Risks to Wallets from Solana npm Package Attack

ISMG periodically aggregates key incidents affecting the cybersecurity landscape of digital assets. Recent reports indicate that malicious npm package versions targeted Solana users, while Brazil’s largest bank began cryptocurrency trading. In addition, a Nebraska man has pled guilty to cryptojacking, Australia has issued stricter regulations for crypto businesses, and 2024 has seen a 15% decrease in cryptocurrency losses. Notably, DMM Bitcoin, a Japanese exchange, announced plans to cease operations.

Related Update: OnDemand | NSM-8 Deadline July 2022: Keys for Quantum-Resistant Algorithms Implementation

Cybersecurity analysts have identified a supply chain attack against the widely utilized @solana/web3.js npm package, integral to interactions with the Solana blockchain. Researchers at Socket discovered two malicious versions—1.95.6 and 1.95.7—embedded with code capable of exfiltrating private keys and draining user wallets. This package, which has been downloaded over 400,000 times each week, has since been removed from the npm registry.

This incident stemmed from the compromise of the maintainers’ npm account through a phishing attack, allowing malicious actors to incorporate a backdoor that extracted private keys via deceptive CloudFlare headers, forwarding them to external servers. While decentralized applications that handle private keys were primarily targeted, non-custodial wallets, which do not expose private keys during transactions, were not affected. Users encouraged to update to the latest secure version and rotate their keys if they suspect compromise.

Brazil’s largest banking institution, Itau Unibanco, has launched cryptocurrency trading services via its investment platform, beginning with Bitcoin and Ether transactions. Future expansions are planned as regulatory frameworks for cryptocurrencies develop, according to Guto Antunes, who oversees digital assets.

Founded in 1924, Itau Unibanco manages upwards of $526 billion in assets and will offer custody services for customer digital assets in-house, as reported by BeinCrypto. This strategic move positions Itau to compete with other local platforms such as MB and BTG Pactual’s Mynt, as well as global exchanges like Binance.

The launch follows recent withdrawals from other Brazilian platforms such as XP and PicPay, indicating a landscape marked by regulatory uncertainties.

A Nebraska resident has admitted guilt to wire fraud charges in Brooklyn federal court after misappropriating $3.5 million worth of cloud computing resources to mine approximately $1 million in cryptocurrency, as reported in a recent indictment.

Charles O. Parks III, also known as “CP30,” operated a cryptojacking scheme from January to August 2021, employing various aliases and corporate entities to establish accounts with cloud service providers. His operations included laundering cryptocurrency through multiple exchanges, an NFT marketplace, and traditional banking systems, ultimately converting illicit gains into luxurious purchases including a Mercedes Benz.

Parks faces a potential maximum sentence of 20 years in prison upon sentencing.

The Australian Securities and Investments Commission (ASIC) has proposed stricter licensing requirements for cryptocurrency businesses aimed at enhancing consumer protection and increasing market integrity. The release of Consultation Paper 381 clarifies existing definitions for financial products and illustrates their applicability to digital assets.

ASIC Commissioner Alan Kirkland underscored the need for a balance between fostering responsible financial innovation and ensuring consumer confidence. The advisory also outlines the transitional measures for businesses adapting to the evolving regulatory framework.

Stakeholders are invited to submit feedback until February 28, 2025, with final guidance expected in mid-2025, which will significantly influence the future of Australia’s cryptocurrency ecosystem.

In 2024, total cryptocurrency losses reached nearly $1.49 billion across 209 incidents, reflecting a 15% drop from the $1.75 billion reported during the same period last year, according to Immunefi’s Crypto Losses Report. The majority of these losses, accounting for 99.96%, were linked to hacking incidents, with rug pulls constituting a minor portion of the total.

The most significant losses were reported in May and July, at $359 million and $282 million, respectively. November also recorded substantial losses amounting to $71 million, primarily affecting decentralized finance projects such as Thala Labs and DEXX. The BNB Chain emerged as the most targeted network, sustaining 46.7% of attack incidents.

Japanese cryptocurrency exchange DMM Bitcoin has announced its decision to shut down operations and transfer its assets to SBI VC Trade Co., a subsidiary of SBI Holdings, by March 2025. This decision follows a significant security breach in May that resulted in the loss of 4,502.9 bitcoins, valued at around $303 million.

SBI VC Trade is preparing to take over DMM Bitcoin’s 14 cryptocurrency trading services prior to the asset transfer, with both companies currently finalizing specifics of the transition. This move, stated to prevent further inconveniences for customers, comes amid ongoing investigations into the May hack.

Reporting contributed by David Perera from Information Security Media Group, Washington, D.C.