Cryptohack Roundup: $6.1M Wemix Theft

Every week, Information Security Media Group rounds up cybersecurity incidents in digital assets. This week, $6.1M Wemix theft, OKX suspended services, Vermont dropped Coinbase case

Cryptohack Roundup: $6.1M Wemix Theft

Every week, Information Security Media Group is rounding up cybersecurity incidents in digital assets. This week, Wemix was hit by a major crypto theft, siphoners targeted web3 users on Bybit and an old Trezor bug was disclosed.

See Also: OnDemand | NSM-8 Deadline July 2022:Keys for Quantum-Resistant Algorithms Implementation

Wemix Hit by $6.1M Crypto Theft

Hackers stole crypto tokens valued at around $6.1 million from blockchain gaming platform Wemix, Wemix CEO Kim Seok-Hwan said. The attackers targeted Wemix by exploiting stolen authentication keys used for monitoring the non-fungible token platform Nile, which were likely accessed from a compromised shared repository, according to a report by Yonhap News.

Over a period of more than two months, the hackers systematically executed a series of 15 withdrawal attempts, ultimately succeeding in 13, and laundered the funds through multiple exchanges.

Wemix, developed by South Korea’s Wemade, is used to integrate blockchain technology into games such as Mir4. The company had to suspend operations after the attack to migrate its infrastructure to a more secure environment. It aims to resume service by March 21.

OKX Suspends Web3 Services After Lazarus Attempt

OKX is temporarily suspending its decentralized exchange aggregator services to implement security upgrades, following reports that North Korea’s Lazarus Group attempted to launder $100 million worth of stolen cryptocurrency on the platform.

The move comes after a record-breaking $1.5 million heist from Bybit. Despite reports by Blockworks saying that EU regulators are investigating OKX for unregistered activity and potential breaches of European Union’s anti-money laundering regulations, a spokesperson for the exchange told The Block that they are not aware of any such probe.

The exchange said it detected "coordinated misuse" of its services and is taking several steps to prevent further abuse.

Planned security measures include a system to identify and track hacker-linked addresses on its DEX aggregator, alongside the ability to immediately block these addresses on its centralized exchange.

It is also collaborating with blockchain explorers to enhance transparency and introduce clear labels for highlighting suspicious transactions.

Vermont Drops Coinbase Lawsuit After SEC Case Dropped

Vermont’s Department of Financial Regulation has dropped its lawsuit against Coinbase, following the U.S. Securities and Exchange Commission’s decision to dismiss its own case against the crypto exchange.

The state regulator was preparing to sue the exchange again in response to the SEC’s move. Vermont had accused Coinbase of offering unregistered securities through its staking service, aiming to enjoin the exchange from offering the service in the state.

The regulator cited the SEC’s recent plans to form a task force for crypto regulation as a key factor in their decision to withdraw their show cause order without prejudice.

Coinbase Chief Legal Officer Paul Grewal said in a statement that they are pleased to see the case being dropped and that they continue to be engaged with the SEC on forging a clear path forward for the industry.

The lawsuit, filed in June 2023, was part of a broader crackdown by several U.S. states on crypto firms operating without proper registration.

Now, with several cases being dropped or dismissed and the resignation of SEC Chair Gary Gensler, crypto firms appear to be gaining some legal ground.

Earlier this year, Grewal also filed a Freedom of Information Act request to obtain details on the SEC’s crypto enforcement actions and internal deliberations under Gensler’s leadership.

New Remote Access Trojan Targets Crypto Wallet Extensions

Microsoft has identified a new remote access Trojan called StilachiRAT which targets 20 cryptocurrency wallet extensions on Google Chrome.

The malware is capable of stealing sensitive data, installing programs, performing system administration tasks and more. It can also extract saved credentials from Chrome, monitor clipboard activity for sensitive information and tracks active applications.

StilachiRAT is detected by Microsoft Defender Virus Protection as Trojan:Win32/Stilachi and Variant:Trojan/Stilachi. It uses techniques like deleting system logs (e.g., c:/windows/temp) and manipulating Windows registry settings (e.g., "HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun") to achieve persistence on the infected system.

The Trojan can receive commands and report back to a remote command-and-control server, which allows attackers to perform actions like rebooting the system, stealing files, manipulating applications and more.

It is programmed to connect to a specific IP address and port, with a timeout of 30 seconds for establishing the connection.

The targeted crypto wallet extensions include:

MetaMask

Coinbase Wallet

Trust Wallet

TronLink

CCVault

TokenPocket

IX Swap

Guarda

Atomic

Coin98

Bitpie

CoinBurp

Easy