According to the company, hackers took over $135 million from users of the blockchain gaming company VulcanForge in the latest hack targeting cryptocurrency investors. The hack was announced by VulcanForge on Twitter and in its official Discord channel.
“Over 4m PYR has been stolen from users’ wallets. It was premature to say this is [wallet management service] Venly’s end: we simply don’t know the cause,” the company wrote on Discord, asking users to move funds to Metamask, a popular wallet. “All funds stolen will be replaced once we’ve understood what’s happened.”
Venly's CTO said that its services were not compromised. “No words can do much right now, we know that,” the company wrote on Twitter.
The hackers acquired the private keys to 96 wallets, siphoning off 4.5 million PYR, VulcanForge's token that can be used across its ecosystem, according to a series of tweets from the firm on Sunday and Monday. VulcanForge's major business is generating games like VulcanVerse, which it defines as a "MMORPG," and Berserk, a card game. Both titles, like nearly all blockchain games, appear to be primarily built as platforms for buying and selling in-game products tied to NFTs utilizing PYR. Compromise of someone's private key is a clear "game over" in crypto because it gives complete access over the funds stored by the corresponding address on a blockchain.
This is the third large cryptocurrency theft in the last eleven days. The total amount of cryptocurrency stolen in these three attacks is around $404 million. BadgerDAO, blockchain-based decentralized finance (DeFi) platform, lost $119 million on December 2. The company is requesting that the hacker "do the right thing" and refund the money. Then, four days later, the cryptocurrency exchange BitMart was hacked, resulting in a loss of $150 million.
PYR, like many new tokens, trades on decentralized exchanges, making the VulcanForge hack noteworthy. Decentralized exchanges are powered by smart contracts, and because there is no centralized order book, investors trade against "liquidity pools" comprised of funds given by users in exchange for a "staking" reward. It also implies that there is no centralized authority to blocklist a fraudulent account attempting to cash out stolen funds.
VulcanForge has encouraged users to remove their liquidity since the hack in order to make it difficult or impossible for the attacker to cash out. According to reports, the hacker has so far been able to cash out the majority of the tokens by trading tiny quantities at a time, but not without putting the PYR price into a downward spiral owing to selling pressure.