Rob Behnke
December 14th, 2020
On December 14, 2020 Nexus Mutual reported a hack targeting its CEO Hugh Karp. A member of the mutual changed the destination of a transaction being performed from Karp’s personal wallet. This allowed the attacker to steal $8 million in cryptocurrency; however, the rest of the mutual is not affected.
The Nexus Mutual attack was a multi-stage hack. In the first stage, the attacker gained remote access to the CEO’s computer and used this access to replace the MetaMask extension in Karp’s browser with a malicious version.
Using this malicious extension, the attacker was able to change the transaction being performed and signed by Karp to one that sent wNXM to an attacker-controlled address. This revised transaction transferred 370,000 wNXM tokens (Nexus Mutual’s token) to the attacker.
After stealing the wNXM tokens, the attacker began using 1inch.exchange to convert them to Ether. This process continued over several hours, and, at the time of writing, over half of the tokens had been successfully converted. However, the attacker is still periodically making additional transactions on 1inch.exchange to further convert from wNXM to ETH.
This was a sophisticated and targeted attack against the Nexus Mutual CEO. The amount of cryptocurrency that Karp controlled is one of the main reasons that he was targeted and meant that the attacker had sufficient incentive to put in the work to get the attack “right”.
That being said, this hack was likely enabled by a couple of instances of user error. These include the initial attack against Karp’s computer and the failure to validate the transaction in question before signing.
A crucial component of this attack was the attacker’s ability to modify the MetaMask extension used by Karp. This made it possible to change the transaction performed by Karp to one sending a large amount of wNXM to an attacker-controlled address.
Currently, no information is available regarding how the attacker managed to gain remote access to the CEO’s machine to change the extension. However, it is probable that this initial compromise was made possible by human error (clicking on a phishing link, use of a weak password, etc.). Once the initial infection vector is identified, steps should be taken to ensure that similar attacks do not occur in the future.
According to Nexus Mutual’s release on the hack, Karp was using a hardware wallet to protect this account. However, the attacker was able to trick Karp into signing a different transaction than the one intended.
The fact that the attacker succeeded in getting Karp to sign the modified transaction demonstrates that Karp did not verify the transaction data on the hardware wallet (which presumably was not compromised) before signing it. Due to the small screen size of these devices and the likelihood that Karp performs many such transactions per day, this is unsurprising but unfortunate.
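The comparison that verifying a transaction before signing amounts to, as an added example that is not code from Nexus Mutual or the original article: it decodes the calldata of the transaction about to be signed and lists where it differs from what the user intended. It assumes a standard ERC-20 `transfer(address,uint256)` call and 18 token decimals; the addresses and the intended amount are constructed placeholders, and the function names are hypothetical.

```python
# Added example. All addresses below are constructed placeholders, not real contracts.
TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")  # ERC-20 transfer(address,uint256)

def encode_transfer(recipient: str, amount: int) -> str:
    """Build ERC-20 transfer calldata (used here only to make sample input)."""
    addr = bytes.fromhex(recipient[2:]).rjust(32, b"\x00")
    return "0x" + (TRANSFER_SELECTOR + addr + amount.to_bytes(32, "big")).hex()

def decode_transfer(calldata: str):
    """Return (recipient, amount), or raise ValueError if not a plain transfer."""
    raw = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    if len(raw) != 68 or raw[:4] != TRANSFER_SELECTOR:
        raise ValueError("not a transfer(address,uint256) call")
    if any(raw[4:16]):  # an address occupies only the low 20 bytes of its word
        raise ValueError("address word has non-zero padding")
    return "0x" + raw[16:36].hex(), int.from_bytes(raw[36:68], "big")

def mismatches(intended: dict, tx: dict) -> list:
    """List every way the transaction to be signed differs from the intent."""
    found = []
    if tx["to"].lower() != intended["token"].lower():
        found.append("token contract")
    try:
        recipient, amount = decode_transfer(tx["data"])
    except ValueError as err:
        return found + [str(err)]
    if recipient != intended["recipient"].lower():
        found.append("recipient")
    if amount != intended["amount"]:
        found.append("amount")
    return found

TOKEN = "0x" + "11" * 20   # constructed token contract address
PAYEE = "0x" + "22" * 20   # constructed intended recipient
OTHER = "0x" + "33" * 20   # constructed unexpected recipient
AMOUNT = 1_000 * 10**18    # constructed intended amount, assuming 18 decimals

INTENDED = {"token": TOKEN, "recipient": PAYEE, "amount": AMOUNT}
AS_INTENDED = {"to": TOKEN, "data": encode_transfer(PAYEE, AMOUNT)}
# Same token contract, but recipient and amount differ from the intent.
ALTERED = {"to": TOKEN, "data": encode_transfer(OTHER, 370_000 * 10**18)}

if __name__ == "__main__":
    print("as intended:", mismatches(INTENDED, AS_INTENDED))
    print("altered:    ", mismatches(INTENDED, ALTERED))
```

Such a check only helps if it runs somewhere the compromised browser cannot alter, which is the role the hardware wallet's own display plays.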
Currently, little information is available regarding the attack against Nexus Mutual CEO Hugh Karp. The attack was obviously highly targeted and leveraged user error, but the exact details are currently unavailable. However, this hack serves as a cautionary tale about the potential impacts of user error when dealing with high-value cryptocurrency accounts.