88% of Nomad Bridge exploiters were 'copycats' — Report

Published at: Aug. 11, 2022

Close to 90% of addresses taking part in the $186 million Nomad Bridge hack last week have been identified as “copycats,” making off with a total of $88 million worth of tokens on Aug. 1, a new report has revealed.

In an Aug. 10 Coinbase blog, authored by Peter Kacherginsky, Coinbase's principal blockchain threat intelligence researcher, and Heidi Wilder, a senior associate of the special investigations team, the pair confirmed what many had suspected during the bridge hack on Aug. 1 — that once the initial hackers figured out how to extract funds, hundreds of “copycats” joined the party.

According to the security researchers, the “copycat” method was a variation of the original exploit, which used a loophole in Nomad's smart contract that allowed users to extract funds from the bridge that weren't theirs.

The copycats then copied the same code but modified the target token, token amount, and recipient addresses.

But while the first two hackers were the most successful (in terms of total funds extracted), once the method became apparent to the copycats, it became a race for all involved to extract as many funds as possible.

The Coinbase analysts also noted that the original hackers first targeted the Bridge’s wrapped-Bitcoin (wBTC), followed by USD Coin (USDC) and wrapped-ETH (wETH).

As the wBTC, USDC and wETH tokens were present in the largest concentrations in the Nomad Bridge, it made sense for the original hackers to first extract these tokens.

White-hat efforts

Surprisingly, Nomad Bridge’s request that stolen funds be sent back yielded a 17% return (as of Aug. 9), with the majority of those tokens being in the form of USDC (30.2%), Tether (USDT) (15.5%), and wBTC (14.0%).

Because the original hackers mostly exploited wBTC and wETH, the fact that most of the returned funds came in the form of USDC and USDT suggests that the majority of the funds returned were from white-hat “copycats.”

Meanwhile, approximately 49% of the exploited funds (as of Aug. 9) have been transferred elsewhere from the recipient addresses.


Coinbase also noted that the first three recipient addresses were funded by Tornado Cash, an Ethereum-based protocol that allows users to transact anonymously. On Monday, the U.S. Treasury sanctioned all USDC and ETH addresses linked to the protocol.

The Nomad Bridge hack has become the fourth largest DeFi hack ever and the third biggest in 2022, following the $250 million Wormhole Bridge hack in February and the $540 million Ronin Bridge hack in March. Cross-chain bridges of these kinds have been accused of being too centralized, making them ideal targets for attackers to exploit.
