Crypto hacker takes 86.5 ETH from Thunder Terminal, but private keys are safe



Over Christmas, the on-chain trading platform Thunder Terminal suffered a hack; the platform has, however, moved to reassure its users. The attack hit 114 wallets, for a total of 86.5 ETH.

Crypto hacker steals 86.5 ETH from Thunder Terminal, which reassures users

An ugly Christmas gift for the on-chain trading platform Thunder Terminal, which found itself the target of an 86.5 ETH exploit by a crypto hacker.

In the hours since, the platform has been posting updates to reassure users about what happened, stressing that funds are safe and that no private keys were compromised.

Thunder Terminal published a series of tweets on X explaining what happened.

“Incident report: At 12:11:47 UTC, suspicious withdrawals began to be sent through Thunder wallets. A malicious actor gained access to a MongoDB connection URL, which they used to retrieve session tokens and perform withdrawals on behalf of users. At 12:20:35 UTC, the last malicious withdrawal occurred after all session tokens and all transaction signing access types were revoked for security reasons.

“Neither private keys nor wallets have been compromised. The exploit occurred through withdrawal requests that our server considered authorized due to leaked session tokens. We do not store any private keys, so the attacker does not have access to any wallet. Desktop wallets have not been affected. Less than 1% of wallets on our platform have been affected by this attack.”

The attack reportedly lasted about 9 minutes. The attacker obtained a MongoDB connection URL, used it to read session tokens out of the database, and then submitted withdrawal requests that the server accepted as if they came from the legitimate users. This is why both of the platform's statements can be true at once: a session token is a bearer credential, so anyone able to read the sessions store can act as those users without ever touching a private key. Apparently the attack was halted when all session tokens and transaction-signing access were revoked.
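As an added illustration (this is not Thunder Terminal's code, and it assumes nothing about their actual schema), the following Python sketch shows why a leaked database connection string amounts to a takeover of every live session when the sessions collection stores raw bearer tokens, and how two changes alter that: storing only a hash of each token, and the bulk revocation the platform described as its containment step. The in-memory store, the sample users and the withdrawal handler are all constructed for the example.

```python
import hashlib
import secrets
from typing import Dict, List, Optional


class SessionStore:
    """In-memory stand-in for a 'sessions' collection (constructed for this example).

    hashed=False keeps the raw bearer token as the document key, so anyone who can
    read the collection (for instance via a leaked connection URL) can replay every
    live session. hashed=True keeps only SHA-256(token): the server can still look
    a presented token up, but the stored value is useless as a credential.
    """

    def __init__(self, hashed: bool) -> None:
        self.hashed = hashed
        self.docs: Dict[str, Dict[str, object]] = {}

    def _key(self, token: str) -> str:
        if self.hashed:
            return hashlib.sha256(token.encode("utf-8")).hexdigest()
        return token

    def create_session(self, user: str) -> str:
        """Issue a fresh random token; only the client ever sees the raw value."""
        token = secrets.token_urlsafe(32)
        self.docs[self._key(token)] = {"user": user, "revoked": False}
        return token

    def authenticate(self, token: str) -> Optional[str]:
        doc = self.docs.get(self._key(token))
        if doc is None or doc["revoked"]:
            return None
        return str(doc["user"])

    def revoke_all(self) -> None:
        """Incident response: invalidate every session at once."""
        for doc in self.docs.values():
            doc["revoked"] = True

    def dump(self) -> List[str]:
        """Everything a party holding the connection URL can read out of the collection."""
        return list(self.docs.keys())


def withdraw(store: SessionStore, token: str, amount: int) -> Optional[str]:
    """Server-side handler that trusts the session token alone to authorize a withdrawal."""
    user = store.authenticate(token)
    if user is None:
        return None
    return "withdraw %d from %s" % (amount, user)


def replayable_sessions(store: SessionStore) -> int:
    """Count how many leaked stored values an attacker can replay as bearer tokens."""
    return sum(1 for value in store.dump() if withdraw(store, value, 1) is not None)


def simulate_leak(hashed: bool) -> int:
    """Three users log in, then the whole collection leaks to the attacker."""
    store = SessionStore(hashed=hashed)
    for user in ("alice", "bob", "carol"):  # constructed sample users
        store.create_session(user)
    return replayable_sessions(store)


def simulate_revocation() -> int:
    """Plaintext tokens leak, then every session is revoked (the containment step the platform described)."""
    store = SessionStore(hashed=False)
    store.create_session("alice")
    store.revoke_all()
    return replayable_sessions(store)


if __name__ == "__main__":
    print("plaintext tokens, replayable sessions:", simulate_leak(hashed=False))  # 3
    print("hashed tokens, replayable sessions:   ", simulate_leak(hashed=True))   # 0
    print("after revoke_all:                     ", simulate_revocation())        # 0
```

Hashing the stored token only defeats an attacker who can read the collection; one with write access could insert a document for a token of their own choosing, so the connection string itself still needs least privilege (a restricted database user, network allow-listing, and rotation if it is ever exposed). Separately, a withdrawal is a high-value action, and a design that authorizes it on a session token alone, with no step-up check or user-side signature, turns any session leak directly into loss of funds.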

Crypto hacker calls all Thunder Terminal updates “lies”

In the same thread, Thunder also confirmed that approximately 86.5 ETH and 439 SOL were lost. It promises affected users a full refund of their funds, along with 0% fees and $100,000 in credits each.

These users represent less than 1% of the wallets on the platform: only 114 out of more than 14,000 were affected.

Under another Thunder Terminal update, however, a commenter noticed something else. Thunder's tweet read:

“No one’s private keys have been compromised. Only 114 wallets out of over 14,000 have been affected. The funds are safe even in the future. We blocked the attack in less than 9 minutes.

It seems that a third-party service we were using has been compromised. We are actively investigating – please give us some time. Funds are safe and refunds will be handled shortly.”

To which the commenter replied: “Ummmmm. The exploiter says the opposite…”

Indeed, according to an on-chain message reported by ZachXBT, the hacker responded by calling Thunder's latest updates “lies”.

The message reads:

“All lies. Furthermore, we have all the user data. 50 ETH and we will delete the data.”

The hacker is thus demanding a 50 ETH ransom to delete user data they claim to have stolen.

The case of Huobi and the refund of funds

Just last October, the hack of the Huobi crypto exchange ended well, with the return of the 5,000 ETH the hacker had stolen. The news was confirmed by Tron co-founder Justin Sun, an advisor to the platform.

The previous month, the hacker had stolen ETH worth about $8 million from the exchange.

Immediately afterwards, Sun published a series of tweets explaining Huobi's response to the attack.

The exchange offered the hacker a $400,000 reward (a “white hat bonus”) and a position on the Huobi team as a “security consultant” if the funds were returned.

Otherwise, the exchange would hand the case over to the authorities, Sun having already published some of the addresses involved.