Nomad Attack Tracking
On August 2, crypto KOL 0xfoobar posted that the cross-chain solution Nomad had been hacked, and that WETH and WBTC were being transferred out at a rate of millions of dollars each, leaving $126 million in the contract potentially at risk.
Nomad Cross-Chain Bridge reopens with updates, has recovered some assets
KingData News: Nomad, a cross-chain interoperability protocol, has released a cross-chain bridge reboot update, which it says makes significant changes to the code to support the reboot, including fixes for vulnerability exploits, patches for the bridge GUI, handling of recovered funds, etc. The code will be released when the audit is complete. nomad says bridging recovered funds back to madAssets is not a simple process, and that users will follow the following process: 1. 1. Bridging madAssets back to Ether will result in an NFT, which describes the type and amount of assets bridged. 2. Using the NFT (e.g. 100 USDC) the NFT grants access to a portion of that asset that is equal to a percentage of the recovered asset. In addition, users who are added to the whitelist will only receive the recovered funds, the recovered funds will be accounted for in tokens, tokens returned in different forms will be released, and Nomad will work with blockchain forensic companies to determine which tokens are affected.
Nomad Releases Recovery Plan, Will Complete Cross-Chain Bridge Upgrade in Late September
KingData News: Nomad, the cross-chain interoperability protocol, has released a recovery plan that will begin by working with Web3 Security and law enforcement to recover stolen funds, and expects to launch an upgraded cross-chain bridge and equitable distribution of recovered funds in late September. On August 1st, the Nomad token bridge was hacked for more than $186M. About 20% of funds (over $37M) has been recovered to-date.
88% of Nomad Bridge Exploiters Were 'Copycats' — Report
KingData News: Close to 90% of addresses taking part in the $186 million Nomad Bridge hack last week have been identified as “copycats,” making off with a total of $88 million worth of tokens on Aug. 1, a new report has revealed. The copycats copied the same code but modified the target token, token amount, and recipient addresses.
PeckShield：One of the Nomad Attackers Was also an OMNI Attacker
KingData News: PeckShield tweeted that one of the Nomad attackers was also the attacker of the decentralized NFT financial protocol OMNI, the address that received $5.94 million in the Nomad attack. In early July, OMNI was attacked and the stolen funds were transferred to Tornado Cash.
LI.FI Researcher: Evmos, Milkomeda, Moonbeam TVL All Drop Significantly after Nomad Attack
KingData News: LI.FI researcher Arjun tweeted that Evmos, Milkomeda, and Moonbeam TVLs, which use Nomad as their primary cross-chain bridge, all dropped significantly after the attack on Nomad. As of August 6, Evmos TVL was down 76.7% (~$5 million), Milkomeda TVL was down 45.45% (~$12.4 million) and Moonbeam TVL was down 62.5% (~$125.5 million).
Nomad: Will Offer a Reward of up to 10% to Attackers Who Return More Than 90% of The Stolen Funds
KingData News: Nomad, a cross-chain interoperability protocol, says on its official account that it will offer a reward of up to 10% to attackers who return more than 90% of the funds stolen. To date, approximately $20 million of Nomad's nearly $200 million in stolen funds has been returned.
Nomad: $16.6M in Total Funds Recovered to Date
KingData News: Nomad announced the return of the stolen funds on Twitter, and to date, a total of $16.6 million has been returned to the officially designated address. As previously reported, the total amount of funds stolen in the Nomad hack was approximately $190 million.
PeckShield: Rari Capital Hackers Make $5 Million Profit in Nomad Attack
KingData News: According to PeckShield monitoring, Rari Capital (Arbitrum) attackers 0x72ccbb and 0x76f455 profited $5 million from the Nomad cross-chain bridge attack, then consolidated the stolen funds in 0x72ccbb and mixed the coins via Tornado,Cash. As of today, the Nomad attackers have mixed approximately $11 million in coins through Tornado Cash.
PeckShield: Approximately $9M of Nomad's Stolen Funds Have Been Returned
KingData News: According to PeckShield monitoring, approximately $9 million of Nomad's stolen funds have been returned to the fund recovery address provided by Nomad. This includes 100 ETH (about $164,000), about 3.78 million USDC, about 20,000 USDT, 15.8 million CQT ($1.38 million), 1.2 million FRAX ($1.2 million), 200 WETH ($328k), 150k $DAI, etc. from the ENS address with the name bitliq.eth. including 100 ETH ($164k) from address with ENS name bitliq.eth, 3.78M USDC, 2M USDT, 15.8M CQT ($1.38M), 1.2M FRAX ($1.2M), 200 WETH (328k), 150k DAI and etc.
