In the late hours of Tuesday, the crypto community saw another exploit. Munchables, the Ethereum Layer-2 NFT gaming platform, reported being compromised on an X post.
The crypto heist, which momentarily stole over $62 million, took a shocking turn of events after the attacker’s identity opened a Pandora’s box.
Crypto Developer Turns Hacker
Yesterday, Munchables, a gaming platform powered by Blast, suffered a security breach that resulted in the theft of 17,400 ETH, worth around $62.5 million. Immediately after the X announcement, crypto detective ZachXBT revealed the sum stolen and the address where the funds had been sent.
It was later informed that the crypto heist had been an inside job instead of an external one, as one of the project’s developers seemed to be responsible.
Solidity developer 0xQuit shared on X concerning information about Munchable. The developer pointed out that the smart contract was a “dangerously upgradeable proxy with an unverified implementation contract.”
the Munchables exploit has been planned since deploy.
Munchables is a dangerously upgradeable proxy, and it has been upgraded.
Instead of upgrading from a benign implementation to a malicious one, they did the reverse here
1/
— quit.q00t.eth (,) (@0xQuit) March 26, 2024
The exploit seemingly wasn’t “nothing complex” as it consisted of asking the contract for the stolen funds. However, it required the attacker to be an authorized party, confirming that the heist was a scheme carried out inside the project.
After a deep dive into the matter, 0xQuit concluded that the attack had been plotted since deployment. Munchable’s developer used the contract’s upgradable nature to “assign himself an enormous ether balance before changing the contract implementation to one that appeared legit.”
The developer “simply withdrew the balance” when the total value locked (TVL) was high enough. DeFiLlama data shows that, before the exploit, Munchables had a TLV of $96.16 million. At writing time, the TVL has plummeted to $34.05 million.
As reported by BlockSec, the funds were sent to a multi-sig wallet. The attacker eventually shared all private keys with the Munchables team. The keys gave access to $62.5 million in ETH, 73 WETH, and the owner key, which contained the rest of the project’s funds. According to Solidity developer’s calculations, the total amount neared $100 million.
The fund is currently in a multisig wallet 0x4D2F75F1cF76C8689b4FDdCF4744A22943c6048C, with the threshold 2/3. Owners are 0xFfE8d74881C29A9942C9D7f7F55aa0d8049C304A, 0xe0C5B8341A0453177F5b0Ec2fcEDc57f6E2112Bc, 0x94103f5554D15F95d9c3A8Fa05A9c79c62eDBD6f https://t.co/K1YDZo5uvK
— BlockSec (@BlockSecTeam) March 27, 2024
Change Of Heart Or Fear Of The Crypto Community?
Unfortunately, crypto exploits, hacks, and scams are common in the industry. Most play out similarly, with hackers taking massive sums and investors looking at their empty pockets.
This time, the incident turned out more thrilling than usual, as the identity of the developer-turned-hacker untangled a web of lies and deception. As ZachXBT suggested, Munchable’s rogue developer was North Korean, seemingly tied to the Lazarus group.
However, the movie doesn’t end there: the blockchain investigator revealed that four different developers hired by Munchables’ team were linked to the exploiter, and it seemed like they were all the same person.
the developers pic.twitter.com/AYMbwduiLS
— a1ex (@a1exxxxxxxxxxx) March 27, 2024
These developers recommended each other for the job and regularly transferred payments to the same two exchange deposit addresses, funding each other wallets. Journalist Laura Shin suggested the possibility of the developers not being the same person but different people working for the same entity, North Korea’s government.
Pixelcraft Studios CEO added that he had done a trial hire with this developer in 2022. During the month the ex-Munchables developer worked for them, he exhibited practices “sketchy af.”
The CEO believes that the North Korean link is possible. Additionally, he revealed that the MO was similar back then, as the developer tried to get “his friend” hired.
An X user highlighted that the developer’s GitHub name was “grudev325,” pointing out that “gru” could be related to Russia’s Federal Agency for Foreign Military Intelligence.
Pixelcrafts’s CEO commented that, at the time, the developer explained that the nickname was born after his love for the character Gru from the Despicable Me movies. Ironically, the character in question is a supervillain who spends most of the movie trying to steal the moon.
didn’t even know that was a thing lmeow, this is how he explained it @zachxbt pic.twitter.com/jTMj62GGb2
— coderdan.eth | aavegotchi (@coderdannn) March 27, 2024
Whether he was trying to steal the moon and failed like Gru, the developer ultimately returned the funds without asking for “compensation.” Many users believe that the suspicious “change of heart” results from ZackXBT’s deep dive into the attacker’s web of lies and the threats made.
This thriller ends with the crypto investigator’s reply to a now-deleted post. In his reply, the detective threatened to destroy the developer and all his “other North Korean devs hard on-chain your country has another blackout.”
