Nearly 90% of Nomad Bridge Exploiters Were “Copycats”

Nearly 90% of Nomad Bridge exploiters were “copycats” according to a report by Coinbase on the exploit that happened earlier this month.

The target token, token amount, and recipient addresses were changed, but they (the copycats) utilized the same code as the original hackers.

Nearly 90% of Nomad Bridge Exploiters Were “Copycats”

According to a recent study, nearly 90% of the addresses involved in the $186 million Nomad Bridge heist last week have been identified as “copycats,” who stole $88 million worth of tokens on August 1.

Peter Kacherginsky, Coinbase’s chief blockchain threat intelligence researcher, and Heidi Wilder, a senior associate of the special investigations team, confirmed what many had assumed during the bridge hack on August 1: that after the original hackers worked out how to take cash, hundreds of “copycats” joined the party. The revelation was made in a blog post published on August 10 by Coinbase.

Security researchers claim that the “copycat” technique was a version of the first vulnerability, which made use of a flaw in Nomad’s smart contract to let users withdraw money from the bridge that wasn’t actually theirs.

The copycats then produced the exact identical code, but they altered the recipient addresses, target token, and token quantity.

Despite the fact that the first two hackers were the most successful in terms of the overall amount of money they were able to steal after the technique was copied by others, there was a race to see who could take the most money.

According to Coinbase experts, the early hackers targeted the Bridge’s wrapped-Bitcoin (wBTC), followed by wrapped-ETH and USD Coin (USDC) (wETH).

White-hat actions

Unexpectedly, Nomad Bridge’s request for the return of stolen money resulted in a 17% return (as of August 9), with the majority of those tokens being in the form of USDC (30.2%), Tether (USDT) (15.5%), and wBTC (14.0%).

The fact that the bulk of the funds were returned in the form of USDC and USDT shows that the majority of the funds were from white-hat “copycats,” as the original hackers mostly exploited wBTC and wETH.

As of August 9, 49% of the stolen money had already been transferred from each recipient’s address to a different location.

According to Coinbase’s analysis, the first three recipient addresses were financed using Tornado Cash, an Ethereum-based system that permits anonymous transactions. The US Treasury banned all USDC and ETH addresses linked to the protocol on Monday.