On March 22nd, Google issued an emergency security update for its Chrome browser as 3.2 billion users were potentially at risk of being attacked. This update highlighted a single security vulnerability that could have a big impact on everyone, but specifically crypto users.
Not much is publicly known at this stage about CVE-2022-1096 other than it is a “Type Confusion in V8.” This refers to the JavaScript engine employed by Chrome. The security flaw includes the open-source Chromium Project and it’s possible this update comes as a response to users reporting their crypto ‘hot wallets’ being hacked through a browser.
Earlier this week, Arthur Cheong, the founder of DeFiance Capital and a known crypto whale announced via Twitter that his crypto wallet had been hacked causing him to lose over $1.5 million USD in tokens and NFTs.
Found out the likely root cause for the exploit, it’s a targeted social engineering attack. Received a spear-phishing email that really seems to be sent by one of our portco with content that seems like general industry-relevant content.
They are likely targeting all crypto peep pic.twitter.com/SegYBcoLX2
— Arthur 🌔⛩️🦔👻 (@Arthur_0x) March 22, 2022
The hack targeted what is called a ‘hot’ wallet. A hot wallet is directly connected to the internet rather than a ‘cold’ wallet, also known as a hardware wallet, where assets can be stored offline and remain offline for safekeeping and security. After seeing sophisticated hacks such as this, it’s safe to say that storing cryptocurrencies in cold wallets offer far more secure solutions to holding cryptocurrencies.
Weeks earlier, Ledger had warned users to be aware of Blind Signatures and the dangers that come with them, while continuing to advise users to proceed with caution when browsing DApps (decentralized applications) and other related websites.
Two primary hot wallets that were being targeted held a crypto balance valuing over $1.5 million USD; most of which contained NFTs under the ‘Azukis’ collection. These popular NFTs were immediately sold on OpenSea below market price, resulting in the hacker acquiring funds in the fastest possible manner.
Luckily, the cry was heard by the entire crypto community and actions were made with haste. Supporters swiftly acquired some of the stolen Azuki NFTs from the blacklisted hacker and were mercifully willing to return the NFTs to Arthur at a base price rather than reselling them at their current market value, allowing them to profit 7-8+ ETH (worth around $24k USD) in exchange. Not all heroes wear capes.
Altogether, the hacker was able to acquire 78 different NFTs from five widely known collections. And that’s not all.
Not only focusing on Azuki’s and other NFTs collectibles, they also managed to steal 68 wrapped ETH (wETH), 4,349 staked DYDX (stkDYDX) and 1,578 LooksRare (LOOKS) tokens, tallying to a whopping $293,281.64 at the time of the attack.
Following the announcement, Arthur himself investigated deep into the exploit and discovered the hacker must have obtained access to his wallet by sending him what is known as spear-phishing emails. This alone revealed that the emails received were issuing requests to access Arthur’s Google Docs content in full. At first glance, these requests seemed to be from two ‘legitimate’ sources of his. Immediately after opening the shared file, the hacker gained an unauthorized passage to the seed phrase of his hot wallet. In other words, the master password to the hot wallet was compromised instantly, granting the thief access to all crypto wallets connected to Google Chrome and siphoning the hard-earned assets right in front of him.
Similar hacks and exploits are nothing new to the crypto industry. However, and it’s very unfortunate to say, these attacks are becoming extremely intricate and identical catastrophic events can happen to even the most experienced users. This display of tragedy is evidence that anyone can fall victim to similar cyberattacks and nothing is ever really “100% secure” as some may claim.
As the recovering cyberattack victim later tweeted “didn’t expect this to happen to me.”
Well not sure what happened, need to take time to figure it out. Didn’t expect this to happen to me as well.
Guess no more hot wallet usage then.
— Arthur 🌔⛩️🦔👻 (@Arthur_0x) March 22, 2022
Following the hack, Arthur’s recommendations were to always put security first. Examples include using a trusted password manager, enabling 2-factor authentication (not via phone numbers to avoid sim card jailbreaks and sim-swapping), and to adopt cold storage wallets, namely Ledger hardware wallets to ensure your funds are SAFU in perpetuity.
Guest post by Felix Mohr from Crypto Fight Club
Felix Mohr is the CTO and co-founder of Crypto Fight Club. Aside from spearheading all blockchain and game developments for Crypto Fight Club, Felix (aka MakerOfGloves) has been in crypto since 2016 as a certified fintech professional from the University of Hong Kong as well as the co-founder of MohrWolfe. His focus now is to bridge adoption and security to the play-to-earn space on GameFi through building NFT games and decentralized blockchain product lines.
