Private Keys Exploit, the Most Lucrative Hack of 2023 (2024)

It was through a simple PDF and a fake job offer that the biggest heist in crypto history took place in 2022 when Ronin Bridge lost an astounding $624 million.

Social engineering also played a role in crypto VC Bo Shen losing a whopping $42 million in November 2022 and is very likely behind the $112.5 million lost by Chris Larsen, chairman of Ripple, in January 2024.

In those three cases, social engineering — the manipulation of individuals through psychological tactics to gain unauthorized access to systems or information — allowed the exploiters to gain access to their private keys and then siphon away their funds.

Web3 companies are particularly vulnerable to devastating private key exploits, as a recent report from Web3 firm De.Fi reveals. According to the report, governance framework mispractice poses a threat to 75% of top tokens.

Only 16.6% of the contracts analyzed were managed by multisig wallets, which require up to five different private keys to approve any transaction. Multisig is not even a sophisticated security tool; using it is the most basic security step of any protocol to safeguard against inside jobs, social-engineered or not, scams, and hacks.

Although this report primarily concerns tokens, it accurately represents the lax approach to security practice in the entire Web3 landscape. A lack of security measures proves to be a key factor in most private key exploits through social engineering or otherwise, as only one compromised wallet is needed to compromise a whole protocol.

Private key governance is so lax that, for instance, FTX faced a $447 million hack in November 2022, where the attackers reportedly simply SIM-swapped one individual to gain access to the private keys and the wallet from which they then withdrew the funds from FTX’s coffers. It was later revealed that FTX stored private keys without encryption.

The lax security practices have become the Achilles’ heel of the crypto space, and North Korea’s state-sponsored crypto hacking group, Lazarus, quickly caught on to this.

Private key exploits through social engineering have become their crypto villain signature.

North Korea’s Lazarus Group, The Private Keys Masters

The Lazarus Group’s hacking modus operandi really boils down to three words: “Get The Keys!”

The PDF and fake job offer behind the biggest heist in crypto history? Sent by them.

Out of the nine hacks traced back to the Lazarus Group in 2024, seven of them happened through private keys being compromised.

The nature of one of these hacks remained undisclosed: the Atomic Wallet hack, which ultimately allowed them to steal Atomic Wallet users’ private keys.

While the compromise of private keys was acknowledged in other cases, the specific details of how it occurred were never fully disclosed, except for one case: the CoinsPaid hack.

Brute force attacks and supply chain attacks are techniques used to gain access to private keys, but the tactic used in the CoinsPaid hack is likely a more accurate representation of the techniques used by the Lazarus Group in the other seven private key compromise cases.

Similar to the Ronin case, the private key exploit was made possible through malware implemented via ingenious social engineering tactics.

On July 22nd, the Lazarus Group stole $37 million from the Estonia-based cryptocurrency payments firm CoinsPaid via LinkedIn.

According to CoinsPaid’s post-mortem report, the Lazarus Group initially attempted to breach their systems through conventional hacking methods starting in March 2023.

After months without success, they fell back on their proven tactic: the fake job offer route.

They dangled extremely appealing high-salary job offers in front of CoinsPaid’s employees, with compensation ranging from 16,000–24,000 USD a month, and waited for an employee to fall into their trap.

An employee, inattentive or simply unaware of the risk, took the bait and went through a fake job interview during which he was asked to download a piece of software to complete a technical task.

Unfortunately, he did not conduct his job interview using his own personal computer but instead used one that provided access to CoinsPaid’s infrastructure.

The “software” was malicious code that allowed the Lazarus Group “to gain remote control of a computer for the purpose of infiltrating and accessing CoinsPaid’s internal systems,” per CoinsPaid.

After gaining access to CoinsPaid’s infrastructure, they were able to successfully open a backdoor that “allowed them to create authorised requests to withdraw funds from CoinsPaid hot wallets.”

That’s how $37 million was lost to the Lazarus Group.

This technique, of finding weaknesses in people rather than code, has proven to be fruitful.

And not only to the Lazarus Group’s benefit.

Additional Study Cases: Concentric Finance and Chris Larsen

  • The Concentric Finance Case, a $1.8 Million Heist

Concentric Finance is a yield aggregator project whose vaults were drained of around $1.8 million on January 22nd, 2024, following a successful social engineering attack targeting a member of the Concentric Finance team with access to the protocol’s deployer wallet.

As in the CoinsPaid and Ronin cases, the attacker targeted a member of the Concentric Finance team who had access to a key vulnerability vector: the deployer wallet. The attacker posed as a recruiter on a professional networking platform. During the recruitment process, the team member was asked to download software under the guise of a routine skill assessment.

Unfortunately for Concentric Finance, this software was, in fact, malware that ultimately gave the attacker access to the private keys of the deployer wallet.

  • Chris Larsen, The Biggest Exploit of 2024?

When it was discovered that Chris Larsen, chairman of Ripple, had his entire wallet wiped out on January 31st, 2024, and no explanation of how it happened was forthcoming from the victim, it appeared highly likely that his private keys had been compromised, and even more likely that it was done through social engineering.

The reason is that, when it comes to private key exploits, there are only so many ways to go about it. The other tactics, as we will see below, had an extremely low probability of being involved in this case, and revelations made by Hacken a week after the exploit took place only confirmed the initial hunch shared by the crypto community.

Furthermore, given that no statement has been made to explain away this astounding loss, and as in most cases involving social engineering and the theft of private keys, it’s not far-fetched to allege that a socially engineered private key exploit is the reason behind Chris Larsen’s hack and the ensuing silence.

The methodology — colossal crypto theft associated with private keys compromised through social engineering — could have suggested that the Lazarus group could be yet again behind (as of now) the biggest hack of 2024. However, the escape routes chosen by the hacker(s) — MEXC, Gate, Binance, Kraken, OKX, HTX, HitBTC — tend to prove otherwise.

According to the blockchain security firm SlowMist, the Lazarus group has adopted new ways to launder money and cash out in the year 2023, steering away entirely from mainstream centralized exchanges, which have taken on a very proactive role in stopping the laundering of high-profile hacks in the crypto space over the past two years.

A very wise approach, one would say, as the Binance team succeeded in freezing $4.2 million worth of XRP stolen by Chris Larsen’s exploiter.

Hacken’s latest report suggests, without directly admitting it, that everything points to an inside job from within Ripple’s team, making it even easier for them to succeed in tricking Chris Larsen.

Social engineering can indeed be carried out by friends, family members or colleagues as it involves manipulating individuals into divulging confidential information, performing actions, or providing access to systems or resources that they typically wouldn’t do under normal circumstances.

Friends or family members might have a better understanding of a person’s habits, preferences, or vulnerabilities, which can be exploited to gain their trust or manipulate them into divulging sensitive information or performing actions they wouldn’t otherwise do.

This form of social engineering is often referred to as “familiarity exploitation” or “relationship-based manipulation.”

Outside of the “familiarity exploitation” and “fake job offer” strategies we have seen, attackers who use social engineering are able to develop extremely intricate scenarios involving two or more personas, recruit employee(s), and work on their target for weeks and months.

One of the most harrowing demonstrations of how far they can go to entrap their target is the very elaborate, weeks-long social engineering attack that a certain Thomasg.eth went through, and that almost cost him $125 million.

Although in this peculiar case the endgame was not to gain access to his private keys but to have him click on a wallet drainer, the tactics employed are as relevant as in private key exploit cases.

Dive into our report on this case to discover more:

Story of an Almost $100M Crypto Heist: Once upon a time lived a dreamer called Thomasg.eth (medium.com)

If we step back from social engineering, malicious software, and phishing attempts, there is one particular type of hack that has been at the core of numerous private key exploits: brute force attacks.

A brute force attack is a cryptographic hack that relies on systematically trying possible combinations of a targeted password until the correct one is discovered.

In the past two years, brute force attacks have mainly affected two entities, Profanity and LastPass, but have claimed countless victims.

Profanity Hack

In 2022, private key exploits linked to the brute force attack on Profanity amounted to around $172 million in losses, and probably more that were never recorded.

Profanity is an Ethereum vanity address generator. Vanity addresses are Ethereum addresses that, instead of looking like an indecipherable sequence of numbers and letters, have parts of them (generally the prefix and/or suffix) chosen by their owners to include their name or whatever else they choose.

On September 15, 2022, the DeFi protocol 1inch Network raised the alarm about vanity addresses generated by Profanity that could possibly be drained due to an inherent vulnerability. The 1inch team closed their warning with the very appropriate “Run, You Fools.”

In the following weeks, at the very least, $172 million was lost by individuals and web3 actors alike. The most devastating private key exploit was algorithmic market maker Wintermute, which lost $162.5 million in one of the greatest hacks recorded in 2022.

After the first hacks, it was revealed that Profanity developers had abandoned the project a few years ago after discovering fundamental security issues in creating private keys.

To generate these addresses, Profanity drew from a limited set of possible seed values (2^32); the larger the seed space, the better protected the resulting wallet addresses are. This limited seed space made the addresses highly vulnerable to brute force attacks, which is precisely what has been happening since September 2022.

It was first estimated in January 2022 by 1inch co-founder Anton Bukov that, within 50 days, a set of 1,000 GPUs could theoretically brute force the private keys of every 7-character vanity address generated by Profanity.

On September 30th, 2022, the crypto firm Amber Group tried to replicate the $162M Wintermute hack with modest hardware, a MacBook M1 with 16GB of RAM, and found it extremely easy and quick: it took them less than 60 hours in total to reproduce the hack.

As of now, every person with funds locked in one of their Profanity addresses could still be subjected to a swift brute force attack.

The LastPass Case

In 2022, an intrinsic vulnerability in the vanity wallet generator Profanity wreaked absolute havoc for both retail investors and crypto actors.

In 2023, retail investors were unlucky again. This time the wallet drains traced back to the password manager service LastPass, which is, allegedly, leaking seed phrases.

Blockchain security researchers revealed in September 2023 that hundreds of wallets had been silently siphoned of more than $35 million due to LastPass’ encrypted vaults being cracked, giving access to the seed phrases stored within.

This discovery was made possible thanks to Taylor Monahan, lead product manager of MetaMask, who had been on the hunt for six months, looking for a clue that would explain how so many “security-conscious” and long-term crypto users could see their wallets being siphoned out of the blue with nothing to indicate it could be due to security breaches or wallet drainers.

She was able to successfully connect the dots to a single common point: LastPass Vault.

Movement of stolen cryptos from individuals who used LastPass to store their crypto seed phrases showing a common denominator — Source: Tayvano_ on Twitter

In November 2022, the password manager service LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users.

The 150 victims of this previously unexplained crypto heist had all stored their secret seed phrase on LastPass.

Furthermore, it could all be traced back to a unique signature linked to monthly crypto heists of two to five million dollars that date back to December 2022, one month after the LastPass breach was revealed.

Leading blockchain security researchers allege that some of LastPass’ encrypted vaults were cracked to access the crypto credentials stored within.

As of now, seed phrases stored in LastPass vaults should be regarded as compromised.

Brute force attacks have not been the only hacks enabling private key exploits; supply chain attacks have too.

Supply chain attacks have been among the new types of hacks in the web3 community over the past two years. Four supply chain attacks were reported in 2023, resulting in $237 million in losses and contributing to the second-biggest hack of the year: Mixin Network.

In cybersecurity, a supply chain attack is a cyberattack that targets organizations and attempts to inflict damage by exploiting the “weaker links” in the supply chain network and their vulnerabilities.

The “Supply Chain Network” encompasses every intermediary and organization used to operate a business.

Every new actor in a supply chain brings with it its own ‘points of vulnerability.’

As a result, supply chain attacks have become one of the most dangerous security threats for businesses and organizations at large.

Applied to the blockchain, a supply chain attack occurred when around 9,223 crypto wallets from Phantom, Slope, Solflare, and TrustWallet on the Solana blockchain were drained of almost $6 million in crypto in August 2022 due to their private keys being compromised.

According to the Solana team, all of the affected addresses, including those of Phantom, Solflare, and TrustWallet, ‘were at one point created, imported, or used in Slope mobile wallet applications.’ Unfortunately, one week prior to the exploit, Slope had decided to use Sentry, an event-logging platform utilized by many websites and mobile apps in the industry, including the Slope wallet for iOS and Android, which turned out to be the ‘weak link.’

Slope did not anticipate how Sentry could turn into a key point of access for hackers.

Based on auditing firms Zellic and OtterSec’s research:

“[…] any interaction in the app would trigger an event log. Unfortunately, Slope didn’t configure Sentry to scrub sensitive info. Thus, the seed phrases were leaked to Sentry”.

In short, anyone with access to Sentry could access users’ private keys, which allowed the hacker(s) to ‘recover wallets that do not belong to them and transfer tokens to their own personal wallet,’ resulting in almost 10,000 people seeing their funds disappear.
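As an added example (not code from Slope, Sentry, or this article), the following is the kind of scrubbing hook the quoted researchers say Slope never configured: a Python callback in the shape of the Sentry SDK’s `before_send` option that redacts seed phrases and private keys from an event before it leaves the app. The SDK is deliberately not imported so the block runs offline; the field names, regex heuristics and sample event are constructed.

```python
import re
from typing import Any

# Constructed heuristics (not Sentry's or Slope's code): a BIP39 seed phrase is
# 12 to 24 lowercase words of 3-8 letters; an Ethereum private key is 32 bytes,
# usually written as 64 hex characters with an optional 0x prefix.
MNEMONIC_RE = re.compile(r"\b(?:[a-z]{3,8} +){11,23}[a-z]{3,8}\b")
PRIVKEY_RE = re.compile(r"\b(?:0x)?[0-9a-fA-F]{64}\b")

# Field names whose value is redacted regardless of what it looks like.
SENSITIVE_KEYS = {"seed", "seedphrase", "seed_phrase", "mnemonic",
                  "privatekey", "private_key", "secret", "password"}
REDACTED = "[Filtered]"


def scrub_value(value: Any) -> Any:
    """Recursively redact secrets in the strings, dicts and lists of a payload.
    Over-redacting a long lowercase sentence is the safe failure mode here."""
    if isinstance(value, str):
        value = MNEMONIC_RE.sub(REDACTED, value)
        return PRIVKEY_RE.sub(REDACTED, value)
    if isinstance(value, dict):
        return {k: (REDACTED if str(k).lower() in SENSITIVE_KEYS else scrub_value(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [scrub_value(v) for v in value]
    return value


def scrub_event(event: dict, hint: Any = None) -> dict:
    """Shape of a Sentry before_send hook: called with (event, hint), returns the
    event to send. Registering it would be sentry_sdk.init(..., before_send=scrub_event);
    the SDK is not imported here so this example runs stand-alone."""
    return scrub_value(event)


def contains_secret(value: Any) -> bool:
    """Post-scrub check: True if any string in the payload still looks like a secret."""
    if isinstance(value, str):
        return bool(MNEMONIC_RE.search(value) or PRIVKEY_RE.search(value))
    if isinstance(value, dict):
        return any(contains_secret(v) for v in value.values())
    if isinstance(value, list):
        return any(contains_secret(v) for v in value)
    return False


# Constructed sample event, modelled on "any interaction in the app would trigger
# an event log"; the phrase and key are test values, not real wallets.
SAMPLE_EVENT = {
    "message": "wallet import failed",
    "extra": {
        "mnemonic": "abandon ability able about above absent absorb abstract absurd abuse access accident",
        "note": "user pasted 0x" + "ab" * 32 + " into the import form",
    },
    "breadcrumbs": [
        {"message": "screen: import wallet", "data": {"privateKey": "ab" * 32}},
        {"message": "restore: abandon ability able about above absent absorb abstract absurd abuse access accident"},
    ],
}

if __name__ == "__main__":
    clean = scrub_event(SAMPLE_EVENT)
    print("leaks before:", contains_secret(SAMPLE_EVENT), "after:", contains_secret(clean))
```

A real deployment would pair this with a denylist of field names maintained alongside the wallet code, since value-based heuristics alone miss secrets in unexpected encodings.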

In September 2023, the Mixin hack took place.

Mixin, a peer-to-peer transactional network for digital assets, fell victim to a private key exploit when their cloud service provider, Google, was successfully breached, which enabled the leaking of their private key and resulted in a $200 million loss. The North Korean state-sponsored hacking group Lazarus is thought to be the mastermind behind the attack.

Web3 actors converging on each other and becoming ever more interwoven to provide better services for web3 users has turned into a lasting trend.

Thus, supply chain attacks will grow as these web3 actors’ supply chains become even more fragmented, creating multiple new points of vulnerability.
