Explained: The Nexera Hack (August 2024)


Rob Behnke

August 13th, 2024


In August 2024, Nexera was the victim of a hack with approximately $1.5 million in losses. The attackers deployed malware on the team’s computers to steal private keys with the privileges required to carry out the attack.

Inside the Attack

The Nexera hack began as a social engineering attack using techniques that are increasingly common in the DeFi space. A Nexera employee was approached regarding a part-time consulting position where they would be paid to review smart contract code or other documents related to a DeFi project.

As part of the assessment for the role, the target was instructed to take a skills test, which involved cloning and building code for a game from a GitHub repository. The code included malware that was executed on their machine, enabling the attacker to steal login credentials used to manage Nexera smart contracts.

With this access, the attacker was able to transfer ownership of some of Nexera’s smart contracts to themselves and block upgrades and reassignment of ownership. They were also able to drain the value stored in these contracts, allowing them to steal an estimated $1.5 million of tokens that were staked within the affected contracts.

After identifying the hack, the Nexera team froze its contracts and performed an investigation. They also zeroed out the token balance of the attacker’s accounts, eliminating all but the approximately $449K they had already stolen.

An investigation into the incident found that the social engineering techniques and malware used were part of the modus operandi for the Lazarus Group and similar threat actors. These attacks commonly involve fake job offers designed to deploy malware that steals privileged login credentials used to manage DeFi projects.

Lessons Learned from the Attack

The Nexera hack is a lesson in the importance of decentralized access management and protection against social engineering attacks. While anyone could fall for the pretext used by these attackers — believed to be the Lazarus Group or a similar organization — the real security issue is that a single computer had such wide-reaching power and control over the Nexera smart contracts. This power could have been abused in a rug pull or used by an attacker, as demonstrated by this incident.

Security best practices encourage the use of multi-signature wallets for contract management and hardware wallets to secure highly privileged accounts, both measures that Nexera plans to implement in the wake of this incident. For help in securing your DeFi project against similar threats, get in touch with Halborn.

© Halborn 2024. All rights reserved.