$8 million stolen in unusual DeFi hack

The founder of Nexus Mutual, a decentralized digital currency insurance provider, was hacked for over $8 million early this morning. The attacker was able to steal 370,000 NXM, equal to roughly $8.3 million as of press time. However, this DeFi hack is unlike the hacks we have seen take place in the past. Instead of draining the project’s liquidity pool, the attacker singled out Nexus Mutual founder Hugh Karp, and only stole the funds from Karp’s personal wallet.

According to the official announcement from Nexus Mutual, the attacker tricked Karp into signing a transaction that sent the funds from his personal wallet to the attacker’s wallet.

Initial investigation:
A targeted personal attack on Hugh.
Hugh's using a hardware wallet. The attacker gained remote access to his computer & modified the metamask extension, tricking him into signing a different transaction which transferred funds to the attacker’s own address.

— Nexus Mutual (@NexusMutual) December 14, 2020

Karp called the attack “a very nice trick” and has asked the attacker to return the funds, saying that he will even let the attacker keep $300,000 of the stolen money and will drop the on-going investigation into the hack if the money is sent back./p>

However, like most DeFi related hacks that take place, it’s unlikely that the attacker is going to return the funds. The stolen money is already on the move and has been sent to the decentralized exchange aggregator, 1inch exchange.

A deviation from the norm

A majority of the DeFi hacks and exploits that we saw take place in 2020 happened because the attacker had vast knowledge of how smart contracts work as well as how the DeFi platform’s contracts interacted with external smart contracts. Attackers would often conduct a flash loan attack, which would alter token prices in a way that was beneficial to them before purchasing the tokens for cheap or calling a function that would drain a project’s liquidity pool.

However, the Nexus Mutual attack was not a result of its smart contract or external smart contracts, rather, the attacker was able to social engineer their way into the founder’s personal wallet.