Hacked Bitpoint Exchange Finds $2.3M in Stolen Crypto

Japanese cryptocurrency exchange Bitpoint has reportedly discovered some of its funds that were stolen in a hack last week.

Japanese cryptocurrency exchange Bitpoint has discovered over 250 million yen ($2.3 million) in cryptocurrency — part of a $32 million sum that was stolen last week, local English language daily The Mainichi reports on July 14.

According to The Mainichi, Bitpoint found the stolen cryptocurrency on overseas exchanges that were using a trading system provided by Bitpoint Japan. Bitpoint told The Mainichi that the recent discovery brings the total sum of lost funds down from 3.5 billion yen ($32 million) to 3.02 billion yen ($28 million).

The exchange was initially hacked on July 12; 2.5 billion yen ($23 million) of the stolen funds belonged to customers, while 1 billion yen ($9.2 million) belonged to the exchange. Hackers stole Bitcoin (BTC), Litecoin (LTC), Ether (ETH) and XRP from the exchange’s hot wallets.

Bitpoint suspended all services following the hack, while shares of the exchange’s parent firm, Remixpoint Inc., shed 19% following the theft. Remixpoint went untraded in Tokyo after the attack due to a reported glut of sell orders.

The recent incident involving Bitpoint follows a record-breaking hack of Japanese exchange Coincheck in January 2018, wherein $534 million of NEM tokens were stolen from Coincheck’s low-security hot wallet.

Bitpoint was one of several exchanges to receive a business improvement order from Japan’s finance watchdog, the Financial Services Agency (FSA), in June of last year. One of the FSA’s main concerns was the exchanges’ compliance with Anti-Money Laundering and Know Your Customer requirements.

The agency also expressed concerns that customer funds were not being kept sufficiently separate from those of the exchanges.

0x DEX Protocol Suspended Because of Vulnerability, Funds Safe

The Ethereum smart contract of 0x decentralized exchange protocol has been suspended after the discovery of a vulnerability in its code.

The Ethereum (ETH) smart contract of 0x (ZRX) decentralized exchange (DEX) protocol has been suspended after a vulnerability has been uncovered in its code, the project’s team announced in a Medium post published on July 13.

Per the announcement, third-party security researcher samczsun warned the 0x team about the vulnerability in the exchange smart contract and, after evaluating it, the team suspended the exchange’s contract and the AssetProxy contracts.

The vulnerability would have allowed an attacker to fill certain orders with invalid signatures. The announcement reassures users that no one has exploited this vulnerability and that no users have lost their funds. The only consequence is apparently a temporary suspension of the service:

“Unfortunately, this also means the currently deployed 0x contracts cannot process trades and are unable to be used. A patched version of the Exchange contract — that we are confident fixes this vulnerability — and new AssetProxy contracts are being deployed to the Ethereum mainnet and we expect them to be ready to use later tonight.”

Lastly, the team notes that the vulnerability is not contained in its ZRX token contract and that user funds are safe. They thanked the security researchers while inviting other white hat hackers to participate in 0x’s bug bounty program:

“We also want to extend our sincerest gratitude to samczsun. We continue to offer a generous bug bounty to white hat hackers and community members that identify potential vulnerabilities.”

As Cointelegraph reported in October last year, ZRX was the first ERC20 token to be listed on the Coinbase cryptocurrency exchange.

At the beginning of May, the Tron Foundation disclosed a fixed vulnerability that could have crashed its blockchain.

Japanese Crypto Exchange Bitpoint Suffers $32 Million Hack

Japanese crypto exchange Bitpoint has suspended all services after losing $32 million in a hack involving XRP, Bitcoin and other cryptocurrencies.

Japanese crypto exchange Bitpoint has suspended all services after losing $32 million in a hack involving XRP, Bitcoin (BTC) and other cryptocurrencies.

In an official announcement on July 12, Bitpoint revealed that it had lost around 3.5 billion yen (~$32 million) — 2.5 billion yen (~$23 million) of which belonged to customers and 1 billion (~$9.2 million) to the exchange.

Bloomberg reports that shares of Bitpoint’s parent firm Remixpoint Inc. shed 19% following news of the incident, and were untraded in Tokyo as of 1:44 p.m. “on a glut of sell orders.”

Alongside XRP and Bitcoin, a total five different cryptocurrencies had been stored in the affected hot wallets, including Litecoin (LTC) and Ether (ETH).

Bitpoint’s announcement indicates that the exchange’s cold wallets are not thought to have been compromised.

Bitpoint was one of multiple domestic crypto exchanges to have been served a business improvement order from Japan’s financial regulator, the Financial Service Agency (FSA), during its wide-ranging inspections of industry businesses, per Bloomberg.

As previously reported, the industry record-breaking hack of $534 million of NEM from Japan’s Coincheck exchange in January 2018 had been attributed to the fact that the coins were stored in a low-security hot wallet.

May’s $40 million hack of top crypto exchange Binance has loomed large over the industry in 2019; at least eight crypto exchanges have been the target of large-scale hacking incidents in the first half of this year, most recently Singapore-based Bitrue.

Polish Crypto Exchange BitMarket Shuts Down Citing Liquidity Loss

Polish cryptocurrency exchange BitMarket announced its shutdown in a message appearing on its official website.

Polish cryptocurrency exchange BitMarket announced its shutdown on its official website on July 8.

When trying to access the exchange through its website, users are instead greeted with the following text message in both English and Polish:

“Dear Users, We regret to inform you that due to the loss of liquidity, since 08/07/2019, was forced to cease its operations. We will inform you about further steps.”

Leading cryptocurrency analytics website CoinMarketCap shows that the trading platform was not popular. The volume reported by the website at press time is $850,080 in the past 24 hours. Still, it is unclear how trading is continuing while the exchange is seemingly closed. Users may still be able to trade on the platform using API keys.

Reddit user OdoBanks pointed out earlier today that the exchange had shown several “red flags” in the weeks leading up to its shutdown. Notably, prior to the closure, users were forced to change their passwords (without any given reason) and their API keys.

Lastly, he also claims that some withdrawal attempts have been halted with the exchange asking the users to comply with additional know-your-client (KYC) measures. In those cases the customers were reportedly asked for a scan of their ID, photo of their face holding the ID and “a note confirming that you are using bitmarket to buy bitcoin for yourself, as an investment (a new requirement).” The user also claims:

“Exchange representatives […] claimed that this was the long overdue KYC requirement and that they were only targeting people with expired IDs. They never addressed users’ accusations of hiding the fact that the exchange has been hacked.”

As Cointelegraph reported at the end of June, Singapore-based crypto exchange Bitrue has suffered a major hack, losing 9.3 million XRP and 2.5 million cardano (ADA) from its hot wallet.

Also in June, Firefox’s zero-day security flaw was used in attacks against major crypto exchange and wallet service Coinbase.

Report: Fortress Offers to Buy Mt. Gox Bitcoin Claims at $900 a Piece

Fortress Investment Group has reportedly sent out an email offering to buy Mt. Gox creditors’ bitcoin claims for $900 per bitcoin.

Fortress Investment Group is buying bitcoin (BTC) claims from Mt. Gox creditors, according to a report by CoinDesk on July 8.

The Japan-based cryptocurrency exchange Mt. Gox filed for bankruptcy in 2014 after losing $473 million worth of bitcoin at the time due to an apparent hack. Bitcoin reportedly experienced a subsequent decline in value, dropping by 36% over the month when this took place.

As per the report, Fortress executive Michael Hourigan has sent a letter to creditors detailing the buyback offer. According to an apparent copy of the letter, Fortress has offered to buy the bitcoin claims at approximately double the bankruptcy value.

The value of the claims at the time Mt. Gox was declared insolvent was reportedly $451, while Hourigan says Fortress can offer $900 per coin.

The letter also notes that the purchase could be made in bitcoin or fiat money, and that the offer stands until July 31.

As Cointelegraph reported in April, Mt. Gox creditors may have claims for their lost bitcoins being automatically filed on their behalf. A Reddit user named DerEwige circulated an unverified screenshot of an email, which says:

“The creditors who objected to your self-approved rehabilitation claim withdrew their objections. As a result, the approval of your self-approved rehabilitation claim has become effective, and you no longer need to file an application for claim assessment.”

DerEwige interpreted this to mean that Mt. Gox users that did not file a rehabilitation claim after losing their crypto have had a claim automatically filed on their behalf, which has now been approved.

Sophisticated Trading Bot Exploits Synthetix Oracle, Funds Recovered

A trading bot has stolen over $1 billion from synthetic asset platform Synthetix, but the error was quickly fixed, with no users affected…

When Ethereum-based synthetic asset issuance platform Synthetix, which allows users to mint and trade synthetic currencies in a peer-to-peer fashion, lost track of more than 37 million synthetic Ether (sETH) on June 24, the company stopped all trading on its platform. While users only lost trading access for 24 hours, the event led to trades with 1,000x profits equalling $1 billion in less than an hour. The Australia-based company’s synthetic currencies provide access to the value of certain currencies, including Bitcoin and Ether. The platform says it makes it easy for users to hold Bitcoin and Ether without needing a crypto wallet.

Synthetix crypto-backed synthetic asset tokens are priced against the euro, Japanese yen, Korean won, Australian dollar and gold. Launched in the summer of 2018, Synthetix also has a stablecoin that tracks the United States dollar. Since Synthetix users trade assets that are representations of their underlying assets and track the prices of those assets, if a user trades sUSD into sBTC at $10,000 per BTC and the price goes up to $12,000 per BTC, they can trade that back into $12,000 of sUSD, making a profit of $2,000 sUSD.

The idea of synthetic digital currencies is not exclusive to Synthetix. Abra offers a service whereby users can receive exposure to any fiat currency (e.g., USD, EUR, PHP) or cryptocurrencies other than Bitcoin (e.g., XRP, DGB) that Abra supports via smart contracts on the Bitcoin and Litecoin networks. If a user deposits 1 BTC into an Abra wallet and then decides to buy 10 XRP with it, Abra creates a smart contract guaranteeing the right to 10 XRP. The user can then exchange the 10 XRP back into BTC, and Abra calculates the amount of BTC the user gains.

An oracle is to blame

Essentially, oracles are used in blockchains to verify real-world information and report the finding back to the blockchain, triggering the execution of smart contracts. In this case, a Synthetix oracle, responsible for providing external data to Synthetix’s smart contracts, transmitted false data on June 25, which a bot took advantage of. No funds were really “lost,” according to the company. One bot owner’s balance was inflated due to an incorrect sKRW price feed, which he then converted into an inflated amount of sETH. According to Kain Warwick, the founder of the platform, all the sETH was recovered, and the situation has since been resolved. The company contacted the owner of the arbitrage bot that unintentionally hacked the oracle and agreed on a bounty deal with him in order to return the funds. Warwick told Cointelegraph:

“It was a tense negotiation, but because the profit they had made in these trades is backed by SNX collateral there was insufficient collateral to cover the profits, so there would have been no way to cash out these gains. We paid them significantly more than our largest open bug bounty which is $2k, but significantly less than their nominal profit of several billion dollars.”

The most surprising thing was the level of sophistication the bots employed to target the oracle. According to Warwick:

“While there have been bots using the system for several months now, recently they have improved significantly. This particular bot was able to take advantage of the mispricing issue immediately, and exploit it repeatedly.”

The bot owner’s balance was inflated due to an incorrect sKRW price feed, which he then converted into an inflated amount of sETH, a synthetic asset that tracks the price of Ether by plugging into an oracle-backed price feed.

The error caused an API on the platform to report a rate for the Korean won (KRW) 1,000x higher than the actual rate: Synthetix’s private price oracle misreported the price of KRW because, after an earlier unrelated outage, it had taken an average of just the two remaining prices. According to the platform’s founder, a number of issues led to the event. Warwick told Cointelegraph:

“Two APIs had different independent outages simultaneously, and our error handling and aggregation logic failed to handle this. The pricing error was intermittently setting the rate for KRW to 1000x more than it actually was. And this happened multiple times within a one hour window. Each price error increased the bot’s trading profit by 1000x, so after three cycles the bot had made over $1b.”

Synthetix’s forex rate feeds cover most major currencies, but the platform was only using three APIs for less utilized currencies like the Korean won. Warwick also believes that the fact that a trader could generate so much profit so quickly speaks to both the strengths and weaknesses of the Synthetix platform:

“Because there are no counterparties traders can make very large trades with low slippage, which means the system can handle large trading volume, potentially billions of dollars per day given the current throughput of Ethereum. But the profit potential is constrained by the SNX collateral in the system (currently around $30m USD) so profits are also effectively capped to the current total value of SNX.”

According to Synthetix, the platform has added additional redundancies to its price feeds and a more efficient exception tool to prevent errors of this type.
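The failure described above is a general one for any oracle that averages whichever feeds happen to be answering. The following added example, which is not Synthetix’s code and uses constructed feed values (a value of None stands for an API outage, and the KRW/USD reference price is illustrative), puts a naive aggregator beside one that requires a minimum number of live feeds, a majority agreeing with the median, and a bounded move from the last published price, and that refuses to publish rather than guess when those checks fail.

```python
"""
Added example (not Synthetix's code): a price-feed aggregator that fails the
way the incident describes, beside one that refuses to publish instead of
mispricing. Feed values and the KRW/USD figure are constructed; None stands
for an API outage.
"""
from statistics import median
from typing import List, Optional

TRUE_KRW_USD = 0.00086  # constructed reference price: one won in US dollars


class FeedError(Exception):
    """Raised when the aggregator will not publish; callers should halt trading, not guess."""


def naive_average(samples: List[Optional[float]]) -> float:
    """Averages whatever feeds still answer, with no quorum and no sanity check.
    With one feed down and another returning a scaled value, the result is
    hundreds of times off."""
    live = [s for s in samples if s is not None]
    if not live:
        raise FeedError("no live feeds")
    return sum(live) / len(live)


def robust_aggregate(samples: List[Optional[float]], last_good: Optional[float] = None,
                     min_live: int = 3, max_spread: float = 0.05,
                     max_move: float = 0.10) -> float:
    """Publishes a rate only if at least min_live feeds answer, a strict majority
    of them sit within max_spread of the median, and the result has not moved
    more than max_move from the last published price. Otherwise it raises."""
    live = [s for s in samples if s is not None and s > 0]
    if len(live) < min_live:
        raise FeedError(f"only {len(live)} live feeds, need {min_live}")
    centre = median(live)
    agreeing = [s for s in live if abs(s - centre) / centre <= max_spread]
    if 2 * len(agreeing) <= len(live):
        raise FeedError("no majority of feeds agrees on a price")
    rate = median(agreeing)
    if last_good is not None and abs(rate - last_good) / last_good > max_move:
        raise FeedError("rate moved too far from the last published price")
    return rate


def misprice_factor(reported: float, actual: float = TRUE_KRW_USD) -> float:
    """How many times larger than the real price the published rate is."""
    return reported / actual


if __name__ == "__main__":
    # Constructed scenario: feed A is down, feed B reports 1000x the real price, feed C is right.
    degraded = [None, TRUE_KRW_USD * 1000, TRUE_KRW_USD]
    print("naive publishes", round(misprice_factor(naive_average(degraded)), 1), "x the true price")
    try:
        robust_aggregate(degraded, last_good=TRUE_KRW_USD)
    except FeedError as err:
        print("robust refuses:", err)
```

Halting on a FeedError is the safe default here because, as the article notes, profits on the platform are capped by the collateral in the system, so a stale or missing price costs far less than a wrong one that a bot can trade against repeatedly.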

Monero Discloses Bug Allowing XMR to be Stolen from Exchanges

One of the security vulnerabilities enabled attackers to trick exchanges into thinking they had deposited large sums of monero.

Several security vulnerabilities have been disclosed by Monero, including one that could have been exploited to steal XMR from exchanges, reports published on the vulnerability disclosure platform HackerOne revealed on July 3.

The vulnerability theoretically enabled attackers to send counterfeit xmr to an exchange. Once the fraudster’s account was credited, they could then convert it into other coins and make a withdrawal, leaving the exchange out of pocket.

Describing the critical breach they uncovered, the lead developer for CUT coin added:

“It is our belief that the vulnerability cannot be used to “mint” real, transactable monero out of thin air.”

A bounty of 45 xmr (about $4,000) was paid to the developer for their efforts.

Most of the vulnerabilities recently disclosed to HackerOne were identified a few months ago, but they have since been resolved.

In April, monero developers fixed a bug concerning the Ledger hardware wallet that made it look like user funds had disappeared.

The privacy-focused altcoin is 14th in the rankings of the biggest cryptocurrencies by market capitalization according to CoinMarketCap.

Mt. Gox Founder Knew of Security Risks Years Before Collapse, Lawsuit Claims

Two traders are suing Mt. Gox founder Jed McCaleb, and allege he knew of “serious security risks” years before 850,000 BTC was stolen in a devastating hack.

Mt. Gox founder Jed McCaleb is being sued by two traders who used the doomed exchange, court documents filed on May 19 show.

Joseph Jones and Peter Steinmetz have accused the ex-CEO of fraudulently and negligently misrepresenting the exchange.

The pair also allege that McCaleb was aware of “serious security risks” back in late 2010 or early 2011 — more than three years before 850,000 bitcoin (BTC) was stolen in an audacious hack. Their complaint adds:

“Rather than secure the exchange, McCaleb sold a large portion of his interest in the then sole proprietorship, and provided avenues to the purchases to cover-up security concerns at the time without ever informing or disclosing these issues to the public.”

Both of the plaintiffs describe themselves as experienced cryptocurrency traders. They said they were reassured by McCaleb following a “dictionary attack” in 2011, where a fraudster stole coins after targeting accounts with weak passwords.

The court document alleges that 80,000 BTC was already missing at that time, and claims that McCaleb sold a majority of his interest in Mt. Gox to Mark Karpeles instead of staying to repair the security issues.

While Jones said he owned 1,900 BTC at the time of Mt. Gox’s bankruptcy in February 2014 (worth $24 million at press time), Steinmetz said he owned 43,000 BTC — crypto that would be worth more than $542 million at today’s rates. Both men are still in pursuit of their lost funds, and say they would not have used Mt. Gox had they known about the “significant security concerns” that existed in 2011.

In April, Mt. Gox rehabilitation trustee Nobuaki Kobayashi successfully petitioned a Japanese court to extend the deadline for the submission of rehabilitation plans to October 2019.

Meanwhile, back in March, former CEO Mark Karpeles was given a suspended jail sentence after being found guilty of tampering with financial records.

Mt. Gox was once the world’s biggest crypto exchange, and McCaleb later went on to become the founder of Ripple and the co-founder of Stellar.

U.K.’s Biggest Store Tesco Pumps Bitcoin With ‘Bill Gates’ Twitter Scam

No consumers sent funds to an address promoted via the social network, with Tesco managing to restore order.

The largest supermarket chain in the United Kingdom was left red-faced this week after hackers took over its Twitter account to promote a bitcoin (BTC) scam. The news surfaced via IT magazine Bleeping Computer on June 25.

Tesco, which has almost 550,000 Twitter followers, lost control of its account and began claiming it would give away free bitcoins in return for investments.

The hackers appeared to have an affinity with Microsoft founder Bill Gates, using his avatar and changing Tesco’s handle to ‘Billgatesmsc.’

“Bitcoin is on the rise again! One day, it will without doubt replace fiat currencies,” one deleted tweet read in a style which closely mimicked previous scams involving ethereum (ETH) which pervaded Twitter last year.

“I’d like to give back to the community, therefore any bitcoin you send to this address, I will send back double! Comment your BTC address below when done.”

The address the hackers supplied never received any funds. Tesco subsequently regained access to its account, deleting all traces of the episode.

It remains unknown how the hackers managed to compromise the account.

The timing appeared deliberate; as Cointelegraph continues to report, bitcoin is currently trading at its highest since the end of its record-breaking bull market in December 2017.

The cryptocurrency has broadly returned to public consciousness, thanks mainly to increased mainstream media coverage.

“It’s been about a month since this new wave of scammers started up again. Last time was August-December 2017,” educator and ‘Mastering Bitcoin’ author, Andreas Antonopoulos, wrote last week about the increasing prevalence of scammers this year.

“The price dump in crypto made them go away and now they’re back.”

Scams such as Tesco’s meanwhile continue to appear outside the crypto industry, with Sweden’s government another recent victim. In April, attackers successfully managed to tweet that the country had changed its official currency to bitcoin. 

In an interview later on, the person responsible told local press outlet Trijo that personal political leanings formed his motivation for compromising the Social Democrats’ Twitter page.

“I simply think socialism is wrong,” he said.

Europol Arrests Six People Allegedly Behind $27 Million Bitcoin Theft

Europol arrests 6 unnamed individuals in the U.K. and the Netherlands under suspicion of involvement in a multimillion-dollar crypto theft.

Europol, in conjunction with the United Kingdom’s South West Regional Cyber Crime Unit, the Dutch police, Eurojust, and the U.K.’s National Crime Agency (NCA), has coordinated the arrests of six people suspected of stealing over $27 million in cryptocurrency, according to a press release on June 25.

The attackers were reportedly involved in typosquatting, a fraudulent means of stealing credentials by setting up a scam website whose name closely resembles that of an established one—hence the “typo” in “typosquatting”—and then recording the login data entered there.

In this case, the report notes that Europol believes the hackers were able to use typosquatting to steal login details, letting them gain access to client wallets and the funds inside. Europol reports that the hackers used this scheme to steal from at least 4,000 bitcoin (BTC) users in 12 different countries.

The six individuals were reportedly based in the U.K. and the Netherlands. As per the report, Europol provided coordination for the British and Dutch agencies, who shared information and evidence at their headquarters preceding the arrests.

As previously reported by Cointelegraph, malware watchdogs found a Cryptohopper clone website stealing crypto login credentials. The website uses the same logo as the genuine crypto trading tools website Cryptohopper to trick users into installing its executable, which downloads and runs mining and clipping trojans designed to steal cryptocurrency.
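Both the typosquatting scheme described in the Europol case and the Cryptohopper clone site rely on a hostname that reads like the genuine brand. The added example below, which is not Europol’s or any vendor’s tooling, is the kind of lookalike-domain check a defender can run over newly registered or newly observed hostnames against the brand names they protect. The watch list (with cryptohopper taken from the article) and the sample hostnames are constructed, and the label splitting assumes a single-label public suffix, which is noted in the code.

```python
"""
Added example (not Europol's or any vendor's tooling): a lookalike-domain check
for defenders. Brand list and sample hostnames are constructed. Label splitting
is naive (no public-suffix list), so 'example.co.uk' would be mis-split.
"""
from typing import List, Optional

# Constructed watch list; 'cryptohopper' is the brand named in the article.
WATCHED_BRANDS = ["cryptohopper", "examplewallet"]

# Substitutions that look like the original at a glance (not exhaustive).
# Multi-character entries come first so they are rewritten before single characters.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def registrable_label(hostname: str) -> str:
    """Second-level label, e.g. 'cryptoh0pper' from 'www.cryptoh0pper.com'.
    Assumption: the public suffix is a single label; use a public-suffix list on real data."""
    parts = hostname.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize_homoglyphs(label: str) -> str:
    """Collapses lookalike characters so 'cryptoh0pper' compares equal to 'cryptohopper'."""
    for lookalike, canonical in HOMOGLYPHS:
        label = label.replace(lookalike, canonical)
    return label


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: one insertion, deletion, substitution
    or swap of two adjacent characters costs 1 (swaps catch 'crpyto' vs 'crypto')."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(hostname: str, brands: List[str] = WATCHED_BRANDS) -> Optional[dict]:
    """Returns None for a brand's own label or an unrelated name, otherwise a
    dict naming the brand imitated and the kind of lookalike detected."""
    label = registrable_label(hostname)
    normalized = normalize_homoglyphs(label)
    for brand in brands:
        if label == brand:
            return None
        if normalized == brand:
            return {"brand": brand, "reason": "homoglyph"}
        if osa_distance(label, brand) <= 1:
            return {"brand": brand, "reason": "edit-distance"}
        if brand in label:
            return {"brand": brand, "reason": "brand-embedded"}
    return None


def triage(hostnames: List[str]) -> List[dict]:
    """Runs the check over a batch and keeps only the hits, e.g. for a blocklist or alert queue."""
    hits = []
    for host in hostnames:
        verdict = classify(host)
        if verdict:
            hits.append({"host": host, **verdict})
    return hits


if __name__ == "__main__":
    # Constructed sample of hostnames as they might appear in DNS or proxy logs.
    sample = ["www.cryptohopper.com", "cryptoh0pper.com", "crpytohopper.com",
              "cryptohopper-login.net", "unrelated-site.org"]
    for hit in triage(sample):
        print(hit)
```

The three checks are ordered from most to least specific so that a host which is both a homoglyph and within edit distance 1 is reported under the more telling reason; the brand-embedded rule is the noisiest and is best paired with an allow list of the brand’s own domains.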