Web3 infrastructure provider Ankr is the latest victim of hacking and financial theft. The BNB Chain-Based DeFi protocol has confirmed in a series of tweets that it got hacked, and the attacker managed to steal six quadrillion tokens. The stolen crypto was Ankr Reward Bearing Stake/aBNBc.
Lookomchain, an on-chain analytics firm, stated that the hacking occurred on Friday, and the hacker stole around $10 million worth of crypto (USDC coins). The hacker could create countless Ankr Reward Bearing Staked BNB (aBNBc) tokens, which Blockchain security company PeckShield claim has an unlimited mint bug. Following the attack, the token’s value collapsed by at least 100%.
Soon after the attack occurred, the Binance crypto exchange paused withdrawals. Crypto intel firm Arkham stated that the attacker’s wallet address was linked to a developer at Ankr. Based on this, Arkham is not ruling out the possibility of an inside job.
As per Ankr’s spokesperson, the hacking occurred from a compromised private security key. The private-key hack helped the attacker initiate infinite tokens minting, PeckShield noted. The key was swapped out and replaced. It is worth noting that developers are allotted private keys to modify/manage smart contracts.
Ankr tweeted about the incident, claiming that all underlying assets on its Staking are safe at the moment, whereas all infrastructure services remain unaffected. Ankr has confirmed that after the exploitation of its aBNB token, it has urged exchanges to stop trading immediately.
The protocol has requested users to stop trading aBNB, and liquidity providers should remove liquidity from DEXes and keep the aBNBc.
Furthermore, Ankr claims that it is in touch with DEXes and will reissue tokens after evaluating the situation. the protocol suspects that it is an insider job and is devising a plan to compensate impacted users.
What Happened to Stolen Funds?
According to PeckShield’s tweet, hacker(s) transferred some funds to a decentralized cryptocurrency tumbler, Tornado Cash. It is worth noting that Tornado Cash was blacklisted by the US government in August 2022.
A portion of these funds was bridged through Celer and deBridgeGate. Therefore, they shifted 20 trillion of the stolen tokens into Helio, a decentralized lending protocol, and converted them into Binance Coin (BNB). Using crypto mixer Tornado Cash, they swapped the BNB for $5 million of USDC, which is equivalent to the US dollar.