The founder of Nexus Mutual wrote: 370,000 NXM tokens were stolen by hackers like this


Hugh Karp, the founder of Nexus Mutual, personally describes how 370,000 NXM tokens were stolen from him and how the investigation is progressing.

Written by: Hugh Karp, founder of Nexus Mutual. Translation: Lu Jiangfei

Editor’s note: If there is further information update, the content of this article will be adjusted in due course.

Background

At 9:40 am UTC on Monday, December 14th, I was tricked into approving a transaction for a total of 370,000 NXM tokens. I originally thought the transaction was a claim of my own mining rewards, but in fact the tokens were sent directly to the hacker. The hacker then liquidated the stolen NXM into Bitcoin and Ethereum and distributed the funds to different addresses and exchanges.


I was using the MetaMask wallet connected to a Ledger hardware wallet to interact with the Nexus Mutual application, on a computer running Windows. The private key on the Ledger is still secure, and the Nexus Mutual smart contracts and funds are not affected, so this can be judged to have been a personal attack only.

Sequence of events so far

What we know so far about this targeted attack:

  1. At around 10:20 UTC on Friday, December 11th, I was writing an e-mail when the computer screen suddenly went black for 2-3 seconds and then quickly recovered. At the time I thought the computer was just behaving strangely, so I didn’t pay much attention.
  2. About an hour later, at around 11:20 UTC on Friday, December 11th, my disk was infected and the MetaMask wallet extension was replaced with a hacked version. For details, please refer to here and the background.js file.
  3. I did not actually use the MetaMask extension for any cryptocurrency transactions until Monday, December 14th.
  4. At 9:40 UTC on Monday, December 14th, I went to the Nexus Mutual application to withdraw some mining reward tokens. As usual, MetaMask popped up a confirmation for the withdrawal request, which is nothing unusual, since every transaction brings up a confirmation, and everything looked normal. The problem is that the confirmation contained a fraudulent transaction, which was sent to the Ledger. I clicked “Confirm”.
  5. The transaction soon appeared on the Ledger. I checked the transaction information and clicked “Approve”. If I had checked the “recipient” address and the other transaction details at this point I might have noticed the problem, but because Ledger did not directly support NXM, the transaction information did not show the recipient and related details by default, so they were not readable.
  6. Then I received a notification from MetaMask saying the transaction had completed, but the Nexus Mutual application was still waiting for the transaction to be confirmed. At this point I realized something was wrong, checked Etherscan, and found that the funds had been transferred to the hacker’s address.

Looking back, my mistake occurred at step 5 above; I should have been more careful when signing. It can be said that this theft is entirely my own responsibility. But I want to point out that unless you are familiar with cryptocurrency technology, it is difficult to check the relevant information carefully when transferring funds, since information in hexadecimal format is hard to read. I personally have enough technical knowledge to understand what the information means, and I still made a mistake, so it is easy for ordinary users to fall into this trap.

In addition, I had been claiming reward tokens from websites I trust, such as the Nexus Mutual app, because I assumed the transaction risk on an official platform would be relatively low. This incident showed me that regardless of whether the site is trusted, and regardless of the value of the transaction, the details must be checked carefully before confirming every transaction.

Now I plan to investigate this incident and track the funds with the help of the community. Thank you for your support! I would like to thank many people for their help, especially Sergej Kunz, Julien Bouteloup, Harry Sniko, Richard Chen, Banteg, and some whose names I cannot reveal yet.

Summary of investigation results

  • In the past, most MetaMask attacks tricked users into downloading fake versions of the program containing malicious code, which then stole the users’ private keys. This time is different: my computer was compromised and the MetaMask extension on disk was tampered with, which means there was no warning that something was wrong with the browser extension.
  • It is understood that the malicious extension configuration was fetched from coinbene.team, and we traced some IP addresses from this domain name, as shown in the figure below:

[Figure: IP addresses traced from the coinbene.team domain]

  • My browser had been put into developer mode, but I am not a developer, so this was probably done by the hacker.
  • We found other victims who had been attacked in the same way and contacted them.
  • This attack seems highly targeted, because the hacker did not take all the NXM tokens the victim might have had; the hacker seems to have deployed a transaction payload prepared specifically for me.

Below I list the most relevant hacker addresses:

Ethereum:

  • 0xad6a4ace6dcc21c93ca9dbc8a21c7d3a726c1fb1
  • 0x03e89f2e1ebcea5d94c1b530f638cea3950c2e2b
  • 0x09923e35f19687a524bbca7d42b92b6748534f25
  • 0x0784051d5136a5ccb47ddb3a15243890f5268482
  • 0x0adab45946372c2be1b94eead4b385210a8ebf0b

Bitcoin:

  • 3DZTKLmxo56JXFEeDoKU8C4Xc37ZpNqEZN

Messaging (?) Channel

  • 0x756c4628e57f7e7f8a459ec2752968360cf4d1aa

What do we still not know?

First, I don’t know how my computer was hacked.

Over the past week, experts from the anti-virus vendor Kaspersky and I spent a lot of time running a complete diagnostic procedure on the infected computer, but there are no results yet and this work is still in progress.

Who is the hacker?

From what we have seen, this hacker is very capable, which also suggests that attacks like this are likely to continue and affect more and more people. The hacker is clearly talented, probably one or more members of a large technical team. We had a brief conversation with the hacker on Telegram. Based on their trading activity, we believe the hacker is in an Asian time zone.

The investigation is still continuing. If there is any information available, we will share and release it in time.

Lessons learned

Some users who are more familiar with the DeFi industry never trust MetaMask; they even use a “clean” computer to run it, a device used only to sign transactions and for nothing else.

MetaMask is indeed the target of many attacks, so I have been careful to download programs only from official channels, but even so my computer was infected. To limit such problems, spread funds across different accounts as much as possible to minimize losses. In addition, be sure to check the transaction information on the hardware wallet before signing (easier said than done, especially when interacting with smart contracts).
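The check that step 5 of the sequence above and the lesson just stated both call for (compare the recipient and amount the hardware wallet is about to sign with what you actually intended) is what the following added example does. It is written for this article and is not code from the author, MetaMask, Ledger or Nexus Mutual. It decodes the raw calldata of an ERC-20 `transfer`, `approve` or `transferFrom` call, which is the hex a hardware wallet shows when it has no token definition, and flags any mismatch against the user's stated intent. The function selectors are the real ERC-20 ones; the token contract and wallet addresses are placeholders, the "attacker" address is the first Ethereum address listed in this article, and 18 decimals for NXM is an assumption.

```javascript
// Added example: decode ERC-20 calldata and compare it with the user's intent
// before approving a transaction on a hardware wallet. Not code from the
// original article or from any of the projects it mentions.

// Real ERC-20 function selectors (first 4 bytes of keccak256 of the signature).
const SELECTORS = {
  a9059cbb: { name: "transfer", params: ["address", "uint256"] },
  "095ea7b3": { name: "approve", params: ["address", "uint256"] },
  "23b872dd": { name: "transferFrom", params: ["address", "address", "uint256"] },
};

const ADDRESS_RE = /^0x[0-9a-f]{40}$/i;

// Encode one 32-byte ABI word (used only to construct the sample input below).
function encodeWord(type, value) {
  if (type === "address") {
    if (!ADDRESS_RE.test(value)) throw new Error(`bad address ${value}`);
    return value.slice(2).toLowerCase().padStart(64, "0");
  }
  const n = BigInt(value);
  if (n < 0n || n >= 1n << 256n) throw new Error("uint256 out of range");
  return n.toString(16).padStart(64, "0");
}

function encodeCall(name, args) {
  const [selector, spec] = Object.entries(SELECTORS).find(([, s]) => s.name === name);
  return "0x" + selector + spec.params.map((t, i) => encodeWord(t, args[i])).join("");
}

// Parse raw calldata into { name, args }; args are lowercase "0x…" addresses or BigInts.
function decodeErc20Calldata(data) {
  const hex = String(data).replace(/^0x/i, "").toLowerCase();
  if (!/^[0-9a-f]*$/.test(hex) || hex.length < 8) {
    return { ok: false, reason: "calldata is not valid hex or is too short" };
  }
  const spec = SELECTORS[hex.slice(0, 8)];
  if (!spec) return { ok: false, reason: `unknown selector 0x${hex.slice(0, 8)}` };
  const body = hex.slice(8);
  if (body.length !== spec.params.length * 64) {
    return { ok: false, reason: "argument length does not match the ABI" };
  }
  const args = spec.params.map((type, i) => {
    const word = body.slice(i * 64, (i + 1) * 64);
    if (type === "address") {
      // An address fills the low 20 bytes; non-zero padding means malformed input.
      return word.startsWith("0".repeat(24)) ? "0x" + word.slice(24) : null;
    }
    return BigInt("0x" + word);
  });
  if (args.includes(null)) return { ok: false, reason: "malformed address word" };
  return { ok: true, name: spec.name, args };
}

// intent = { token, action, recipient, maxAmount } with maxAmount a BigInt in
// the token's smallest unit. Returns the list of mismatches to show the user.
function checkBeforeSigning(tx, intent) {
  const problems = [];
  if (tx.to.toLowerCase() !== intent.token.toLowerCase()) {
    problems.push(`contract ${tx.to} is not the expected token ${intent.token}`);
  }
  const d = decodeErc20Calldata(tx.data);
  if (!d.ok) return { safe: false, problems: [...problems, d.reason] };
  if (d.name !== intent.action) problems.push(`call is ${d.name}, expected ${intent.action}`);
  // transfer/approve: counterparty is arg 0; transferFrom: arg 1 (arg 0 is the source).
  const recipient = d.name === "transferFrom" ? d.args[1] : d.args[0];
  if (recipient !== intent.recipient.toLowerCase()) {
    problems.push(`${d.name} targets ${recipient}, expected ${intent.recipient}`);
  }
  const amount = d.args[d.args.length - 1];
  if (amount > intent.maxAmount) problems.push(`amount ${amount} exceeds ${intent.maxAmount}`);
  return { safe: problems.length === 0, problems, decoded: d };
}

// Constructed sample: the user expects a transfer to their own wallet, but a
// tampered wallet substituted the attacker's address (first address in the article).
const TOKEN = "0x1111111111111111111111111111111111111111";    // placeholder token contract
const MY_WALLET = "0x2222222222222222222222222222222222222222"; // placeholder user address
const ATTACKER = "0xad6a4ace6dcc21c93ca9dbc8a21c7d3a726c1fb1";
const AMOUNT = 370000n * 10n ** 18n; // 370,000 tokens, assuming 18 decimals

const intent = { token: TOKEN, action: "transfer", recipient: MY_WALLET, maxAmount: AMOUNT };
const legitTx = { to: TOKEN, data: encodeCall("transfer", [MY_WALLET, AMOUNT]) };
const tamperedTx = { to: TOKEN, data: encodeCall("transfer", [ATTACKER, AMOUNT]) };

console.log(checkBeforeSigning(legitTx, intent).safe);        // true
console.log(checkBeforeSigning(tamperedTx, intent).problems); // recipient mismatch
```

The point of the design is that the intent is captured independently of the wallet UI: the recipient and amount come from what the user meant to do, not from the popup, so a wallet that has been replaced on disk cannot also rewrite the reference values it is being checked against.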

So far we have not obtained open-source intelligence about the hacker, but the hacker’s addresses have been flagged on Etherscan. Although this is an important step in the investigation, there is still much to do.

What’s next?

I know that many teams are looking for the best transaction options from both a user experience and a security perspective, but as a community we clearly have a long way to go. I can’t recommend other solutions, but I will take part of the funds raised and donate it as a bounty to support user experience and security improvements.

We will announce the details of the bounty in a follow-up, and we believe this can encourage more people to develop personal wallet security solutions and advance the technology.

Open letter to hackers

You used a very sophisticated technique, stealing funds not only from me but also large amounts from many others in the Ethereum community. I know you have sent part of the funds to the boss behind the scenes, so I have given up on getting the money back.

As you know, there are many white hat hackers in the Ethereum community who work anonymously. They earn rich rewards through bounties and become well known in the community for excellent work. Based on the skills you have demonstrated, I think you could become a white hat hacker, making money through legal means without sending ill-gotten gains to the boss behind the scenes.

I think you could make the most of the skills you have and earn some recognition from the cryptocurrency community for the right reasons.

Source link: medium.com