Community

UppSecEcho

January 20, 2025

Blockchain Insights
The Raft Protocol Exploit: A Hacker’s Miscalculation Leads to Major Loss

A couple of weeks ago, the cryptocurrency community witnessed a peculiar and complex exploit within the Raft Protocol, a decentralized finance (DeFi) platform operating on the Ethereum network. This incident, now widely referred to as the “Raft Protocol Exploit,” stands out not just for its technical intricacy but also for its unusual outcome: the hacker suffered a net loss.

The Exploit Details

The breach centered around the Interest Rate Posman (IRPM) contract (0x9AB6b21cDF116f611110b048987E58894786C244). An unidentified bad actor manipulated this contract to illegitimately mint 6.7 million R stablecoin tokens. These tokens were swiftly swapped for 1577 Wrapped Ethereum (WETH), as detailed in the transaction with ID 0xfeedbf51b4e2338e38171f6e19501327294ab1907ab44cfd2d7e7336c975ace7.

However, the hacker overlooked a crucial aspect of another smart contract, pivotal for converting these coins into Ethereum (ETH) and transferring them to their address. This contract employed ‘delegatecall,’ which executes the called contract’s code against the storage of the calling (parent) contract. Notably, the hacker’s wallet address was never initialized in this contract’s storage, so the destination read from storage was the default zero value. Consequently, a staggering 1570 out of the 1577.57 ETH were inadvertently sent to the null address, effectively burning the majority of the stolen funds.

The remaining 7.57 ETH was transferred to the exploiter’s address (0xc1f2b71A502B551a65Eee9C96318aFdD5fd439fA). These funds, along with the hacker’s initial funds, were later detected entering the TornadoCash mixer, a platform used for obfuscating the origins of cryptocurrency transactions (transaction ID: 0x6fbc085e6b1ddce157a8b06978623b4b60db176e101f7f85215190bb28a21e3d).

Image captured from the Crypto Asset Monitoring Service (CAMS) Dashboard.

Analysis and Community Reaction

This case has been extensively analyzed by cybersecurity experts and the cryptocurrency community. Sources such as FrankResearcher’s Twitter account and Neptune Mutual’s blog provided insights into the technical aspects of the exploit. Moreover, our research team at Uppsala Security created a CAMS (Crypto Asset Monitoring Service) case report, with the case’s dashboard offering a comprehensive overview of the incident.

The uniqueness of this exploit lies not only in its technical execution but in its financial outcome. Typically, hackers execute these attacks for financial gain, but in this case, the exploiter ended up with a net loss of approximately 4 ETH. This unexpected turn of events has sparked discussions and analyses in various online forums and social media platforms, with many speculating about the hacker’s motives and potential miscalculations.

The Raft Protocol Exploit serves as a reminder of the complexities and risks inherent in DeFi platforms and smart contracts. It also underscores the need for robust security measures and continuous vigilance in the cryptocurrency space. While the financial loss to the hacker might be a deterrent to similar future attacks, it also highlights the unpredictable nature of such exploits and the need for ongoing research and development in blockchain security.

References

Twitter post by FrankResearcher: https://twitter.com/FrankResearcher/status/1723099971824582713
Neptune Mutual’s blog post on the Raft Protocol Exploit: https://neptunemutual.com/blog/how-was-raft-protocol-exploited
Uppsala Security’s CAMS dashboard and case report: https://portal.sentinelprotocol.io/cams-dashboard/7dbe6568-c57a-49ee-ba1a-73820777bbd7

If you have any details about the Raft Protocol case or if you would like to cooperate with our team on this investigation, please reach out by filling in this contact form.

About Uppsala Security

Uppsala Security is a leading provider of innovative security tools and services, specializing in Crypto Anti-Money Laundering/Counter-Terrorist Financing (AML/CTF), Transaction Risk Management, Regulatory Compliance, and Transaction Tracking. With a team of experts dedicated to staying ahead of emerging threats, Uppsala Security empowers organizations with the knowledge and tools to safeguard their operations in the fast-paced world of cryptocurrencies. Uppsala Security is headquartered in Singapore, and has branch offices in Seoul, South Korea and Tokyo, Japan. You can follow Uppsala Security on Telegram, LinkedIn, Twitter, Facebook and Medium.
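The delegatecall storage pitfall behind the burned funds, as an added Solidity illustration that is not Raft’s code: the logic contract reads its payout address from storage slot 0, so when it runs via delegatecall from a caller that never wrote that slot, the transfer goes to address(0). The contract names and the zero-address guard are this illustration’s own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Logic contract: forwards the ETH balance to the address held in storage
// slot 0. Under delegatecall, "storage" means the CALLER's storage, so
// `recipient` is whatever the caller has (or has not) written to its slot 0.
contract SweepLogic {
    address payable public recipient; // slot 0

    function sweep() external {
        // `this` is the caller under delegatecall, so this is the caller's balance.
        recipient.transfer(address(this).balance);
    }
}

// Caller that never initialises its own slot 0. Its delegatecall into
// SweepLogic therefore reads address(0) as the recipient and burns the
// entire balance: the miscalculation described in the article.
contract UninitialisedCaller {
    address payable public recipient; // slot 0, still address(0)
    address public logic;

    constructor(address logic_) { logic = logic_; }
    receive() external payable {}

    function sweep() external {
        (bool ok, ) = logic.delegatecall(abi.encodeWithSignature("sweep()"));
        require(ok, "delegatecall failed");
        // All ETH has now been sent to address(0) and cannot be recovered.
    }
}

// Hardened logic: refuse to run when the storage it executes against has
// no recipient set. Because the check lives in the delegated code, it
// protects every caller regardless of that caller's own initialisation.
contract GuardedSweepLogic {
    address payable public recipient; // slot 0, must match the caller's layout

    function sweep() external {
        require(recipient != address(0), "recipient slot not initialised");
        recipient.transfer(address(this).balance);
    }
}

// Caller with the same storage layout that initialises slot 0 explicitly
// and validates the value before any delegatecall can rely on it.
contract InitialisedCaller {
    address payable public recipient; // slot 0
    address public logic;

    constructor(address logic_, address payable recipient_) {
        require(recipient_ != address(0), "recipient required");
        logic = logic_;
        recipient = recipient_;
    }
    receive() external payable {}

    function sweep() external {
        (bool ok, ) = logic.delegatecall(abi.encodeWithSignature("sweep()"));
        require(ok, "delegatecall failed");
    }
}
```

Deploying UninitialisedCaller with SweepLogic, funding it, and calling sweep() sends the balance to address(0); the same call through GuardedSweepLogic reverts instead of burning the funds.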

UppSecEcho

January 20, 2025

Blockchain Insights
The FixedFloat April Hack: Comprehensive Analysis and Insights

Source: https://x.com/FixedFloat/status/1775172224216875223
CAMS link: https://portal.sentinelprotocol.io/cams-dashboard/57dfd5d2-942b-44ac-9600-7adcf6578a08

On February 16th, 2024, the crypto exchange FixedFloat experienced a significant security breach, resulting in a loss of $26 million. Just weeks later, on April 1st, 2024, a second breach was detected. This incident involved the unauthorized transfer of various digital assets, including ETH, USDT, WETH, DAI, and USDC, leading to an additional loss of $2.80 million.

Our in-house research team at Uppsala Security examined the second part of the incident, which took place in the first half of April, using in-house built tools such as the Crypto Asset Monitoring Service (CAMS) and the Crypto Analysis Transaction Visualization (CATV). These tools provided more insights and helped break down the malicious actors’ activities and fund movements.

Part 1: Incident Description and Overview

On April 1st, 2024, FixedFloat suffered another hack. The hack was purportedly carried out by the same group of hackers who attacked the decentralized exchange on February 16th, 2024. The hacker’s wallet has been identified as 0xFA0200A7b73F2B36D14815336483039ecC6dea8b, which received numerous outgoing transactions from the FixedFloat wallet.

The graph below was generated by our Crypto Asset Monitoring Service (CAMS) tool. It visualizes the flow of transactions from FixedFloat to the hacker’s wallet (0xFA0200A7b73F2B36D14815336483039ecC6dea8b) and eventually to eXch / Automatic Cryptocurrency Exchange, a decentralized exchange.

Image 1: Transaction Flow of the FixedFloat April Hack, generated with Uppsala Security’s Crypto Asset Monitoring Service (CAMS) tool

Part 2: Transaction Flow from FixedFloat to Hacker Wallet

The list of withdrawal transactions made by the hacker from the FixedFloat account is as follows (TXID, Amount, Token):

A Google Spreadsheet containing the above TXIDs can be accessed here.

As a result of the transactions listed above, 0xFA0200A7b73F2B36D14815336483039ecC6dea8b obtained a total of 155.7879878 ETH, 1,387,508.56 USDT, 402,254.39 USDC, 70.8044058 WETH and 238,941.23 DAI.

Part 3: Swapping of ERC20 Tokens to ETH

The following ERC20 tokens were swapped to ETH via multiple transactions on Uniswap (TXID, Amount Swapped In, Amount Swapped Out):

A Google Spreadsheet containing the above TXIDs can be accessed here.

This brings the total ETH balance of the hacker wallet to 716.8598936 ETH (155.7879878 + 28.9858 + 58.0048 + 257.6408 + 87.5903 + 58.0458 + 70.8044058). This also leaves 100,000 USDC and 239,275.83 DAI, which were not swapped.

Part 4: Flow of Funds to eXch / Automatic Cryptocurrency Exchange

100,000 USDC and all 238,941.23 DAI were sent to 0xaeC73DCA60F5Ca32c603A7cd6Ffba4fbaF17fd55, then to eXch / Automatic cryptocurrency exchange, a decentralized exchange, through the following TXIDs:

DAI Flow (238,941.23 DAI):
TXID 1: 0x11188714ae80f63797f2a2a4d40f6ab112cd1249f9bfb28bcba72b59ca3fff48
From 0xFA0200A7b73F2B36D14815336483039ecC6dea8b to 0xaeC73DCA60F5Ca32c603A7cd6Ffba4fbaF17fd55
TXID 2: 0xebf30d73f3f8f1d58e4b51797d3cace70028bc0617a59dae9e14005558873da9
From 0xaeC73DCA60F5Ca32c603A7cd6Ffba4fbaF17fd55 to 0xf1dA173228fcf015F43f3eA15aBBB51f0d8f1123 (eXch / Automatic cryptocurrency exchange)

USDC Flow (100,000 USDC):
TXID 1: 0xc7698a5e27fd29486aa6ea50e6b1854ff7a430d6417bebd4cdcb68cf21cc3d88
From 0xFA0200A7b73F2B36D14815336483039ecC6dea8b to 0xBd856Af6661748E76Ea6b4824874551F09CA1068
TXID 2: 0x7054f76d39efa7e890776019b253b1e973acdc7bf972ba67b890ff1eed90988a
From 0xBd856Af6661748E76Ea6b4824874551F09CA1068 to 0xf1dA173228fcf015F43f3eA15aBBB51f0d8f1123 (eXch / Automatic cryptocurrency exchange)

The hacker also transferred the ETH to two separate wallets before finally sending it to eXch / Automatic cryptocurrency exchange. The flow of transactions is documented below.

ETH Flow 1:
TXID 1: 0x677e71f053d1aa13e197a0f7f732a12d11aaa9c81a34bfdb9d7f3713ebed52c9
From 0xFA0200A7b73F2B36D14815336483039ecC6dea8b to 0xaeECB06C70EF1949693E1936Bd626cdf348c294b
TXID 2: 0x7c6aefb7f1f1ad4cf0426440720389456cdf1813e82e62362b04b61765ceef01
From 0xaeECB06C70EF1949693E1936Bd626cdf348c294b to 0xf1dA173228fcf015F43f3eA15aBBB51f0d8f1123 (eXch / Automatic cryptocurrency exchange)

ETH Flow 2:
TXID 1: 0xbfce45ef5d0790fedcfc973a2f1e5decf82a476f3ae7e8dbd489e8fa43869ca4
From 0xFA0200A7b73F2B36D14815336483039ecC6dea8b to 0x9eFB278F1bBdf3c47ADC6cD81EbFb7Fc060f25b6
TXID 2: 0x5b59a221949f213cddd2ab93ac3c5fc2b5e2ca75e1c92d4c84dcac3dd6cdd2bb
From 0x9eFB278F1bBdf3c47ADC6cD81EbFb7Fc060f25b6 to 0xf1dA173228fcf015F43f3eA15aBBB51f0d8f1123 (eXch / Automatic cryptocurrency exchange)

To stay updated with the latest details about the FixedFloat incident and other significant events affecting the Web3 ecosystem, please subscribe to our Medium and follow us on Twitter. If you’re eager to put your investigatory skills to work, check out Chainkeeper, our newest AI-powered release currently in Beta. Our team is here to support your investigations and can be reached anytime at [email protected]

About Uppsala Security

Uppsala Security is a leading provider of innovative security tools and services, specializing in Crypto Anti-Money Laundering/Counter-Terrorist Financing (AML/CTF), Transaction Risk Management, Regulatory Compliance, and Transaction Tracking. With a team of experts dedicated to staying ahead of emerging threats, Uppsala Security empowers both end-users and organizations with the knowledge and tools to safeguard their operations in the fast-paced world of cryptocurrencies. Uppsala Security is headquartered in Singapore and has branch offices in Seoul, South Korea. Follow Uppsala Security on LinkedIn, Twitter, Facebook and Medium.

UppSecEcho

January 19, 2025

Community Investigation
Malicious Activities Surge on X: Protecting Yourself in a Challenging Web3 Landscape

It’s no secret that scams and malicious actors run rampant in the crypto sphere, particularly during bullish market phases. Regrettably, the frequency of scams and malicious activities on X, one of the most widely used social platforms in the blockchain and cryptocurrency industry, has escalated in recent months. In this article, we’ll explore three common examples of threats lurking in the Web3 space on the X platform and provide insights on how users can proactively safeguard themselves against falling prey to these deceitful schemes.

1. Malicious Actors Pretending to be Crypto Journalists/Reporters and Sending Calendly Phishing Link Invites

This tactic has witnessed a significant increase in usage over recent months. Malicious actors exploit the direct messaging feature on X, assuming the identity of journalists affiliated with reputable organizations to target various high-profile individuals or projects under the guise of arranging interviews. What enhances the credibility of these messages is the seemingly authentic appearance of the accounts — they often display the blue verification checkmark and maintain an active feed with recent pertinent activity. Moreover, they furnish what appear to be legitimate email addresses, complete with the corresponding domain.

The screenshot below exemplifies an instance where an individual impersonated a Cointelegraph journalist, representing just one among numerous occurrences circulating on the X platform. One notable red flag is the urgency conveyed in their inquiry. Typically, scammers employ time-sensitive tactics to coerce potential victims into overlooking suspicious indicators.

Image 1 — Fraudulent message using the X platform “Direct Message“ function

In these instances, malicious actors aim to gain unauthorized access to targeted X accounts for nefarious purposes. Their strategy involves sharing seemingly legitimate Calendly links, which, when clicked, prompt users to grant the app permissions to perform actions on their behalf. Once authorized, the attackers can exploit the compromised X accounts to disseminate phishing links or promote fraudulent activities, such as fake airdrops or crowdfundings. This deceptive tactic is designed to mislead the followers of the targeted account, potentially resulting in the loss of their digital assets.

To protect yourself from such threats, it’s essential to exercise caution and verify the authenticity of accounts that reach out through the DM function on X before interacting with them. Directly contacting the organization they claim to represent can help confirm their legitimacy. Additionally, avoid clicking on any links and carefully review any displayed terms and conditions before proceeding. Whenever feasible, generate your own Calendly links for meeting bookings rather than relying on links provided by others.

To monitor third-party app access to your X account, navigate to “Settings and privacy” > “Security and account access” > “Connected accounts.” Here, you can review the list of connected apps and revoke access for any that appear suspicious or unauthorized. Taking this proactive approach helps mitigate the risk of unauthorized account access and potential security breaches.

2. Targeting Potential Victims Through X Ads

Another tactic observed on the X platform involves the creation of deceptive Ad campaigns aimed at deceiving users. While these ads typically undergo review by the X team to ensure compliance, there has been a noticeable increase in fraudulent ads slipping through the cracks. One notable instance occurred within the Dymension community, a recently launched project that garnered significant attention in the crypto community. Additionally, malicious actors exploited two other aspects to attract users and generate enthusiasm: the involvement of the Binance exchange, widely utilized in the crypto community, and the promise of airdrops, which naturally attracts users seeking such opportunities. It’s worth noting that, in this case as well, the impersonating accounts have a blue checkmark, further enhancing the deception of the posts.

Image 2 — Deceptive Ad campaigns on the X Platform

To safeguard against these malicious tactics, users should exercise increased caution when encountering posts that are part of an Ad campaign but do not originate from the official account of the specific project. As demonstrated by the examples above, it’s evident that the URLs associated with these Ads are not the official URLs of the Dymension project. Therefore, it’s essential to be wary of clicking on any links and to verify the existence of any ongoing initiatives with the project’s officials. Another method to avoid being targeted by such Ads is to have a Premium+ X account, albeit at a monthly cost.

3. Hijacked Official X Accounts

Lastly, members of the Web3 community must exercise heightened scrutiny even when engaging with posts shared by official accounts of the projects they follow. A recent incident exemplifying this necessity is the hijacking of the Trezor X account, a renowned manufacturer of cryptocurrency hardware wallets. This incident was particularly unfortunate, given that followers would not anticipate a security-focused project to undergo such a breach. Subsequently, the Trezor team released a dedicated statement addressing the breach. Investigations revealed that malicious actors successfully posted from the official Trezor X account, employing the tactic outlined in the preceding section of this article. This involved sharing a malicious Calendly link in an X direct message, enabling unauthorized posting from the official Trezor X account.

Image 3 — Deceptive post shared by hackers from the official Trezor X account

What steps can users take in such a situation? Always question the content posted on X, even if it appears to be from official sources, and refrain from engaging in any activities until multiple official sources have confirmed the legitimacy of the opportunity. It’s crucial to bear in mind that legitimate opportunities will never require you to share your private keys, and that transferring cryptocurrency assets is an irreversible action.

Regrettably, navigating the landscape of online threats has become an ongoing challenge in the dynamic Web3 environment. At Uppsala Security, we’ve developed advanced tools to provide proactive protection against malicious activities such as fraudulent wallet addresses, phishing URLs, and impersonation attempts. One such solution is our UPPward Extension, available for Brave, Chrome, Edge and Firefox browsers, designed to alert users when they’re on the verge of interacting with potential threats.

Furthermore, if you’ve been unfortunate enough to fall victim to hacking, scams, or fraud resulting in the loss of your cryptocurrency assets, our dedicated in-house research team stands ready to assist. We offer comprehensive investigation services aimed at uncovering the details of such incidents and, where possible, facilitating the recovery of stolen assets. If you’ve experienced such a setback, we encourage you to reach out through our Digital Assets Tracking Services.

About Uppsala Security

Uppsala Security is a leading provider of innovative security tools and services, specializing in Crypto Anti-Money Laundering/Counter-Terrorist Financing (AML/CTF), Transaction Risk Management, Regulatory Compliance, and Transaction Tracking. With a team of experts dedicated to staying ahead of emerging threats, Uppsala Security empowers both end-users and organizations with the knowledge and tools to safeguard their operations in the fast-paced world of cryptocurrencies. Uppsala Security is headquartered in Singapore and has branch offices in Seoul, South Korea. Follow Uppsala Security on Telegram, LinkedIn, Twitter, Facebook and Medium.

UppSecEcho

January 19, 2025

Blockchain Insights
Investigating the Ledger Connect Kit Incident: Uppsala Security’s Analysis of Stolen Fund Transactions

At Uppsala Security, we have developed a robust suite of cybersecurity tools specifically designed for the Web3 environment. These tools are exclusively tailored for Crypto Anti-Money Laundering/Counter-Terrorist Financing (AML/CTF), Transaction Risk Management, Regulatory Compliance, and Transaction Tracking. Our team of seasoned security experts is committed to meticulously investigating prominent hacks, scams, and other malicious activities within the Web3 ecosystem. Our mission is to enhance the safety and integrity of this rapidly evolving space. By identifying and apprehending malicious actors, we facilitate a smoother adoption path for innovative decentralized technologies, contributing to a more secure and trustworthy digital future.

On December 14th 2023, the Ledger Connect Kit experienced an exploit that shook the worldwide crypto community. The issue has since been resolved.

The breach began when a phishing attack deceived a former Ledger employee, leading to the unauthorized upload and distribution of compromised versions of the Ledger Connect Kit. This malicious software was specifically engineered to divert user funds to an attacker-controlled wallet, identified as 0x658729879fca881d9526480b82ae00efc54b5c2d.

The aftermath of this security breach saw the attacker’s wallet amass approximately $250,000 USD in various tokens. The bulk of these were stETH (34.8 units, valued at around $78,000 USD), USDC (60,340 units), and USDT (27,000 units). Additionally, the hacker acquired about 7 ETH and transferred numerous tokens to another wallet under their control, marked as 0x1b9f9964A073401a8BC24f64491516970bB84E47. Here, a significant portion of the tokens, including 34.8989 stETH and 60,000 USDC, were swiftly exchanged for ETH, totaling 34.5841 and 26.1515 ETH respectively. The hacker also gained possession of 50 diverse NFTs, all of which remain in the aforementioned wallet.

Further investigations revealed additional wallets potentially linked to the hacker: 0x412f10AAd96fD78da6736387e2C84931Ac20313f, which is suspected to be connected with the Ledger phishing attack, as well as 0xd41138112Ace58D87Db07e4B5ED61740A6cBA6EB and 0x634984866301511696AC3fdC41Fa4700e11609CE, associated with a ChangeNOW user account. Currently, the majority of the stolen funds are held in wallets 0x1b9f9964A073401a8BC24f64491516970bB84E47 and 0x658729879fca881d9526480b82ae00efc54b5c2d.

Uppsala Security’s Crypto Analysis Transaction Visualization (CATV) tool stands out as one of our most effective transaction tracking solutions available in the decentralized space. It has played a crucial role in several rigorous investigations, aiding victims in successfully recovering their lost funds. Earlier this year, the CATV tool also proved instrumental in an investigation conducted in collaboration with INTERPOL.

The CATV tool was also used by our investigative team for this specific incident, and the graph visualizes the transaction flow from the wallet address 0x658729879fca881d9526480b82ae00efc54b5c2d to the ChangeNOW Exchange.

Image captured from the Crypto Analysis Transaction Visualization (CATV) Dashboard.

Ledger Connect Kit Incident — Fund distribution

1. Wallet Address 1: 0x658729879fCa881D9526480B82aE00EFc54B5c2d (Annotation: Ledger Exploiter)
Estimated Funds held:
340.2671 USDC
27,011.00319 USDT
522,338.2018 GALA
311,922.3308 TOKEN
31,553.66706 MUBI
0.152605 aEthWBTC
47,881.85104 0x0
28,0013.6813 BEAM
1,715,952,879 PLEB
21,679.44229 PAAL
1.17132 ETHx
1,818,442,420 PEPE
43,496.21023 DINO
4,753.199999 RARE
255,641.9237 DOG
2,539,115.608 RACA
0.174921 swETH
484.463348 BONE
4,250,000,000 CAW
784,268.8768 NPC
11.642887 aLINK
18.7 AXS
1,386.407018 PEAR
85.00114 RSC
0.17 AAVE
369,698,608 PEPE
28,500.130745 VEIL

2. Wallet Address 2: 0x1b9f9964A073401a8BC24f64491516970bB84E47 (Annotation: Ledger Exploiter 2 / Fake_Phishing268838)
Estimated Funds held:
63.4746 ETH
2.764925 WETH
24.547777 ILV
454.280584 RNDR
22,095.6233 CHZ
59,844,773.41 SHIB
51.631267 ENS

3. Wallet Address 3: 0x077D360f11D220E4d5D831430c81C26c9be7C4A4 (Annotation: ChangeNOW, Exchange)
Estimated Funds held:
0.008008 ETH

Our investigative team remains vigilant in monitoring the wallets implicated in the Ledger Connect Kit incident. This is made more efficient with our proprietary tool, which automatically sends alerts when assets are transferred. Known as the Crypto Asset Monitoring Service (CAMS), this state-of-the-art product enables real-time surveillance and provides advanced functionality for overseeing cases involving digital assets.

We welcome anyone seeking assistance with investigations, including the Ledger Connect Kit incident, to contact us at any time. Please feel free to reach out to us at [email protected] for support or inquiries.

About Uppsala Security

Uppsala Security is a leading provider of innovative security tools and services, specializing in Crypto Anti-Money Laundering/Counter-Terrorist Financing (AML/CTF), Transaction Risk Management, Regulatory Compliance, and Transaction Tracking. With a team of experts dedicated to staying ahead of emerging threats, Uppsala Security empowers organizations with the knowledge and tools to safeguard their operations in the fast-paced world of cryptocurrencies.

Disclaimer: This article is meant for informational purposes only and does not constitute financial or legal advice. Always conduct your own research and consult professionals directly.
