Cryptocurrency trading platform Thunder Terminal suffered a security breach on December 27th, resulting in the theft of approximately $240,000 in user funds. The attack highlights the importance of secure data storage and the ongoing vulnerabilities of decentralized finance (DeFi) platforms.
Thunder Terminal acknowledged the breach in a blog post, stating that the hacker gained access to a MongoDB connection URL. This access allowed them to retrieve session tokens and execute unauthorized withdrawals on behalf of users. The attack ended at 12:20 AM UTC on December 27th after all session tokens and transaction signing access were revoked.
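The chain described above has two links a defender can break: a connection URL that carries database credentials is itself a bearer secret, and session tokens stored in plaintext become usable the moment someone can read the collection. The following is an added illustration, not Thunder Terminal's code and not based on any detail of their stack beyond what the post states. It assumes a hypothetical sessions collection (simulated here with a dictionary) and hypothetical function names; the sample config lines are constructed for the example.

```python
import hashlib
import secrets
import time
from typing import Optional
from urllib.parse import urlparse

# --- 1. Flag connection URLs that embed credentials ---
# A string like mongodb://user:password@host/db grants database access to
# anyone who can read it (config file, log line, environment dump).
def connection_url_embeds_credentials(url: str) -> bool:
    parsed = urlparse(url)
    if parsed.scheme not in ("mongodb", "mongodb+srv"):
        return False
    return parsed.username is not None or parsed.password is not None

# Constructed sample config lines (hypothetical hosts and credentials).
SAMPLE_CONFIG_LINES = [
    "MONGO_URL=mongodb://app:s3cret@cluster0.example.net/prod",
    "MONGO_URL=mongodb+srv://cluster0.example.net/prod?authSource=admin",
    "REDIS_URL=redis://cache.example.net:6379/0",
]

def find_exposed_connection_urls(lines):
    """Return the KEY=VALUE lines whose value is a credential-bearing Mongo URL."""
    hits = []
    for line in lines:
        _, _, value = line.partition("=")
        if connection_url_embeds_credentials(value.strip()):
            hits.append(line)
    return hits

# --- 2. Store only a hash of each session token ---
# The raw token goes to the client once; the database keeps sha256(token).
# Reading the collection then yields values that cannot be presented as tokens,
# and revoking everything is a single flag flip rather than a key rotation.
SESSION_TTL_SECONDS = 3600

class SessionStore:
    def __init__(self):
        # token_hash -> {"user": str, "expires": float, "revoked": bool}
        self._sessions = {}

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str, now: Optional[float] = None) -> str:
        """Create a session and return the raw token to the caller only."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[self._hash(token)] = {
            "user": user,
            "expires": now + SESSION_TTL_SECONDS,
            "revoked": False,
        }
        return token

    def authenticate(self, presented: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user for a valid, unexpired, unrevoked token, else None."""
        now = time.time() if now is None else now
        record = self._sessions.get(self._hash(presented))
        if record is None or record["revoked"] or record["expires"] <= now:
            return None
        return record["user"]

    def revoke_all(self) -> int:
        """Kill-switch: invalidate every live session; returns how many."""
        count = 0
        for record in self._sessions.values():
            if not record["revoked"]:
                record["revoked"] = True
                count += 1
        return count

    def stored_values(self):
        """What a database dump would expose: hashes, not tokens."""
        return list(self._sessions.keys())

def demo() -> dict:
    store = SessionStore()
    t0 = 1_700_000_000.0            # fixed clock so the run is deterministic
    token = store.issue("alice", now=t0)
    leaked = store.stored_values()[0]
    return {
        "valid_before_revoke": store.authenticate(token, now=t0 + 10) == "alice",
        "leaked_hash_rejected": store.authenticate(leaked, now=t0 + 10) is None,
        "revoked_count": store.revoke_all(),
        "valid_after_revoke": store.authenticate(token, now=t0 + 20) is not None,
    }

if __name__ == "__main__":
    print(find_exposed_connection_urls(SAMPLE_CONFIG_LINES))
    print(demo())
```

The hashing step is the part that matters for the incident described: with plaintext tokens in the collection, database read access is equivalent to every user's session; with hashes, the same read yields nothing replayable, and the platform's actual remediation (revoking all session tokens) maps to `revoke_all`.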
Limited Scope, But Still Significant:
Thunder Terminal assured users that no private keys or wallets were compromised and that its desktop app was unaffected. However, the team admitted that “less than 1%” of wallets were affected, with at least 114 wallets suffering fund theft.
Cause and Culprit Unclear:
Exactly how the hacker gained access to Thunder Terminal’s database remains unclear. The platform suggests a possible connection to a recent MongoDB security breach, in which the database provider acknowledged unauthorized access to its systems.
Blockchain detective ZachXBT traced the stolen funds, finding that the attacker transferred 86.5 ETH (approximately $192,500) to Railgun, a privacy-focused protocol for anonymous cryptocurrency swaps and transactions. Additionally, the hacker stole over 439 SOL (around $49,160).
Conflicting Messages and Ransom Threats:
Thunder Terminal initially claimed the attack involved a compromised third-party provider and reassured users that funds were safe and refunds would be issued. However, the hacker countered these claims through a blockchain-based message, accusing the platform of lying and threatening to reveal all user data unless they received a 50 ETH ransom.