Highlights:
- MetaWin lost over $4 million in ETH and SOL, which was funneled to KuCoin and HitBTC.
- The hacker exploited hot wallets and the frictionless withdrawal system for unauthorized access.
- October saw $88.47 million lost in 20 DeFi hacks, marking a security disaster.
MetaWin, a prominent online casino platform, faced a security breach on November 3, resulting in a $4 million loss. The hacker stole tokens from Metawin’s Ethereum and Solana hot wallets by exploiting the protocol’s “frictionless withdrawal system.” This feature was intended to simplify and speed up access to users’ funds.
Advertisement
Renowned blockchain investigator ZackXBT has identified more than 115 addresses associated with the attacker, who subsequently transferred the stolen funds to KuCoin and a nested service on HitBTC. Transferring assets into mixed or nested accounts further separates them from their original source, making it difficult to trace the assets.
The Ethereum and Solana hot wallets of the online casino Metawin were hacked. Using the "frictionless withdrawal system" vulnerability of the protocol, hackers stole more than $4 million. Some of the funds have been transferred to Kucoin and HitBTC. https://t.co/Lgfl2qfNQz
— Wu Blockchain (@WuBlockchain) November 4, 2024
Casino MetaWin’s Response to the Hack
After detecting the exploit, Metawin CEO Richard “Skel” Skelhorn announced a temporary suspension of withdrawal services to stop further unauthorized transactions. Hot wallets, which are more susceptible to attacks because they are constantly connected to the internet, serve as an entry point for the hacker’s operation.
However, MetaWin demonstrated effective incident response protocols by quickly restoring withdrawals for 95% of its users. This swift action helped minimize financial losses and maintain user trust. Skelhorn mentioned that the team is working with authorities. At this time, the hacker’s identity and motivation for the exploit remain unknown.
Skelhorn stated:
“We’re not gonna dwell on it. It’s in the hands of the feds now and we will make some internal adjustments to keep the players happy but the bad actors at bay.”
Crypto Security Incidents on the Rise
Radiant Capital experienced the worst hack of the last month. On October 16, attackers exploited vulnerabilities in its smart contracts and stole $53 million. The hackers used cross-chain protocols to bridge the stolen assets to Ethereum, complicating efforts to trace the theft.
🚨~$58,000,000 Exploit Alert🚨
Radiant Capital contracts were exploited on BSC & ARB chains with the 'transferFrom' function, which allowed to drain users' funds, namely $USDC $WBNB $ETH and others
⚠️Revoke approvals ASAP👇
0xd50cf00b6e600dd036ba8ef475677d816d6c4281 pic.twitter.com/oUHyshwEmL— De.Fi Antivirus Web3 🛡️ (@De_FiSecurity) October 16, 2024
In another incident, the hackers compromised a crytpo wallet linked to the U.S. government. The hack resulted in about $20 million loss. Notably, most of the stolen funds were returned, but around $700,000 remains missing. It’s rare for a government-controlled wallet to be hacked. This incident adds an unexpected twist to the month’s crime spree.
𝗨𝗣𝗗𝗔𝗧𝗘: 𝗨𝗦 𝗚𝗼𝘃𝗲𝗿𝗻𝗺𝗲𝗻𝘁 𝗹𝗶𝗻𝗸𝗲𝗱 𝗮𝗱𝗱𝗿𝗲𝘀𝘀 𝗮𝗽𝗽𝗲𝗮𝗿𝘀 𝘁𝗼 𝗵𝗮𝘃𝗲 𝗯𝗲𝗲𝗻 𝗰𝗼𝗺𝗽𝗿𝗼𝗺𝗶𝘀𝗲𝗱 𝗳𝗼𝗿 $𝟮𝟬𝗠.
$20M in USDC, USDT, aUSDC and ETH has been suspiciously moved from a USG-linked address 0xc9E6E51C7dA9FF1198fdC5b3369EfeDA9b19C34c to… pic.twitter.com/UXn1atE1Wx
— Arkham (@ArkhamIntel) October 24, 2024
EigenLayer, a liquid staking network, encountered its own issues earlier this month. On October 4, attackers stole $5.7 million, which was quickly laundered through exchanges like HitBTC and Bybit. This breach highlighted ongoing vulnerabilities in staking and liquidity protocols.
The Tapioca Foundation, another DeFi platform, also faced a significant loss. Hackers targeted its token vesting contract using social engineering tactics and managed to steal $4.5 million. Sunray Finance also fell victim, losing $2.86 million. Attackers manipulated token values on the Arbitrum chain. As a result, Sunray’s SUN token plummeted.
This serves as another stark reminder of the fragility of DeFi platforms, especially when attackers directly interfere with token values. As of November 2024, total losses from crypto hacks have exceeded $1.4 billion across 179 incidents.
Advertisement
