Beware of the risk of phishing by malicious advertisements for projects on the Terra chain
0x01 Event summary
Recently, the assets of some users on the Terra chain have been maliciously transferred out. From April 12th to April 21st, funds in about 52 addresses were maliciously transferred to terra1fz57nt6t3nnxel6q77wsmxxdesn7rgy0h27x30 with a total loss of about $4.31 million.
0x02 Event details
This attack was carried out through a batch of phishing Google keyword advertisements. When users searched Google for well-known Terra projects such as astroport, nexus protocol or anchor protocol, the first seemingly normal advertisement link at the top of the results page was actually a phishing site, even though the domain name shown in the ad looked legitimate or was even identical to the real one.
The user entered his seed phrase into the seemingly legitimate website, and the hackers immediately began emptying his wallet. The user had 1000 Luna staked in the wallet (worth about $100,000). Using the stolen seed phrase, the hacker opened the wallet and proceeded to unstake this Luna. Staked Luna is subject to a 21-day lock-up period before it can be withdrawn, so the hacker could not move it to his own wallet immediately. The Luna block explorer publishes the exact time at which staked Luna will be released, so a three-week countdown began, with the victim anxiously watching his wallet and knowing he was helpless to prevent the Luna from being stolen the moment it unlocked.
The victim assumed the hacker would be running a script that spends the Luna the moment it becomes available. They therefore decided that their best chance of recovering the Luna was to write a similar script that would, hopefully, withdraw the funds to a safe wallet before the hacker's script could do the same.
The result was a race to spend the Luna at the moment of unstaking, rather like trying to be the first person to grab the last cookie from a plate, except that this cookie is worth $100k.
0x03 Their Approach
They wrote their script using the terra.js SDK. It works as follows:
- Once started, the script waits until a provided execution_time
- An interval timer then runs every 200ms and attempts to withdraw the Luna
- To withdraw the Luna, the script needs to:
  - Create an LCDClient and connect to a node
  - Create a MsgSend
  - Create and sign a transaction
  - Broadcast the transaction
Note that these steps are all done asynchronously.
Here’s the Github Repo
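The scheduling half of that script, as an added example that is not the repository's code: the terra.js chain calls (LCDClient, MsgSend, createAndSignTx, broadcast) are replaced by an injected attempt() and a constructed mock node so the block runs offline, and raceToWithdraw, launchStaggered and makeMockNode are names assumed here.

```javascript
// Added example (not the repo's code): scheduling half of the recovery script;
// attempt() stands in for the terra.js sign-and-broadcast step so it runs offline.
const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Errors meaning a competing transaction already landed; polling on is pointless.
function isFatal(err) {
  return /insufficient funds|sequence mismatch|already spent/i.test(String(err && err.message));
}

// Wait until executionTime (epoch ms), then retry attempt() every intervalMs until
// it resolves with a tx hash, a fatal error occurs, or deadlineMs has passed.
async function raceToWithdraw({ executionTime, attempt, intervalMs = 200, deadlineMs = 30000, now = Date.now }) {
  const lead = executionTime - now();
  if (lead > 0) await sleep(lead);
  const deadline = executionTime + deadlineMs;
  let attempts = 0;
  let lastError = null;
  while (now() < deadline) {
    attempts += 1;
    try {
      const txhash = await attempt(); // must sign AND broadcast in one step
      return { won: true, attempts, txhash };
    } catch (err) {
      lastError = err;
      if (isFatal(err)) return { won: false, attempts, reason: 'lost race: ' + err.message };
    }
    await sleep(intervalMs);
  }
  return { won: false, attempts, reason: 'deadline: ' + (lastError ? lastError.message : 'no attempt') };
}

// Run `count` loops with start times staggered by staggerMs (the page used four
// EC2 instances about 250 ms apart) and report the first loop that won.
async function launchStaggered(count, staggerMs, opts) {
  const loops = [];
  for (let i = 0; i < count; i += 1) {
    loops.push(raceToWithdraw({ ...opts, executionTime: opts.executionTime + i * staggerMs }));
  }
  const results = await Promise.all(loops);
  return results.find((r) => r.won) || results[0];
}

// Constructed mock node: rejects the spend until unlockAt, then succeeds unless
// winner !== 'victim', which simulates the hacker's transaction landing first.
function makeMockNode(unlockAt, winner = 'victim') {
  return async () => {
    if (Date.now() < unlockAt) throw new Error('bonded: delegation still locked');
    if (winner !== 'victim') throw new Error('insufficient funds: account sequence mismatch');
    return 'MOCKTXHASH-' + Date.now(); // constructed placeholder, not a real hash
  };
}
```

The lost-race branch is the page's outcome: once the competing transaction has consumed the funds, every later attempt returns a fatal error and the loop stops rather than polling until the deadline.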
0x04 Their Optimizations
Assuming the script was well-engineered, this project was essentially a race against the clock. To improve their odds of submitting their transaction first, they wanted to connect to as many nodes as possible. Of the 6 public LCD nodes listed in the docs, only 2 worked for them, namely https://terra-lcd.easy2stake.com and https://blockdaemon-terra-lcd.api.bdnodes.net:1317.
An IP address lookup of these 2 nodes revealed that one was located in Germany and the other in Virginia in the US. To reduce the latency between themselves and the nodes, they set up two AWS EC2 instances, one in Virginia and the other in Frankfurt, each connected to its closest node. Then, for good measure, they set up an additional two AWS EC2 instances in the same locations.
Each server would begin executing the script roughly 30 seconds before the unlock, but with start times staggered by about 250 ms, to improve the odds of sliding a transaction in at just the right moment.
0x05 Result
When the unlock time came, the instances were able to successfully create and sign the transactions (which could only happen once the Luna was unlocked). Unfortunately, the broadcast of their transaction failed. This is presumably because the hacker was able to broadcast their transaction first, so the victim's broadcast was rejected.
They believe that in the time between creating the transaction and broadcasting it to the node, the hacker had already submitted a competing broadcast, thereby taking the Luna from the wallet.
Here’s the hacker’s successful transaction. This hacker is a professional. They have a website that looks exactly like a Luna wallet and Google ads to lure victims into revealing their seed phrases. They were able to trace some of the hacker's previous transactions in a different wallet and found that they are holding about $20 million in stolen crypto.
Figure: Attempting to create and broadcast transactions on the 4 servers at execution time
0x06 Security advice
The Lunaray security team recommends that users on the Terra chain remain vigilant: do not click on links from Google search advertisements or links of unknown origin, reduce unnecessary operations with commonly used wallets, and so avoid needless loss of funds.
ref: https://medium.com/@LiorNn/our-failed-attempt-at-saving-100-000-of-crypto-from-hackers-19aa8d3d961e