‘Elon Musk at Bitcoin 2024’ scam, Lazarus Group hacks, MOG phishing: Crypto-Sec

Crypto scams, hacks and exploits and how to avoid them: Crypto-Sec

Deepfake scams: Bitcoin conference AI drains $79K

As the Bitcoin 2024 conference was taking place on July 25-27, crypto users lost over $79,000 due to a deep-fake AI livestream of the conference. The fake livestream featured footage of Elon Musk giving a speech, but while Musk had been rumored to attend, he did not actually speak at the conference and obviously had no involvement with the video — like countless other Musk related scams online.

Michael Dunworth, co-founder of crypto payments service Wyre, reported the deep-fake scam through a post to X on July 26. “I’ve had people call me telling me Elon Musk is giving free Bitcoins away at Bitcoin ‘24,” he stated. “No wonder, they have a fake live stream with dubbed voice over, and 70k+ (fake) people watching the live stream.”

According to Dunworth’s post, the fake livestream video was posted to a channel called “Tesla,” which was named after Elon Musk’s car company but was not endorsed by it. The real livestream of the conference, on the other hand, was posted by Bitcoin Magazine’s official YouTube channel.

Bitcoin consulting firm The Bitcoin Way reported another version of the scam on July 27. This version was reportedly posted to a YouTube channel called KHORTEX.

The livestream reportedly featured an AI-generated video of Elon Musk telling viewers to send Bitcoin to a particular address, which it claimed would allow them to receive double back. A similar Elon Musk deep-fake scam circulated in May.

Blockchain data shows that some viewers did send crypto to the scam addresses. The Bitcoin network address associated with the scam received over 0.77 Bitcoin (BTC), worth approximately $53,000 based on the Bitcoin price at the time, from July 28-29. An additional 4.531 Ethereum (ETH) (worth approximately $26,000) was sent to the scammer’s Ethereum address and 4,136 Dogecoin (DOGE) (worth $537.34) was transferred to the Dogecoin address. In total, viewers of the fake livestream lost over $79,000 from the scam.

Deep-fake scams are on the rise and while videos may appear to feature a trustworthy source, they can be completely fake, AI-generated content. Always confirm the source of videos to determine their authenticity before relying on any information in them and if an investment idea seems too good to be true, it probably is. Nobody is going to send you twice as much crypto back for one thing.

Phish of the week: MOG holder gets mogged by scammer

A holder of meme coin MOG lost over $148,000 from a phishing scam on July 28. The attacker drained 82 billion MOG from the victim’s wallet — 16.4 billion of which ($29,720 based on the price at the time) went to the developer of the draining app and the other 65.6 billion ($118,880) went to the phishing scammer. Blockchain security firm PeckShield reported the attack on X.

MOG is a meme coin meant to celebrate the pickup-artist concept of “mogging,” or asserting one’s dominance over another person to show one’s attractiveness to a third person. The coin was launched in July, 2023. It has increased by over 3,617% since February, according to data from Coinmarketcap.

According to PeckShield, the attacker also drained $10,000 worth of BASED tokens from the victim in a separate attack on the Base network.

In technical terms, what happened was that on the Ethereum network, the victim appears to have submitted a signed transaction message authorizing the attacker to call the Permit2 function on Uniswap’s official router. Blockchain data shows that the victim’s account was set as the “owner” and a malicious smart contract with an address ending in cbbF was set as the “spender.”

The malicious “spender” contract was created by a known phishing account labeled “Fake_Phishing188615” on Etherscan and was created at the moment the Permit function was called.

Crypto phishing is a technique that scammers use to trick users into making token approvals they didn’t intend, usually by setting up a fake website that appears to be from an authoritative source. To help avoid such scams, crypto users should take care not to sign transaction messages if they’re not sure what they contain or if the website they are using is not familiar to them.

Phishing scammers usually operate from a domain name that is not the official domain name of the company they are pretending to be, so checking the URL of a site is also sometimes an effective means of avoiding these scams. However URLs can look very similar due to the use of substitute characters from languages other than English that look almost the same.

CEXs: DMM hacker mixes funds with Poloniex hacker wallet

On July 27, on-chain sleuth ZachXBT reported that funds from the May 31 DMM hack have now been intermingled with those from the Poloniex hack from November 2023, implying that these two hacks must have been performed by the same individual or group. ZachXBT suspects that both attacks were performed by the Lazarus Group.

“Earlier today remaining dust from the Poloniex November 2023 hack and DMM Bitcoin May 2024 hack consolidated into the same address further showing the Lazarus Group ties,” he stated.

In crypto transactions, the term “dust” refers to very small amounts of crypto that may be left over in a wallet after larger transactions have been made. Zach mentioned two different wallet accounts in the post, one of which contains approximately $0.10 worth of ETH and another which holds less than $0.01 worth.

The DMM hack was the largest exploit against a central exchange in 2024 so far. Over $300 million was lost in the attack.

Also read: Japanese exchange DMM loses $305M in Bitcoin via private key hack

Ransomware: Microsoft discovers ESXi backdoor

Microsoft reportedly discovered a new vector of attack being used by crypto-ransomware attackers. It released the findings of its research through a blog post on July 29. The vulnerability affected ESXi servers, although it has now been eliminated through a patch.

ESXi server software, produced by VMWare, runs directly on an enterprise-grade device, bypassing its operating system. This kind of software is often called “bare metal.”

Microsoft found that a flaw in the ESXi server code allowed ransomware attackers to take control of the device and encrypt its contents, crashing its operations and making recovery impossible without obtaining the attacker’s decryption key. Researchers observed multiple attacks that relied on this vulnerability, including some that installed the notorious Akira and Black Bast ransomware programs.

To carry out the attack, hackers only needed to enter the commands, “net group ‘ESX Admins’ /domain /add” and “net group ‘ESX Admins’ username /domain /add.” Entering these commands would give the attackers “full administrative access” to the device, allowing them to encrypt all of its contents.

These commands worked because the domain group ‘ESX Admins” by default had full administrative access, even though the group did not exist by default and no validation process checked to see whether it existed.

Ransomware is a type of malicious attack that involves the attacker stealing files and locking and damaging a device in an attempt to cause ongoing harm to a company. The attacker then demands payment in cryptocurrency in return for repairing the damage or restoring the device. Because of the irreversible nature of blockchain transactions, cryptocurrency networks are favored as a means of payment by ransomware attackers.

Also read: WazirX hackers prepped 8 days before attack, swindlers fake fiat for USDT: Asia Express