Blockchain & Cryptocurrency , Cryptocurrency Fraud , Fraud Management & Cybercrime
Cryptohack Roundup: Judge Approves FTX-CFTC Settlement
Also: WazirX's Post-Hack Plan, Mango Markets Hacker's Plea for DismissalEvery week, Information Security Media Group rounds up cybersecurity incidents in digital assets. This week, FTX settled with the CFTC, the Mango Markets hacker sought dismissal of charges, WazirX said it will reverse trades, Solana fixed a vulnerability, the SEC sued NovaTech and settled with Ideanomics, and researchers discovered a new way to steal crypto private keys.
See Also: OnDemand | NSM-8 Deadline July 2022:Keys for Quantum-Resistant Algorithms Implementation
Court Approves FTX-CFTC $12.7B Settlement
A federal judge ordered defunct crypto exchange FTX and its sister firm Alameda Research to repay creditors $12.7 billion. The settlement resolves a 20-month lawsuit initiated by the Commodity Futures Trading Commission. The CFTC did not impose a civil penalty as part of the settlement, which includes $8.7 billion for defrauded investors and $4 billion in disgorged funds. The order also bans FTX and Alameda from engaging in digital asset commodity transactions in the future. Creditors must decide by Oct. 7 whether to receive payouts in cryptocurrency or U.S. dollars.
Mango Markets
Avraham Eisenberg, found guilty of exploiting Mango Markets, is seeking to have his conviction thrown out or to receive a new trial. In a 77-page motion, his lawyers argued that the U.S. District Court for the Southern District of New York was an improper venue and that the government failed to prove Eisenberg intended to manipulate the price of a perpetual futures contract on the decentralized crypto exchange. They said that Eisenberg was in Puerto Rico during the relevant activities, and the government relied on mischaracterizations in its case.
Prosecutors said Eisenberg manipulated the price of MNGO Perpetuals, acquiring $110 million in crypto, leading to Mango Markets losing about $116 million. He was arrested in 2022 but claimed his actions were a legal trading strategy and returned $67 million to Mango Markets, keeping $47 million.
Eisenberg's sentencing is scheduled for Nov. 13.
WazirX to Reverse Trades Made After $230M Hack
Indian crypto exchange WazirX said it will reverse all trades made after its withdrawal freeze on July 18, following a $230 million hack. The exchange stated that user portfolio balances will be restored to their status before the attack. Blockchain analytics firm Elliptic said that North Korean hackers were likely behind the hack. WazirX halted trading after the attack and later proposed a "socialized loss strategy" via a social media poll, which faced strong criticism.
Solana Fixes Security Vulnerability
Solana fixed a security vulnerability by securing a majority of the network's stake before making the issue public, according to a validator who goes by the name Laine. Solana Foundation privately contacted known network operators, aiming to discreetly patch the vulnerability to prevent exploitation by making the fix available through a GitHub repository, allowing operators to independently verify and apply it. Nearly 70% of the network’s stake was secured within a day of the patch distribution, after which the organization made the vulnerability's knowledge public. Solana Labs also made a Discord announcement urging all remaining operators to update their systems to version 1.18.21.
US SEC Sues NovaTech
The U.S. Securities and Exchange Commission sued NovaTech founders Cynthia and Eddy Petion, alleging they ran a pyramid scheme that raised over $650 million in cryptocurrency. The lawsuit includes the company NovaTech and six promoters. The scam allegedly affected more than 200,000 investors globally. Regulators said NovaTech asserted it would invest funds in cryptocurrency and foreign exchange markets but instead used the money to pay existing investors, promoters' commissions and personal expenses. One of the promoters, Martin Zizi, agreed to a partial settlement without admitting guilt.
The SEC lawsuit isn't NovaTech's only legal imbroglio. New York Attorney General Letitia James in June sued NovaTech and its founders for defrauding thousands of investors, particularly immigrant Haitians. James said the company found victims through prayer groups, social media and WhatsApp group chats.
US SEC Settles With Ideanomics
The U.S. Securities and Exchange Commission settled fraud charges with electric vehicle company Ideanomics for misleading financial reporting and deceiving the public about its performance. An SEC investigation found that between 2017 and 2019, Ideanomics and its senior executives made significant misrepresentations regarding the company's financial performance, particularly inflating revenue figures related to crypto assets. In 2019, the company falsely reported over $40 million in revenue from a fraudulent crypto asset transaction. The investigation found former Chairman and CEO Zheng Wu, current CEO Alfred Poor, and former CFO Federico Tovar engaged in various fraudulent activities, including issuing false revenue guidance and concealing Wu's personal interests in related businesses. The parties agreed to settle without admitting or denying the charges. Wu will pay over $3.3 million and faces a 10-year ban from corporate leadership. Tovar and Poor will each pay $75,000 in penalties. Ideanomics agreed to a $1.4 million penalty and will hire an independent compliance consultant to strengthen its accounting controls.
Dark Skippy
Security researchers uncovered a method called Dark Skippy, which allows hackers to extract private keys from bitcoin hardware wallets using only two signed transactions. This vulnerability potentially affects all hardware wallet models, but it requires victims to download malicious firmware. Unlike previous methods that required posting many transactions, Dark Skippy can work with a small number, even if the seed words were generated on a separate device. Researchers Lloyd Fournier, Nick Farrow and Robin Linus said the attack exploits a wallet's firmware by embedding parts of the user's seed words into "low entropy secret nonces," which are used to sign transactions. These signatures, once posted to the blockchain, can be analyzed by hackers to reveal the full seed words. Farrow and Linus co-founded hardware wallet manufacturer Frostsnap, and Linus developed bitcoin protocols ZeroSync and BitVM.