Originally published on: September 25, 2024
Banana Gun, a Telegram-based cryptocurrency trading bot, has announced that it will refund the 11 users who collectively lost about $3 million in a recent hack.
Reports started emerging on September 19, when some Banana Gun users noticed unauthorized outbound transfers from their wallets. In response, Banana Gun temporarily shut down its Ethereum Virtual Machine (EVM) and Solana bots to prevent further losses.
Crypto trading bots automate trade execution on behalf of their users, which typically means the bot can sign and send transactions from the connected wallets; a flaw in the bot or its control channel therefore puts those funds at risk.
Initial investigations indicated that 36 users were affected, losing roughly $2 million worth of Ether. Banana Gun's subsequent report, however, put the total loss higher and the number of affected users lower.
A statement from Banana Gun read, “A total of 11 users were impacted, with $3 million taken. All affected users will be fully refunded from the Banana Gun treasury, with no tokens being sold for reimbursements.”
Rather than targeting inexperienced investors, as many attackers do, the Banana Gun attacker went after experienced traders and manually transferred ETH out of their wallets while the trading bots were active.
Suspicion arose because the unauthorized transfers were manual and were accompanied by in-bot notifications, a sign that they were being issued through the bot's own transfer path. This led Banana Gun to conclude that the attacker had exploited a vulnerability in a Telegram message oracle.
After patching the vulnerability, Banana Gun brought its EVM and Solana bots back online with additional safeguards against further losses, including a two-hour delay on outbound transfers, two-factor authentication for transfers and a thorough review of the system. The delay gives a wallet owner who receives a transfer notification time to cancel it before funds leave, and the second factor means a compromised Telegram session alone is no longer enough to move money.
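The two safeguards described above, a hold on outbound transfers and a second factor before they are sent, fit together naturally as a hold-and-confirm queue. The Python sketch below is an added illustration of that pattern; it is not Banana Gun's code and does not describe its implementation. It assumes (hypothetically) that each user has a TOTP secret enrolled on a device separate from the Telegram session that drives the bot, and that the bot notifies the wallet owner whenever a transfer is requested so that an unexpected request can be cancelled during the hold. The TOTP code is a straightforward RFC 4226/6238 implementation; the secret used in the demo is the RFC 4226 test-vector key, not a real one.

```python
"""Illustrative delayed-withdrawal queue with TOTP confirmation (added example,
not Banana Gun's code). Hypothetical assumptions: each user has a TOTP secret
enrolled on a separate device, and the bot notifies the owner on request."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

DELAY_SECONDS = 2 * 60 * 60   # the two-hour hold mentioned in the article
TOTP_STEP = 30                # RFC 6238 time step in seconds
TOTP_DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a `digits`-long decimal code."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, unix_time // step)


@dataclass
class Transfer:
    tid: str
    user: str
    to: str
    amount_wei: int
    requested_at: int
    confirmed: bool = False
    cancelled: bool = False
    executed: bool = False

    @property
    def executes_at(self) -> int:
        return self.requested_at + DELAY_SECONDS


class TransferQueue:
    """Outbound transfers wait DELAY_SECONDS and need a valid TOTP code
    before they are sent; the owner can cancel at any point before that."""

    def __init__(self, totp_secrets: dict[str, bytes]) -> None:
        self._secrets = totp_secrets          # user -> enrolled TOTP secret
        self._pending: dict[str, Transfer] = {}

    def request(self, user: str, to: str, amount_wei: int, now: int) -> Transfer:
        t = Transfer(secrets.token_hex(8), user, to, amount_wei, now)
        self._pending[t.tid] = t
        # A real bot would push the "transfer requested" notification here,
        # so the owner sees an attacker's request while it can still be cancelled.
        return t

    def confirm(self, tid: str, code: str, now: int) -> bool:
        """Second factor: accept the code for the current time step or its
        neighbours (clock skew), compared in constant time."""
        t = self._pending.get(tid)
        if t is None or t.cancelled:
            return False
        secret = self._secrets[t.user]
        for skew in (-1, 0, 1):
            counter = now // TOTP_STEP + skew
            if counter < 0:            # to_bytes() rejects negative counters
                continue
            if hmac.compare_digest(hotp(secret, counter), code):
                t.confirmed = True
                return True
        return False

    def cancel(self, tid: str, user: str) -> bool:
        """Only the wallet owner can cancel; a cancelled transfer never executes."""
        t = self._pending.get(tid)
        if t is None or t.user != user:
            return False
        t.cancelled = True
        return True

    def execute_due(self, now: int) -> list[Transfer]:
        """Release every transfer that is confirmed, not cancelled and past its
        hold. Returns the released transfers (a real bot would broadcast them)."""
        done = []
        for tid, t in list(self._pending.items()):
            if t.cancelled:
                del self._pending[tid]
            elif t.confirmed and now >= t.executes_at:
                t.executed = True
                done.append(t)
                del self._pending[tid]
        return done


if __name__ == "__main__":
    # Constructed demo; the secret is the RFC 4226 test-vector key.
    demo_secret = b"12345678901234567890"
    q = TransferQueue({"alice": demo_secret})
    t = q.request("alice", "0x000000000000000000000000000000000000dEaD", 10**18, now=0)
    print("confirmed:", q.confirm(t.tid, totp(demo_secret, 0), now=0))
    print("released at 7199:", q.execute_due(7199))
    print("released at 7200:", [x.tid for x in q.execute_due(7200)])
```

Two design points matter more than the code itself. The hold only helps if the "transfer requested" notification reaches the owner on a channel the attacker cannot suppress, and the second factor only helps if its secret lives outside the session the attacker controls; a TOTP code typed into the same compromised Telegram chat adds nothing. Note also that the article's own clue, in-bot notifications accompanying the unauthorized transfers, is exactly the signal a cancel window is built to exploit.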
In a separate incident, the hacker who drained $5 million from the yield protocol Shezmu has returned most of the stolen funds after accepting a white hat bounty.
Shezmu discovered the exploit in one of its ShezmuUSD (ShezUSD) stablecoin vaults and sent the attacker an on-chain message requesting that 90% of the stolen funds be returned within 24 hours.
Shortly after the request, Shezmu began receiving the stolen funds back: the hacker first returned 282.18 Ether (ETH) to the protocol, followed by a further 137 Wrapped Ether (WETH).
Stay updated on the latest crypto news and security incidents to ensure your assets remain safe and secure.