Also: Mango Markets Hacker’s Convictions Overturned, Coinbase Lawsuit

Every week, Information Security Media Group rounds up cybersecurity incidents in digital assets. This week: Cetus Protocol was hacked for $223M, a U.S. judge overturned the Mango Markets hacker's convictions, shareholders filed a class action lawsuit against Coinbase, Cork Protocol lost $12M in an exploit, fake software sites spread crypto-stealing malware, police made arrests in a violent crypto-linked kidnapping and Australia launched civil penalty proceedings against an ex-ACX exec.
Cetus Protocol Hack Prompts $223M Recovery Plan
Cetus Protocol, a decentralized exchange on the Sui and Aptos blockchains, suffered a $223 million exploit after an attacker exploited a vulnerability in its liquidity pool smart contract. The flaw stemmed from an open-source code package used in its Concentrated Liquidity Market Maker model, allowing manipulation of pool liquidity. The attacker bridged some funds to Ethereum and swapped tokens into ETH and USDC.
Cetus has paused smart contracts and traced the hacker’s Ethereum wallet. It offered the hacker a settlement to return the stolen funds and keep $6 million as “bounty” to avoid legal consequences. Validators on Sui meanwhile voted to freeze $162 million of the stolen assets, though critics questioned the network’s decentralization. Cetus also launched a community vote to unlock its treasury and secure a Sui Foundation loan, enabling 100% user fund recovery if successful.
Judge Overturns Mango Markets Fraud Convictions
A U.S. federal judge vacated two fraud convictions and acquitted a third against Avraham Eisenberg, the trader accused of exploiting decentralized finance platform Mango Markets. Judge Arun Subramanian of the U.S. District Court for the Southern District of New York ruled that prosecutors tried Eisenberg in the wrong court. “Eisenberg was never in New York in connection with this scheme; he was in Puerto Rico,” Subramanian wrote.
The judge also acquitted Eisenberg of a wire fraud charge, concluding that manipulating a price oracle to inflate collateral value on a platform without explicit rules did not constitute a legal violation. Prosecutors argued Eisenberg’s actions were deceptive, but the court found insufficient evidence to meet the legal threshold.
The government could decide to retry Eisenberg on the two fraud counts. He still faces a four-year prison sentence from an unrelated conviction for possession of child sexual abuse material. Mango Markets faced legal and operational turmoil post-exploit and shut down earlier this year.
Coinbase Faces Class Action Lawsuit
Coinbase shareholders filed a class action lawsuit against the crypto exchange, alleging it failed to disclose critical information that led to a drop in its stock price. Filed in the U.S. District Court for the Eastern District of Pennsylvania, the lawsuit accuses Coinbase of not informing investors about a December data breach – only revealed in May – in which employees were bribed to leak user data.
Following the disclosure, Coinbase’s stock fell 7.2%, closing at $244. The suit, led by investor Brady Nessler, also claims Coinbase did not disclose that its U.K. subsidiary CB Payments violated a 2020 agreement with the Financial Conduct Authority. Plaintiffs argue these omissions caused substantial financial harm, estimating potential breach-related costs between $180 million and $400 million. Coinbase CEO Brian Armstrong and CFO Alesia Haas are named as defendants. The suit seeks damages for investors who bought Coinbase shares between April 2021 and May this year.
Cork Protocol Loses $12M in Exploit
Decentralized finance platform Cork Protocol, which is focused on trading risks tied to asset depegging, suffered an exploit and lost about $12 million in wrapped staked ETH. Cyvers analysts said the attacker used a malicious contract to withdraw 3,761.87 wstETH. The stolen funds have only been converted to ETH and remain consolidated, contrary to the usual post-hack laundering tactics. Cork founder Phil Fogel confirmed the exploit, saying that the team has paused all contracts while it investigates the breach.
Fake Software Sites Spread Crypto-Stealing Malware
A cybercriminal group dubbed Dark Partners is running a global malware campaign by creating fake download sites that mimic popular AI tools, crypto platforms and VPN services. These cloned websites distribute infostealers (Poseidon for macOS and Lumma for Windows) and malware loaders such as PayDay to steal cryptocurrency and sensitive data such as browser cookies, private keys and wallet credentials.
A web3 researcher using the pseudonym g0njxa discovered that the malware was disguised as legitimate tools like Sora, Runway, MetaTrader, Ledger and TikTok Studio. The PayDay Loader, targeting Windows, is digitally signed with stolen certificates and uses a stealthy VHD-based persistence method. Poseidon Stealer on macOS targets browsers and desktop wallet apps using a custom DMG launcher.
The malware exfiltrates data to command-and-control servers, one of which was hidden as a Google Calendar link. The signing certificates are now invalid, putting the campaign on hold. The researcher identified over 250 related domains and extensive indicators of compromise to aid ongoing investigations.
Arrests in Violent Kidnapping of Crypto Owner
New York City police arrested 37-year-old John Woeltz and a 24-year-old female accomplice in connection with the kidnapping and torture of an Italian tourist. Days later, William Duplessie, a 32-year-old Miami resident, turned himself in to the police in connection with the crime and faces charges of kidnapping, assault, unlawful imprisonment and criminal possession of a weapon.
The victim, lured to a SoHo apartment under the pretense of a business meeting, was allegedly held captive, beaten and tortured in an attempt to extort access to his crypto accounts, reportedly worth millions. The tourist escaped and alerted authorities, leading to the arrests. Police discovered Polaroid photos documenting the abuse, including one showing a gun aimed at the victim’s head. Woeltz was denied bail, and faces multiple charges, including kidnapping, unlawful imprisonment, assault and firearm possession.
ASIC Sues Former ACX Exchange Exec Over Alleged Funds Mismanagement
Australia's financial watchdog, the Australian Securities and Investments Commission, launched civil penalty proceedings against Allan Guo, the former executive behind the now-defunct ACX cryptocurrency exchange.
Guo is accused of breaching his duties by mismanaging customer funds, misrepresenting operations and failing to keep proper records during his tenure at ACX, which collapsed in 2019. Customers have since been unable to access their funds, with ACX’s parent company Blockchain Global owing more than AU$22.7 million – or US$14.6 million – in unsecured creditor claims, said ASIC.
The regulator began investigating last year after receiving a report from liquidators detailing potential violations of the Corporations Act. Guo was temporarily barred from leaving Australia in February last year but exited the country in September after the travel ban was lifted. ASIC said it continues to investigate other former Blockchain Global directors, including Samuel Xue Lee and Ryan Zijang Xu.