Also: A $40M Block Penalty, US SEC Guidance on Crypto Laws

Every week, Information Security Media Group rounds up cybersecurity incidents in digital assets. This week, a KiloEx exploit, Block fined $40M, U.S. Securities and Exchange Commission guidance on crypto laws, Senate Democrats slammed NCET disbandment, $4.3M scam disrupted, guilty plea in $3.3M tax evasion and a South Korea ban on crypto apps.
KiloEx Loses $7M to Price Oracle Exploit
Decentralized exchange KiloEx suffered a $7 million exploit across Base, BNB Chain and Taiko after a hacker manipulated its price oracle system, said Web3 security firm Cyvers. The attacker, whose wallet was funded through Tornado Cash, exploited an access control vulnerability to feed false price data to KiloEx. This allowed them to open leveraged positions and drain funds, including over $3 million in a single transaction. KiloEx confirmed the breach, halted trading and is now tracing the stolen funds with security partners. In a public appeal, the platform offered the attacker 10% of the loot as a reward if 90% is returned. If ignored, KiloEx vowed to involve law enforcement and expose the hacker’s identity.
Block Fined $40M Over Lapses in Cash App AML Controls
Block, Inc., the fintech company formerly known as Square, will pay $40 million to settle allegations by the New York Department of Financial Services that it failed to maintain adequate anti-money laundering controls for its Cash App’s bitcoin services. Regulators found that the company did not update its AML program to match its rapid growth and complexity, leaving compliance gaps, including poor customer due diligence and a lack of risk-based controls to monitor high-risk crypto transactions. Regulators said the company allowed largely anonymous Bitcoin transactions to go unchecked. As part of the settlement, Block must appoint an independent monitor to oversee improvements. This is Block’s second major AML-related settlement in 2024, following an $80 million agreement with 48 state regulators in January.
New US SEC Guidance Explains Crypto Laws
The U.S. Securities and Exchange Commission published guidance to clarify how federal securities laws apply to certain securities offerings and registrations in the crypto asset market. It offers direction for issuers whose operations involve blockchain networks, applications, or investment contracts tied to crypto assets. The statement does not define whether a crypto asset is a security, a matter of contention between the SEC during the Biden administration and regulation-wary crypto enthusiasts. The guidance says the SEC does not require registration if the crypto asset is not a security or part of an investment contract. The guidance targets entities issuing equity or debt related to blockchain projects, registering investment contracts tied to initial coin offerings, or issuing crypto assets that offer profit-sharing or voting rights. It also applies to companies incorporating non-fungible tokens into video games.
Senate Democrats Slam DOJ for Disbanding Crypto Enforcement Team
Six Democratic senators, including Massachusetts Sen. Elizabeth Warren, criticized Deputy Attorney General Todd Blanche for disbanding the Department of Justice’s National Cryptocurrency Enforcement Team and scaling back crypto-related prosecutions. In a letter published Thursday, lawmakers said easing enforcement enables money laundering, sanctions evasion, drug trafficking and child exploitation. They particularly objected to Blanche’s directive to stop targeting crypto exchanges and mixers, tools often used by cybercriminals and state-backed hackers, including those from North Korea. The letter argues that halting digital asset crime investigations undermines the Bank Secrecy Act and weakens anti-money laundering safeguards. The senators also said NCET played a critical support role for state and local law enforcement, warning that dismantling it will impair crypto crime investigations nationwide. The letter comes amid broader deregulation efforts under President Donald Trump, including his repeal of an IRS rule requiring decentralized finance platforms to report trading data.
US Secret Service, Canadian Authorities Disrupt $4.3M Ethereum Phishing Scam
The U.S. Secret Service and the British Columbia Securities Commission launched “Operation Avalanche” to combat a widespread Ethereum scam known as approval phishing. The joint effort is aimed at identifying compromised crypto wallets and alerting victims before further losses occur. Approval phishing scams trick users into unknowingly authorizing malicious smart contracts that give scammers control over their assets. By collaborating with Canadian police, securities regulators, crypto exchanges and a blockchain analytics firm, the team uncovered wallets that had collectively lost $4.3 million. Authorities have begun notifying affected users.
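An authorization of the kind described above is recorded on-chain as an ERC-20 `Approval` event, so a wallet can be audited for allowances that are still open. The following is an added example, not from the article or from the agencies' tooling; the addresses, the allowlist and the log entries are constructed, and the logs are assumed to have the shape returned by the JSON-RPC `eth_getLogs` call.

```python
# Added example: all addresses, the allowlist and SAMPLE_LOGS are constructed.
# keccak256("Approval(address,address,uint256)"), the ERC-20 event signature
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1

def _addr(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def outstanding_approvals(logs, trusted_spenders):
    """Replay logs in chain order; return allowances still open to unknown spenders."""
    trusted = {s.lower() for s in trusted_spenders}
    state = {}
    for log in sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16))):
        topics, data = log["topics"], log["data"]
        # ERC-721 Approval shares topic0 but has 4 topics (tokenId indexed): skip it.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC or len(data) != 66:
            continue
        key = (log["address"].lower(), _addr(topics[1]), _addr(topics[2]))
        state[key] = int(data, 16)  # a later approval overwrites the earlier one
    return [
        {"token": t, "owner": o, "spender": s, "value": v, "unlimited": v == UNLIMITED}
        for (t, o, s), v in state.items()
        if v != 0 and s not in trusted  # zero means the allowance was revoked
    ]

def _log(block, index, spender, value, extra_topics=()):
    pad = lambda a: "0x" + "00" * 12 + a[2:]
    return {"address": TOKEN, "blockNumber": hex(block), "logIndex": hex(index),
            "topics": [APPROVAL_TOPIC, pad(OWNER), pad(spender), *extra_topics],
            "data": "0x" + format(value, "064x")}

TOKEN, OWNER = "0x" + "11" * 20, "0x" + "aa" * 20
KNOWN_DEX, UNKNOWN_A, UNKNOWN_B = "0x" + "bb" * 20, "0x" + "cc" * 20, "0x" + "dd" * 20

SAMPLE_LOGS = [
    _log(19, 0, UNKNOWN_B, 0),            # revocation, listed out of order on purpose
    _log(16, 0, KNOWN_DEX, UNLIMITED),    # allowlisted spender
    _log(17, 0, UNKNOWN_A, UNLIMITED),    # unlimited allowance to an unknown spender
    _log(18, 1, UNKNOWN_B, 500),          # bounded approval, revoked in block 19
    _log(20, 0, UNKNOWN_B, 7, ("0x" + "00" * 32,)),  # 4 topics: ERC-721 style, ignored
]

if __name__ == "__main__":
    for finding in outstanding_approvals(SAMPLE_LOGS, [KNOWN_DEX]):
        print(finding)
```

Any finding is a candidate for revocation by the wallet owner; an unlimited allowance to an unrecognised spender is the one to review first.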
Man Pleads Guilty to $3.3M Tax Evasion on CryptoPunk NFT Sales
Waylon Wilcox, 45, of Pennsylvania pleaded guilty to underreporting income after earning over $13 million from the sale of 97 CryptoPunk NFTs in 2021 and 2022. By failing to disclose the profits, he avoided nearly $3.3 million in taxes. Wilcox’s guilty plea marks the first major U.S. tax evasion case tied to NFT sales. The IRS requires taxpayers to report capital gains from virtual currency and NFTs. Wilcox faces up to six years in prison, though the plea deal may shorten his sentence. The IRS said it remains committed to cracking down on crypto-related tax evasion.
South Korea Blocks 14 Foreign Crypto Apps on Apple Store
South Korea’s Financial Services Commission blocked 14 unregistered foreign crypto platforms, including KuCoin and MEXC, from Apple’s App Store. Prompted by a request from the Financial Intelligence Unit, the move prevents new downloads and updates for these apps within the country. This follows a similar ban on Google Play Store apps. Under South Korean law, foreign crypto service providers must register with the FIU before operating in the country; noncompliance carries penalties of up to five years in prison or fines of 50 million won, or approximately $35,000.
