Experts dissect what went wrong

Decentralized finance (DeFi) protocols continue to be targeted by hackers, with Curve Finance becoming the latest platform to be hit, this time through a DNS hijacking incident.

On Aug. 9, the automated market maker warned users against using the front end of its website after members of the wider cryptocurrency community flagged the incident online.

While the exact attack mechanism is still under investigation, the consensus is that the attackers cloned the Curve Finance website and redirected the domain's DNS records so that it resolved to the fake pages. Users who interacted with the platform were then prompted to sign transactions that moved their funds into a pool controlled by the attackers.

Curve Finance was able to restore the hijacked domain, but not before the attackers stole USD Coin (USDC) initially estimated to be worth $537,000. The platform believes its DNS provider, Iwantmyname, was compromised, allowing the incident to unfold.
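A hijack at the DNS-provider level shows up as a change in the domain's delegation and resolution before any user loses funds, so a protocol can monitor for it. The following is an added example of such a check, written for this article; it is not Curve Finance's or Elliptic's code, and the domain, nameservers, IP addresses and certificate fingerprints in it are constructed placeholders rather than the real records involved in the incident.

```python
"""Flag a DNS hijack by diffing a fresh resolution snapshot against a pinned baseline.

Added example for this article; not Curve Finance's or Elliptic's code. The
domain, nameservers, IP addresses and certificate fingerprints are constructed
placeholders, not the real records involved in the incident.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsSnapshot:
    """What a monitor would record for one domain on one check."""
    domain: str
    nameservers: frozenset   # NS records at the parent (registrar-controlled)
    addresses: frozenset     # A records the front-end hostname resolves to
    cert_sha256: str         # SHA-256 fingerprint of the leaf TLS certificate served


def detect_hijack(baseline: DnsSnapshot, observed: DnsSnapshot) -> list:
    """Return (severity, message) findings; an empty list means nothing changed."""
    if baseline.domain != observed.domain:
        raise ValueError("snapshots are for different domains")
    findings = []

    # A changed NS set means control of the zone itself moved: that is the
    # registrar/DNS-provider level compromise described in the article.
    new_ns = observed.nameservers - baseline.nameservers
    if new_ns:
        findings.append(("critical", f"NS delegation changed; unexpected nameservers: {sorted(new_ns)}"))

    # New A records on their own can be a legitimate CDN rotation, so rate them
    # lower unless the served certificate changed too: a cloned site on attacker
    # hosts cannot present a certificate for the original private key.
    new_a = observed.addresses - baseline.addresses
    cert_changed = observed.cert_sha256.lower() != baseline.cert_sha256.lower()
    if new_a and cert_changed:
        findings.append(("critical", f"front end now resolves to {sorted(new_a)} and serves a different certificate"))
    elif new_a:
        findings.append(("warning", f"front end resolves to new addresses {sorted(new_a)}; verify this was a planned change"))
    elif cert_changed:
        findings.append(("warning", "TLS certificate fingerprint changed on unchanged addresses; confirm a planned renewal"))
    return findings


# Constructed sample snapshots (placeholders, not real infrastructure).
BASELINE = DnsSnapshot(
    domain="defi.example",
    nameservers=frozenset({"ns1.provider.example", "ns2.provider.example"}),
    addresses=frozenset({"198.51.100.10", "198.51.100.11"}),
    cert_sha256="aa" * 32,
)
HIJACKED = DnsSnapshot(
    domain="defi.example",
    nameservers=frozenset({"ns1.attacker.example", "ns2.attacker.example"}),
    addresses=frozenset({"203.0.113.7"}),
    cert_sha256="bb" * 32,
)
CDN_ROTATION = DnsSnapshot(
    domain="defi.example",
    nameservers=BASELINE.nameservers,
    addresses=frozenset({"198.51.100.10", "198.51.100.12"}),
    cert_sha256=BASELINE.cert_sha256,
)


def severities(baseline: DnsSnapshot, observed: DnsSnapshot) -> list:
    """Just the severity labels, for quick checks."""
    return [sev for sev, _ in detect_hijack(baseline, observed)]


if __name__ == "__main__":
    for name, snap in (("hijacked", HIJACKED), ("cdn_rotation", CDN_ROTATION)):
        for sev, msg in detect_hijack(BASELINE, snap):
            print(f"[{sev}] {name}: {msg}")
```

In practice the snapshots would come from querying the parent zone's NS records, resolving the front-end hostname from several vantage points, and recording the fingerprint of the certificate actually served; pinning all three is what lets the monitor distinguish a registrar-level takeover from routine hosting changes.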

Cointelegraph reached out to blockchain analytics firm Elliptic to dissect how the attackers managed to trick unsuspecting Curve users. The team confirmed that a hacker compromised Curve’s DNS, causing users to sign malicious transactions.
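The cloned front end only succeeds because users sign whatever it puts in front of them, so the last line of defence is inspecting the transaction itself. As an added illustration (not code from Curve Finance, Elliptic or any wallet), the snippet below decodes an ERC-20 approve or transfer payload and flags the two patterns a fake site typically relies on: a spender or recipient outside the contracts the genuine UI uses, and an unlimited approval. The two 4-byte selectors are the real ones for approve(address,uint256) and transfer(address,uint256); every contract and spender address is a constructed placeholder, and the trusted-contract set is an assumption standing in for whatever list a user or wallet would maintain.

```python
"""Decode ERC-20 approve/transfer calldata and flag what a cloned front end
would typically ask a user to sign.

Added example; not code from Curve Finance, Elliptic or any wallet. The two
4-byte selectors are the real ones for approve(address,uint256) and
transfer(address,uint256); every contract and spender address below is a
constructed placeholder.
"""

APPROVE_SELECTOR = "095ea7b3"    # keccak256("approve(address,uint256)")[:4]
TRANSFER_SELECTOR = "a9059cbb"   # keccak256("transfer(address,uint256)")[:4]
UINT256_MAX = 2**256 - 1

# Constructed placeholders: the pool contract the genuine UI talks to, and the
# contract a cloned UI would substitute for it.
GENUINE_POOL = "0x" + "11" * 20
ATTACKER_CONTRACT = "0x" + "22" * 20


def encode_erc20_call(selector: str, address: str, amount: int) -> str:
    """ABI-encode selector + (address, uint256); used here to build the samples."""
    addr_word = address.lower().removeprefix("0x").rjust(64, "0")
    amount_word = f"{amount:064x}"
    return "0x" + selector + addr_word + amount_word


def decode_erc20_call(data: str) -> dict:
    """Split calldata into function name, target address and amount."""
    body = data.lower().removeprefix("0x")
    if len(body) != 8 + 64 + 64:
        raise ValueError("unexpected calldata length for an (address,uint256) call")
    selector, addr_word, amount_word = body[:8], body[8:72], body[72:]
    names = {APPROVE_SELECTOR: "approve", TRANSFER_SELECTOR: "transfer"}
    if selector not in names:
        return {"function": "unknown", "selector": selector}
    # An address is 20 bytes right-aligned in the 32-byte word; non-zero
    # padding is malformed and should never be signed.
    if addr_word[:24] != "0" * 24:
        raise ValueError("address word has non-zero padding")
    return {"function": names[selector], "address": "0x" + addr_word[24:], "amount": int(amount_word, 16)}


def assess(data: str, trusted: set) -> list:
    """Return human-readable warnings; an empty list means the call matches expectations."""
    trusted = {t.lower() for t in trusted}
    call = decode_erc20_call(data)
    if call["function"] == "unknown":
        return [f"unrecognised selector 0x{call['selector']}; do not sign blind"]
    warnings = []
    if call["address"] not in trusted:
        verb = "grants spending rights to" if call["function"] == "approve" else "sends tokens directly to"
        warnings.append(f"{call['function']} {verb} untrusted address {call['address']}")
    if call["function"] == "approve" and call["amount"] == UINT256_MAX:
        warnings.append("unlimited approval: the spender can drain the full balance at any time")
    return warnings


# Constructed samples of what the two front ends would ask the wallet to sign.
GENUINE_TX = encode_erc20_call(APPROVE_SELECTOR, GENUINE_POOL, 1_000 * 10**6)        # 1,000 USDC (6 decimals)
MALICIOUS_TX = encode_erc20_call(APPROVE_SELECTOR, ATTACKER_CONTRACT, UINT256_MAX)   # unlimited approval to attacker
DRAIN_TX = encode_erc20_call(TRANSFER_SELECTOR, ATTACKER_CONTRACT, 605_000 * 10**6)  # direct transfer to attacker


if __name__ == "__main__":
    for label, tx in (("genuine", GENUINE_TX), ("malicious approve", MALICIOUS_TX), ("drain", DRAIN_TX)):
        print(label, assess(tx, {GENUINE_POOL}) or ["ok"])
```

A wallet that surfaced these two warnings, rather than an opaque hex blob, would have given users a chance to notice that the "Curve" page was asking them to hand spending rights to an address the real protocol never uses.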

Related: Cross Chains, Beware: deBridge Flags Attempted Phishing Attack, Suspects Lazarus Group

Elliptic estimates that 605,000 USDC and a further 6,500 in a second token were stolen before Curve discovered the hijack and recovered the domain. Using its blockchain analysis tools, Elliptic then traced the stolen funds to a number of exchanges, wallets and mixers.

The stolen funds were immediately swapped to Ether (ETH), most likely to pre-empt a freeze of the USDC by its issuer, which can blacklist addresses on-chain; the proceeds totaled 363 ETH, worth around $615,000.

Interestingly, 27.7 ETH was laundered through Tornado Cash, the mixer now sanctioned by OFAC. A further 292 ETH was sent to FixedFloat, a coin-swap service. According to an Elliptic spokesperson, the platform managed to freeze 112 ETH and confirmed the movement of the remaining funds:

“We have been in contact with the exchange, who confirmed three other addresses from which the hackers had withdrawn funds (these were completed orders that FixedFloat could not freeze in time). These included 1 BTC address, 1 BSC address and 1 LTC address.”

In addition to the original Ethereum addresses, Elliptic is now monitoring these addresses on the other chains. A further 20 ETH was sent to a Binance hot wallet, and another 23 ETH went to the hot wallet of an unidentified exchange.

Elliptic also alerted the wider ecosystem to the risk of further incidents of this nature after discovering a listing on a darknet forum offering “fake login pages” to attackers who have compromised a site.

It’s unclear whether this listing, discovered the day before the Curve Finance DNS hijacking, is directly related, but Elliptic noted that it highlights the methods used in this type of attack.