Wormhole cryptotrading company turns over $340,000,000 to criminals

To misquote (and, indeed, to mispunctuate) Charles Dickens: it was the best of blockchains; it was the worst of blockchains.

This week, cryptocurrency company Wormhole lived up to its name by exposing an exploitable vulnerability that apparently allowed cybercriminals to run off with an eye-watering 120,000 Ether tokens.

Assuming a conversion rate of ETH1 = US$2800, that comes out close to $340,000,000.

You’ll find mention of this cyberheist on Wormhole’s Twitter feed (@wormholecrypto), under an apparently un-ironic heading that describes the company’s business as:

“Interoperability protocol powering the seamless transfer of value and information across 7 high value chains with just one integration”

“Seamless transfer” indeed!

Let’s rewrite history

As pointed out by Elliptic, a company that offers blockchain analytics to assist with compliance, the Wormhole team tried the same trick that was used by cryptocoin company Poly Networks when it was defrauded of more than $600,000,000 in August 2021.

The company apparently asked the crooks nicely, in a comment embedded in a zero-value Ether transaction aimed at the criminals, to give the money back:

Printing out the input data above in ASCII text instead of as hexadecimal codes reveals an apparent offer to redefine the criminals as bona fide researchers and pay out a $10,000,000 bug bounty…

…if the crooks were to reveal the exploit they used:
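Reading such a note is simply a matter of treating the transaction’s input data as text rather than as hex. As an added example (not code from this article, and not Wormhole’s own tooling), the script below decodes a 0x-prefixed hex calldata string, distinguishes a human-readable message from an ordinary ABI-encoded contract call, and uses constructed sample data rather than the real transaction:

```python
"""Decode the `input` (calldata) field of an Ethereum transaction as text.

Added example; not code from the original article or from Wormhole.
The sample calldata values below are constructed for illustration and
are not copied from any real transaction.
"""
from typing import Optional


def hex_to_bytes(calldata: str) -> bytes:
    """Convert a 0x-prefixed (or bare) hex string into raw bytes."""
    h = calldata.strip()
    if h[:2].lower() == "0x":
        h = h[2:]
    if len(h) % 2:  # a stray nibble means the data was truncated or mangled
        raise ValueError("hex string has odd length")
    return bytes.fromhex(h)


def decode_message(calldata: str, min_printable: float = 0.95) -> Optional[str]:
    """Return the calldata as text if it looks like a human-readable note.

    Returns None when the bytes are empty, are not valid UTF-8, or are mostly
    non-printable, which is what an ABI-encoded contract call normally looks
    like (a 4-byte function selector followed by 32-byte padded arguments).
    """
    raw = hex_to_bytes(calldata)
    if not raw:
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    printable = sum(1 for ch in text if ch.isprintable() or ch in "\t\n\r")
    if printable / len(text) < min_printable:
        return None
    return text


def looks_like_contract_call(calldata: str) -> bool:
    """Heuristic: 4-byte selector plus a whole number of 32-byte words,
    and not decodable as a readable message."""
    raw = hex_to_bytes(calldata)
    return (len(raw) >= 4
            and (len(raw) - 4) % 32 == 0
            and decode_message(calldata) is None)


# Constructed sample: a zero-value tx whose input field carries a plain-text note.
SAMPLE_NOTE = "0x" + "Please return the funds. Bug bounty offer: contact us.".encode().hex()

# Constructed sample: an ERC-20 transfer(address,uint256) call. The selector
# 0xa9059cbb is the real, well-known selector for that function; the address
# and amount are placeholders.
SAMPLE_CALL = ("0xa9059cbb"
               + "000000000000000000000000" + "11" * 20
               + "0000000000000000000000000000000000000000000000000de0b6b3a7640000")

if __name__ == "__main__":
    for label, data in (("note", SAMPLE_NOTE), ("call", SAMPLE_CALL)):
        msg = decode_message(data)
        if msg is not None:
            print(f"{label}: text -> {msg!r}")
        else:
            print(f"{label}: not a readable message"
                  f" (contract call: {looks_like_contract_call(data)})")
```

Running the script prints the decoded note for the first sample and flags the second as a contract call rather than a message; the printable-ratio threshold is what keeps binary-looking ABI data from being mistaken for text.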

We’re sure that anyone who thinks that ransomware payments should be illegalised – and there’s a vocal minority who think they should – will be aghast at this sort of retrospective offer to “give the money back and we’ll write the whole thing up (and off) as legitimate security research”.

Nevertheless, you can understand why a company in Wormhole’s desperate position might make the offer, even if it’s hard to imagine at first thought why crooks who had already – and apparently anonymously – made off with $340,000,000 would waive their anonymity in exchange for a fraction of the amount.

In the Poly Networks hack, the ruse seemed to work: the alleged hacker or hackers did ultimately return most of the stolen funds, with Poly Networks referring to them as “Mr White Hat”, telling them they could keep $500,000, and offering them a role as a security advisor to the business.

Thanks, but no thanks

This time, the cybercriminals don’t seem to have come to the party. Instead, vaguely mysterious blockchain startup Jump Crypto seems to have, hmmm, jumped in with money of its own to backfill the third-of-a-billion-sized, ahhh, wormhole opened up by Wormhole’s exploitable cryptocurrency code:

So, according to Wormhole, “All funds have been restored and Wormhole is back up,” and, “The team is working on a detailed incident report and will share it asap.”

Not a word about the disaster, however, on Wormhole’s blog or website, which still leads unashamedly with the words THE BEST OF BLOCKCHAINS in giant text…

…albeit with an unintentionally hyper-accurate strapline underneath in tiny characters: “Move information and value anywhere.”

What to do?

As the saying goes, you couldn’t make this stuff up. So, as we did after the Poly Networks hack, where customers’ funds similarly vanished and later reappeared as if by magic, we’ll leave you with some general cryptotrading advice, rather than anything specific to this incident:
  • If you’re thinking of getting into the cryptocurrency scene, never invest more than you can afford to lose. And when we say “lose”, we mean “lose everything”, not merely “fail to make any profit”. There are more than 10,000 different cryptocoins currently in existence, many of which were kicked off by cash injections from early investors. Not all cryptocoins can or will follow the Bitcoin pattern of going from a few cents in value in 2010 to just under $40,000 each in February 2022. Even worse, some are unreconstructed scams in which the “creators” of the cryptocoinage collect startup funds from early investors in what’s known as an ICO (initial coin offering), only to run off without ever establishing a new cryptocurrency or trading site at all.
  • If you plan to buy and hold cryptocurrency, keep as much of it as you can offline in what’s known as a cold wallet. A cold wallet is an encrypted file that you keep where you won’t lose track of it, and where other people can’t use it unless they know your password. Be careful of trusting too much of your investment to hot wallet situations, where you need to trust other people totally, just so you can trade faster and more aggressively.
We started by misquoting Mr Charles Dickens, so we’ll end by reminding you that the quotation goes on to say, “It was the age of wisdom, it was the age of foolishness, it was the epoch of belief, it was the epoch of incredulity.” Remember that trust is quick to evaporate precisely because it is supposed to take time to gain in the first place.

What to do?

We’ve always been happy to report on malware takedowns, cybercrime busts and other disruptions that have removed or reduced cybercriminality, but we’ve also always advised against relaxing too much when that sort of report appears.

Here’s our advice, whether this Emotet “revival” is the same criminals who’ve returned from takedown to active duty or new recruits; whether it’s the old malware code or a re-written variant; whether the new botnet has the same goals or yet more aggressive ones:

    • Old malware rarely actually dies. Sometimes, as happened with floppy disk boot sector viruses, malware families get killed off by technological changes. But the truth is that once a technique is out there, and is known to work, even modestly well, someone new is likely to copy it, re-use it, or revive it. So we live with the sum of the threats of the past as well as all the genuinely new tools, techniques and procedures that come along.
    • Don’t focus on individual malware families or malware types when planning your protection. Emotet may be well-known, and rightly feared, but its method of operation (MO) is widely copied in many, perhaps most, malware attacks these days, and this MO has been in use since malware first became a money-making game. In some senses, an initial infection by malware like Emotet is the end of one attack chain, because it doesn’t itself contain specific malware tools such as password stealers, keyloggers, cryptominers or ransomware scramblers. But it is also very much the start of a whole new attack chain, ready to receive and deploy “updates” or “plugins” – new malware samples that may vary over time, by region, by victim’s computer type, or simply at the whim of the criminals in command-and-control.
    • Consider managed threat response (MTR). If you don’t have the time or expertise to keep track of criminality on or against your network on your own, an MTR service can help you ensure that you chase back any attacks that you do detect to their root cause. Sometimes, this might be a weak password or an unpatched server, but often it’s down to “beachhead” malware like Emotet. If you find and remove only the end of the attack chain, but leave the entry point in place, then the command-and-control crooks behind that beachhead malware will simply sell you out to the next cybergang that’s willing to pay the asking price.

If you need any help with your IT security or suspect your system is compromised, don’t hesitate to contact us at JohnCruzIT.