How a group of hackers entered BadgerDAO and stole $120 million

Although the blockchain world is taking significant steps forward in terms of security, sometimes the system fails to protect its users. For example, last week, the BadgerDAO exchange was the victim of a hacker attack that, in a few minutes, did a great deal of damage to the portal.

With access to only 23 wallets, the hackers managed to withdraw BTC and ETH worth $120 million. Investigations into the theft are ongoing, and Badger provides full support to the authorities to clarify what happened.

This article will highlight the facts known so far about this sad story.

What we know so far

Robbing a blockchain is not exactly like planning a bank robbery. While a common criminal can rob a small bank branch, hacking a blockchain is complex.

The typical transparency of a blockchain transaction helps us understand what happened. Within minutes, the hackers emptied 23 wallets on BadgerDAO, with few significant transactions.

It is impressive to see, for example, the withdrawal of 896 BTC from a single wallet. This withdrawal alone amounts to over $40 million at the current market price. To achieve this, the hackers activated a malicious script on the portal.

What is even more curious is the logic behind activating this JavaScript software. It seems that the script was active for a few seconds at random daily intervals as early as November 10th. This technique was crucial to avoid the immediate identification of the problem.
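A monitoring-side view of why a script served only for a few seconds at random times is hard to catch, as an added example (not code from BadgerDAO or the original article): it hashes the scripts seen in repeated fetches of the page against a known-good baseline and reports the windows in which they deviate. The URLs, script bodies and timestamps are constructed.

```javascript
// Added example, not BadgerDAO's code. All URLs, script bodies and timestamps are constructed.
const { createHash } = require("node:crypto");
const sha256 = (text) => createHash("sha256").update(text).digest("hex");

// Baseline: hashes of the scripts in the reviewed, known-good front-end build.
const KNOWN_GOOD = { "/static/app.js": "function app(){/* reviewed build */}" };
const baseline = new Map(Object.entries(KNOWN_GOOD).map(([src, body]) => [src, sha256(body)]));

// Compare the scripts seen in one fetch of the page against the baseline.
function auditSample(sample, allowed) {
  const findings = [];
  for (const { src, body } of sample.scripts) {
    if (!allowed.has(src)) findings.push({ src, reason: "unknown-script" });
    else if (allowed.get(src) !== sha256(body)) findings.push({ src, reason: "hash-mismatch" });
  }
  return findings;
}

// Merge consecutive deviating samples into windows, so short bursts are still recorded.
function findInjectionWindows(samples, allowed) {
  const windows = [];
  let open = null;
  for (const sample of [...samples].sort((a, b) => Date.parse(a.time) - Date.parse(b.time))) {
    const findings = auditSample(sample, allowed);
    if (findings.length === 0) { open = null; continue; }
    if (!open) { open = { first: sample.time, last: sample.time, srcs: new Set() }; windows.push(open); }
    open.last = sample.time;
    findings.forEach((f) => open.srcs.add(f.src));
  }
  return windows.map((w) => ({ ...w, srcs: [...w.srcs].sort() }));
}

const good = { src: "/static/app.js", body: KNOWN_GOOD["/static/app.js"] };
const extra = { src: "https://cdn.example.invalid/x.js", body: "/* constructed placeholder */" };
const samples = [
  { time: "2021-11-10T09:00:00Z", scripts: [good] },
  { time: "2021-11-10T14:03:10Z", scripts: [good, extra] },
  { time: "2021-11-10T14:03:40Z", scripts: [good, extra] },
  { time: "2021-11-10T14:05:00Z", scripts: [good] },
  { time: "2021-11-11T09:00:00Z", scripts: [good] },
  { time: "2021-11-11T20:41:05Z", scripts: [{ ...good, body: good.body + ";/* tampered */" }] },
];

const allWindows = findInjectionWindows(samples, baseline);
// A once-a-day check at 09:00 sees only clean responses and reports nothing.
const dailyOnly = findInjectionWindows(samples.filter((s) => s.time.endsWith("T09:00:00Z")), baseline);
console.log(allWindows, dailyOnly.length);
```

On the constructed data, the dense sampling records two deviation windows while the once-daily check records none.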

When BadgerDAO discovered the problem, it immediately blocked every running smart contract. Unfortunately, this means that the portal stopped working, pending the results of the investigation.

What appears truly scary is, in reality, the apparent simplicity with which the hackers overcame the two-factor authentication system. This seems to be the crux of the matter.

How two-factor authentication works

While readers are likely to use two-factor authentication every day, we find it helpful to explain how it works briefly.

The idea of two-factor authentication is simple and intelligent:

  • First factor: users must first enter their email and password to access a website
  • Second factor: once the first step is completed, users must give an access confirmation through a different source (e.g., a code sent by email)

The creators of this type of system knew well that, in general, the first factor alone is not secure enough. Since the most used passwords online are straightforward to guess, a hacker can easily overcome this obstacle.

Introducing a second factor should make a hacker’s job virtually impossible. Unfortunately, as we will see shortly, it is important not to overestimate this type of technology.

The opinion of the experts

Anyone who thinks they can sleep peacefully thanks to multi-factor authentication (MFA) is simply wrong. Unfortunately, such a new and innovative invention can fall victim to the oldest hacker trick: phishing.

Let’s imagine receiving an email from a work colleague’s email address. The message reports a request to click on a seemingly harmless link which, unfortunately, triggers a chain reaction that is very difficult to block.

Tools developed by white-hat hackers (like Evilginx) perfectly bypass an MFA system. The explanation of how this is possible is somewhat technical, and all one needs to know is that a simple click can undermine the reliability of such a system.

Phishing education should be regular training for students, employees, and managers. Hackers are getting better and better at this, and, therefore, users need to pay more attention. Badger claims to be very careful about security issues, but this is not enough.

It is impossible to assign responsibility for cybersecurity entirely to an exchange; users too must do their part. There are many online courses dedicated to the subject of phishing, and it is good to learn more about it before putting your money at risk.

What seems to have happened

The security of the BadgerDAO portal relies on Cloudflare technology. Unfortunately, the hackers could access the Cloudflare cybersecurity system with ease. A user can enter Cloudflare through a complex API key, which only those who created the account should access.

Viewing the API key requires using the MFA system described in the previous section. A blockchain typically uses the technology known as “Web3”. However, it would appear that the hackers could use the Web2 protocol to bypass the problem.

What we can learn from this story

You are not wrong if you feel a sense of déjà vu while reading this story. PayPal, for example, suffered from a similar attack in 2020. The criminals bypassed the company's two-factor authentication system thanks to a phishing-related scam.

Other players in the blockchain industry have also suffered losses due to hackers. No one can forget the $600 million that hackers stole from the Poly Network during the summer. This amount was (and, we hope, will always be) the largest heist in DeFi history.

Does complete cybersecurity even exist?

The short answer is simple: no, it does not. There’s a reason your antivirus software keeps asking to reboot the system to install new updates. Hackers are getting smarter and better at their job, and cybersecurity is evolving with them.

The problem is that, unfortunately, sometimes hackers prove to be one step ahead of security systems. Sometimes, one step is enough to lose a massive amount of money that may never be recovered.

We all need to understand the danger of delegating cybersecurity entirely to a piece of code. Internet security needs to be taught and learned continuously, and our antivirus software should not be the only weapon to be updated from time to time.


The malicious script running for about three weeks without attracting attention is also very serious. The activation of the API keys was instantaneous, but their theft was carried out calmly and with care. Nevertheless, platforms like BadgerDAO still have a lot to learn about cybersecurity, and we hope this story is the last of its kind.
