Decentralized exchange aggregator 1Inch’s website has been breached along with multiple other platforms that use the same front end library, Lottie Player.
The breach originated from malicious code injected into the Lottie Player, a widely-used animation library used by several dApps and non-crypto websites. As of now, no user wallets have been reportedly compromised.
1inch Users Cautioned Against Any Interactions
According to several posts on X (formerly Twitter), 1Inch and TEN Finance are the confirmed victims of this attack so far. However, the number could be much higher, as the exploit targeted Lottie Player versions 2.0.5 and above.
Hackers have reportedly injected malicious code into the front-end JSON files of websites using these versions. This code now enables the compromised sites to perform unauthorized transactions, posing a severe threat to users’ assets and data.
Reports from Blockaid indicate that the attack was introduced through a compromise of Lottie Player’s content server, where a malicious npm package was used to distribute altered code. Blockaid and other security firms have confirmed the injection of unauthorized scripts within the package.
“Legitimate sites (non crypto as well) are now serving malicious content, including anti-debug evasion code. @LottieFiles, it looks like attackers have managed to push malicious versions of your package, with another version being uploaded now,” Blockaid wrote in an X (formerly Twitter) post.
At the time of writing, 1inch hasn’t released any official statement on the breach. However, the Lottie Player team has confirmed that they were able to identify the cause of the breach and are working on removing the affected versions.
Users are strictly advised to avoid connecting wallets or interacting with affected platforms until the security issues are fully resolved.
Community post on the 1Inch Discord channel
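For site operators, the following added example (not code from the article, Blockaid or LottieFiles) audits a page's script tags for Lottie Player loads that are unpinned, fall in the "2.0.5 and above" range the article reports, or lack a Subresource Integrity hash. The npm package name in the URLs, the `cdn.example` host and the sample HTML are assumptions constructed for illustration.

```javascript
// Added example: audit <script> tags that load Lottie Player.
// Assumptions: the package name "lottie-player" appears in the script URL, and
// the affected range is "2.0.5 and above", as stated in the article.
const AFFECTED_FROM = [2, 0, 5];

// Compare two [major, minor, patch] arrays; returns -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function auditLottieScripts(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(tag);
    if (!src || !/lottie-player/i.test(src[1])) continue;
    // A full x.y.z in the URL means the load is pinned; "@latest", "@2" or
    // no version at all follows whatever the registry or CDN serves next.
    const ver = /lottie-player@(\d+)\.(\d+)\.(\d+)/i.exec(src[1]);
    // An integrity attribute makes the browser reject a file whose hash changed.
    const hasSri = /\bintegrity\s*=\s*["']sha(256|384|512)-/i.test(tag);
    let status;
    if (!ver) {
      status = "unpinned";
    } else {
      const v = ver.slice(1, 4).map(Number);
      status = compareVersions(v, AFFECTED_FROM) >= 0 ? "affected-range" : "pinned-older";
    }
    findings.push({ src: src[1], status, hasSri });
  }
  return findings;
}

// Constructed sample page (host, paths and hash value are placeholders).
const SAMPLE_HTML = `
<script src="https://cdn.example/@lottiefiles/lottie-player@2.0.4/dist/lottie-player.js" integrity="sha384-CONSTRUCTED" crossorigin="anonymous"></script>
<script src="https://cdn.example/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://cdn.example/@lottiefiles/lottie-player@2.0.5/dist/lottie-player.js"></script>
<script src="/static/app.js"></script>
`;

console.log(auditLottieScripts(SAMPLE_HTML));
```

Any entry reported as `unpinned` or without `hasSri` would have picked up a replaced file automatically, which is how a single compromised package reached many unrelated sites.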
Crypto Hacks Continue To Escalate
Security breaches have been the most plaguing issue of the crypto industry, and malicious activities continue to grow every year.
Most recently, hackers reportedly stole $20 million worth of cryptocurrencies from the US government. The funds were also part of the $3.6 billion that the feds seized from the Bitfinex hackers.
Blockchain lender Radiant Capital suffered one of the biggest hacks of this year, losing more than $50 million. The hackers gained control of the firm’s private keys and rapidly drained these assets.
However, the investigation and prosecution of these crimes have also intensified. The FBI recently arrested the SEC X (formerly Twitter) account hacker. The accused is a 25-year-old Alabama man named Eric Council Jr.
Earlier this year, Council allegedly hacked the SEC’s X account and posted false news about Bitcoin ETF approvals, which significantly affected the market. Yet, the feds believe Council wasn’t the brains of this operation and they are trying to negotiate a plea deal with him.
So far, crypto hacks have exceeded $2.1 billion in 2024, with CeFi platforms taking the biggest hits.
beincrypto.com