Risks Associated with the Solana npm Package Attack on Wallets


Individual Charged with Stealing $3.5 Million in Cloud Resources to Mine Cryptocurrency Pleads Guilty

Cryptohack Roundup: Solana npm Package Attack Risks Wallets

Every week, ISMG rounds up significant cybersecurity events in digital assets. This week, attackers used malicious npm packages to target Solana users, while Brazilian banking leader Itaú Unibanco ventured into cryptocurrency trading. Additionally, a Nebraska man entered a guilty plea for cryptojacking, Australia announced stricter regulations for crypto businesses, and total cryptocurrency losses for 2024 saw a 15% decrease. Furthermore, the Japanese exchange DMM Bitcoin confirmed plans to shut down operations.

Exploitation of Malicious npm Packages by Attackers Targeting Solana

Cybersecurity analysts recently revealed a supply chain attack directed at the popular npm package @solana/web3.js, which enables developers to interface with the Solana blockchain. Researchers from Socket identified two compromised versions, 1.95.6 and 1.95.7, intentionally engineered to extract private keys and drain cryptocurrency wallets. These compromised packages, regularly downloaded over 400,000 times each week, have since been removed from the npm registry.

The breach appears to have resulted from attackers gaining unauthorized access to the npm account of the package maintainers, likely through a phishing scheme. The malicious code they added exfiltrated private keys to an external server, disguising them within legitimate Cloudflare headers. Projects that handle private keys directly, including decentralized applications, were specifically targeted; non-custodial wallets, which do not expose private keys during transactions, remained unaffected. Users are urged to update to a secure version of the package and rotate vulnerable keys.

Itaú Unibanco Enters the Cryptocurrency Trading Space

Itaú Unibanco, Brazil’s largest bank, has launched cryptocurrency trading capabilities through its investment platform. Initially, clients will have access to trade Bitcoin and Ether, with Guto Antunes, head of digital assets, indicating future plans to broaden their offerings in response to evolving regulations in the cryptocurrency landscape. Founded in 1924 and managing over $526 billion in total assets, Itaú intends to protect customer digital assets with its in-house custody solutions.

This strategic move positions Itaú to compete with local exchanges such as MB and BTG Pactual’s Mynt, and global exchanges like Binance. Unlike many competitors, Itaú will act as a custodian for users’ digital assets. This launch follows exits from Brazilian cryptocurrency market players like XP and PicPay, signaling ongoing regulatory uncertainty within the sector.

Pleading Guilty: Cryptojacking Case of a Nebraska Man

Charles O. Parks III, known in the digital underground as “CP3O,” has pleaded guilty to multiple charges of wire fraud related to a cryptojacking scheme that involved stealing approximately $3.5 million in cloud computing resources to mine around $1 million worth of cryptocurrency. Operating from January to August 2021, Parks used various identities and corporate affiliations to create and register accounts with cloud service providers. He set up email domains using the names of two companies he created, “MultiMillionaire LLC” and “CP3O LLC.”

Parks moved the illicit cryptocurrency through exchanges, an NFT marketplace, and traditional banking channels, laundering the proceeds and spending them on luxury purchases, including a Mercedes-Benz, jewelry, and high-end travel. He faces up to 20 years in prison. The case highlights significant issues surrounding cloud resource misappropriation.

Australia Enhances Regulatory Framework for Cryptocurrency Businesses

The Australian Securities and Investments Commission (ASIC) has proposed more stringent licensing requirements aimed at bolstering consumer protection and ensuring market integrity within the cryptocurrency sector. The updates, presented in Consultation Paper 381, aim to clarify existing financial product definitions and include 13 examples relevant to digital assets.

ASIC Commissioner Alan Kirkland emphasized the dual necessity of encouraging responsible financial innovation while safeguarding consumer trust. The paper sets out transitional arrangements for businesses adapting to the proposed framework. Stakeholders are invited to submit feedback by February 28, 2025, with the final guidance expected by mid-2025.

Decline in Cryptocurrency Losses Recorded in 2024

According to Immunefi’s Crypto Losses Report, cybersecurity incidents related to cryptocurrency resulted in nearly $1.49 billion in losses across 209 incidents during 2024, reflecting a 15% decrease from the $1.75 billion reported in the prior year. Notably, hacks constituted the overwhelming majority of these losses, accounting for a staggering 99.96% of the total, while rug pulls made up only a small percentage of the reported incidents.

The largest losses were recorded in May and July, amounting to over $359 million and $282 million, respectively. November’s figures showed $71 million in losses primarily concentrated in decentralized finance projects, notably impacting Thala Labs and DEXX. The BNB Chain emerged as the most targeted platform, enduring approximately 46.7% of the attacks, reflecting a concentrated threat landscape within the cryptocurrency sector.

DMM Bitcoin Set to Cease Operations

Japanese cryptocurrency exchange DMM Bitcoin has officially declared its intention to terminate operations and transition its assets to SBI VC Trade Co., part of SBI Holdings, by March 2025. This decision follows a significant cybersecurity breach in May, wherein the platform suffered the loss of 4,502.9 bitcoins, valued at around $303 million.

SBI VC Trade plans to assume DMM Bitcoin’s fourteen trading offerings prior to the asset transfer’s completion. Ongoing discussions between both firms include the method and timing for the transfer. DMM Bitcoin, associated with the DMM Group, has communicated that this decision seeks to prevent further complications for clients as investigations into the aforementioned hack continue.

With reporting contributed by Information Security Media Group’s David Perera in Washington, D.C.
