Common Vulnerabilities in Cryptocurrency Hacks
Explore top LinkedIn content from expert professionals.
-
Last month, India’s biggest crypto exchange CoinDCX lost ₹368–378 crore. Not because of a customer hack. But because an internal wallet got compromised.

Here’s how it played out 👇
→ Attacker hijacked a liquidity wallet
→ Bridged funds (Solana ↔ Ethereum)
→ Laundered via Tornado Cash

Customer wallets? ✅ Safe.
But the breach? ❌ Server-side, deep inside their own infra.

Most teams think “cold storage = safe.” Reality check: internal wallets are the real blind spot. Here’s what 99% of teams don’t do when it comes to high-risk wallets, automation accounts, and liquidity ops.

So here’s a 6-point Internal Wallet Risk Audit you can run this week:

1. Wallet Role Mapping
List every wallet → check what it should do vs what it can do.
⚠️ Red flag: liquidity wallet can move treasury funds.

2. Transaction Limits + Velocity
Can the wallet push $10M at once? Or 10x in 2 min?
⚠️ Red flag: no daily caps or auto-delays.

3. Approval & Signing Workflows
Who signs off on big moves? Forced multi-sigs? JIT approvals?
⚠️ Red flag: backend automation with always-on keys.

4. Bridge Behavior Watch
Monitor transfers across chains. Auto-pause weird routes/off-hours.
⚠️ Red flag: first-time bridge + big amount + midnight = no alert.

5. Key Rotation Discipline
How often do you rotate keys? Retire old ones?
⚠️ Red flag: stale keys from 2022 still active.

6. Red Teaming ‘Rogue Wallets’
When did you last simulate a compromised wallet?
⚠️ Red flag: confident → but never tested.

Know friends or colleagues trading crypto? ♻️ Re-share this with them; they should know where the real risks are.

This wasn’t a crypto-specific failure. It was a visibility, privilege, and control failure.

What are your thoughts on the CoinDCX breach?

#CyberSecurity #CryptoSecurity #BlockchainSecurity #CryptoNews #DataBreach #HackPrevention #Web3Security #CloudSecurity #InfoSec #CryptoHack #CoinDCX #SecurityAwareness #FinTech #RiskManagement #SecurityTips #HackingNews
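The daily-cap, velocity, bridge-route and key-age checks from the wallet audit above, run over a constructed transfer log. This is an added example, not code from the post or from CoinDCX; every wallet name, threshold, key id, route label and event below is constructed, and the shape of the policy table is an assumption about how such a control would be configured.

```python
"""Internal wallet control checks over a constructed transfer log.

Added example; not code from the post or from CoinDCX. It implements
points 2, 4 and 5 of the audit (daily caps, burst velocity, first-time
bridge routes at off-hours, stale signing keys) plus the "unmapped wallet"
case from point 1. Wallet names, thresholds, key ids and events are all
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed per-wallet policy: what the wallet is *allowed* to do.
POLICY = {
    "liquidity-sol-1": {
        "daily_cap_usd": 5_000_000,
        "burst_window": timedelta(minutes=2),
        "burst_max_count": 3,           # more than this many sends per window is a burst
        "large_usd": 1_000_000,
        "business_hours_utc": (9, 18),  # sends outside [9, 18) UTC count as off-hours
        "key_max_age": timedelta(days=90),
    },
}

# Constructed transfer events, as an exchange's ledger or chain indexer would emit them.
EVENTS = [
    {"wallet": "liquidity-sol-1", "ts": "2025-07-18T10:05:00Z", "usd": 200_000,   "route": "internal:market-making"},
    {"wallet": "liquidity-sol-1", "ts": "2025-07-19T00:12:00Z", "usd": 2_500_000, "route": "bridge:sol-eth"},
    {"wallet": "liquidity-sol-1", "ts": "2025-07-19T00:12:40Z", "usd": 2_400_000, "route": "bridge:sol-eth"},
    {"wallet": "liquidity-sol-1", "ts": "2025-07-19T00:13:10Z", "usd": 1_900_000, "route": "bridge:sol-eth"},
    {"wallet": "liquidity-sol-1", "ts": "2025-07-19T00:13:30Z", "usd": 800_000,   "route": "bridge:sol-eth"},
]

# Constructed signing-key inventory (point 5: rotation discipline).
KEYS = [
    {"wallet": "liquidity-sol-1", "key_id": "hsm-key-07", "created": "2022-03-01T00:00:00Z", "status": "active"},
    {"wallet": "liquidity-sol-1", "key_id": "hsm-key-31", "created": "2025-06-01T00:00:00Z", "status": "active"},
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_events(events, policy=POLICY):
    """Return one finding dict per control violation in the event log."""
    findings = []
    daily_total = defaultdict(float)   # (wallet, date) -> USD sent that day
    window = defaultdict(list)         # wallet -> timestamps inside the trailing burst window
    routes_seen = defaultdict(set)     # wallet -> bridge routes already used
    for e in sorted(events, key=lambda x: x["ts"]):
        pol = policy.get(e["wallet"])
        if pol is None:                # point 1: every wallet must have a mapped role/policy
            findings.append({"check": "unmapped_wallet", "wallet": e["wallet"], "ts": e["ts"]})
            continue
        ts = parse_ts(e["ts"])
        daily_total[(e["wallet"], ts.date())] += e["usd"]

        # Velocity: drop timestamps that fell out of the window, then count what is left.
        w = window[e["wallet"]]
        w.append(ts)
        w[:] = [t for t in w if ts - t <= pol["burst_window"]]
        if len(w) > pol["burst_max_count"]:
            findings.append({"check": "velocity_burst", "wallet": e["wallet"], "ts": e["ts"],
                             "detail": f"{len(w)} sends within {pol['burst_window']}"})

        # Bridge watch: first-time route + large amount + off-hours -> alert (candidate for auto-pause).
        is_bridge = e["route"].startswith("bridge:")
        first_use = is_bridge and e["route"] not in routes_seen[e["wallet"]]
        start, end = pol["business_hours_utc"]
        off_hours = not (start <= ts.hour < end)
        if first_use and e["usd"] >= pol["large_usd"] and off_hours:
            findings.append({"check": "first_bridge_large_offhours", "wallet": e["wallet"], "ts": e["ts"],
                             "detail": f"{e['route']} ${e['usd']:,} at {ts.hour:02d}:{ts.minute:02d} UTC"})
        if is_bridge:
            routes_seen[e["wallet"]].add(e["route"])

    for (wallet, day), total in daily_total.items():
        if total > policy[wallet]["daily_cap_usd"]:
            findings.append({"check": "daily_cap_exceeded", "wallet": wallet, "ts": day.isoformat(),
                             "detail": f"${total:,.0f} > cap ${policy[wallet]['daily_cap_usd']:,}"})
    return findings


def audit_keys(keys, now, policy=POLICY):
    """Flag active signing keys older than the wallet's rotation limit."""
    return [
        {"check": "stale_key", "wallet": k["wallet"], "key_id": k["key_id"],
         "detail": f"age {(now - parse_ts(k['created'])).days} days"}
        for k in keys
        if k["status"] == "active"
        and now - parse_ts(k["created"]) > policy[k["wallet"]]["key_max_age"]
    ]


if __name__ == "__main__":
    for f in audit_events(EVENTS) + audit_keys(KEYS, parse_ts("2025-07-20T00:00:00Z")):
        print(f)
```

On the constructed log the four bridge sends trip the velocity rule at the fourth send (four sends inside a two-minute window), the first bridge send trips the off-hours rule, the day total trips the cap, and the 2022 key is reported as stale; the 2025 key is not. In production the same checks would sit in front of the signer (blocking or delaying), not only in a reporting job.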
-
On Feb 21, 2025, Bybit (a crypto exchange) detected unauthorized activity during a routine fund transfer process. A deeper investigation revealed something shocking: $1.5 billion had been transferred to an unknown wallet.

But this should have been almost impossible. Bybit's wallet is protected by 'multi signature' security, meaning at least 2 out of 3 authorized personnel must approve the transaction. Yet, somehow, the attacker bypassed this restriction. How?

This is the story of the biggest heist in the cryptocurrency world known till date. Read on.

Attack Flow (simplified):
1) Attacker recons Bybit's infra > identifies that Bybit uses a 3rd-party multisig platform provider (SafeWallet).
2) Attacker targets SafeWallet > compromises a SafeWallet developer's device > injects malicious JavaScript code into the SafeWallet application hosted on AWS cloud.
3) Here's the interesting part: this injected code executes ONLY when there's a transaction from a Bybit signer > once activated, the malicious JS code can modify critical fields during a transaction.
4) Bybit's authorized personnel now access the SafeWallet interface to perform a routine transaction > the malicious code manipulates the transaction details > silently replaces the recipient address with the attacker's address but doesn't reveal this in the UI.
5) Both of Bybit's signers, believing everything is normal, authorize the transaction > $1.5 billion worth of crypto stolen!

A Few Thoughts:
1) Hacking is like magic. What you see is not what is real. What was displayed to signers is not what was actually executed. This art of deception is at the core of many sophisticated attacks. The methods evolve, but the concept stays the same.
2) No defense is absolute. Bybit's wallet had strong security. It's not just a multisig wallet but a 'multisig cold' wallet. Cold wallets are usually kept offline until there is a need to access funds, i.e. for 99.9% of the time the wallet is not even connected to the internet. Yet, this could not stop the attacker.
3) The easiest way to get past a locked door is to convince the owner to open it for you. The attacker knew that stealing multiple private keys was impractical; getting 2 or 3 would be nearly impossible. So they devised a plan so that the legitimate owners themselves executed what the attacker wanted.
4) The payload was designed to activate only when certain conditions were met. This selective execution ensured that the backdoor remained undetected. 2 min after the malicious transaction, the hacker updated the SafeWallet code to remove the backdoor.
5) In a high-stakes game, your enemy might not attack you directly. The most dangerous weakness is the one you don’t see clearly and don't control directly. Assess your supply chain threats rigorously.

If you enjoyed this or learned something, follow me at Rohit Tamma for more in future!

#informationsecurity #supplychainsecurity #malware #cybersecurity #cloudsecurity
-
Last month, we were pentesting a crypto iOS app for a client. The most dangerous vulnerability wasn’t on the server.

30 minutes in, we found their Moonpay SECRET API Key. Hardcoded. Anyone with basic reverse engineering skills could access:
👉 Access to customer transaction data
👉 Full visibility into financial activity
👉 Zero authentication beyond the leaked key

The API call was shockingly simple:

    GET /v1/transactions
    Host: api.moonpay.com
    Authorization: Api-Key sk_live_<SECRET>

That's it. No sophisticated exploit. No zero-day. Just a key sitting in plain sight.

How did this happen?
→ A developer hardcoded it during a sprint. "Just temporarily."
→ It went to production. Passed code review. Sat there for 8 months.
→ 500K+ downloads later, we found it.

The uncomfortable truth:
→ The fix took 2 hours
→ The exposure lasted 12 months
→ This isn't an isolated incident

In 2025, we've found critical vulnerabilities in 80% of mobile apps we've tested. Most are completely preventable:
→ Hardcoded API keys
→ Weak certificate pinning
→ Exposed endpoints
→ Poor key management

Here's what we recommend:
✅ Never store secrets client-side
✅ Use secure keystores (iOS Keychain)
✅ Implement certificate pinning
✅ Regular security audits, not just code reviews

Question for you: When was the last time YOUR mobile app was pentested? If the answer is "never" or "I don't remember", you're not alone. But your users' data deserves better.

Drop a comment or DM me "iOS" and I'll share our iOS mobile app security checklist, the same one we use for our clients. Don't wait for an attacker to find what we found.

#CyberSecurity #AppSec #PenetrationTesting #MobileSecurity #InfoSec #iOSApp #iOSPentest
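The kind of hardcoded key the post describes is cheap to catch before release by scanning the strings of the built binary. The scanner below is an added example, not the pentester's own tooling: the input list is a constructed stand-in for `strings` output from a decrypted iOS binary (or a plist/JSON asset in the .ipa), the `sk_live_`/`pk_live_` patterns are an assumed key format taken from the post's `Api-Key sk_live_<SECRET>` header rather than a published spec, and the AWS key id is the example value from AWS's own documentation.

```python
"""Scan strings extracted from an app binary for shipped secrets.

Added example; not code from the post or from the pentest described. The
input is a constructed stand-in for `strings` output. The sk_/pk_ patterns
are assumptions about the vendor's key format, not a published spec.
"""
import math
import re

# Constructed sample: framework paths, an endpoint, keys and noise.
EXTRACTED = [
    "/System/Library/Frameworks/UIKit.framework/UIKit",
    "https://api.moonpay.com/v1/transactions",
    "pk_live_examplePublishableKey0000000000",     # constructed
    "sk_live_exampleSecretKeyDoNotShip000000",     # constructed
    "AKIAIOSFODNN7EXAMPLE",                        # AWS's documented example key id
    "-----BEGIN EC PRIVATE KEY-----",
    "NSLocalizedDescription",
    "8f2c1e9a7b3d4c5e6f708192a3b4c5d6e7f8091a",    # constructed 40-hex token
]

# (rule name, pattern, severity). Prefix rules are exact; the entropy fallback catches the rest.
RULES = [
    ("secret api key (sk_ prefix)",  re.compile(r"\bsk_(?:live|test)_[A-Za-z0-9]{16,}\b"),    "critical"),
    ("publishable key (pk_ prefix)", re.compile(r"\bpk_(?:live|test)_[A-Za-z0-9]{16,}\b"),    "info"),
    ("aws access key id",            re.compile(r"\bAKIA[0-9A-Z]{16}\b"),                      "critical"),
    ("pem private key block",        re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),   "critical"),
]
TOKEN = re.compile(r"[A-Za-z0-9_\-]{32,}")


def shannon_entropy(s: str) -> float:
    """Bits per character; random hex tops out near 4.0, base64 near 6.0."""
    n = len(s)
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_strings(lines, entropy_threshold=3.5):
    """Return findings in line order; the match is truncated so the report never re-leaks the secret."""
    findings = []
    for lineno, raw in enumerate(lines, 1):
        s = raw.strip()
        hit = False
        for name, rx, severity in RULES:
            m = rx.search(s)
            if m:
                hit = True
                findings.append({"line": lineno, "rule": name, "severity": severity,
                                 "match": m.group(0)[:12] + "..."})
        if hit:
            continue
        # Fallback: long, high-entropy tokens deserve a human look even without a known prefix.
        for tok in TOKEN.findall(s):
            if shannon_entropy(tok) >= entropy_threshold:
                findings.append({"line": lineno, "rule": "high-entropy token", "severity": "review",
                                 "match": tok[:12] + "..."})
    return findings


def blocks_release(findings) -> bool:
    """CI gate: any critical finding fails the build before the .ipa is uploaded."""
    return any(f["severity"] == "critical" for f in findings)


if __name__ == "__main__":
    results = scan_strings(EXTRACTED)
    for f in results:
        print(f)
    print("release blocked:", blocks_release(results))
```

Publishable keys are reported at info level because some vendors intend them to ship in clients; a secret key is always a build-breaking finding. Run the scan against the actual build artifact, not the source tree, so keys injected by build scripts or bundled assets are covered too.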
-
🇰🇵 North Korean hackers targeting crypto developers with fake job offers!

Security researchers have uncovered a sophisticated campaign by threat actor Slow Pisces (aka Jade Sleet) targeting cryptocurrency developers through LinkedIn. The attackers pose as employers, sending malicious Python coding challenges that deliver RN Loader and Stealer malware. This attack harvests sensitive data including system metadata, iCloud Keychain contents, SSH keys, and cloud configuration files. The same group is linked to February's massive Bybit cryptocurrency hack.

💭 Things to Consider: This attack demonstrates how social engineering continues to evolve alongside technical exploits. The targeting of developers, especially in the cryptocurrency space, shows a shift toward compromising the developers rather than just the platforms they create. By focusing on the users with privileged access and using legitimate platforms like LinkedIn and GitHub as delivery mechanisms, attackers are bypassing traditional security controls and exploiting our yearning for career advancement and professional validation.

⚡ PROTECT YOURSELF: Cryptocurrency developers should treat unsolicited job opportunities with extreme caution, especially those requiring you to download and run code. Always review the code in a sandboxed environment before execution, verify the legitimacy of recruiters through multiple channels, and maintain separate development environments for untrusted code. Organizations should implement security awareness training specifically addressing these sophisticated social engineering tactics.

Share this warning with your developer networks, as the next target could be someone you know!

#HumanRiskManagement #CyberSecurity #SocialEngineering #CryptoCurrency #MalwareAlert #DeveloperSecurity #ThreatIntelligence #TrustAndVerify
-
How have some of the largest crypto hacks involved tricking sophisticated teams into signing malicious transactions? For example, the $1.5 billion operational loss at Bybit was due to this.

When transferring funds, or interacting with a DeFi product, a transaction must be signed. The largest operational attack in crypto (the Bybit hack) involved tricking the Bybit team into signing a transaction that they thought was legitimate, but actually sent funds to a malicious party (the North Koreans). This attack has also hit many, many more, including DeFi protocols, individuals, and funds.

It is important to have multiple methods of verifying transactions when managing crypto custody.

What does it mean to have multiple methods of verifying a transaction? When you go to sign a transaction, there is a batch of data that is produced that we can just call the "unsigned transaction". That unsigned transaction looks like a seemingly random collection of numbers and letters; you need some method to verify that the information you are about to sign is, in fact, what you want to sign.

What is the problem? Sometimes your method of verifying the transaction becomes compromised.

How can you mitigate this? Here are a few practical examples of solutions:
- Have dedicated machines for signing transactions (including automated cloud-based signers).
- Use a pre-transaction tool/service that acts as a separate pair of eyes to look at your transaction. This tool/service should be independent of your operation.
- If you are using a crypto custody solution that allows setting signing policies (i.e., setting frequent allowable transactions), take advantage of that and actually set the policies. If the solution's policy engine does what it is supposed to, then this should mitigate risks to an operation's frequently used transactions.
- Some custody technology providers implement their own transaction flows. This can include proprietary wallet browser plugins and hardware (usually pushing transaction information to phones); this is one more surface an attacker would have to compromise. Of course, the efficacy of those plugins and flows would need to be secure.
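The "what you see is not what you sign" failure from the Bybit write-up earlier on this page, and the independent-verification and signing-policy advice in the post just above, as one added example. This is not code from either post, from Bybit or from Safe: the field names (to, value, data, operation, nonce) follow the Safe transaction struct, but the digest is SHA-256 over canonical JSON as a stand-in for the real EIP-712 hash, and every address, amount and policy value is constructed.

```python
"""Verify a multisig transaction independently of the web front end.

Added example; not code from either post, Bybit or Safe. Field names follow
the Safe transaction struct, but the digest is a SHA-256 stand-in for the
real EIP-712 hash, and all addresses, amounts and policy values are
constructed.
"""
import hashlib
import json

FIELDS = ("to", "value", "data", "operation", "nonce")


def tx_digest(tx: dict) -> str:
    """Deterministic digest over the fields that actually get signed."""
    canonical = json.dumps({k: tx[k] for k in FIELDS}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


# What the ops team approved, stored in an internal transfer ticket that the wallet UI cannot touch.
INTENDED = {"to": "0x1111111111111111111111111111111111111111", "value": 30_000, "data": "0x",
            "operation": 0, "nonce": 41}

# Constructed signing policy for this wallet (the "actually set the policies" point).
POLICY = {
    "allowed_destinations": {"0x1111111111111111111111111111111111111111",
                             "0x2222222222222222222222222222222222222222"},
    "max_value": 50_000,
    "allow_delegatecall": False,   # Safe operation 1 = delegatecall; plain transfers use 0
    "allow_calldata": False,       # plain transfers only: data must be "0x"
}


def verify_before_signing(intended, displayed, requested, policy=POLICY):
    """Return the reasons to refuse; an empty list means safe to sign.

    intended:  the transfer as recorded out-of-band (ticket, second machine)
    displayed: what the wallet UI rendered for the human
    requested: the payload the UI actually handed to the signing device
    """
    reasons = []
    # Independent check 1: the screen and the signing request must agree.
    if tx_digest(displayed) != tx_digest(requested):
        reasons.append("UI shows a different transaction than the one being signed")
    # Independent check 2: the signing request must match the approved intent.
    if tx_digest(intended) != tx_digest(requested):
        reasons.append("signing request does not match the approved transfer ticket")
    # Policy engine: even a correctly displayed transaction must fit the wallet's rules.
    allowed = {a.lower() for a in policy["allowed_destinations"]}
    if requested["to"].lower() not in allowed:
        reasons.append("destination not on the allowlist")
    if requested["operation"] == 1 and not policy["allow_delegatecall"]:
        reasons.append("delegatecall not permitted")
    if requested["data"] != "0x" and not policy["allow_calldata"]:
        reasons.append("calldata not permitted for this wallet")
    if requested["value"] > policy["max_value"]:
        reasons.append("value exceeds policy limit")
    return reasons


def simulate_compromised_frontend():
    """Constructed: the UI renders the intended transfer but swaps the recipient in the payload."""
    displayed = dict(INTENDED)
    requested = {**INTENDED, "to": "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"}
    return displayed, requested


if __name__ == "__main__":
    shown, asked = simulate_compromised_frontend()
    print("honest UI   ->", verify_before_signing(INTENDED, INTENDED, INTENDED))
    print("tampered UI ->", verify_before_signing(INTENDED, shown, asked))
```

The point of computing `tx_digest(intended)` on a separate machine is that a compromised front end cannot alter it; the signer compares that value with the hash the hardware device displays before approving. The allowlist and value checks are the second, independent layer: they would still refuse the swapped recipient even if the digest comparison were skipped.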
-
🚨 Bybit Hack: The Largest Crypto Heist in History 🚨

$1.46 BILLION stolen, and counting. That’s 16% of all previous crypto hacks combined.

But here’s the scariest part:
❌ No code exploit
❌ No leaked private keys
✅ Just humans being tricked

Bybit’s own multisig signers approved the transactions, thinking it was a routine transfer. But the attacker manipulated their UI, making the UI show a different transaction than what was actually being signed.

This is next-level social engineering:
🔍 Identified and targeted all multisig signers
🦠 Infected their devices with malware
🖥️ Altered the UI to display a fake, legitimate-looking transaction
✍️ Tricked all signers into approving it

💡 Key lessons for crypto security:
🔸 Multisigs are not foolproof if signers can be compromised
🔸 Cold wallets aren’t automatically safe
🔸 Even the best code can’t fix human vulnerabilities
🔸 Supply chain attacks are getting more sophisticated

The game has changed!
-
Imagine this: $1.5 BILLION lost to hackers. This is exactly what just happened with the ByBit attack.

Here's what every executive and board member should know about the hack: the hack was a multi-layered attack combining smart contract manipulation and a supply chain breach, a growing risk for financial platforms.

How the Attack Unfolded:
1️⃣ Wallet Interface Manipulation: Hackers altered the smart contract logic while displaying legitimate addresses, tricking the system into approving unauthorized transactions.
2️⃣ Supply Chain Breach: Attackers injected malicious code into Safe Wallet, a third-party service used by ByBit, compromising its infrastructure.
3️⃣ Attribution to Lazarus Group: The FBI linked the attack to North Korea’s state-sponsored Lazarus Group, which has a history of targeting cryptocurrency platforms.

Key Takeaways for Business Leaders:
🔹 Third-party risk is a major vulnerability. Companies must enforce stronger security assessments for vendors handling critical infrastructure.
🔹 Crypto platforms remain high-value targets. State-sponsored groups are evolving tactics, exploiting smart contract and wallet security flaws.
🔹 Proactive monitoring is essential. Continuous security validation and supply chain threat detection must be prioritized to prevent similar breaches.

As financial services integrate blockchain and smart contracts, supply chain security and transaction integrity will be critical to mitigating risks.
-
🚨 New TRM Labs Data Drop: Spoiler: 2025 is already a record-setting year for hacks.

In just the first half of 2025, over $2.1 billion has been stolen in 75+ hacks, marking the largest H1 total ever, up 10% from 2022’s record and nearly matching all of 2024. The average hack now tops $30 million, double last year’s.

That surge was led by the Bybit hack in February, a $1.5 billion theft we assess was carried out by North Korea, the largest crypto hack in history. It alone accounts for nearly 70% of total losses, and helps explain why North Korea-linked groups stole $1.6 billion in H1, more than any other actor by far.

This is no longer just cybercrime; it's statecraft. Our data shows DPRK continues to exploit crypto theft to evade sanctions and fund weapons development. Meanwhile, other state-linked actors are entering the fray: in June 2025, alleged Israeli group Gonjeshke Darande (Predatory Sparrow) hacked Iran’s Nobitex exchange, stealing $90 million and sending funds to unspendable vanity addresses, a clear political statement, not a financial one.

👨💻 How the hacks are happening:
🔨 Infrastructure attacks, including private key theft and front-end compromises, made up 80% of losses, and were 10x larger than other attacks.
✨ DeFi protocol exploits, like flash loans and reentrancy, accounted for 12%, underscoring persistent smart contract vulnerabilities.

🙋♀️ What it means: H1 2025 marks a turning point. Crypto hacks are now part of geopolitical conflict, with state actors using theft as a tool of foreign policy. Defenses must go beyond audits and MFA; we need industry-wide insider threat detection, advanced social engineering defenses, and state-level response coordination.

🛣️ The way forward: Only a global, coordinated effort across law enforcement, regulators, and blockchain intelligence can keep pace. As crypto intersects more deeply with national security, the threats are no longer theoretical. They're operational.

Read the full report in the comments ⬇️
-
🚨 Lessons from the Bybit Hack: What Every Crypto User Should Know

Last week, Bybit suffered one of the largest crypto hacks in history, with $1.4 billion in ETH stolen from a cold wallet. The attack was sophisticated, targeting multi-signature authentication weaknesses and tricking security teams into approving a fraudulent transaction.

Some key takeaways from this breach:
🔹 Blind signing is a major security risk. Users and institutions need human-readable transaction details to prevent manipulated approvals.
🔹 Lazarus Group is likely behind the attack. North Korea’s cybercriminal unit continues to exploit crypto platforms using advanced hacking techniques.
🔹 Bybit kept withdrawals open and covered 80 percent of losses with internal funds and bridge loans, but trust in centralized platforms remains a concern.
🔹 Better security is not just about reacting but preventing. Solutions like zero-trust security models, clear signing processes, and robust transaction protection are critical to safeguarding digital assets.

This hack is another reminder that security cannot be an afterthought in crypto. We need infrastructure that eliminates blind signing, enhances institutional oversight, and provides transparent, user-friendly transaction approvals.

We at Anchorage Digital are determined to protect our clients from these security issues. Porto combines our time-tested custody security with cutting-edge self-custody technology. Reach out if you want to learn more!

Article for more depth in the comments ⬇️