This week, hackers stole approximately $27 million worth of cryptocurrency from decentralized finance (DeFi) protocol Penpie.
Penpie confirmed in a statement that $27,348,259 worth of Ethereum was withdrawn on Tuesday, and they have closed withdrawals as well as deposits.
Penpie’s team said that hours after the attack, members arrived at the Kampong Java police station in Singapore to file a report on the incident.
On Wednesday, Penpie also filed a complaint with the FBI’s Internet Crime Complaint Center (IC3) and sent a message to the hacker promising a negotiated bounty payment in exchange for the safe return of the funds.
“We acknowledge that you have exploited our protocol,” they wrote. “Please contact us to discuss terms in confidence. No legal action will be taken if the funds are returned. Let’s find a mutually beneficial solution.”
Penpie sent a similar message on social media, offering to keep the hacker’s identity hidden if some of the funds were returned.
The messages appear to have had little effect, as the hacker continued to move the stolen funds to different blockchain addresses.
The company has pledged to develop a compensation plan for affected users and to consider suggestions before putting the ideas to a vote.
“We are deeply aware of the significant impact this attack has had on users of other protocols who had deposited assets to Penpie,” they said. “Please know that your losses are of the utmost importance to us.”
The attack came the same day the FBI issued an alert warning cryptocurrency companies of repeated attacks by North Korea-based hackers.
Penpie claims to have been initially informed of the attack by Pendle, the platform on which they built the protocol.
In its own postmortem report on the attack, Pendle explained that while millions of dollars were lost due to Penpie specifically, the team’s quick actions prevented the hackers from taking nearly $105 million worth of cryptocurrency from other protocols built on the platform.
Pendle’s internal security system detected the attack almost immediately, but within an hour, the hackers had siphoned off Penpie’s $27 million. Pendle said its platform was ultimately unaffected by the attack.
Pendle provided Penpie with the IP address of the VPN used to launch the attack and the company then passed this information to a Singapore tech crime investigation officer, who they said “will forward the cybercrime incident to the VPN provider for further information.”
Penpie said it had already undergone two audits since its launch in June 2023. One of the audits detected part of the vulnerability and it was thought to have been fixed. But the company introduced a new feature in May 2024 that reintroduced the issue that hackers exploited in this week’s incident.
They acknowledged that they should have done a full audit after adding new features.
“While incremental audits address specific changes, it is also essential to conduct comprehensive audits of the entire protocol to ensure that no vulnerabilities are introduced,” they said in the postmortem.
The company plans to conduct another full audit of its systems to ensure all vulnerabilities are addressed and will only restart operations once the audit is complete.
“Teams of North Korean malicious cyber actors identify specific DeFi or cryptocurrency-related companies to target and attempt to socially manipulate dozens of employees at these companies to gain unauthorized access to the company network,” the FBI alert said.
The United Nations is currently investigating 58 cyberattacks allegedly carried out by North Korean hackers that netted the attackers an estimated $3 billion between 2017 and 2023.