Quixotic – an NFT marketplace that runs on Optimism – revealed that wrongdoers breached its security and drained ERC-20 tokens. The organization said that users whose assets were stolen will be reimbursed.
The Latest Attack
In a recent tweet, Quixotic disclosed that criminals attacked its “Offer” feature and stole ERC-20 tokens. The team advised its customers to cancel their offers “immediately,” adding that all marketplace operations will be halted.
On the other hand, Quixotic guaranteed that clients affected by the attack will be fully refunded for their losses in the coming days. Non-fungible tokens listed on the marketplace were not harmed by the attack.
We can confirm that a recent update to our marketplace contract was exploited, allowing a hacker to steal approved ERC-20 tokens
1. We will be refunding all stolen ERC-20 tokens
2. NFTs remain safe and are not affected by the exploit
3. All marketplace activity remains paused https://t.co/wBYt903QVO
— Quixotic 🔴✨ – Optimism NFT Marketplace (@quixotic_io) July 1, 2022
According to DappRadar, Quixotic is the largest NFT marketplace on Optimism. It has attracted over 9,000 users in the past month who have completed more than 22,000 transactions. The registered trading volume for that period was approximately $405,000.
The Saga With Harmony
Last week another attack in the cryptocurrency space made the headlines – that of Harmony Protocol. The latter’s Horizon Bridge was breached by hackers who stole nearly $100 million worth of Ethereum.
Shortly after identifying the issue, Harmony offered the attacker a $1 million bounty in return for the stolen funds and for sharing exploit information. The anonymous hacker declined the offer and started laundering the assets through Tornado Cash.
Subsequent research conducted by Elliptic Enterprises claimed that the organization behind the heist was the North Korean hacking collective – the Lazarus Group:
“There are strong indications that North Korea’s Lazarus Group may be responsible for this theft, based on the nature of the hack and the subsequent laundering of the stolen funds.”
According to Elliptic’s analysis, the criminals targeted the username and password credentials of Harmony’s employees in the Asia Pacific region to breach the protocol’s security system. Later, they used automated laundering services to move the stolen funds during nighttime hours.
The company further maintained that the Lazarus Group has already transferred over 40% of the $100 million to a Tornado Cash mixer.