The Telegram-based cryptocurrency trading bot Banana Gun has announced it will refund users who collectively lost $3 million in a recent hack carried out by 11 attackers.
On Sept. 19, certain users of Banana Gun reported unauthorized outbound transfers from their crypto wallets. The revelation forced Banana Gun to temporarily switch off its Ethereum Virtual Machine (EVM) and Solana bots to avoid further losses.
Crypto trading bots facilitate automated trades, often used by crypto traders to optimize profitability.
While initial investigations suggested that 36 users were affected by the attack and lost nearly $2 million worth of Ether (ETH), Banana Gunâs post-mortem report revealed a higher value of loss with fewer casualties.Â
Source: Banana Gun
âA total of 11 users were affected, with $3M drained. All impacted users will be fully refunded from the Banana Gun treasury, with no tokens being sold for reimbursements,â the bot firm stated.
Vulnerability within Telegram message oracle
Unlike hackers that usually prey on novice investors, the Banana Gun attacker targeted seasoned crypto traders and was able to manually transfer ETH from their wallets while the trading bots were in use.Â
Manual unauthorized transfers and in-bot notifications of the transfers led Banana Gun to suspect that the hacker exploited a vulnerability within a Telegram message oracle.Â
After patching the vulnerability, Banana Gun resumed EVM and Solana bots and implemented security measures to prevent further fund drains. Measures include a two-hour transfer delay, 2FA for transfers, and a thorough review of systems, among others.
Negotiating with hacker
On Sept. 21, the hacker that stole $5 million from leveraging yield protocol Shezmu returned most of its stolen funds after accepting a white hat bounty.
Source: Shezmu
Shezmu found that one of its ShezmuUSD (ShezUSD) stablecoin vaults was exploited, and the hacker requested that 90% of the stolen funds be returned within 24 hours through an onchain message.
Within hours, Shezmu began receiving the stolen Dai (DAI) tokens in its wallet. The hacker initially returned 282.18 Ether (ETH) to the protocol and followed it up with another refund of 137 Wrapped Ether (WETH).
Magazine: Lady of Crypto will be âall out of cryptoâ by September 2025: X Hall of Flame
