Over $8 Million in Cryptocurrency Tokens Stolen from Nexus Mutual Founder Hugh Karp’s Personal Account: Report

On December 14, 2020 (at 09:40 am UTC), CertiK Skynet discovered a very large transaction from Hugh Karp, Founder of Nexus Mutual, a “people powered” alternative to insurance built on Ethereum, which transferred 370,000 NXM tokens to an unknown cryptocurrency account. The total value of digital tokens is around $8.33 million.

 

The CertiK security investigation team reportedly launched an investigation and performed an analysis. The team believes that the transaction was a “targeted attack towards the account of Mr. Hugh Karp.”

The attacker’s account address is as follows:

0x09923e35f19687a524bbca7d42b92b6748534f25, and some of the digital tokens obtained by the attack have now been traded at decentralized or non-custodial trading platform the 1inch.exchange through the transaction: 0xfe2910c24e7bab5c96015fb1090aa52b4c0f80c5b5c685e4da1b85c5f648558a.

The attack transaction hash is as follows: 0x4ddcc21c6de13b3cf472c8d4cdafd80593e0fc286c67ea144a76dbeddb7f3629

As noted by the CertiK team:

“According to the official disclosure, after obtaining remote control of Hugh Karp’s personal computer, the attacker modified the Metamask extension used on the computer and misled [or tricked] him to sign [a different] transaction, which eventually transferred a huge amount of tokens to the attacker’s account.”

Based on the details of the incident disclosed (so far), the CertiK research team “conjectured that when Hugh used Metamask as usual, the extension modified by the attacker generated the transfer request for the huge amount of tokens before Hugh signed the transaction with his hardware wallet.”

The researchers further noted that the browser extension (as an application) is somewhat similar to the front-end of a typical web-based app. They’re all coded in HTML and JavaScript, the CertiK team explained. They added that “files of the browser extension are stored in the user’s computer.” They also mentioned that “regarding the methods hackers used to modify the Metamask extension,” the CertiK research team has made the following conjectures:

  • The hacker managed to gain control of Hugh Karp’s PC. After doing that, they were able to  open the browser via the remote desktop and “directly installed the modified Metamask extension.”
  • The hacker “found the installation path of Metamask extension on Hugh Karp’s personal computer, modified the code, and loaded the modified extension into the browser after the modification.”
  • The hacker or attacker “modified the browser extension with the built-in command-line tool.”

The CertiK team confirmed that the official disclosure stated that Hugh Karp had “used a hardware wallet.” While the specific model wasn’t revealed, it “should be Trezor or Ledger, which are the only two supported by Metamask,” the CertiK researchers noted. They pointed out that “in the case of using a hardware wallet, transactions in Metamask need to be confirmed and signed with the private key in the hardware wallet.”

They further explained:

“When Trezor or Ledger confirms the transaction, the recipient’s address will be displayed on the hardware screen for the user to confirm. In this attack, the hacker should not be able to modify the displayed address on the hardware screen. It is speculated that when Hugh Karp made the final confirmation on the hardware wallet, he did not notice that it was the address of the hacker.”

The CertiK report also noted that “the importance of insurance is fully illustrated by this incident that the account of the founder of a blockchain insurance platform was attacked.” They warned that “no matter who you are and what role you play, hackers will not bypass you in the blockchain network because of your fluke.”

The CertiK security verification team recommends that “any security system and operating environment requires not only program security verification, but also professional penetration testing to verify the security of the overall product.”

They also suggested that “in order to prevent the loss of digital assets from any non-technical reasons, the project team should purchase insurance for their products/solutions in a timely manner so that there will be multi-level protections for the project and investors, and the loss from any attack can be compensated in time.”



Sponsored Links by DQ Promote

 

 

Send this to a friend