1inch and Other Platforms Compromised in Supply Chain Attack

A recent supply chain attack compromised the frontend of decentralized exchange aggregator 1inch, TEN Finance, and other platforms due to malicious code injected into the Lottie Player animation library. This breach affects Lottie Player versions 2.0.5 and above, enabling unauthorized transactions that jeopardize users' funds and personal data. Users are advised to avoid interacting with these affected platforms until security issues are resolved.

The attack originated from malicious code introduced into the Lottie Player library’s JSON files, allowing compromised websites to execute unauthorized actions. Blockaid, a security firm, reported that the breach stemmed from a corrupted npm package on Lottie Player’s content server. Security firms confirmed that attackers inserted unauthorized scripts, including code to bypass debugging measures. Legitimate websites outside the crypto space may also be serving malicious content due to this exploit. The Lottie Player team has identified the source of the problem and is working to remove the compromised versions.

This incident reflects a broader trend of increasing crypto hacks. Security breaches in the crypto industry are growing more sophisticated each year. Recently, hackers stole $20 million in crypto from the U.S. government, linked to funds seized from Bitfinex hackers. Blockchain lender Radiant Capital experienced a significant loss, with over $50 million drained in a hack that gained access to its private keys.

Federal investigations into crypto crimes have intensified. The FBI arrested Eric Council Jr. for allegedly hacking the SEC’s X (formerly Twitter) account and spreading false news about Bitcoin ETF approvals, disrupting the market. Although Council is in custody, authorities believe he was not the mastermind behind the hack and are negotiating a plea deal with him.

In 2024, crypto-related thefts have already exceeded $2.1 billion, with centralized finance (CeFi) platforms facing the most significant losses.