Security News
Sarah Gooding
January 12, 2024
Orbit Chain is taking aggressive steps to recover crypto assets stolen in the recent attack on Orbit Bridge, its decentralized liquidity bridge protocol. An estimated $81 million USD was drained from Orbit Chain's Ethereum L1 Vault on New Year's Eve 2023, involving assets such as DAI, USDC, USDT, ETH, and WBTC.
The company announced today that it is offering an $8M USD bounty to the public for intelligence leading to the recovery of the stolen assets. They are encouraging participation from the broader ecosystem.
Orbit Chain ended its negotiation period with the attackers earlier this morning after what was presumably no response from those responsible. Notice of the deadline for negotiations was posted 48 hours ago, with the caveat that if the DPRK (Democratic People's Republic of Korea) was involved, as some researchers had previously speculated, the talks would terminate:
If the attackers do not respond or reject the offer, the Orbit Chain Team will open the bounty to the public and continue tracking down the attackers with the active support from all contributors around the world.
However, needless to say, the negotiation will terminate immediately if DPRK or its related organization is found to be responsible for the exploit.
The Orbit Chain Team will use every available resource to track the attackers until the end and will continue our efforts to prevent any attempt to withdraw stolen assets.
Crypto companies will often attempt negotiating the return of a major portion of the stolen assets while offering a fraction of them as a bounty to the hacker. Some hackers accept these offers after biting off more than they can chew, finding it too difficult to launder stolen cryptocurrency at scale.
This type of negotiation was successful for an incident in 2021 where a hacker, who exploited a vulnerability in the digital contracts that Poly Network uses to move assets between different blockchains, was offered a bounty to return most of the $600M in virtual assets stolen. In a similar case in 2022, cryptocurrency firm Nomad offered hackers a 10% bounty to return 90% of the $190 million they stole.
On January 2, 2024, Orbit Chain claimed it had “identified a significant clue in the process of tracing the stolen funds,” but negotiations with the attacker have so far proven to be futile. The company’s offer of a public bounty aims to leverage the expertise of the security and cryptocurrency ecosystems and motivate them to share intelligence that would lead to identifying the attacker or recovering stolen assets.
A public bounty is a proactive public relations move, as it demonstrates the company's resolve to restore victims' funds. It may also be part of compliance and legal considerations, depending on the regulatory environment and insurance agreements that Orbit Chain is working under.
The stolen assets were frozen by major global cryptocurrency exchanges following the New Year’s Eve attack, and remain in limbo. Freezing assets following a breach is a common immediate response. It helps prevent further unauthorized transfers and can buy time for the company to investigate and track down the stolen funds.
Orbit Chain has been updating customers on Twitter and in its Telegram channel. Many are commenting to express frustration with the company for not having announced a compensation plan for victims of the attack and not explicitly disclosing the nature of the compromise. Orbit Chain has not yet published the details of their investigation.
Researchers suspect the Lazarus Group, a cybercrime group run by the government of North Korea, of being responsible for the attack, which bears some similarities to their previous exploits. A report from blockchain security platform Immunefi links the Lazarus Group to more than $300 million in losses across crypto hacking incidents in 2023.
Cryptocurrency theft has emerged as a significant threat, because the usual restrictions and controls imposed by sanctions don't apply in the digital currency space. The decentralized and often anonymous nature of cryptocurrencies makes it difficult to trace and recover stolen assets.
In incidents where state-sponsored threat actors are implicated, the complexity and scale of the cyber attacks are often significantly higher, indicating a level of resources beyond the typical capabilities of independent hackers. Victims are likely to have no chance of recourse when funds are stolen by these types of threat actors.
Prevention is the only way to mitigate harm for any company that might be the target of financially motivated attacks. As the Orbit Chain investigation unfolds, the Lazarus Group's ongoing activities remain a concern in 2024. These continued exploits underscore the urgent need for stronger security measures across the rapidly evolving landscape of digital assets and decentralized technologies.