Nexus Mutual - Hugh Speaks Out
You are not as safe as you think.
Hardware wallets and private keys are useless if your machine is compromised.
Apes pay tax and traders lose funds, but careful users don’t deserve to lose their money.
Hugh Karp of Nexus Mutual was hacked for $8M.
This story is different to those which we normally cover, and we wanted to report it appropriately. Greed and impatience don’t earn our respect, but when an individual is targeted through no fault of their own, they deserve to be shown some compassion.
This attack could have happened to any one of us.
We spoke to Hugh one week after the attack took place. The following summary is from his official statement.
On Monday 14th of December at 9:40am UTC, I was tricked into approving a single transaction that sent 370,000 NXM to a hacker instead of what I thought was claiming some mining rewards. The hacker has subsequently liquidated the majority of the NXM into ETH/BTC and has been dispersing it to many different addresses and exchanges.
rekt:
Hi Hugh,
Thanks for talking to us, we want to say first of all; we're sorry that this happened to you.
We didn't want to cover this story without talking to you first, as obviously there is much more of a personal element to this attack than those which we normally cover.
It’s been just over one week since the hack - financial loss aside, how has the incident affected you?
Hugh:
It's been pretty rough, to be honest: an emotional roller coaster and not much sleep, especially the first few days, but things are settling now.
The first 3 hours or so were definitely the worst, as I'm sure many others in crypto have experienced. You get that gut-wrenching sick feeling and my whole body was shaking and quite weak.
The Nexus team and others in the community really helped out here, Rox (our CTO) and Anatol (our security expert) took control of the situation and guided me on next steps. Then the wider community started getting involved with tracing funds and other things.
rekt:
I'm not surprised that an $8m loss causes some physical side effects - that must have been awful.
How are you handling it psychologically? Has it changed how you think about the industry?
Hugh:
I think I'm doing alright on that front. I tend to take a long-term view of things, and before DeFi summer really kicked off NXM was only around $3. So while I've most certainly lost a lot of money, I didn't have that money 4-5 months ago. A start-up is a roller coaster anyway, so this is just another down section; I'm confident things will turn around.
rekt:
Your written summary of the incident is fascinating.
In one section you write:
"There are connections with other victims of what we believe are similar attacks."
Can you explain these connections?
Hugh:
I can't give too much detail right now, as there are still investigations ongoing but we know of at least 2 other Nexus Mutual members that appear to have been impacted by a similar incident. And anecdotally, through other contacts there are several other victims that have been impacted. We found the two accounts as we were tracing movement of funds.
I guess there are views going around that this was a highly targeted attack that regular DeFi users don't have to concern themselves with. I guess that is correct on some level, but I would point out you don't have to be high profile to be targeted. In general, I'd caution against the view that "it's not going to happen to me".
rekt:
You were using a hardware wallet, your private keys weren't compromised - what can users do to prevent this happening to them?
Hugh:
I've been thinking about this since the attack, and I'm honestly not sure on the best solution. The hardware wallet will show enough information so you can verify exactly what you're approving but you have to be quite technical to understand it. Simple transfers for well known tokens are fine, but any smart contract interaction is likely next to impossible for regular users to understand. Personally, I'm going to check the full tx info against external sources from now on, but I don't think that's a viable solution for everybody.
rekt:
In the summary, you write "My computer was compromised and Metamask was altered from disk".
Do you have any ideas how your computer was compromised?
Hugh:
We don't have a full idea as yet, we're still running full diagnostics on my PC. We believe malware was served from coinbene dot team but it is possible it came from somewhere else.
rekt:
There were some messages on Twitter that suggested you had identified the attacker, can you tell us about your communication with them?
Hugh:
Our CTO, Roxana, had a brief Telegram conversation with one of the hackers, but we also connected them to other hack victims by tracing transactions and talking with police. I can't really disclose any more on this front for the time being, apart from saying we believe they are a highly sophisticated hacking group.
rekt:
Have you spoken to law enforcement about the hack?
Hugh:
Yes, we've spoken to UK police who are also coordinating with other jurisdictions. Other cases have been linked up so they are being treated as a larger investigation.
rekt:
Did you feel that the police were well experienced in dealing with this sort of case?
We cover a lot of hacks and exploits involving huge sums of money, but it seems that they are rarely brought to the attention of law enforcement - why do you think that is?
Hugh:
Not really, they seem mainly set up for things like credit card fraud and other smaller items. The other big challenge is the international aspect, that slows down response times and coordination efforts.
rekt:
Insurance protocols offer hackers the opportunity to multiply their profits by taking insurance before hacking a protocol - have you ever seen evidence of this happening - should this be allowed to happen?
Hugh:
We haven't seen it happen ourselves yet, though I'm sure it will. At Nexus Mutual we introduced proof of loss so you need to prove you control an account that suffered a loss. This will prevent the worst impacts.
Insurance products can work without this criterion, but they will be much more expensive in the long run, as extra claims will be paid. For long-term sustainable products it's better to align interests as much as possible.
rekt:
The community set up a Gitcoin grant to refund some of your losses - you stated the funds would be used to develop wallet security tools - can you give us some details?
Hugh:
That's right. I haven't established the exact details yet, but the goal is to encourage solutions, or progress on technical items, for highly secure personal wallets that are also great from a UX perspective. I know lots of teams are working on this, but we still have some way to go, and I think it's critical that the wider crypto space has great options for self-custody. My particular situation is relatively high profile, but the issue isn't isolated to me, so hopefully this is an opportunity to spur further progress.
rekt:
If our readers want to help or learn more about this project, where should they go?
Hugh:
If you'd like to donate to the grant, here is the link:
If you'd like to learn more about Nexus Mutual you can find us @NexusMutual on Twitter or join our Discord here.
rekt:
Thanks for talking to us.
Hugh:
No problem at all, I appreciate the opportunity and thanks for being a bit more delicate!
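Hugh's point that a hardware wallet shows enough to verify exactly what you are approving, but that smart contract interactions are next to impossible for most users to read, is the crux of this story: what looked like a rewards claim was an ERC-20 transfer of 370,000 NXM to a stranger. The script below is an added example, not part of the interview and not code from Nexus Mutual, showing what "checking the full tx info" amounts to in practice: decoding the raw calldata the wallet asks you to sign and comparing it against the contract you expected to call and the recipients you trust. The contract and recipient addresses, the rewards-claim scenario and the 18-decimal assumption for the token are all constructed for the example; the three function selectors are the standard ERC-20 ones.

```python
# Added example, not code from the interview or from Nexus Mutual: decode what a wallet
# prompt actually asks you to sign so that "claim rewards" can be checked against the raw
# transaction before approving it. Addresses below are constructed placeholders.

# First four bytes of keccak256 of the canonical signature; these are the standard ERC-20 ones.
KNOWN_SELECTORS = {
    "a9059cbb": ("transfer", ("address", "uint256")),
    "095ea7b3": ("approve", ("address", "uint256")),
    "23b872dd": ("transferFrom", ("address", "address", "uint256")),
}
MAX_UINT256 = 2**256 - 1

# Constructed placeholders (assumptions for the example, not real contracts or the real attacker).
TOKEN_CONTRACT = "0x" + "11" * 20
REWARDS_CONTRACT = "0x" + "22" * 20
UNKNOWN_RECIPIENT = "0x" + "dead" * 10


def strip0x(h: str) -> str:
    return h[2:] if h.lower().startswith("0x") else h


def encode_call(selector: str, address: str, amount: int) -> str:
    """ABI-encode an (address, uint256) call: 4-byte selector followed by two 32-byte words."""
    return "0x" + selector + strip0x(address).lower().rjust(64, "0") + format(amount, "064x")


def decode_calldata(calldata_hex: str) -> dict:
    """Return function name, selector and decoded arguments for the known ERC-20 calls."""
    data = bytes.fromhex(strip0x(calldata_hex))
    if len(data) < 4:
        raise ValueError("calldata shorter than a 4-byte function selector")
    selector = data[:4].hex()
    if selector not in KNOWN_SELECTORS:
        return {"function": None, "selector": selector, "args": ()}
    name, types = KNOWN_SELECTORS[selector]
    body = data[4:]
    if len(body) != 32 * len(types):
        raise ValueError(f"{name} expects {len(types)} 32-byte words, got {len(body)} bytes")
    args = []
    for i, typ in enumerate(types):
        word = body[32 * i:32 * (i + 1)]
        if typ == "address":
            # Addresses are right-aligned in the word; the 12 leading bytes must be zero.
            if any(word[:12]):
                raise ValueError("non-zero padding in address argument")
            args.append("0x" + word[12:].hex())
        else:
            args.append(int.from_bytes(word, "big"))
    return {"function": name, "selector": selector, "args": tuple(args)}


def format_units(amount: int, decimals: int) -> str:
    """Render a raw token amount in whole units (18 decimals is the usual ERC-20 choice)."""
    whole, frac = divmod(amount, 10**decimals)
    frac_str = f"{frac:0{decimals}d}".rstrip("0")
    return f"{whole}.{frac_str}" if frac_str else str(whole)


def check_intent(tx: dict, expected_contract: str, trusted=frozenset(), decimals: int = 18) -> list:
    """Compare a transaction {to, data} with what the signer believes they are doing.
    Returns human-readable problems; an empty list means the transaction matches the intent."""
    problems = []
    if tx["to"].lower() != expected_contract.lower():
        problems.append(f"transaction targets {tx['to']}, not the expected contract {expected_contract}")
    decoded = decode_calldata(tx["data"])
    fn = decoded["function"]
    if fn is None:
        problems.append(f"unrecognised selector 0x{decoded['selector']}: decode it against a verified ABI before signing")
        return problems
    recipient = decoded["args"][1] if fn == "transferFrom" else decoded["args"][0]
    amount = decoded["args"][-1]
    summary = f"{fn} of {format_units(amount, decimals)} tokens to {recipient}"
    if recipient.lower() not in {a.lower() for a in trusted}:
        problems.append(f"{summary}: recipient is not on the trusted list")
    if fn == "approve" and amount == MAX_UINT256:
        problems.append(f"{summary}: unlimited allowance")
    return problems


# Constructed sample: the prompt the signer believes is "claim rewards" on the rewards contract
# is in fact a 370,000-token transfer on the token contract to an address they have never seen.
SUSPICIOUS_TX = {"to": TOKEN_CONTRACT,
                 "data": encode_call("a9059cbb", UNKNOWN_RECIPIENT, 370_000 * 10**18)}

if __name__ == "__main__":
    for problem in check_intent(SUSPICIOUS_TX, REWARDS_CONTRACT):
        print("REFUSE:", problem)
```

Run as-is it prints two reasons to refuse the constructed transaction: it goes to the token contract rather than the rewards contract, and it moves 370,000 tokens to an address that is not on the trusted list. The same check on a transfer to a known address returns nothing, and an unlimited `approve` is flagged separately. The decoder deliberately knows only the three ERC-20 selectors: anything else should be decoded against a verified ABI of the contract you meant to call, not signed on trust, which is exactly the step a compromised wallet extension can skip on your behalf.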