Cryptohack Roundup: $6.1M Wemix Theft

Every week, Information Security Media Group rounds up cybersecurity incidents in digital assets. This week, $6.1M Wemix theft, OKX suspended services, Vermont dropped Coinbase case, new RAT-targeted crypto wallet extensions, TJ Stone got prison time, Nebraska’s new crypto ATM rule, Trezor disclosed a potential bug in older wallets and British prosecutors charged a former police officer for 50 Bitcoin theft.

See Also: OnDemand | NSM-8 Deadline July 2022:Keys for Quantum-Resistant Algorithms Implementation

Hackers stole crypto tokens worth around $6.1 million from blockchain gaming platform Wemix, CEO Kim Seok-Hwan said. The attackers infiltrated Wemix by exploiting stolen authentication keys used for monitoring the non-fungible token platform Nile, likely accessed from a compromised shared repository, Yonhap News reported. They orchestrated the theft for over two months, attempting 15 withdrawals and succeeding with 13, and laundered the funds through multiple exchanges. Developed by South Korea’s Wemade, Wemix integrates blockchain technology into games such as Mir4. The company suspended operations after the attack to migrate its infrastructure to a more secure environment, aiming to resume service by March 21.

OKX Web3 temporarily suspended its decentralized exchange aggregator services to implement security upgrades following reports that North Korea’s Lazarus Group attempted to launder $100 million worth of stolen cryptocurrency on the platform. The move comes after a record-breaking $1.5 million heist from Bybit. Despite reports saying that EU regulators were investigating OKX, the exchange denied the claims, accusing Bybit of spreading misinformation. OKX said it detected coordinated misuse of its services and is taking steps to prevent further abuse. Planned security measures include a system to identify and track hacker-linked addresses on its DEX aggregator, alongside real-time blocking of these addresses on its centralized exchange. OKX is also collaborating with blockchain explorers to enhance transparency and label suspicious transactions.

Vermont’s Department of Financial Regulation dropped a lawsuit against Coinbase, following the U.S. Securities and Exchange Commission’s decision to dismiss its own case against the crypto exchange. The state had accused Coinbase of offering unregistered securities through its staking service. The regulator cited the SEC’s recent plans to form a task force for crypto regulation as a motive for withdrawing its show cause order without prejudice. Coinbase Chief Legal Officer Paul Grewal welcomed the decision. Filed in June 2023, the case was part of a broader crackdown involving several U.S. states. Now with mounting dismissals and the resignation of SEC Chair Gary Gensler, Coinbase and other crypto firms are gaining legal ground. Grewal also filed a Freedom of Information Act request to uncover details on the SEC’s enforcement actions under Gensler’s leadership.

Microsoft uncovered a remote access Trojan called StilachiRAT. The malware targets 20 cryptocurrency wallet extensions on Google Chrome, including MetaMask, Coinbase Wallet, Trust Wallet and TronLink. It also extracts saved credentials from Chrome, monitors clipboard activity for sensitive information and tracks active applications. StilachiRAT employs techniques including deleting system logs and manipulating Windows registry settings to maintain persistence. It can execute commands from a remote command-and-control server, allowing attackers to reboot systems, steal data and manipulate applications. Microsoft did not attributed StilachiRAT to any known threat actor.

Brooklyn-based podcaster and crypto personality Thomas John Sfraga, aka TJ Stone, was sentenced to nearly four years in prison for wire fraud involving fake cryptocurrency and real estate schemes. A federal court also ordered Sfraga to forfeit $1,337,700. He convinced at least 17 victims to invest in non-existent construction projects and a bogus cryptocurrency digital wallet, falsely promising returns of up to 60% within three months. Sfraga used the stolen funds for personal expenses and to repay earlier victims. In total, he defrauded investors of around $2 million. Adding to his deception, Sfraga claimed to operate multiple businesses, including the fictional Vandelay Contracting Corp, a reference to the fictional Vandelay Industries from the sitcom Seinfeld.

Nebraska Governor Jim Pillen has signed into law a bill to combat fraud and protect users of cryptocurrency kiosks and ATMs. Known as the Controllable Electronic Record Fraud Prevention Act, the bipartisan legislation requires kiosk operators to be licensed under the Nebraska Money Transmitters Act. It also mandates clear disclosures of service terms and fraud warnings.

Trezor disclosed a potential vulnerability in its older Safe 3 crypto wallet that could allow attackers to compromise devices using a physical supply chain attack. Identified by rival Ledger’s security team Donjon, the issue involves a voltage glitching technique that manipulates the wallet’s microcontroller to reveal sensitive data. The exploit requires expertise and physical access and primarily affects users who may have purchased their device through unofficial channels. Trezor said that its latest Safe 5 model and earlier models such as Trezor Model One and Model T are not impacted. The company is not advising immediate action for Safe 3 users who bought from authorized sources but warns that third-party access could pose a risk.

The U.K. Crown Prosecution Service has authorized charges against National Crime Agency officer Paul Chowles for allegedly stealing 50 bitcoin during a 2017 investigation into online organized crime. Forty two-year-old Chowles faces 15 charges, including 11 counts of concealing, disguising or converting criminal property, three counts of acquiring or possessing criminal property, and one count of theft. He is scheduled to appear at Liverpool Magistrates’ Court on April 25. The NCA handles serious and organized crime across the United Kingdom. The CPS, responsible for prosecuting criminal cases, announced the charges following an investigation by Merseyside Police.