In the latest hack targeting cryptocurrency investors, hackers stole around $135 million from users of the blockchain gaming company VulcanForge, according to the company. The hackers stole the private keys to access 96 wallets, siphoning off 4.5 million PYR, which is VulcanForge’s token that can be used across its ecosystem, the company said in a series of tweets on Sunday and Monday. VulcanForge’s main business involves creating games such as VulcanVerse, which it describes as an “MMORPG,” and a card game called Berserk. Both titles, like pretty much all blockchain games, appear chiefly designed as vehicles to buy and sell in-game items linked to NFTs using PYR. In crypto, compromising someone’s private key is a definitive “game over,” because it gives complete control over the funds held by the corresponding address on a blockchain. VulcanForge announced the hack on Twitter and in its official Discord channel. “Over 4m PYR has been stolen from users’ wallets. It was premature to say this is [wallet management service] Venly’s end: we simply don’t know the cause,” the company wrote on Discord, asking users to move funds to Metamask, a popular wallet. “All funds stolen will be replaced once we’ve understood what’s happened.” Venly’s CTO told The Block that its services were not compromised.
In this case, the cause of the wallet compromise remains unknown, but this likely could have been prevented by following security best practices, including educating users about spotting phishing emails and other social engineering attempts. Another is having good endpoint monitoring with a Managed Detection and Response (MDR) and a SOC to triage alerts, or a service like Binary Defense to triage them.