Nomad Officially Releases Instructions for Returning Stolen Funds
KingData News: Nomad Bridge's official Twitter feed releases the process for recovering funds. Nomad says it is actively working with chain analysis/intelligence firm TRM Labs and law enforcement to track the flow of funds and identify recipient wallets to coordinate the return of funds. It has also partnered with Anchorage Digital, a state-regulated custodian bank, to accept and protect ETH and ERC-20 tokens.
PeckShield: Nomad Hacker Address Has Transferred About 3,780 ETH to Tornado.cash
KingData News: According to PeckShield monitoring, the Nomad hacker address 0xC994.... .0cf599 has transferred about 3,780 ETH to Tornado.cash for coin mixing. Intermediate address: 0x55cF64F479c4d77F646a9a34B5A8d92917AeE6Cc.
Nomad Refutes Rumors: No Instructions Yet for Returning Stolen Funds
KingData News: Nomad officials tweeted, "We’re aware of impersonators posing as Nomad and providing fraudulent addresses to collect funds. We aren’t yet providing instructions to return bridge funds. Disregard comms from all channels other than Nomad’s official channel."
Nomad's Former Development Team: Theft Has no Impact on Optics, Will Continue to Monitor
KingData News: cLabs, the development team for the Celo eco-cross-chain protocol Optics, says it has confirmed there is no impact on Optics users following the attack on the cross-chain solution Nomad. The protocol will be monitored on an ongoing basis.
PeckShield: 41 Addresses Profited from the Nomad Incident by Approximately $152M
KingData News: According to PeckShield monitoring, approximately 41 addresses made approximately $152 million (80%) in profits from the Nomad attack, including approximately 7 MEV bots (approximately $7.1 million), the Rari Capital hack (approximately $3.4 million) and 6 white hat hacks (approximately $8.2 million), and approximately 10% of ENS domain addresses made $6.1 million in profits.
Nomad Bridge Drained of Nearly $200M in Exploit
KingData News: The cross-chain token bridge Nomad was exploited Monday, with attackers draining the protocol of virtually all of its funds. The total value of cryptocurrency lost to the attack totaled near $200 million. The Nomad team acknowledged the exploit in a statement to CoinDesk. "An investigation is ongoing and leading firms for blockchain intelligence and forensics have been retained," the team said. "We have notified law enforcement and are working around the clock to address the situation and provide timely updates. Our goal is to identify the accounts involved and to trace and recover the funds."
PeckShield: One of Nomad's Attack Addresses Transferred Nearly 3,800 ETH to Tornado.Cash
KingData News: According to PeckShield monitoring, one of Nomad's attack addresses (0xC994) has transferred 1,205 ETH and 2,580 ETH to intermediate addresses (starting with 0x7a98 and 0xC994), respectively, and started laundering the stolen funds via Tornado.Cash.
More Than $95 Million in Stolen Funds Remains at 3 Addresses in Nomad Incident
KingData News: MistTrack monitoring shows that more than $95 million in stolen funds remain at three addresses from the Nomad attack. There are still about $8 million in crypto assets including 1,084 ETH, 1.2 million DAI, 103 WBTC in 0xB5C ......3590E, which is also responsible for transferring 10,000 WETH to another address and transferring other USDC. The second address 0x56D ......ac4e3 still has about $47 million in crypto assets including 12.8 million ETH, 10.2 million WETH, and 800,000 DAI. The third address, 0xBF2......27179, was converted to DAI after receiving 38.666 million USDC and currently has about $39.7 million in crypto assets. After combing through all the transitions, MistTrack were unable to connect to address 3 with the other two addresses. However it should also be noted that these attacks share the same patterns.
PeckShield：Hackers in the Rari Capital Incident Were Involved in This Nomad Bridge Attack
KingData News: According to PeckShield monitoring, one of the Nomad cross-chain bridge attackers was the hacker behind the Rari Capital theft, who made approximately $3 million in profits from the Nomad attack. As previously reported, Rari Capital's pool of funds on Fuse was attacked in April of this year, with hackers making nearly $80 million in profits.
The Evmos Chain is Functioning Properly
KingData News: Cosmos Eco EVM compatible chain Evmos tweeted that a couple hours ago, the Nomad ERC20 bridge contract was exploited. Most assets have been drained. We’re working closely with the Nomad team and will follow up as we get more info. The Evmos chain is functioning properly. This is strictly a bridge exploit. Currently Nomad is paused, so users cannot withdraw their ERC20 wrapped assets from Evmos back to Ethereum. The team will keep you updated on how this affects Evmos users and those with Nomad wrapped assets.
Sources: Nomad Bridge Getting Actively Hacked
KingData News: According to a tweet from @0xfoobar, "Nomad bridge getting actively hacked. WETH and WBTC being taken out in million-dollar increments. Withdraw all funds if you can, still $126m remaining in the contract that's likely at risk. Recent transaction just grabbed 10,000 ETH ($16 million) in one go. The Nomad bridge holds $80 million USDC and it's all flowing out too". Officials now say they have identified the problem and are actively studying it.