In a recent cyberattack, the multi-chain trading platform Thunder Terminal fell victim to a hacker attack, revealing that a malicious actor exploited vulnerabilities to gain access to a MongoDB connection. The breach, disclosed on December 27, highlighted the hacker’s successful acquisition of a MongoDB connection URL, which granted them access to session tokens and enabled unauthorized withdrawals on behalf of users.
Response by the Thunder Terminal Team
Thunder Terminal promptly responded to the security breach by revoking all session tokens and transaction signing access as a precautionary measure. They took several steps to prevent further malicious withdrawals and future access to session tokens:
- Revoked all pre-existing connection URLs.
- Revoked all pre-existing session tokens.
- Ensured that all current and future connection URLs can only be accessed and used directly from their servers.
While assuring users that no private keys or wallets were compromised, Thunder Terminal acknowledged that “less than 1% of wallets” were affected, resulting in funds being stolen from a minimum of 114 wallets. They clarified that the exploit occurred through withdrawal requests that their server considered authorized due to leaked session tokens, emphasizing that no private keys were stored, and desktop wallets remained unaffected.
As of the latest update, the exact method through which the hacker gained access to the project’s database remains unclear. Thunder Terminal suggested a potential link to an incident involving New York-based MongoDB. In mid-December, MongoDB reported detecting “suspicious activity” on its network, ultimately confirming a breach where hackers had infiltrated their systems.
Blockchain Analyst’s Findings
Blockchain analyst ZachXBT traced the attack, revealing that 86.5 ETH (approximately $192,500) was transferred to Railgun, a privacy-centric protocol facilitating anonymous cryptocurrency swaps and private transactions. Additionally, the hacker made off with over 439 SOL (around $49,160).
Initially, Thunder Terminal attributed the attack to a compromise of their third-party provider and assured users that their funds were safe, promising imminent refunds. However, a surprising twist occurred when the hacker issued a blockchain-based statement. This message accused the Thunder Team of dishonesty and demanded a ransom of 50 ETH, threatening to disclose all user data if the payment was not made.
Thunder Terminal’s recent ordeal serves as a stark reminder of the persistent threats facing the cryptocurrency space. When platforms rely on third-party services for data accumulation, the entire system becomes vulnerable to security threats. As the cryptocurrency industry continues to evolve, platforms must remain vigilant and reinforce their security measures. Stakeholders should prioritize user protection and strengthen their defenses against increasingly sophisticated cyber threats.