BadgerDAO, "one of the most security-minded DAOs in operation", has been hit with a cryptocurrency heist enabled via a JavaScript hack on their website. BadgerDAO enables Bitcoin holders to "bridge" their cryptocurrency over to the smart-contract and DeFi-enabled Ethereum platform via its token, thus allowing access to the world of decentralized finance. After preliminary investigations aided by blockchain security and data analytics Peckshield, it seems that the bad actors inserted a malicious script in the BadgerDAO website - in turn intercepting Web 3.0 transactions and inserting a request to transfer the victim's tokens to the attacker's chosen address. It's currently estimated that around $120 million were siphoned off via this attack. A single transfer saw 896 Bitcoin being diverted this way - a cool $50 million.

As soon as BadgerDAO became aware of suspect wallet activity, the company immediately froze all smart contracts running in its platform - a way to stem the bleeding until the security audit could be conducted. Thursday night, BadgerDAO announced it had "retained data forensics experts Chainalysis to explore the full scale of the incident & authorities in both the US & Canada have been informed & Badger is cooperating fully with external investigations as well as proceeding with its own."

Magecart is a relatively new online exploit group that has been in the news recently for affecting British Airways, and Ticketmaster in the recent past months. This hithero-unrecognized group uses a web-based card skimmer script by injecting a precious few lines of malicious code in a website, to then steal sensitive data that customers enter in the payment sections of said affected websites. Two large digital threat management outfits, RiskIQ and Volexity, today released their reports on how Newegg was similarly affected during the time period of August 13, 2018 through September 18, 2018, and what this means to users who may have performed a transaction on the website during this period.

In particular, Newegg.com was affected when the criminals behind Magecart registed the neweggstats.com domain (now inactive) via domain provider Namecheap. As RiskIQ points out, this was soon changed to navigate to the 217.23.4.11 IP address, which is a Magecart server that was used to receive and store all collected user data from the compromise that happened since. A fake certificate was issued to add a layer of legitimacy to the domain, as seen below. Be sure to read past the break to find out more details, and also what the bottom line is for affected users.

This here is an issue that this editor has been fearing for a while, and that we here at TPU have called our users' attention to in the past. It's bad enough when websites willingly implement web mining scripts absent of users' consent or simple knowledge. Opt-in mining as a contribution to a website's revenue would be the best way to go around the issue; however, absent that, a simple opt-out capability wouldn't be much worse. But if stealth usage of a site viewers' computing resources is bad, what then can be said when the site managers themselves are unaware of the implementation of a web miner?

This is what happened with Politifact, the US politics fact-checking website, which is but one of hundreds of the world's top traffic websites that have seen the stealth introduction of these web mining scripts - against the will of the site managers. In the meantime, Politifact has brought down the offending code and has vowed to investigate, but this opens up Pandora's box, really. Generally speaking, these JavaScript apps are running code hosted on another server that the end user - and sometimes even the site hosts - can't inspect or don't expect to have to inspect. And this is easier to do than one would imagine; there's a lack of protection against JavaScript routines like this one. And where there's potential for profit, there's abuse; and that's what we're seeing. It also doesn't help that injecting the necessary JavaScript into the front page of a website is much easier than a full blown hack into a website's databases; and once the code has been shoehorned into a website's code, it runs itself, hijacking users' CPU cycles and putting the resulting Monero coins into a designated wallet.

It has come into the limelight that popular torrenting website The Pirate Bay (TPB) has been running additional code on their site, which helped enable them to make use of a visitor's CPU in mining Monero (XMR, a cryptocurrency with added layers of anonymity when compared to Bitcoin). Now, I realize Torrenting (in particular, of copyright-protected material) is in itself a subject open to heated debate - but let's leave that discussion for another day. Today, I thought I'd focus on this mining act itself, on how TPB was secretly using your computing resources to stealthily mine cryptocurrency which they could then turn into additional revenue.

That this was done without the users' consent is clearly wrong. We as users are entitled to know what to expect from our system and from its usage of our resources - as seldom as we can claim that ability nowadays. That a site we are visiting is using our computing resources to generate additional revenue than the one it obtains from ads without, at the very least, being forthcoming about it (with the increased electricity costs that implies, however small) can be considered, at a minimum, distasteful. However, the discussion becomes much more interesting if we wonder what would have happened if users had, in fact, been warned. What does this mean for the future of web browsing, for revenue models - and for those pesky, flashy, little (or not so little) ads?To our forum-lurkers: this article is marked as an Editorial