SIR.trading Loses Entire TVL in Devastating Hack


Ethereum-based DeFi protocol SIR.trading lost its entire $355,000 TVL after a complex hack.

The hackers exploited a vulnerability in its Vault contract tied to Ethereum’s transient storage feature. Meanwhile, the crypto space is still reeling from the massive $1.4 billion Bybit exchange hack in February, which was orchestrated by North Korea’s Lazarus Group. In parallel, cybersecurity firm Threat Fabric uncovered a new Android malware, Crocodilus, that is designed to steal crypto wallet seed phrases through fake overlay screens and social engineering tactics. 

SIR.trading Hit by Major Hack

The Ethereum-based DeFi protocol SIR.trading, which is also known as Synthetics Implemented Right, suffered a devastating hack that resulted in the complete loss of its total value locked (TVL). The protocol’s TVL amounted to close to $355,000 at the time of the attack. 

The exploit happened on March 30 and was first flagged by blockchain security firms TenArmorAlert and Decurity, both of which issued warnings on social media to alert the community. After the incident, the protocol's pseudonymous founder, Xatarrer, described the hack as "the worst news a protocol could receive" but expressed hope that the team will try to keep the project alive despite the severe setback.

According to Decurity’s analysis, the attack was executed through a sophisticated manipulation of a callback function in SIR.trading’s vulnerable Vault contract. This function relied on Ethereum’s transient storage feature that was introduced in last year’s Dencun upgrade. The attacker was able to exploit this feature by substituting the real Uniswap pool address used in the callback with an address they controlled. This made it possible for them to siphon the protocol’s funds into their own wallet. Blockchain security firm TenArmorAlert explained that the attacker repeatedly triggered this callback function to fully drain the vault’s assets.

SupLabsYi, a researcher from security firm Supremacy, offered more technical details on the hack and said it may point to an emerging class of security flaw around Ethereum's transient storage mechanism. The feature was designed to provide cheaper, temporary data storage that reduces gas fees, but it is still relatively new and untested at scale. The attack on SIR.trading is one of the first known exploits to abuse it.
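To make the class of bug described above concrete, here is a constructed Solidity illustration (not SIR.trading's contract and not the attacker's code) of a swap-callback guard kept in transient storage that can be fooled when the slot is reused for an unrelated value and never cleared, next to a hardened version. The contract names, the `beginSwap` function and the `lastPayee` stand-in for a token transfer are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24; // tstore/tload need evmVersion "cancun" (post-Dencun)
// Shared helpers for raw transient storage access (constructed example).
abstract contract TransientBase {
    function _tstore(uint256 slot, uint256 v) internal { assembly { tstore(slot, v) } }
    function _tload(uint256 slot) internal view returns (uint256 v) { assembly { v := tload(slot) } }
}

// WEAK: one transient slot serves both as the callback guard and, later in the
// same transaction, as scratch space for a caller-influenced amount, and it is
// never cleared. If that amount equals the numeric value of an address the
// caller controls, a second direct call to the callback passes the guard.
contract WeakVault is TransientBase {
    uint256 private constant SHARED = 1;
    address public lastPayee; // stands in for the token transfer

    function beginSwap(address pool) external {
        _tstore(SHARED, uint256(uint160(pool)));
        // ... pool.swap(...) runs here and calls uniswapV3SwapCallback
    }

    function uniswapV3SwapCallback(int256, int256, bytes calldata data) external {
        require(msg.sender == address(uint160(_tload(SHARED))), "not pool");
        uint256 amount = abi.decode(data, (uint256)); // chosen by the swap initiator
        _tstore(SHARED, amount);                       // overwrites the guard value
        lastPayee = msg.sender;
    }
}

// HARDENED: a dedicated slot per purpose, the guard rejects the zero value, and
// the slot is cleared the moment it is consumed, so the callback can succeed
// at most once per beginSwap and never after the slot has been repurposed.
contract HardenedVault is TransientBase {
    uint256 private constant POOL_SLOT = 1;
    uint256 private constant AMOUNT_SLOT = 2;
    address public lastPayee;

    function beginSwap(address pool) external {
        require(pool != address(0) && _tload(POOL_SLOT) == 0, "swap in progress");
        _tstore(POOL_SLOT, uint256(uint160(pool)));
        // ... pool.swap(...)
    }

    function uniswapV3SwapCallback(int256, int256, bytes calldata data) external {
        address pool = address(uint160(_tload(POOL_SLOT)));
        require(pool != address(0) && msg.sender == pool, "not pool");
        _tstore(POOL_SLOT, 0);                                // one-shot guard
        _tstore(AMOUNT_SLOT, abi.decode(data, (uint256)));     // separate scratch slot
        lastPayee = msg.sender;
    }
}
```

A review checklist that follows from this: every transient slot should have exactly one purpose, and any slot used for authorisation should be reset before the contract does the work it protects.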

After the exploit, TenArmorAlert reported that the stolen funds were moved to an address funded via Ethereum’s privacy solution Railgun. SIR.trading’s founder has since reached out to Railgun in an effort to track or recover the stolen assets. 

The protocol prided itself on being a safer alternative for leveraged trading, and had previously disclosed in its documentation that, despite audits, its smart contracts could contain undetected bugs. It specifically pointed to the vault mechanisms as a potential area of vulnerability because of their complex logic.

Crypto’s Biggest Hack

Other exploits also recently turned heads in the crypto space. It seems like North Korea-affiliated hackers scaled back their operations during the second half of 2024 while preparing for what would become the largest crypto hack in history. The industry was shaken on Feb. 21 when the Lazarus Group, which is a notorious hacking collective linked to North Korea, orchestrated a sophisticated attack on the crypto exchange Bybit. This attack resulted in the theft of more than $1.4 billion.

According to blockchain analytics firm Chainalysis, illicit activity tied to North Korean cyber actors declined after July 1, 2024, despite a surge in attacks earlier that year. Eric Jardine, Chainalysis' cybercrimes research lead, suggested that this slowdown coincided with geopolitical developments, particularly the summit between Russia and North Korea. This meeting reportedly led to the reallocation of North Korean resources, including military personnel, to support Russia's war effort in Ukraine. Jardine speculated that this shift may also have allowed the Lazarus Group to regroup, select new targets, and prepare for the massive Bybit attack.

(Source: Chainalysis)

The attack was executed with precision, and the hackers were able to launder the stolen funds through the decentralized cross-chain protocol THORChain within just ten days. Despite this, blockchain security experts remained optimistic that at least a portion of the funds could be recovered.

The Bybit hack shed some light on the vulnerability of even the most secure centralized exchanges to highly sophisticated cyberattacks. Analysts noticed that the incident had similarities to other major hacks, like the $230 million attack on WazirX and the $58 million exploit on Radiant Capital. Meir Dolev, co-founder and CTO of blockchain security firm Cyvers, explained that the attackers compromised an Ethereum multisig cold wallet by tricking signers into unknowingly approving a change to the smart contract’s logic. This deceptive transaction allowed the hackers to seize control of the wallet and drain its contents.

North Korea hacking activity (Source: Chainalysis)

Throughout 2024, North Korean hackers were responsible for stealing more than $1.34 billion worth of digital assets across 47 separate incidents, according to Chainalysis. This was a 102% increase from the $660 million that was stolen in 2023 and accounted for an alarming 61% of all crypto stolen globally last year.

Crocodilus Malware Targets Crypto Wallets

Exploits are not the only danger threatening crypto users and their funds. Cybersecurity firm Threat Fabric recently uncovered a new and highly sophisticated malware targeting Android users, and it is specifically designed to steal cryptocurrency seed phrases and take over devices. 

The malware is called Crocodilus, and it employs fake overlay screens to deceive users into revealing sensitive information, including the recovery phrases of their crypto wallets. In a report published on March 28, Threat Fabric analysts described how Crocodilus manipulates victims by displaying a warning message urging them to back up their wallet key within a specific time frame, typically 12 hours, or risk losing access to their funds. This social engineering tactic prompts users to navigate to their seed phrase, which the malware then captures with its accessibility logger.

Once the seed phrase is obtained, the attackers gain full control over the victim’s wallet and can drain its contents. Crocodilus not only targets crypto wallets but also possesses the advanced capabilities of modern banking malware. It can harvest data through screen captures, launch fake overlay attacks, and remotely control infected devices. The infection typically occurs when users inadvertently download software embedded with the malware, which bypasses Android 13’s built-in security protections.

Example of the overlays used (Source: Threat Fabric)

After installation, Crocodilus prompts users to enable accessibility services, which is a request that allows the malware to communicate with its command-and-control server. This connection enables it to receive instructions, including which applications to target and which overlays to use. The malware runs continuously in the background, monitoring app activity and launching overlays when targeted apps, particularly banking or crypto apps, are opened. During this process, it can mute the device’s sound and operate without the user’s knowledge.

Threat Fabric's research indicates that Crocodilus has so far primarily targeted users in Turkey and Spain, but the firm warned that the scope of the campaign is likely to expand. Analysts also pointed to indications in the malware's code that its developers may speak Turkish, and speculated that the threat actor known as Sybra could be involved.

This article was originally posted on Coinpaper.com