Categories
Security

Thief steals $1 million of Bored Ape Yacht Club NFTs with Instagram hack

A hacker has stolen NFTs worth millions of dollars after compromising the official Instagram account for Bored Ape Yacht Club (BAYC) and using it to post a phishing link that transferred tokens out of users’ crypto wallets.

The hack was disclosed on Twitter by BAYC just before 10AM ET on Monday morning. “There is no mint going on today,” the Tweet read. “It looks like BAYC Instagram was hacked.”

Another tweet from a user unaffiliated with the project claimed to show the image that had been posted from the BAYC account, promoting an “airdrop” — essentially a free token giveaway — for any users who connected their MetaMask wallets.

Unfortunately, BAYC’s warning came too late for a number of holders of the extremely expensive Bored Ape NFTs, along with many other valuable NFTs stolen in the hack. A screenshot posted by one Twitter user showed an OpenSea page for the hacker’s account receiving more than a dozen NFTs from the Bored Ape, Mutant Ape, and Bored Ape Kennel Club projects — all presumably taken from users who connected their wallets after clicking on the phishing link.

The profile page tied to the hacker’s wallet address was no longer visible on OpenSea at time of publication. OpenSea head of communications Allie Mack confirmed to The Verge that the hacker’s account had been banned on the platform, as OpenSea’s terms of service prohibited fraudulently obtaining items or otherwise taking them without authorization.

But given the decentralized nature of NFTs, the contents of the hacker’s wallet can still be viewed on other platforms. Seen through the NFT platform Rarible, the wallet contained 134 NFTs, among them four Bored Apes and many other items from projects made by Yuga Labs, the creators of BAYC, such as Mutant Apes and Bored Ape Kennel Club.

Independently, each of the stolen Apes is worth well into six figures based on the most recent sale price. The lowest priced Ape, #7203, last sold four months ago for 47.9 ETH — equivalent to $138,000 at current exchange price. Ape #6778 was last sold for 88.88 ETH ($256,200), while Ape #6178 sold for 90 ETH or $259,400. And Bored Ape #6623 was the most valuable of all, sold three months ago for 123 ETH ($354,500) — meaning that collectively the total value of the four stolen Apes is just over $1 million.

It is not known yet how the hacker was able to compromise the project’s Instagram account. In a statement sent to The Verge by email and also posted on Twitter, Yuga Labs said that two-factor authentication was enabled at the time of the attack and that the security of the Instagram account followed best practices. Yuga Labs also said that the team was actively working to establish contact with affected users.

Though NFTs can be bought and sold for huge sums of money, they are often held in smartphone wallets rather than more secure environments because the popular decentralized crypto wallet application MetaMask only supports NFT display on mobile. It also encourages users to manage NFTs through the smartphone app rather than the browser-based extension. This means that the use of Instagram to deliver a phishing link is an effective way to steal NFTs, as the phishing link is more likely to be interacted with from a mobile wallet.

While security advice in the crypto space suggests NFT holders never connect their wallet to an unknown or untrusted third party, the fact that the phishing link was sent through the official BAYC social media account likely convinced the victims that it was legitimate, raising difficult questions about where exactly the fault lies.

Yuga Labs did not respond to an email from The Verge asking whether victims of the hack would be compensated by the project for their losses.



Repost: Original Source and Author Link

Categories
Game

‘Diablo Immortal’ has reportedly earned $24 million since release

Two weeks after release, Blizzard’s Diablo Immortal has earned approximately $24 million, according to an estimate from an analytics firm. The firm said the free-to-play game was downloaded almost 8.5 million times over the same timeframe, with 26 percent of downloads originating in the US. The bulk of Blizzard’s revenue from Diablo Immortal has also come from America: to date, US players have contributed about 43 percent of the game’s earnings.

To put Immortal’s early financial success in context, Hearthstone, the only other mobile game Blizzard has released, earned about $5 million in May. Despite the vocal backlash to Immortal’s monetization systems, it’s probably safe to say no one expected the game to fail out of the gate. Instead, the worry for many fans was a scenario where Immortal was so successful for Blizzard that it went on to inform how the studio monetizes its future games.

For the time being, that fear seems unfounded. Diablo franchise general manager Rod Fergusson recently said that Diablo IV would feature a different set of monetization systems than Immortal. “To be clear, D4 is a full-price game built for PC/PS/Xbox audiences,” he tweeted after the game was shown at Microsoft’s Summer Game Fest event. Separately, Blizzard announced this week Overwatch 2 .

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.


Categories
Security

Beanstalk founders dismissed concerns about governance attacks before losing $182 million

On April 17th, the decentralized finance (DeFi) project Beanstalk Farms was exploited for $182 million after an attacker mounted a lightning-fast hostile takeover, buying a controlling stake of tokens and immediately voting to send themself all of the funds.

The incident sparked discussion around “governance attacks,” a way of manipulating blockchain projects that use decentralized governance structures by gaining enough voting rights to reshape the rules.

In the wake of the attack, chat logs and video evidence show that the founders were warned about the risk of exactly this kind of attack, but they dismissed community members’ concerns.

The Beanstalk exploit was made possible by another DeFi mechanism known as a “flash loan,” which allows users to borrow large amounts of cryptocurrency for very short periods of time. In the case of the recent hack, the attacker borrowed close to $1 billion in cryptocurrency assets through a service called Aave, exchanged them for a 67 percent share in the Beanstalk project, voted through their own proposal to withdraw the entire treasury, and returned the borrowed funds — all in less than 13 seconds.

Though the attack shocked Beanstalk users — some of whom claimed to have lost six-figure sums of money — the threat of a governance attack was raised in Beanstalk’s Discord server months previously and in at least one public AMA session held by Publius, the development team behind the project.

On February 12th, in a discussion room centered around a proposal to accept more kinds of cryptocurrency tokens in the “Silo” (Beanstalk’s central fund reserve), a user with the screenname Mr Mochi wrote:

Because of governance attacks, bribes and voter manipulation, governance doesn’t always go as it should. Is this a risk we are willing to take or will there also be an Emergency DAO (like Curve’s) who can block potential attacks?

Later they added:

There’s absolutely ways to mitigate some of this concern in an elegant manner … As far as I can tell, the current rule-set does not account for flash loan governance attacks or rugpull tokens.

Replying to the comment, a Publius admin account wrote that such manipulation was “not a concern in any capacity until Stalk [governance token] is liquid.”

A concern about flash loans was also raised in an AMA-style session hosted by Publius on April 12th, a video of which is available on YouTube. Around 6 minutes into the video, a participant asks via chat: “Can the team go into … why the protocol isn’t susceptible to flash loan type attacks?”

In response, a member of Publius discusses protections against price manipulation via flash loans but doesn’t address the possibility of flash loan-driven governance attacks.

With Beanstalk’s assets entirely depleted by the attack, the project has launched a 10-day fundraiser to try to replenish the lost funds. Without the benefit of VC funding, the company lacks the kind of deep pockets that have helped other hacked protocols backstop even bigger losses. But with the fate of the company hanging in the balance, the success of the fundraiser will depend largely on the community’s trust in the founding team to not make similar mistakes again.

Reached via Discord, Publius had not responded to a request for comment by time of publication.




Categories
Security

Block is contacting 8.2 million customers after a former employee downloaded company reports

Block, the parent company of products like Cash App and Tidal, said in an SEC filing that a former employee downloaded “certain reports” that “contained some US customer information” without permission from Cash App Investing (via Protocol).

Data in the reports, which Block said were downloaded on December 10th, included “full name and brokerage account number” and for “some customers” included “brokerage portfolio value, brokerage portfolio holdings and/or stock trading activity for one trading day.” The employee, who downloaded the data after they had left the company, had access to the reports “as part of their past job responsibilities,” according to Block, which implies that this access was not revoked when their employment ended.

“The reports did not include usernames or passwords, Social Security numbers, date of birth, payment card information, addresses, bank account information, or any other personally identifiable information,” Block said. “They also did not include any security code, access code, or password used to access Cash App accounts. Other Cash App products and features (other than stock activity) and customers outside of the United States were not impacted.” Block says it is contacting “approximately 8.2 million current and former customers” in regards to the incident.

“At Cash App we value customer trust and are committed to the security of customers’ information,” Cash App spokesperson Danika Owsley said in a statement to The Verge. “Upon discovery, we took steps to remediate this issue and launched an investigation with the help of a leading forensics firm. We know how these reports were accessed, and we have notified law enforcement. We are also contacting customers whose data was impacted. In addition, we continue to review and strengthen administrative and technical safeguards to protect information.”

Update April 5th, 7:34PM ET: Added Cash App statement.


Categories
Game

Claims process begins in $18 million Activision Blizzard harassment settlement

The US Equal Employment Opportunity Commission (EEOC) has begun accepting claims related to Activision Blizzard’s $18 million settlement with the agency. Starting today, current and former US employees of the publisher who believe they experienced sexual harassment or gender discrimination while working at its offices from September 1st, 2016 to March 29th, 2022 can file for an award. Those who decide to take part in the claims process can also make specific non-monetary requests of Activision Blizzard and the EEOC. For instance, they can ask that the publisher remove harmful documents such as disciplinary notices from their personnel file.

It will be interesting to see how many workers apply for an award. When the settlement was first approved by a federal judge in late March, many current and former Activision Blizzard employees criticized the EEOC for not going nearly far enough to hold the company accountable. The fact claimants won’t be able to take part in future litigation against Activision Blizzard, including the ongoing lawsuit from California’s fair employment agency, may also make some workers reluctant to file. Then there’s the amount itself. Former employee Jessica Gonzalez is appealing the settlement on the basis that $18 million is insufficient redress for everyone who may come forward with a claim against Activision Blizzard.



Categories
Security

US blames North Korean hacker group for $625 million Axie Infinity theft

The US Treasury Department blames North Korean hacking group Lazarus for stealing $625 million in cryptocurrency from the Ronin network, the blockchain backing the Axie Infinity play-to-earn crypto game, according to a report from Vice. On Thursday, the Department of Treasury updated sanctions to include the wallet address that received the funds and attributed it to the Lazarus group.

In an updated post about the incident, the Ronin network, which is owned by developer group Sky Mavis, explains the US Department of Treasury and FBI have pinned the attack on Lazarus. “We are still in the process of adding additional security measures before redeploying the Ronin Bridge to mitigate future risk,” the post reads. “We expect to deliver a full post mortem that will detail security measures put in place and next steps by the end of the month.” Ronin says it will bring its bridge back online “by the end of the month.” The bridge allows users to transfer funds between other blockchains and Axie Infinity and has been blocked off since the attack.

As noted by Vice, the flagged wallet address currently contains over $445 million USD (148,000 ETH) and sent almost $10 million (3,302.6 ETH) to another address less than a day ago. Crypto transaction tracker Etherscan labels the address as “reported to be involved in a hack targeting the Ronin bridge.”

On March 29th, hackers made off with $625 million worth of Ethereum in one of the biggest crypto heists to date. According to cryptocurrency investigation group Chainalysis, the Lazarus group is tied to North Korea’s intelligence agency and was responsible for seven attacks last year. The group gained notoriety for hacking Sony Pictures in 2014, leaking The Interview, a comedy set in North Korea directed by Seth Rogen. It later used Trojan malware to steal millions from ATMs across Asia and Africa in 2018 and has also been linked to WannaCry ransomware.


Categories
Security

Beanstalk cryptocurrency project robbed after hacker votes to send themself $182 million

On Sunday, an attacker managed to drain around $182 million of cryptocurrency from Beanstalk Farms, a decentralized finance (DeFi) project aimed at balancing the supply and demand of different cryptocurrency assets. Notably, the attack exploited Beanstalk’s majority vote governance system, a core feature of many DeFi protocols.

The attack was spotted on Sunday morning by blockchain analytics company PeckShield, which estimated the attacker’s net profit at around $80 million of the total stolen, the remainder having gone to repaying the borrowed funds that were required to perform the attack.

Beanstalk admitted to the attack in a tweet shortly afterward, saying they were “investigating the attack and will make an announcement to the community as soon as possible.”

Beanstalk describes itself as a “decentralized credit based stablecoin protocol.” It operates a system where participants earn rewards by contributing funds to a central funding pool (called “the silo”) that is used to balance the value of one token (known as a “bean”) at close to $1.

Like many other DeFi projects, the creators of Beanstalk, a development team called Publius, included a governance mechanism where participants could vote collectively on changes to the code. Participants obtained voting rights in proportion to the value of the tokens they held, and because that weight was measured from current holdings, anyone who could briefly acquire enough tokens could pass a proposal. That design proved to be the project’s undoing.

The attack was made possible by another DeFi product called a “flash loan,” which allows users to borrow large amounts of cryptocurrency for very short periods of time (minutes or even seconds). Flash loans are meant to provide liquidity or take advantage of price arbitrage opportunities but can also be used for more nefarious purposes.

According to analysis from blockchain security firm CertiK, the Beanstalk attacker used a flash loan obtained through the decentralized protocol Aave to borrow close to $1 billion in cryptocurrency assets and exchanged these for enough beans to gain a 67 percent voting stake in the project. With this supermajority stake, they were able to approve the execution of code that transferred the assets to their own wallet. The attacker then instantly repaid the flash loan, netting an $80 million profit.

A flash loan must be borrowed and repaid within a single transaction, so the entire process, from taking the loan through the vote and the withdrawal to repayment, took place inside one Ethereum block, in less than 13 seconds.
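The sequence described here and in the earlier Beanstalk piece (borrow, vote with the borrowed weight, execute, repay, all in one transaction) simulated in Python as an added example. This is not Beanstalk’s, Aave’s or Publius’ code: the addresses, balances, the two-thirds threshold and the treasury figure (a stand-in for the reported $182 million) are constructed, and the attacker borrows the governance token directly rather than swapping borrowed stablecoins for it, which simplifies the setup without changing the mechanics. The same model shows the usual mitigation, counting votes from a balance snapshot taken in an earlier block, and why a timelock on its own is not enough when vote weight is recorded from live balances.

```python
"""Flash-loan governance attack, simulated, with and without vote snapshots.

Constructed example for this page, not Beanstalk's, Aave's or Publius' code.
Addresses, balances, the two-thirds threshold and the treasury figure (a
stand-in for the reported $182 million) are invented.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


class GovernanceError(Exception):
    """A governance call that a contract would revert."""


class FlashLoanError(Exception):
    """A loan that was not repaid; on-chain the whole transaction reverts."""


@dataclass
class Proposal:
    proposer: str
    action: str                   # "drain" pays the treasury to the proposer
    created_block: int
    snapshot: Dict[str, int]      # balances at the end of the previous block
    votes_for: int = 0


@dataclass
class Governance:
    balances: Dict[str, int]      # live governance-token balances
    treasury: int                 # protocol funds that governance controls
    snapshot_voting: bool         # hardened: vote weight comes from the snapshot
    timelock_blocks: int          # hardened: delay between proposal and execution
    block: int = 1
    history: List[Dict[str, int]] = field(default_factory=list)
    proposals: Dict[int, Proposal] = field(default_factory=dict)

    def __post_init__(self) -> None:
        self.history.append(dict(self.balances))   # end-of-block-0 balances

    def advance_block(self) -> None:
        self.history.append(dict(self.balances))
        self.block += 1

    def propose(self, who: str, action: str) -> int:
        pid = len(self.proposals)
        self.proposals[pid] = Proposal(who, action, self.block, dict(self.history[-1]))
        return pid

    def vote(self, pid: int, who: str) -> None:
        p = self.proposals[pid]
        source = p.snapshot if self.snapshot_voting else self.balances
        p.votes_for += source.get(who, 0)

    def execute(self, pid: int) -> int:
        p = self.proposals[pid]
        supply = sum(p.snapshot.values() if self.snapshot_voting else self.balances.values())
        if 3 * p.votes_for < 2 * supply:                  # two-thirds supermajority
            raise GovernanceError("supermajority not reached")
        if self.block < p.created_block + self.timelock_blocks:
            raise GovernanceError("timelock not elapsed")
        if p.action == "drain":
            paid, self.treasury = self.treasury, 0
            return paid
        return 0


def flash_loan(gov: Governance, lender: str, borrower: str, amount: int,
               body: Callable[[], int]) -> int:
    """Lend `amount` tokens for the duration of `body`; they must be back before it returns."""
    if gov.balances.get(lender, 0) < amount:
        raise FlashLoanError("insufficient liquidity")
    gov.balances[lender] -= amount
    gov.balances[borrower] = gov.balances.get(borrower, 0) + amount
    result = body()
    if gov.balances[borrower] < amount:
        raise FlashLoanError("loan not repaid, transaction reverts")
    gov.balances[borrower] -= amount
    gov.balances[lender] += amount
    return result


def run_attack(snapshot_voting: bool, timelock_blocks: int) -> Tuple[str, object]:
    """Return ("drained", amount) or ("blocked", reason) for the given governance settings."""
    gov = Governance(
        balances={"holder_a": 300, "holder_b": 200, "lending_pool": 1500, "attacker": 10},
        treasury=182_000_000, snapshot_voting=snapshot_voting, timelock_blocks=timelock_blocks)
    gov.advance_block()            # honest holders have existed for at least one block
    pid = -1

    def inside_one_transaction() -> int:
        nonlocal pid
        pid = gov.propose("attacker", "drain")
        gov.vote(pid, "attacker")  # 1510 of 2010 tokens if counted live: 75 percent
        try:
            return gov.execute(pid)
        except GovernanceError:
            return 0               # attacker contract swallows the failure, keeps the proposal

    loot = flash_loan(gov, "lending_pool", "attacker", 1500, inside_one_transaction)
    if loot == 0:                  # loan repaid; wait out the timelock and try again
        for _ in range(timelock_blocks):
            gov.advance_block()
        try:
            loot = gov.execute(pid)
        except GovernanceError as exc:
            return ("blocked", str(exc))
    return ("drained", loot)
```

With live vote counting and no delay, `run_attack(False, 0)` drains the treasury inside the loan. Adding only a one-block timelock, `run_attack(False, 1)`, still loses: the vote recorded with borrowed weight survives repayment, and the attacker simply executes in the next block with 10 tokens in hand. Counting weight from the previous block’s snapshot, `run_attack(True, 1)`, blocks the proposal, because the borrowed tokens do not exist in that snapshot; the timelock then buys honest holders time to react to a proposal that did gather real weight.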

“We are seeing an increasing trend in flash loan attacks this year,” said CertiK CEO and co-founder Ronghui Gu. “These attacks further emphasize the importance of a security audit, and also being educated about the pitfalls of security issues when writing Web3 code.”

DeFi services inherit the integrity guarantees of the underlying blockchain, but the application logic layered on top is complex and hard to audit fully, which makes such projects an attractive target for hackers. In the case of the Beanstalk hack, the Publius team admitted that they had not included any provision to mitigate the possibility of a flash loan attack, although presumably this was not apparent until the situation occurred.

A request for comment (sent to the Publius team through Discord) has not yet received a response as of press time.

Brian Pasfield, CTO at cryptocurrency lending platform Fringe Finance, said that decentralized governance structures (known as DAOs) could also create problems.

“DAO governance is currently trending in DeFi,” Pasfield said. “While it is a necessary step in the decentralization process, it should be done gradually and with all the possible risks carefully weighted. Developers and administrators should be aware of new points of failure that can be created by developers or DAO members intentionally or by accident.”

For investors in Beanstalk who have lost their staked coins, there may be little recourse. In a message posted immediately after the hack, the Beanstalk founders wrote that it was “highly unlikely” the project would receive a bailout since it had not been developed with VC backing, adding “we are fucked.”

In the project’s Discord server, many users claim to have lost tens of thousands of dollars of invested cryptocurrency. Since the attack, the hacker has been moving funds through Tornado Cash, a privacy-focused mixer service that has become a go-to step in laundering stolen cryptocurrency funds. With much of the stolen money now obscured, it’s unlikely to be traced and returned.

In the wake of the attack, the value of the BEAN stablecoin has tanked, breaking the $1 peg and trading for around 14 cents on Monday afternoon.




Categories
Security

US State Department announces $10 million bounty after Costa Rica ransomware attack

In the wake of a massive ransomware attack on the Costa Rican government in April, the US government issued a notice last week declaring a bounty potentially worth millions of dollars on people involved with the Conti ransomware used in the hack. Rodrigo Chaves Robles, Costa Rica’s recently sworn-in president, declared a national emergency due to the attack, according to CyberScoop.

According to BleepingComputer, the ransomware attack affected Costa Rica’s Ministry of Finance and Ministry of Labor and Social Security, as well as the country’s Social Development and Family Allowances Fund, among other entities. The report also says that the attack affected some services from the country’s treasury starting on April 18th. Hackers not only took down some of the government’s systems, but they’re also leaking data, according to CyberScoop, which notes that almost 700GB of data has made its way onto Conti’s site.

Image: US State Department reward notice. The Bureau of International Narcotics and Law Enforcement Affairs (INL) offers rewards of up to $10,000,000 for information leading to the identification or location of key leaders, and up to $5,000,000 for information leading to the arrest and/or conviction of the Owners/Operators/A... of the Conti ransomware-as-a-service group. Tips to the FBI by phone or internet: +1-800-CALL-FBI (+1-800-225-5324).

The US State Department says the attack “severely impacted the country’s foreign trade by disrupting its customs and taxes platforms” and offers “up to $10 million for information leading to the identification and/or location” of the organizers behind Conti. The US government is also offering $5 million for information “leading to the arrest and/or conviction of any individual in any country conspiring to participate in or attempting to participate” in a Conti-based ransomware attack.

Last year, the US offered similar bounties on REvil and DarkSide (the group behind the Colonial Pipeline attack). REvil is largely thought to be defunct after the US reportedly hacked the group’s servers and the Russian government claimed to have arrested several members.

The Costa Rican government isn’t the only entity to fall victim to Conti’s ransomware. As Krebs On Security notes, the group is particularly infamous for targeting healthcare facilities such as hospitals and research centers.

The gang is also known for having its chat logs leaked after it declared full support for Russia’s government shortly after the invasion of Ukraine began. According to CNBC, those logs showed that the group behind the ransomware was having organizational issues: people weren’t getting paid, and arrests were happening. As with many ransomware operations, however, the software itself was also used by “affiliates,” other actors who deployed it to carry out their own attacks.

In Costa Rica’s case, the attacker claims to be one of these affiliates and says that they aren’t part of a larger team or government, according to a message posted by CyberScoop. They have, however, threatened to carry out “more serious” attacks, calling Costa Rica a “demo version.”


Categories
Game

‘Stardew Valley’ has sold more than 20 million copies

Six years after its initial release, Stardew Valley has sold more than 20 million copies. Creator Eric Barone shared news of the accomplishment in an update posted on the game’s website and in an interview with PC Gamer. “The 20 million copies milestone is really amazing,” he told the outlet.

But what’s even more impressive is the increasing pace of Stardew Valley’s sales. It took four years for the game to sell its first 10 million copies. Since September 2021, it has sold 5 million units. “The average daily sales of Stardew Valley are higher today than at any point,” Barone said. “I’m not exactly sure why that is. My hope is that the game is just continuing to spread via word of mouth, and the more people that are playing it, the more people will share the game with their friends.”

Barone told PC Gamer he plans to continue working on Stardew Valley but is now primarily focused on a new action RPG he announced last fall. “Ultimately I have to follow my heart or else the quality of the content will suffer,” Barone said.

Twenty million copies sold is an impressive feat for any game, let alone one that a single person developed. Barone began working on Stardew Valley after graduating with a computer science degree from the University of Washington Tacoma. He found that he couldn’t land a position in his field following the 2008 financial crisis, so he started developing the game to hone his craft. He then spent the next four years working on the project before finally releasing Stardew Valley at the start of 2016. Bloomberg journalist Jason Schreier documents the entire saga in his excellent 2017 book.



Categories
Game

A hacker named Bowser agrees to pay Nintendo $10 million to settle a civil piracy suit

A Canadian hacker named Gary Bowser (yes, like Mario’s nemesis) has agreed to pay Nintendo $10 million to settle a civil piracy suit. Bowser, who was part of the Switch hacking group Team Xecuter, was accused of being part of a “cybercriminal enterprise that hacked leading gaming consoles.” Nintendo argued Bowser violated the company’s copyright, and it seems the hacks were not in another castle.

News of the settlement emerged several weeks after Bowser pleaded guilty to federal charges in a separate criminal case. He was fined $4.5 million in that case and faces up to 10 years in prison. Bowser, who was arrested in the Dominican Republic in October 2020 and deported to the US, admitted to having “developed, manufactured, marketed, and sold a variety of circumvention devices” that let people play ROMs on consoles.



