Cryptohack Roundup: Multichain Lost $228M - Nobody Knows Why
Also: Crypto-Focused Law Enforcement Action Involving Silk Road, OpenSea
Every week, Information Security Media Group rounds up cybersecurity incidents in the world of digital assets. This week, Multichain saw unauthorized outflow of $125 million, the Department of Justice announced its first DeFi smart contract-focused indictment, Silk Road boss Ross Ulbricht's aide and two others were sentenced, and the FTC and the SEC turned up the heat on Celsius.
Multichain: Hack or Rug Pull?
Cross-chain bridge protocol Multichain experienced "unusually large, unauthorized withdrawals" of more than $125 million on July 6, followed by an additional $103 million on Tuesday. But that's not the only unusual part of this story. Nobody in the community, including the company itself, can confirm the reason behind the outflow or who withdrew the funds.
Security firm Chainalysis said the outflow "appears to be a hack or rug pull by insiders."
Chainalysis floated the insider theory because, it says, the exploit most likely stems from compromised administrator keys. "While it's possible those keys were taken by an external hacker, many security experts and other analysts think this exploit could be an inside job or rug pull," it said. The suspicion that the incident may be a rug pull likely stems from a tweet the company posted in May announcing that it had been unable to contact its CEO to resolve a separate issue.
For now, Multichain has stopped its service indefinitely, an announcement that scammers and phishers are reportedly already taking advantage of. Stablecoin issuers Circle and Tether also froze more than $65 million in assets transferred by Multichain.
First DeFi Smart Contract-Focused Indictment
The DOJ on Tuesday unsealed an indictment against Shakeeb Ahmed, charging him with wire fraud and money laundering, each of which carries a maximum prison sentence of 20 years. The complaint alleges the 34-year-old senior security engineer at an international technology company used his expertise in reverse-engineering smart contracts and blockchain auditing to defraud a decentralized cryptocurrency exchange and its users of $9 million.
In July 2022, he allegedly exploited a vulnerability in one of the DeFi platform's smart contracts to insert fake pricing data and inflate the price of the coins before withdrawing them, and he also carried out flash loan attacks. Ahmed allegedly suggested returning most of the stolen funds, keeping $1.5 million for himself, if the crypto exchange did not press charges. The agency did not name the Solana-based exchange but mentioned that it is incorporated outside the U.S. Ahmed used multiple obfuscation techniques - including swapping, chain-hopping and using overseas exchanges - to launder the stolen funds, the indictment showed.
On Tuesday, the DOJ announced the 20-year prison sentence of Roger Thomas Clark, a 61-year-old Canadian citizen. Clark served as the top adviser to Ross Ulbricht, the owner and operator of the illicit online marketplace Silk Road. Clark is known by various aliases, including Plural of Mongoose, Variety Jones, VJ and cimon. In addition to the prison sentence, Clark was ordered to forfeit $1,606,150 and will face three years of supervised release. He pleaded guilty in January 2020.
"Silk Road was a secret online marketplace for illegal drugs, computer hacking services and a host of other criminal activity," U.S. Attorney Damian Williams said. "Roger Thomas Clark was a central figure in helping to lead Silk Road and in advocating violence, even murder, to protect this digital drug empire." Silk Road was one of the first online marketplaces to exclusively use cryptocurrency to facilitate illegal transactions, estimated at about $213 million. The platform also allowed criminals to launder the hundreds of millions of dollars they made from unlawful transactions (see: Feds Announce Silk Road Cryptocurrency Haul).
The DOJ on Monday unsealed an indictment charging 25-year-old Soufiane Oulahyane, aka Soufiane Oulahya, with impersonating marketplace OpenSea to steal cryptocurrency and non-fungible tokens. He stole $450,000 worth of digital assets from a victim in Manhattan in September 2021 by using "one of the oldest tricks in the criminal playbook" - spoofing - and applying it to the crypto space, according to U.S. Attorney Damian Williams.
Prosecutors said Oulahyane used paid advertisements on popular search engines to make sure his spoofed, malicious website appeared first when users searched for "OpenSea." When victims entered their login credentials or other private information on the spoofed website, the data was sent automatically to an email account that Oulahyane controlled.
If found guilty, he faces a maximum prison sentence of 47 years for wire fraud, use of an unauthorized access device, affecting transactions with an access device to receive something of value that is equal to or greater than $1,000 and aggravated identity theft. He is currently in custody in his home country of Morocco on foreign charges.
An attacker on Tuesday stole $1.53 million from Arbitrum-based Rodeo Finance, marking the second cyberattack against the decentralized finance protocol this month.
The hacker exploited a code vulnerability in the protocol's price oracle, which determines the price of the crypto tokens on the platform. The exploit caused the platform's total value locked to plummet from $20 million to under $500. The attacker moved a portion of the stolen crypto to the Ethereum blockchain and routed it through crypto mixer Tornado Cash to obfuscate the flow of funds, PeckShield said. The exploiter's wallet currently holds nearly 400 ETH tokens. In a separate incident on July 5, an attacker stole at least $50,000 from the platform.
Two federal agencies turned up the heat Thursday on bankrupt cryptocurrency platform Celsius Network, charging co-founder Alexander Mashinsky and banning the firm from doing business in the United States.
The Federal Trade Commission on Thursday reached a settlement with Celsius Network's co-founders for swindling consumers out of millions of dollars by "falsely promising that deposits would be safe and always available." The company misappropriated customer deposits worth more than $4 billion, "routinely" made unsecured loans of about $1.2 billion, and lied to the public about the safety of its platform and the lack of liquidity on it, the FTC said.
The agency also levied a penalty of $4.7 billion against the crypto lender, but it suspended the judgment to "permit Celsius to return its remaining assets to consumers in bankruptcy proceedings."
A proposed settlement with the New Jersey-based company and its affiliates seeks to ban the entities from "offering, marketing, or promoting any product or service that could be used to deposit, exchange, invest, or withdraw any assets."
Co-founders Alexander Mashinsky, Shlomi Daniel Leon and Hanoch "Nuke" Goldstein marketed the platform as being safer than banks because "we have less risk, we have much less risk," the FTC complaint said. The co-founders have not agreed to the FTC settlement, and the case against them is expected to proceed to federal court.
Also on Thursday, the Securities and Exchange Commission charged Celsius - along with Mashinsky - with fraud, failing to register the offer and sale of securities, making false and misleading statements to investors and engaging in market manipulation.
"Celsius lied to investors by presenting itself as a safe investment opportunity and a chance to gain financial freedom, but behind the scenes the company operated a failing business model and took significant risks with investors' crypto assets," said Gurbir Grewal, director of the SEC's Enforcement Division.