Category: Security

Cyber Criminals Are Now Hiding Their Stolen Cryptos 13x Faster, Says Report

A new report unveiled a growing trend of cybercriminals hiding their stolen cryptocurrencies through different transaction flows. Crystal Blockchain pointed out that since 2019 the volume of stolen bitcoin has grown significantly. Only 8% of the Funds Were Transferred to Exchanges With Verification Procedures in 2020. Per the findings, in 2020, the firm said […]

Troubled NZ Crypto Exchange Cryptopia Suffers Another Hack in the Midst of Liquidation Process

Controversy still surrounds a New Zealand cryptocurrency exchange in liquidation, which was allegedly hacked again. Adding to the $30 million stolen in 2019, Cryptopia reports that it was the target of another theft incident on February 1, 2021. Hackers Accessed a Dormant Wallet Which Holds XSN Tokens. According to, the hackers took around NZD […]

Study: Top-Tier Cryptocurrency Exchanges Increased Their Market Share by 13% Since October 2020

A recent study found that top-tier, lower-risk cryptocurrency exchanges have increased their market share since October 2020. The bitcoin bull market drove both retail and professional traders toward such lower-risk venues, the data shows. Stricter Regulations Boosted Transparency Levels in Crypto Exchanges. Per information from crypto market data provider, top-tier crypto […]

US Government Expands Charges Against North Korean Hackers: Authorities Describe Them as The ‘World’s Leading Bank Robbers’

The U.S. Department of Justice (DOJ) unsealed new charges against the North Korean state-sponsored Lazarus Group. The hackers are allegedly responsible for stealing over $1.3 billion in cryptocurrencies and fiat during coordinated cyber-heists. North Korean Hackers Also Developed and Deployed Malicious Crypto Apps. According to the announcement, law enforcement expanded charges to Park Jin Hyok, […]

As faith in audits falters, the DeFi community ponders security alternatives

Can new code review models solve DeFi's audit problem?

As the attacks launched against popular decentralized finance (DeFi) protocols grow ever more complex, the efficacy of audits from major security companies has in turn come under scrutiny — and some members of the DeFi community have already begun building homegrown alternatives.

“I think that now, after all the hacks we’ve had, we basically understand that if you have two audits, three audits, it doesn’t mean you’re safe,” said the co-founder of DeFi Italy Emiliano Bonassi in an interview with Cointelegraph. “This does not mean that audits have no value in this moment, but they are not silver bullets.”

This new reality is what pushed Bonassi to form ReviewsDAO, a simple forum for connecting security experts with projects looking for an extra set of eyes. In the three days since its launch, ReviewsDAO has already attracted four volunteer reviewers (including Bonassi) and has matched two reviewers with a project.

Bonassi and ReviewsDAO aren't alone, either. Code 423n4 is another project aiming to jumpstart a security movement within the ecosystem, leveraging a gamified, experimental twist on bug bounties. Likewise Immunefi, a DeFi bounty platform that launched in December last year, is overhauling the security disclosure model by pushing for upwards of 10% of the vulnerable funds as a reward.

Immunefi’s model in particular has already made waves, successfully netting a whitehat a $1.5 million reward.

Three new projects emerging in just two months, each with its own incentive model — it’s an industry-wide effort that Stani Kulechov, founder of the DeFi lending platform Aave, believes will be key to the health and security of the space moving forward.

“Auditors are not here to guarantee the security of a protocol, merely they help to spot something that the team itself wasn't aware of. Eventually it's about peer review and we need to find as a community incentives to empower more security experts into the space.”

“No silver bullets”

Bonassi should be a familiar name to anyone who has followed the recent spate of exploits. The Italian developer is one of the half-dozen or so white-hat hackers who frequently convene in the wake of an attack to replicate the exploit and help projects patch the vulnerability.

Ask just about any DeFi founder about Bonassi and his fellow post-exploit “war room” whitehats, and they’ll be quick to sing their praises.

“The DeFi community is blessed to have whitehats such as Samczsun and Emiliano. Their efforts [...] make the space not only more secure but also highlight the narrative that there are a lot of people within our ecosystem who care for the success of the space,” said Kulechov.

While the whitehats’ response skills are widely appreciated, ReviewsDAO is in some ways an effort to cut back the frequency with which projects need them.

In Bonassi’s view, the tension between the needs of projects and the limited resources of auditing firms is weakening the security of the DeFi space writ large: auditors are always busy, but teams in the thick of the DeFi innovation race need to remain agile. While a project might want an audit of a few small changes, availability and cost often necessitate a larger order, leading to code “chunking.”

“Since they are not available, you usually prepare a bunch of stuff you want reviewed and ship it to them. The interaction is really, let’s say ‘snapshot-based,’ rather than having a continuous collaboration,” said Bonassi.

So, how to enable more frequent security reviews that better meet the needs of projects? Bonassi says he initially considered a Gitcoin grant for a whitehat group as a solution, but ultimately determined that such a model would be overly centralized and would not scale. None of his whitehat peers had insight into how to solve the problem either, so he opted for simplicity.

