A crypto exchange Crypto.com confirmed that hackers stole nearly $34 million during Monday's hack. In a Tuesday update, the exchange revealed that hackers stole 443.93 bitcoin ($18.7 million), 4835.25 ether ($15.2 million) and approximately $66,200 in USD. The company faced criticism over its communication after the incident. The company's CEO only confirmed the hack on Wednesday, three days after it took place. In total, the hack affected 483 users. However, Crypto.com said that they fully reimbursed all of them. The…
Although the blockchain world is taking significant steps forward in terms of security, sometimes the system fails to protect its users. For example, last week, the BadgerDAO exchange was the victim of a hacker attack that, in a few minutes, did a great deal of damage to the portal.
With access to only 23 wallets, the hackers managed to withdraw BTC and ETH worth $120 million. Investigations into the theft are ongoing, and Badger provides full support to the authorities to clarify what happened.
This article will highlight the facts known so far about this sad story.
What we know so far
Robbing a blockchain is not exactly like planning a bank robbery. If a common criminal can steal a small bank branch, hacking a blockchain is complex.
The typical transparency of a blockchain transaction helps us understand what happened. Within minutes, the hackers emptied 23 wallets on BadgerDAO, with few significant transactions.
It is impressive to see, for example, the withdrawal of 896 BTC from a single wallet. This withdrawal alone amounts to over $ 40 million with the current market quote. To achieve this, the hackers activated a malicious script on the portal.
When BadgerDAO discovered the problem, it immediately blocked every running smart contract. Unfortunately, this means that the portal stopped working, waiting to know the investigation results.
What appears truly scary is, in reality, the apparent simplicity of overcoming the two-factor authentication system by the hackers. This seems to be the most important node of the matter.
How two-factor authentication works
While readers are likely to use two-factor authentication every day, we find it helpful to explain how it works briefly.
The idea of two-factor authentication is simple and intelligent:
- First factor: users must first enter their email and password to access a website
- Second factor: once the first step is completed, users must give an access confirmation through a different source (e.g., a code sent by email)
The creators of this type of system knew well that, in general, the first factor alone is not secure enough. However, since the most used passwords online are straightforward to guess, a hacker can easily overcome this obstacle.
Introducing a second factor should make a hacker’s job virtually impossible. Unfortunately, as we will see shortly, it is important not to overestimate this type of technology.
The opinion of the experts
Anyone who thinks they can peacefully sleep thanks to multi-factor authorization (MFA) is simply wrong. But, unfortunately, such a new and innovative invention can fall victim to the oldest hacker trick: phishing.
Let’s imagine receiving an email from a work colleague’s email address. The message reports a request to click on a seemingly harmless link which, unfortunately, triggers a chain reaction that is very difficult to block.
Tools developed by white-hat hackers (like Evilginx) perfectly bypass an MFA system. The explanation of how this is possible is somewhat technical, and all one needs to know is that a simple click can disable the reliability of such a system.
Phishing education should be regular training for students, employees, and managers. Hackers are getting better and better at this, and, therefore, users need to pay more attention. Badger claims to be very careful about security issues, but this is not enough.
It is impossible to attribute cybersecurity’s responsibility entirely to an exchange; users too must do their part. There are many online courses dedicated to the subject of phishing, and it is good to learn more about it before putting your money at risk.
What seems to have happened
The security of the BadgerDAO portal relies on Cloudflare technology. Unfortunately, the hackers could access the Cloudflare cybersecurity system with ease. A user can enter Cloudflare through a complex API key, which only those who created the account should access.
Viewing the API key requires using the MFA system described in the previous section. A blockchain typically uses the technology known as “Web3”. However, it would appear that the hackers could use the Web2 protocol to bypass the problem.
What we can learn from this story
You are not wrong if you feel like having a déjà-vu while reading this story. PayPal, for example, suffered from a similar attack in 2020. The criminals bypassed the two-factor authentication system of the company thanks to a phishing-related scam.
Other players in the blockchain industry have also suffered from losses due to hackers. No one can forget the $600 million that hackers stole from the Poly Network during the Summer. This amount was (and, we hope, will always be) the highest heist in the DeFi history.
Does complete cybersecurity even exist?
The short answer is simple: no, it does not. There’s a reason if your antivirus software keeps on asking to reboot the system to install new updates. Hackers are getting smarter and better at their job, and cybersecurity is evolving with them.
The problem is that, unfortunately, sometimes hackers prove to be one step ahead of security systems. Sometimes, one step is enough to lose a massive amount of money that it may never retrieve.
We all need to understand the danger of delegating cybersecurity entirely to a piece of code. Internet security needs to be taught and learned continuously, and our antivirus software should not be the only weapon to be updated from time to time.
The malicious script running for about three weeks without attracting attention is also very serious. The activation of the API keys was instantaneous, but their theft was carried out calmly and with care. Nevertheless, platforms like BadgerDAO still have a lot to learn about cybersecurity, and we hope this story is the last of its kind.