Korean crypto exchange Bithumb says it lost over $30M following a hack

Just weeks after Korean crypto exchange Coinrail lost $40 million through an alleged hack, another in the crypto-mad country — Bithumb — has claimed hackers made off with over $30 million in cryptocurrency.

Coinrail may be one of Korea’s smaller exchanges, but Bithumb is far larger. The exchange is one of the world’s top ten ranked based on trading of Ethereum and Bitcoin Cash, and top for newly-launched EOS, according to data from Coinmarketcap.com.

In a now-deleted tweet, Bithumb said today that 35 billion won of tokens — around $31 million — were snatched. It didn’t provide details of the attack, but it did say it will cover any losses for its users. The company has temporarily frozen deposits and trading while it is in the process of “changing our wallet system” following the incident.

Days prior to the hack, Bithumb said on Twitter that it was “transferring all of asset to the cold wallet to build up the security system and upgrade” its database. It isn’t clear whether that move was triggered by the attack — in which case it happened days ago — or whether it might have been a factor that enabled it.


There’s often uncertainty around alleged hacks, with some in the crypto community claiming an inside job for most incidents. In this case, reports from earlier this month that Bithumb was hit by a 30 billion won tax bill from the Korean government will certainly raise suspicions. Without an independent audit or third-party report into the incident, however, it is hard to know exactly what happened.

That said, one strong takeaway, once again, is that people who buy crypto should store their tokens in their own private wallet (ideally with a hardware key for access), not on an exchange where they could be pinched by an attacker. In this case, Bithumb is big enough to cover the losses, but it isn’t always that way, and securely holding tokens avoids potential for trouble.

CommerceDNA wins the TechCrunch Hackathon at VivaTech

It’s been a long night at VivaTech. The building hosted a very special competition — the very first TechCrunch Hackathon in Paris.

Hundreds of engineers and designers got together to come up with something cool, something neat, something awesome. The only condition was that they only had 24 hours to work on their projects. Some of them were participating in our event for the first time, while others were regulars. Some of them slept on the floor in a corner, while others drank too much Red Bull.

We could all feel the excitement in the air when the 64 teams took the stage to present a one-minute demo to impress fellow coders and our judges. But only one team could take home the grand prize and €5,000. So, without further ado, meet the TechCrunch Hackathon winner.

Winner: CommerceDNA

Runner-Up #1: AID

Runner-Up #2: EV Range Meter


Judges

Nicolas Bacca, CTO, Ledger
Nicolas worked on card systems for 5 years at Oberthur, a leader in embedded digital security, ultimately as R&D Solution Architect. He left Oberthur to launch his company, Ubinity, which was developing smartcard operating systems.

He finally co-founded BT Chip to develop an open standard, secure element based hardware wallet which eventually became the first version of the Ledger wallet.

Charles Gorintin, co-founder & CTO, Alan
Charles Gorintin is a French data science and engineering leader. He is a cofounder and CTO of Alan. Alan’s mission is to make it easy for people to be in great health.

Prior to co-founding Alan, Charles Gorintin was a data science leader at fast-growing social networks, Facebook, Instagram, and Twitter, where he worked on anti-fraud, growth, and social psychology.

Gorintin holds a Master’s degree in Mathematics and Computer Science from Ecole des Ponts ParisTech, a Master’s degree in Machine Learning from ENS Paris-Saclay, and a Masters of Financial Engineering from UC Berkeley – Haas School of Business.

Samantha Jérusalmy, Partner, Elaia Partners
Samantha joined Elaia Partners in 2008. She began her career as a consultant at Eurogroup, a consulting firm specialized in organisation and strategy, within the Bank and Finance division. She then joined Clipperton Finance, a corporate finance firm dedicated to high-tech growth companies, before moving to Elaia Partners in 2008. She became an Investment Manager in 2011 then a Partner in 2014.

Laure Némée, CTO, Leetchi
Laure has spent her career in software development in various startups since 2000 after an engineer’s degree in computer science. She joined Leetchi at the very beginning in 2010 and has been Leetchi Group CTO since. She now works mainly on MANGOPAY, the payment service for sharing economy sites that was created by Leetchi.

Benjamin Netter, CTO, Lendix
Benjamin is the CTO of Lendix, the leading SME lending platform in continental Europe. He learned to code at 8 and has since been experimenting with ways to rethink fashion, travel or finance using technology. In 2009, in parallel with his studies at EPITECH, he created one of the first French applications on Facebook (Questions entre amis), which was used by more than half a million users. In 2011, he won the Foursquare Global Hackathon by reinventing the travel guide with Tripovore. In 2014, he launched Somewhere, an Instagram travel experiment acclaimed by the press. Today, with Lendix, he is reinventing the way European companies get faster and simpler financing.


And finally here were our hackmasters that guided our hackers to success:

Emily Atkinson, Software Engineer / MD, DevelopHer UK
Emily is a Software Engineer at Condé Nast Britain, and co-founder & Managing Director of women in tech network DevelopHer UK. Her technical role involves back-end services, infrastructure ops and tooling, site reliability and back-end product. Entering tech as an MSc Computer Science grad, she spent six years at online print startup MOO – working across the platform, including mobile web and product. As an advocate for diversity and inclusion in STEM & digital, in 2016 Atkinson launched DevelopHer, a volunteer-run non-profit community aimed at increasing diversity in tech by empowering members to develop their career and skills through events, workshops, networking and mentoring.

Romain Dillet, Senior Writer, TechCrunch
Romain attended EMLYON Business School, a leading French business school specialized in entrepreneurship. He covers many things from mobile apps with great design to fashion, Apple, AI and complex tech achievements. He also speaks at major tech conferences. He likes pop culture more than anything in the world.

Facebook tool warns developers of phishing attacks dangling lookalike domains

Phishing seems like a problem that will be here for the long haul, so I welcome any tools to combat it with open arms. Today Facebook announced one: a service for domain owners or concerned users that watches for sketchy versions of web addresses that might indicate a phishing attempt in the offing.

“The developer only needs to specify the domain name they care about and our tool will take care of the rest,” explained Facebook security engineer David Huang. “For example, if you subscribe to phishing alerts for a legitimate domain ‘facebook.com,’ we’ll alert you when we detect a potential phishing domain like ‘facebook.com.evil.com’ and other malicious variations as we see them.”

Hosting your phishing website as a subdomain of evil.com seems like kind of a giveaway. But there are subtler ways to fool people. If someone wanted to make you think that an email was coming from this website, for instance, they might register something like techcrunch-support.com or techcrunch.official.site and send it from there.


Small variations in spelling work, too: would you notice that an email came from techcruhch.com or techcrunoh.com if you were on your phone, walking down the street and trying not to be hit by people riding electric scooters? I think not. Back in the day even CrouchGear might have worked.

And lookalike characters that render differently inline are a strange new threat: whɑtsɑpp.com has an alpha (or something) instead of an a, and helpfully renders as xn--whtspp-cxcc.com. Look, I didn’t design the system. I just use it.

The tool looks for all these variations in domains it encounters by watching the stream of certificates being issued to new domains. “We have been using these logs to monitor certificates issued for domains owned by Facebook and have created tools to help developers take advantage of the same approach,” reads the Facebook blog post. Nice of them!
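To make the variations above concrete, here is an added example (not Facebook's code and not part of the original article) of how a domain owner could classify names seen in certificate logs against a watched domain. The confusables table, the `CT_SAMPLE` list and the function names are constructed for illustration, and the code assumes watched domains have a single-label TLD.

```python
import re

# Assumed, tiny confusables table (constructed; real tooling would load Unicode's data).
CONFUSABLES = {"\u0251": "a", "\u0430": "a", "\u0435": "e", "\u043e": "o"}

def fold(label):
    """Decode an IDN A-label (xn--...) and fold lookalike characters to ASCII."""
    if label.startswith("xn--"):
        try:
            label = label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)

def edit_distance(a, b):  # Levenshtein distance, computed one row at a time
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(cert_name, watched):
    """Say why cert_name resembles watched (e.g. 'facebook.com'), or return None."""
    name = cert_name.lower().lstrip("*.")
    if name == watched or name.endswith("." + watched):
        return None                       # the owner's own domain or subdomain
    brand = watched.split(".")[0]         # assumes watched is brand + one-label TLD
    raw = name.split(".")
    labels = [fold(label) for label in raw]
    if ("." + watched + ".") in ("." + name):
        return "embedded"                 # facebook.com.evil.com
    if labels != raw and brand in labels:
        return "homoglyph"                # xn--whtspp-cxcc.com
    if any(brand in re.split(r"[-_]", label) for label in labels):
        return "keyword"                  # techcrunch-support.com
    if any(edit_distance(label, brand) == 1 for label in labels):
        return "typo"                     # techcruhch.com
    return None

# Constructed stand-in for names seen in newly logged certificates.
CT_SAMPLE = ["www.facebook.com", "facebook.com.evil.com", "techcrunch-support.com",
             "techcrunch.official.site", "techcruhch.com", "xn--whtspp-cxcc.com"]

def scan(names, watched_domains):
    """Map each suspicious certificate name to (watched domain, reason)."""
    pairs = ((n, w, classify(n, w)) for n in names for w in watched_domains)
    return {n: (w, why) for n, w, why in pairs if why}
```

Calling `scan(CT_SAMPLE, ["facebook.com", "techcrunch.com", "whatsapp.com"])` flags five of the six sample names and leaves the legitimate `www.facebook.com` alone.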

Developers can sign up here and submit domains they’d like to monitor. Facebook won’t do anything but alert you that it detected something weird, so if there’s a false positive you don’t need to worry about getting kicked off your domain. On the other hand, if scammers are setting up shop at a doppelgänger web address, you’ll have to do the legwork yourself to get it shut down and warn your own users to be on the lookout.

Under Armour says MyFitnessPal data breach affected 150 million users

Under Armour, the fitness company that owns MyFitnessPal, disclosed today a data breach that affected about 150 million users. MyFitnessPal, a food and nutrition application, earlier this week became aware of the breach, which took place late last month.

The breached data did not include any Social Security numbers, driver license numbers or any other government-issued identifiers, according to Under Armour. The company also said payment card information was not collected.

“The company quickly took steps to determine the nature and scope of the issue and to alert the MyFitnessPal community of the incident,” Under Armour wrote in a press release.

Four days after Under Armour became aware of the issue, the company said it started to notify members of the MyFitnessPal community via email and in-app messaging. Under Armour recommends MyFitnessPal users change their passwords.

“Under Armour is working with leading data security firms to assist in its investigation, and also coordinating with law enforcement authorities,” the press release stated. “The investigation indicates that the affected information included usernames, email addresses, and hashed passwords – the majority with the hashing function called bcrypt used to secure passwords.”

Security flaw in Grindr exposed locations to third-party service

Users of Grindr, the popular dating app for gay men, may have been broadcasting their location despite having disabled that particular feature. Two security flaws allowed for discovery of location data against a user’s will, though they take a bit of doing.

The first of the flaws, which were discovered by Trever Faden and reported first by NBC News, allowed users to see a variety of data not available normally: who had blocked them, deleted photos, locations of people who had chosen not to share that data, and more.

The catch is that if you wanted to find out about this, you had to hand over your username and password to Faden’s purpose-built website, C*ckblocked (asterisk original), which would then scour your Grindr account for this hidden metadata.

Of course it’s a bad idea to surrender your credentials to any third party whatsoever, but regardless of that, this particular third party was able to find data that a user should not have access to in the first place.

The second flaw involved location data being sent unencrypted, meaning a traffic snooper might be able to detect it.

It may not sound too serious to have someone watching a wi-fi network know a person’s location — they’re there on the network, obviously, which narrows it down considerably. But users of a gay dating app are members of a minority often targeted by bigots and governments, and having their phone essentially send out a public signal saying “I’m here and I’m gay” without their knowledge is a serious problem.

I’ve asked Grindr for comment and confirmation; the company told NBC News that it had changed how data was handled in order to prevent the C*ckblocked exploit (the site has since been shut down), but did not address the second issue.

More evidence ties alleged DNC hacker Guccifer 2.0 to Russian intelligence

It may be a while since you’ve heard the handle “Guccifer 2.0,” the hacker who took responsibility for the infamous DNC hack of 2016. Reports from the intelligence community at the time, as well as common sense, pegged Guccifer 2.0 not as the Romanian activist he claimed to be, but a Russian operative. Evidence has been scarce, but one slip-up may have given the game away.

An anonymous source close to the U.S. government investigation of the hacker told the Daily Beast that on one single occasion, Guccifer 2.0 failed to log into the usual VPN that disguised their traffic. As a result, they left one honest IP trace at an unnamed social media site.

That IP address “identified Guccifer 2.0 as a particular GRU officer working out of the agency’s headquarters on Grizodubovoy Street in Moscow,” the Daily Beast reported. (The GRU is one of Russia’s security and intelligence organs.)

Previous work by security researchers had suggested this, but it’s the first I’ve heard of evidence this direct. Assuming it’s genuine, it’s a sobering reminder of how fragile anonymity is on the internet — one click and the whole thing comes crashing down.

It’s a bit of a foregone conclusion now, since in the time since the hack the notion of Russian interference with the election has gone from unnerving possibility to banal fact. And while a single impression like that may sound a bit flimsy, investigators would of course be putting it together with all kinds of other activity and patterns to be clear this wasn’t just a random intern checking his feeds at an open terminal.