Hackers Compromise a String of NFT Discord Channels

source link: https://www.vice.com/en/article/k7wmpy/hackers-compromise-a-string-of-nft-discord-channels

‘Stay Optimistic!’: Hacker Returns $15 Million In ‘Optimism’ Tokens

The victim asked the hacker to return the “bag of cash” they stole to avoid getting law enforcement involved.
June 10, 2022, 2:49pm
Image: Pilin_Petunyia/Getty Images

Looks like it pays off to be optimistic after all. 

On Thursday, the crypto project Optimism disclosed that a hacker had stolen 20 million of the project’s tokens—worth roughly $16 million—by taking advantage of a botched transaction with liquidity provider Wintermute. In line with an emerging trend, Wintermute’s CEO Evgeny Gaevoy pleaded with the hacker to return the stolen tokens within a week and threatened to get authorities involved and dox the hacker. 


Just a day later, the hacker has returned most of the stolen crypto, according to blockchain records. 

At first, in the early morning of Friday, the hacker sent a message to Ethereum co-founder Vitalik Buterin on the Optimism blockchain, along with one million tokens.

“Hello, Vitalik, I believe in you, just want to know your opinion on this. BTW, help to verify the return address and I will return the remaining after you. And hello Wintermute, sorry, I only have 18M and this is what I can return. Stay Optimistic!” the hacker wrote. 

Roughly six hours later, the hacker started sending back the remaining stolen tokens in batches of one million OP tokens. As of this writing, the hacker has returned 17 million OP to the wallet that Gaevoy advertised in his message on Thursday, which he identified as belonging to Optimism, according to the transactions recorded on the Optimism blockchain. That wallet is currently the top holder of OP tokens, holding nearly 30 percent of all tokens. 

Do you have information about hacks or hackers in the world of crypto? Or do you research vulnerabilities in web3 and DeFi projects? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr/Telegram/Wire @lorenzofb, or email [email protected]


That means the hacker is still in possession of one million OP tokens, other than the million they sold after the hack, which they sent to the mixing service Tornado Cash. It’s not clear if the hacker intends to keep the remaining one million as a sort of reward. 

On Twitter, Gaevoy posted a cryptic message after the hacker sent back the tokens, consisting of only an upside-down smiley face emoji.

Gaevoy also did not respond to a request for comment sent via Twitter DM. 

On Twitter, Optimism confirmed that they had received the stolen crypto, and that Wintermute “has committed to reimbursing the Optimism Foundation.”

The company also said that the remaining two million OP “was kept as a bounty.”

UPDATE, June 10, 11:25 a.m. ET: This story was updated to include Optimism’s statement on Twitter.


Hackers Use Malicious Google Ads to Steal $4 Million In Crypto Stablecoin

The phishing campaign targets people who hold UST, a popular stablecoin built on the Terra blockchain.
April 22, 2022, 3:21pm

Hackers used malicious Google ads to trick users into giving up their private key to steal their cryptocurrency. 

The cybercriminals targeted people who hold UST, a popular cryptocurrency that aims to remain pegged to the U.S. dollar from the Terra blockchain—a so-called stablecoin currently vying for dominance in decentralized finance, or DeFi. The phishing operation was spotted by cybersecurity firms Knownsec Blockchain Labs and SlowMist. According to Knownsec, the hackers have stolen $4.31 million from 52 wallets, which they hacked between April 12 and April 21. Knownsec posted a Terra address that the company says is linked to the hack, which contains 4,111,901 UST tokens ($4,111,901) and 2,089 LUNA tokens—part of the Terra ecosystem—worth $197,269.


Motherboard confirmed that a malicious ad targeting Terra users is the first result when searching "Terra bridge" on Google. The URL on the ad appears to match the real Terra bridge URL, which is bridge.terra.money. But once one clicks on it, instead of going to bridge.terra.money, the user is redirected to bridge.terra.momey.biz. 


That site is currently flagged as “deceptive” by Google and closely resembles the real Terra bridge website, and immediately presents the user with a pop-up asking them to connect their wallet.

A screenshot of the phishing site. (Image: Motherboard)

A screenshot of the real Terra site. (Image: Motherboard)

A moderator of Terra’s official Discord channel, who goes by "Somethingelse," told Motherboard that he spotted the malicious ads targeting the bridge and reported them to Google. Several people in the Discord channel also warned others of the malicious Google ads. 

According to Somethingelse, malicious ads targeting various aspects of the Terra/Luna ecosystem have plagued investors for months. Another Terra moderator warned users on Twitter in March about ads targeting investors seeking the Anchor lending protocol. 

“For the past few months, Anchor Discord saw a large uptick in users claiming that funds were stolen from their addresses. As the mod team worked with these folks, we started seeing a pattern of users saying they used Google to go to Anchor. After having the users show us their browser history, we could see where they went to a scam site. I can show you an example,” Somethingelse said in an online chat.


“Several weeks ago we saw an uptick in user feedback across our community channels detailing typosquatting/phishing scams on Google Search, alongside scam ads mimicking the websites of products like Terra Station, the primary wallet for interacting on the Terra network, and others like Anchor protocol, a savings protocol and money market on Terra,” a spokesperson for Terraform Labs (TFL), the company behind the Terra blockchain and the UST stablecoin, said in an email.

“The strategy deployed by the scammers is evolving but mostly includes purchasing fake ads via Google or directing users to copycat websites (i.e., Station, Anchor, etc.) with a similar URL to the actual products' domain, asking users to connect their wallets and deposit funds, which are then absconded with by the scammers. Other methods include typosquatting sites for Station that prompt users to input their seed phrase to steal their funds,” the spokesperson added.

These phishing attacks show how hackers are getting creative in targeting people who hold cryptocurrency. They also show it’s possible to steal millions in crypto even without hacking the crypto company or project directly.
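The redirect trick above (an ad whose display URL reads bridge.terra.money but lands on bridge.terra.momey.biz), the "brand in a subdomain" and typosquatting variants TFL describes, and the browser-history triage the Anchor moderators did by hand can all be screened with one small classifier. The following Python is an added example, not code from the article, from Terra, or from Knownsec or SlowMist. Only bridge.terra.money and bridge.terra.momey.biz come from the article; the allowlist of trusted domains, the other sample URLs and the edit-distance threshold are assumptions made for the illustration.

```python
"""Classify URLs as trusted, lookalike or merely untrusted.

Added example for the Terra bridge phishing story; not the project's own code.
Rules, in order:
  1. host is a trusted domain or a subdomain of one            -> trusted
  2. host contains non-ASCII after punycode decoding            -> homoglyph
  3. a window of labels equals a trusted domain                 -> embedded
     (terra.money.example.biz)
  4. a window of labels is within edit distance 1 of a trusted
     domain                                                     -> edit-distance
     (terra.momey.biz, the host from the article)
  5. the brand label appears on its own or hyphenated           -> brand-label
     (terra-bridge.example)
A production check would also consult the Public Suffix List to find the
registrable domain; the label-window approach here needs no such list.
"""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Assumed allowlist of domains the project controls (bridge.terra.money is a
# subdomain of the only entry and is the real host named in the article).
TRUSTED_DOMAINS = ("terra.money",)

# Assumption: one substitution/insertion/deletion is close enough to be deceptive.
MAX_EDIT_DISTANCE = 1


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def canonical_host(url: str) -> Optional[str]:
    """Lower-cased hostname with punycode (xn--) labels decoded to Unicode."""
    host = urlsplit(url).hostname  # already lower-cased, port/userinfo removed
    if not host:
        return None
    host = host.rstrip(".")
    try:
        return host.encode("ascii").decode("idna")  # xn--... -> Unicode labels
    except UnicodeError:
        return host


def classify(url: str) -> str:
    host = canonical_host(url)
    if host is None:
        return "invalid"
    for d in TRUSTED_DOMAINS:
        if host == d or host.endswith("." + d):
            return "trusted"
    # Cyrillic е for Latin e and similar: the decoded host is no longer ASCII.
    if not host.isascii():
        return "lookalike:homoglyph"
    labels = host.split(".")
    for d in TRUSTED_DOMAINS:
        n = d.count(".") + 1
        brand = d.split(".")[0]
        # Slide a window of n labels across the host and compare to the domain.
        for i in range(len(labels) - n + 1):
            window = ".".join(labels[i:i + n])
            if window == d:
                return "lookalike:embedded-trusted-domain"
            if levenshtein(window, d) <= MAX_EDIT_DISTANCE:
                return "lookalike:edit-distance"
        if any(lab == brand or lab.startswith(brand + "-") or lab.endswith("-" + brand)
               for lab in labels):
            return "lookalike:brand-label"
    return "untrusted"


# Constructed samples; only the first two hosts appear in the article. The
# fourth builds a punycode host from a Cyrillic 'е' (U+0435) in "terra".
SAMPLES: List[str] = [
    "https://bridge.terra.money/",
    "https://bridge.terra.momey.biz/",
    "https://bridge.terra.money.example.biz/",
    "https://" + "bridge.t\u0435rra.money".encode("idna").decode("ascii") + "/",
    "https://terra-bridge.example/",
    "https://example.org/",
]


def report(urls: List[str] = SAMPLES) -> Dict[str, str]:
    """Map each URL to its verdict; this is what a triage script would log."""
    return {u: classify(u) for u in urls}


if __name__ == "__main__":
    for u, verdict in report().items():
        print(f"{verdict:36} {u}")
```

Feed it a browser-history export or the landing URLs behind a set of ads and anything tagged `lookalike:*` is worth a closer look; `untrusted` alone is not suspicious, since most of the web is. The edit-distance rule is deliberately tight (one edit) because looser thresholds flag unrelated short domains.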


In the last few months, hackers have targeted large crypto companies like the play-to-earn video games Axie Infinity and WonderHero, the stablecoin Beanstalk, the Poly Network, the cross-chain bridge Wormhole, the popular exchange Crypto.com, Multichain, the crypto gaming company Vulcan Forge, BadgerDAO, and crypto exchange BitMart.

A Google spokesperson sent the following statement via email: “Protecting users from ad scams and fraud is a key priority, and we have strict policies that specifically prohibit phishing ads. We've reviewed the advertiser accounts in question and have taken appropriate enforcement action. We will continue to aggressively enforce our policies to prevent future abuse from bad actors.”

UPDATE, Apr. 22, 4:11 p.m. ET: This story has been updated to include a comment from Terraform Labs.

UPDATE, Apr. 25, 10:41 a.m. ET: This story was updated to include Google’s comment.


Crypto.com: Ex-Hacker Who Worked for Controversial Spying Firm Won’t Join Company

The cryptocurrency exchange hired a hacker who used to work for DarkMatter, a controversial company that spied on U.S. citizens.
February 2, 2022, 3:18pm
Image: Rich Fury/Getty Images

One of the largest cryptocurrency exchanges in the world hired Dan Wolfford, a former NSA analyst who also worked for a UAE-based hacking company accused of spying on American citizens, journalists, and human rights activists. Update: After Motherboard reached out to the company asking for comment, it said Dan Wolfford "was not onboarded" and would no longer be joining it.

On Monday, Wolfford announced in a LinkedIn post that he was starting as Crypto.com’s new Head of Security Operations. Wolfford used to be an NSA analyst, and after he retired from public service, he went to work for DarkMatter, a cybersecurity outfit based in the United Arab Emirates. In 2016, The Intercept revealed that DarkMatter had hired scores of experienced hackers, including former NSA and US intelligence analysts. Then, in 2019, Reuters revealed that a secret team within DarkMatter was tasked with conducting hacking and surveillance operations for the UAE government that targeted American citizens, journalists, and human rights activists. 


Crypto.com said in a statement, sent after an early version of this story was published, that Wolfford “was not onboarded with the company, and he will not be joining us.”

Crypto.com has recently attempted to raise its public profile by purchasing the naming rights to the arena the Los Angeles Lakers play in for $700 million and creating a now-infamous ad starring Matt Damon. The exchange suffered a hack last month which saw $30 million stolen from users, which the exchange reimbursed.

Wolfford doesn’t list DarkMatter as previous experience on his LinkedIn profile. When Motherboard asked Wolfford if he disclosed this work history to Crypto.com, he responded that he “explained how media personalities like to report fake news that sounds exciting to get clicks rather the boring truth.”

“I helped three member states of the United Nations develop national threat intelligence capabilities. Crypto.com thinks my knowledge and experience brings value to their global security team,” he said, adding that he was just “a threat intel analyst.”

“I can’t speak on behalf of a company I worked with for a few months back in 2017,” he said. 

While not on his LinkedIn profile anymore, Wolfford’s experience in the Middle East is very public. In 2018, he spoke at an Austin, Texas cybersecurity conference about “real world hacking in the Middle East from 2015-2018.” On the conference website’s bio, Wolfford is listed as having worked as the Intel Director at DarkMatter, and at Cyberpoint, a US cybersecurity contractor hired by the UAE government, some of whose employees later joined DarkMatter.


In a 2019 interview with Ars Technica, Wolfford said he did not hack US citizens.

“We did not hack Americans,” he told Ars. “Our mission was simple: advise and assist UAE to create a national cyber security program.” And work on creating a "target list," Wolfford said, was part of a training operation “to teach the Emiratis about lawful targeting and collection.” 

"We tried to show them who is and isn’t a threat to their national security,” he added at the time. “The bottom line is that I don’t condone illegal activity conducted by any of my employers. That is a line I would never cross and I’m offended when people accuse me of being guilty by association.”

In September of last year, three former US intelligence analysts, and former DarkMatter employees, who then worked for UAE intelligence agreed to pay more than $1.68 million in a settlement. The US government accused them of providing hacking services to a foreign government in violation of US export control laws. 

That Crypto.com is looking to beef up their security shouldn’t come as a surprise. Last month hackers stole around $30 million in cryptocurrency from some of the exchange’s users, the company admitted. Crypto.com reimbursed the victims, and said the hackers stole from 483 users. 

This is not the first time a crypto exchange has hired someone who used to work for a controversial surveillance company. In 2019, Coinbase acquired a blockchain intelligence startup launched by three former employees of the controversial spyware company Hacking Team, known for having sold surveillance and hacking technology to countries like Ethiopia, Saudi Arabia, and Sudan, which then used it against journalists and dissidents. After public outrage, including a #DeleteCoinbase online movement, Coinbase said the three former Hacking Team employees would “transition out” of the company. 


Hackers Compromise a String of NFT Discord Channels

Hackers used a popular Discord bot to trick users into clicking on malicious links inside the Discord servers of several popular NFT projects.
May 18, 2022, 2:32pm

Hackers compromised several Discord servers of popular NFT projects on Tuesday in an attempt to trick users into giving up cryptocurrency or buying fake NFTs.

Late on Tuesday night, the blockchain cybersecurity firm PeckShield published an alert on Twitter warning that the Discord servers of the NFT projects Memeland, PROOF/Moonbirds, RTFKT, as well as the web3 infrastructure company CyberConnect, were compromised, the latest in a string of hacks against NFT projects through their Discord servers. 


CyberConnect confirmed the hack on Twitter, asking users not to click on any link on Discord, and reminding them that the project will never ask for their private keys. 

Memeland also alerted users on Twitter and inside Discord, where the project posted a message saying a compromised bot posted announcements with “fake links.”

“A discord bot (mee6) seems to be compromised across various high profile servers, including Proof/Moonbirds, RTFKT, PXN, and us,” a Memeland team member wrote. “Stay vigilant all the time. Deauthorize unused/unknown apps in your settings. Do not click on any links. And as always: DON’T TRUST. VERIFY.”

Alien Frens, another NFT project, also confirmed the hack on Twitter saying: “we were hacked as with many others today, we’re not sure how they infiltrated yet.” 

According to the Memeland announcement, hackers allegedly took control of the Discord bot mee6. This is a tool that Discord server owners can use to automate welcome messages, inform about server rules, topics, and events, according to the bot’s official website, which claims the bot is used by more than 16 million Discord servers.

Mee6 did not respond to a request for comment sent via email and Twitter DM. 


On Twitter, the company confirmed that hackers took over one of its employees’ accounts, and that this was how the hackers were able to post phishing links on several Discord servers.

“Some servers have reported MEE6 being used to post unwanted messages. There is no technical breach in our systems. This was due to one of our employee's account getting compromised,” mee6 wrote in a tweet. “The issue is now fixed and we've taken all the steps to make sure it never happens again. We take security very seriously, and will always be committed not only to keep our systems safe but also add extra measures to protect servers from accounts being compromised.”

Other victims of the hack were Axie Infinity, one of the most popular play-to-earn video games, NFT project APIENS, Cool Cats, and Burrito Boyz.


RTFKT, Alien Frens, and PROOF/Moonbirds did not respond to a request for comment sent via Twitter DM.

Bots are widely used inside Discord to automatically post announcements across channels and reach users in a more automated and effective way. That’s also what makes them great targets for hackers, because they essentially serve the purpose of being official messages from the admins of the Discord server. 


The co-founder of blockchain security firm Zellic, who asked to be referred to only as Stephen, explained to Motherboard that compromised bots are one of the biggest risks crypto projects and their users face.

“If that bot ever got compromised, the back end that controls the bot ever got compromised, that'd be fucking nasty dude. Because then you could just post an announcement saying like, ‘Oh, blah, blah, blah, go to this link,’ and then people will believe it because it's the freaking bot. And then you'd be able to fish like a bajillion people,” Stephen said in an interview about the pitfalls of using Discord. “That would be such a credible piece of bait that I'm sure hundreds or thousands of people are gonna fall for that. [...] Those bots are a huge liability when it comes to security.”

A hacker who claimed to be involved in hacks of Discord servers—but not these particular ones—said that going after mee6 makes sense because “it’s a big bot so it’s a good way to get access to big servers.”

UPDATE, May 23, 4:00 p.m. ET: This story was updated to remove the name of the hacker, since Motherboard was not able to verify their name.

© 2022 VICE MEDIA GROUP
