On the first day of December, an unidentified threat actor breached the front-end interface of the Bitcoin platform BadgerDAO, although some investigators contend that the cyberattack may have begun much earlier.
The attackers used the breach to hijack and steal large customer transactions; one of those transactions alone was valued at more than $50 million in Bitcoin. The total amount of stolen cryptocurrency was reported to be more than 2,000 bitcoin and 151 ethereum.
According to investigators, the various forms of wrapped cryptocurrency were moved to the threat actor’s address after conversion to renBTC, a tokenized form of bitcoin on the Ethereum blockchain, and then transferred to the bitcoin blockchain.
The funds were then spread across numerous bitcoin addresses, possibly before being obfuscated through crypto mixing services.
The crypto platform confirmed the breach in a tweet (see the screenshot in Figure 1) and later published a blog post outlining the sequence of events that led to users losing funds in the hack.
Figure 1: A Twitter statement by BadgerDAO to confirm the cyberattack.
According to BadgerDAO, the hackers took advantage of a flaw in the account creation process of the software firm Cloudflare Inc. and made away with $130 million in cryptocurrencies.
The details of the hack point to a phishing attack dating back to December 2, although the decentralized finance platform confirmed that its own systems were not impacted by the cyberattack.
At this point, the crypto firm has confirmed that more than $9 million of the stolen crypto can be recovered, because the threat actor transferred the funds but has not yet withdrawn the money from the company’s vaults.
Part of the BadgerDAO statement read:
“On Dec 2 2021, a series of unauthorized transactions occurred, resulting in the loss of funds from Badger users. Following the exploit, Badger engineers worked with cybersecurity firm Mandiant to investigate the incident and have prepared the following initial report.
At this time, Badger believes that, as publicly reported, the phishing incident that occurred on 2 Dec, 2021 was the result of a maliciously injected snippet provided by Cloudflare Workers. Cloudflare Workers is an interface to run scripts that operate on and alter web traffic as it flows through Cloudflare proxies. The attacker deployed the worker script via a compromised API key that was created without the knowledge or authorization of Badger engineers. The attacker(s) used this API access to periodically inject malicious code into the Badger application such that it only affected a subset of the user base.”
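The statement describes a Worker inserting a script into the application as it passed through the proxy, which means a clean build in the repository says nothing about what users actually received. An added example, not code from BadgerDAO, Mandiant or Cloudflare, of one defensive check: fetch the live page and compare every script against an allowlist derived from a trusted build. The sample pages, the `/static/app.js` path and the injected `var injected = 1;` snippet are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Collect external <script src> values and the bodies of inline scripts."""
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script, self._buf = False, []
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []
    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf).strip())

def collect_scripts(html):
    """Return (external src list, inline body list) for one served page."""
    p = ScriptCollector()
    p.feed(html)
    return p.external, p.inline

def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def build_allowlist(known_good_html):
    """Derive the allowlist from a page produced by a trusted build."""
    ext, inl = collect_scripts(known_good_html)
    return set(ext), {sha256_hex(b) for b in inl}

def audit_page(live_html, allowed_src, allowed_hashes):
    """Return (kind, value) findings for scripts absent from the allowlist."""
    ext, inl = collect_scripts(live_html)
    findings = [("unexpected-external", s) for s in ext if s not in allowed_src]
    findings += [("unexpected-inline", sha256_hex(b)) for b in inl
                 if sha256_hex(b) not in allowed_hashes]
    return findings

# Constructed sample pages (not real BadgerDAO markup): a trusted build, and
# the same page with one inline script added in transit by a proxy.
KNOWN_GOOD = ('<html><head><script src="/static/app.js"></script>'
              '<script>window.APP_VERSION = "1.0";</script></head></html>')
TAMPERED = KNOWN_GOOD.replace("</head>", '<script>var injected = 1;</script></head>')
```

Because the statement says the injection only affected a subset of users, a single clean fetch proves little; run the check from several vantage points and sessions over time.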