I-Degen
# [I, Degen - Episode 2 - 4/9/2022](https://idegen.fm/episodes/e2-inverse-hydra-4-9-2022)

:::info
## Hydra darknet bust, Inverse Finance Hack, Lapsus$ team take-down, & bubble gum ape heist
:::

:::success
contact us [@idegenfm](https://twitter.com/idegenfm)
:::

### 1) Ronin Bridge Attack update

* [Sky Mavis raises more than 150 million to reimburse hacked funds led by Binance](https://arstechnica.com/gaming/2022/04/axie-infinity-raises-150m-to-help-reimburse-hacked-user-funds/), and including Paradigm, A16, and others. Some question this fundraising as a centralized bailout, while questions loom around the sustainability of the play-to-earn model at the core of Axie Infinity.
* Movement on hacked funds, [notably 300 ETH to Tornado Cash](https://cryptopotato.com/axie-infinitys-ronin-bridge-hacker-starts-to-move-stolen-ethereum-eth/)

### 2) [Seven Lapsus$ group hackers arrested](https://www.bbc.com/news/technology-60864283)

**Why this?** Infamous crypto hackers, SIM swappers, and general blackhats.

**When:** 4/2

**What happened:** Former hacking partners turned on this main guy and doxxed him. Law enforcement circled in.

**Who:**

* The group that [tried to blackmail Nvidia](https://portswigger.net/daily-swig/nvidia-hackers-allegedly-attempting-to-blackmail-company-into-open-sourcing-gpu-drivers) into open-sourcing GPUs (likely so they could be modified and used for crypto mining)
* Mostly teens, so names aren't released, but

> Under his online moniker "White" or "Breachbase" the teenager, who is autistic, is said to be behind the prolific Lapsus$ hacker crew, which is believed to be based in South America.

### 3) [Bubble Gum Ape Heist](https://twitter.com/0xquit/status/1511198290565509120?s=21&t=mUf0Ew3lkOB5GrdQ_VOw3A)

- Bored ape holder "s27" traded their bubble gum ape and matching mutant derivatives, with a floor value of $567k, for basic ass photoshopped impostor apes

**Why cover this?** As if we needed another reminder that NFT markets are sketchy, plus the absolute simplicity of the scam. Raises important questions around NFT verification.

**What:** simple photoshop scam

> The victim entered into a direct swap trade with the scammer via a third-party service called swap.kiwi. Unlike regular marketplaces like OpenSea, platforms like swapkiwi allow direct NFT swaps between collectors, reducing transaction ("gas") fees.
>
> Unknown to s27, the other participant in the trade put up knock-off NFTs in exchange for s27’s legitimate Bored Ape and Mutant Apes. The scammer used images of actual Bored Apes to create fake replicas and uploaded the same ones to OpenSea.

\- https://www.theblockcrypto.com/post/140702/bored-ape-holder-loses-nfts-worth-567000-to-a-scammer

**where:** swap.kiwi

**Who:** anon & s27

**When:** 4/1-3/2022

:::warning
It's unclear if the scammer actually used Photoshop or some other editor.
:::

### 4) Hydra Darknet Market bust

**when:** 4/5/2022

**what is Hydra:**

> the world’s largest darknet market by revenue.

> Hydra specialized in same-day 'dead drop' services, where drug dealers (vendors) hide packages in public places before informing customers of the pick-up location

> The market primarily caters to criminals in Russia and surrounding nations. “Treasuremen,” or dealers connected with the site, push drugs throughout the region by hiding them in [geo-tagged pickup locations.](https://www.theverge.com/2022/4/5/23011377/germany-servers-russian-darknet-site-hydra-bitcoin)

> The website launched in 2015 selling drugs, hacked materials, forged documents and illegal digital services such as Bitcoin-mixing - which cyber-criminals use to launder stolen or extorted digital coins.

> The site was written in Russian, with sellers located in Russia, Ukraine, Belarus, Kazakhstan and surrounding countries.

> Police say 17 million customers and more than 19,000 seller accounts were registered on the marketplace, which now carries a police seizure notice.

> after a tip-off, German police seized the Hydra's servers and confiscated €23m (£16.7m) in Bitcoin.

25.2 million USD

> Hydra was seemingly impervious to police attempts to stop it.

\- [BBC](https://www.bbc.com/news/technology-61002904)

> Germany’s federal police shut down the Russia-based Hydra Market, the world’s largest darknet market by revenue. Later in the day, the Justice Department followed up by indicting one of Hydra’s key operators, and the U.S. Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Hydra, adding more than 100 of its cryptocurrency addresses to the SDN list as identifiers.

> In 2021, Hydra received more than $1.7 billion worth of cryptocurrency, which accounts for over 75% of all darknet market revenue globally.

\- [Chainalysis](https://blog.chainalysis.com/reports/hydra-garantex-ofac-sanctions-russia/)

**Who?:** Dmitry Olegovich Pavlov is said to be the mastermind behind Hydra.

### 5) [Inverse Finance Hack](https://rekt.news/inverse-finance-rekt/)

:::info
15M taken in exceptionally clever defi attack.
:::

[**What is Inverse Finance?**](https://docs.inverse.finance/inverse-finance/about-inverse)

> Inverse Finance is a community of cryptocurrency enthusiasts organized as a Decentralized Autonomous Organization (DAO), started on the 26th of December 2020. Inverse DAO governs and develops a suite of permissionless and decentralized finance tools using blockchain smart contract technology. The code base is open-source, and maintained by the community.

[Inverse Marketing Pitch](https://www.inverse.finance/)

> Master the Game Of Positive Sum DeFi

> Here at Inverse Finance, we're decentralized by design, moving past reckless, outdated systems towards a better solution: Positive Sum Defi. We help you maximize your earnings via revenue sharing, accumulate high yields with sustainable APYs, and benefit from low-cost stable coin borrowing. Join our community to grow and thrive.

**Why this?**

* Oracle manipulation is not new in defi, but does represent one of the most fascinating classes of exploits in crypto right now. I want to call these defi anti-pattern attacks, but that's probably not the most technically accurate description.
* 15.6 Million is not a huge amount in the world of crypto hacks, but the complexity and style of the attack is worth noting.

**When:** 4/2/2022

**Who:** anon

**What happened:**

[From Inverse Twitter:](https://twitter.com/InverseFinance/status/1510282040809299972?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1510282040809299972%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.coindesk.com%2Ftech%2F2022%2F04%2F02%2Fdefi-lender-inverse-finance-exploited-for-156-million%2F)

> This morning Inverse Finance's money market, Anchor, was subject to a capital-intensive manipulation of the INV/ETH price oracle on Sushiswap, resulting in a sharp rise in the price of INV which subsequently enabled the attacker to borrow $15.6 million in DOLA, ETH, WBTC, & YFI

[From Rekt.news](https://rekt.news/inverse-finance-rekt/)

> A professionally executed hack allowed an anonymous actor to manipulate the price of INV and help herself to an exclusive deal from the ETH based lending protocol.

Let's walk through the attack with Rekt:

> 1) First of all, the exploiter withdrew 901 ETH from Tornado Cash.

^^ Start with mixed coins

> 2) Then they transferred 1.5 ETH to 241 clean addresses via Disperse and deployed five different smart contracts, of which only one was real.

^^ Used as prep to spam txs on step 4?

> 3) He then swapped 500 ETH to 1.7k INV so that it went through the INV-WETH pair on SushiSwap, significantly changing the price due to low liquidity (50x).

^^ Manipulate the oracle

> 4) At the same time, he began spamming transactions with an exploit to be the first to get into the next block and get an inflated price from SushiSwap.

^^ Beat other flashbots to the opp, not sure what exploit was in the TXs though?

> The Inverse Finance oracle, through Keeper Network, ended up using SushiSwap TWAP as an oracle, returning the price that made the INV token on the platform incredibly expensive.

^^ INV price is high because of the attacker's manipulation

> The attacker then deposited his 1.7k INV (fair price - $644k) as collateral and (permanently) borrowed $15.6M.

^^ Success

**Final Thoughts:**

- Attacker started with 901 ETH, ~2 Million USD. Confident or risk tolerant? I don't know, but it's interesting to think about how failed attempts at exploits like this are out there that we don't hear about.
- There is an ongoing discussion about _if_ these kinds of attacks are actually attacks. The "code is law" side might say no, but of course the protocol designers will say yes.
- Hacks like this stand to strengthen the foundation of DeFi if we can learn from them.

Outro: Big week, what's next?

You can find our shows at [https://idegen.fm](https://idegen.fm)
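
For the oracle manipulation covered in section 5, here is an added example (not from the episode notes, Rekt, or Inverse Finance) that takes the quoted figures of 500 ETH in, about 1.7k INV out and a 50x price move, infers how shallow the pool must have been, and shows how the averaging window of a TWAP oracle dampens a one-block price spike. It assumes a fee-less constant-product (x*y=k) pool and an arithmetic TWAP; the function names and the window lengths are constructed for illustration and are not Inverse's actual configuration.

```python
import math

# Figures quoted in the write-up above; everything else is derived or constructed.
ETH_IN, INV_OUT, PRICE_MULTIPLE = 500.0, 1700.0, 50.0

def infer_reserves(eth_in, inv_out, price_multiple):
    """Solve pool reserves from one swap, assuming a fee-less x*y=k pool.

    Spot price (ETH per INV) is x/y, so a swap of dx scales it by ((x+dx)/x)**2.
    """
    growth = math.sqrt(price_multiple)
    eth_reserve = eth_in / (growth - 1)
    inv_reserve = inv_out * (eth_reserve + eth_in) / eth_in
    return eth_reserve, inv_reserve

def swap_eth_for_inv(eth_reserve, inv_reserve, eth_in):
    """Apply the swap; return the new reserves and the INV paid out."""
    new_eth = eth_reserve + eth_in
    new_inv = eth_reserve * inv_reserve / new_eth
    return new_eth, new_inv, inv_reserve - new_inv

def twap_inflation(price_multiple, held_blocks, window_blocks):
    """Factor by which an arithmetic TWAP overstates the fair price when the
    manipulated spot price is in force for `held_blocks` of the window."""
    held = min(held_blocks, window_blocks)
    return ((window_blocks - held) + price_multiple * held) / window_blocks

def window_report(windows=(1, 10, 100, 1000), held_blocks=1):
    """Constructed window lengths, in blocks; not Inverse's actual setting."""
    return {w: round(twap_inflation(PRICE_MULTIPLE, held_blocks, w), 3) for w in windows}

if __name__ == "__main__":
    x, y = infer_reserves(ETH_IN, INV_OUT, PRICE_MULTIPLE)
    print(f"implied pool depth: {x:.1f} ETH / {y:.0f} INV")
    nx, ny, out = swap_eth_for_inv(x, y, ETH_IN)
    print(f"swap pays {out:.0f} INV, spot moves {(nx / ny) / (x / y):.1f}x")
    for w, f in window_report().items():
        print(f"TWAP window {w:>4} blocks -> oracle reads {f}x fair price")
```

Under these assumptions the pool held only about 82 ETH against roughly 1,980 INV, which is why a lending market that prices collateral from a thin pool needs a long averaging window, a liquidity floor, or a second price source.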
