Play-to-earn non-fungible token (NFT) platform Vulcan Forged said on Tuesday it has refunded over $140 million (Rs 1,062 crore approx.) worth of cryptocurrency to all investors, a day after the platform was compromised.
An NFT is essentially a digital file that comes with ownership rights. Anything in digital format can qualify, including pieces of art, sports cards, memes, videos, and audio, which, once “tokenised,” can be traded.
The cybercriminals stole assets in Ether and Polygon, as well as ‘PYR’, the native cryptocurrency of Vulcan Forged.
Vulcan Forged offers over six blockchain games and also has an active NFT marketplace and its own decentralised exchange, where users can trade its token ‘PYR’. Jaime Thomson, the CEO of Vulcan Forged, acknowledged the breach on Twitter and called December 13 the “darkest day in Vulcan Forged history”.
It should be noted that when someone registers an account with Vulcan Forged, the platform creates wallets. A crypto wallet stores the private keys that give the user access to their cryptocurrencies—allowing one to send and receive cryptocurrencies like Bitcoin and Ethereum.
All crypto coins are stored on the blockchain, and the private key is required to authorise transfers of those coins to another person’s wallet.
Vulcan Forged said that it managed users’ private keys using Venly, a semi-custodial wallet solution.
“Venly itself is a service, which as far as we know is all fine and has not been exploited or hacked. What has happened is someone has exploited our servers, gotten the Venly credentials, and used them to extract the private keys of the Forged users. Going forward, of course, we are going to be using nothing but decentralised wallets so we never have to encounter this problem again,” Thomson added.
After the exploit was discovered, Vulcan Forged immediately told its investors to remove all their funds from the decentralised exchanges. This would make it harder for the attacker to cash out the funds without going through centralised exchanges, which ask their users to submit Know-Your-Customer (KYC) documents when registering on the platform.
Despite this, the attacker has sold significant amounts of the stolen coins in small batches of tokens. But they still have 2 million PYR (currently worth $47 million) sitting untouched in one wallet.
“We have contacted all exchanges to blacklist that address. It also seems the wallet owner may have KYCd [completed Know Your Customer checks] on an exchange we’re now in contact with,” tweeted Vulcan Forged.
Meanwhile, this is not the first time that cybercriminals have attacked crypto platforms. On December 6, hackers stole $31 million (Rs 226 crore approx.) in cryptocurrency by hacking into the multi-chain decentralised exchange MonoX. The attack was first identified on December 1.
Earlier, in November, the US Federal Bureau of Investigation (FBI) issued a warning about cybercriminals who are using QR codes to defraud unsuspecting individuals. The FBI said that it has witnessed an increase in scammers directing victims to use physical cryptocurrency ATMs and digital QR codes to complete payment transactions.
The agency also pointed out that the decentralised nature of cryptocurrency makes it difficult to recover the victim’s money, with much of the stolen funds being sent overseas right away instead of being tracked and verified by a bank.