Proof-of-Stake (PoS) blockchain node provider Ankr fell victim to a hack this Friday, July 1. The RPC (Remote Procedure Call) gateways provided by the company to access the Polygon and Fantom networks have been hijacked in an attempt to extract funds from its customers. Let’s take stock of this hack.
Ankr users encouraged to reveal their “seed phrases”
This Friday, July 1, the Proof-of-Stake (PoS) blockchain node provider Ankr was the target of a hack. The hacker(s) managed to compromise its RPCs for the Polygon (MATIC) and Fantom (FTM) networks.
In practice, users who attempted to access the Polygon (MATIC) and Fantom (FTM) blockchains through the RPC gateways provided by Ankr came across an error message encouraging them to reveal their “seed phrase” (also called passphrase or recovery phrase). A seed phrase is the human-readable form from which all of a wallet's private keys are derived, so once in possession of it the hacker(s) could access the wallets of the victims who fell into the trap and steal their funds.
Attention please, attack on @0xPolygon is ongoing right now!
Users see an RPC error asking users to urgently reset their seed on polygonapp net (looks like this is whether DNS hijack or a form of a supply chain attack).
Just a scam popup to bring you to a page to put your seed. pic.twitter.com/fZxtlkKeDN
— CIA Officer (@officer_cia) July 1, 2022
A domain name hijacking at the origin of the piracy
According to Chandler Song (co-founder of Ankr) and Mudit Gupta (head of IT security at Polygon), the source of this hack reportedly lies with Gandi, Ankr's domain name registrar, which is said to have transferred control of the Ankr account to the hacker. How the hacker achieved this is not yet known, but he may have had the help of an accomplice at Gandi.
Gandi (customer agent compromised?) transferred control of Ankr’s account to the attacker and that was the root cause of the DNS Hijack.
Ankr acted swiftly and has regained access to the account.https://t.co/UgLPD63rYK
— Mudit Gupta (@Mudit__Gupta) July 1, 2022
It is therefore through a domain name hijacking that the attacker reportedly succeeded in redirecting users to a fraudulent address, which affected Ankr’s RPCs for the Polygon (MATIC) and Fantom (FTM) blockchains, so that users of the platform came across this now-infamous error message asking them for their seed phrases.
Use other RPCs to access Polygon (MATIC) and Fantom (FTM)
Put simply, RPCs allow users to connect their wallets to a blockchain. For example, when you add a new blockchain to a wallet like MetaMask, you do so via an RPC. To better understand, we invite you to read our tutorial on linking the Avalanche blockchain (AVAX) to MetaMask.
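Because a wallet trusts whatever the RPC gateway returns, a hijack like this one shows up in two places a defender can check: the address the gateway's hostname resolves to, and the content of the JSON-RPC replies (a legitimate eth_chainId reply for Polygon or Fantom never carries an "error" asking for a seed phrase). The following is an added example written for this article, not code from Ankr, Polygon or Fantom: the chain IDs are the real eth_chainId values, while the hostname, the pinned addresses and the sample replies are constructed.

```python
# Constructed example, not code from Ankr, Polygon or Fantom: chain IDs are the real
# eth_chainId values; hostnames, addresses and the sample replies are made up.
import json
import re

# eth_chainId returns the chain ID hex-encoded: Polygon PoS = 137, Fantom = 250.
EXPECTED_CHAIN_ID = {"polygon": "0x89", "fantom": "0xfa"}

# Words that never belong in a legitimate JSON-RPC error; a gateway hijacked to
# phish its users will typically carry them in the error text it returns.
LURE_PATTERN = re.compile(
    r"seed\s*phrase|recovery\s*phrase|passphrase|reset your seed|private key", re.I
)

def check_chain_id_reply(reply_json, expected_hex):
    """Findings for one reply to eth_chainId; an empty list means the reply is sane."""
    findings = []
    try:
        reply = json.loads(reply_json)
    except json.JSONDecodeError:
        return ["reply is not valid JSON"]
    if reply.get("jsonrpc") != "2.0":
        findings.append("missing or wrong jsonrpc version")
    err = reply.get("error")
    if err is not None:  # an error reply carries no result to compare
        msg = str(err.get("message", "")) if isinstance(err, dict) else str(err)
        lure = bool(LURE_PATTERN.search(msg))
        findings.append(("error text asks for wallet secrets: " if lure else "rpc error: ") + msg)
        return findings
    if str(reply.get("result", "")).lower() != expected_hex:
        findings.append(f"chain id {reply.get('result')!r} != expected {expected_hex}")
    return findings

def check_resolution(host, observed_ips, pinned_ips):
    """Flag addresses `host` resolved to that lie outside the operator's pinned set.
    `observed_ips` comes from the caller's resolver (e.g. socket.getaddrinfo); a
    sudden change here is exactly what a registrar or DNS hijack produces."""
    unexpected = sorted(set(observed_ips) - set(pinned_ips))
    return [f"{host} resolved to unexpected address {ip}" for ip in unexpected]

# Constructed sample data: one sane reply, one phishing lure, one wrong chain.
GOOD_REPLY = '{"jsonrpc":"2.0","id":1,"result":"0x89"}'
LURE_REPLY = ('{"jsonrpc":"2.0","id":1,"error":{"code":-32000,"message":'
              '"RPC error: please reset your seed phrase at wallet-reset.example.invalid"}}')
WRONG_CHAIN = '{"jsonrpc":"2.0","id":1,"result":"0x1"}'
PINNED_IPS = {"203.0.113.10", "203.0.113.11"}  # assumed baseline for rpc.example.invalid
```

A monitoring job would run both checks on a schedule against every gateway it depends on and alert on any non-empty result; a wallet can apply the reply check before rendering an RPC error to the user.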
As Wil, blockchain expert and fundamental analysis specialist for our private group Le Grille-Pain points out:
“There are a multitude of RPCs to connect to each blockchain. Only the RPCs provided by Ankr to access the Polygon and Fantom blockchains were compromised.”
While waiting for this case to be clarified, Ankr gave its users new RPCs to access Polygon (MATIC) and Fantom (FTM) via a tweet posted this afternoon.
‼️For the time being, please use https://t.co/LcnNn1OIWH and https://t.co/LrPIztRL1y
— Ankr (@ankr) July 1, 2022
In the early evening, the company tweeted again to say that the RPCs of the Polygon (MATIC) and Fantom (FTM) networks had been fully restored, adding that all of its services were working fine. Ankr took the opportunity to confirm that it had been the victim of a Domain Name System (DNS) attack.
This happened because a third-party we use for DNS gained access to a way to modify some settings on our accounts.
DNS is unfortunately not decentralized.
Moreover ‼️The RPCs from https://t.co/Q8fL5Y3bS2 have never been affected.
— Ankr (@ankr) July 1, 2022
If you prefer, it is also possible to securely connect to these two blockchains using RPCs from other providers, for example those listed on Chainlist.
The Polygon team also wanted to point out that this hack did not affect the Polygon Proof-of-Stake blockchain in any way, the second-layer solution used by the general public.
The Polygon PoS chain is running smoothly. Here are some updates.
— Polygon – MATIC 💚 (@0xPolygon) July 1, 2022
This DNS attack is reminiscent of the one that hit Convex and other DeFi protocols a few days ago. In any case, it is a good reminder for all cryptocurrency users: never share your seed phrase on the internet, especially when asked for it.