Posts by Amara Khatri
Jimbos Protocol Turns To Law Enforcement As Hacker Ignores Bounty
Jimbos Protocol has contacted the Department of Homeland Security in an effort to reclaim the funds that were stolen via a flash loan exploit on the 28th of May. The protocol had offered the hacker a bounty which the latter chose to ignore.

Jimbos Protocol Contacts Law Enforcement

With the hacker ignoring the bounty offer, the Arbitrum-based Jimbos protocol has revealed that it has contacted law enforcement and has opened a case with the New York Branch of the Department of Homeland Security to arrest the hacker. Jimbos Protocol was hacked on the 28th of May and saw 4000 ETH (roughly $7.5 million) stolen via a flash loan exploit. The team behind the protocol also noted that the Department of Homeland Security had arrested several other exploiters in the past and that it believed they would be able to arrest the protocol’s hacker as well. According to reports, the Department of Homeland Security has worked on several crypto cases, such as 2013’s Mt. Gox seizures and the 2021 Colonial Pipeline ransomware attacks.

The Jimbos Protocol team took to Twitter to address the hacker, stating,

“They’re behind finding and arresting many of these exploiters. We don’t think this case will be an exception to the rule. To the attacker: We warned you. We’d prefer to give you the bounty so we can focus on our protocol. Instead, we will deal with law enforcement to find you.”

The protocol also revealed that the hacker ignored the bounty offer, stating,

“We’ve spoken about our bounty before, 10% of stolen funds (~$800k USD). We’ve given the hacker time to comply for the bounty, but evidently, they’re not interested.”

Bounty Offered To General Public

The Jimbos Protocol has now offered the bounty to the general public instead. This means any user or community member that provides any information that could lead to the hacker’s arrest or recovery of funds would receive the reward.
The protocol team had previously stated that they had found several promising leads regarding the hacker but did not wish to harm anyone’s reputation by making assertions before verifying all the facts.

“In order to speed up the investigation and return of funds, we’re offering the 10% bounty (~$800K USD) to the general public. Anyone who provides information that leads to: 1) catching the exploiter, or 2) all funds being returned, is eligible for the reward.”

However, the protocol also left the door open for the hacker to return the funds, stating that they were willing to give the hacker the opportunity to return the funds right until they are arrested, at which point the offer will no longer be on the table.

“The door remains open for the hacker to return the funds until they are arrested, at which point the offer will be rescinded. Because then, we will be getting 100% of the funds back, and they will go to prison.”

The Jimbos Protocol also added that it would soon publish an analysis of the hack. It also revealed that it would be publishing a plan for a future version of the protocol, which would include a recovery plan for users impacted by the attack.

Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

Unciphered Highlights Vulnerability In Trezor T Hardware Wallet
Cybersecurity firm Unciphered has claimed that it managed to hack the hugely popular Trezor T hardware wallet manufactured by Satoshi Labs. The Trezor T hardware wallet is one of the most popular wallets in the market today.

A Potential Hardware Vulnerability?

Unciphered showcased the hack in a YouTube demonstration, claiming it could extract the hardware wallet’s mnemonic seed phrase by exploiting a hardware vulnerability. In the video, Unciphered is able to dismantle the hardware before extracting the seed phrase or private key. However, the hack requires the physical possession of the wallet, along with specialized equipment. Furthermore, the cybersecurity firm also claimed that there is no way to fix the vulnerability that facilitates the hack without initiating a complete recall of all Trezor T wallets.

In the video, the team at Unciphered claimed they developed an “in-house exploit” that enabled them to extract the wallet’s firmware. Co-founder of Unciphered, Eric Michaud, stated that by leveraging specialized GPU chips, the team was able to crack the Trezor T hardware wallet’s pin seed phrase. Michaud explains in the video,

“We uploaded the firmware we extracted onto our high-performance computing cracking clusters. We have about 10 GPUs, and after some time, we extracted the keys.”

Hardware wallets are used to store private keys offline in an air-gapped environment. Because these wallets keep the private keys offline, they are generally considered highly secure. However, Unciphered has stated that the hardware security mechanisms put in place in the Trezor T wallet could theoretically be bypassed if any hacker or malicious individual gained possession of a Trezor T wallet.

An Old Vulnerability?

Unciphered’s demonstration of the vulnerability in Trezor T hardware wallets resulted in speculation that it had rediscovered an old vulnerability known for years.
However, Unciphered denied this, stating that the old vulnerability in question had been patched in 2019. According to the firm, the vulnerability and the method to exploit it were developed in-house.

