The Monero project has admitted that one of its wallets was compromised in September by an unknown source, resulting in a loss worth approximately $437,000 at current exchange rates.
The administrator of the Monero project, who goes by the alias Luigi, announced on November 2nd that the project's Community Crowdfunding System (CCS) wallet was drained of 2,675.73 XMR on September 1st.
The team behind Monero is still trying to figure out how the breach occurred, but said it may be related to the ongoing wave of wallet-draining attacks that has hit the community since April.
The funds were drained in nine separate transactions that took place within minutes.
Other wallets in the project were unaffected, including the general fund used to support project development and, in some cases, donate to major community initiatives such as conferences and research.
Project administrators are “taking additional precautions” to protect other wallets associated with Monero, such as enabling multisig and requiring multiple individuals to sign off on a given transaction.
“It's possible that the attackers didn't realize what they were stealing. In that case, we would like them to think that they stole funds that individuals donated to specific things that Monero contributors are working on,” said another maintainer.
“This attack is unconscionable, as they took funds that our contributors may have been relying on to pay rent or buy food. If we become aware of this, we will correct this. I strongly urge you to take action.”
Wider wallet exfiltration attacks
Atomic Wallet was attacked earlier this year, ultimately leading to a mysterious outflow of funds from over 5,000 crypto wallets.
Those behind the attack reportedly made at least $100 million in profits, with 10 victims losing more than $1 million. According to Elliptic, the average loss for each wallet was $2,800.
The blockchain analytics provider attributed the attack to North Korea's state-run Lazarus Group, which has stolen more than $2 billion in several heists.
How do they get in?
The question of how Lazarus is infiltrating these wallets remains unanswered. In response to this attack, Atomic Wallet contacted the victims to gather information about their setups in order to determine the source of the breach, but has not yet released the results.
In October, Atomic Wallet revealed that it was able to work with a major cryptocurrency exchange to freeze $2 million in stolen funds in connection with an earlier incident. Details of the ongoing investigation into the mass breach have not been made public, but it is being assisted by blockchain forensics experts Chainalysis and Crystal.
“This is a huge threat to crypto wallets,” said Taylor Monahan, lead product manager and owner of MetaMask, a cryptocurrency wallet software company, who tracks the attacks that drain wallets. She said the profile of the victims was “most impressive”, with all of them coming from “reasonably safe” and reputable organizations.
A wide variety of cryptocurrencies and blockchains have been targeted, including Bitcoin, Monero, and Ethereum, with both 12-word and 24-word seed length wallets compromised.
Monahan noted that most of the victims were well known and that large sums of money were stolen each time a wallet was drained, suggesting it may be a targeted operation.
In response to community discussion over the possibility that the LastPass breach was responsible for leaking the seeds of the raided wallets, she said she is “confident” that the seeds were stolen from password managers.
“The number of victims who only had a specific group of seeds/keys stored in LastPass is too large to ignore,” Monahan wrote.
“To date, LastPass has not provided any useful indicators of compromise or information that could lead to attribution (IP, UA, etc.).
“Furthermore, most users whose wallets were compromised had very secure LastPass passwords, and it is legally impossible to brute force them, meaning that someone could still be undetected. How did they compromise hundreds of users' vaults one by one? LastPass has yet to share some key details about its security posture and what was compromised by the attackers.
“I want to emphasize that LastPass can and should do more here. This is an unfortunate failure on the part of the company.”
The idea that the LastPass breach was responsible for these attacks was supported by an independent blockchain researcher who goes by the alias ZachXBT.
According to his account, on October 25th alone, more than 25 different victims had their wallets drained, and a total of $4.4 million was stolen. The incident was “a result of the LastPass hack,” he said.
LastPass CEO Karim Toubba told The Register there is currently no evidence linking the company's breach to the ongoing wallet-draining attacks.
“The work these researchers are doing to understand cryptocurrency theft is important,” he said. “Since the first claims emerged linking the 2022 LastPass security incident to cryptocurrency theft, we have reached out to researchers to investigate these claims.
“At this time, there is no evidence directly linking these events to LastPass. We strongly encourage security researchers with evidence to contact the LastPass threat intelligence team at securitydisclosure@lastpass.com.”
Although these wallet-draining attacks began in April, the techniques used to execute them have not yet been established. ®