Web3 projects have lost more than $2 billion to hacks this year

In the first six months of 2022, Web3 projects have lost more than $2 billion to hacks and exploits — more than all of 2021 combined.

That’s according to research from blockchain auditing and security company CertiK, which on Thursday released its quarterly Web3 security report covering Q2 of this year. The report paints a sobering picture of a cryptocurrency space still plagued by hacks, scams, and phishing schemes while also facing relatively new threats like flash loan attacks.

CertiK puts particular focus on this last category of threat, which has been created by the invention of flash loans: a decentralized finance mechanism that lets borrowers access extremely large amounts of cryptocurrency for very short periods of time. If used maliciously, flash loans can be used to manipulate the value of a certain token on exchanges or buy up all of the governance tokens in a project and vote to withdraw all of the funds, as happened to Beanstalk in April.

In total, CertiK’s report claims that a total of $308 million was lost across 27 flash loan attacks in Q2 2022 — an enormous increase compared to just $14 million lost to flash loans in Q1.

Phishing attacks also increased in frequency between Q1 and Q2 of this year, with CertiK recording 290 in the most recent quarter compared with 106 in the first three months of the year. Discord was the vector for the vast majority of phishing attempts, a signal of its continuing popularity as the social network of choice for the cryptocurrency and NFT scene, despite ongoing security concerns.

In slightly more positive news, so-called “rug pulls” — where the founders of a project halt development and abscond with the funds — are becoming less common, though tens of millions of dollars were still lost in this way. CertiK found that a total of $37.46 million was lost to rug pulls in Q2 of this year, down 16.5 percent from the previous quarter, though the report attributes much of this decrease to the current crypto winter, which may be driving away the less experienced investors who are likely to be fooled by scam projects.

Repost: Original Source and Author Link

Tech News

Brain genius hacks an Apple AirTag… but don’t panic

When I hear something’s been hacked, it conjures images of Le Carré-style spies and national security leaks, but this isn’t always the case. Sometimes, it’s just a brain genius hacking an Apple AirTag.

Over the weekend, Twitter user Stacksmashing managed to break into Apple’s tracking device. They also managed to dump the firmware of Apple’s new device (although this hasn’t been made public).

Feast your eyes on this:

We can all agree on one thing: this is cool. Apple is renowned for the strong security of its devices, so actually hacking an AirTag is a fantastic achievement. But there’s a bigger question to answer…

Should we be worried that someone hacked an AirTag?

Let’s try and break this down logically. First, we need to find out exactly what Stacksmashing managed to achieve. From a user perspective, the most notable element is they managed to alter the NFC URL.

Effectively, when you tap an AirTag with your phone, it normally directs you to Apple’s Find My service. Stacksmashing managed to alter this so it opened a website of their choice. Like this:

Obviously this could be used to redirect someone towards a malicious website, but this hacked AirTag opens up another question: can it be used for even more nefarious purposes?

A point raised in the Twitter thread is whether or not this hacked or jailbroken AirTag could be used for tracking and recording. Effectively, someone could disable anti-stalking measures and follow you. It’s also broadly possible to use the accelerometer inside the hardware to record audio. In other words, an AirTag could become a spying device.

So… should you be worried?

Not really. At least not yet. In order to hack the AirTag, Stacksmashing had to take it apart, whip out the soldering iron, and power it externally. In other words, if someone’s going to do this with an AirTag you own, it’s gonna take a lot of time and access.

If someone really wants to spy on you, there are far easier ways to do than this. An AirTag being hacked isn’t going to impact you currently.

Really, we should be pleased that someone’s managed this feat. Apple is bound to take note of this and, hopefully, will take further steps to ensure that these devices can’t be easily used to erode someone’s privacy.

Still, massive respect to Stacksmashing. This is cool as fuck.

Did you know we have a newsletter all about consumer tech? It’s called Plugged In –
and you can subscribe to it right here.

Repost: Original Source and Author Link