ChainCatcher message, Cetus officially released a report on the theft incident stating that on May 22, Cetus encountered a sophisticated smart contract attack targeting the CLMM liquidity pool. Cetus took immediate measures to mitigate the impact.The attacker exploited an undiscovered vulnerability in an open-source library, lowering the pool price to build positions in the high-price area, and utilized an overflow check flaw to inject inflated liquidity with very few tokens. Subsequently, they repeatedly executed liquidity removal operations to extract assets from the pool, continuously exploiting unverified calculation functions to carry out the attack, ultimately successfully stealing funds.To jointly maintain the maximum interests of the entire ecosystem, with the support of most Sui validator nodes, Cetus urgently froze two Sui wallet addresses of the attacker, which contained the majority of the stolen funds. The remaining stolen funds have been exchanged by the hacker and cross-chain transferred to the Ethereum mainnet.Cetus is collaborating with the Sui security team and several auditing firms to re-examine the contracts and conduct a multi-party joint audit to ensure the safe restoration of CLMM services after verification is completed. At the same time, Cetus will strengthen on-chain monitoring, initiate additional audits, and regularly publish security reports. To compensate affected LPs, Cetus is working with ecosystem partners to develop a recovery plan and is calling on Sui validators to support on-chain voting to expedite the return of user assets and rebuild confidence. While legal proceedings continue, Cetus is also providing the attacker with a white hat return opportunity. Cetus will soon issue a final ultimatum to them. Any updates will be transparently communicated to the community by Cetus.

ChainCatcher news, Slow Mist's official release on the Cetus theft incident analysis indicates that the core of this event is that the attacker carefully constructed parameters to cause an overflow while bypassing detection, ultimately exchanging a very small amount of tokens for a massive amount of liquidity assets.Slow Mist stated that the attacker precisely calculated and selected specific parameters, exploiting the flaw in the checked_shlw function to obtain liquidity worth billions at the cost of just 1 token. This is an extremely sophisticated mathematical attack. The Slow Mist security team advises developers to rigorously verify all boundary conditions of mathematical functions in smart contract development.Previously, on May 22, according to community news, the liquidity provider Cetus on the SUI ecosystem was suspected of being attacked, with a significant drop in liquidity pool depth and multiple token trading pairs on Cetus experiencing declines, with estimated losses exceeding $230 million. Subsequently, Cetus issued a statement indicating that an incident was detected in the protocol, and for safety reasons, the smart contract has been temporarily suspended while the team investigates the incident.

ChainCatcher message, encrypted KOL AB Kuai.Dong@_FORAB tweeted that, according to community news and confirmation from several industry insiders, the Cetus project, which experienced a theft incident on the evening of May 22, is operated by the same team that ran the DeFi project Crema Finance on the Solana chain in 2022. Crema was under the spotlight due to a theft incident but ultimately managed to recover most of the funds.In 2022, Crema was attacked, resulting in a loss of approximately 9.6 million dollars. After the incident, the attacker returned about 8 million dollars. According to an announcement from the U.S. Attorney's Office for the Southern District of New York, the hacker involved was subsequently arrested and sentenced, with the relevant timing and amount information matching the incident at that time.

ChainCatcher message, Sui official stated: "We have learned that Cetus has experienced a theft incident. We will actively support the Cetus team in their ongoing investigation and will provide further updates as soon as possible."

ChainCatcher news, according to a post by Yu Xian, the founder of Slow Mist, "Today there have been three theft incidents, two of which are related to scams in Telegram. Familiar accounts were hacked, and the scammers carefully set up traps based on the context of chat records. The voice messages sent were also simulated (some AI tools now conveniently simulate based on historical voice). One source cannot be trusted alone; for anything involving funds, it is essential to establish another trusted source verification mechanism."

ChainCatcher news, according to on-chain detective ZachXBT, the $330 million Bitcoin transfer event that caused a 50% surge in the price of Monero (XMR) on April 28 has been confirmed as a social engineering theft targeting an elderly American. The attackers used social engineering techniques to gain access to the victim's wallet and transferred 3,520 BTC (worth $330.7 million).Previously, on April 28, a suspicious transfer occurred at a certain address, amounting to 3,520 Bitcoins (approximately $330.7 million). Subsequently, these funds began to be laundered through more than six instant trading platforms and were exchanged for Monero (XMR), causing the XMR price to soar by 50%.

ChainCatcher news, according to Slow Fog's Yu Xian, the previous incident where $5 million worth of ZK tokens were stolen due to the leakage of the administrator's private key has been resolved, and the stolen funds have been fully recovered. It is reported that during the handling of the incident, Matter Labs, the maintainer of the sole sequencer for ZKSync, intervened with the hacker's address and successfully restricted the transfer of 70% of the stolen funds. Matter Labs stated that the reason for the intervention was that the stolen ZK tokens were directly related to protocol governance.Yu Xian said, "I understand, but I feel a bit regretful about some previous theft incidents on ZKSync that were not 'internal matters'."