This is not the first time Unciphered has successfully retrieved seed phrases from a hardware wallet. In February, the cybersecurity company demonstrated a similar hack of a popular hardware wallet, OneKey. In the video related to OneKey, Unciphered showed how it used a field programmable gate array (FPGA) to exploit the lack of encryption between the hardware wallet’s CPU and the secure element. The FPGA was able to intercept all communications between the secure element and the processor.

“The FPGA is a high-speed processor also known as a field programmable gate array, allowing us to iterate through different algorithms, bypass the wallet’s security and extract the mnemonics.”

Trezor Responds

Trezor responded to Unciphered’s demonstration of the exploit and stated that it had quite a few similarities with the Read Protection Downgrade (RDP) vulnerability. This vulnerability was discovered by researchers from Kraken Security Labs and impacted both Trezor One and Trezor Model T. In short, this implied that Trezor was aware of the vulnerability. Chief technology officer at Trezor, Tomáš Sušánka, stated,

“This appears to be a vulnerability called an RDP downgrade attack, and as communicated on our blog in early 2020, RDP downgrade attacks require the physical theft of a device and extremely sophisticated technological knowledge and advanced equipment. Even with the above, Trezors can be protected by a strong passphrase, which adds another layer of security that renders an RDP downgrade useless.”

The company further added that it had taken steps to resolve the issue and had developed a new secure element for hardware wallets in collaboration with its sister firm, Tropic Square.

Hardware Wallets Not As Safe As They Claim To Be?

With their promise of keeping seed phrases and access codes offline and safe from the prying eyes of hackers, hardware wallets have long been considered the pinnacle of safety when it comes to storing digital assets. Their popularity grew even further with the collapse of major centralized exchanges such as FTX, with investors and users opting for self-custody of their assets. However, recent events have put a considerable dent in the reputation of hardware wallets.

One of the primary events that led to the confidence crisis in hardware wallets was the announcement of Ledger Recover. Ledger’s Recover feature set the cat among the pigeons as it sparked concerns that third parties could gain access to private keys, allowing them access to the crypto held in the wallets. Ledger’s response did little to calm frayed nerves and led to considerable backlash for Ledger. Eventually, Ledger was forced to postpone the feature’s release and open-source the code for transparency.

SEC Targets BTC Miner; Alleges Securities Violation
The Securities and Exchange Commission (SEC) has now zeroed in on the prominent Bitcoin mining company, Marathon Digital, over alleged violations of securities laws.

Marathon Subpoenaed By SEC

In a recent press release, the Bitcoin mining company Marathon Digital Holdings revealed that it had been subpoenaed by the SEC as a part of its ongoing investigation of the Montana Data Center involving the potential violations of securities laws. Marathon Digital, which is the second largest publicly traded Bitcoin miner in the US, was subpoenaed by the SEC to produce documents and information related to the company's operations. Marathon has stated that it intends to cooperate fully with the SEC's investigation.

Marathon’s Regulatory Troubles

The company filed its quarterly earnings report on Wednesday, wherein it also shared the news of the subpoena.

“The Company received an additional subpoena from the SEC on April 10, 2023, relating to, among other things, transactions with related parties. We understand that the SEC may be investigating whether or not there may have been any violations of the federal securities law. We are cooperating with the SEC.”

This is not the first time Marathon has come under scrutiny from regulators. The company and its executives were subpoenaed back in September 2021, through which the SEC tried to gain access to the documents pertaining to the company’s Montana-based facility. Additionally, around a couple of months back, the company was also in the news for internal accounting issues, which resulted in it reissuing several financial statements.

CEO Calls Out “Energy Concerns”

The SEC's investigation of Marathon comes at a time of increasing scrutiny of the cryptocurrency industry by regulators around the world. Last month, the SEC warned investors about the risks of investing in cryptocurrencies, including the possibility of fraud and market manipulation.
The agency has also taken action against a number of cryptocurrency companies in recent years, including Ripple Labs, Coinme, BitConnect, and Coinbase.

Many regulators and government bodies have shown concerns over the high carbon footprint and energy demands of mining operations. However, Marathon’s CEO Fred Thiel recently questioned these perspectives, claiming that industrial emissions are of significantly greater concern for their environmental impact. He tweeted,

“Why focus on the environmental impact of the energy used by bitcoin mining when the heavy industry is responsible for around 22 percent of global CO2 emissions…After targeting bitcoin miners, will the administration propose an energy tax on generative AI data centers to protect the environment and jobs?”