Attackers who hijacked the Curve Finance landing page moved quickly to convert the stolen funds into various tokens across different exchanges, wallets, and mixers.
Decentralized finance (DeFi) protocols continue to be targeted by hackers, and Curve Finance is the latest platform hit, following a DNS hijacking incident.
On August 9, the automated market maker warned users not to use the front end on its website, after several members of the crypto community pointed out the alleged exploit.
Although exactly how the attack was carried out is still being investigated, the consensus is that the attackers cloned the Curve Finance website and altered the domain's DNS records so that it resolved to the fake page. Users who tried to use the platform through it saw their funds deposited in a pool operated by the attackers.
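The defensive counterpart to the technique described above is to pin the DNS answers you expect for your own front end and alert the moment they drift. The following is an added illustration, not code from Curve Finance, Elliptic or the article: it compares a domain's live answers against a pinned baseline for both the A records (the host serving the page) and the NS records (the case where a registrar or DNS-provider compromise swaps the whole zone). The domain names, IP addresses and resolver answers are constructed placeholders, not Curve's real records, and the resolver is injected so the example runs offline.

```python
"""Added illustration, not code from Curve Finance, Elliptic or the article:
compare a domain's live DNS answers against a pinned baseline so that a
registrar- or DNS-level hijack (records redirected to an attacker's clone)
is detected. The domain names, IP addresses and resolver answers below are
constructed placeholders, not Curve's real records."""
import ipaddress
from typing import Callable, Dict, Iterable, List, Set

# Hypothetical baseline: the records the operator expects for its own front end.
# Pinning NS as well as A catches the registrar-level case, where the attacker
# swaps the nameservers rather than editing individual records.
BASELINE: Dict[str, Dict[str, Set[str]]] = {
    "dapp.example.org": {
        "A": {"203.0.113.10", "203.0.113.11"},  # TEST-NET-3 documentation range
        "NS": {"ns1.example-dns.net.", "ns2.example-dns.net."},
    },
}

# A resolver takes (name, record type) and yields answer strings. Injecting it
# keeps the example offline; in production this would wrap dnspython or `dig`.
Resolver = Callable[[str, str], Iterable[str]]


def _normalise(rtype: str, value: str) -> str:
    """Canonicalise an answer so cosmetic differences do not trigger alerts."""
    if rtype in ("A", "AAAA"):
        return str(ipaddress.ip_address(value.strip()))
    name = value.strip().lower()
    return name if name.endswith(".") else name + "."


def check_domain(domain: str, resolver: Resolver,
                 baseline: Dict[str, Dict[str, Set[str]]] = BASELINE) -> List[str]:
    """Return one finding per drifted record type; an empty list means no drift."""
    findings: List[str] = []
    for rtype, expected in baseline[domain].items():
        want = {_normalise(rtype, v) for v in expected}
        got = {_normalise(rtype, v) for v in resolver(domain, rtype)}
        unexpected = got - want
        missing = want - got
        if unexpected:
            findings.append(f"{domain} {rtype}: unexpected answer(s) {sorted(unexpected)}")
        if missing:
            findings.append(f"{domain} {rtype}: missing expected answer(s) {sorted(missing)}")
    return findings


# Constructed resolver answers standing in for live lookups.
CLEAN_ANSWERS = {
    ("dapp.example.org", "A"): ["203.0.113.11", "203.0.113.10"],
    ("dapp.example.org", "NS"): ["NS1.example-dns.net", "ns2.example-dns.net."],
}
HIJACKED_ANSWERS = {
    # Attacker replaced the A record with their clone's host and moved the
    # zone to their own nameservers.
    ("dapp.example.org", "A"): ["198.51.100.7"],
    ("dapp.example.org", "NS"): ["ns1.attacker-dns.example.", "ns2.attacker-dns.example."],
}


def clean_resolver(name: str, rtype: str) -> Iterable[str]:
    return CLEAN_ANSWERS[(name, rtype)]


def hijacked_resolver(name: str, rtype: str) -> Iterable[str]:
    return HIJACKED_ANSWERS[(name, rtype)]


if __name__ == "__main__":
    print("clean:", check_domain("dapp.example.org", clean_resolver))
    for finding in check_domain("dapp.example.org", hijacked_resolver):
        print("ALERT:", finding)
```

Run from a host outside your own infrastructure (the attacker controls the zone, so an internal cache may keep serving the old answers), and treat any NS drift as a registrar or provider compromise until proven otherwise.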
Curve Finance remedied the situation in time, but in the window before the hijacked domain was reverted the attackers siphoned off what was initially estimated at $537,000 worth of USD Coin (USDC). The platform believes that its DNS provider, Iwantmyname, was compromised, which allowed the subsequent events to unfold.
Cointelegraph contacted blockchain analytics firm Elliptic to discuss how the attackers managed to fool unsuspecting Curve users. The team confirmed that a hacker had compromised Curve’s DNS, leading to the signing of malicious transactions.
Elliptic estimates that 605,000 USDC and 6,500 DAI were stolen before Curve found and reverted the hijack. Using its blockchain analytics tools, Elliptic traced the stolen funds to a number of exchanges, wallets, and mixers.
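The "malicious transactions" Elliptic refers to are the ones a cloned front end asks the user's wallet to sign. A wallet-side guard can decode an ERC-20 `approve(address,uint256)` call before signing and refuse any spender that is not a pinned, trusted contract. The following is an added illustration, not Curve's, Elliptic's or any wallet's code: the selector `0x095ea7b3` is the real one for `approve(address,uint256)`, but the allowlisted and attacker spender addresses are constructed placeholders, not real Curve contracts.

```python
"""Added illustration, not Curve's, Elliptic's or any wallet's code: a
wallet-side guard that decodes an ERC-20 approve(address,uint256) call before
it is signed and refuses spenders outside an allowlist. The spender addresses
below are constructed placeholders, not real Curve contracts."""
from dataclasses import dataclass
from typing import Optional, Set

# 4-byte selector: first four bytes of keccak256("approve(address,uint256)").
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")
MAX_UINT256 = 2 ** 256 - 1

# Hypothetical allowlist of pool/router contracts the wallet has pinned for
# this dapp. A cloned front end points approve() at a contract that is not here.
TRUSTED_SPENDERS: Set[str] = {"0x" + "11" * 20}


@dataclass(frozen=True)
class ApproveCall:
    spender: str  # 0x-prefixed, lowercase, 20 bytes
    amount: int


def decode_approve(calldata: bytes) -> Optional[ApproveCall]:
    """Decode approve(address,uint256) calldata; None if it is something else."""
    if len(calldata) != 4 + 32 + 32 or calldata[:4] != APPROVE_SELECTOR:
        return None
    spender_word, amount_word = calldata[4:36], calldata[36:68]
    # ABI pads an address to 32 bytes; non-zero high bytes mean malformed input.
    if any(spender_word[:12]):
        return None
    return ApproveCall("0x" + spender_word[12:].hex(), int.from_bytes(amount_word, "big"))


def encode_approve(spender: str, amount: int) -> bytes:
    """ABI-encode approve(spender, amount) the way a dapp front end would."""
    addr = bytes.fromhex(spender[2:]).rjust(32, b"\x00")
    return APPROVE_SELECTOR + addr + amount.to_bytes(32, "big")


def assess_approve(calldata: bytes, trusted: Set[str] = TRUSTED_SPENDERS) -> str:
    """Policy decision for a pending transaction: 'allow', 'warn:...', 'block:...'."""
    call = decode_approve(calldata)
    if call is None:
        return "not-approve"
    if call.spender not in {t.lower() for t in trusted}:
        return "block:untrusted-spender"
    if call.amount == MAX_UINT256:
        return "warn:unlimited-allowance"
    return "allow"


if __name__ == "__main__":
    legit = encode_approve("0x" + "11" * 20, 1_000_000)   # 1 USDC (6 decimals)
    phish = encode_approve("0x" + "de" * 20, MAX_UINT256)  # clone's drainer contract
    print(assess_approve(legit))
    print(assess_approve(phish))
```

The allowlist is the load-bearing part: it must come from somewhere the attacker does not control (a wallet-side registry or a value the user pinned on a day the site was known-good), not from the page that is asking for the signature.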
The stolen funds were immediately converted into Ether (ETH), sidestepping a potential freeze of the USDC (which, unlike ETH, can be frozen by its issuer), amounting to 363 ETH worth $615,000.
Interestingly, 27.7 ETH was laundered through Tornado Cash, which has since been sanctioned by OFAC. A further 292 ETH were sent to the exchange service FixedFloat, which managed to freeze 112 ETH and confirmed the movement of funds, according to an Elliptic spokesperson:
“We have maintained contact with the exchange, which confirmed three other addresses where the hacker withdrew funds from the exchange (these were completed orders that FixedFloat was unable to freeze in time). These include 1 BTC address, 1 BSC address, and 1 LTC address.”
Elliptic is now monitoring these flagged addresses in addition to the original Ethereum addresses. Another 20 ETH was sent to a Binance hot wallet, and a further 23 ETH was moved to the hot wallet of an unidentified exchange.
Elliptic also warned the wider ecosystem to expect further incidents of this kind after identifying a listing on a darknet forum offering “fake landing pages” for sale to hackers of compromised websites.
It is unclear whether this listing, discovered just a day before the Curve Finance DNS hijacking incident, was directly related, but Elliptic noted that it illustrates the methodology used in these types of attacks.
Clarification: The information and/or opinions expressed in this article do not necessarily represent the views or editorial line of Cointelegraph. The information set forth herein should not be taken as financial advice or investment recommendation. All investment and commercial movement involve risks and it is the responsibility of each person to do their due research before making an investment decision.
Keep reading:
- Circle plans to only support the Ethereum PoS chain when the merger is complete
- Solana hack could lead to claims against its developers and service providers
- deBridge flags attempted phishing attack and warns of Lazarus Group involvement
- Nomad Announces $19 Million Reward for Funds Lost in Recent Hack
- Threat of North Korean cyberattacks on the rise
- Crypto Scammers Hacked British Army Social Media Accounts
- Bitcoin without internet: an SMS service allows you to send BTC with a text