Post Mortem of KlaySwap Incident through BGP Hijacking
Date 2022. 02. 16
According to theIncident Reportreleased byKLAYswap, the first case of using the KLAYswap UI to transfer tokens into an attacker’s wallet took place on February 3, 2022.
KLAYswap posited thata malicious code download disguised as a Kakao SDK file by an external network attackwas the cause of the accident.
KLAYswap and KakaoTalk-related services dynamically load and use Kakao SDK (Software Development Kit) for marketing purposes. During this particular attack, there was a problem that the connection was not possible or slowed down in the service using the same SDK.
After analyzing this attack, the S2W TALON team observed that theBGP hijackingtechnique was used for the aforementioned external network attack. By manipulating the network flow through BGP Hijacking, the attacker configured users connected to KLAYswap to download malicious code from the attacker’s server rather than the normal SDK file.
It is known that the malicious code was distributed only to users who accessed the server through KLAYswap by checking the Referer value of the HTTP header when connecting, while a server-side error was returned to other users. For this reason, it is understood that access to other services using the SDK was disrupted.
Due to this attack, if a KLAYswap user requested a deposit, swap, withdrawal, etc. of assets in the 1.5 hour period beginning from 11:30 on February 3rd, assets were immediately transferred to the attacker. Analysis of the blockchain transactions indicates that while the stolen coins totaled in a value of about 2.2 billion won, the actual attacker stole coins with a value of about 1 billion won.
S2W intends to inform the danger of the attack by describing the relatively unfamiliar attack of BGP Hijacking as well as the detailed attack process to share what kind of actual damage can be caused by this attack.
All times mentioned in the analysis results below are based on Korea Standard Time (UTC+9).