Wu Shuo Author | Liu Quankai Editor of this issue | Colin Wu

Almost at the same time, the two major DeFi security incidents of this year reached their conclusions. On August 12, Beijing time, about 52 hours into the Poly Network incident, the hacker finally chose to return all the assets. The other case, BSC:StableMagnet (hereinafter SMAG), began on June 23; after more than a month, the British police recovered most of the assets and issued an official press release.

Both were DeFi security incidents and both had a happy ending, but they differ. In the Poly Network case, large institutions in the industry responded and marshalled hundreds of parties, quickly forcing the hacker to give in. The SMAG incident tells the story of a decentralized community without institutional support that united to save itself, fought a fierce and drawn-out confrontation with stubborn hackers, and finally won.

It is also this decentralized community without institutional support that achieved many "firsts". For the first time, it brought about full cooperation with centralized forces and cracked a large DeFi case with police participation. For the first time in the history of DeFi attacks, the police pushed for an on-chain refund. And the police who initiated it were the British police. As we all know, the UK is a bridgehead of traditional finance and traditional order, and one of the largest forces in the centralized world. This is a milestone for both DeFi and the centralized world.

Recently, in the wake of the Poly Network case, DeFi security has once again become a real issue widely discussed by traders and the crypto community. That the crypto community worked together to crack a DeFi security case and recover the digital assets is of great milestone significance. Through interviews with people who experienced the SMAG case, the case is laid out here in full.
The interviewee has many years of experience in the blockchain industry, is an old DeFi farmer, has extensive connections in the crypto community, and was one of the key reporters of this case. Below I expand on the interviewee's perspective. Without changing the substance of events, I have combined relevant reports on the incident and lightly edited the text of some interviews. (The following "I"/"we" refers to the interviewee and fellow "scientists" in the crypto community.)

Before the accident:
On June 20 (three days before the incident), I learned about the StableMagnet mining pool on BSC through BSC Daily. At that time the annualized stablecoin yield ran into the thousands, which was very attractive. When the project first launched, it did not attract much attention. Most ordinary investors do not understand the code and regarded it as just another new "local dog" project, so most small investors participated with small funds. Unlike ordinary investors, old players and scientists analyze the security of the contract to decide whether it is worth the risk. As an old DeFi farmer, I kept my usual habits, studied the relevant materials, and after exchanging opinions with several scientist friends in the circle, we believed it was safe. Because of its super-high APY, we chose to participate heavily. Although the project was not well known to the public, it quietly spread in the scientist circle, and TVL grew from several million U to 24 million U in two days.

"Alarm" before the accident:
A few hours before the incident, scientists and some crypto community members received letters from anonymous sources suggesting that SMAG would rug pull. We had no evidence and could not verify the claims in the letter; the scientists had studied the code before "entering", and nothing unusual had happened.
If we publicly warned the community and accused the project of being fake, it would likely cause strong FUD and might end up harming an innocent project. The anonymous letter put us in a dilemma. Although we began to have some doubts, we did not say much about the matter.

To clarify this point: some members of the crypto community received the anonymous letters, and rekt was one of them. Although rekt saw it in advance, it chose not to publish, and most recipients did not see it.

The accident happened:
In the early morning of June 23, Asia time, StableMagnet Finance took advantage of the hours when most investors were asleep to launch its attack, stole $24 million of users' stablecoins, emptied users' wallets, and ran. The project website, Telegram group and Twitter were all closed and disbanded. The community quickly recognized what had happened and immediately reported the situation to Binance. However, it did not receive as much attention as the Poly incident. The hacker held tens of millions of dollars in assets and even transferred them out through Binance.

Rights protection:
There were more than 1,000 wallets with assets on SMAG. Shortly after the incident, Chinese and English rights-protection groups were quickly set up. At first I was at a loss, and panic followed. Although the community contacted the exchange within ten minutes of the incident, the exchange did not respond for more than six hours, and tens of millions of dollars of assets were successfully transferred across chains through the exchange (treatment very different from the Poly incident). Although the exchange failed to prevent the outflow, it quickly launched an investigation and collected clues afterwards.
Although the investors in this project had no leading institution with extensive social resources and connections, and could not gain the rapid and widespread attention and support from across the industry that the PolyNetwork incident received, the crypto community did not give up. Don't forget that many scientists were involved in this project. The battle between the community and the scammers had officially begun. A community investigation team with Ogle at its core was spontaneously formed to investigate all the traces and clues the hacker had left.

Regroup:
Although we had not prevented the attack, and the news of the escape was not easy to accept, some of our suspicions were linked to the anonymous letter we had received, and we concluded that the Techrate audit was not completely reliable. The anonymous letter resurfaced, and scientists and security experts began to re-examine the project. The vulnerability was buried in an unverified library; we had initially assumed the library was verified, but no one had actually checked this at the time.

The rug pull started with this transaction (image source: rekt.news). The initial $22.2 million of stolen stablecoins was extracted from the StableMagnet 3Pool via unverified source code; the amount subsequently rose to $27 million and was still increasing. The security firm Rugdoc tweeted that the Etherscan and BSCscan explorers do not verify the source code of linked libraries, which allows an exploiter to deploy a library that is completely different from the published source. SMAG's SwapUtils library was therefore never actually checked by the explorer, and there was no warning that its source code was unverified.
The SwapUtils library containing the actual exploit: 0xE25d05777BB4bD0FD0Ca1297C434e612803eaA9a (image source: Twitter @Rugdoc.io)

The unverified SwapUtils library not only contained code that could drain all trading pairs, but also code that would transfer further tokens out of the wallets of anyone who had approved the SMAG contract. Protocols such as Dopple and StableGaj are still running on the same code, and their SwapUtils library is also unverified.

Escape route:
After we saw the hackers' rug pull, their escape route became clear. The stolen funds were distributed to multiple addresses and deposited into Binance to switch to the Ethereum network, then quickly withdrawn, converting the centralized USDT into decentralized DAI. We were still wondering whether the "deposit to Binance" step could stop the hackers, but their escape plan had already been carried out across multiple addresses. This is one of them:
Send BUSD to Binance's hot wallet: 0x2bac04457e5de654cf1600b803e714c2c3fb96d7
USDT received on the Ethereum network: 0xDF5B180c0734fC448BE30B7FF2c5bFc262bDEF26
Convert USDT to DAI: 0xe5daac909a3205f99d370bc2b32b1810a4912a07

After the community identified the attack mechanism and the hackers' fund flow, it began to investigate all related addresses and started the most difficult jigsaw puzzle. Within a few days of the incident, Binance obtained solid clues pointing to the suspects being in Hong Kong, and called on Hong Kong victims and community members with local resources to contact Binance as soon as possible. Community clues also pointed to Hong Kong, and anonymous organizations tried to contact suspected project members. As the community investigation deepened, it could be established that this group were repeat offenders.
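The gap described above, in which an explorer marks a contract "verified" while saying nothing about the library it delegates to, can be checked from the bytecode itself. The following script is an added example, not code from the article, from Rugdoc or from the StableMagnet project: it diffs the compiler's unlinked bytecode against the deployed bytecode, extracts every linked library address from the link slots, and reports those absent from a set of verified addresses. The verified set and the surrounding bytes are constructed for the demo; the one real value is the SwapUtils address quoted above.

```python
"""Added example: find linked libraries whose code nobody has verified.
An explorer's "verified" check matches compiler output against deployed
bytecode everywhere except the link placeholders; the placeholder bytes are
just a library address, so the code at that address is never inspected.
(verified set is constructed; in practice fetch it from the explorer's API)"""
import re

# solc leaves a 40-character placeholder wherever a 20-byte library address is
# linked in later:  __$<34 hex of keccak(qualified name)>$__  (solc >= 0.5)
# or  __LibraryName____________________________  padded to 40 (older solc).
PLACEHOLDER_RE = re.compile(r"__\$[0-9a-fA-F]{34}\$__|__[A-Za-z][A-Za-z0-9_:./]{37}")


def strip_0x(hexstr):
    return hexstr[2:] if hexstr[:2].lower() == "0x" else hexstr


def extract_linked_libraries(unlinked_hex, deployed_hex):
    """Return {placeholder: address} for every library the deployed bytecode
    links to.  Raises ValueError if any byte outside a placeholder differs,
    i.e. if the deployed code is not the claimed source at all."""
    unlinked = strip_0x(unlinked_hex)
    deployed = strip_0x(deployed_hex).lower()
    if len(unlinked) != len(deployed):
        raise ValueError("bytecode length differs from compiler output")
    libs, cursor = {}, 0
    for m in PLACEHOLDER_RE.finditer(unlinked):
        start, end = m.span()
        if unlinked[cursor:start].lower() != deployed[cursor:start]:
            raise ValueError(f"bytecode differs from source at byte {cursor // 2}")
        slot = deployed[start:end]
        if not re.fullmatch(r"[0-9a-f]{40}", slot):
            raise ValueError(f"link slot at byte {start // 2} is not an address")
        addr = "0x" + slot
        if libs.setdefault(m.group(0), addr) != addr:
            raise ValueError(f"{m.group(0)} linked to two different addresses")
        cursor = end
    if unlinked[cursor:].lower() != deployed[cursor:]:
        raise ValueError(f"bytecode differs from source at byte {cursor // 2}")
    return libs


def unverified_libraries(libs, verified_addresses):
    """Linked addresses with no verified source: code the pool delegates to
    that nobody has been able to read."""
    verified = {a.lower() for a in verified_addresses}
    return sorted(a for a in set(libs.values()) if a not in verified)


# Constructed sample.  The library address is the SwapUtils address quoted in
# the article; the surrounding bytes (PUSH20 <lib> GAS DELEGATECALL) and the
# "verified" set are made up for the demo.
SWAP_UTILS = "0xE25d05777BB4bD0FD0Ca1297C434e612803eaA9a"
PLACEHOLDER = "__$" + "ab" * 17 + "$__"
UNLINKED = "0x6080604052" + "73" + PLACEHOLDER + "5af4" + "73" + PLACEHOLDER + "5af400"
DEPLOYED = UNLINKED.replace(PLACEHOLDER, SWAP_UTILS[2:])


def demo():
    """Explorer says only the pool itself is verified; the library is not."""
    libs = extract_linked_libraries(UNLINKED, DEPLOYED)
    return unverified_libraries(libs, ["0x" + "11" * 20])
```

The same diff also rejects a contract whose deployed bytes differ from the claimed source anywhere outside a link slot, which is the case the explorer does catch.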
Through the key pieces of countless puzzles in the early stage, their identities were soon determined (the specific details of the identification have not been made public, but it can be revealed that the hackers were naive and left many obvious traces). Unfortunately, even though the project members knew they had been exposed, they remained silent, refused to communicate, and ignored multiple warnings from multiple organizations. With the hackers refusing to communicate, the problem could not be solved in a decentralized way, and the victims placed their hopes in the police. Thanks to the efforts of victims in Hong Kong, Hong Kong was the first region to file a case; later, victims in other regions such as the United Kingdom also filed cases. The project members' personal information was quickly passed to the Hong Kong police. However, the Hong Kong police initially took a slow approach. After receiving the clues, they did not intend to accept evidence from the community, but insisted on obtaining it from the exchange involved. At that time there were some communication difficulties between the Hong Kong police and the exchange, so there was no progress on the Hong Kong side, and the situation was deadlocked.

Continue to search for evidence:
After the SMAG incident, anonymous sources provided us with more real information. They told us that this group had planned multiple rug pulls recently, and that projects such as Moon Here Token and Wen Moon Token had run into similar situations. They also told us a key piece of information: Techrate had audited the GitHub repository but not the deployed contracts. Techrate had noticed this kind of rug pull but did not take any action. This is not the first incident in which auditors have become the number one suspect, and we should not expect them to point out such problems.
Suspect:
The suspects are completely different from the image presented by the Poly Network hacker. The Poly Network hacker may be a young man with outstanding skills and talent, perhaps still a student. He is very confident, but not bold. When some of his clues were uncovered, he began to be afraid. It is not that he did not care about money, as he claimed; rather, he was willing to compromise because of external pressure and the continuous digging up of relevant clues, but he was unwilling to appear submissive, so through a dramatic and hysterical performance he tried to make himself out to be a "white hat" and a savior, to cover up his original despicable motives (the interviewee's personal speculation). In stark contrast to the Poly hacker, the SMAG group struck me as extremely stubborn, refusing any form of submission. Even after their identities were exposed and the community warned them many times, they remained indifferent until the police found them. Before the police intervened, community members and anonymous organizations (some anonymous organizations had the contact information of suspected project members by the next day, which was later verified to be correct) had already fully established the suspects' complete identities, social relations and contact information. They are a group of young people in Hong Kong, some of whom have not even graduated. The team leader works in blockchain, network security, computer development and related fields, and runs a Hong Kong company. It is understood that anonymous organizations contacted the suspects many times, trying to solve the problem in a decentralized way, but the suspects paid no attention and refused to communicate or refund; their behavior was very different from that of ordinary hackers. When someone holds a hacker's exact real identity and social relations, most people would panic, but this group did not.
The community originally hoped to solve the problem in a decentralized way and give these young people a way out, but they chose the worst option. That meant sanctions from the centralized world were about to come.

Surprise:
The report in the UK was taken very seriously by the British police. The case was filed the next day and handed to the serious crime team, who kept a highly open line of communication with the community. At the same time, community members and anonymous organizations obtained key clues and successfully tracked the project members' whereabouts: they learned that the group had fled from Hong Kong to the UK, and gradually worked out more specific location information. This was quickly handed to the British police. With the support of a large amount of solid information, the British police acted quickly and successfully apprehended the project members.

Police action:
The case was codenamed Op Gabbro, and the responsible units were the Manchester Police Cyber Crime Division, Economic Crime Division, and Anti-Money Laundering and Financial Investigation Division. The British police acted very quickly, filing the case in one day and making arrests and recovering $22.2 million in assets within a week. Throughout, they remained open and listened to the opinions of the crypto community.

Some details of the case:
Victims from different countries and regions deposited funds, some even their entire personal savings, into the BSC:StableMagnet mining pool, and the scammers who operated the pool waited until a large amount of funds had been deposited before running away and transferring the stolen funds into their own accounts. Unfortunately for the scammers, their real-world whereabouts were not hidden without a trace.
Hardcore scientists in the crypto community used high technology to track down the real whereabouts of a pair of suspects, who were about to fly from Hong Kong, China to the UK with a short stop in Manchester. When the British police received the intelligence, they quickly tracked them down and were the first to find stolen Ethereum funds worth $9.5 million. At the same time, a 23-year-old man and a 25-year-old woman were arrested for fraud and money laundering and investigated. The arrested suspects chose to cooperate with the police, for legal reasons such as seeking a reduced sentence. A few days later, the police found another $12.7 million. In the end, expert officers from the Economic Crime Unit of the Manchester Police in the UK retrieved a total of approximately $22.2 million in cryptocurrency assets from Tornado. (Police press release)

The case is not over yet:
Three main suspects from the StableMagnet team are still on the run; they have been exposed by the crypto community. They are: a graduate of the Hong Kong Polytechnic University majoring in information security; a prospective graduate of the Chinese University of Hong Kong majoring in computer science; and a student of Hong Kong Baptist University majoring in English. The resumes of some members have even been exposed. The Hong Kong police will continue to take action to arrest them. The community also has information about other members but does not disclose it. Although most of the assets have been recovered, some have not been found. It is understood that the suspects claimed that some of the assets were lost. The community is highly suspicious of this, so the community investigation will not stop.

Asset refund:
The British police have started the refund process. With the efforts of the crypto community, the police have made a breakthrough in refunding victims around the world by refunding on the chain (USDT-ERC20).
Victims around the world can first contact the email [email protected] to obtain the necessary information and guidance, and then report to the local police. Official announcement from the British police: mainland victims who meet the conditions can go to Hong Kong to report the case, and the Hong Kong police will accept it. Note: after the incident gained attention, scams targeting SMAG victims appeared in Telegram groups. If scammers claim to be processing refunds for victims, do not believe them.

Feelings:
The successful recovery of the assets was possible thanks to the three-week marathon investigation by many individuals and crypto organizations in the open community, especially Ogle's team, the participation of Anonymous in the UK, the rapid response of the police, and the concerted efforts of the decentralized community and centralized forces. Capital and power still play a very important role in the decentralized world. O3 and Poly Network are well-known projects in the industry, with many institutions and powerful people participating. After that incident, large institutions and powerful players responded to the call, and major projects and exchanges in the industry, including Tether, USDC and others, responded quickly; the combined efforts of hundreds of parties quickly deterred the hacker and made him surrender. The SMAG incident was a fight between a decentralized community that united to save itself, with no organization or power behind it, and stubborn hackers. Although the community contacted the exchange within ten minutes of the incident, the exchange involved did not respond for more than six hours, and tens of millions of dollars of assets were successfully transferred across chains through it. The treatment was very different from the Poly incident.
Ogle also shared his views on the case and on Poly Network: the Poly hacker may appear to be a person with super skills who exploited the project's vulnerabilities, while SMAG was designed from the beginning for rug pulls and crime; from the attacker's perspective, I don't know whether the Poly attacker is a team, but the form he showed is completely different from SMAG. SMAG is a team-based crime, mixed with arrogance.