Singapore Issues Alert as Akira Ransomware Targets Local Firms

The Akira ransomware is now targeting businesses in Singapore. Businesses in the region have been urged to implement cybersecurity measures and avoid paying ransoms. Additionally, Kaspersky recently found that North Korean hackers are using Durian malware to attack South Korean crypto businesses. Crypto exchange OKX and the Loopring protocol have both suffered security breaches, with OKX users losing funds through API key misuse and Loopring's Guardian service being compromised. The Gemholic project recently hit its users with a nasty $3.5 million rug pull while the hacker behind the $82 million Orbit Chain hack has moved $47.7 million to Tornado Cash.

Akira Ransomware Attacks Hit Singapore

Akira ransomware, which is notorious for stealing $42 million from more than 250 organizations across North America, Europe, and Australia in a year, is now actively targeting businesses in Singapore. Singaporean authorities, including the Cyber Security Agency of Singapore, the Singapore Police Force, and the Personal Data Protection Commission, issued a joint advisory alerting local businesses about this rising threat. Sadly, many victims have already reported cyberattacks to these agencies.

The United States Federal Bureau of Investigation previously found that the ransomware mainly targets businesses and critical infrastructure entities. Singaporean authorities have shared some methods to help detect, deter, and neutralize Akira attacks.

Businesses that have been compromised are strongly advised to not pay ransom to the attackers. Akira members typically demand payments in cryptocurrencies like Bitcoin (BTC) to return control of compromised systems and data. However, authorities warned that paying the ransom does not actually guarantee data decryption or prevention of data publication by the attackers, and it might just lead to further attacks.

Some of the threat mitigation techniques that companies can use include implementing a recovery plan, using multi factor authentication, filtering network traffic, disabling unused ports and hyperlinks, and employing system-wide encryption.

To make things worse, Kaspersky also discovered that North Korean hackers are targeting South Korean crypto businesses by using Durian malware. This malware has comprehensive backdoor functionality, allowing the execution of commands, additional file downloads, and file exfiltration.

Hackers Target OKX

It is not just those in Singapore that need to keep their eyes open for threats. Crypto exchange OKX is reportedly being targeted by hackers, with at least two users reporting drained funds after receiving SMS risk notifications from Hong Kong.

According to SlowMist founder Yu Xian, an unidentified entity created new API keys with withdrawal and trading permissions, allowing them to swap and drain the coins from the platform. OKX’s Chinese branch stated in a Jun. 9 post on X that the exchange has reached out to the users that have been affected and is currently investigating the incidents.

Translated X post from SlowMist founder Yu Xian (Source: X)

The exchange also assured its users that if it is found responsible, it will take the initiative to bear the losses and will announce the investigation results as soon as possible. As of now, the full extent of the attack is still unclear, and it is yet to be determined how the hackers were able to hijack the trading accounts.

SIM swapping, which is essentially a form of phone hijacking, has been a big threat to crypto investors for quite a while now, and even major industry players have fallen victim to these attacks. For instance, in 2021, Coinbase shared that hackers stole crypto from about 6,000 users by bypassing multi-factor authentication in a suspected phishing campaign that involved hijacking two-factor authentication SMS messages.

Other incidents have involved hijackers porting phone numbers to intercept one-time passwords and validate transactions or change account credentials. In response, many major crypto companies have moved away from SMS-based two-factor authentication, though many still rely on this method.

Loopring Compromised

Loopring ,the zkEVM protocol built on Ethereum and known for its secure smart wallet application, has also been failed by multi factor authentication. Loopring recently announced that it suffered a security breach related to its 'Guardian' two-factor authentication service.

The Guardian service allows users to designate trusted wallets for security operations like locking or restoring compromised wallets. However, a hacker managed to bypass Loopring's Official Guardian service to initiate unauthorized recoveries on wallets with a single guardian. Wallets using multiple or third-party guardians were protected.

The breach involved two wallet addresses, with one draining about $5 million worth of tokens. Loopring has decided to suspend Guardian-related and 2FA-related operations and is collaborating with Mist security experts to investigate the compromise.

The protocol is also working with law enforcement to trace the perpetrator and has asked for some help from the public in gathering information. Despite the surprise attack, Loopring's risk disclosure statement identified the Guardian service as a potential vulnerability and recommended users to have at least three guardians.

Gemholic Project Disappears with $3.5M

Meanwhile, several crypto users raised awareness on X about a suspected rug-pull incident involving the Gemholic project and the zkSync network. NSerec, the founder of Zkmarkets, ended up confirming that Gemholic stole $3.5 million.

NSerec claimed that Gemholic deceived investors for a year by falsely promising refunds, and once the funds were unlocked, the team executed a rug pull. He revealed that the contract creator's address was funded by Binance and urged community members to reach out to Binance for some help.

Despite completing KYC verification with SolidProof, the verification service has not publicly addressed the situation. NSerec believes that SolidProof should either admit their failure in proper vetting or report the fraudsters to authorities. He warned that if SolidProof continues to ignore the problem, their service should not be trusted, and affected people should hold SolidProof accountable.

Gemholic has had its funds locked for over a year due to a mistake in the sales contract. Matter Labs, the team behind zkSync, identified the issue with the .transfer() function in the GemstoneIDO smart contract.

On Jun. 7, zkSync completed an upgrade that fixed the issue, allowing access to the locked funds. After the upgrade, Gemholic withdrew 921 Ether from the contract and transferred it to the Ethereum blockchain. Since then, Gemholic’s X account and all Telegram messages have been deleted.

Orbit Chain Hacker Moves $47.7M

The exploiter behind the $82 million Orbit Chain hack over New Year’s Eve has moved $47.7 million to the crypto mixer Tornado Cash after five months of inactivity. On Jun. 8, 12,932 Ether, worth close to $47.7 million, were transferred across seven transactions to a new address, which then sent the funds to Tornado Cash, according to blockchain analytics firm Arkham Intelligence.

At first, it was thought that the exploit cost $82 million in losses, but now Arkham Intelligence believes it is closer to $100 million.

The hacker moved the Ether in batches of 100 ETH but did not transfer the stolen $20 million in Dai or other coins. The hacker’s remaining balance is $71.2 million, including $51.1 million in ETH and small amounts of other cryptocurrencies.

The hack happened on Dec. 31 of 2023, at about 8:52 pm UTC. Orbit Chain confirmed the exploit the following day and stated that it was working with international law enforcement agencies. The project offered an $8 million bounty for any information leading to the identification of the attacker or recovery of the stolen assets.

Orbit Chain, which uses the Inter-Blockchain Communication Protocol to transfer data and value throughout the Cosmos ecosystem, has seen its total value locked drop to nearly $36 million, down from $149.25 million before the hack. At its peak in August of 2022, the value locked was $313 million.