ChainCatcher news, Safe announced that its joint security investigation with Mandiant (now part of Google Cloud) has made significant progress and confirmed that the theft incident on Bybit on February 21 was perpetrated by the North Korean hacker group TraderTraitor, which has previously targeted the crypto industry multiple times.The attackers compromised the laptop of a Safe{Wallet} developer and hijacked an AWS session token to bypass multi-factor authentication controls. This developer is one of the few with higher privileges to perform their duties.Safe calls on the Web3 ecosystem to collectively address the increasingly complex security threats and to enhance the optimization of transaction verification tools to improve user security. The official team has released a detailed transaction verification guide and plans to further optimize the user experience to reduce potential risks.

ChainCatcher news, the Matrixport analysis report points out that after the Bybit theft incident, hidden buying may boost ETH's rebound.The specific viewpoint is as follows: "The market's focus is on how Bybit suffered the theft of nearly 500,000 ETH on Friday, but what is truly worth noting is its impact on the market. Bybit needs to repurchase ETH to replenish wallet funds, while the hackers must handle subsequent operations cautiously.From past experience, stolen funds are usually not immediately sold off, meaning short-term selling pressure is likely to be limited. Meanwhile, the market has added a potential buying demand of 500,000 ETH, while it is currently reported that only about 100,000 ETH has been repurchased. The supply-demand imbalance may drive ETH prices upward. Given that the price has shown signs of stabilization, we are optimistic about the current trend."

ChainCatcher news, Slow Mist founder Yu Xian posted on social media, "Through forensic analysis and correlation tracking, we confirm that the attackers of the CEX theft incident are the North Korean hacker group Lazarus Group. This is a nation-state APT attack targeting cryptocurrency trading platforms. We have decided to share the relevant IOCs (Indicators of Compromise), which include some IPs of cloud service providers, proxies, etc. It is important to note that this disclosure does not specify which platform or platforms were involved, nor does it mention Bybit; if there are similarities, it is indeed not impossible."The attackers utilized pyyaml for RCE (Remote Code Execution), enabling the delivery of malicious code to control target computers and servers. This method bypassed most antivirus software. After synchronizing intelligence with partners, multiple similar malicious samples were obtained. The main goal of the attackers is to gain control over wallets by infiltrating the infrastructure of cryptocurrency trading platforms, thereby illegally transferring a large amount of cryptocurrency assets from the wallets.Slow Mist published a summary article revealing the attack methods of the Lazarus Group, and also analyzed their use of social engineering, vulnerability exploitation, privilege escalation, internal network penetration, and fund transfer tactics. At the same time, based on actual cases, they summarized defense recommendations against APT attacks, hoping to provide references for the industry and help more institutions enhance their security capabilities and reduce the impact of potential threats.

ChainCatcher message, Greeks.Live macro researcher Adam released an English community briefing on the X platform, disclosing that despite the Bybit $1.5 billion Ethereum theft incident, market sentiment remains cautiously optimistic, with traders believing this is just a temporary setback. The group consensus will focus on $95,000 to $96,000 as a key support level, expecting a mean reversion upward, but there are some divergences regarding the price trend over the weekend.The market believes the impact of this hacking incident is manageable. Binance and Bitget provided emergency liquidity support by depositing 50,000 Ethereum, and traders are actively selling low volatility options (29% volatility), indicating limited concern about further declines.

ChainCatcher message, Defillama co-founder 0xngmi posted on X that since the theft incident, Bybit has seen a net outflow of 700 million dollars due to user withdrawals.

ChainCatcher news, Slow Mist's Yu Sen stated in a post on X that the group theft incident disclosed by GoPlus today involves over 800 tokens on multiple Ethereum Virtual Machine (EVM) compatible chains, with the attacker having profited $1.24 million.It is worth noting that he pointed out that the victims are primarily from the "yield farming group" (participants active in multiple project airdrop tasks).

ChainCatcher news, according to TASS, in 2024, experts from Rosseti North Caucasus branch, together with law enforcement agencies, stopped 6 cases of electricity theft from mining sites. The total amount of stolen energy was nearly 3.5 million kilowatt-hours. In terms of losses caused to the regional power grid complex, the losses exceeded 30 million rubles.

ChainCatcher news, according to The Block, multiple blockchain security experts have pointed out that a North Korean hacker group may be behind the theft incident of the Singapore cryptocurrency exchange Phemex. The attackers stole over $70 million in crypto assets, including approximately $16 million in SOL, $12 million in XRP, and $5 million in Bitcoin.MetaMask Chief Security Researcher Taylor Monahan stated that the attackers simultaneously stole a large amount of assets across multiple chains and quickly exchanged stablecoins with a high risk of freezing for ETH. Phemex CEO Federico Variola confirmed the security of the cold wallet, and the platform is developing a compensation plan for the victims.

ChainCatcher news, Slow Mist founder Yu Xian posted on the X platform stating that Slow Mist has intervened in the incident of the official X account of 0xScope being compromised, and has connected with relevant solutions, waiting for smooth progress.ChainCatcher previously reported that lmk.fun (formerly Scopescan) issued a reminder on the X platform stating that the X account of the Web3 knowledge graph protocol 0xScope (@ScopeProtocol) has been compromised. Please do not click on any links or trust the content they publish. An investigation and recovery are underway.