attack began with a compromise of Lottie's content server, and a malicious npm package was used to distribute modified code. Blockaid and other security firms have confirmed that unauthorized scripts are being tracked in the package.
“Legitimate sites (non-crypto as well) are now serving malicious content including anti-malware evasion code. @LottieFiles, it looks like attackers managed to push malicious versions of your package, another version is now being uploaded,” wrote Blockaid in a post on X (formerly Twitter).
As of this writing, 1inch has not released any official statement about the breach. However, the Lottie team has confirmed that it has identified the cause of the breach and is working to remove the affected versions.
Users are strongly advised not to link wallets or interact with affected platforms until security issues are fully resolved.
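For site operators, one way to check whether a project's npm lockfile resolves to the Lottie Player versions named above (2.0.5 and above), including copies pulled in by other dependencies. This is an added example, not code from the article, Blockaid or LottieFiles; the npm name `@lottiefiles/lottie-player`, the helper names and the sample lockfiles are assumptions constructed for illustration.

```javascript
'use strict';
// Added example; names and sample lockfiles are constructed for illustration.
const PKG = '@lottiefiles/lottie-player'; // assumed npm name, not given in the article
const MIN_AFFECTED = '2.0.5';             // "versions 2.0.5 and above", as the article states

// Compare two x.y.z versions numerically; pre-release/build suffixes are ignored.
function cmp(a, b) {
  const pa = a.split(/[-+]/)[0].split('.').map(Number);
  const pb = b.split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Return every resolved copy of `pkg` at or above `min`, including copies nested
// under other dependencies. Non-semver versions (git URLs etc.) are reported too.
function findAffected(lock, pkg = PKG, min = MIN_AFFECTED) {
  const hits = [];
  const check = (where, version) => {
    if (!/^\d+\.\d+\.\d+/.test(String(version))) hits.push({ where, version, status: 'unparsed' });
    else if (cmp(version, min) >= 0) hits.push({ where, version, status: 'affected' });
  };
  if (lock.packages) {            // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === `node_modules/${pkg}` || path.endsWith(`/node_modules/${pkg}`)) check(path, meta.version);
    }
  } else {                        // lockfileVersion 1: nested "dependencies" tree
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        if (name === pkg) check(`${trail} > ${name}`, meta.version);
        walk(meta.dependencies, `${trail} > ${name}`);
      }
    };
    walk(lock.dependencies, 'root');
  }
  return hits;
}

// Constructed sample lockfiles (not real projects).
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  '': { name: 'demo-dapp' },
  'node_modules/@lottiefiles/lottie-player': { version: '2.0.4' },
  'node_modules/ui-kit/node_modules/@lottiefiles/lottie-player': { version: '2.0.5' },
} };
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  'ui-kit': { version: '1.0.0', dependencies: { '@lottiefiles/lottie-player': { version: '2.0.7' } } },
} };
console.log(findAffected(SAMPLE_V3), findAffected(SAMPLE_V1));
```

In a real project, pass the parsed contents of `package-lock.json`. A lockfile check only covers copies installed through npm, not pages that load the player from a content server through a script tag.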
Crypto hacking continues to escalate.
Security breaches are a major concern for the crypto industry, and malicious activities are growing every year.
Hackers reportedly stole $20 million worth of cryptocurrencies from the US government recently. The money is part of the $3.6 billion the feds seized from the Bitfinex hackers.
Blockchain lender Radiant Capital suffered one of the biggest data breaches this year, losing more than $50 million. The hackers took control of the organization's private keys and quickly depleted these assets.
However, the investigation and prosecution of these crimes continue. The FBI recently arrested the hacker of the SEC's X (formerly Twitter) account. The defendant is Eric Council Jr., 25, of Alabama.
Earlier this year, Council broke into the SEC's X account and released fake news about Bitcoin ETF approvals, which had a huge impact on the market. However, authorities believe Council is not the mastermind of this operation and are trying to negotiate a plea deal with him.
So far in 2024, crypto-hacking has surpassed $2.1 billion, with CeFi platforms enjoying the greatest success.