Binance Corners Two KyberSwap Hack Suspects, Involves Law Enforcement


In an independent investigation of the recent $265,000 attack on decentralized crypto exchange (DEX) KyberSwap, Binance security experts identified two suspects who may have staged the heist.

Last week, cybercriminals leveraged a frontend vulnerability against Kyber Network and stole crypto assets from the platform’s users.

In response, KyberSwap started investigating and put out a 10% bounty, or about $40,000, for the perpetrators in exchange for the stolen assets. Separately, Binance launched an independent investigation that led to the identification of two suspects and shared its findings with the Kyber team, as the company’s CEO Changpeng “CZ” Zhao confirms.

Furthermore, Binance shared its intel with law enforcement agencies to help them bring the perpetrators to justice.

Threat actors likely used a frontend vulnerability on KyberSwap’s platform to inject malicious code into its Google Tag Manager (GTM). While the DEX maintainers responded immediately to the incident by disabling it, the attackers still managed to make off with some serious loot.

The perps seem to have focused on whale wallets (single wallets holding large amounts of assets), as the funds were siphoned from only two compromised addresses. Kyber Network managed to contain the incident fairly quickly, but they suspect the attackers had a broader scope and may have tried to compromise other projects.

“We strongly urge all #DeFi projects to conduct a thorough check on your frontend code & associated Google Tag Manager (GTM) scripts as the attacker may have targeted multiple sites,” warns the company in a tweet. “Let’s work together as one #DeFi community to defend against these malicious attacks.”

In the announcement on Twitter, Kyber Network included a guide for users who believe their address may have “interacted with the malicious script or has been given wrongful approval.” The guide offers instructions on checking the blockchain for records that point to the malicious address and revoking them.
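The check the guide describes, as an added example that is not Kyber Network's own code: walk a wallet's ERC-20 Approval logs, keep the latest allowance per token granted to a suspect spender, and build the approve(spender, 0) calldata that revokes each one. The addresses and log entries are constructed placeholders, not the incident's real addresses; the two constants are the standard ERC-20 Approval topic and approve selector.

```javascript
// Standard ERC-20 values: keccak256("Approval(address,address,uint256)") and
// the 4-byte selector of approve(address,uint256).
const APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925";
const APPROVE_SELECTOR = "0x095ea7b3";

// Helpers for 20-byte addresses and 32-byte ABI words (lower-case hex).
const addr = (tail) => "0x" + tail.padStart(40, "0");
const word = (hex) => hex.replace(/^0x/, "").toLowerCase().padStart(64, "0");
const topicToAddr = (topic) => "0x" + topic.slice(-40).toLowerCase();

// Hypothetical placeholder addresses; the real incident addresses are not reproduced here.
const VICTIM = addr("a1");
const MALICIOUS_SPENDER = addr("bad1");

// Walk Approval logs (assumed in chain order) and keep, per token, the latest
// allowance that `owner` granted to `spender`; return those still non-zero.
function findSuspectApprovals(logs, owner, spender) {
  const latest = new Map(); // token -> latest approved amount (BigInt)
  for (const log of logs) {
    if (log.topics[0] !== APPROVAL_TOPIC) continue;
    if (topicToAddr(log.topics[1]) !== owner.toLowerCase()) continue;
    if (topicToAddr(log.topics[2]) !== spender.toLowerCase()) continue;
    latest.set(log.address.toLowerCase(), BigInt(log.data)); // later log wins
  }
  return [...latest].filter(([, v]) => v > 0n).map(([token, value]) => ({ token, value }));
}

// ABI-encode approve(spender, 0) for each affected token: selector ++ spender ++ 0.
function buildRevokeCalls(approvals, spender) {
  return approvals.map(({ token }) => ({
    to: token,
    data: APPROVE_SELECTOR + word(spender) + word("0"),
  }));
}
// Constructed sample: token aa approved then lowered (still exposed), token bb
// approved then already revoked, token cc approved to an unrelated spender.
const approvalLog = (token, owner, spender, amountHex) => ({
  address: token,
  topics: [APPROVAL_TOPIC, "0x" + word(owner), "0x" + word(spender)],
  data: "0x" + word(amountHex),
});
const MAX = "f".repeat(64);
const SAMPLE_LOGS = [
  approvalLog(addr("aa"), VICTIM, MALICIOUS_SPENDER, MAX),
  approvalLog(addr("aa"), VICTIM, MALICIOUS_SPENDER, "5"),
  approvalLog(addr("bb"), VICTIM, MALICIOUS_SPENDER, MAX),
  approvalLog(addr("bb"), VICTIM, MALICIOUS_SPENDER, "0"),
  approvalLog(addr("cc"), VICTIM, addr("5e11"), MAX),
];
```

On a live chain the logs come from an eth_getLogs query filtered on the Approval topic and the owner address; the returned calls are then signed and sent by the wallet owner.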