Cryptohack Roundup: M2, Metawin Exploits

Every week, ISMG rounds up cybersecurity incidents in digital assets. This week, Metawin hacks, LottieFiles attack, hackers used Ethereum smart contracts to target npm developers, Craig Wright faced contempt of court, Alameda sued KuCoin, Binance sought dismissal of a U.S. Securities and Exchange lawsuit, and Immutable received a Wells Notice.

See Also: OnDemand | NSM-8 Deadline July 2022:Keys for Quantum-Resistant Algorithms Implementation

Hackers breached centralized crypto exchange M2 to steal $13.7 million in assets, including Bitcoin, Ether and Solana. M2 said that it had restored customer funds and implemented enhanced security measures to protect user interests.

A hacker stole over $4 million from crypto casino Metawin’s Ethereum and Solana hot wallets, exploiting a “frictionless withdrawal system,” said CEO Richard ‘Skel’ Skelhorn. Blockchain investigator ZachXBT linked 115 theft addresses to the hack, adding that funds were transferred to KuCoin and a HitBTC service. While Metawin initially disabled withdrawals, they have since resumed. In a message on Discord, Skelhorn implied he covered the loss personally, saying, “I just emptied my piggy bank … We keep building.”

A supply chain attack on animation workflow platform LottieFiles’ npm project Lotti-Player allowed threat actors to inject a crypto wallet drainer into websites, potentially causing a loss of $723,000 in Bitcoin for at least one user. The attack targeted specific Lottie Web Player versions 2.0.5, 2.0.6 and 2.0.7 by embedding a script that prompts users to connect their cryptocurrency wallets to Web3 applications, automatically draining assets. LottieFiles reverted to version 2.0.4. Since many users accessed the library via third-party CDNs without specifying a version, they unknowingly received the compromised release, which redirected them to a phishing domain with a history of crypto scams. LottieFiles said that the breach originated from a stolen developer authentication token and that its other resources remained unaffected.

Hackers are targeting npm developers in an ongoing campaign by deploying hundreds of typosquatted packages designed to resemble popular libraries, tricking developers into installing cross-platform malware. Checkmarx, Phylum and Socket said that the campaign first flagged on Oct. 31, uses Ethereum smart contracts to handle command-and-control server address distribution.

The typosquatted packages, over 287 of which have been published so far, target developers using libraries like Puppeteer, Bignum.js, and various cryptocurrency libraries. The malicious packages contain obfuscated JavaScript that triggers upon installation, retrieving a next-stage binary based on the operating system from a remote server. The binary establishes persistence, exfiltrating sensitive information back to the server. The JavaScript interacts with an Ethereum smart contract using ethers.js to obtain the C2 server’s IP address. This decentralized blockchain-based infrastructure makes it challenging to block since threat actors can update IP addresses, bypassing traditional takedown methods. Error messages in Russian indicate that the attackers may be Russian speakers, though their identity remains unclear.

Craig Wright, an Australian computer scientist who claimed to be Bitcoin’s creator, reportedly faces a contempt of court case over his $1.2 billion lawsuit against Bitcoin Core developers and Jack Dorsey’s Square. British High Court Judge James Mellor halted Wright’s case until the contempt application hearing on Dec. 18, filed by the Cryptocurrency Open Patent Alliance, which alleges that Wright violated a previous ruling by launching new legal actions tied to his disproven claims of Bitcoin authorship. Wright denies the breach, citing his investment interests in Bitcoin, not identity claims. Another hearing on Nov. 26 will address his potential in-person court attendance.

FTX subsidiary Alameda Research is reportedly suing KuCoin to recover over $50 million in frozen assets. Filed on Oct. 28 in the U.S. Bankruptcy Court in Delaware, the claim states that KuCoin refused to release the assets, originally worth $28 million at the time of FTX’s collapse in November 2022. Alameda argues that KuCoin’s withholding of funds violates the Bankruptcy Code and seeks asset recovery and damages. KuCoin said that the funds were flagged due to “suspicious activities” and claimed unsuccessful attempts to contact account holders. In a similar proceeding, FTX last month settled with Bybit, adding $228 million to its estate.

Binance and its former CEO Changpeng Zhao have filed a motion to dismiss the SEC’s amended complaint challenging its claims on crypto assets. Binance’s legal team argued that the SEC incorrectly classifies the tokens as securities, a stance it says contradicts a court ruling recognizing that crypto assets are not inherently securities and that each transaction must independently meet securities laws. The SEC’s amended complaint alleged that even “blind” transactions, where buyers do not know the asset origin, could be deemed securities trades. Binance asserted that the SEC’s amended claims “fail as a matter of law” and should be dismissed..

Blockchain gaming platform Immutable said that the U.S. Securities and Exchange Commission issued it a Wells notice, indicating the agency may take enforcement action against it for alleged securities law violations. Immutable said the SEC’s focus may involve its 2021 listing and private sales of its IMX token, but added that details in the notice were limited.