Flash Loan Attack and 24 Years in Prison: What's Up With Crypto-Sec?
Crypto-Sec is a biweekly roundup column by TinTucBitcoin on stories and tips related to cryptocurrency and cybersecurity.
**Polter Finance Drained in "Classic" Flash Loan Attack**
The Fantom-based DeFi platform Polter Finance was drained of over $7 million through a "classic" flash loan attack on November 18, according to blockchain expert Nick Franklin's analysis.
The attacker artificially inflated the price of the SpookySwap governance token, BOO, by "borrowing nearly all the BOO tokens from the LP [liquidity pool]." Once the price was high enough, the attacker "could send 1 BOO and drain all the pools."
Data from the blockchain analytics platform BlockSec Phalcon confirmed that prior to the attack, there were only 269,042.22851562786 tokens in the liquidity pool.
The attacker then borrowed 269,042.22851562785 BOO tokens (around $1.3 million based on the BOO price at the time) through a flash loan, leaving only 0.000000000001 tokens.
Since token prices on decentralized exchanges are determined by the ratio between that token and the token it is priced in, this caused the BOO price to skyrocket.
The attacker then sent a single BOO token and proceeded to borrow $9.1 million in wrapped Fantom (FTM) tokens, netting $7.8 million in profit.
The attacker repeated the attack to obtain other tokens, including Magic Internet Money (MIM), sFTMX, Axelar USDC (axlUSDC), BTC, ETH, and USD Coin (USDC). Some estimates suggest the attack netted a total of $12 million.
Franklin did not speculate on how the attacker may have obtained enough BOO to repay the flash loan. However, one possible explanation is that they bought it from another liquidity pool at a much lower price.
DeFi users should consider the risks of depositing funds into platforms with low-liquidity tokens, as the prices of these tokens are often susceptible to manipulation.
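The reserve-ratio pricing described above, together with two checks a lending protocol can apply before trusting such a reading, is sketched below as an added example; it is not code from the article or from Polter Finance. The BOO reserve figures are the ones quoted above, while the quote-side reserve, the liquidity floor, the deviation tolerance and the price history are assumptions constructed for illustration.

```python
from decimal import Decimal, getcontext

getcontext().prec = 60  # room for 18-decimal token amounts

# BOO reserves as quoted in the article; every other number is constructed.
BOO_BEFORE = Decimal("269042.22851562786")
BOO_AFTER = Decimal("0.000000000001")
QUOTE_RESERVE = Decimal("1300000")   # assumed quote side of the pool, in USD
MIN_BASE_RESERVE = Decimal("10000")  # assumed liquidity floor for the guard
MAX_DEVIATION = Decimal("0.10")      # assumed 10% tolerance vs. the reference


def spot_price(base_reserve, quote_reserve):
    """Pool spot price: quote tokens per one base token (the reserve ratio)."""
    return quote_reserve / base_reserve


def twap(observations):
    """Time-weighted average of (price, seconds_held) observations."""
    total_time = sum(seconds for _, seconds in observations)
    return sum(price * seconds for price, seconds in observations) / total_time


def guarded_price(base_reserve, quote_reserve, reference):
    """Return (price, None) if the spot reading is usable, else (None, reason)."""
    if base_reserve < MIN_BASE_RESERVE:
        return None, "liquidity below floor"
    price = spot_price(base_reserve, quote_reserve)
    if abs(price - reference) / reference > MAX_DEVIATION:
        return None, "deviates from reference"
    return price, None


# Constructed history: three earlier price readings, each held for 600 seconds.
HISTORY = [(Decimal("4.80"), 600), (Decimal("4.85"), 600), (Decimal("4.83"), 600)]
REFERENCE = twap(HISTORY)

if __name__ == "__main__":
    for label, reserve in (("before", BOO_BEFORE), ("after", BOO_AFTER)):
        print(label, spot_price(reserve, QUOTE_RESERVE),
              guarded_price(reserve, QUOTE_RESERVE, REFERENCE))
```

With the drained reserve the raw ratio is about 1.3 quintillion per BOO, which is why a single token could back an arbitrarily large loan; the guard refuses that reading on the liquidity floor alone, before the deviation check is even reached.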
The anonymous founder of Polter Finance, known as Whichghost, has filed a police report about the incident and is attempting to negotiate with the attacker.
**CoinPoker Hit by Hot Wallet Attack**
The cryptocurrency poker platform CoinPoker recently fell victim to a private key hack, according to a November 18 report from the blockchain analytics platform Cyvers. The attacker executed transactions across multiple networks, including BNB Smart Chain, Ethereum, and Polygon.
On November 16, the poker platform attempted to negotiate with the attacker by posting a message on the Ethereum network.
"We are aware of activity related to the theft of funds from the wallet address [starting with 0x3c17]," the message stated. "We are seeking to establish a secure communication channel to constructively resolve this matter. [...] We are open to discussing terms, including a potential bounty, to safely return the funds."
Blockchain data shows the attacker sent most of the stolen funds to the privacy mixing service Tornado Cash, making them difficult to trace and potentially weakening the platform's negotiating position.
Web3 users should be aware that they may lose funds if a centralized gaming platform is hacked and loses customer deposits. Fortunately, CoinPoker appears to have weathered this attack, as current withdrawal requests are still functioning normally.
**Man Sentenced to 24 Years for Cryptocurrency Fraud That Brought Down Bank**
A man from Elkhart, Kansas, USA was sentenced to 24 years in prison for his role in a cryptocurrency fraud scheme that brought down the Heartland Tri-State Bank, according to a report on November 5 from the UK technology news site The Register. The mastermind behind the fraud scheme remains at large.
According to the report, Shan Hanes, 53, was the CEO of Heartland Tri-State Bank at the time he encountered a cryptocurrency fraudster via WhatsApp in 2023.
The fraudster convinced Hanes to invest in a fake cryptocurrency investment scheme. Hanes not only contributed his own money, he also misappropriated funds from the Elkhart Church of Christ and the Santa Fe Investment Club, organizations whose finances he was responsible for managing. Furthermore, Hanes eventually began withdrawing money from the bank itself. Over $47 million was withdrawn from deposits at Heartland Tri-State Bank and transferred into this cryptocurrency fraud scheme, but the scheme did not generate any actual profits and the entire amount was pocketed by the anonymous founder.
The bank's financial officials eventually reported Hanes' fraudulent behavior to the authorities. But by then, the losses had exceeded the bank's total assets, leading to its bankruptcy.
According to a July 2023 CNN report, this failed bank was initially bailed out by the Federal Deposit Insurance Corporation, and then acquired by Dream First Bank of Syracuse and reopened.
The report states that authorities have recovered $8 million from Hanes' wallets, but the remaining $39 million is lost forever.
Cryptocurrency investors may want to be wary of crypto investments that cannot be tracked on the blockchain through a public block explorer. These types of "projects" are often fictitious.