On-chain trading platform Thunder Terminal recently faced a significant security incident, acknowledging a third-party compromise that resulted in a $240,000 exploit affecting 114 wallets. Despite Thunder's assurance that user funds are now secure, the hacker responsible disputes the claim, asserting that it's "all lies" and demanding an additional ransom for user data.
In the incident report released on December 27, Thunder Terminal disclosed that the exploit led to losses totaling 86.5 Ether and 439 Solana over a nine-minute period. The attacker gained unauthorized access through a compromised "MongoDB connection URL," exploiting a breach of Thunder's data that occurred eight days earlier, when MongoDB was targeted.
Thunder Terminal emphasized that only 114 out of its 14,000 wallets were compromised, pledging full refunds to affected users along with 0% fees and $100,000 in platform credits. The platform asserted that private keys or wallets had not been compromised.
Contrary to Thunder's reassurances, the attacker left a memo on Etherscan challenging the platform's claims, calling them "all lies" and demanding a 50 ETH ($110,000) ransom for the allegedly affected data, stating, "We have all the user data. 50 ETH and we will delete the data."
While Thunder said it was committed to reinforcing its security measures and open to negotiating the return of the stolen funds, it did not directly address the hacker's ultimatum. Thunder clarified that it lacks access to users' private keys, refuting the possibility of the exploiter gaining such access.
Etherscan data showed the attacker's wallet address sending 86.3 ETH to the Railgun protocol, a service that facilitates transaction anonymization.
Thunder Terminal, launched in late 2022 by Eversify Labs, specializes in rapid trades across multiple blockchain networks, including Ethereum, Solana, Avalanche, and Arbitrum.