Cryptohack Roundup: Tornado Cash HackAlso: Tornado Cash Lawsuit Heats Up, Inferno Drainer, Trezor and Celer
Every week, Information Security Media Group rounds up cybersecurity incidents in the world of digital assets. In the days between May 19 and 25, a hacker exploited Tornado Cash to gain control of the platform and steal $1 million, plaintiffs in a Coinbase-bankrolled lawsuit asked a judge to rule that the U.S. government had violated the First Amendment when sanctioning Tornado Cash, attackers used crypto phishing as a service to steal $6 million, Trezor hot wallet was found to have a potential hardware vulnerability and Celer patched a bug.
Hacker Exploits Tornado Cash
A hacker exploited crypto mixer Tornado Cash to take full control of the decentralized platform and steal $1 million over the weekend. The hacker concealed malicious code in a proposal on the governance-run platform. The validators overlooked the malicious code and passed the proposal, giving the hacker unbridled control of the platform to siphon off funds and also to potentially introduce other malicious proposals or even backdoors for future exploits. The hacker laundered stolen ETH and TRON tokens on Tornado Cash Router, the platform's obfuscation service. Then, it appears, the hacker had a change of heart. On Monday, they proposed patching the vulnerability and handing back control of the platform to the community. Voting is expected to conclude by Saturday.
Plaintiffs Argue Against Tornado Cash's Sanctioning
Plaintiffs in a Coinbase-bankrolled lawsuit that seeks to overturn the U.S. Department of Treasury sanctions against Tornado Cash said the court should immediately grant a ruling in their favor finding that the federal government exceeded its authority and violated the First Amendment. Smart contracts are not property, Tornado doesn't have an interest in the smart contracts and the sanction prevents citizens from "interacting with open-source code to engage in a wide range of speech protected by the First Amendment," plaintiff attorneys argued.
The Treasury Department filed its own motion for summary judgment, writing that the plaintiffs' "repeated refrain that Tornado Cash is 'decentralized' does not change the fact that, at bottom, it is a group of individuals who are organized to act in concert, in service of operating, promoting, and updating their mixing service for anonymous digital currency transactions, and making money in the process." The plaintiffs are free to interact with Tornado's source code, "which is activity explicitly licensed" by the Treasury.
Nearly $6M Stolen Via Phishing-as-a-Service Offering
Hackers used the services of Inferno Drainer, a vendor that provides phishing websites, to steal $5.9 million from 4,888 victims, Scam Sniffer said. The scam-as-a-service vendor has so far provided hackers with code for 689 phishing websites of more than 220 popular crypto projects, in exchange for a 20% cut of the assets the attackers steal using the service, it said.
Potentially Vulnerable Trezor T Hardware Wallet
Cybersecurity firm Unciphered on Wednesday claimed it had exploited a hardware vulnerability in SatoshiLabs' Trezor T model hardware crypto wallet to extract private keys. The company said the hack requires physical possession of the device. Hardware wallets store private keys offline and are considered more secure than their internet-connected counterparts. Trezor reportedly acknowledged the claim, telling The Block that the demonstration depicted a vulnerability similar to a previous RDP one, and that it had addressed the issue in newer devices.
Celer Patches Bug
Cross-chain protocol Celer on Wednesday patched a vulnerability that allowed hackers to manipulate the decentralized platform's governance process to steal funds and potentially alter its functioning. Jump Crypto discovered the bug on Celer's State Guardian Network blockchain. Celer said "no funds were at immediate risk at the time of discovery."