KlaySwap BGP Hijacking

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

KlaySwap

KlaySwap is a decentralized protocol that lets users pool their funds in liquidity pools and earn a return. A sophisticated malicious entity redirected the KlaySwap domain name to a server they had set up to look exactly like the KlaySwap website. Users who interacted with this server were prompted to approve malicious transactions that sent their funds to the malicious entity.

The attack is notable because it was carried out at the BGP (Border Gateway Protocol) level, which allowed modifying the DNS (Domain Name System) to redirect the domain. The attack first involved fooling a TLS (Transport Layer Security) certificate authority into issuing a false SSL (Secure Sockets Layer) certificate. With this certificate in hand, the browser displayed the usual padlock icon, which avoided raising suspicion. In total, users were tricked into making 407 malicious transactions, worth approximately $1.9M USD. While none of the money has been recovered from the malicious entity, KlaySwap has put together a recovery program to compensate affected users.

This is a global/international case not involving a specific country. [1][2][3][4][5][6][7][8][9][10][11][12][13][14]

About KlaySwap

[15][16][17]

"A South Korean DeFi project." "Discover the potential of your assets, in KLAYswap." "A decentralized crypto asset finance protocol." "Manage your assets, directly from your wallet. Don't let your assets sleep in exchanges, put them to work in your wallet." "Profit gained every second that can be withdrawn at any time. Profits earned, 24 hours a day, 365 days. Never locked." "The future of digital asset management, favored by thousands of users." "KLAYswap is a decentralized autonomous protocol designed to raise the value of KSP, while automatically distributing KSP yields. The growth of KLAYswap and KSP occurs hand-in-hand, for improvement of the ecosystem through providing benefits for its users."

"The AMM (Automated Market Maker) protocol we are launching is a decisive DEX protocol that has now brought the Decentralized Finance (DeFi) market to the general public. Simply put, AMM is a protocol that supports immediate swapping between tokens by replacing the existing buy/sell orderbook structure with a Liquidity Pools created on- chain by liquidity providers."

"In KLAYswap, a complete on-chain instant swap protocol, traders can not only experience immediate transactions via liquidity pools, but also develop services by deciding the policy and direction of KLAYswap with the KSP governance token. In addition, users can receive various forms of compensation, including transaction fee revenue, for contributing to the growth of the protocol. Various people can participate in the KLAYswap ecosystem, including long-term investors who want to hold cryptocurrency for a long time, investors who want to earn income through commission fees, and miners who want to participate in KLAYswap governance through KSP mining."

"BGP is a gateway protocol that enables the internet to exchange routing information between autonomous systems. As networks interact with each other, they need a way to communicate. This is accomplished through peering, which BGP makes possible. Without it, networks would not be able to send and receive information with each other, Fortinet researchers say."

"Ozys, the entity who is in charge of developing KLAYswap, values product security as the utmost priority along with securing faith from users. Since KLAYswap is a representative decentralized financial protocol in Klaytn ecosystem, we have been devoting all our efforts and resources for the purpose of strengthening security through regular audits and protection measures."

Auditing By CertiK

"KLAYswap is having a security audit conducted by Certik, a globally renowned security audit agency. The KLAYswap protocol is comprised of and operates through a variety of smart contracts. A single, small vulnerability within a smart contract can lead to devastating accidents related to service availability and security. KLAYswap puts the safety of its users' transactions first, and is in the process of getting a security certification with Certik to assure safe protection against any possible security incidents in the near future."

The Reality

"Roger Grimes, data-driven defense evangelist at KnowBe4, says if a BGP exploit can be used to intercept critical data, it means the upper-layer protocols and applications are not configured correctly and suggests it's not hard to defeat BGP attacks."

"Grimes says that if integrity checks and encryption are implemented at the upper layers originating at the involved endpoints, the BGP intercept at most will causes temporary service interruption but won’t be able to eavesdrop on the involved data."

"It is a failure at the upper layers and the people who manage them that allows these types of attacks to happen. The owners of the BGP routers didn't implement any of the recommended offsets and the owners and managers of the upper-layer protocols and services also didn't implement recommended mitigations. It's a failure at both lower and upper levels," Grimes says.

"Grimes says it is unfortunate that more service implementers aren't paying attention and doing something about such attacks, since they have known about BGP hijack attacks for decades and mitigations for them exist."

What Happened

"However, [on February 3rd], a malicious external attack has occurred due to the infection of SDK files from external sites, this did not originate from KLAYswap’s own front-end source code and smart contract security issues. We sincerely apologize for the trouble, and ask for a deep understanding from KLAYswap users."

"The hacker modified the third-party JavaScript link on the front end of KLAYswap, causing the user to download malicious malware when accessing the KLAYswap page. This enabled funds to be transferred to the hacker's wallet address when conducting token-related transactions."

"From 82005544 block at 11:31:41 on February 3, 2022 (UTC+9), an initial suspicious transaction was executed in which tokens were sent to a specific wallet when executing token-related functions."

"The attack on both bands lasted a total of three hours until 13:04. For unknown reasons, the attacker stopped the attack on the 121.53.104.0/23 band, and from 13:28 the routing table started to be updated back to the original routing path before the attack. However, for the other contaminated band, 211.249.221.0/24, the update to the original routing path was not made until at least 5 pm, and it is estimated that the contamination was maintained which caused abnormal transactions until 18:01."

Key Event Timeline - KlaySwap BGP Hijacking

| Date | Event | Description |
| --- | --- | --- |
| February 3rd, 2022 4:31:41 AM MST | Main Event | |
| February 8th, 2022 1:48:00 AM MST | Klayswap Compensation Procedure | Klayswap posts on Twitter to announce their commitment "to reversing the damages incurred regarding this recent incident". They provide a link for their compensation procedure[1]. |

Technical Details

Learn About BGP: [18][19][20][21]

KlaySwap suffered an advanced BGP (Border Gateway Protocol) hijack attack in which an adversary managed to modify DNS (Domain Name System) to route the KlaySwap domain name to another server. When users visited the KlaySwap website through its normal domain, the domain name system directed them to a malicious server instead of the proper one. This server hosted a malicious version of the KlaySwap interface, which looked identical except that all transactions were modified to send funds to the attackers. The attack circumvented TLS (Transport Layer Security) by first performing the BGP hijack on the TLS certificate authority, which allowed the attackers to receive a security certificate under false pretenses. As a result, the website appeared normal unless a user remembered the correct IP address of the KlaySwap server and noticed that requests were being routed to a different IP address, or inspected the SSL certificate and found that it had changed.

Victims were redirected to a phishing website on another server, but under the same domain, with malicious code which executed malicious transactions instead of the legitimate transactions which would normally be expected from the platform. In total, $1.9M USD was taken over a series of 407 transactions before the BGP hijack was stopped. The KlaySwap team has created a recovery program for affected users to be able to submit claims if they were impacted and appears to be engaged in providing a full recovery.

[22][23]

[24][25][26][27]
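
Certificates from publicly trusted CAs are recorded in Certificate Transparency (CT) logs, so a certificate obtained under false pretenses, as described above, can be spotted by the domain owner without inspecting every connection. The following is an added example, not code from KLAYswap, Kakao or the cited reports: it triages CT log entries for one watched hostname, and the hostname, issuer names, dates and the 30-day renewal window are all constructed assumptions.

```python
from datetime import date

# Assumption: the expected CA renews no earlier than this many days before expiry.
RENEWAL_WINDOW_DAYS = 30

# Constructed CT log entries (hypothetical hostnames, issuers and dates).
CT_ENTRIES = [
    {"names": ["sdk.vendor.example"], "issuer": "Expected CA (placeholder)",
     "not_before": "2021-09-01", "not_after": "2022-09-01"},
    {"names": ["unrelated.example"], "issuer": "Other Free CA (placeholder)",
     "not_before": "2022-01-15", "not_after": "2022-04-15"},
    {"names": ["sdk.vendor.example"], "issuer": "Other Free CA (placeholder)",
     "not_before": "2022-02-03", "not_after": "2022-05-04"},
    {"names": ["*.vendor.example"], "issuer": "Expected CA (placeholder)",
     "not_before": "2022-08-10", "not_after": "2023-08-10"},
]


def name_covers(cert_name, host):
    """True if a certificate name (exact or single-label wildcard) covers host."""
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if cert_name.startswith("*."):
        head, sep, tail = host.partition(".")
        # A wildcard stands for exactly one left-most label.
        return bool(head) and sep == "." and tail == cert_name[2:]
    return cert_name == host


def triage(entries, watched_host, expected_issuers):
    """Return alerts for certificates that cover watched_host but look out of place.

    Two signals are checked: an issuer outside the expected set, and issuance
    long before the current certificate from an expected issuer is due to expire.
    """
    alerts = []
    current_expiry = None  # latest expiry among unremarkable certificates seen so far
    for entry in sorted(entries, key=lambda e: e["not_before"]):
        if not any(name_covers(n, watched_host) for n in entry["names"]):
            continue
        issued = date.fromisoformat(entry["not_before"])
        expires = date.fromisoformat(entry["not_after"])
        reasons = []
        if entry["issuer"] not in expected_issuers:
            reasons.append("issuer outside expected set: " + entry["issuer"])
        if current_expiry is not None:
            days_left = (current_expiry - issued).days
            if days_left > RENEWAL_WINDOW_DAYS:
                reasons.append(
                    "issued {} days before the current certificate expires".format(days_left))
        if reasons:
            alerts.append({"issued": entry["not_before"],
                           "issuer": entry["issuer"],
                           "reasons": reasons})
        elif current_expiry is None or expires > current_expiry:
            current_expiry = expires
    return alerts


if __name__ == "__main__":
    for alert in triage(CT_ENTRIES, "sdk.vendor.example", {"Expected CA (placeholder)"}):
        print(alert["issued"], alert["issuer"])
        for reason in alert["reasons"]:
            print("  -", reason)
```

An alert of this kind arrives only after issuance, so it shortens the time to response rather than preventing the certificate from being issued.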

"The hacker modified the third-party JavaScript link on the front end of KLAYswap, causing the user to download malicious malware when accessing the KLAYswap page. This enabled funds to be transferred to the hacker's wallet address when conducting token-related transactions."


"As explained in the previous post (Incident Report), the cause of this accident is that the Kakao SDK file was being connected to a third-party server built by the attacker, which was not a normal server, and was changed to malicious code files due to an attack on the external network. This means this didn’t originate from KLAYswap’s own front-end source code and smart contract security issues, and it was a case that KLAYswap is difficult to control."

"Based on the old version of the KLAYswap code(around January 4th), the attacker changed all transaction requests from users directly to their contracts, and changed the Kakao SDK script loaded on the KLAYswap site and created malicious code in the purpose of disrupting the operation of the existing KLAYswap code."

"The attack on KLAYswap was a BGP hijack, in which attackers manipulated the network flow and configured it so that the users connected to KLAYswap could download malicious code from the server sent by the attacker rather than the normal Software Development Kit file or KakaoTalk, a popular South Korean instant messaging, marketing and customer service application used by the cryptocurrency exchange platform."

"After analyzing this attack, the S2W TALON team observed that the BGP hijacking technique was used for the aforementioned external network attack. By manipulating the network flow through BGP Hijacking, the attacker configured users connected to KLAYswap to download malicious code from the attacker’s server rather than the normal SDK file."

"Dr. Xinxin Fan, IoTeX co-founder and head of blockchain, described how these dedicated, crafted attacks leverage the BGP hijack to inject malicious code into a user's browser and then steal the victim's funds. Fan, a cryptographer and a cybersecurity expert who has worked for Facebook and Google, tells Information Security Media Group: "Such an attack highlights that security is a multilayer issue and cryptocurrency platforms should apply the defense-in-depth approach to protect their customers' assets.""

"Based on the old version of the KLAYswap code(around January 4th), the attacker created malicious code to change all transaction requests of users in purpose of transferring or approving users’ token to the attacker’s contract. And even if a KLAYswap user normally requests, the function of the KLAYswap has been changed to prevent the operation of the existing clay KLAYcode and allow the attacker’s own malicious code file to be downloaded, not the normal SDK produced by Kakao. If a transaction occurs with the contaminated logic, it was designed so that the user’s asset was either approved or sent directly to the attacker’s address."

"Since the Kakao SDK file download path is connected with the HTTPS protocol, even if a BGP hijacking attack is performed, a response cannot be given because the certificate does not match. For this purpose, just before the attack, the attacker issued and registered a free temporary 3-month certificate for the developers[.]kakao.com domain through SSL certificate issuer called ZeroSSL. Because the routing policy was already manipulated by the BGP Hijacking, the attacker was able to register the certificate."


"The second and most dangerous element of the attack was its neutralization of the Internet’s encryption defenses. While there is a moderate level of complexity associated with BGP hijacks, they do happen relatively often (some of the most egregious examples involve China Telecom routing about 15 percent of Internet traffic through its network for 18 minutes and Pakistan Telecom accidently taking down Youtube in a botched attempt at local censorship)."

"What is unprecedented in this attack (to our knowledge) is the complete bypassing of the cryptographic protections offered by the TLS protocol. TLS is the workhorse of encryption of the World Wide Web and is part of the reason the web is trusted with more and more secure applications like financial services and medical systems. Among other security properties, TLS is designed to protect the confidentiality and integrity of user data. TLS allows a web service and a client (like a user of KLAYswap) to securely exchange data even over a potentially untrusted network (like the adversary’s network in the event of this attack) and also ensure (in theory) they are talking to the legitimate endpoint."

"Yet, ironically, KLAYswap and Kakao were properly using TLS, and it was not a vulnerability in the TLS protocol that was exploited during the attack. Instead, the attack exploited the false trust that TLS places in the routing infrastructure. TLS relies on the Public Key Infrastructure (PKI) to confirm the identity of the web servers. The PKI is tasked with distributing digitally signed certificates that verify the server’s identity (in this case the domain name like developers.kakao.com) and the server’s cryptographic key. If a server presents a valid certificate, even if there is another network in the middle, a client can encrypt data that only the real server can read."

"Using its BGP hijack, the adversary first targeted the PKI and launched a man-in-the-middle attack on the certificate distribution process. Only after it had acquired a valid digital certificate for the target domain did it aim its attack towards real users by serving its malicious javascript file over an encrypted connection."

"Certificate Authorities (or CAs, the entities that sign digital certificates in the PKI) have a similar identity problem to the one in TLS connections. CAs are approached by customers with requests to sign certificates. The CA needs to make sure the customer requesting a certificate actually controls the associated domain name. To verify identity (and thus bootstrap trust for the entire TLS ecosystem), CAs perform domain control validation requiring users to prove control of the domain listed in their certificate requests. Since the server might be getting a TLS certificate for the first time, domain control validation is often performed over no-security-attached HTTP."

"But now we are back to square one: the adversary simply needs to perform a BGP hijack to attract the domain control validation traffic from the CA, pretend to be the victim website, and serve the content the CA requested. After receiving a signed certificate for the victim’s domain, the adversary can serve real users over the supposedly “secure” TLS connection. This is indeed what happened in the KLAYswap attack and makes the attack particularly scary for other secure applications across the Internet. The attackers hijacked developers.kakao.com, approached the certificate authority ZeroSSL, requested a certificate for developers.kakao.com, and served this certificate to KLAYswap users that were downloading the javascript library over presumably “secure” TLS."


"From 82005544 block at 11:31:41 on February 3, 2022 (UTC+9), an initial suspicious transaction was executed in which tokens were sent to a specific wallet when executing token-related functions."

"The attack on both bands lasted a total of three hours until 13:04. For unknown reasons, the attacker stopped the attack on the 121.53.104.0/23 band, and from 13:28 the routing table started to be updated back to the original routing path before the attack. However, for the other contaminated band, 211.249.221.0/24, the update to the original routing path was not made until at least 5 pm, and it is estimated that the contamination was maintained which caused abnormal transactions until 18:01."

"From the attack target’s point of view, since the flow of the network is unilaterally changed without any issue between the server and the service, it encounters a situation in which no traffic is generated without a clear cause. The scope of this attack goes beyond the response range of general companies that cannot intervene in AS operations."

Total Amount Lost

The total amount lost has been estimated at $1,830,000 USD.

"[KlaySwap] stated it was hacked and lost over 2.2 billion won, or about $1.83 million, in the incident." "Currently, the estimated damage is about 2.2 billion(KRW)." "The amount of damage of 2.2 billion won announced by KLAYswap is estimated to be the sum of the amounts transferred from each coin and token. When all these amounts are added together, it is $1,910,172.95, which is equivalent to about 2.28 billion won at the exchange rate of February 10, 2022."

"The total value of the tokens the attacker tried to swap is $1,396,861.24, and excluding the transactions rejected by Orbit, amounts to a value of $900,137.85. There is a difference of about 600 million won between the calculated actual value and Klaytn’s announcement, and it is estimated that it is because the amount of the Klay coin swapped with other tokens was added as a duplicate."

Immediate Reactions

"After analyzing this attack, the S2W TALON team observed that the BGP hijacking technique was used for the aforementioned external network attack. By manipulating the network flow through BGP Hijacking, the attacker configured users connected to KLAYswap to download malicious code from the attacker’s server rather than the normal SDK file."

"Dr. Xinxin Fan, IoTeX co-founder and head of blockchain, described how these dedicated, crafted attacks leverage the BGP hijack to inject malicious code into a user's browser and then steal the victim's funds. Fan, a cryptographer and a cybersecurity expert who has worked for Facebook and Google, tells Information Security Media Group: "Such an attack highlights that security is a multilayer issue and cryptocurrency platforms should apply the defense-in-depth approach to protect their customers' assets.""


"From the attack target’s point of view, since the flow of the network is unilaterally changed without any issue between the server and the service, it encounters a situation in which no traffic is generated without a clear cause. The scope of this attack goes beyond the response range of general companies that cannot intervene in AS operations."


"Due to this attack, if a KLAYswap user requested a deposit, swap, withdrawal, etc. of assets in the 1.5 hour period beginning from 11:30 on February 3rd, assets were immediately transferred to the attacker. Analysis of the blockchain transactions indicates that while the stolen coins totaled in a value of about 2.2 billion won, the actual attacker stole coins with a value of about 1 billion won." "During this time, 407 suspicious transactions were found in 325 wallets linked to this incident."

"In order to prevent further damage from taking place, following measures were adopted. Upon identification of the incident, all functions of KLAYswap have been blocked, emergency inspections were conducted, and the operation of Klaytn minter in Orbit Bridge was restricted to prevent the transfer of stolen assets to other exchange platforms." "Along with restrictions on KLAYswap and Orbit Bridge functions, the contaminated Kakao SDK file, which is analyzed to be the main cause of the incident, was removed."

"As a result of a thorough analysis of accidents along with restrictions on KLAYswap and Orbit bridge functions, we confirmed that malicious code files, not normal SDKs produced by Kakao, were downloaded despite of the request of Kakao SDK through an ordinary route according to the guidelines from Kakao, and we have removed Kakao SDK loading from KLAYswap.In addition, we immediately identified KLAYswap user wallet addresses and asset lists that have been approved for smart contracts used by hackers, and completed additional development to unauthorize the asset lists that have been approved for the problematic contracts through the normalization of KLAYswap."

"We firstly apologize for the wait." "The website has gotten back to normal, and the protocol is safe."


"We sincerely apologize for what happened yesterday. We will make this right." "KLAYswap is committed to reversing the damages incurred regarding this recent incident." "On February 4, Ozys, a developer of KLAYswap, announced the compensation plan that preemptively recovers the monetary damages caused by this recent incident before identifying the exact problem necessary for the procedure and creating compensation funds based on responsibility."

Ultimate Outcome

Klayswap Compensation Procedure

Klayswap announced a compensation procedure[1].

KLAYswap is committed to reversing the damages incurred regarding this recent incident.

1/ Compensation for token lost will proceed in the same amount to the wallet address where the abnormal transfer was initiated. Please complete 'Unauthorizing token approval' before submitting your compensation application form.

2/ Before submitting the compensation application, please check your wallet address, TXID, and the name and exact amounts of the tokens through Klaytn’s official explorer ‘Klaytnscope’ (https://scope.klaytn.com).

3/ After searching for your wallet address through ‘Klaytnscope,’ please check the TXID depending on the asset type. You can find the TXID on the Internal Transactions page for KLAY and the Token Transfers page for KIP-7.


[28]

"The accident period applicable to the compensation is tentatively 82005468 ~ 82028787 Blocks as of the current Klaytn, and compensation will be made to the wallet address that created transactions where the asset was transferred to the attacker’s address within those blocks. The compensation will be given as it is in the exact amount of lost tokens, and the procedure will be announced through an additional notice."

"Compensation for token lost will proceed in the same amount to the wallet address where the abnormal transfer was initiated. Please complete 'Unauthorizing token approval' before submitting your compensation application form." "Before submitting the compensation application, please check your wallet address, TXID, and the name and exact amounts of the tokens through Klaytn’s official explorer ‘Klaytnscope’." "After searching for your wallet address through ‘Klaytnscope,’ please check the TXID depending on the asset type. You can find the TXID on the Internal Transactions page for KLAY and the Token Transfers page for KIP-7."

"With this compensation, we would like to resolve the anxiety and difficulties experienced by those who have suffered damage. After this compensation, we will identify the exact problem related to this accident and establish a plan to prevent a recurrence. Finally, we will continue to build a safer and more reliable Decentralized Finance ecosystem as a responsible blockchain company."


"The total value of the tokens the attacker tried to swap is $1,396,861.24, and excluding the transactions rejected by Orbit, amounts to a value of $900,137.85. There is a difference of about 600 million won between the calculated actual value and Klaytn’s announcement, and it is estimated that it is because the amount of the Klay coin swapped with other tokens was added as a duplicate."

"After the attack occurred, the attacker did not perform the transfer of funds until 12:42:14 on February 3, 2022, and first swapped part of the stolen funds through the KLAYswap at 12:42:17 on February 3, 2022." "Afterwards, the attacker additionally swapped to KLAY-based tokens (KETH, KUSDT, KXRP, etc.), and finally confirmed that it was transferred to the FixedFloat* cryptocurrency exchange into coins such as Tether, Dai Stablecoin, and USD coin. It was impossible to confirm which swap occurred afterwards at the exchange."

"Users who accessed and continued to use KLAYswap before the time of the incident may still be exposed to the danger of exploitation of assets since unintended transactions can repeatedly occur as the malicious contract code remains. Since this issue cannot be handled by KLAYswap, the users must immediately delete the cache of their internet browser manually."

"To prevent further unexpected incident, we strongly recommend that users who created a transaction within KLAYswap at the time of the incident to replace the wallet with a new one. Please note that you should transfer a small amount first when you change the wallet. After securing the safety of transfer, transfer the remaining amount."

Total Amount Recovered

KlaySwap attempted to compensate affected users.


"The accident period applicable to the compensation is tentatively 82005468 ~ 82028787 Blocks as of the current Klaytn, and compensation will be made to the wallet address that created transactions where the asset was transferred to the attacker’s address within those blocks. The compensation will be given as it is in the exact amount of lost tokens, and the procedure will be announced through an additional notice."

"Compensation for token lost will proceed in the same amount to the wallet address where the abnormal transfer was initiated. Please complete 'Unauthorizing token approval' before submitting your compensation application form." "Before submitting the compensation application, please check your wallet address, TXID, and the name and exact amounts of the tokens through Klaytn’s official explorer ‘Klaytnscope’." "After searching for your wallet address through ‘Klaytnscope,’ please check the TXID depending on the asset type. You can find the TXID on the Internal Transactions page for KLAY and the Token Transfers page for KIP-7."

"With this compensation, we would like to resolve the anxiety and difficulties experienced by those who have suffered damage. After this compensation, we will identify the exact problem related to this accident and establish a plan to prevent a recurrence. Finally, we will continue to build a safer and more reliable Decentralized Finance ecosystem as a responsible blockchain company."

Ongoing Developments

TBD

Individual Prevention Policies

Individuals could have prevented this attack by double checking the transactions prior to approval. Malicious transactions involved sending funds to a previously unrecognized address.

Every approval on Web3 is an opportunity to lose all of the funds present in your wallet. Take the time to review the transaction in full. Fully check over the balance, permissions, and entire address which you are interacting with. Do not trust that your clipboard or any website front-end is guaranteed to provide an accurate address or transaction status. Always perform a test transaction prior to the first high-value transaction in any session.
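
What checking the entire address means for a token call can be shown on the raw transaction data that a wallet asks the user to sign. The following added example (not wallet or KLAYswap code) decodes the two-argument `approve` and `transfer` calls, whose signatures KIP-7 shares with ERC-20, and flags a spender or recipient outside a trusted list as well as an unlimited allowance. All addresses and amounts are constructed.

```python
# Function selectors: first 4 bytes of keccak256 of the signature.
SELECTORS = {
    "095ea7b3": "approve",   # approve(address,uint256)
    "a9059cbb": "transfer",  # transfer(address,uint256)
}
MAX_UINT256 = 2 ** 256 - 1

# Constructed addresses: one the user trusts, one never seen before.
KNOWN_ROUTER = "0x" + "11" * 20
UNKNOWN_ADDR = "0x" + "ee" * 20


def encode_call(selector, address, amount):
    """Build calldata for a (address, uint256) call; used here to make sample input."""
    return "0x" + selector + address[2:].lower().rjust(64, "0") + format(amount, "064x")


def decode_token_call(data_hex):
    """Decode approve/transfer calldata into action, counterparty and amount."""
    data = data_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    bytes.fromhex(data)  # raises ValueError on non-hex or odd-length input
    if len(data) != 8 + 64 + 64:
        raise ValueError("not a two-argument token call")
    selector, word1, word2 = data[:8], data[8:72], data[72:]
    if selector not in SELECTORS:
        raise ValueError("selector is not approve or transfer")
    if word1[:24] != "0" * 24:
        raise ValueError("address argument is not left-padded with zeros")
    return {
        "action": SELECTORS[selector],
        "counterparty": "0x" + word1[24:],
        "amount": int(word2, 16),
    }


def review_token_call(data_hex, trusted_addresses):
    """Return (decoded call, findings) for one pending token call."""
    call = decode_token_call(data_hex)
    trusted = {a.lower() for a in trusted_addresses}
    findings = []
    if call["counterparty"] not in trusted:
        role = "spender" if call["action"] == "approve" else "recipient"
        findings.append("unknown " + role)
    if call["action"] == "approve" and call["amount"] == MAX_UINT256:
        findings.append("unlimited allowance")
    return call, findings


if __name__ == "__main__":
    samples = [
        encode_call("095ea7b3", KNOWN_ROUTER, 10 ** 18),
        encode_call("095ea7b3", UNKNOWN_ADDR, MAX_UINT256),
        encode_call("a9059cbb", UNKNOWN_ADDR, 5),
    ]
    for data in samples:
        call, findings = review_token_call(data, [KNOWN_ROUTER])
        print(call["action"], call["counterparty"], findings or "ok")
```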

Losses can be minimized by storing most funds offline.

Store the majority of funds offline. Offline means that the private key and/or seed phrase is held exclusively by you and is not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, and steel wallet devices.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

Never take for granted the limited knowledge of users of your service and their tendency to skip past provided information. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how Ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should ensure their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how Ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. KLAYswap - "KLAYswap is committed to reversing the damages incurred regarding this recent incident. Here is an announcement for the compensation procedure." - Twitter (Mar 12, 2022)
  2. Klayswap Compensation Guide - Klayswap Medium (Mar 12, 2022)
  3. Klayswap Incident Report Feb 03 2022 - Klayswap Medium (Mar 12, 2022)
  4. @KLAYswap Twitter (Mar 12, 2022)
  5. Klayswap Compensation Plan - Klayswap Medium (Mar 12, 2022)
  6. @KLAYswap Twitter (Mar 12, 2022)
  7. https://developers.kakao.com/sdk/js/kakao.min.js (Mar 12, 2022)
  8. Crypto Exchange KLAYswap Loses $1.9M After BGP Hijack - BankInfoSecurity (Mar 12, 2022)
  9. @web3isgreat Twitter (Mar 12, 2022)
  10. Post Mortem Of Klayswap Incident Through BGP Hijacking - S2W Blog Medium (Mar 12, 2022)
  11. Attackers exploit fundamental flaw in the web’s security to steal $2 million in cryptocurrency - Freedom To Tinker (Mar 12, 2022)
  12. Cryptocurrency Cyber News - Crypto Customers On Klayswap Have Lost Money Due To A BGP Hijacking - YouTube (Mar 12, 2022)
  13. South Korean DeFi project KLAYswap was hacked for US$1.83 million - Aliens.com (Mar 12, 2022)
  14. Attackers exploit flaw in web’s security to steal $2M in cryptocurrency - Hacker News (Mar 12, 2022)
  15. KLAYswap Homepage (Mar 12, 2022)
  16. Introduction - KLAYswap (Mar 12, 2022)
  17. KLAYswap Advantages - KLAYswap (Mar 12, 2022)
  18. ErgoBTC - "w/ onion routing i am safe and fast" - Twitter (Mar 15, 2023)
  19. YouTube - How BGP Works - ThousandEyes (Jan 26, 2024)
  20. ErgoBTC - "TIL there are public websites diagramming the BGP routing tables." - Twitter (Mar 15, 2023)
  21. ErgoBTC - "attn: sov citizens plz register ur channels w/ the ur global IANA equivalent" - Twitter (Mar 15, 2023)
  22. Klaytnscope (Mar 12, 2022)
  23. Klaytnscope (Mar 12, 2022)
  24. Klaytnscope (Mar 12, 2022)
  25. Klaytnscope (Mar 12, 2022)
  26. Post Mortem of KlaySwap Incident through BGP Hijacking : blueteamsec (Mar 12, 2022)
  27. Post Mortem of KlaySwap Incident through BGP Hijacking - S2W Blog (Jul 25, 2023)
  28. SlowMist Hacked - SlowMist Zone (Jun 26, 2021)