Telegram Bot Banana Commits to Covering US$3 Million Lost in Hack

The recent string of incidents, including the Banana Gun exploit and similar events at BingX, Indodax, and Shezmu's yield protocol, has been a stark reminder of the ever-present risks in the cryptocurrency sector.


On September 25th, the Banana Gun X account shared a new post clarifying that all users affected by the September 19th exploit will receive a full refund directly from the Banana Gun treasury. No Banana Gun tokens will be sold to fund these reimbursements.

The hack affected only 11 Banana Gun users. In a statement, the team explained that the attack was specifically aimed at sophisticated traders and crypto veterans, people who are experienced and difficult to deceive. All of the affected parties were recognized figures within the industry, either for their online influence or their trading proficiency.

On September 19th, users of the Banana Gun trading bot reported unauthorized transactions from their wallets. The transfers went out while the victims were using the bot and receiving its notifications. The attackers moved cryptocurrency out of the victims' wallets through Banana Gun's bots on both the Solana and Ethereum networks.

Security Flaws Discovered in Telegram Message Oracle

Unlike common attackers, who usually target unsuspecting new investors, the attacker behind the Banana Gun exploit went after skilled crypto traders. By gaining control over the victims' active trading bots, the attacker was able to move ETH out of their wallets without authorization. Because the bots emitted notifications for the unauthorized transfers, Banana Gun came to suspect that a weakness in the Telegram message oracle had been exploited.

In a post on X, the Banana Gun team said that, together with external experts, they had identified a possible weakness in the Telegram message oracle the bot relies on, and that this flaw might be connected to the exploit. The investigation was still ongoing at the time of the post.

The transfers appeared to have been carried out manually, which corroborated this finding and suggested that the attacker's objective was to drain specific high-value targets rather than to launch a broad, automated attack.

After resolving the problem, Banana Gun restarted the EVM and Solana bots and introduced security precautions to prevent further loss of funds. These measures include requiring two-factor authentication for transfers, introducing a two-hour delay on transfers, and conducting a thorough examination of the systems, among other steps.
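As an added illustration of the two controls just described (this is not Banana Gun's code; the two-hour window, the HMAC-based second factor, and all user, address and function names are assumptions): a withdrawal gate that holds every transfer for the delay, lets the owner cancel without a second factor during the hold, and releases a transfer only with a code bound to that exact destination and amount. The point of the combination is that an attacker who controls the bot session still cannot move funds before the owner has had time to see the notification and cancel.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass

HOLD_SECONDS = 2 * 60 * 60  # assumed two-hour hold, matching the measure described


def user_device_code(device_secret: bytes, transfer_id: str, destination: str, amount_wei: int) -> str:
    """Code the user's authenticator would show for one specific transfer (assumed HMAC scheme).
    Binding the code to destination and amount means a code phished for one transfer
    cannot authorise a different one."""
    msg = f"{transfer_id}|{destination}|{amount_wei}".encode()
    return hmac.new(device_secret, msg, hashlib.sha256).hexdigest()[:8]


@dataclass
class PendingTransfer:
    transfer_id: str
    user_id: str
    destination: str
    amount_wei: int
    requested_at: float
    cancelled: bool = False
    executed: bool = False


class WithdrawalGate:
    def __init__(self, device_secrets: dict[str, bytes], clock=time.time):
        self._secrets = device_secrets  # user_id -> second-factor secret shared with the user's device (assumed)
        self._clock = clock
        self._pending: dict[str, PendingTransfer] = {}
        self._counter = 0

    def request(self, user_id: str, destination: str, amount_wei: int) -> str:
        """Queue a transfer; nothing moves until the hold has elapsed. A real bot notifies the user here."""
        self._counter += 1
        tid = f"tx-{self._counter:04d}"
        self._pending[tid] = PendingTransfer(tid, user_id, destination, amount_wei, self._clock())
        return tid

    def cancel(self, user_id: str, transfer_id: str) -> bool:
        """Cancellation needs no second factor: the owner must be able to stop an unwanted transfer fast."""
        p = self._pending.get(transfer_id)
        if p is None or p.user_id != user_id or p.executed:
            return False
        p.cancelled = True
        return True

    def execute(self, transfer_id: str, second_factor: str) -> tuple[bool, str]:
        """Release a transfer only if it was not cancelled, the hold has elapsed, and the code matches."""
        p = self._pending.get(transfer_id)
        if p is None:
            return False, "unknown transfer"
        if p.cancelled:
            return False, "cancelled by owner"
        if p.executed:
            return False, "already executed"
        remaining = p.requested_at + HOLD_SECONDS - self._clock()
        if remaining > 0:
            return False, f"hold active, {int(remaining)}s remaining"
        expected = user_device_code(self._secrets[p.user_id], p.transfer_id, p.destination, p.amount_wei)
        if not hmac.compare_digest(expected, second_factor):
            return False, "second factor mismatch"
        p.executed = True
        return True, "executed"


class FakeClock:
    """Controllable clock so the hold can be advanced without sleeping (test scaffolding, not production)."""
    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


def demo() -> list[str]:
    clock = FakeClock()
    secret = b"alice-device-secret"  # constructed sample secret
    gate = WithdrawalGate({"alice": secret}, clock=clock)
    results = []

    # 1. An attacker holding Alice's bot session queues a transfer to their own address.
    tid = gate.request("alice", "0xattacker", 10**18)
    results.append(gate.execute(tid, "00000000")[1])  # hold still active, nothing moves
    # 2. Alice sees the notification and cancels inside the window; even a valid code cannot revive it.
    gate.cancel("alice", tid)
    clock.now += HOLD_SECONDS + 1
    results.append(gate.execute(tid, user_device_code(secret, tid, "0xattacker", 10**18))[1])
    # 3. A legitimate transfer waits out the hold; a wrong code is rejected, the device code is accepted.
    tid2 = gate.request("alice", "0xalice-cold", 5 * 10**17)
    clock.now += HOLD_SECONDS
    results.append(gate.execute(tid2, "deadbeef")[1])
    results.append(gate.execute(tid2, user_device_code(secret, tid2, "0xalice-cold", 5 * 10**17))[1])
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The order of checks in `execute` matters: the cancellation and hold checks come before the second-factor check, so an attacker cannot use the code comparison as an oracle while a transfer is still held.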

Additionally, the back-end systems have been migrated to new servers to strengthen the application's security, and the team plans to commission further penetration tests and security audits covering both the web applications and the Telegram bots. Banana Gun also acknowledged its partners, AML Bot, the Binance Security team, and the Seal Team, who played key roles in the investigation and recovery.

A Series of Similar Incidents

The Telegram bot breach was one of several incidents in September 2024. In the case of BingX, the exchange detected an abnormal outflow from one of its hot wallets; its investigation attributed the outflow to an attack that drained approximately $43 million in assets including BNB, Ether, and MATIC.

Indodax, a cryptocurrency exchange based in Indonesia, was likewise hacked on September 11th and lost approximately $20 million in digital assets from its hot wallets. SlowMist, a blockchain analysis company, found that the stolen tokens were quickly swapped into Ethereum, Polygon, TRON, and Bitcoin, making recovery of the funds difficult.

One incident ended differently. On September 21st, the attacker who took $5 million from Shezmu's yield protocol returned most of the stolen funds after accepting a 'white hat' bounty.


2024-10-01 11:19