“If you don’t have any sort of idea, start from the basics: start a forum, let’s say a ‘market,’ where people can ask for reviews big or little, and also offer their expertise.”

He’s not aiming to replace audits and auditing companies entirely, Bonassi notes, and instead envisions the DAO as one that can help younger projects better prepare for an audit by providing “continuous review” and “liquid auditing.”

It’s a model that security expert Maurelian of OptimismPBC thinks leaves room for the big auditing firms, while acknowledging that other security solutions are needed as well.

“IMO there is real value to an audit by a high quality firm, and nothing else really serves as an 'alternative', but I also think there is an issue of over-reliance on audits to provide security,” he said. 

Bonassi also believes ReviewsDAO could eventually become a kind of auditing “University,” where people with specialized knowledge can branch into other areas and young developers can grow into fully-fledged auditors — both taking stock of and bolstering the developer resources across DeFi.

“My goal is also to map people and projects — having a transparent place where people can exchange information, help us to understand how many people who are, basically, from a security perspective good enough, are present in the ecosystem.”

Skin in the game

While it meets a clear market need, Bonassi says there are no current plans for monetization or a ReviewsDAO token.

“I think that initiatives like this one should be community goods,” he argues.

This effort to avoid capital incentives is more than just idealism. These new auditing projects are arising because the current model isn’t fully sustainable, says Bonassi: it is “transactional,” meaning auditors don’t have the skin in the game that a more fully engaged partner would. As a result, the entire DeFi landscape (which the auditors should ostensibly be securing) suffers.

“They’re not a relationship. It’s not a partnership,” Bonassi says.

Nonetheless, even public goods often have public funding, and it’s an open question whether developers, who are often overworked to begin with, will be willing to donate time at what Andre Cronje calls the “Emiliano Bonassi Rate”: no reward other than recognition.

Bonassi notes that several major DeFi protocol founders have offered grants, which have so far been turned down. He is determined to see whether developers are willing to give back to a space that has often given them so much, even when other, potentially lucrative options are available.

“What we really need in this ecosystem is more people who work on it — let’s say, someone may hate me but, less forks if they’re not adding value [...] I don’t want to end up in the ICO era. I don’t want to go back to 2017.”

Early returns on the effort are promising. Coverage/insurance protocol Cover was the first project to be matched with a reviewer via ReviewsDAO.

“It was great,” says Pumpkin, a core dev for Cover Protocol and Ruler Protocol. “I was one of the few Emiliano shared the idea with right before release. I loved it immediately as it is what I have been looking for (to get external code reviews more easily and quickly) [...] I am not sure what will come out from the review, but the forum is certainly working well as intended.”

Maurelian also believes there’s hope for the perhaps-idealistic model — and that it may be more transactional than it seems at first blush.

“You get what you give. So participating in a project like this is probably a good idea if you're planning to be in the space for the long haul,” he said.

Even if some developers donate time to curry future favor, Bonassi remains resolute in his vision that efforts to secure the ecosystem should come from a place of altruism and love.

“That’s the ideal we should push. And since we have a lot of money, and this industry has a lot of money, you’re not supposed to need bounties, you’re supposed to do it because you love this industry. This is a call-out to all the people that want to grow the ecosystem.”

Cream Iron Bank $36M Flash Loan Attack: Markets Re-Enabled While Asset Borrow Is Paused

Following the Cream Iron Bank flash loan attack, preliminary findings of a probe have shown that contracts and markets still function normally. As a result, markets have now been re-enabled while the asset borrowing function has been paused. The Cream team also reveals that investigations are continuing. The Exploit. After the exploit, the value of […]

Expert Warns Hackers Are Targeting Russian Government’s IT Infrastructure to Mine Cryptocurrencies

A state-affiliated cybersecurity expert warned about hackers exploiting the Russian government’s IT facilities to mine cryptocurrencies. The deputy director of the National Coordination Center for Computer Incidents believes such threat actors have been very active in recent times. Global Cybersecurity Landscape Remains ‘Tense’. According to TASS, Nikolai Murashov pointed out that hackers managed to inject […]

German Authorities Can’t Access Bitcoins Worth $65 Million ‘Seized’ From Hacker

German authorities have been unable to gain access to more than 1,700 bitcoins belonging to a convicted hacker, who kept silent about how to access his crypto stash while serving his prison sentence. German prosecutors in the Bavarian town of Kempten said Friday that they have been unable to gain access to more than 1,700 […]

International Operation Disrupts Ransomware Group Netwalker by Tracing Cryptos With the Help of Blockchain Analysis

In collaboration with Bulgarian authorities, the U.S. Department of Justice (DOJ) disrupted a well-known ransomware gang’s infrastructure. Law enforcement seized their servers and traced the illicit funds with the help of blockchain forensic analytics via Chainalysis. US Authorities Seized Over $454,000 Worth of Cryptocurrencies. Per the U.S. Department of Justice’s announcement, the coordinated action took […]

