2019 was another banner year for crypto fraud that will continue to adversely impact prices of Bitcoin and Ethereum going forward as Ponzi scheme PlusToken unwinds. Although some of its perpetrators have already been jailed in China, active wallets suggest that the entire crime ring hasn’t been arrested.
Moreover, the flow of funds demonstrates the sophistication of the scheme and the associated individuals who were not yet nabbed. Meanwhile, 2020 is picking up where its predecessor left off, with the $2.5 million MoonPay exploit of IOTA’s wallet showing that crypto fraud remains endemic.
MoonPay Found to Have Incubated the Latest Crypto Scam
The dollar value of the Trinity scam, which saw MoonPay’s content delivery network exploited to serve up malicious SDKs to IOTA wallet users, is a fraction that of PlusToken. However, the MoonPay attack, which saw a vulnerability in the firm’s fiat-crypto on-ramp exploited, is more insidious due to its sophistication. The hack, derived from a vulnerability that lay unpatched for three months, has sent shockwaves not only through the IOTA community but through that of all the crypto projects that have integrated MoonPay’s technology.
8.55 Ti in IOTA tokens, worth around $2.5 million, were stolen by the attacker, with an investigation by the IOTA Foundation finding that the fault lay in “illicit versions of Moonpay’s software development kit (SDK), which was being loaded automatically from Moonpay’s servers (their content delivery network) when a user opened Trinity. The code was loaded into the local Trinity instance, and, after the user’s wallet was unlocked, decrypted the user’s seed and sent the seed and password to a server controlled by the attacker.”
MoonPay claims to have “retained top cybersecurity experts to assist in our discovery process,” into the exploit,