Date:: March 22nd, 2022
Amount Stolen:: $1,700,000
Laundered Via:: Tornado Cash - March 24th, 2022 - 5x100 8x10 8x1
Tags:: 🔑 DangerousPassword SquidSquad (Protected)
Arthur_0x, founder of DeFiance Capital, lost $1.76M as a result of a spear-phishing campaign that delivered wallet-stealing malware.
In total, Arthur appears to have lost 78 different NFTs from five collections, mostly Azukis. He also lost 68 wrapped Ether (wETH), 4,349 staked DYDX (stkDYDX) and 1,578 LooksRare (LOOKS) tokens. The hacker began moving assets at about 12:30 am UTC, then promptly put all the NFTs up for bid on the OpenSea NFT marketplace. As of the time of writing, the hacker's wallet held 545 ETH, worth about $1.6 million.
Found out the likely root cause for the exploit: it's a targeted social engineering attack.
Received a spear-phishing email that really seems to be sent by one of our portco, with content that seems like general industry-relevant content.
Was being careless on this one since it comes from 2 seemingly legitimate sources.
Once I open the file I see the images below and then it proceeds to the normal PDF document; didn't suspect what's wrong back then:
Hacker steals more than $1.5 million after compromising wallets belonging to crypto whale Arthur_0x over the past 30 days, and Azuki NFTs have been going for 12.5 ETH ($37,600)
The attacker had not yet sold all the NFTs they had stolen, but within two hours of the attack they had 545 ETH (about $1.6 million) in their wallet.
Arthur_0x wrote on Twitter that they had previously only ever used a hardware wallet on their PC, but when they started more regularly trading NFTs they'd started using a hot wallet.
Kenetic Capital - jehan@kenetic.capital is the email address that phished Arthur_0x; that account had been compromised by Lazarus earlier in the year.
"Hot wallet on mobile phone is indeed not safe enough", they wrote on Twitter, "Guess no more hot wallet usage then." They also wrote, "The only thing I can say to the hacker is: you mess with the wrong person" and tweeted the wallet address to which the NFTs were being transferred, asking for it to be blocklisted
"Based on our research and conversation with leading cyber security experts, we believe Bluenoroff are running an organized campaign to target all the prominent organizations in the crypto space...."
- Compromised: 0xc8acf47df30286159220e8d58467a614dc07bc72
- Attacker: 0xe47e8cd58c8e95f765e642d7dcb898f622cefa83
- Attacker: 0xb09e66b66b7daa35699496ff560e1034990e5e3a
- Laundry: 0x785B9940eAf44be2B832C61816fF873B97A8ad63
- https://twitter.com/arthur_0x/status/1514890461969731584
- https://twitter.com/NickCarlsen1/status/1506768133121478657
- https://twitter.com/Arthur_0x/status/1506096947576205313
- https://twitter.com/Arthur_0x/status/1506109296701890563
- https://twitter.com/Arthur_0x/status/1506167899437686784
- https://twitter.com/cr0ssETH/status/1506086576601849857
- Annex 95: Suspected DPRK cyberattacks on cryptocurrency-related companies (2017-2023) investigated by the Panel