Study: 60% of Digital Asset Holders Store Funds on Exchanges While Half Derive an Income From Crypto

Despite the risks that come with storing crypto assets with third parties, the findings of a new study suggest many cryptocurrency holders still trust exchanges with the safekeeping of their funds. Conducted by Binance Research, the study finds that 60% of “the general population store their cryptocurrencies on an exchange.” In contrast, 26% of the […]

Former UK Cyber Intelligence Official Pushes for Law Change to Stop Bitcoin Ransomware Payments

A former U.K. cybersecurity chief has raised concerns that ransomware incidents are close to “getting out of control.” Ciaran Martin has also called for laws to prevent people from paying bitcoin to cybercriminals. Former Official Claims Most of the Cybercriminals Are Based in Russia. During an interview with The Guardian, Martin, who was the head […]

California Man Loses $27,000 in Bitcoin After Falling Prey to Crypto Scammers

In Daly City, California, authorities are investigating a crypto scam incident in which a man lost $27,000 worth of bitcoin. The 48-year-old man claimed the scammers tricked him into giving them the keys to his wallet. Scammer Impersonated a Representative of Crypto Hardware Wallet Firm Ledger. Per KTVU FOX 2, the unnamed victim received a text message […]

DDoS Attackers Return With Massive Extortion Campaigns in the Wake of Bitcoin Prices Surging

Threat actors have been finding opportunities in bitcoin’s bullish trend to step up their extortion campaigns. Hackers are actively threatening companies with DDoS attacks unless they pay bitcoin ransoms. Bull Run Prices Push Extortionists to Increase Bitcoin Ransom Demands. According to an alert issued by security firm Radware, there have been several reports between December […]

Ledger owners report chilling threats after 20K more records leaked

“Are you able to imagine all the possible consequences that can occur to you and your loved ones?” said the scammer.

Ledger users are receiving threatening emails in the wake of the hardware wallet manufacturer reporting that 20,000 more of its customers have been affected by another massive data breach.

One or more extortionists using the names Darrin Burlew and Denni Hornig have reportedly sent emails to users who say their personal information was released as a result of the data breach at Ledger in June and July of last year.

Reddit user Crypthomie, a former flight attendant based in the United Arab Emirates, said his Ledger-owning father received a message today. The email included his name, home address and phone number, and demanded 0.3 Bitcoin (BTC) or 10 Ether (ETH), worth roughly $12,000, or he would face physical violence. Crypthomie made headlines in the crypto space by being unable to pay back a $100,000 loan taken to buy BTC at the height of the 2017 bull run.

“I am taking this very seriously and Ledger has made a very big mistake,” said the Redditor. “I know that those scammers sending emails by hundreds are just trying their luck by creating fear, but when it comes to the safety of your family it's another story.”

“Don't be fooled people, no one will come to your home to kill you but this feeling of insecurity is a scandal and Ledger has to do something about it.”

Other Ledger users report receiving similar emails with demands for a crypto ransom to be paid within 24 hours or they will face “horrifying” consequences.

“Are you able to imagine all the possible consequences that can occur to you and your loved ones?” said the scammer in another email. "I hope you do not ruin every little thing for yourself by making the wrong choice.”

While real-world attacks to steal cryptocurrency are much rarer than hacks or scams, they do occur. Bitcoin engineer Jameson Lopp (who lives off the grid) maintains a list of news articles reporting attacks in “meatspace” to steal cryptocurrency.

The threats came a day after Ledger announced that data from roughly 20,000 more users had been leaked via Shopify, blaming “rogue members” of the platform’s support team.

The original data breach in June and July 2020 included 1,075,382 email addresses from users subscribed to the Ledger newsletter, and the personal information (including home addresses) of 272,853 hardware wallet orders. Cointelegraph reported last month that the hackers responsible for the breach had made all the Ledger customers’ information publicly available, increasing the risk of phishing attacks, blackmail, and kidnapping.

In response to these attacks, Ledger stated it would be working with analytics firm Chainalysis and others to keep track of the scammers’ wallets. Ledger said it will report any illicit transactions to law enforcement, at which time it may be able to “freeze the crypto assets should they land on exchanges.” Ledger has also arranged a bounty of 10 BTC — roughly $390,000 at the time of publication — ”for information leading to successful arrest and prosecution” of the scammers.

However, some Ledger users who believe they are still at risk seem unsatisfied with the firm’s response, expressing incredulity over the lack of security and demanding compensation.

“That 10 BTC bounty fund should be given to the affected customers and not the bounty hunter,” said Twitter user CryptoPilot2.

Others pointed out the irony in a firm offering high-end crypto security suffering such a massive data breach. "I was about to buy your wallet and saw the news the next day,” said user illtech8.

“Your entire brand is based upon trust, and now nobody trusts you. There isn't a recovery from this.”
