Hackers Target MicroStrategy Followers with Bogus Token Airdrop

Cybercriminals exploited MicroStrategy's social media to orchestrate a fake airdrop scam, causing over $440,000 in financial damage.

Are cybercriminals getting out of hand? MicroStrategy fell victim to a sophisticated hack where attackers used its social media account to promote a fake airdrop, leading to over $440,000 in losses. Aleo, a decentralized blockchain platform focusing on privacy through zero-knowledge cryptography, suffered a data leak exposing users' KYC documents, raising serious concerns over the security of personal information in the blockchain domain. Additionally, China's Supreme People’s Procuratorate reported a concerning rise in cybercrimes, particularly those exploiting blockchain and metaverse technologies for illicit purposes, including online fraud, money laundering, and investment scams.

Beware of the Fake Airdrop

MicroStrategy, a business intelligence firm, recently became the target of a sophisticated hack that involved the unauthorized use of its X account to distribute malicious links. These links lured unsuspecting users into participating in a fake airdrop for an "official" Ethereum-based MSTR token. Victims were directed to a counterfeit MicroStrategy webpage, which then prompted them to connect their wallets to claim the fraudulent MSTR airdrop. By accepting a series of permissions in their Web3 wallets, users inadvertently gave attackers the ability to drain tokens from their wallets.

The scam has already resulted in large financial losses, with independent blockchain investigator ZachXBT and anti-scam platform Scam Sniffer reporting that the total amount swindled has exceeded $440,000. A big portion of this loss was suffered by a single user, who unfortunately lost more than $420,000. This victim's funds, consisting of various altcoins valued at $424,786, were transferred to the attacker's wallet and partially rerouted to a wallet linked to the infamous hacking group PinkDrainer.

Despite the sophistication of the scam, many crypto industry observers have criticized the victims for their naivety, especially considering MicroStrategy's well-documented focus on Bitcoin rather than Ethereum. The incident has also sparked discussions about the importance of vigilance and skepticism when participating in digital asset transactions, especially in light of the increasing prevalence of crypto-related scams similar to this.
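The wallet permissions described above are, in most drainer cases, token approval calls; the article does not say which calls this site requested, so that is an assumption here. The following check is an added example, not code from MicroStrategy, Scam Sniffer or any wallet vendor: it decodes the calldata a site asks a wallet to sign and flags approvals that hand an unknown spender control of tokens. The spender address and the `trustedSpenders` allowlist are constructed for illustration.

```javascript
// Standard 4-byte selectors (first 4 bytes of keccak256 of the signature).
const SELECTORS = {
  "095ea7b3": "approve(address,uint256)",
  "39509351": "increaseAllowance(address,uint256)",
  "a22cb465": "setApprovalForAll(address,bool)",
};
const MAX_UINT256 = (1n << 256n) - 1n;

// Classify the calldata of a transaction a dApp asks the wallet to sign.
// trustedSpenders is a hypothetical allowlist kept by the user or wallet.
function inspectCalldata(data, trustedSpenders = []) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  const signature = SELECTORS[hex.slice(0, 8)];
  if (!signature) return { risk: "none", reason: "not a token approval call" };
  // Both arguments are 32-byte ABI words that follow the selector.
  if (hex.length !== 8 + 128 || !/^[0-9a-f]+$/.test(hex)) {
    return { risk: "high", signature, reason: "malformed approval calldata" };
  }
  const spender = "0x" + hex.slice(32, 72); // low 20 bytes of word 0
  const value = BigInt("0x" + hex.slice(72, 136));
  const known = trustedSpenders.some((a) => a.toLowerCase() === spender);
  if (value === 0n) {
    return { risk: "none", signature, spender, reason: "revokes or grants nothing" };
  }
  // setApprovalForAll(true) covers every token in the collection. For an
  // ERC-721 approve(), word 1 is a token id; calldata alone cannot tell.
  const unlimited = signature.startsWith("setApprovalForAll") || value === MAX_UINT256;
  const risk = known ? "low" : unlimited ? "high" : "medium";
  return { risk, signature, spender, unlimited, reason: "grants spending rights" };
}

// Constructed sample calldata (the spender is a placeholder address).
const word = (h) => h.padStart(64, "0");
const SPENDER = "11".repeat(20);
const SAMPLE_UNLIMITED = "0x095ea7b3" + word(SPENDER) + "f".repeat(64);
const SAMPLE_LIMITED = "0x095ea7b3" + word(SPENDER) + word("64");
const SAMPLE_OPERATOR = "0xa22cb465" + word(SPENDER) + word("1");
const SAMPLE_REVOKE = "0x095ea7b3" + word(SPENDER) + word("0");
const SAMPLE_TRANSFER = "0xa9059cbb" + word(SPENDER) + word("64"); // transfer(), not an approval

for (const s of [SAMPLE_UNLIMITED, SAMPLE_LIMITED, SAMPLE_OPERATOR, SAMPLE_REVOKE, SAMPLE_TRANSFER]) {
  console.log(inspectCalldata(s));
}
```

Permissions granted through off-chain signatures rather than transactions are not covered by this check and need a separate review of the typed data being signed.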

Aleo Users' Information Leaked…

Meanwhile, concerns about privacy and security within the blockchain community are also increasing after the decentralized blockchain platform Aleo experienced a data leak. On Feb. 25, reports surfaced on X indicating that personal information of some users, specifically Know Your Customer (KYC) documents, was inadvertently disclosed. Aleo, known for its focus on zero-knowledge (zk) cryptography, relies on a third-party protocol to handle KYC procedures.

The incident came to light when a pseudonymous user, @0xemirsoyturk, revealed that he received an email containing the KYC documents—selfies and ID card photos—of another individual. This breach of privacy naturally raised alarms about the security of user data on the platform. Similarly, another user, @Selim_jpeg, also confirmed receiving someone else's KYC information.

To participate in Aleo's reward program, users are required to undergo KYC/AML verification and pass the Office of Foreign Assets Control (OFAC) screening, in line with Aleo’s internal policies. This process is conducted during sign-up for HackerOne, a third-party service that collects users' unencrypted KYC data.

Zero-knowledge layer-1 blockchain platforms like Aleo aim to offer enhanced privacy and security by employing cryptographic techniques that allow transactions without revealing specific details, thereby ensuring user confidentiality. This approach is designed to prevent external parties from tracing or accessing sensitive information, offering users a higher degree of privacy in their blockchain transactions.

The leak, however, has raised some serious questions about the platform's operational security practices. Mike Sarvodaya, founder of Galactica, a layer-1 blockchain infrastructure, commented on the irony of a privacy-focused protocol using a third-party service for collecting unencrypted KYC data, only for it to be leaked. He firmly believes in the importance of developing storage and proof systems for sensitive data, like Personally Identifiable Information (PII), based on zero-knowledge or fully homomorphic encryption (FHE) techniques. According to Sarvodaya, these systems should ensure that no single entity can access or reveal stored data.

China's Cybercrime Surge

In a concerted effort to combat the surge in cybercrimes, the Supreme People’s Procuratorate (SPP) of China, the nation's apex prosecutorial body, has turned its focus towards people exploiting blockchain and metaverse projects for illicit purposes. The SPP expressed deep concern over the escalating instances of online fraud, cyber violence, and infringement of personal information, particularly noting the significant uptick in cybercrimes conducted through blockchain technologies and in the metaverse. Criminals are also increasingly using cryptocurrencies to launder money, posing major challenges in tracking their illegal proceeds.

Deputy Prosecutor-General Ge Xiaoyan highlighted a 64% year-on-year increase in telecom fraud charges related to cybercrime. Furthermore, blockchain-related offenses are on the rise, with traditional crimes like gambling, theft, pyramid schemes, and counterfeiting also transitioning into the digital realm. Xiaoyan pointed out an almost 23% increase in internet theft charges and an almost 86% surge in charges related to online counterfeiting and the sale of inferior goods.

Between January and November, procuratorates charged 280,000 individuals in connection with cybercrime cases, a 36% increase from the previous year and 19% of all criminal offenses. Zhang Xiaojin, director of the Fourth Procuratorate of the SPP, even issued a warning about investment scams in the local cryptocurrency economy, pointing out the emergence of new cybercrimes leveraging technologies like the metaverse, blockchain, and binary options platforms. Xiaojin stressed that digital currencies are becoming focal points for criminal activities.

In contrast to mainland China's stringent measures against digital asset-related crimes, Hong Kong, a special administrative region of China, has adopted a more crypto-friendly regulatory approach. Hong Kong aims to standardize the digital asset ecosystem and protect investors while still encouraging innovation.

The People's Bank of China (PBoC) has also addressed cryptocurrency regulation and decentralized finance in its latest financial stability report, dedicating a section to cryptocurrency assets and advocating for international cooperation in regulating the industry. Despite the official announcement in 2021 by the PBoC of measures to combat crypto adoption in mainland China, including a crackdown on crypto transactions and mining, the country remains a significant hub for cryptocurrency mining.