In the final blog of our 2023 review series, Searchlight’s threat intelligence team looks at noteworthy cyberattacks against decentralized financial institutions and cryptocurrency exchanges.
Attacks Against Financial Institutions in 2023
A lot can happen in a year in cybersecurity, and 2023 was no exception. This series of blogs is a retrospective of some of the top trends, changes and continuities observed by Searchlight Cyber’s Threat Intelligence team, covering areas such as cybercriminal forums and marketplaces, threat actor motivations, malware, ransomware, initial access brokers, vulnerabilities, and social engineering techniques. The platforms, tools, actors, and insights featured in this series are based on intelligence gathered from Searchlight’s extensive deep and dark web dataset.
You can find the previous blogs in the series here:
- Hacking Forums and Dark Web Marketplaces.
- Threat Actors and Motivations.
- Malware and Vulnerabilities.
- Cyberattack Techniques.
In the final blog of the series our threat intelligence team looks at noteworthy cyberattacks against decentralized financial institutions (DeFi platforms) and cryptocurrency exchanges – of which there were some notable examples in 2023, as cybercriminals looked to exploit vulnerabilities and flaws in these relatively nascent financial systems. In some cases, this had led to the equivalent of tens of millions of dollars of cryptocurrency disappearing off the books, with some institutions even resorting to paying the attackers “bug bounties” to recoup some of their stolen funds.
Decentralized Financial services, otherwise known as De-Fi platforms, are financial services that rely on a decentralized ledger in a similar way to cryptocurrencies. De-Fi services often make use of new technologies in an attempt to remove third parties from financial transactions, which means this is a constantly evolving landscape.
However, their self contained nature also makes them particularly vulnerable to attacks from malicious actors. This is because these organizations are run by a DAO (decentralized autonomous organization), which is required to vote and reach a consensus on any changes made to the project in any way – including the implementation of security patches and fixes. The resulting delays have created a window of time that cybercriminals work to exploit.
The result is what is known as “bridge” hacks – which include false deposit events, price oracle manipulation attacks, and validator takeover attacks. These are just a few examples of bridge attacks from last year:
BonqDAO provided a DeFi platform run on the Polygon Network that allowed individuals to borrow funds against their digital assets or tokens owned. It operated as an over-collateralized lending platform where users needed to have collateral of higher value than the loan they wanted to take, in order for BonqDAO to mitigate its risk.
On February 1, 2023, BonqDAO suffered an attack in which the price of the lending token was altered, allowing the attacker to “borrow” much more than would have been allowed normally. After this initial price change, the price was altered a second time to a much lower figure, allowing many loans to be liquidated. In total, the attacker made off with roughly $120m.
Balancer – a De-Fi project running on the Ethereum blockchain, similar to De-Fi exchanges such as Uniswap and Curve – was the unfortunate victim of two hacks within a month of each other last summer.
The first attack was reported on August 27, 2023 and was a flash loan attack resulting in roughly $1m worth of funds being stolen. A flash loan attack works by targeting uncollateralized crypto loans, which are essentially loans that are provided up-front with no collateral and are referred to as “flash loans”, with the stipulation that these funds must be repaid within the same transaction. Due to the Blockchain’s execution time, however, there is room for attackers to manipulate variables to cause unintended outcomes. It is worth noting that a week prior to this exploit the team at Balancer had been made aware of the issues and reportedly implemented the required actions to reduce risk.
Then – on September 19, 2023 – Balancer.FI suffered a DNS frontend attack, in which users were prompted on the home page to approve a malicious smart contract that would drain the contents of the users’ wallet and send it to the attacker. Reportedly about US $250,000 in total was siphoned to the cybercriminal as a result of this attack, however, the project’s vault remained safe throughout this process.
On March 28, 2023, SafeMoon experienced an issue with a newly implemented burn feature and, as a result, had roughly $9m equivalent taken from its liquidity pool. The “attacker” used a public burn feature that had been implemented but not intended to be available for the public to use and was able to artificially spike the price of the native SafeMoon token, then, within the same transaction, sold the token at the new inflated value. The incident has been discussed as a “hack” by many, however it has been argued that this was a legitimate feature and therefore this was not truly an “attack” as such. It was later decided between the SafeMoon developers and the perpetrator that 80 percent of the funds would be returned to the developers and 20 percent would be kept as a “bug bounty”, with no criminal charges filed against the individual.
Cryptocurrency exchanges are used by many as to purchase, own, and trade various forms of cryptocurrency. They are the means by which most individuals convert fiat currency, such as GBP and USD, into cryptocurrency and tokens. Some exchanges have experienced significant cybersecurity issues this year:
In April 2023, KuCoin was unable to access its X (formerly Twitter) account for 45 minutes after it was compromised by malicious actors. Within that short window, the actors who gained access to this account began posting false information to get users to deposit funds into an address associated with the actor – resulting in roughly US $22,000 being stolen. KuCoin promised to fully reimburse all those affected by the scam.
October 15 saw Philippines-based exchange Coins.ph likely fall victim of some kind of hack or exploit as – within a 30 minute window – the equivalent of $6m of XRP (Ripple) was transferred from the exchange to an external address. These funds were then dispersed to multiple other exchanges such as OKX, WhiteBit and Orbitbridge. At the time of writing no comment has been made by the exchange on this matter.
While not an exchange, the Taipei trading venture capital group Kronos Research experienced a breach in their security which resulted in roughly $26m equivalent of cryptocurrency being stolen. The organization didn’t have the private keys to their crypto addresses targeted (which is common in attacks within this vector) but the attackers targeted their API private keys instead. Programs that interact with an API can use an API key instead of a password, giving the attackers full access to conduct transactions. On November 27, 2023 Kronos appeared to reach out to the hackers offering them a 10 percent “bug bounty” as long as the other 90 percent of funds are returned. Negotiations with hackers are becoming more frequent and – along with the promise of no charges being filed against them – this is often a much more attractive option for the attackers than having to launder a large amount of stolen cryptocurrency.