To misquote (and, indeed, to mispunctuate) Charles Dickens: it was the best of blockchains; it was the worst of blockchains.
This week, cryptocurrency company Wormhole lived up to its name by exposing an exploitable vulnerability that apparently allowed cybercriminals to run off with an eye-watering 120,000 Ether tokens.
Assuming a conversion rate of ETH1 = US$2800, that comes out close to $340,000,000.
You’ll find mention of this cyberheist on Wormhole’s Twitter feed (@wormholecrypto), under an apparently un-ironic heading that describes the company’s business as:
“Interoperability protocol powering the seamless transfer of value and information across 7 high value chains with just one integration”
“Seamless transfer” indeed!
As pointed out by Elliptic, a company that offers blockchain analytics to assist with compliance, the Wormhole team tried the same trick that was used by cryptocoin company Poly Networks when it was defrauded of more than $600,000,000 in August 2021.
The company apparently asked the crooks nicely, in a comment embedded in a zero-value Ether transaction aimed at the criminals, to give the money back:
Printing out the transaction’s input data in ASCII text instead of as hexadecimal codes reveals an apparent offer to redefine the criminals as bona fide researchers and pay out a $10,000,000 bug bounty…
…if the crooks were to reveal the exploit they used:
We’re sure that anyone who thinks that ransomware payments should be illegalised – and there’s a vocal minority who think they should – will be aghast at this sort of retrospective offer to “give the money back and we’ll write the whole thing up (and off) as legitimate security research”.
Nevertheless, you can understand why a company in Wormhole’s desperate position might make the offer, even if it’s hard to imagine at first thought why crooks who had already – and apparently anonymously – made off with $340,000,000 would waive their anonymity in exchange for a fraction of the amount.
In the Poly Networks hack, the ruse seemed to work: the alleged hacker or hackers did ultimately return most of the stolen funds, with Poly Networks referring to them as “Mr White Hat”, telling them they could keep $500,000, and offering them a role as a security advisor to the business.