Cryptohack Roundup: Hacker Yields Control of Tornado Cash
Also: Tron Patches a Big Bug, Binance Privacy Coin Delisting And More
Every week, Information Security Media Group rounds up cybersecurity incidents in the world of digital assets. In the days between May 26 and June 1, Tornado Cash validators regained control after a million-dollar hack, Tron patched a bug that could be exploited for $500 million and Binance said it would delist privacy coins in four European countries. Also, the U.S. SEC settled with two Coinbase insider traders and the Hong Kong police set up a platform to curb the metaverse and Web3 cyber risk.
The Tornado Cash hacker on Saturday handed back control of the decentralized platform to its community after seizing control in late May, as 100% of validators voted in favor of the bad actor's proposal to give them back the reins. The hacker continues to use the crypto mixer to launder digital assets they stole. The hacker exploited the crypto mixer by concealing malicious code in a proposal, which the validators of the governance-run platform passed. This gave the hacker full control of the platform, allowing them to steal $1 million and potentially introduce other malicious proposals or even backdoors for future exploits. The hacker laundered stolen ETH and TRON tokens on Tornado Cash Router, the platform's obfuscation service.
Tron's $500M Vulnerability
Blockchain network Tron fixed a critical bug that hackers could have exploited for $500 million, said 0d, the cybersecurity research team at dWallet Labs that reported the vulnerability. The critical zero-day vulnerability in Tron's multisig accounts could give hackers unrestricted access and the ability to siphon off digital assets in the accounts, its Tuesday blog post said. 0d reported the vulnerability to Tron via a bug bounty program in February, and the blockchain firm fixed it "within days." Tron is among the largest blockchain networks in terms of total value locked, at $6 billion, second only to Ethereum.
Binance's Delisting of Privacy Coins in Europe
Crypto exchange Binance is set to delist 12 privacy coins in certain European countries, ahead of the European Union's new regulation curbing cryptocurrency money laundering. Starting June 26, the crypto exchange will delist Decred, Dash, Zcash, Horizen, PIVX, Navcoin, Secret, Verge, Firo, Beam, Monero and MobileCoin in France, Italy, Poland and Spain, it said in an email to customers.
The European Banking Authority looks to amend its money laundering and terrorist financing risk factor guidelines to address risks that originate from services that contain privacy-enhancing features, potentially including privacy coins.
Coinbase Insider Traders Settle With US SEC
The U.S. Securities and Exchange Commission on Tuesday settled insider trading charges against former Coinbase product manager Ishan Wahi and his brother Nikhil Wahi. The brothers allegedly used insider knowledge to purchase "at least" nine crypto assets before they were listed on Coinbase, the SEC said in a July 2022 complaint. The agency filed a motion for final judgment and sought disgorgement of ill-gotten gains with interest. Both brothers previously pleaded guilty to conspiracy to commit wire fraud. Ishan Wahi received a prison sentence of two years and forfeited 10.97 ether and 9,440 Tether, while Nikhil Wahi received a sentence of 10 months and forfeited $892,500. Their friend Sameer Ramani, also involved in the crime, is at large.
Hong Kong Cops Join Metaverse
The Hong Kong police's cybersecurity unit on Saturday launched a metaverse platform to raise cyber risk awareness of Web3 and the metaverse. Dubbed CyberDefender, the platform will focus on technology crime prevention, as the "decentralized nature of virtual assets in Web3 may also increase the likelihood of cybercriminals targeting endpoint devices, virtual asset wallets and smart contracts," said Ip Cheuk-yu, chief inspector of the Cyber Security and Technology Crime Bureau. Virtual asset crime spiked significantly in Hong Kong in the first quarter of 2023. Victims lost $570 million in the period - a 75% year-on-year increase.