Also: Hackers Use Ethereum Smart Contracts to Hide Malicious npm Code

Every week, Information Security Media Group rounds up cybersecurity incidents in digital assets. This week, SwissBorg hit by $41M hack, hackers used Ethereum smart contracts to hide malicious npm code, U.S. sanctioned Southeast Asian cybercrime networks, a California man got a 4-year sentence for laundering $36.9M, Kinto to shut down, Venus Protocol will return $11.4M to phishing victim, Nemo Protocol exploited for $2.4M, U.S. federal prosecutors sued to recover $5M in stolen bitcoin, Lagarde urged tighter stablecoin rules for non-EU issuers and the SEC, CFTC will discuss crypto market regulations.
SwissBorg Hit by $41M Solana Breach Linked to Partner API
Swiss crypto platform SwissBorg lost about $41 million in Solana tokens following a security breach tied to its earnings program. The company said the incident did not compromise its app directly but stemmed from the exploitation of a partner API.
Blockchain investigator ZachXBT pegged the loss at $41.3 million. SwissBorg said it will tap its SOL treasury to cover “a significant portion” of user balances and is working with white-hat hackers and security firms to recover funds, aiming to make affected users whole.
The company said that no other earnings programs or assets within its proprietary app were impacted. “This is a difficult day for SwissBorg,” a spokesperson said in a video post on X, formerly Twitter, pledging that final reimbursement details would be announced soon.
Hackers Use Ethereum Smart Contracts to Hide Malicious npm Code
Cybercriminals are exploiting Ethereum smart contracts to conceal command-and-control instructions in malicious npm packages, ReversingLabs found. Researchers discovered two packages, colortoolsv2 and a clone, mimelib2.
Instead of hard-coding malicious links, the packages pulled command and control URLs directly from blockchain contracts before fetching second-stage payloads. Obfuscation made detection and takedown difficult. The attackers also set up fake crypto-themed GitHub repositories, inflated with bogus stars and auto-generated commits to trick developers into incorporating their packages.
Repository maintainers removed the malware. The npm repository is a recurring target for hackers to upload malicious software packages or introduce supply chain compromises (see: Hackers Compromise 18 NPM Packages in Supply Chain Attack).
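A defender's triage sketch for the pattern described above, as an added example that is not from the original article or from ReversingLabs: it flags a package whose files combine an Ethereum read, a network download and process execution, and rates it higher when an install hook is present. The indicator lists, the `scanPackage` name and the sample package contents are assumptions constructed for illustration.

```javascript
// Added example: static triage of npm package contents (defensive heuristic).
// Indicator lists are illustrative assumptions, not ReversingLabs signatures.
const INDICATORS = {
  chainRead: [/\beth_call\b/, /require\(["'](ethers|web3)["']\)/,
              /from\s+["'](ethers|web3)["']/],
  download: [/require\(["'](node:)?(https?|axios|node-fetch)["']\)/, /\bfetch\(/],
  execute: [/require\(["'](node:)?child_process["']\)/,
            /from\s+["'](node:)?child_process["']/],
};
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// files: object mapping file name -> file text, as unpacked from a tarball.
function scanPackage(files) {
  const hits = { chainRead: [], download: [], execute: [] };
  let hooks = [];
  for (const [name, text] of Object.entries(files)) {
    if (name === "package.json") {
      let manifest = {};
      try { manifest = JSON.parse(text); } catch (e) { /* malformed: no hooks */ }
      const scripts = (manifest && manifest.scripts) || {};
      hooks = INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string");
      continue;
    }
    for (const [kind, patterns] of Object.entries(INDICATORS)) {
      if (patterns.some((re) => re.test(text))) hits[kind].push(name);
    }
  }
  // An on-chain read is normal in web3 code; it matters only when the same
  // package can also download and execute something.
  const stage2 = hits.download.length > 0 && hits.execute.length > 0;
  let verdict = "no-finding";
  if (hits.chainRead.length > 0 && stage2) verdict = hooks.length ? "high" : "review";
  return { verdict, hooks, hits };
}

// Constructed sample inputs (not the real packages' contents).
const SUSPECT = {
  "package.json": JSON.stringify({ name: "sample-a", scripts: { postinstall: "node index.js" } }),
  "index.js": ['const { ethers } = require("ethers");', 'const https = require("https");',
               'const { exec } = require("child_process");'].join("\n"),
};
const WALLET_LIB = {
  "package.json": JSON.stringify({ name: "sample-b", scripts: { test: "node test.js" } }),
  "index.js": 'import { ethers } from "ethers";\nexport const toWei = (n) => ethers.parseEther(n);',
};

console.log(scanPackage(SUSPECT).verdict, scanPackage(WALLET_LIB).verdict); // high no-finding
```

A "high" or "review" verdict is a prompt for manual inspection, not proof of malice; obfuscated code can evade string matching of this kind.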
US Sanctions Southeast Asian Cybercrime Network Behind Crypto Scams
The U.S. Department of Treasury sanctioned 19 entities tied to large-scale crypto scams in Southeast Asia, including nine groups in Myanmar’s Shwe Kokko region and ten in Cambodia.
Treasury officials said the networks defrauded Americans and also forced thousands of people into modern slavery. Scam operators lured workers into perpetuating the scams through false job offers and coerced them through debt bondage, violence and threats of forced prostitution. Workers are often forced into executing romance scams – building fake relationships before steering targets to phony crypto platforms.
The sanctions freeze all U.S.-linked assets of the designated groups and extend to entities they control. “This industry threatens both financial security and human rights,” said Treasury Under Secretary John K. Hurley.
California Man Gets 4-Year Sentence for Laundering $36.9M
A U.S. federal judge has sentenced a California man to more than four years in prison for laundering nearly $37 million stolen from investors in a Cambodia-based crypto fraud scheme.
Shengsheng He, 39, of La Puente, also must pay $26.8 million in restitution after pleading guilty to conspiracy to operate an unlicensed money transmitting business. He co-owned Axis Digital Limited, a Bahamas-based shell company that routed funds from victims to overseas accounts.
Prosecutors said scammers posing as crypto investment firms contacted victims through texts, calls, social media and dating apps. Fraudsters funneled money through bank accounts and Axis Digital to Deltec Bank in the Bahamas, later converting the funds into USDT for distribution to scam centers in Cambodia’s Sihanoukville.
Eight additional co-conspirators have entered guilty pleas for their role in the scam.
Kinto to Shut Down After $1.55M Exploit Leaves Platform Insolvent
Kinto, an Ethereum Layer 2 “modular exchange,” will close Sept. 30 following a July exploit that drained $1.55 million from its lending pools. The attack, which minted 110,000 fake tokens and crashed Kinto’s token price by 95%, exploited a smart contract vulnerability flagged just hours earlier by security researchers.
Kinto attempted a comeback through a $1 million recovery effort it dubbed “Phoenix,” which relaunched trading with a new token and partial liquidity replenishment. But the debt burden was unsustainable, leaving financing options exhausted.
Founder Ramon Recuero, who previously led recovery efforts after the Rari Protocol hack, pledged to reimburse affected users. Remaining assets will return 76% of the loan principal to Phoenix lenders, while Recuero is contributing $55,000 of personal funds to cover some Morpho bad debt victims. In announcing the shutdown, he said it’s better for Kinto to wind down rather than drift into “zombie mode.”
Venus Protocol Returns $11.4M to Victim of Phishing Scam
Decentralized finance lender Venus Protocol said it reimbursed $11.4 million to Eureka Trading CEO Kuan Sun after he lost funds in a phishing attack earlier this month. Sun had signed a malicious transaction on a fake Zoom client on Sept. 2, granting token approvals that allowed an attacker to drain assets worth about $13 million at the time.
Although Venus itself was not exploited, the platform paused operations within 20 minutes to investigate. An audit confirmed system integrity and a community-approved forced liquidation of the attacker’s wallet enabled the recovery. On-chain security firms PeckShield, Hexagate and Hypernative Labs assisted in the effort.
Nemo Protocol Exploited for $2.4M in Stablecoins
A $2.4 million exploit drained stablecoins from the market pool of DeFi platform Nemo Protocol. Security firm PeckShield first flagged the incident, saying that the attacker had already bridged stolen USDC from Arbitrum to Ethereum.
Nemo confirmed the breach in a Telegram post, saying all smart contract activity was suspended while investigations continue. The team said that vault assets were secure but has not yet disclosed the root cause.
The exploit coincided with a planned maintenance window for the Nemo App. Nemo, which specializes in yield tokenization to help users trade, hedge and leverage yields, said it will share more details once the inquiry progresses.
US DOJ Seeks to Recover $5M in Bitcoin Stolen Through SIM Swap Attacks
The U.S. Department of Justice filed a civil forfeiture complaint to reclaim more than $5 million in bitcoin tied to SIM swap attacks that targeted five victims between October 2022 and March 2023. Prosecutors allege the attackers tricked mobile carriers into transferring victim phone numbers, allowing them to intercept authentication codes and drain cryptocurrency wallets.
U.S. Attorney Jeanine Ferris Pirro said the perpetrators funneled the stolen bitcoin through multiple wallets before consolidating it into an account on crypto casino Stake.com. Investigators said many of the transactions were circular, a laundering tactic designed to obscure the origin of funds by mimicking legitimate flows.
Lagarde Urges Tighter Stablecoin Rules for Non-EU Issuers
European Central Bank President Christine Lagarde said gaps in the European Union’s cryptoassets regulation leave the region exposed to risks from non-EU stablecoin issuers. Speaking at the European Systemic Risk Board conference, Lagarde said all issuers operating in the trading bloc should face the same reserve requirements as EU-based firms in order to prevent potential runs.
The Markets in Crypto-Assets Regulation, which took effect late last year, requires issuers to hold reserves in bank deposits and allow investors to redeem at par value without fees. But Lagarde said that vulnerabilities exist in joint issuance schemes where only the EU portion of a stablecoin is subject to strict rules, creating opportunities for regulatory arbitrage. In such cases, investors would flock to EU redemptions, quickly exhausting reserves.
US SEC, CFTC Plan Joint Roundtable on Crypto Market Clarity
The U.S. Securities and Exchange Commission and the Commodity Futures Trading Commission are stepping up efforts to clarify crypto regulation, announcing a joint roundtable for Sept. 29 in Washington, D.C. The meeting is open to the public and webcast live, and will focus on aligning rules for products such as spot crypto assets, perpetual contracts, event contracts and decentralized finance.
In a joint statement, SEC Chairman Paul Atkins and CFTC Acting Chairman Caroline Pham said the agencies aim to harmonize definitions, streamline reporting standards, align capital and margin rules, and explore coordinated innovation exemptions under existing authority. They said that registered U.S. exchanges are already permitted to list and trade certain spot crypto products under current law. Calling it “a new day” for regulation, the chairs said closer collaboration could transform America’s dual-agency framework into a strength for investors and market participants.