The Penpie protocol, built independently on the Pendle platform, confirmed that during the attack, a total of $27,348,259 in Ethereum was stolen.
In a proactive response to the breach, the Penpie team promptly suspended all deposits and withdrawals to mitigate further losses.
The decision was aimed at preventing additional funds from being siphoned off while they assessed the situation and implemented measures to enhance security.
Following the breach, the Penpie team quickly initiated legal actions, filing reports with both the Singapore police and the FBI’s Internet Crime Complaint Center (IC3).
These steps are critical not only for the potential recovery of the stolen funds but also to establish a legal framework to combat the rising tide of cybercrime in the crypto space.
In a remarkable attempt to engage with the hacker, the Penpie team sent messages offering a negotiated bounty payment for the safe return of the stolen assets.
They promised not to pursue legal action if the funds were returned. However, these efforts appear to have been in vain, as the hacker continued to transfer the stolen cryptocurrency to various blockchain addresses, effectively obscuring the trail and making recovery efforts more complex.
The Penpie hack drew the attention of another infamous figure in the crypto theft arena – the hacker responsible for the $195 million Euler Finance exploit in March 2023.
In an on-chain message, this individual commended the Penpie attacker, saying, “Good job bro. I didn’t see a hack like this for a while. I’m happy you kept all the money and didn’t let these bastards get back one dollar of what you took. You won, they lost. Good job.” Such accolades among hackers reveal a disturbing culture of cybercrime, where successful breaches are celebrated rather than condemned.
The Pendle platform, upon which Penpie operates, reported that its internal security system detected the attack almost immediately.
Although the platform could not prevent the $27 million loss from Penpie, its swift actions were instrumental in stopping the hackers from extracting an additional $105 million from other protocols hosted on its platform.
This highlights the importance of robust security systems and rapid response protocols in mitigating potential losses during cyber incidents.
In the aftermath, the Penpie team acknowledged that the vulnerability exploited in this attack was related to a new feature introduced in May 2024.
While earlier audits had identified part of the vulnerability and were believed to have resolved it, the addition of new features reintroduced the issue, underscoring the need for thorough vetting of updates before implementation.
The company conceded that they should have conducted a comprehensive audit after the addition of new features and pledged to do so before resuming operations.
This incident is emblematic of a larger trend of escalating crypto thefts in 2024. According to a report from Immunfi, the $1.21 billion stolen this year represents a 15.5% increase from the previous year.
These losses are distributed across 154 separate incidents, with a significant concentration occurring within the DeFi space, which is particularly susceptible to such attacks due to its complex and often unaudited nature.
August 2024 proved to be a particularly notable month for crimes related to cryptocurrency. Security firm PeckShield reported that monetary losses from hacks exceeded $313 million, with two major attacks leading to the theft of approximately $238 million in Bitcoin and $55 million in Dai.
Phishing attacks also saw a significant rise, with Scam Sniffer documenting a 215% increase in stolen funds compared to July. Over 9,000 victims reportedly lost around $63 million to crypto phishing scams during the month, with most of the stolen amount linked to a single large-scale attack resulting in a $55 million loss.
As the crypto landscape continues to evolve, incidents like the Penpie breach serve as stark reminders of the critical importance of security in the digital finance world.
For investors and users of decentralized finance platforms, the need for vigilance and robust security measures has never been more apparent.
The Penpie incident underscores the necessity for comprehensive audits, swift incident response, and ongoing improvements in security practices to protect against the ever-evolving threats in the cryptocurrency space.
