Also: Milk Sad Vulnerability, FBI Forfeiture, X Crypto Scams
Every week, Information Security Media Group rounds up cybersecurity incidents in digital assets. This week’s roundup incidents includes Argentina’s investigation into WorldCoin; hackers’ exploitation of Libbitcoin, Zunami and RocketSwap; Curve Finance’s compensation plans for hack victims; the FBI’s $1.7 million forfeiture; and X’s crypto scam problem.
Argentina is the latest country to investigate OpenAI founder Sam Altman’s digital identity project and new cryptocurrency WorldCoin. The country’s Public Information Access Agency will analyze the processes and practices WorldCoin follows to collect, store and use personal data, the agency said.
The countries primarily seek to establish how the company stores, processes and uses sensitive data. WorldCoin aims to offer a global “digital passport” to prove the holder is a human and not an AI bot. The service, which launched July 24, stores on a blockchain iris scans made using the company’s bowling ball-sized “orb.” It offers free cryptocurrency in some countries as an incentive to join.
Milk Sad Vulnerability
Hackers are exploiting a vulnerability in Bitcoin development toolkit Libbitcoin that was used to steal at least $900,000 worth of crypto from multiple blockchains and has affected 2,600 Bitcoin wallets since May, said information security firm Distrust.
The vulnerability, dubbed Milk Sad after the first two words of the seed phrase generated by the bug, allows exploiters to “re-compute and find a victim’s originally used entropy after a maximum of about 4.29 billion attempts if they have specific characteristics to look for to see if they successfully found a cryptocurrency wallet.” Anyone with basic programming skills and an average gaming PC could brute-force this key space in a few days of computation, the researchers said.
The Libbitcoin team said it was too busy to respond when Distrust informed it of the vulnerability on July 22 and said on Aug. 3 that the issue need not be characterized as a bug, the security company’s researchers said.
Hackers exploited a price manipulation vulnerability on decentralized finance platform Zunami Protocol to steal more than $2.1 million and launder it via the U.S. government-sanctioned crypto mixer Tornado Cash, said security firm PeckShield. Zunami acknowledged the attack and said a team was investigating the incident.
Decentralized exchange RocketSwap lost $870,000 in a hack due to multiple vulnerabilities, including storing user private keys on its cloud servers. Hackers brute-forced their way into the systems, transferred the stolen assets to the Ethereum blockchain and created a memecoin called LoveRCKT. The memecoin’s popularity tripled its price in a day, soaring from $0.00000001 to $0.00000003, shortly before plummeting by more than 90%.
Curve Finance Update
Curve Finance said it is mulling a distribution plan for the victims after recovering 70% of the funds stolen in a recent $73 million hack. The hackers involved in the theft, along with ethical operators, returned the funds over several days. The company will continue to investigate the location of the missing funds.
The Federal Bureau of Investigation seized $1.7 million worth of cryptocurrency as part of three-month operation that concluded in May, it said in a Thursday notification. The digital assets, which included BTC, ETH, USDT, Monero and DAI tokens, were held across geographies and exchanges, including popular ones such as Binance.
Crypto Scammers Attack X Users
Bad actors have attacked more than 365 victims in cryptocurrency giveaway scams on X, siphoning off $870,000 between June 2022 and 2023. The social media platform formerly called Twitter has been home to more than 95,111 scam lists created by 87,617 accounts in the period, San Diego State University researchers said. Nearly 44% of the spam accounts continued to be active as of last week. The results are based on conclusions from an in-house, fully automated scam detection system called GiveawayScamHunter.