coinpedia.org
In one of the most severe events this year, the web3 game Munchables on the Blast layer-2 platform experienced a cyberattack, resulting in a significant loss of funds for the gaming platform. As reported by blockchain researcher ZachXBT, the attack resulted in the loss of 17,400 ETH, equal to $62.5 million. What caught my attention was that the developer who stole the funds returned them without any conditions.
Munchables has been compromised. We are tracking movements and attempting to stop the the transactions. We will update as soon as we know more.
— Munchables (@_munchables_) March 26, 2024
Hacker Revealed as North Korean Group Member.
The source of the attack is being speculated, with ZachXBT saying that it is related to North Korea, the country previously implicated in targeting different crypto projects such as the Ronin Network, CoinEx, Stake, Atomic Wallet, and Harmony.
Four different devs hired by the Munchables team and linked to the exploiter are likely all the same person as they:
— ZachXBT (@zachxbt) March 27, 2024
>recommended each other for the job
>regularly transferred payments to the same two exchange deposit addresses >funded each others wallets
Github Username… https://t.co/Q0scxp6AxK pic.twitter.com/Pjjo4uKXPE
Further research by ZachXBT demonstrated that the malicious actor was an employee of the Munchables and had the opportunity to modify some parts of the smart contract code and provide unauthorized access.
Besides, ZachXBT unearthed proof of collusion between four Munchables developers and the exploiter. Such persons, presumably the same person, recommended each other for a job, regularly moved money in the accounts jointly used for exchange and donated money to each other.
Hacker Dev Returns Stolen Funds, Ending Well.
Despite the odds, the members of Blast Core have accumulated $97 million in a multi-signature wallet after a lot of work in the background. In the same way, the Munchables ex-developer who took funds voluntarily returned them without any ransom demands, demonstrating a good ending.
To assist in the recovery of user funds, the Munchables developer published all the relevant private keys. This includes key 3, holding $62,535,441.24, another key of 73 WETH, and an owner key for the rest. Surprisingly, he has agreed to give away these keys without any conditions; thus, a quick settlement of this crisis was ensured.
Conclusion
Though the severity of the attack can’t be underestimated, Munchables will continue to maintain users’ security by not enforcing lockdrops. Furthermore, all Blast-related rewards will be made available as planned, and more updates will be foreseen in the coming days.
While the investigation proceeds and the rescue operations persist, all key players are still on standby, looking forward to the next developments after this critical cyberattack on the Web3 gaming platform.