- Thunder team confirmed the exploit on X, stating that 86 ETH and 439 SOL were lost in the attack.
- The hacker stated that they held user data regarding private keys and that they intended to delete it.
- The Thunder team stated no keys or wallets are stored by the protocol, hence making the threat irrelevant.
The team also assured affected users that their funds would be refunded and that they would be given 0% fees.
The crypto market witnessed another hack before the year ended as trading platform Thunder confirmed an exploit on December 27. The DeFi protocol running on Ethereum, Solana, and other chains has been threatened by the exploiter of potentially deleting users’ private keys’ data, although the team denied the possibility, reassuring the safety of assets.
Crypto trading protocol Thunder hacked
Crypto trading protocol Thunder took to X, formerly Twitter, to confirm a suspected exploit on December 27. The team addressed the suspicious withdrawals that began early in the morning and put a halt to the same in the next nine minutes.
The hacker still managed to steal 86.5 ETH and 439 SOL, collectively worth over $239,000. According to Thunder, the exploiter managed to gain access to a MongoDB connection URL, which they used to pull session tokens and execute withdrawals on behalf of users.
While the team behind the protocol stated that 114 out of the 14,000 wallets on the platform were affected, the exploiter noted that they held the user data concerning private keys and intended to delete them.
Thunder exploiter’s threat
This threat was discredited by the Thunder team, which stated,
“No private keys nor wallets were compromised…We do not store any private keys, so the attacker does not have access to any wallets. Desktop wallets were not affected. Less than 1% of wallets on our platform were affected as a result of this attack.
Furthermore, the team stated that they are already communicating with the Federal Bureau of Investigation (FBI) and are willing to negotiate with the exploiter, failure of which would lead to them taking legal action.
We have taken the following actions:
– Our legal team and the FBI have been contacted.
– We are now undergoing a full, technical audit.
– We are working on adding 2FA immediately for withdrawals.
– We are adding additional security regarding session issuing.
– We know which…
— Thunder (@ThunderTerminal) December 27, 2023
Lastly, users were reassured of the safety of their assets, and the ones affected were notified with the team claiming that the lost funds would be refunded in full and the users would be given 0% fees and $100,000 in credits.
The Thunder exploit could be the last exploit of 2023, which has already seen the theft of more than $2 billion worth of assets, with the largest attack witnessed by blockchain security consultancy firm Mixin Network, resulting in the loss of over $200 million worth of digital assets.