The target token, token amount, and recipient addresses were changed, but the copycats utilized the same code as the original hackers.
According to a new study, nearly 90% of the addresses involved in last week's $186 million Nomad Bridge heist have been identified as "copycats," who stole $88 million worth of tokens on August 1.
Peter Kacherginsky, Coinbase’s principal blockchain threat intelligence researcher, and Heidi Wilder, a senior associate of the special investigations team, confirmed in a blog post on August 10 that hundreds of “copycats” joined the party after the initial hackers figured out how to steal money in the bridge hack on August 1.
Security researchers say that the "copycat" technique was a version of the original exploit, which made use of a flaw in Nomad's smart contract to let users withdraw money from the bridge that wasn't actually theirs.
The same code was then replicated by the imitators, but they changed the recipient addresses, target token, and token amount.
Although the initial two hackers were the most successful (in terms of the total amount of money they were able to steal), once the method was discovered by copycats, it became a race among all parties to steal as much money as they could.
According to the Coinbase analysts, the initial hackers first attacked the bridge's wrapped-Bitcoin (wBTC), then USD Coin (USDC) and wrapped-ETH (wETH).
It made sense for the original hackers to extract these tokens first because wBTC, USDC, and wETH were the tokens concentrated in the Nomad Bridge in the highest amounts.
White-hat actions
Surprisingly, Nomad Bridge's request for the return of stolen assets had recovered 17% of the funds as of August 9, with the majority of those tokens being in the form of USDC (30.2%), Tether (USDT) (15.5%), and wBTC (14.0%).
The fact that the bulk of the money was returned in the form of USDC and USDT shows that the majority of the returned funds came from white-hat "copycats," as the original hackers mostly exploited wBTC and wETH.
As of August 9, over 49% of the exploited funds had already been transferred out of the recipient addresses.
The first three recipient addresses were funded via Tornado Cash, an Ethereum-based technology that enables anonymous transactions, according to Coinbase’s report. All USDC and ETH addresses connected to the protocol were blacklisted by the US Treasury on Monday.
Following the $250 million Wormhole Bridge attack in February and the $540 million Ronin Bridge hack in March, the Nomad Bridge hack has grown to become the fourth largest DeFi hack ever and the third largest in 2022. These cross-chain bridges have been criticized for being overly centralized, which makes them a prime target for attackers.