Lottie Player hit with a supply chain attack, stealing 10 wrapped BTC from Avalanche wallet

Source Cryptopolitan

Lottie Player was hit with a supply chain attack, affecting one wallet with 10 Bitcoin (BTC). The Wordpress tool has been abused to send malicious links to Web3 users, effectively draining wallets. 

Lottie Player, the Wordpress animation library, has been used as a vector of attack for Web3 users. Through malicious links, at least one wallet has been drained of 10 Bitcoin (BTC). 

The Lottie Player attack has affected widely used projects like 1inch and Mover. The 1inch attack may be especially harmful, as the DEX trading service is among the most widely used ones on Ethereum. 

Blockaid has also reported it has been spreading malicious wallet connections through its website. Bubble was another front-facing website affected by the malicious popups, and became one of the first to be reported. Bubble is also the source for building third-party apps, which could have been affected in the hours when the old versions were active. 

Researchers from Blockaid have identified Ace Drainer as the most probable source of the attack. The malicious version of Lottie Player has been removed, but not before spreading fake links for signing with widely used Web3 wallets. The attack has been active for at least 12 hours, increasing the balances in several identified attack wallets.

Lottie player hit with a supply chain attack, stealing 10 wrapped BTC from Avalanche wallet
Lottie Player launched a popup asking to connect a crypto wallet. | Source: GitHub

The attack was first noted when a wallet got drained of 10 BTC, leading to the source of fake links. The risk was in quickly signing all requests, including permanent access to wallets. This allowed the attackers to even drain Avalanche C-Chain addresses, stealing a form of wrapped BTC. The attack itself did not ask for a self-custodial Bitcoin wallet, but relied on the need for Web3 connectivity.

Users also noted the Lottie Player would populate a Web3 route with a malicious transaction when used for websites in the usual way. Analysts noted the attack targeted Ethereum and EVM-compatible chains. 

The attackers’ addresses continue to show activity, affecting small holdings of various Web3 tokens. For now, the entire size of the attack has not been accounted, and may have affected other tokens. The attackers are swapping the tokens quickly through Uniswap, or even through MetaMask swap.

Lottie Player attack spread to multiple sites

The Lottie Player attack displayed a very familiar screen for Web3 users, urging them to connect some of the top wallets, including MetaMask, WalletConnect, and others.

Even the TryHackMe platform experienced the popup, but moved to an older version. The issue has been reported by other users of popular websites. 

The attack affected two versions of Lottie Player, first noticed late on October 30. The attacks originated from versions 2.0.5 or higher. Website owners had to clear the attack themselves in the initial hours, by reverting to other tools or older versions of Lottie Player. Some have chosen to delete the scripts as a precaution. 

Wallet owners may still have to revoke permissions, if they have connected to any of the injected links. Sites like 1inch draw in more than 590K monthly users, and may have affected multiple undetected wallets.

Lottie Player team publishes safe version

The Lottie Player team reacted by uploading a legitimate new version 2.0.8, while unpublishing the contaminated scripts. The team noted the faulty versions were three in total, published directly to NPM using a compromised access token from a developer with the required publishing privileges. The team notes no other repositories or libraries have been affected. 

Lottie Player is widely used for animations and minor features on websites, but has been added to the list of distributors for malicious links. Those types of attacks target individual wallets, adding to the risk of poisoned addresses, direct targeting in email and messages, and fake website versions. 

The attack happens during the next stage of a crypto bull market, accelerating attempts to steal more valuable tokens. Connecting a wallet is best done for a specific purpose, avoiding full-time permissions for signing transactions. Launching a wallet connection immediately after entering a website may be a red flag.

Disclaimer: For information purposes only. Past performance is not indicative of future results.
placeholder
Copper Long-term forecast: Will Copper Price Expected To Soar In 2023?The price of copper is affected by various of factors. You may wonder how the price of cooper will be in 2023, check out our forecast analysis.
Author  Mitrade
Mar 13, 2023
The price of copper is affected by various of factors. You may wonder how the price of cooper will be in 2023, check out our forecast analysis.
placeholder
Natural Gas sinks to pivotal level as China’s demand slumpsNatural Gas price (XNG/USD) edges lower and sinks to $2.56 on Monday, extending its losing streak for the fifth day in a row. The move comes on the back of China cutting its Liquified Natural Gas (LNG) imports after prices rose above $3.0 in June. It
Author  FXStreet
Jul 01, Mon
Natural Gas price (XNG/USD) edges lower and sinks to $2.56 on Monday, extending its losing streak for the fifth day in a row. The move comes on the back of China cutting its Liquified Natural Gas (LNG) imports after prices rose above $3.0 in June. It
placeholder
Microsoft FY25Q1 Earnings Preview: Will Concerns Over Copilot’s AI Returns Ease? Insights - Microsoft (MSFT) is set to announce its Q1 FY2025 earnings after the market closes on October 30, 2024.
Author  Mitrade
Yesterday 02: 27
Insights - Microsoft (MSFT) is set to announce its Q1 FY2025 earnings after the market closes on October 30, 2024.
placeholder
Gold price hits fresh record high on US election uncertainty, geopolitical risksGold prices (XAU/USD) climbs to a fresh record high during the Asian session on Wednesday as uncertainties surrounding the US presidential election, and the Middle East conflict continue to boost demand for traditional safe-haven assets.
Author  FXStreet
Yesterday 06: 49
Gold prices (XAU/USD) climbs to a fresh record high during the Asian session on Wednesday as uncertainties surrounding the US presidential election, and the Middle East conflict continue to boost demand for traditional safe-haven assets.
placeholder
2 Things to Watch When Uber Reports Its Q3 2024 ResultsTradingKey - Two decades ago, ride-hailing wasn’t a term that anyone had heard of. However, the rise of massive ride-hailing platforms have changed that and allowed anyone to catch a card ride when th
Author  Mitrade
Yesterday 10: 06
TradingKey - Two decades ago, ride-hailing wasn’t a term that anyone had heard of. However, the rise of massive ride-hailing platforms have changed that and allowed anyone to catch a card ride when th
goTop
quote