Hacker makes off with $5.7M after ransacking social token platform

Published at: March 16, 2021

Social token platform Roll suffered a hot wallet breach, resulting in hackers draining at least 3,000 ETH worth $5.7 million on March 15. 

At roughly 8am UTC, digital asset management platform MyCrypto reported that a hacker may have compromised the private keys for Roll’s hot wallet, allowing them to transfer funds from users’ accounts at will.

After approximately 12 hours, Roll responded to the attack, announcing the hacker had stolen and liquidated a large number of tokens, and that withdrawals had been suspended across the platform:

“The attacker has sold all the tokens. There is no further user action suggested.”

Roll added that it had launched a $500,000 fund to “help creators and their communities” affected by the incident.

The attacker stole 11 different social tokens, including $WHALE, $RARE, and $PICA. The stolen funds were then transferred to Tornado Cash, a privacy tool often used by hackers to launder stolen funds. The hacker then traded the tokens for Ether on the popular decentralized exchange, Uniswap.

Markets for the tokens stolen in the breach began to dump within hours of the attack, quickly accumulating losses of more than 90%. Some of the worst-hit included $PICA, $WHALE, and $FWB, which plummeted 99.6%, 99.3%, and 92.35% respectively.

As a result of the attack, the market cap of social tokens on the platform fell from $1.5 billion as of March 12 to $365 million as of this writing.

With only 2.17% of its supply compromised, $WHALE was one of the only tokens to quickly recover, trading above $30 at the time of writing.

A social token is an ERC-20 token users can create on platforms like Roll in order to engage with their community or sell assets.

Roll’s response to the breach has drawn mixed reactions on Twitter, with the $500k fund receiving particular attention.

500 000$ fund?? I'm a creator and our community just lost EVERYTHING.. The $PICA just went to 0... I lost like months of salary. As smaller creative communities we just expect more than this.. Hoping for a full refund. Confidence there will be seriously damaged either way

— Maxime Hacquard (@HacquardMaxime) March 14, 2021

Twitter user “LoB” added: “$10 million in a hot wallet without the multisig that you promised creators was in place, 12 hours to make a response to the incident, and $500k to be split across a dozen projects? Yikes.”
