Poulter Hit in Flash Credit Attack, Man Gets 24 Years for Fraud: Crypto-Sec

Crypto-Sec is Cointelegraph's bi-weekly collection of crypto and cybersecurity stories and tips.

Poulter Finance has launched a “classic” flash loan attack

Fantom-based decentralized finance (Diffi) protocol Polter Finance took out more than $7 million in a “classic” flash loan attack on Nov. 18, according to blockchain analyst Nick Franklin.

The attacker artificially inflated the value of SpookySwap's management token BOO by “borrowing almost all BOO tokens from LP.” [the liquidity pool]He said. Once the price is high enough, the attacker is able to “place 1 BOO and drain all the pools.”

Data obtained by Blocksec Falcon confirms that there were only 269,042.22851562786 tokens in the liquid pool before the attack.

The attacker then borrowed 269,042.22851562785 BOO tokens ($1.3 million based on the BOO price at the time) with a flash loan, leaving only 0.000000000001 tokens.

Since the value of a token in a decentralized exchange is determined by the ratio between it and the traded token, this must have caused the price of BOO to rise.

The attacker then deposited one BOO token and proceeded to borrow $9.1 million worth of Flocked Phantom (FTM) tokens, earning $7.8 million in the process.

The attacker then repeated the attack to find other tokens including Magic Internet Money (MIM), sFTMX, Axelar USDC (axlUSDC), Bitcoin (BTC), Ether (ETH) and USD Coin (USDC). Some estimates put the attack at a total cost of $12 million.

Related: Crypto Lender Polter Finance Suspends Operations After $12M Hack

Franklin didn't guess how the raider was able to recover enough BOO to pay off the flash loan. However, one possible explanation is that they bought from another liquid pool at a much lower price.

As the value of these tokens can often be easily manipulated, Diffie users should consider the risks of depositing into platforms with low liquidity tokens.

The founder of Poulter Financial, known as Ghost, has filed a police report on the incident and is trying to negotiate with the attacker.

CoinPoker was hit by a hot wallet hack

Crypto poker platform CoiPoker was recently the victim of a private key hack, according to a report by blockchain analytics platform Syvers on November 18. The attacker made transactions on various networks including BNB Smart Chain, Ethereum and Polygon.

In the year On November 16, the poker platform tried to open negotiations with the attacker by posting a message to the Ethereum network.

“We are aware of activity involving stolen funds from wallet addresses [beginning with 0x3c17]” the message stated. “We want to establish a secure relationship to resolve this matter constructively. [ …] We are willing to discuss terms including a bonus for a safe return of the money.

Blockchain data shows that the attacker deposited most of the stolen funds into private mixer Tornado Cash, making it difficult to trace, potentially creating a weakness in the platform's bargaining chip.

Web3 users should be aware that if a centralized gaming platform is hacked and loses customer deposits, they may lose their money. Fortunately, CoinPoker seems to be resistant to this particular attack, as withdrawals seem to be working normally now.

24-year-old man admitted to bank-fraudulent crypto fraud

An Elkhart man has been sentenced to 24 years in prison in connection with the failed Heartland Tri-State Bank crypto scam, according to a Nov. 5 report from U.K. tech news site The Record. The mastermind of this fraud is still not caught by the authorities.

According to the report, 53-year-old Shane Haynes was the CEO of Heartland Tri-State Bank at the time when he contacted the crypto scammer on WhatsApp in 2023.

The scammer allegedly convinced Hans to invest in a fake cryptocurrency investment scheme. But Hans didn't just contribute his own money. He embezzled funds from the Elkhart Church of Christ and the Santa Fe Investment Club.

In addition, Hans later started withdrawing money from the bank himself. More than $47 million was withdrawn from Heartland Tri-State Bank deposits and sent to this crypto scam, but the scam did not generate any real profits, and the money simply went into the pockets of the unnamed founder.

The bank's chief financial officer eventually informed the authorities of Hans's embezzlement. But at that time, the losses were so large that it exceeded the bank's capitalization, leading to bankruptcy.

In the year According to a July 2023 CNN report, the failed bank was first bailed out by the U.S. Federal Deposit Insurance Corporation and then bought and reopened by Dream First Bank of Syracuse.

According to the report, authorities were able to recover $8 million from Hans' wallet, but the remaining $39 million was lost forever.

Crypto investors may be skeptical of crypto investments that cannot be tracked on the blockchain through a public block browser. These types of “projects” often turn into fiction.