OSINT Knowledge Base

Bitkeep Hack ~ $1 million stolen

An unknown hacker targeted the token swap service offered by BitKeep, a multi-chain crypto wallet.

The exploiter stole $1 million in crypto tokens from users who had approved tokens on BitKeep's swap service (its swap router) on the BNB Chain and Polygon. The stolen funds were later routed through the crypto mixer Tornado Cash in an effort to obfuscate the activity.

"BitKeep Swap was hacked, and our development team has managed to contain the emergency and stopped the hacker. The attack was directed to the BNB Chain, causing a loss of about $1 million," the team tweeted.

Igor Igamberdiev, Research Director, Data at The Block, explained that BitKeep's swap contract contained a logic error that allowed the hacker to make a malicious call and seize users' funds. The vulnerability stemmed from the swap contract's lack of input validation, which let the attacker supply manipulated input values. As a result, the exploiter was able to execute illegitimate swaps on behalf of addresses that had granted spending approvals to BitKeep's swap router.

BitKeep says it will refund all victims that had funds stolen during the incident.

Transit Finance Hacker Returns Some Funds - $28.9 million

A hacker stole $28.9 million by exploiting a bug in the decentralized exchange aggregator Transit Finance on Sunday. Within two days of the theft, the thief returned nearly $18.9 million, keeping a $2 million "bug bounty."

The hacker capitalized on a vulnerability in Transit Swap's swap contract.

In a blog post published on Monday, Transit Swap said that $18.9 million has been returned after a slew of security firms helped triangulate the hacker's IP address.

Transit Finance's internal security team and blockchain security firms PeckShield, SlowMist, Bitrace and TokenPocket helped uncover the attacker's IP, email and associated on-chain addresses over the weekend, the victim company said in a series of tweets on Sunday.

"The incident is still being progressed and resolved, and we will continue to communicate and try our best to recover more assets for users," it added in a Monday update.

The incident affected a "large number of users" who will be refunded "as soon as possible," the company said, without providing specific numbers.

The attacker also became the victim of a cyberattack, with an arbitrage bot stealing $1.1 million when the attacker illegally transferred stolen funds from a user account, SlowMist

Moola Market Hacker Returns $7.8 million

Moola Market, a lending protocol on the Celo blockchain, suffered an $8.4 million exploit. Hours later, the attacker returned 93.1% of the stolen funds ($7.8 million) to Moola's wallet.

"Following today's incident, 93.1% of the funds have been returned to the Moola governance multi-sig," the team tweeted.

The attacker kept the remaining funds, some 700,000 CELO tokens ($518,000), as a negotiated bounty reward that the team had previously offered.

The attacker took advantage of the low liquidity of MOO, the native token on Moola's lending protocol on the Celo blockchain. They inflated the value of MOO on a decentralized exchange called Ubeswap and leveraged the tokens as collateral to drain user assets deposited into the protocol.

More specifically, the attacker started out with 243,000 CELO tokens ($182,000) held in their address on the Celo network. The next step was depositing 60,000 CELO tokens on Moola and borrowing 1.8 million MOO tokens. The attacker then used their remaining CELO tokens to rapidly inflate the price of MOO.

The perpetrator moved on to leverage the increased value of their MOO tokens as collateral to borrow other assets in a loop. By using just $182,000 in CELO, they were able to drain 8.8 million CELO ($6.5 million), 765,000 cEUR ($700,000), 1.8 million MOO ($600,000), and 644,000 cUSD ($600,000) from Moola Market, per on-chain transactions.

While the project has recovered most of its funds, the activity on the lending protocol remains paused for the time being.

Mango Market Hacker Returns Funds, Says Hack Was Legal

In a bizarre twist in the alleged hacking of Solana-based trading platform Mango Markets last week, the alleged hacker has come forward and returned some of the lost funds, claiming that he undertook a legal strategy to manipulate the cryptocurrency trading platform.

A Twitter user by the name of Avraham Eisenberg has claimed responsibility for removing the funds. In a series of tweets, Eisenberg claimed that everything he did was legal because he used the protocol as it was designed, “even if the development team did not fully anticipate all the consequences of setting parameters the way they are.”

Eisenberg had previously been alleged to have carried out a "flash loan" attack that resulted in the loss of about $116 million from Mango Markets. A flash loan attack is a decentralized finance attack in which a cybercriminal takes out a flash loan, an uncollateralized loan from a lending protocol, and then manipulates the price of a crypto asset on one exchange in order to sell it quickly on another.

The claims that a flash loan attack was used to take the funds were disputed initially. Although there are some similar elements, what Eisenberg did is more of a case of traditional market manipulation.

The Block explained Saturday that Eisenberg undertook an allegedly legal strategy that required $10 million to drain the funds from Mango Markets. The trade is said to have worked by manipulating the "price oracle" to inflate the Mango token price threefold, from 30 cents to 91 cents. That boosted the value of Eisenberg's collateral and allowed him to borrow more funds from the protocol.
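Both the Moola Market entry (a thin MOO/CELO pool on Ubeswap pushed up and the inflated MOO used as collateral) and the Mango Markets entry (the price oracle pushed from 30 to 91 cents to expand borrowing power) describe the same failure: a lending protocol valuing collateral at a spot price that a single trade can move. The example below is added to this knowledge base and is not code from Moola, Mango, Ubeswap or any firm cited above. It models a constant-product pool as a spot oracle, shows how much borrowing capacity one buy into a low-liquidity pool creates, and contrasts that with a lender that values collateral at the lower of spot and a time-weighted average price (TWAP) and refuses to price collateral when spot deviates from the TWAP beyond a bound. Pool reserves, the 1.8 million collateral balance, the 75% loan-to-value ratio, the 20% deviation bound and all function names are constructed assumptions for illustration.

```python
"""Toy model of spot-price oracle manipulation against a lending protocol.

Added illustration for this knowledge base; not the code of any project named
on the page. Every number here is constructed.
"""
from dataclasses import dataclass
from typing import Optional

LTV = 0.75  # constructed loan-to-value ratio: borrow up to 75% of collateral value


@dataclass
class ConstantProductPool:
    """Minimal x*y=k pool. reserve_base is the thin-liquidity token (MOO-like),
    reserve_quote is the asset it is priced in (CELO-like)."""
    reserve_base: float
    reserve_quote: float

    def spot_price(self) -> float:
        # Price of one base token in quote units, as a naive spot oracle reads it.
        return self.reserve_quote / self.reserve_base

    def buy_base(self, quote_in: float) -> float:
        """Swap quote_in of the quote token for base tokens; return base received.
        The pool invariant k stays fixed, so a buy raises the quoted price."""
        k = self.reserve_base * self.reserve_quote
        new_quote = self.reserve_quote + quote_in
        new_base = k / new_quote
        received = self.reserve_base - new_base
        self.reserve_base, self.reserve_quote = new_base, new_quote
        return received


class TwapOracle:
    """Keeps the last `window` spot observations and reports their average.
    safe_price() is the defender's check: if the current spot price deviates
    from the TWAP by more than max_deviation it returns None (collateral cannot
    be priced right now), otherwise the lower of spot and TWAP."""

    def __init__(self, window: int, max_deviation: float):
        self.window = window
        self.max_deviation = max_deviation
        self.history: list[float] = []

    def observe(self, price: float) -> None:
        self.history.append(price)
        self.history = self.history[-self.window:]

    def twap(self) -> float:
        return sum(self.history) / len(self.history)

    def safe_price(self, spot: float) -> Optional[float]:
        avg = self.twap()
        if abs(spot - avg) / avg > self.max_deviation:
            return None
        return min(spot, avg)


def max_borrow(collateral_amount: float, price: float, ltv: float = LTV) -> float:
    """Borrowing capacity in quote units for a given collateral valuation."""
    return collateral_amount * price * ltv


def simulate(quote_spent: float, use_twap: bool) -> dict:
    """Run one manipulation attempt against a lender using either the raw spot
    price (use_twap=False) or the TWAP-bounded price (use_twap=True).
    Returns the prices before/after the buy and the resulting borrow capacity."""
    # Constructed thin pool: 1,000,000 base vs 10,000 quote, i.e. 0.01 quote per base.
    pool = ConstantProductPool(reserve_base=1_000_000, reserve_quote=10_000)
    oracle = TwapOracle(window=10, max_deviation=0.20)
    for _ in range(10):
        oracle.observe(pool.spot_price())  # calm price history before the trade

    collateral = 1_800_000  # base tokens posted as collateral (constructed)
    price_before = pool.spot_price()
    received = pool.buy_base(quote_spent)
    price_after = pool.spot_price()

    price_used = oracle.safe_price(price_after) if use_twap else price_after
    capacity = 0.0 if price_used is None else max_borrow(collateral, price_used)
    return {
        "price_before": price_before,
        "price_after": price_after,
        "base_received": received,
        "price_used": price_used,
        "borrow_capacity": capacity,
    }


if __name__ == "__main__":
    naive = simulate(90_000, use_twap=False)
    guarded = simulate(90_000, use_twap=True)
    print(f"spot price moved {naive['price_before']:.4f} -> {naive['price_after']:.4f}")
    print(f"spot-priced lender would allow borrowing {naive['borrow_capacity']:,.0f} quote")
    print(f"TWAP-guarded lender allows {guarded['borrow_capacity']:,.0f} quote (price rejected)")
```

With the constructed reserves, spending 90,000 quote moves the spot price from 0.01 to 1.00, a hundredfold, and a lender reading that spot price would let the 1.8 million collateral back 1,350,000 quote of borrowing, far more than the trade cost; the same lender using `safe_price` refuses to value the collateral at all while spot sits outside the deviation bound, and a small trade that stays inside the bound is still priced, at the conservative minimum of spot and TWAP. The numbers differ from the incidents above, but the shape (cheap thin-pool move, large collateral valuation) is the one the page describes, and the TWAP-with-deviation-bound check is one widely used mitigation, not something either affected protocol is stated on this page to have used.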