$55M DeFi Saver phish, copy2pwn hijacks your clipboard: Crypto Sec


Crypto Scams, Hacks and Exploits and How to Avoid Them: Crypto-Sec

Phish of the Week: DeFi Saver User Loses $55 Million in DAI

A user of DeFi Saver, a decentralized financial management protocol, suffered a rare phishing attack on August 21. According to an X post from blockchain security firm Global Ledger, the attacker tricked a user into reassigning ownership of a DeFi Saver proxy contract.

The victim attempted to make a transaction shortly thereafter, but was unsuccessful. The attacker then changed ownership again and drained his smart contract wallet of all Dai (DAI) stablecoins, worth over $55 million in total.

Global Ledger posts about the DeFi Saver phishing attack on X.
(Global Ledger)

Blockchain data shows that the DAI originated from the victim's address, not the victim's address, indicating that the attacker must have used the victim's collateral to withdraw DAI instead of withdrawing directly from the victim's account.

The victim's smart contract wallet was marked “DSProxy #166,776” on Etherscan. On August 20, the account owner invoked the “Editor” function and listed the malicious phishing account as the new owner. The owner may have been tricked by a malicious web application into approving this transaction. It was a costly mistake, as the victim is now $55 million poorer.

Web3 users should carefully review contract addresses before approving transactions. Many protocols list their public contract addresses in their documentation, and users can check these addresses to ensure that what they are about to connect to is registered there. This can often save users from losing money due to phishing attacks, although no security method is 100% foolproof.
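A pre-signing check along these lines, as an added example that is not code from DeFi Saver, Global Ledger or the original article: it compares the destination with a hand-maintained list of documented addresses and warns when the calldata would change a contract's owner. All addresses are constructed placeholders, and the two selectors are the widely used `setOwner(address)` and `transferOwnership(address)` setters, chosen here as an assumption because the article does not give the function's signature.

```javascript
// Added example. All addresses are constructed placeholders, not real contracts.
// Contracts the user trusts: copied by hand from the protocol's documentation,
// plus the user's own smart contract wallet.
const TRUSTED_CONTRACTS = new Set([
  "0x1111111111111111111111111111111111111111", // documented protocol contract (placeholder)
  "0x2222222222222222222222222222222222222222", // user's own proxy wallet (placeholder)
]);
// Addresses the user controls and would accept as a contract owner.
const MY_ADDRESSES = new Set(["0x3333333333333333333333333333333333333333"]);

// 4-byte selectors of common one-argument ownership setters (assumed list).
const OWNERSHIP_SELECTORS = {
  "0x13af4035": "setOwner(address)",
  "0xf2fde38b": "transferOwnership(address)",
};

// Returns a list of warnings for a transaction request; empty means no finding.
function reviewTransaction(tx) {
  const warnings = [];
  const to = String(tx.to || "").toLowerCase();
  const data = String(tx.data || "0x").toLowerCase();

  if (!/^0x[0-9a-f]{40}$/.test(to)) {
    warnings.push("destination is not a well-formed address");
  } else if (!TRUSTED_CONTRACTS.has(to)) {
    warnings.push(`destination ${to} is not in the documented address list`);
  }

  const fn = OWNERSHIP_SELECTORS[data.slice(0, 10)];
  if (fn) {
    // Calldata layout: 4-byte selector, then one 32-byte word whose
    // low 20 bytes hold the address argument.
    const word = data.slice(10, 74);
    if (!/^[0-9a-f]{64}$/.test(word)) {
      warnings.push(`${fn} call has a malformed argument`);
    } else {
      const newOwner = "0x" + word.slice(24);
      if (!MY_ADDRESSES.has(newOwner)) {
        warnings.push(`${fn} would hand ownership to ${newOwner}, which you do not control`);
      }
    }
  }
  return warnings;
}
```

An ownership change on the user's own proxy passes the destination check, so the second test, on who the new owner is, is the one that would flag a request of the kind described above.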

DeFi Exploits: iVest Announces Shutdown After Losing $156,000

Decentralized finance (DeFi) protocol iVestDAO has announced that it will not reopen after suffering a $156,000 exploit. It had previously stated that the protocol would compensate investors and reopen later. However, an iVest Telegram administrator told Cointelegraph that it was shut down on August 15.

“Unfortunately, we are unable to continue the work, so we have closed the project and are recovering our money from our pockets,” the manager said, calling this development “a tragedy”.

In a public statement on the protocol's website, iVest said the group is “reimbursing our owners out of pocket.” However, the total amount of funds is “non-refundable and there is no method that can replace 100% of the group's personal funds.”

He said the group was “hurt and defeated” but “will pick up the pieces and move on with our lives”.

iVest was exploited by a “null address” donation attack on August 12.

Malware Corner: Copy2pwn Bypasses Windows SmartScreen

A new exploit called “copy2pwn” is being used by malware operators to bypass protections in Windows SmartScreen, according to a report from SecurityWeek. The vulnerability has been patched in the latest version of Windows, but some devices have not yet been updated and may still be at risk.

The exploit can be used to install malware, which can lead to the loss of private keys held in software wallets.

Copy2pwn is identified as CVE-2024-38213 and was reportedly discovered by Trend Micro's Zero Day Initiative. Windows uses the Web-based Distributed Authoring and Versioning (WebDAV) protocol, which is designed to allow users to easily share and edit Web-based content.

But cybercriminals have been able to bypass SmartScreen protections because content hosted on WebDAV shares did not receive the Mark of the Web.

According to reports, malware operators have been using copy2pwn to install DarkGate on users' devices. DarkGate is a sophisticated malware program that is difficult and efficient at stealing data, according to cybersecurity firm SOCRadar.

Crypto users who rely on Windows SmartScreen for malware protection should consider upgrading to the latest version of Windows as soon as possible.

Clipboard Hijacker Hits Hackathon Participant

Porter Adams, a software engineer at ZKsync network developer Matter Labs, encountered crypto-stealing malware in an unusual location on August 25: on a fellow hackathon participant's PC.

Adams posted a video of the reported incident on X.

Porter Adams posts about clipboard hacking malware on X.
Source: Porter Adams

The participant was trying to send Ether (ETH) to a specific address on the Sepolia test network. But Adams discovered that the man's device was infected with clipboard hacking software.

Whenever the user tries to copy and paste a crypto address, the malware pastes the malware developer's address instead, causing the user to send crypto to the wrong address and lose it forever.

Fortunately, the participant was using a testnet with ETH that had no real value. But if the participant had gone home and made real crypto transactions with this device, they could easily have lost all their money. “I rescued a hackathon participant from malware today,” Adams said in the post.

When cutting and pasting addresses, crypto users are advised to check the pasted address to make sure it is the same as the address they intend to copy. If it is found to be a different address, the device may be infected.

Christopher Roark

Some say he's a white-hat hacker who lives in the dark mining hills of Dakota and pretends to be a baby crossing guard to throw the NSA off his scent. All we know is that Christopher Roark has a pathological interest in hunting down fraudsters and hackers.
