$8 000 000 USD





"The CEO of decentralized finance (DeFi) insurer Nexus Mutual has lost the equivalent to over $8 million in a targeted attack, the firm disclosed Monday." "Nexus Mutual is a community-owned insurance alternative, offering protection from various risks in the DeFi ecosystem. Only members can participate in the network, buy cover and hold NXM tokens." "Nexus Mutual attack was not a result of its smart contract or external smart contracts, rather, the attacker was able to social engineer their way into the founder’s personal wallet." "Only Karp’s address has been compromised and so far Nexus Mutual and its members have remained unaffected. “The mutual is not impacted; the pool of funds and all systems are safe,” according to another tweet an hour ago."


"On Monday 14th of December at 9:40am UTC, I was tricked into approving a single transaction that sent 370,000 NXM to a hacker instead of what I thought was claiming some mining rewards. The hacker has subsequently liquidated the majority of the NXM into ETH/BTC and has been dispersing it to many different addresses and exchanges."


"The attacker was a member of the mutual, having passed know-your-client verification 11 days ago. The attacker was not fully identified though, with investigations still pending. The attacker needed to be a verified member of the mutual in order to receive NXM tokens, though a Nexus Mutual community manager told Cointelegraph that they are "working on the assumption that [the hacker] could have committed identity fraud."" "The attacker gained remote access to his computer & modified the metamask extension, tricking him into signing a different transaction which transferred funds to the attacker’s own address." "The fact that the attacker succeeded in getting Karp to sign the modified transaction demonstrates that Karp did not verify the transaction data on the hardware wallet (which presumably was not compromised) before signing it. Due to the small screen size of these devices and the likelihood that Karp performs many such transactions per day, this is unsurprising but unfortunate."


"To the attacker. Very nice trick, definitely next level stuff. You'll have trouble cashing out that much NXM. If you return the NXM in full, we will drop all investigations and I will grant you a $300k bounty."


"However, like most DeFi related hacks that take place, it’s unlikely that the attacker is going to return the funds." "According to Scorechain, the hacker has been busy converting the stolen NXM into Bitcoin." "Some of the stolen funds have been transferred via decentralized exchange aggregator 1inch.exchange. “We welcome any assistance to stop the funds, which will likely move quickly,” Nexus said." "[T]he attacker has reportedly already laundered up to $2.7 million worth of the stolen NXM, and is now demanding a similar amount to not sell off the rest." “Hello Hugh. I will not sell wNXM any more until wNXM recovers his value or you send me 4.5k ETH. If you need any negotiation with me, send msg to my eth address. Following are your addresses. You are rich, Hugh [...]” "Any negotiation is requested to be directed via the attacker’s Ethereum address, and the message concludes by listing three wallet addresses claimed to belong to Karp, along with the assertion that he is “rich.”" "The Nexus Mutual team is collaborating with law enforcement agencies to track the hacker, and it seems that they are closing in on the attacker. The team shared a reassuring tweet yesterday after Karp alluded to have gained access to the attacker’s IP and other details which might help to nail the hacker."

KYC can create a closed community, but it's far from foolproof. It certainly does not remove the need for proper protections of funds.


The solution to prevent this event would have been to store the funds offline and use a multi-signature wallet. Large funds should not have been stored on the same wallet as used for other everyday transactions.


Check Our Framework For Safe Secure Exchange Platforms

Sources And Further Reading

 For questions or enquiries, email info@quadrigainitiative.com.

Get Social

  • email
  • reddit
  • telegram
  • Twitter

© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.