Cryptohack Roundup: Kraken, CertiK Feud Over Zero-Day, $3M
Also: UwU Lend's Hacks, Terraform Labs' Dissolution, Gemini's Settlement

Every week, Information Security Media Group rounds up cybersecurity incidents in digital assets. This week, CertiK researchers allegedly stole money from Kraken, UwU Lend was hacked, Terraform Labs shut down, Gemini will pay defrauded investors, three entities claimed seized FTX assets, a Chinese bank suffered embezzlement and money laundering, and the SEC's crypto head is leaving.
Kraken and CertiK in Dispute Over Zero-Day, $3M Theft
Security researchers exploited a zero-day vulnerability in Kraken to steal $3 million and then refused to return the funds, the crypto exchange said, without identifying the researchers. CertiK has identified itself as the security company in question and accused Kraken of threatening its employees.
Kraken Chief Security Officer Nicholas Percoco tweeted that the exchange received a vague bug report on June 9 about a critical vulnerability allowing anyone to artificially increase balances in a Kraken wallet. Kraken's security team identified a flaw that enables attackers to initiate a deposit and receive funds, even if the deposit failed. Percoco clarified that no client assets were at risk, but attackers could temporarily create assets in their Kraken accounts. The team fixed the flaw, which was the result of a recent user interface change that permitted users to deposit and use funds before being cleared.
Kraken then discovered that three users had exploited this bug to steal $3 million from the exchange's treasury. One of them, claiming to be a researcher, first used the bug to deposit $4 in their own account to demonstrate the vulnerability. Then, two of the researcher's associates withdrew $3 million.
The researchers refused to return the crypto or share further information about the bug with Kraken, the crypto firm said. Instead, they demanded a speculative payout for their findings based on what the damage could have been if a hacker had exploited the vulnerability, Percoco said. Their actions were extortion, not ethical hacking, he said. Kraken reported the incident to law enforcement and is treating it as a criminal case.
CertiK said that after identifying and fixing the vulnerability, Kraken's security operation team threatened its employees to "repay a mismatched amount of crypto in an unreasonable time even without providing repayment addresses."
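The flaw class Kraken describes, a balance that becomes spendable when a deposit is initiated rather than when it settles, can be shown with a small ledger model. The code below is an added illustration, not Kraken's code or data: the `Ledger` and `Deposit` classes, the `credit_on_initiate` switch that models the vulnerable behaviour, and the sample deposit are all constructed for this example. The hardened path keeps unsettled funds in a separate pending bucket and credits the spendable balance only after the payment rail confirms the deposit, so a failed deposit never leaves a withdrawn, unbacked balance behind.

```python
"""Deposit settlement ledger: credit spendable balance only on confirmed settlement.

Added illustration of the flaw class described for Kraken (funds usable before the
deposit cleared). Classes, method names and the sample deposit are constructed for
this example; they are not Kraken's code or data.
"""
from dataclasses import dataclass, field
from enum import Enum


class DepositState(Enum):
    INITIATED = "initiated"
    SETTLED = "settled"
    FAILED = "failed"


@dataclass
class Deposit:
    deposit_id: str
    account: str
    amount: int  # minor units (e.g. cents) so no float rounding creeps in
    state: DepositState = DepositState.INITIATED


@dataclass
class Ledger:
    available: dict = field(default_factory=dict)  # spendable balance per account
    pending: dict = field(default_factory=dict)    # visible to the user, not spendable
    deposits: dict = field(default_factory=dict)   # deposit_id -> Deposit
    credit_on_initiate: bool = False               # True models the vulnerable behaviour

    def initiate(self, dep: Deposit) -> None:
        """Record a new deposit; the vulnerable mode credits it as spendable at once."""
        if dep.deposit_id in self.deposits:
            raise ValueError("duplicate deposit id")  # replay protection
        self.deposits[dep.deposit_id] = dep
        bucket = self.available if self.credit_on_initiate else self.pending
        bucket[dep.account] = bucket.get(dep.account, 0) + dep.amount

    def settle(self, deposit_id: str, confirmed: bool) -> None:
        """Finalise a deposit once the payment rail reports success or failure."""
        dep = self.deposits[deposit_id]
        if dep.state is not DepositState.INITIATED:
            raise ValueError("deposit already finalised")
        dep.state = DepositState.SETTLED if confirmed else DepositState.FAILED
        if self.credit_on_initiate:
            # Vulnerable path: a failed deposit has to be clawed back, but the
            # funds may already have been withdrawn, leaving a negative balance.
            if not confirmed:
                self.available[dep.account] = self.available.get(dep.account, 0) - dep.amount
            return
        # Hardened path: move from pending to available only on confirmation.
        self.pending[dep.account] -= dep.amount
        if confirmed:
            self.available[dep.account] = self.available.get(dep.account, 0) + dep.amount

    def withdraw(self, account: str, amount: int) -> bool:
        """Withdrawals draw on the spendable balance only."""
        if self.available.get(account, 0) < amount:
            return False
        self.available[account] -= amount
        return True


def run_scenario(credit_on_initiate: bool) -> dict:
    """Initiate a deposit, try to withdraw it at once, then have the deposit fail."""
    ledger = Ledger(credit_on_initiate=credit_on_initiate)
    ledger.initiate(Deposit("dep-1", "acct-A", 400))  # constructed sample deposit
    withdrew = ledger.withdraw("acct-A", 400)
    ledger.settle("dep-1", confirmed=False)
    return {"withdrew": withdrew, "available": ledger.available.get("acct-A", 0)}


if __name__ == "__main__":
    print("vulnerable:", run_scenario(True))   # withdrawal succeeds, balance ends negative
    print("hardened:  ", run_scenario(False))  # withdrawal refused, balance stays at zero
```

Running the same event sequence through both modes shows the difference a reconciliation check would catch: in the vulnerable mode the account ends with a negative spendable balance after the failed deposit, while in the hardened mode the withdrawal is refused because the funds were never more than pending.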
UwU Lend Hacked Twice
Hackers exploited the UwU Lend protocol twice this month, stealing a total of about $23.7 million. On-chain data analytics platform Cyvers said both attacks were carried out by the same hacker. In the first hack, on June 10, nearly $20 million was stolen through a price manipulation attack; in the second hack, three days later, $3.7 million was lost. The latest breach occurred just as UwU Lend was beginning the reimbursement process for victims of the first attack.
The protocol said it resolved the vulnerability that led to the initial attack and announced the repayment of over $1.7 million in Wrapped Ether and a total reimbursement of over $9.7 million.
Crypto security firm CertiK told CoinTelegraph that the second exploit was a consequence of the first one. The attacker retained tokens from the first exploit, and although the company paused the protocol, it still recognized the stolen token as legitimate collateral. This oversight allowed the attacker to exploit the remaining tokens and drain additional funds, CertiK reportedly said.
UwU Lend is offering a $5 million bounty for anyone who can identify and locate the attacker.
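CertiK's account of the second UwU Lend exploit describes a control gap rather than a new bug: the protocol was paused, yet tokens the attacker retained from the first exploit were still valued as collateral. The model below is an added illustration, not UwU Lend's contracts or data; the pool, asset names, prices, collateral factors and balances are constructed for the example. It shows two separate controls a pool needs after an incident: a pause that gates every state-changing entry point, and a per-asset freeze so that once operations resume, tainted tokens contribute nothing to borrowing power.

```python
"""Pause and collateral-freeze gating for a lending pool.

Added illustration of the failure mode CertiK described for UwU Lend: after the
first exploit the protocol was paused but still counted attacker-held tokens as
valid collateral. Pool, asset names, prices and balances are constructed for this
example, not UwU Lend's contracts or data.
"""
from dataclasses import dataclass, field


class PoolError(Exception):
    """Raised when an operation is refused by a pool control."""


@dataclass
class LendingPool:
    prices: dict                                    # asset -> USD price (oracle stand-in)
    collateral_factor: dict                         # asset -> fraction of value borrowable
    paused: bool = False
    frozen: set = field(default_factory=set)        # assets excluded from collateral value
    collateral: dict = field(default_factory=dict)  # (user, asset) -> amount
    debt: dict = field(default_factory=dict)        # user -> USD debt

    def pause(self) -> None:
        self.paused = True

    def resume(self) -> None:
        self.paused = False

    def freeze_asset(self, asset: str) -> None:
        """Exclude an asset from borrowing power, e.g. tokens obtained in an exploit."""
        self.frozen.add(asset)

    def deposit(self, user: str, asset: str, amount: float) -> None:
        if self.paused:
            raise PoolError("pool paused")
        key = (user, asset)
        self.collateral[key] = self.collateral.get(key, 0.0) + amount

    def borrowing_power(self, user: str) -> float:
        """USD value the user may still borrow; frozen assets count for nothing."""
        total = 0.0
        for (u, asset), amount in self.collateral.items():
            if u != user or asset in self.frozen:
                continue
            total += amount * self.prices[asset] * self.collateral_factor[asset]
        return total - self.debt.get(user, 0.0)

    def borrow(self, user: str, usd: float) -> float:
        if self.paused:
            raise PoolError("pool paused")
        if usd > self.borrowing_power(user):
            raise PoolError("insufficient collateral")
        self.debt[user] = self.debt.get(user, 0.0) + usd
        return self.debt[user]


def scenario() -> dict:
    """Attacker holds a tainted token; pause alone does not remove its collateral value."""
    pool = LendingPool(prices={"WETH": 3000.0, "TAINT": 10.0},
                       collateral_factor={"WETH": 0.8, "TAINT": 0.8})
    pool.deposit("attacker", "TAINT", 1000)  # constructed: tokens kept from the first exploit
    pool.deposit("alice", "WETH", 2)
    before = pool.borrowing_power("attacker")  # still counted while merely paused
    pool.pause()
    try:
        pool.borrow("attacker", 5000.0)
        during_pause = "allowed"
    except PoolError as err:
        during_pause = str(err)
    pool.freeze_asset("TAINT")  # the control that actually removes the tainted value
    pool.resume()
    try:
        pool.borrow("attacker", 1.0)
        after = "allowed"
    except PoolError as err:
        after = str(err)
    alice_debt = pool.borrow("alice", 1000.0)  # untainted users are unaffected
    return {"before": before, "during_pause": during_pause,
            "after": after, "alice_debt": alice_debt}


if __name__ == "__main__":
    print(scenario())
```

The point of the scenario is that `borrowing_power` reports the tainted token at full value while the pool is only paused; a pause stops transactions but does not change what the pool believes collateral is worth. Freezing the asset before resuming is what denies the retained tokens any borrowing power, while an unrelated depositor can still borrow normally.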
Terraform Labs to Dissolve Operations
Terraform Labs will dissolve its operations and sell its projects within the Terra ecosystem, announced CEO Chris Amani. The decision follows a $4.47 billion settlement Terraform reached with the U.S. Securities and Exchange Commission stemming from the collapse of the UST algorithmic stablecoin in 2022.
Amani, who succeeded Do Kwon as CEO in July 2023, tweeted that Terraform Labs "always intended to dissolve at some point and that point is now." The firm plans to burn all unvested Luna tokens, Terraform's native cryptocurrency, from its wallets. Amani said that the Terra and Terra Classic blockchains could continue under community control if someone takes ownership of the blockchains.
The SEC charged Terraform and co-founder Kwon in February 2023 for misleading investors and violating federal securities laws by selling unregistered securities. The settlement includes $3.58 billion in disgorgement, a $420 million civil penalty and a prohibition against Kwon serving as an officer or director of any public company. Kwon must contribute approximately $204 million to a bankruptcy estate for compensating investors harmed by the scheme.
Terraform Labs filed for Chapter 11 bankruptcy in Delaware in January.
Gemini to Pay $50M to Defrauded Investors
Crypto exchange Gemini will pay $50 million in digital assets to Gemini Earn investors as part of a settlement with New York's attorney general. The office said Gemini misled thousands of investors about the risks associated with the Gemini Earn program, which claimed to allow customers to loan their crypto to now-bankrupt Genesis Global Capital to earn up to 7.4% annual percentage yield.
New York Attorney General Letitia James said that Gemini falsely marketed the Earn program as a safe investment opportunity and eventually locked investors out of their accounts. The settlement is expected to ensure full recovery for all defrauded investors and help them reclaim the assets they invested in the Earn program.
Gemini is banned from conducting any crypto lending programs in New York state.
Gemini announced last month that Earn users would recover $2.18 billion of their crypto in kind, meaning customers who lent one bitcoin would receive one bitcoin back. Final Earn distributions will be available in customers' accounts within seven days, according to Gemini's statement.
3 Entities Claim Seized FTX Assets
Three separate groups filed claims over the assets seized from former FTX CEO Sam Bankman-Fried following his criminal conviction.
The FTX debtors' estate, led by CEO John Ray III, filed a claim for six categories of assets seized by government prosecutors. These include funds at banks associated with Alameda Research and FTX Digital Markets, two private jets, funds at Silvergate Bank belonging to Bankman-Fried and former FTX CFO Luk Wai Chan, political contributions made by Bankman-Fried and other FTX executives, and proceeds from the sale of Robinhood shares held by Emergent Fidelity Technology Ltd.
The FTX debtors' estate argued that these assets never belonged to Bankman-Fried, as they were acquired through criminal activities and funded by debtor assets. They said that reclaiming these assets will benefit all creditors and stakeholders involved in the Chapter 11 bankruptcy proceedings and FTX Digital's liquidation in the Bahamas.
Two other claimants have also filed for a share of the assets.
Antigua's court-appointed liquidators and lawyers representing FTX creditors in a class action suit in the U.S. District Court for the Southern District of Florida contested the claims. They seek $625 million from Emergent, including $20 million in cash and proceeds from the Robinhood shares. They argued that Emergent's purchase of Robinhood shares, directed by Bankman-Fried due to his 90% ownership stake, was independent of any wrongdoing at FTX or Alameda. They also said they had the right to recover professional expenses incurred while defending against Bankman-Fried's attempts to seize Emergent's assets.
A simultaneous class action suit led by lawyers representing the largest FTX creditor group, headed by Sunil Kavuri, argues that the forfeited assets, including Robinhood shares, should return to customers and alleges the debtors' estate has conflicts of interest. The lawyers claim these assets are derived from fraud on FTX customers and should be distributed in-kind.
The FTX debtors' estate insists the bankruptcy court should grant its claim to maximize recovery for victims and minimize costs, working with the government to comply with federal laws. Each filing requests a hearing, but the timing remains unclear.
$248M Scheme in Chinese Bank
A local Chinese bank uncovered a 1.8 billion yuan or $248 million embezzlement scheme involving two former executives and a former shareholder who used cryptocurrency to launder the funds, reported Chinese financial news outlet The National Business Daily.
A 44-year-old suspect surnamed Chen assisted former executives of the Bank of Huludao, a commercial bank in Northeast China, in laundering at least 250 million yuan or $34.4 million through his bank accounts, the news outlet said.
In August 2020, Li Yulin, the former party secretary of the Bank of Huludao, and Li Xiaodong, its former acting president, along with two other suspects, allegedly embezzled 2.6 billion yuan by manipulating nonperforming assets. The following month, these suspects illegally converted over 1.8 billion yuan into foreign currency and transferred the funds to company bank accounts in Hong Kong under their control, the news outlet reported.
In September and October 2020, these individuals purchased cryptocurrencies through WeChat groups, including one named Longmen Inn, and then used other vendors to sell the cryptocurrencies abroad. The proceeds were converted into U.S. dollars and sent to bank accounts owned by Hong Kong companies.
Chen was found guilty of money laundering, sentenced to two years and three months in prison and fined 2 million yuan. The cases concerning the other executives' alleged misconduct were handled in separate legal proceedings.
SEC Crypto Head Resigns
David Hirsch, head of the U.S. Securities and Exchange Commission's Crypto Asset and Cyber Unit in the Division of Enforcement, left the agency after nearly nine years. Announcing his departure on LinkedIn, Hirsch did not reveal his future plans but said that he would share more details after taking a break. Before joining the SEC, Hirsch served as a legal advisory board member at the NYU Center for Cybersecurity.