Hugh Karp, the founder of DeFi insurance protocol Nexus Mutual, experienced an attack at 9:40 am (GMT) on December 14 that resulted in a loss of more than $8 million.
Nexus Mutual announced the news via a Twitter post on Monday (December 14), saying that Karp’s personal wallet address was attacked and drained by a member of the protocol. The address contained 370,000 NXM (Nexus Mutual) tokens, currently worth about $8.25 million.
Speaking to an online portal, The Block, Karp said that the attackers tricked him into approving a transaction and then gained access to his computer and altered his MetaMask extension. “Then when I was performing an unrelated transaction, MetaMask popped up with a spoof transaction, and I subsequently approved it, thinking it was the transaction I was intending to conduct. Instead, it was transferring NXM to their wallet,” said Karp. Nexus Mutual is unaffected and nobody else is impacted, he said. “My private keys are still secure. The attacker didn’t get access to them. They tricked me into signing a spoof transaction,” added Karp.
According to a tweet from the Nexus Mutual official handle, the attacker completed KYC eleven days ago and then switched membership to a new address on Friday, December 3rd. Nexus Mutual is not impacted; the pool of funds and all systems of the firm are safe.
On the 14th of December 2020, 370,000 NXM tokens were stolen from Hugh Karp’s ETH wallet address and deposited to the hacker’s address ‘E1’ (as highlighted in the graph below) through the transaction ID 0x4ddcc21c6de13b3cf472c8d4cdafd80593e0fc286c67ea144a76dbeddb7f3629.
These 370,000 NXM tokens were then converted into wrapped NXM tokens, which were then sent to 0x03E89F2e1EbCEa5d94c1B530f638cEA3950c2E2b, hereafter referred to as E2.
After a series of back and forth transactions between E3 and E4, the hacker executed as many as 27 transactions with smart contracts from address E2 to convert the WNXM (wrapped) tokens into 742.75 wrapped ETH.
Of this 742.75 WETH, approximately 100 WETH tokens were then sent from E2 to address E3 along with 97,992 WNXM tokens, and 10,954 WNXM tokens were sent from E2 to address E4. 50,000 WNXM tokens were sent from address E3 to address E4. The hacker then proceeded to convert some of the leftover WNXM tokens to 137.188 renBTC.
The address E4 currently has approximately 60,954 WNXM tokens and these funds have not been moved further.
Funds have been moved around addresses E2, E3, and E4 on multiple occasions in addition to numerous smart contract transactions to convert the WNXM tokens to wrapped ETH, TetherUSD tokens, and renBTC.
The hacker has a total of 5 BTC addresses which are used to move the stolen funds, the details of which are as follows (‘H’s are confirmed hacker addresses and ‘A’s are suspected hacker addresses, refer to the table below for addresses and their respective tags given in the graphs):
All exchanges that are receiving funds from Hugh Karp’s wallet can freeze the account of the user associated with the incoming transaction (flagged by a blockchain analysis tool), preventing them from trading one currency for other cryptocurrencies, especially anonymous ones, that could then be transferred elsewhere and are more difficult to trace.
Merkle Science has updated wallet addresses associated with Hugh Karp’s wallet. All our partners and customers will also receive immediate information if any funds they receive are from the hackers’ wallet.
Most exchanges globally share information on stolen fund addresses to deal with such risks and collaborate with law enforcement agencies and blockchain analysis firms such as Merkle Science for additional data and investigative services.
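The deposit screening described above, as an added example that is not Merkle Science's tooling or code from the original article: it replays the transfers narrated for E1 to E4, tags addresses by hop distance from E1, and decides on an incoming deposit. The names KARP, DEX_POOL and USER_X, the two DEX rows, and the reading that E1 forwarded the wrapped tokens to E2 are assumptions made for illustration.

```python
from collections import deque

# Flows as the article narrates them; E1-E4 are the article's labels.
# Constructed here: KARP, DEX_POOL, USER_X, the DEX rows, the E1 -> E2 sender.
TRANSFERS = [  # (sender, receiver, asset, amount)
    ("KARP", "E1", "NXM", 370_000),
    ("E1", "E2", "WNXM", 370_000),
    ("E2", "E3", "WETH", 100),
    ("E2", "E3", "WNXM", 97_992),
    ("E2", "E4", "WNXM", 10_954),
    ("E3", "E4", "WNXM", 50_000),
    ("E2", "DEX_POOL", "WNXM", 1),      # constructed swap leg, amount arbitrary
    ("DEX_POOL", "USER_X", "WNXM", 1),  # constructed unrelated pool user
]
SERVICES = {"DEX_POOL"}  # shared contracts: never tagged, never traversed


def hops_from(seeds, transfers, services=frozenset(), max_hops=3):
    """Breadth-first walk of outgoing transfers; returns {address: hop count}."""
    out = {}
    for src, dst, _asset, _amount in transfers:
        out.setdefault(src, set()).add(dst)
    dist = {s: 0 for s in seeds}
    queue = deque(seeds)
    while queue:
        addr = queue.popleft()
        if dist[addr] >= max_hops:
            continue
        for nxt in out.get(addr, ()):
            if nxt not in dist and nxt not in services:
                dist[nxt] = dist[addr] + 1
                queue.append(nxt)
    return dist


def net_balance(address, asset, transfers):
    """Net amount of `asset` held by `address` after replaying the transfers."""
    return sum(a if d == address else -a
               for s, d, t, a in transfers if t == asset and address in (s, d))


def screen_deposit(sender, flagged):
    """Exchange-side decision for an incoming deposit from `sender`."""
    if sender in flagged:
        return f"freeze: {flagged[sender]} hop(s) from seed"
    return "allow"


FLAGGED = hops_from(["E1"], TRANSFERS, SERVICES)
```

Without the `SERVICES` stop-list the same walk also tags USER_X, an unrelated pool user, which is why shared contracts are excluded from propagation.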
Our team will continue to update this article on a periodic basis following continuing movements of the stolen funds.