Cryptohack Roundup: BitPay, Euler Finance, Gala Games
Also: Fireblocks, BitGo Clash; Bitzlato Users Can Withdraw Some Funds
Every week, Information Security Media Group rounds up cybersecurity incidents in the world of digital assets. In the days between March 17 and March 23, regulators in New York ordered BitPay to cough up $1 million for cybersecurity noncompliance, the Euler Finance thief asked to "come to an agreement" with the decentralized platform, Gala Games sued pNetwork for $28 million over a $4.5 billion exploit, crypto wallet ZenGo said it found a worrying vulnerability in the transaction simulation solutions used by decentralized applications, a hacker exploited a months-old bug to steal crypto from ATMs, seized crypto exchange Bitzlato allowed users to withdraw some funds, BlockSec said it prevented a ParaSpace exploit, and BitGo clashed with Fireblocks over a bug report.
The New York State Department of Financial Services on Friday published a settlement order with BitPay, which provides bitcoin payment technology to more than 100,000 merchants worldwide, over an ineffective anti-money laundering program and failure to comply with the department's cybersecurity regulations. The company did not meet the state's cybersecurity risk assessment requirements for its information systems, failed to designate a CISO until May 2022 and failed to meet the requirement of submitting an annual report to BitPay's board of directors regarding the cybersecurity program and material cybersecurity risks facing BitPay. The company will be required to pay a penalty of $1 million within 10 days of the order and continue to boost its cybersecurity and virtual currency business controls, policies and procedures.
Update on Euler Finance
A thief who stole nearly $200 million from Euler Finance said on Monday that they have "no intention of keeping what is not ours," and sought to "come to an agreement" with the decentralized platform. The communication came a day after Chainalysis found that the hacker had sent 100 ETH to a crypto wallet associated with North Korean threat actors. They had already returned $5.4 million by Saturday, after
GameFi's entertainment project Gala Games on Monday filed a lawsuit against cross-chain bridge pNetwork over a $4.5 billion exploit in November 2022. It seeks more than $27.6 million from pNetwork to compensate for the costs related to the breach. The theft was allegedly the result of pNetwork's "negligence and tortious interference," as the company did not rectify a misconfiguration in its code, leaked a governance key when deploying the pGALA bridge and executed a recovery plan causing further damage.
A vulnerability in the transaction simulation solutions used by several decentralized applications can allow hackers to steal user assets, crypto wallet ZenGo said. Named after the iconic "red pill" in the film "The Matrix," the malware can detect whether it is being executed in a live or a simulated environment. If it believes that it is "living in the matrix, it can behave in a benign manner, thus deceiving the anti-malware solution, and reveal its true malicious nature only when actually executed in a real environment." The now-fixed bug was present in a solution offered by "many leading vendors," including Coinbase, ZenGo said.
A bitcoin ATM manufacturer suspended cloud services supporting more than 15,000 machines after a hacker exploited a vulnerability in its software and made off with cryptocurrency worth millions of dollars. A hacker on Friday and Saturday exploited the now-patched bug in Prague-based General Bytes' master service interface to access passwords, private keys of ATM users and their hot wallets - digital wallets connected to the internet. General Bytes did not specify the amount the hacker stole, but on-chain data suggests the number is likely to be around $1.54 million (see: Hacker Exploits Months-Old Bug to Steal Crypto From ATMs).
Russian cryptocurrency exchange Bitzlato on Monday allowed users to withdraw up to half of the funds on the platform, weeks after law enforcement action by the United States and Europol shuttered the platform. The funds will be available only in BTC.
Non-fungible token lending project ParaSpace on Friday paused transactions on its protocol after discovering a "suspicious transaction," and said it was investigating the security incident. Security firm BlockSec hacked the protocol as a white hat to secure the funds, preventing the black hat from making off with $5 million. "The vulnerability in Paraspace's lending contracts could have allowed the attacker to borrow crypto tokens with less NFT collateral than needed, which may have then allowed the hacker to drain its liquidity," Matthew Jiang, director of security services at BlockSec, told The Block.
Fireblocks, a custody and wallet services provider, said it detected a critical vulnerability in competitor BitGo's Signature Scheme wallet. The now-patched bug would allow hackers to extract the private key of a BitGo TSS wallet. BitGo said the claim was a "publicity stunt" and an attempt to damage BitGo's reputation, as the allegedly vulnerable wallet was only accessible to 20 developers and publicly known before Fireblocks reported it.