Also: The Treasury Department Lifts Tornado Cash Sanctions

Every week, Information Security Media Group rounds up cybersecurity incidents in digital assets. This week, a $13M Abracadabra hack, Treasury lifted Tornado Cash sanctions, Bybit hack update, U.S. authorities will return $7M to scam victims, South Korean faces prison for stabbing crypto CEO, Hollywood director charged for swindling $11 million, Ripple-SEC case wrap-up, Garantex operators flocked to Grinex, Gotbit founder agreed to plea deal, Coinbase targeted in GitHub Actions supply chain attack and Binance suspended an employee over insider risk threat.
$13M Abracadabra Hack
Hackers exploited a vulnerability in the smart contracts of decentralized finance protocol Abracadabra/Spell, stealing ETH tokens valued at $13 million. Security firm PeckShield said the attackers manipulated the liquidation process within the integration of Abracadabra’s “cauldrons” on GMX V2’s pools. The exploit involved using flash loans, which are uncollateralized loans repaid within the same block, to liquidate the attacker’s position and profit from liquidation incentives. Crypto researcher Weilin Li said the borrower had no actual collateral, making the attack possible. The stolen funds were later transferred from Arbitrum to Ethereum. This marks the second major incident for Abracadabra, following a $6.5 million loss in a similar manipulation of its Magic Internet Money stablecoin in January.
Treasury Department Lifts Tornado Cash Sanctions
The U.S. Department of the Treasury lifted sanctions against Tornado Cash, a cryptocurrency mixer previously linked to North Korean hackers. The decision follows a ruling by a U.S. Court of Appeals for the Fifth Circuit in November 2024, which found that the Office of Foreign Assets Control exceeded its authority in sanctioning the platform.
OFAC sanctioned Tornado Cash in August 2022, accusing it of laundering over $7 billion since 2019. This included $455 million stolen by the Lazarus Group in the Axie Infinity hack, as well as funds from the Nomad and Harmony bridge heists.
Tornado Cash founders Roman Storm and Roman Semenov face charges for facilitating over $1 billion in money laundering, while co-founder Alexey Pertsev was sentenced to over five years in the Netherlands.
Bybit CEO Shares Hack Update
Hackers who stole $1.5 billion from Bybit in February are using mixers and peer-to-peer vendors to launder stolen funds. Bybit CEO Ben Zhou said that 86% of the stolen assets – around 440,091 ETH worth $1.23 billion – were converted into 12,836 BTC. The funds were dispersed across 9,117 wallets, averaging 1.41 BTC per wallet. Zhou attributed the laundering efforts to the North Korean Lazarus Group, which has allegedly used mixers such as Wasabi, CryptoMixer and Railgun. So far, 193 BTC equaling around $16 million have been funneled through Wasabi before reaching P2P vendors. Bybit reported that 88.8% of the stolen funds were traceable, while 7.6% are untraceable and 3.5% have been frozen. Data from Arkham shows the Lazarus Group now holds approximately 13,400 BTC, with most of it linked to the Bybit hack.
US Authorities Will Return $7M to Scam Victims
U.S. authorities will return $7 million to victims of a social engineering scam that tricked them into depositing money into fake cryptocurrency platforms. Fraudsters earned the trust of victims before directing them to fraudulent sites that falsely displayed investment gains. When victims attempted to withdraw funds, they were pressured into sending additional money under the guise of paying taxes on their supposed profits. The perpetrators used over 75 bank accounts under shell companies to funnel the stolen funds abroad. The U.S. Secret Service seized a portion of the funds in 2023 and reached a settlement agreement with the foreign bank holding the money.
South Korean Faces Prison for Stabbing Crypto CEO on Trial
South Korean prosecutors reportedly requested a 10-year prison sentence for a man accused of stabbing Haru Invest CEO Lee Hyung-soo during a court hearing in August 2024. The Seoul Southern District Prosecutor’s Office argued the severity of the crime justified the sentence.
The attacker, identified as “Kang,” allegedly stabbed Lee in the neck multiple times with a fruit knife. Although Lee was hospitalized, his injuries were not life-threatening. The attack took place while Lee faced fraud charges over Haru Invest’s alleged involvement in a $962 million scheme that defrauded around 16,000 investors. Prosecutors claim Haru Invest promised high-interest returns despite financial instability. Kang reportedly lost BTC worth $8.3 million and acted out of emotional distress. His defense lawyer argued the charge should be reduced to aggravated assault. The court is set to deliver its verdict on April 4.
Hollywood Director Charged for Swindling $11M to Invest in Stocks, Crypto
Filmmaker Carl Erik Rinsch, known for directing “47 Ronin,” was arrested in West Hollywood and charged with fraud and money laundering over a failed $11 million investment in his science fiction series White Horse. Federal prosecutors allege that instead of completing the show, Rinsch used the funds for personal expenses and risky trading in securities and cryptocurrencies, losing most of the money. He reportedly spent millions on luxury cars, legal fees and credit card payments.
The indictment says Rinsch later turned a $4 million Dogecoin investment into $27 million. He faces one count of wire fraud, one count of money laundering and five counts of engaging in unlawful monetary transactions, with potential prison sentences totaling decades. After an initial court appearance in Los Angeles, Rinsch was released on a $100,000 bond. His court date in New York, where prosecutors filed the indictment, is pending.
Ripple-SEC Case Wraps Up
Ripple CEO Brad Garlinghouse said that the company’s four-year legal battle with the U.S. Securities and Exchange Commission has concluded. The SEC accused Ripple in 2020 of raising $1.3 billion through the sale of XRP, claiming it was an unregistered security. While a 2023 court ruling found that some XRP sales were not securities, Ripple was ordered to pay $125 million in fines for institutional sales. A change in SEC management following the inauguration of Donald Trump as president shifted the agency’s stance on crypto regulation. It has dropped multiple cases, including the lawsuit against Ripple. The SEC still needs to formally vote to drop the appeal, but Garlinghouse said the case is effectively over.
Garantex Operators Flock to Grinex
Operators of the sanctioned crypto exchange Garantex launched a new platform called Grinex, allegedly continuing their operations from Russia, analytics firm Global Ledger said. An international law enforcement operation in early March seized Garantex servers. U.S. federal prosecutors charged its two suspected administrators with money laundering conspiracy. The Department of the Treasury sanctioned Garantex in 2022 for laundering illicit funds from ransomware attacks and darknet markets. It processed $60 billion in transactions despite the sanctions. Global Ledger claims Grinex uses the same infrastructure as Garantex and has already processed nearly $30 million using a ruble-backed stablecoin A7A5. Garantex is accused of transferring billions in A7A5 tokens to Grinex between February and March. One of the two charged Garantex operators, Aleksej Besciokov, was arrested in India and faces extradition to the United States. Co-operator Aleksandr Mira Serda is at large.
Gotbit Founder Agrees to Plea Deal
Gotbit founder Aleksei Andriunin agreed to a plea deal with the U.S. Attorney for the District of Massachusetts after facing wire fraud and crypto market manipulation charges. Under the deal, the Russian national will forfeit $22.9 million in stablecoins – $18.7 million in USDT and $4.2 million in USDC – and plead guilty to one count of conspiracy to commit wire fraud and market manipulation and two counts of wire fraud. While he faces up to 20 years in prison for the charges, prosecutors will recommend a sentence of up to 24 months and 36 months of supervised release, with no fine due to the forfeiture. Andriunin also agreed to refrain from any cryptocurrency-related activities in the U.S. during supervised release. Extradited from Portugal in February, Andriunin was accused of running fraudulent trading schemes that inflated cryptocurrency prices.
Coinbase Targeted in GitHub Actions Supply Chain Attack
Researchers from Wiz and Unit42 identified Coinbase as the primary target in a recent GitHub Actions supply chain attack that compromised secrets in hundreds of repositories. Attackers injected malicious code into the reviewdog/action-setup@v1 action on GitHub, causing it to leak CI/CD secrets and authentication tokens into logs.
The attackers used a stolen personal access token to push malicious commits, further exposing secrets. While the attack initially focused on Coinbase’s blockchain AI agent framework coinbase/agentkit, the malicious action impacted over 218 repositories out of the 23,000 using changed-files. Coinbase told Unit42 that no assets were compromised in the incident. The investigation revealed that the attackers expanded their efforts to other repositories after failing to achieve their initial objective.
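A reference such as reviewdog/action-setup@v1 resolves to whatever commit the v1 tag currently points at, while a full 40-character commit SHA cannot be repointed. The script below is an added example, not code from the article or the affected projects: it audits workflow text for actions referenced by tag or branch and marks those on a watchlist. The sample workflow, the SHA and the example-org/changed-files name are constructed for illustration.

```python
import re

# `uses:` reference of the form owner/repo[/path]@ref; local (./...) and
# docker:// references do not match and are ignored.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([\w.-]+/[\w./-]+)@([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow; the SHA and example-org action are placeholders.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - uses: reviewdog/action-setup@v1
      - name: changed files
        uses: example-org/changed-files@main  # hypothetical action
      - uses: ./.github/actions/local-build
      - uses: docker://alpine:3.19
"""

def find_mutable_action_refs(workflow_text, watchlist=()):
    """Return one finding per action that is not pinned to a full commit SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        action, ref = match.groups()
        if FULL_SHA_RE.match(ref):
            continue  # immutable pin: the reference cannot be moved later
        findings.append({
            "line": lineno,
            "action": action,
            "ref": ref,
            # True when the action (or a sub-path of it) is on the watchlist
            "watchlisted": any(action == w or action.startswith(w + "/")
                               for w in watchlist),
        })
    return findings

if __name__ == "__main__":
    for f in find_mutable_action_refs(SAMPLE_WORKFLOW, ("reviewdog/action-setup",)):
        flag = "WATCHLIST" if f["watchlisted"] else "mutable"
        print(f"line {f['line']}: {f['action']}@{f['ref']} [{flag}]")
```
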
Binance Suspends Employee Over Insider Risk Threat
Binance suspended an employee accused of using insider information for personal gain, the exchange said. The staff member who was previously in a business development role at BNB Chain exploited knowledge of an upcoming token generation event to purchase tokens before the event and later sell part of the holdings for profit.
Binance said that the employee, part of the Wallet team, wouldn’t have had access to the information through his current role. But the act constituted front-running, violating company policies. The employee was suspended, pending further disciplinary action. Binance didn’t name the project involved, but users on X, formerly Twitter, speculated that it was related to the Binance Smart Chain memecoin UUU token.