In the latest hack targeting cryptocurrency investors, hackers stole around $135 million from users of the blockchain gaming company VulcanForge, according to the company.
The hackers stole the private keys to access 96 wallets, siphoning off 4.5 million PYR, which is VulcanForge’s token that can be used across its ecosystem, the company said in a series of tweets on Sunday and Monday. VulcanForge’s main business involves creating games such as VulcanVerse, which it describes as an “MMORPG,” and a card game called Berserk. Both titles, like pretty much all blockchain games, appear chiefly designed as vehicles to buy and sell in-game items linked to NFTs using PYR.
In crypto, compromising someone’s private key is a definitive “game over,” because it gives complete control over the funds held by the corresponding address on a blockchain.
VulcanForge announced the hack on Twitter and in its official Discord channel.
“Over 4m PYR has been stolen from users’ wallets. It was premature to say this is [wallet management service] Venly’s end: we simply don’t know the cause,” the company wrote on Discord, asking users to move funds to MetaMask, a popular wallet. “All funds stolen will be replaced once we’ve understood what’s happened.” Venly’s CTO told The Block that its services were not compromised.
“No words can do much right now, we know that,” the company wrote on Twitter.
This is the third major theft of cryptocurrency in the last eleven days. The total amount of stolen cryptocurrency in these three hacks is around $404 million. On Dec. 2, it was BadgerDAO, a blockchain-based decentralized finance (DeFi) platform, which lost $119 million. The company is asking the hacker to please “do the right thing” and return the money. Then four days later, cryptocurrency exchange BitMart got hacked, losing $150 million.
The VulcanForge hack is notable because, like many new tokens, PYR trades on decentralized exchanges. Decentralized exchanges run on smart contracts, and because there’s no centralized order book, investors trade against “liquidity pools” with funds contributed by users who earn a “staking” reward in return. It also means there’s no central authority to blocklist a malicious account trying to cash out stolen funds.
Since the hack, VulcanForge has advised users to remove their liquidity in order to make it difficult or impossible for the attacker to cash out. As The Block reported, the hacker has so far managed to cash out most of the tokens by trading small amounts at a time, although not without sending PYR’s price into a downward spiral due to the sell pressure. On Discord, a bot message has been asking users every half hour: “Anyone that has LP in uniswap or quickswap remove it ASAP.”
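As an added illustration (not from the article or from VulcanForge), the sketch below models why pulling liquidity limits how much value can be swapped out of a pool. It assumes a Uniswap v2-style constant-product pool with a 0.3% fee; the reserve sizes are constructed, and the $30 starting price is only what the article's own figures imply ($135 million / 4.5 million PYR).

```python
from dataclasses import dataclass


@dataclass
class Pool:
    """Constant-product pool (token * quote = k). Assumed model, not on the page."""
    token: float          # reserve of the traded token (PYR-like)
    quote: float          # reserve of the asset it is sold for (e.g. a stablecoin)
    fee: float = 0.003    # 0.3% swap fee, as in Uniswap v2

    def price(self) -> float:
        return self.quote / self.token

    def remove_liquidity(self, share: float) -> None:
        """LPs withdraw `share` of both reserves; the quoted price is unchanged."""
        if not 0 <= share < 1:
            raise ValueError("share must be in [0, 1)")
        self.token *= 1 - share
        self.quote *= 1 - share

    def sell(self, amount: float) -> float:
        """Swap `amount` tokens into the pool and return the quote asset paid out."""
        amount_in = amount * (1 - self.fee)
        out = self.quote * amount_in / (self.token + amount_in)
        self.token += amount      # the fee stays in the pool
        self.quote -= out
        return out


def cash_out(token_reserve, quote_reserve, dump, lp_removed=0.0):
    """Return (quote received, end price / start price) for selling `dump` tokens."""
    pool = Pool(token_reserve, quote_reserve)
    pool.remove_liquidity(lp_removed)
    start = pool.price()
    received = pool.sell(dump)
    return received, pool.price() / start


if __name__ == "__main__":
    # Constructed reserves: 1M tokens against $30M, i.e. $30 per token.
    for removed in (0.0, 0.5, 0.9):
        got, ratio = cash_out(1_000_000, 30_000_000, 4_500_000, removed)
        print(f"LP removed {removed:>4.0%}: proceeds ${got:,.0f}, "
              f"price falls to {ratio:.1%} of start")
```

A seller can never take out more than the quote asset left in the pool, so every unit of liquidity withdrawn lowers that ceiling; the same formula also shows the price collapse the article describes as tokens are sold into the pool.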
A VulcanForge staff member on Discord claimed on Monday morning that centralized exchanges (CEX) had been notified of the hack. “All the CEX we have partnered with are tracking the addresses and movement of funds. The funds would get seized by the exchange upon deposit,” the staff member said.
On Monday, the company said in a tweet that it had already refunded the majority of stolen PYR, and claimed that it had “isolated” all tokens stolen on centralized exchanges. “Those who knows [sic] VF history, knows [sic] this just makes us stronger,” the company wrote in another tweet.
VulcanForge did not respond to an email asking for comment on how the hack happened.