KY(ha)C(ker) - Stolen KYC fraud makes security tools almost ineffective

1 min read ・ Nov 05, 2024 ・ by Maor Ovadia

Web3 Hackers Evolving

Our story begins two and a half weeks ago, and its twist has opened a new chapter in the evolution of Web3 hackers. On September 21st, a storage vault owned by Shezmu was compromised. As a result, approximately $4.9 million USD worth of ShezUSD was stolen, and Shezmu later confirmed that its stablecoin vaults had been drained.

https://x.com/shoucccc/status/1837228053862437244

Tracking the Hacker's Footprint

Shezmu contacted the hacker with an on-chain message, urging him to return the funds in exchange for a 10% bounty reward, "in exchange for treating this as a white-hat incident". Pretty standard. While speaking softly, Shezmu also 'carried a big stick' by stating "…your wallet is Linked to a KYC exchange". Whenever a hacker makes this mistake, it allows tracking their footprint, eventually leading to their real-world identity and potentially allowing the victim to pursue legal action. In the past, this leverage caused many hackers to pay (back) for their mistakes, giving up all the stolen funds in order to avoid the severe legal consequences of their actions.

Conversation between the hacker and Shezmu

The Twist

Just recently, spherex rescued more than $550k USD worth of crypto assets in exactly this way. Once you get to the hacker's real-world identity, it's game over almost instantly. But our story is about to get a twist. A few hours later, the hacker replies. Good news: he's open to a discussion. Bad news: only on his terms, retaining 20% of the funds for himself (~$1 million). And the surprising twist: "btw I have no problem with that KYC". The main leverage Shezmu had was gone.

Not an Isolated Incident

In recent years, more and more attackers have stopped using anonymization tools such as TornadoCash, switching instead to fabricated or stolen KYC accounts. Funding an attack wallet from a KYC account evades a prominent indicator used by many security monitoring firms, which look for accounts funded from TornadoCash. As this trend grows, those firms will lose one of their key indicators for identifying potential attacker wallets. Having already lost the ability to predict attacks by breaking them down into phases, one of the main early warning signs, monitoring companies now stand to lose yet another indicator.
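To make concrete why a stolen KYC account defeats the funding-source indicator, here is a small added example (not code from spherex or from the post) of the heuristic in its simplest form: walk a wallet's funding chain backwards a few hops and flag it only if the chain reaches a known mixer. All addresses and transfers are constructed placeholders, and the mixer and exchange lists are assumed lookups a monitoring firm would maintain.

```python
from collections import defaultdict, deque

# Constructed sample data. Every address below is a placeholder label, not a real
# on-chain address, and the transfer list is invented for this illustration.
KNOWN_MIXERS = {"0xMIXER_ROUTER"}                # assumed mixer watchlist
KNOWN_EXCHANGE_HOT_WALLETS = {"0xCEX_HOT_WALLET"}  # assumed custodial-exchange watchlist

SAMPLE_TRANSFERS = [
    # (sender, receiver, value in ETH)
    ("0xMIXER_ROUTER", "0xRELAY_A", 10.0),      # mixer withdrawal to a fresh relay wallet
    ("0xRELAY_A", "0xATTACKER_1", 9.9),         # relay funds the wallet that later exploits
    ("0xSOME_USER", "0xCEX_HOT_WALLET", 5.0),   # ordinary deposit into the exchange
    ("0xCEX_HOT_WALLET", "0xATTACKER_2", 5.0),  # withdrawal via a stolen KYC account
]


def build_funder_index(transfers):
    """Map each receiver to the set of addresses that ever sent it funds."""
    funders = defaultdict(set)
    for sender, receiver, _value in transfers:
        funders[receiver].add(sender)
    return funders


def trace_funding_origin(address, funders, max_hops=3):
    """Walk the funding graph backwards from `address` (breadth-first, at most
    max_hops) and return (label, path), where label is 'mixer', 'exchange' or
    'unknown'.

    The walk stops at an exchange hot wallet: funds upstream of a custodial wallet
    are commingled, so on-chain provenance ends at the KYC boundary. Who actually
    controls the exchange account is only known to the exchange itself.
    """
    queue = deque([(address, [address], 0)])
    seen = {address}
    while queue:
        current, path, depth = queue.popleft()
        if current in KNOWN_MIXERS:
            return "mixer", path
        if current in KNOWN_EXCHANGE_HOT_WALLETS:
            return "exchange", path
        if depth >= max_hops:
            continue
        for funder in sorted(funders.get(current, ())):
            if funder not in seen:
                seen.add(funder)
                queue.append((funder, path + [funder], depth + 1))
    return "unknown", [address]


def mixer_funded_indicator(address, funders, max_hops=3):
    """The classic indicator: flag a wallet only if its funds trace back to a mixer."""
    label, _path = trace_funding_origin(address, funders, max_hops)
    return label == "mixer"


if __name__ == "__main__":
    index = build_funder_index(SAMPLE_TRANSFERS)
    for wallet in ("0xATTACKER_1", "0xATTACKER_2"):
        label, path = trace_funding_origin(wallet, index)
        print(f"{wallet}: origin={label}, path={' <- '.join(path)}, "
              f"flagged={mixer_funded_indicator(wallet, index)}")
```

Run as-is, the mixer-funded wallet is flagged and the exchange-funded one is not, even though both end up in the same exploit. The provenance walk is blind past the exchange: the only party that can tell a legitimate customer from a stolen or fabricated KYC identity is the exchange that onboarded it, which is exactly the leverage the post describes disappearing.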

Conclusion

About the author

Maor Ovadia
Analyst at spherex technologies

Maor has many years of experience in software development, QA, cyber security and more. Before joining SphereX as an analyst, Maor served 10 years in Israeli intelligence doing software development, QA and research and leading teams, and spent 4 years at Kayhut as an R&D group leader and in product management.
