Last month, India's biggest crypto exchange CoinDCX lost ₹368–378 crore. Not because of a customer hack. But because an internal wallet got compromised.

Here's how it played out 👇
→ Attacker hijacked a liquidity wallet
→ Bridged funds (Solana ↔ Ethereum)
→ Laundered via Tornado Cash

Customer wallets? ✅ Safe. But the breach? ❌ Server-side, deep inside their own infra.

Most teams think "cold storage = safe." Reality check: internal wallets are the real blind spot.

Here's what 99% of teams don't do when it comes to high-risk wallets, automation accounts, and liquidity ops. So here's a 6-point Internal Wallet Risk Audit you can run this week:

1. Wallet Role Mapping
List every wallet → check what it should do vs what it can do.
⚠️ Red flag: liquidity wallet can move treasury funds.

2. Transaction Limits + Velocity
Can the wallet push $10M at once? Or 10x in 2 min?
⚠️ Red flag: no daily caps or auto-delays.

3. Approval & Signing Workflows
Who signs off on big moves? Forced multi-sigs? JIT approvals?
⚠️ Red flag: backend automation with always-on keys.

4. Bridge Behavior Watch
Monitor transfers across chains. Auto-pause weird routes/off-hours.
⚠️ Red flag: first-time bridge + big amount + midnight = no alert.

5. Key Rotation Discipline
How often do you rotate keys? Retire old ones?
⚠️ Red flag: stale keys from 2022 still active.

6. Red Teaming 'Rogue Wallets'
When did you last simulate a compromised wallet?
⚠️ Red flag: confident → but never tested.

Know friends or colleagues trading crypto? ♻️ Re-share this with them, they should know where the real risks are.

This wasn't a crypto-specific failure. It was a visibility, privilege, and control failure.

What are your thoughts on the CoinDCX breach?

#CyberSecurity #CryptoSecurity #BlockchainSecurity #CryptoNews #DataBreach #HackPrevention #Web3Security #CloudSecurity #InfoSec #CryptoHack #CoinDCX #SecurityAwareness #FinTech #RiskManagement #SecurityTips #HackingNews
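Points 1, 2 and 4 of the audit above are not just questions to ask; they can be enforced mechanically before a transfer is signed. An added Python example (not code from the post) that turns them into a policy check for a liquidity wallet: role-to-action mapping, a daily cap with a velocity window, and the first-time-route + large-amount + off-hours bridge alert. All wallet roles, limits and transactions are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class WalletPolicy:
    role: str
    allowed_actions: frozenset   # what the wallet SHOULD be able to do (point 1)
    daily_cap_usd: float         # point 2
    velocity_max_tx: int         # max transfers inside velocity_window (point 2)
    velocity_window: timedelta
    large_tx_usd: float          # "big amount" threshold for bridges (point 4)
    off_hours: tuple = (22, 6)   # 22:00-06:00 counts as off-hours

@dataclass
class Tx:
    action: str                  # "liquidity_transfer", "treasury_move" or "bridge"
    amount_usd: float
    when: datetime
    route: str = ""              # e.g. "solana->ethereum" for bridges

def is_off_hours(ts, off_hours):
    start, end = off_hours
    return ts.hour >= start or ts.hour < end

def evaluate(tx, policy, history, seen_routes):
    """Return findings for tx (empty list = passes). history: earlier Tx of the
    same wallet; seen_routes: bridge routes this wallet has used before."""
    findings = []
    if tx.action not in policy.allowed_actions:
        findings.append(f"privilege: {policy.role} wallet attempted {tx.action}")
    day_total = sum(h.amount_usd for h in history if h.when.date() == tx.when.date())
    if day_total + tx.amount_usd > policy.daily_cap_usd:
        findings.append("cap: daily cap exceeded")
    recent = [h for h in history if timedelta(0) <= tx.when - h.when <= policy.velocity_window]
    if len(recent) + 1 > policy.velocity_max_tx:
        findings.append("velocity: too many transfers in window")
    if (tx.action == "bridge" and tx.route not in seen_routes
            and tx.amount_usd >= policy.large_tx_usd and is_off_hours(tx.when, policy.off_hours)):
        findings.append("bridge: first-time route + large amount + off-hours")
    return findings

# Constructed sample policy for a liquidity wallet; all limits are illustrative.
LIQUIDITY_POLICY = WalletPolicy("liquidity", frozenset({"liquidity_transfer", "bridge"}),
                                daily_cap_usd=5_000_000, velocity_max_tx=2,
                                velocity_window=timedelta(minutes=2), large_tx_usd=1_000_000)

def demo():
    """Constructed scenario shaped like the incident: after two quick transfers, the
    liquidity wallet bridges a large amount over a never-used route just after midnight."""
    t0 = datetime(2025, 7, 19, 0, 5)
    history = [Tx("liquidity_transfer", 2_000_000, t0 - timedelta(seconds=90)),
               Tx("liquidity_transfer", 2_000_000, t0 - timedelta(seconds=30))]
    tx = Tx("bridge", 1_500_000, t0, route="solana->ethereum")
    return evaluate(tx, LIQUIDITY_POLICY, history, seen_routes=set())
```

A real deployment would feed `evaluate` from the signing service so that a non-empty findings list blocks or delays the transfer rather than only logging it.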
Common Vulnerabilities in Cryptocurrency Hacks
On Feb 21, 2025, Bybit (a crypto exchange) detected unauthorized activity during a routine fund transfer process. A deeper investigation revealed something shocking: $1.5 billion had been transferred to an unknown wallet.

But this should have been almost impossible. Bybit's wallet is protected by 'multi signature' security, meaning: at least 2 out of 3 authorized personnel must approve the transaction. Yet, somehow, the attacker bypassed this restriction. How?

This is the story of the biggest heist in the cryptocurrency world known to date. Read on.

Attack Flow (simplified):

1) Attacker recons Bybit's infra > Identifies that Bybit uses a 3rd party multisig platform provider (SafeWallet).
2) Attacker targets SafeWallet > Compromises a SafeWallet developer's device > Injects malicious JavaScript code into the SafeWallet application hosted on AWS cloud.
3) Here's the interesting part: This injected code executes ONLY when there's a transaction from a Bybit signer > Once activated, the malicious JS code can modify critical fields during a transaction.
4) Bybit's authorized personnel now access the SafeWallet interface to perform a routine transaction > the malicious code now manipulates the transaction details > Silently replaces the recipient address with the attacker's address but doesn't reveal this in the UI.
5) Both of Bybit's signers, believing everything is normal, authorize the transaction > $1.5 billion worth of crypto stolen!

A Few Thoughts:

1) Hacking is like magic. What you see is not what is real. What was displayed to signers is not what was actually executed. This art of deception is at the core of many sophisticated attacks. The methods evolve, but the concept stays the same.
2) No defense is absolute. Bybit's wallet had strong security. It's not just a multisig wallet but a 'multisig cold' wallet. Cold wallets are usually kept offline until there is a need to access funds, i.e. for 99.9% of the time the wallet is not even connected to the internet. Yet, this could not stop the attacker.
3) The easiest way to get past a locked door is to convince the owner to open it for you. The attacker knew that stealing multiple private keys was impractical—getting 2 or 3 would be nearly impossible. So they devised a plan so that the legitimate owners themselves execute what the attacker wanted.
4) The payload was designed to activate only when certain conditions were met. This selective execution ensured that the backdoor remained undetected. 2 min after the malicious transaction, the hacker updated the SafeWallet code to remove the backdoor.
5) In a high-stakes game, your enemy might not attack you directly. The most dangerous weakness is the one you don't see clearly and don't control directly. Assess your supply chain threats rigorously.

If you enjoyed this or learned something, follow me at Rohit Tamma for more in future!

#informationsecurity #supplychainsecurity #malware #cybersecurity #cloudsecurity
-
Last month, we were pentesting a crypto iOS app for a client. The most dangerous vulnerability wasn't on the server.

30 minutes in, we found their Moonpay SECRET API Key. Hardcoded. Anyone with basic reverse engineering skills could access:
👉 Access to customer transaction data
👉 Full visibility into financial activity
👉 Zero authentication beyond the leaked key

The API call was shockingly simple:

    GET /v1/transactions
    Host: api.moonpay.com
    Authorization: Api-Key sk_live_<SECRET>

That's it. No sophisticated exploit. No zero-day. Just a key sitting in plain sight.

How did this happen?
→ A developer hardcoded it during a sprint. "Just temporarily."
→ It went to production. Passed code review. Sat there for 8 months.
→ 500K+ downloads later, we found it.

The uncomfortable truth:
→ The fix took 2 hours
→ The exposure lasted 12 months
→ This isn't an isolated incident

In 2025, we've found critical vulnerabilities in 80% of mobile apps we've tested. Most are completely preventable:
→ Hardcoded API keys
→ Weak certificate pinning
→ Exposed endpoints
→ Poor key management

Here's what we recommend:
✅ Never store secrets client-side
✅ Use secure keystores (iOS Keychain)
✅ Implement certificate pinning
✅ Regular security audits—not just code reviews

Question for you: When was the last time YOUR mobile app was pentested?

If the answer is "never" or "I don't remember"—you're not alone. But your users' data deserves better.

Drop a comment or DM me "iOS" and I'll share our iOS mobile app security checklist, the same one we use for our clients. Don't wait for an attacker to find what we found.

#CyberSecurity #AppSec #PenetrationTesting #MobileSecurity #InfoSec #iOSApp #iOSPentest
-
🇰🇵 North Korean hackers targeting crypto developers with fake job offers!

Security researchers have uncovered a sophisticated campaign by threat actor Slow Pisces (aka Jade Sleet) targeting cryptocurrency developers through LinkedIn. The attackers pose as employers, sending malicious Python coding challenges that deliver RN Loader and Stealer malware. This attack harvests sensitive data including system metadata, iCloud Keychain contents, SSH keys, and cloud configuration files. The same group is linked to February's massive Bybit cryptocurrency hack.

💭 Things to Consider: This attack demonstrates how social engineering continues to evolve alongside technical exploits. The targeting of developers, especially in the cryptocurrency space, shows a shift toward compromising the developers rather than just the platforms they create. By focusing on the users with privileged access and using legitimate platforms like LinkedIn and GitHub as delivery mechanisms, attackers are bypassing traditional security controls and exploiting our yearning for career advancement and professional validation.

⚡ PROTECT YOURSELF: Cryptocurrency developers should treat unsolicited job opportunities with extreme caution, especially those requiring you to download and run code. Always review the code in a sandboxed environment before execution, verify the legitimacy of recruiters through multiple channels, and maintain separate development environments for untrusted code. Organizations should implement security awareness training specifically addressing these sophisticated social engineering tactics.

Share this warning with your developer networks as the next target could be someone you know!

#HumanRiskManagement #CyberSecurity #SocialEngineering #CryptoCurrency #MalwareAlert #DeveloperSecurity #ThreatIntelligence #TrustAndVerify
-
How have some of the largest crypto hacks involved tricking sophisticated teams into signing malicious transactions? For example, the $1.5 billion operational loss at Bybit was due to this.

When transferring funds, or interacting with a DeFi product, a transaction must be signed. The largest operational attack in crypto (the Bybit hack) involved tricking the Bybit team into signing a transaction that they thought was legitimate, but actually sent funds to a malicious party (the North Koreans). This attack has also hit many, many more, including DeFi protocols, individuals, and funds. It is important to have multiple methods of verifying transactions when managing crypto custody.

What does it mean to have multiple methods of verifying a transaction? When you go to sign a transaction, there is a batch of data that is produced that we can just call the "unsigned transaction". That unsigned transaction looks like a seemingly random collection of numbers and letters; you need some method to verify that the information you are about to sign is, in fact, what you want to sign.

What is the problem? Sometimes your method of verifying the transaction becomes compromised.

How can you mitigate this? Here are a few practical examples of solutions:
- Have dedicated machines for signing transactions (including automated cloud based signers).
- Use a pre-transaction tool/service that acts as a separate pair of eyes to look at your transaction. This tool/service should be independent of your operation.
- If you are using a crypto custody solution that allows setting signing policies (i.e., setting frequent allowable transactions), take advantage of that and actually set the policies. If the solution's policy engine does what it is supposed to, then this should mitigate risks to an operation's frequently used transactions.
- Some custody technology providers implement their own transaction flows. This can include proprietary wallet browser plugins and hardware (usually pushing transaction information to phones); this is one more surface an attacker would have to compromise. Of course, the efficacy of those plugins and flows would need to be secure.
-
🙃 Crikey, what a day. Made a technical video on the NPM compromise that has impacted 2 billion+ applications.

TL;DR: Potentially one of the largest NPM supply-chain compromises just hit. 18 packages (>2B weekly downloads) were infected with malware via a phishing campaign; the payload targets cryptocurrency and silently swaps wallet addresses.

What happened
A phishing domain (npmjs[.]help) was registered 3 days ago and used to target popular NPM maintainers with fake MFA/security emails. At least 18 packages tied to a well-known maintainer were hijacked (e.g., debug, chalk, strip-ansi, etc.). Because these are foundational packages, the impact is really to the entire ecosystem.

How the malware works
- Injects into the browser runtime and hooks fetch/XMLHttpRequest.
- Hooks wallet APIs (e.g., window.ethereum) to intercept transactions.
- When it sees crypto flows, it rewrites destination addresses (often to look-alikes) so funds/approvals go to the attacker.
The attackers focused on crypto theft, not persistence or env-var exfiltration (which is kinda dumb).

If you use crypto (especially browser wallets)
- Review today's transactions (Sep 8) and confirm recipients on-chain.
- Revoke suspicious approvals/allowances.
- Consider moving assets to fresh wallets if anything looks off.

If you're a developer
- Ensure you didn't build/deploy during the affected window with a malicious version.
- Pin/lock dependencies; audit your lockfile.
- Rotate sensitive tokens out of caution and monitor logs for anomalies.

Kudos to the impacted maintainer QIX for being transparent and responsive. Mistakes happen; response matters.

#npm #supplychain #infosec #AppSec #Web3 #cryptosecurity #malware #incidentresponse #javascript #devsecops
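The Bybit write-ups above ("what was displayed to signers is not what was actually executed"), the custody post's "separate pair of eyes", and the address rewriting this npm payload performs all come down to one defensive check: decode the raw bytes that will really be signed and compare them with what the UI claims, rather than trusting the UI. An added Python example (not code from any of the posts) for a plain ERC-20 transfer(address,uint256) call; it also flags look-alike recipients of the kind the npm payload substitutes. The addresses, amount and allowlist are constructed sample values.

```python
# Added example: independently decode ERC-20 transfer calldata before signing and
# compare it with what the wallet UI displays. Sample values below are constructed.
TRANSFER_SELECTOR = "a9059cbb"   # first 4 bytes of keccak256("transfer(address,uint256)")

def decode_erc20_transfer(calldata_hex):
    """Return (to, amount) from raw calldata, or raise if it is not a plain transfer."""
    data = bytes.fromhex(calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex)
    if data[:4].hex() != TRANSFER_SELECTOR or len(data) != 4 + 32 + 32:
        raise ValueError("not a transfer(address,uint256) call; do not sign blindly")
    to = "0x" + data[16:36].hex()               # address sits right-aligned in a 32-byte word
    amount = int.from_bytes(data[36:68], "big")
    return to, amount

def looks_alike(a, b, n=4):
    """Address-poisoning heuristic: same first and last n hex chars, different address."""
    a, b = a.lower(), b.lower()
    return a != b and a[2:2 + n] == b[2:2 + n] and a[-n:] == b[-n:]

def verify(calldata_hex, ui_to, ui_amount, allowlist):
    """Independent check of what will really be signed against the UI and an allowlist.
    Returns a list of problems; an empty list means the bytes match the displayed intent."""
    to, amount = decode_erc20_transfer(calldata_hex)
    problems = []
    if to.lower() != ui_to.lower():
        kind = "look-alike" if looks_alike(to, ui_to) else "different"
        problems.append(f"recipient mismatch ({kind}): UI shows {ui_to}, calldata sends to {to}")
    if amount != ui_amount:
        problems.append(f"amount mismatch: UI shows {ui_amount}, calldata has {amount}")
    if to.lower() not in {a.lower() for a in allowlist}:
        problems.append(f"recipient {to} is not on the allowlist")
    return problems

def encode_transfer(to, amount):
    """Build transfer calldata the way a wallet front-end would (used for the sample)."""
    return "0x" + TRANSFER_SELECTOR + to[2:].lower().rjust(64, "0") + format(amount, "064x")

# Constructed sample: the UI says "send 1,000,000 tokens (6 decimals) to TREASURY", but the
# calldata has been rewritten to a look-alike with the same leading/trailing characters.
TREASURY = "0x1111" + "a" * 32 + "00ff"    # constructed, not a real address
LOOKALIKE = "0x1111" + "b" * 32 + "00ff"   # constructed, not a real address
AMOUNT = 1_000_000 * 10**6

def demo():
    return verify(encode_transfer(LOOKALIKE, AMOUNT), ui_to=TREASURY, ui_amount=AMOUNT,
                  allowlist=[TREASURY])
```

Run the check on a machine the wallet front-end cannot touch (a dedicated signing host or a hardware wallet that shows the decoded fields), since a checker that runs in the same compromised page can be hooked just like window.ethereum.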
-
A serious vulnerability just came to light in Ethereum smart contracts. Over $10 million sat exposed for months.

The issue came from uninitialized ERC1967Proxy contracts. Attackers quietly set their own implementations before the real deployers could. Then they faked upgrade events to make Etherscan show everything as normal.

It worked. The contracts behaved as expected. But under the surface, a backdoor gave full control to the attacker. And there was no easy way to remove it without resetting the contract and triggering the same exploit again.

The team at VennBuild noticed unusual activity. With help from researchers at Dedaub, Pascal Cavarsaccio, Seal 911, and others, they tracked the issue, mapped out thousands of affected contracts, and ran a full-on rescue. Over 36 hours, they worked with protocols to reconfigure contracts and pull funds before it was too late. Some projects recovered hundreds of thousands. Most users never knew they were at risk.

It's likely the attacker was waiting for something bigger. They stayed quiet. So did the rescue team, until the danger passed.

You can read the full story here: https://lnkd.in/dKswfaeH

#web3 #blockchainsecurity #smartcontracts #infosec #ethereum #DeFi #crypto
-
Attention, cryptocurrency experts. Following the USA elections, the attention drawn to the digital currency ecosystem seems to have triggered threat actors. It has been detected that a malware-laden update was published through a cryptocurrency library on PyPI.

On November 21, 2024, PyPI was notified about a malicious package, "aiocpa", involved in a credential exfiltration attack. The attack involved injecting obfuscated code designed to exfiltrate sensitive data, including tokens, API servers, and other Crypto Pay-related credentials, to a Telegram bot. The exact extent of the data's use remains unknown to PyPI's security team.

The malicious maintainer embedded obfuscated code within the library. This code targeted and exfiltrated sensitive credentials to a pre-configured Telegram bot. The module's internal name on disk was cryptopay, which could be mistaken for the unrelated and legitimate PyPI package cryptopay.

The attacker behind the aiocpa malware employed an advanced evasion strategy to avoid detection. While the malicious payload containing obfuscated code was included in the package uploaded to PyPI, the corresponding GitHub repository remained clean. By keeping the repository malware-free but synchronized with the same version numbers, the attacker created an illusion of legitimacy, misleading users and security systems that rely on cross-referencing package versions between PyPI and GitHub. This tactic exploits the reliance on GitHub as a trusted source, increasing the potential for successful malware distribution.

Packages of this nature, capable of widespread distribution, can have devastating consequences. The package in question has approximately 12,000 downloads. Combined with the systems it integrates into and the structures established in the background, this could lead to an increase in the number of infected machines.

Linked resources are below:
- https://lnkd.in/ddN3hrSu
- https://lnkd.in/dQQmDXFQ
- https://lnkd.in/dWHt3SVF

Review where and how the "aiocpa" library is being utilized in your projects or systems. If the library was used, immediately rotate any credentials, tokens, or API keys that might have been exposed.

Be aware, cyberpunks! ^-^/

#cybersecurity #informationsecurity #dataprivacy #privacy #threatintelligence #threathunting #technology #cryptocurrency
-
🚨 Bybit Hack: The Largest Crypto Heist in History 🚨

$1.46 BILLION stolen—and counting. That's 16% of all previous crypto hacks combined.

But here's the scariest part:
❌ No code exploit
❌ No leaked private keys
✅ Just humans being tricked

Bybit's own multisig signers approved the transactions, thinking they were a routine transfer. But the attacker manipulated their UI, making the UI show a different transaction than what was actually being signed.

This is next-level social engineering:
🔍 Identified and targeted all multisig signers
🦠 Infected their devices with malware
🖥️ Altered the UI to display a fake, legitimate-looking transaction
✍️ Tricked all signers into approving it

💡 Key lessons for crypto security:
🔸 Multisigs are not foolproof if signers can be compromised
🔸 Cold wallets aren't automatically safe
🔸 Even the best code can't fix human vulnerabilities
🔸 Supply chain attacks are getting more sophisticated

The game has changed!