Threat Management, Threat Management, Network Security

Cryptocurrency service Bancor robbed of millions; MyEtherWallet users targeted via malicious VPN Chrome extension

Cryptocurrency token conversion service Bancor disclosed yesterday that hackers stole millions in funds from one of its online wallets, while Etherium crypto wallet service MyEtherWallet warned that hackers may have compromised anyone who accessed its service while using the free VPN service Hola and its Chrome extension.

These incidents provide the latest mounting evidence that the hastily growing cryptocurrency business sector continues to be a hotspot for cybercriminal activity, especially as exchanges and other services fail to identify and weed out dangerous vulnerabilities.

Bancor, which describes itself as a decentralized liquidity network that converts users' tokens directly from their wallets, said in a Twitter post that on July 9 the company experienced a security breach that compromised a wallet used to upgrade certain smart contracts.

Although user wallets were not affected, the culprit still managed to withdraw 24,984 Etherium (ETH) tokens, over 229 million Punid X (NPXS) tokens and 3.2 billion in Bancor Coins (BNT) from the smart contract. As of July 9, the stolen currency was collectively worth around $23.5 million.

Bancor was able to successfully freeze the stolen BNT -- worth around $10 million -- but not the other stolen tokens. "However, we are now working together with dozens of cryptocurrency exchanges to trace the stolen funds and make it more difficult for the thief to liquidate them," the tweet reads.

As for 2 p.m. ET, the Bancor Network website remained down for maintenance, following the attack.

“The Bancor security breach is just the latest example of cryptocurrency's continued popularity with cybercriminals due to its anonymity and large potential profits," said Sherrod DeGrippo, director of emerging threats at Proofpoint. "In fact, over the past nine months, we have identified a significant increase in threat actors targeting cryptocurrency sites, wallets, exchanges, and individual users. Threats include a surge in commodity malware volumes, such as banking trojans and information stealers, leveraging cryptocurrency logins to steal and mine currency."

Moreover, threat actors are resorting to "creative tactics" to victimize cryptocurrency traders, "like purchasing space on Google Ads to advertise fake wallets or cryptocurrency trading sites, which ultimately steal the user's credentials or wallets," DeGrippo continued.

In addition to Bancor, MyEtherWallet issued its own disclosure on Twitter yesterday: "We received a report that suggest[s] Hola Chrome extension was hacked for approximately 5 hrs and the attack was logging your activity on MEW," the tweet reads.  A separate tweet urgently advises anyone with the Hola Chrome extension who used MEW during the attack to "transfer your funds immediately" to a new account.

A blog post from Israel-Based Hola Networks Ltd., developer of the Hola VPN product, further explains that the attackers uploaded a malicious version of its app's Chrome extension to the Chrome Store, replacing the one that Hola's development team originally uploaded.

"After initial investigation, we found that our Google Chrome Store account was compromised, and that a hacker uploaded a modified version of the extension to the store," the post states, noting that Hola quickly reinstated the official extension and secured the account. Further investigation showed that the attack "was programmed to inject a JavaScript tag into the MEW site to phish information about MEW accounts that are logging in without being in 'incognito mode,' by re-directing the MEW users to the hacker's website."

"We notified MEW, notified Google, and ensured that the hacker's web site was down," the post continues, adding that Hola is currently "determining the scope of the compromise, and conducting an assessment on steps that can be taken to help prevent such an incident from occurring in the future."

The attack appears to have come from a Russia-based IP address, according to a TechCrunch article, citing a company statement from MyEtherWallet.

Last April, hackers employed a man-in-the-middle attack to compromise an Amazon DNS server, allowing them to steal about $152,000 in Ethereum from MEW by redirecting customers to a phishing site where they entered their wallets' login credentials.

The incident also shines a spotlight on Hola VPN and similar free or freemium virtual private network services whose privacy and security protections have at times drawn scrutiny.

VPN assessment website TheBestVPN.com recently published an evaluation of the peer-to-peer Hola VPN service, calling it a "problematic and dangerous VPN service that has been caught red-handed exploiting the internet connections of its users and opening them up to dangerous scenarios." The review warns that the VPN app excessively logs and shares user information, does not use encryption, and routes traffic insecurely (via peers' machines instead of through dedicated servers). A series of tests run on the app also turned up DNS and WebRTC leaks.

"I think an attack was going to happen one way or another. It's just sad that people lost funds because of weak effort in security and privacy," said Robert Madisalu, chief researcher at TheBestVPN.com.

"I'd suggest everyone... opt for a better VPN that actually uses a military grade encryption standard," added Mardisalu. "Before choosing a VPN, go through [its] logging policy as well. You might be surprised what you can find there."

Ariel Hochstadt, co-founder of vpnMentor, another VPN review website, expressed similar reservations about Hola. "Most people see a free VPN service and don't stop and think about whether there is an unknown price to be paid," said Hochstadt. "While it may not be monetary, there is a price being paid: low security and user IPs sold to third parties."

Ultimately, the onus is on users to make sound decisions regarding which VPN they use. "If they don't stop and ask themselves why their VPN does not work when conducting a simple Google search -- Hola does not support Google.com -- then you can't be surprised when you're getting hacked for using it," said Hochstadt.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.