PlayDapp Post-Mortem on the Hacking Incident

PlayDapp Team
7 min read · Apr 1, 2024


Introduction

Regarding the recent hacking incident, the PlayDapp team will share the actions taken following the hack (within the permissible scope).

However, please understand that we cannot disclose specific details that may impact ongoing investigations by judicial authorities.

1. Incident Overview

On February 9th, 2024, at 10:39 PM (UTC+9), a hacking incident occurred where an unidentified group of hackers compromised the PlayDapp (PLA) token smart contract. The hacker illicitly obtained the private key, allowing them to change ownership and mint permissions of the contract to their account. They removed the existing administrator’s authorizations and invalidly minted 200 million PLA tokens to their account.

On the 12th at 10:09 PM, the hacker invalidly minted an additional 1.59 billion PLA tokens as a second attempt, but market circulation was halted as exchanges had already taken measures to freeze and hold incoming transactions, preventing them from being circulated.

On the 13th at 11:05 AM, the hacker eventually paused the compromised PLA smart contract.
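The privileged actions described above (an ownership change away from the known administrator, a new minter, and mints far larger than any routine issuance) are exactly what an on-chain monitor should page on. The following is an added example, not PlayDapp's own tooling; it scans constructed ERC-20 style event records, and the addresses and block numbers are placeholders:

```python
# Added example (not PlayDapp's monitoring tooling): alert on the privileged actions the
# incident involved, i.e. ownership/role changes away from a known admin and large mints
# (ERC-20 Transfer events whose sender is the zero address). Addresses are constructed.
from dataclasses import dataclass

ZERO_ADDRESS = "0x" + "00" * 20
ADDR_KEYS = {"from", "to", "previousOwner", "newOwner", "account"}  # normalised to lowercase

@dataclass
class Event:
    block: int
    name: str      # "OwnershipTransferred", "RoleGranted" or "Transfer"
    args: dict

def scan_events(events, trusted_admins, mint_cap):
    """Return one alert string per suspicious event; an empty list means nothing to act on."""
    trusted = {a.lower() for a in trusted_admins}
    alerts = []
    for ev in events:
        a = {k: (v.lower() if k in ADDR_KEYS else v) for k, v in ev.args.items()}
        if ev.name == "OwnershipTransferred" and a["newOwner"] not in trusted:
            alerts.append(f"block {ev.block}: ownership moved from {a['previousOwner']} to {a['newOwner']}")
        elif ev.name == "RoleGranted" and a["account"] not in trusted:
            alerts.append(f"block {ev.block}: role {a['role']} granted to {a['account']}")
        elif ev.name == "Transfer" and a["from"] == ZERO_ADDRESS and a["value"] > mint_cap:
            alerts.append(f"block {ev.block}: mint of {a['value'] // 10**18} tokens to {a['to']} exceeds cap")
    return alerts

# Constructed placeholders, not the real addresses from the incident.
ADMIN = "0x" + "a1" * 20
INTRUDER = "0x" + "b2" * 20
MINT_CAP = 1_000_000 * 10**18       # 1M tokens; any single mint above this is abnormal here

SAMPLE_EVENTS = [
    Event(100, "Transfer", {"from": ZERO_ADDRESS, "to": ADMIN, "value": 50_000 * 10**18}),  # routine mint
    Event(101, "RoleGranted", {"role": "PAUSER_ROLE", "account": ADMIN}),                    # benign
    Event(200, "OwnershipTransferred", {"previousOwner": ADMIN, "newOwner": INTRUDER}),
    Event(200, "RoleGranted", {"role": "MINTER_ROLE", "account": INTRUDER}),
    Event(201, "Transfer", {"from": ZERO_ADDRESS, "to": INTRUDER, "value": 200_000_000 * 10**18}),
    Event(320, "Transfer", {"from": ZERO_ADDRESS, "to": INTRUDER, "value": 1_590_000_000 * 10**18}),
]

if __name__ == "__main__":
    for line in scan_events(SAMPLE_EVENTS, [ADMIN], MINT_CAP):
        print(line)
```

The two benign events produce nothing; the four events mirroring the incident each produce an alert.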

2. Incident Timeline (UTC+9)

On January 16, 2024, at 11:13 AM, an email was received regarding a business request from a specific exchange whose domain was spoofed.

  • It was a domain-spoofed mail from the hacker. This e-mail was carefully crafted to resemble regular information request emails received from our major partner exchanges, with identical subject lines, sender email addresses (including username AND domain), and content.
  • Upon opening the attachment in the email, malicious code was executed, installing a tampered remote access multi-session tool.
  • Subsequently, the hacker gained remote control of the PC, leading to the theft of the administrator’s private key.

February 9, 2024, 10:39 PM — The hackers illicitly utilized the stolen private key to alter the entire permissions of the contract to their accounts, removing existing administrator’s authorizations, and invalidly minted 200 million PLA tokens to their accounts.

https://etherscan.io/address/0x6f53e6f92e85c084e10aaf35d4a44dee6a27892d

February 10, 2024, 02:00 AM — Upon recognizing the abnormal situation, the PlayDapp team urgently convened team members and notified major centralized exchanges of the situation, requesting the suspension of deposits, withdrawals, and trading activities.

  • 2:22 AM: Upbit Exchange issued an advisory urging caution regarding PLA investments and temporarily halted deposits and withdrawals.
  • 2:43 AM: Binance Exchange suspended PLA token deposits.
  • 2:44 AM: Bithumb Exchange temporarily halted PLA deposits and withdrawals.

February 10, 2024, 4:17 AM — PlayDapp requested the removal of the PLA bridge on Polygon.

February 10, 2024, 4:30 AM — PlayDapp prepared a mitigation plan for the damage of the hacking incident.

February 10, 2024, 6:05 AM — PlayDapp announced the hacking incident on social media.

February 10, 2024, 2:28 PM — After removing the Polygon bridge, PlayDapp announced in official community channels the transfer of ALL PlayDapp-held PLA to a new, secure wallet.

February 10, 2024, 2:50 PM — PlayDapp transferred its holdings of unlocked PLA tokens to a new address.

February 10, 2024, 3:10 PM — PlayDapp transferred locked-up PLA tokens to a new address.

February 10, 2024, 10:46 PM — The initial IDM was sent to the hacker, offering the White Hat reward, but the negotiation was unsuccessful.

https://etherscan.io/tx/0xcb660a82a33480b17527f8c6675e0f43dd875405aee3faffa520e702544f88f2

IDM: Hackers,

It will be difficult to move/exchange the stolen funds any further, we are currently in contact with law enforcement and blockchain intelligence companies.

If you return all access to the contract and the stolen funds by February 13, 2024, at 3:00 AM ET, we will pay a white hat reward of $1 million; otherwise, we will release the same amount as a bounty and work with law enforcement agencies in multiple jurisdictions to conduct a criminal investigation.

February 10, 2024, 11:31 PM — PlayDapp devised a mitigation action plan and posted an announcement regarding the strategy for responding to the hacker on social media.

February 12, 2024, 3:14 PM — PlayDapp shared PLA migration plans with three exchanges (Binance, Upbit, Bithumb).

February 12, 2024, 3:35 PM — Negotiations with the hacker broke down.

February 12, 2024, 10:09 PM — Following the dissolution of negotiations, the hacker invalidly minted an additional 1.59 billion PLA tokens using the stolen minting authority. However, preemptive measures were taken, and most of the associated transactions, including deposits and withdrawals, have already been halted and frozen by the respective exchanges.

https://etherscan.io/tx/0xc41687511e31f5612b73647c4b39e500e45dbfb2ae66789b7b8705d2336002f8

February 13, 2024, 00:29 AM — Announced to PlayDapp Community through official channels to: “Suspend all PLA Trading on DEXs” and “Withdraw all PLA Tokens from Swap Pool LPs.”

February 13, 2024, 11:05 AM — The PLA smart contract was paused by the hacker.

https://etherscan.io/tx/0x108528c6c6b9e63e2fd4d3a97c22a50b9f1e7843b51a6c1a1ae4c61fedaef27a

February 13, 2024, 7:46 PM — The PlayDapp team announced the PLA Migration Plan to the community.

February 13, 2024, 07:54 PM — The PlayDapp team announced the pause of the PLA smart contract on social media.

February 20, 2024, 5:41 PM — The PlayDapp team released a comprehensive guide on migrating PLA to PDA, titled “PLA to PDA Token Migration — Tutorial and FAQ.”

February 23, 2024, 6:30 PM — PlayDapp shared progress updates on the migration portal launch via social media.

March 11, 2024, 6:45 PM — PlayDapp posted the migration portal launch announcement.

March 13, 2024, 9:00 AM — PlayDapp launched the Migration Portal for self-custody PLA holders.

3. Root Cause Analysis

This root cause analysis is based on a digital forensic examination of the compromised PC conducted by the WEB3 cybersecurity firm CYBERONE. Its findings are as follows:

On Jan. 16th, our team received a domain-spoofed mail from the hacker. This e-mail was carefully crafted: it had the same title, the same sender e-mail address (username AND domain), and the same content as the mails we regularly received from one of our main partner exchanges. This kind of domain spoofing could have been easily prevented by the domain owner, in this case the exchange, by setting up a simple security measure called DMARC, which lets a domain owner instruct receiving mail servers to reject or quarantine mail that claims its domain but fails SPF or DKIM alignment.

The analysis indicates that executing the malicious code contained in the email attachment compromised the PC and installed a tampered remote access multi-session tool. The PC was then remotely controlled by the hacker, resulting in the theft of the administrator’s private key.
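To make the DMARC point concrete: a receiving server checks whether the From: domain is covered by an aligned SPF or DKIM pass, and if not applies the policy (p=) the domain owner published. The following is an added illustration, not the exchange's or PlayDapp's code; the domain names and records are constructed placeholders, and organizational-domain matching is simplified to the last two labels:

```python
# Added illustration (not PlayDapp's or the exchange's code): how a receiver applies a
# domain owner's DMARC policy to a message whose From: header claims that domain.
# Domain names below are constructed placeholders.

def parse_dmarc(txt):
    """Parse a DMARC TXT record into tag -> value; None if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags

def org_domain(domain):
    """Organizational domain, simplified to the last two labels (real receivers use the PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') only the organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record, from_domain, spf_domain, spf_pass, dkim_domain, dkim_pass):
    """'pass' if an aligned SPF or DKIM result exists, else the p= action the receiver applies."""
    tags = parse_dmarc(record)
    if tags is None:
        return "no-policy"          # nothing published: the spoof is delivered as normal mail
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags["p"]

# Constructed scenarios: the partner exchange is "exchange.example"; the sender's infrastructure
# only authenticates SPF for its own bounce domain and cannot produce a DKIM signature for the exchange.
REJECT_POLICY = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@exchange.example"
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@exchange.example"

def spoofed(policy):
    return dmarc_disposition(policy, "exchange.example", "other-mta.example", True, "", False)

def genuine(policy):
    return dmarc_disposition(policy, "exchange.example", "exchange.example", True, "exchange.example", True)

if __name__ == "__main__":
    print("spoof under p=reject:", spoofed(REJECT_POLICY))    # reject
    print("spoof under p=none:", spoofed(MONITOR_ONLY))       # none (delivered, only reported)
    print("genuine under p=reject:", genuine(REJECT_POLICY))  # pass
```

Only the p=reject (or p=quarantine) policy changes what reaches the recipient; p=none merely generates reports, and no record at all leaves the spoof indistinguishable from genuine mail at the DMARC layer.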

4. Impact Assessment

In response to the incident, PlayDapp engaged the WEB3 cybersecurity firm, CYBERONE, to conduct a thorough forensic analysis of the administrator’s PC, aimed at identifying the root cause of the hacking incident. Additionally, to track the movement path of the invalidly minted PLA tokens totaling 1.79 billion, PlayDapp initiated collaboration with Uppsala Security, an official partner of Interpol.

Given the substantial inflow of stolen PLA tokens into some exchanges, the PlayDapp team promptly requested suspension of deposits and withdrawals through the hotlines of each exchange, while also requesting immediate freezing of the 34 suspected wallet addresses.

As a result, it was determined that attempts were made to deposit 163 million of the tokens to exchanges, a significant portion of which have been identified as pending or frozen due to actions taken by the exchanges.

Furthermore, we have promptly prepared documentation detailing the aforementioned facts and have filed a report with the appropriate judicial authorities.

5. Response and Mitigation

The loss of ownership rights over the PLA token smart contract signifies that the project team can no longer proceed with the project using that contract. Moreover, as time passes, there is a risk of further malicious harm occurring.

PlayDapp has made the final decision to proceed with migration for the following reasons:

  • To ensure the continuity and stability of the project
  • To identify and prevent the circulation of the hacker’s tokens in the market
  • To identify and differentiate legitimate PLA token holders

The new smart contract will feature enhanced security measures, including the implementation of multi-signature functionality to fortify the signing process. Moreover, it will revoke minting permissions and segregate Snapshot, Pause, and Burn permissions for more effective management, significantly mitigating the risk of recurrence. Alongside these measures, the introduction of a DAO voting system aims to enhance user communication and transparency.

PlayDapp’s ongoing services will also undergo meticulous transitions to the new contract, ensuring continuity and security.

6. Implementations made

Following the hacking incident, the PlayDapp team implemented measures to decentralize private key management. Additionally, actions such as blocking tampered ports, preventing abnormal operations through Application Control, restricting remote port usage, and upgrading intrusion prevention system ratings have been taken to prevent any potential recurrence.

In addition, the team reinforced email account security for all members and implemented malware-blocking antivirus software.

Moving forward, PlayDapp has adopted multi-signature control of its smart contracts to facilitate decentralized management of private keys. Each multi-signature key set is distributed across multiple cold wallets, ensuring that unauthorized access is virtually impossible.

7. Lessons Learned

1) Centralized and closed management can leave systems vulnerable to threats. This incident underscored the importance of decentralized and transparent management to enhance stability.

2) The necessity of transparent and continuous communication with the community became evident.

3) This incident highlighted the rapid advancement of malicious hacking techniques alongside the evolution of blockchain technology. It serves as a stark reminder of the critical importance of security measures.

We are committed to sharing these insights with relevant stakeholders in the industry to collaborate proactively in preventing similar incidents and mitigating potential risks. As part of our ongoing commitment to transparency and security, we will keep you updated with regular updates and share any relevant event reports with our community.
