Wormhole cryptotrading company turns over $340,000,000 to criminals
Credit to Author: Paul Ducklin | Date: Fri, 04 Feb 2022 17:38:40 +0000
To misquote (and, indeed, to mispunctuate) Charles Dickens: it was the best of blockchains; it was the worst of blockchains.
This week, cryptocurrency company Wormhole lived up to its name by exposing an exploitable vulnerability that apparently allowed cybercriminals to run off with an eye-watering 120,000 Ether tokens.
Assuming a conversion rate of ETH1 = US$2800, that comes out close to $340,000,000.
You’ll find mention of this cyberheist on Wormhole’s Twitter feed (@wormholecrypto), under an apparently un-ironic heading that describes the company’s business as:
“Interoperability protocol powering the seamless transfer of value and information across 7 high value chains with just one integration”
“Seamless transfer” indeed!
Let’s rewrite history
As pointed out by Elliptic, a company that offers blockchain analytics to assist with compliance, the Wormhole team tried the same trick that was used by cryptocoin company Poly Networks when it was defrauded of more than $600,000,000 in August 2021.
The company apparently asked the crooks nicely, in a comment embedded in a zero-value Ether transaction aimed at the criminals, to give the money back:
Printing out the input data above in ASCII text instead of as hexadecimal codes reveals an apparent offer to redefine the criminals as bona fide researchers and pay out a $10,000,000 bug bounty…
…if the crooks were to reveal the exploit they used:
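The “message in a transaction” trick described above works because a transaction’s input data (the calldata) is just a byte string: block explorers render it as hex, but if the sender stuffed plain text into it, decoding the hex gives the message back. The following is an added example, not code from the article, from Wormhole or from Elliptic; the sample inputs are constructed for this example and are not the real transaction.

```python
"""Decode the `input` (calldata) field of an Ethereum transaction as text.

Added example, not code from the article or from Wormhole/Elliptic. A memo
sent in a zero-value transaction is simply UTF-8 bytes placed where a
contract call would normally put ABI-encoded arguments, so it can be read
back by decoding the hex. Sample inputs below are constructed.
"""
import string

PRINTABLE = set(string.printable) - set("\x0b\x0c")


def calldata_bytes(hex_input: str) -> bytes:
    """Turn a '0x...' hex string (as shown by an explorer or JSON-RPC) into bytes."""
    h = hex_input.strip()
    if h.lower().startswith("0x"):
        h = h[2:]
    if len(h) % 2:
        raise ValueError("hex input has odd length")
    return bytes.fromhex(h)


def looks_like_text(data: bytes, threshold: float = 0.95) -> bool:
    """Heuristic: decode as UTF-8 and require nearly all characters to be printable.

    ABI-encoded calls (4-byte selector plus 32-byte zero-padded words) fail this
    test, so a human-readable memo can be told apart from an ordinary contract call.
    """
    if not data:
        return False
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    printable = sum(1 for ch in text if ch in PRINTABLE or ch.isprintable())
    return printable / len(text) >= threshold


def decode_input_data(hex_input: str) -> str:
    """Return the UTF-8 message if the calldata reads as text, otherwise a short
    description of the binary payload (length and 4-byte function selector)."""
    data = calldata_bytes(hex_input)
    if looks_like_text(data):
        return data.decode("utf-8")
    selector = data[:4].hex()
    return f"<binary calldata: {len(data)} bytes, selector 0x{selector}>"


# --- constructed samples (not the real Wormhole transaction) ---
SAMPLE_MESSAGE = (
    "This is a constructed memo: please return the funds and we will treat "
    "this as a bug bounty."
)
SAMPLE_MEMO_INPUT = "0x" + SAMPLE_MESSAGE.encode("utf-8").hex()

# An ordinary ERC-20 transfer(address,uint256) call: selector a9059cbb followed by
# two 32-byte words (constructed; both words are all zeros here).
SAMPLE_CALLDATA_INPUT = "0xa9059cbb" + "00" * 64

if __name__ == "__main__":
    print(decode_input_data(SAMPLE_MEMO_INPUT))
    print(decode_input_data(SAMPLE_CALLDATA_INPUT))
```

The printable-ratio check is what separates a memo from a normal contract call: ABI-encoded arguments are mostly zero padding and selector bytes that are not valid UTF-8, so they are reported as binary rather than mangled into garbage text.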
We’re sure that anyone who thinks that ransomware payments should be illegalised – and there’s a vocal minority who think they should – will be aghast at this sort of retrospective offer to “give the money back and we’ll write the whole thing up (and off) as legitimate security research”.
Nevertheless, you can understand why a company in Wormhole’s desperate position might make the offer, even if it’s hard to imagine at first thought why crooks who had already – and apparently anonymously – made off with $340,000,000 would waive their anonymity in exchange for a fraction of the amount.
In the Poly Networks hack, the ruse seemed to work: the alleged hacker or hackers did ultimately return most of the stolen funds, with Poly Networks referring to them as “Mr White Hat”, telling them they could keep $500,000, and offering them a role as a security advisor to the business.
Thanks, but no thanks
This time, the cybercriminals don’t seem to have come to the party.
Instead, vaguely mysterious blockchain startup Jump Crypto seems to have, hmmm, jumped in with money of its own to backfill the third-of-a-billion-sized, ahhh, wormhole opened up by Wormhole’s exploitable cryptocurrency code:
.@JumpCryptoHQ believes in a multichain future and that @WormholeCrypto is essential infrastructure. That’s why we replaced 120k ETH to make community members whole and support Wormhole now as it continues to develop.
— Jump Crypto 🦬 (@JumpCryptoHQ) February 3, 2022
So, according to Wormhole, “All funds have been restored and Wormhole is back up,” and, “The team is working on a detailed incident report and will share it asap.”
Not a word about the disaster, however, on Wormhole’s blog or website, which still leads unashamedly with the words THE BEST OF BLOCKCHAINS in giant text…
…albeit with an unintentionally hyper-accurate strapline underneath in tiny characters: “Move information and value anywhere.”
What to do?
As the saying goes, you couldn’t make this stuff up.
So, as we did after the Poly Networks hack, where customers’ funds similarly vanished and later reappeared as if by magic, we’ll leave you with some general cryptotrading advice, rather than anything specific to this incident:
- If you’re thinking of getting into the cryptocurrency scene, never invest more than you can afford to lose. And when we say “lose”, we mean “lose everything”, not merely “fail to make any profit”. There are more than 10,000 different cryptocoins currently in existence, many of which were kicked off by cash injections from early investors. Not all cryptocoins can or will follow the Bitcoin pattern of going from a few cents in value in 2010 to just under $40,000 each in February 2022. Even worse, some are unreconstructed scams in which the “creators” of the cryptocoinage collect startup funds from early investors in what’s known as an ICO (initial coin offering), only to run off without ever establishing a new cryptocurrency or trading site at all.
- If you plan to buy and hold cryptocurrency, keep as much as you can offline in what’s known as a cold wallet. A cold wallet is an encrypted file that you keep where you won’t lose track of it, and where other people can’t use it unless they know your password. Be careful of trusting too much of your investment to hot wallet situations, where you need to trust other people totally, just so you can trade faster and more aggressively.
We started by misquoting Mr Charles Dickens, so we’ll end by reminding you that the quotation goes on to say, “It was the age of wisdom, it was the age of foolishness, it was the epoch of belief, it was the epoch of incredulity.”
Remember that trust is quick to evaporate precisely because it is supposed to take time to gain in the first place.