Crypto Protocol Publicly Announces Flaw, Users Relentlessly Owned by Hackers

January 19, 2022 Off By Lorenzo Franceschi-Bicchierai

Earlier this week, a platform that allows users to swap tokens between blockchains publicly announced that there was a flaw that made accounts vulnerable to hackers. The announcement, predictably, prompted several hackers to rush and try to exploit the vulnerability. One of them stole more than $1.4 million dollars, and another one offered victims to return 80 percent of the funds they stole in a message posted to the Ethereum blockchain, keeping the rest as “tips for me saving your money” on Wednesday.

In just a few hours since the second hackers’ announcement, all hell has broken loose. 

In the official Telegram channel of Multichain, the platform that was previously known as Anyswap, countless victims are asking whether the company will return their money, and complaining that scammers are trying to impersonate the company in an attempt to steal even more money from victims.

“How long will this process take I don’t understand how no one [is] making a big deal about this exploit and the team seams [sic] to just be brushing it if like no big deal wtf,” a user wrote. “This is just ridiculous over 400 ether get exploited and we just gunna act like no big deal.”

Another user doubled down: “How is the team not making this their priority ppl lost wether [wrapped ether] and seems like nobody cares shouldn’t u guys be able to see all the wallets that have been affected. The ticket didn’t have an option for lost wether from the hack.”

Do you have any information about this hack? Or do you research vulnerabilities on cryptocurrencies and their networks? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr/Telegram/Wire @lorenzofb, or email lorenzofb@vice.com

“What are the affected contact addresses,” asked another user. “Again you are basically asking users to trust your UI to be comprehensive. Why should I trust that if there are no token removal buttons, then I’m safe?”

“God damn I got a lot of Dm’s from scammers after that question,” another user complained. 

A Multichain developer and Telegram channel admin, who goes by Marcel, said that the team is taking actions, “just not public ones yet.”

“It is a big deal,” Marcel added. “Please stay calm.” 

multichain-telegram.jpg
A screenshot of the Multichain Telegram channel. (Image: Motherboard)

Multichain did not immediately respond to a request for comment. Marcel said he passed the message to the company’s “response team” in China, who would respond when they wake up. 

Meanwhile, more hackers have joined the heist, with more than $1 million stolen since Wednesday afternoon for a total of roughly $3 million, according to Tal Be’ery, a cybersecurity researcher who has been monitoring the hack. 

In a bizarre twist, one of the victims of the hack, who lost around $1 million, is trying to negotiate with the second hacker who posted a message on the blockchain, offering a reward if the hacker gives back the money, also on the blockchain. 

“First and foremost thanks for getting the weth. I was not aware of the hack and realized the situation only because the weth never arrived in my wallet after the cowswap transaction,” the victim wrote in a message spotted by Be’ery, who is chief technology officer of ZenGo, a crypto wallet app. “Considering the amount at stake, would you accept 50 eth as a fair tip?”

Be’ery criticized Multichain for the way it handled the vulnerability, saying that by announcing it publicly before notifying all users, the company tipped the hackers and prompted them to start stealing money. 

In an online chat, Be’ery said Multichain should win the Pwnie Award, a tongue-in-cheek award that gets handed out at the Black Hat cybersecurity conference in Las Vegas, “for the worst way to treat a vulnerability.”

Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.