Penpie DeFi platform files reports with FBI, Singapore police after $27 million crypto theft
Hackers stole about $27 million worth of cryptocurrency from the Penpie decentralized finance (DeFi) protocol this week.
Penpie confirmed in a statement that $27,348,259 worth of ethereum was taken on Tuesday, and they have shut down withdrawals as well as deposits.
The Penpie team said that hours after the attack occurred, members arrived at the Kampong Java Neighbourhood Police Centre in Singapore to file a report on the incident.
On Wednesday, Penpie also filed a complaint with the FBI’s Internet Crime Complaint Center (IC3) and sent a message to the hacker promising a negotiated bounty payment in exchange for the safe return of funds.
“We acknowledge your exploit of our protocol,” they wrote. “Please contact us to discuss terms confidentially. No legal action will be pursued if the funds are returned. Let’s find a mutually beneficial solution.”
Penpie sent a similar message on social media, offering to keep the hacker’s identity hidden if some portion of the funds are returned.
The messages appear to have had little effect, as the hacker continued to move the stolen funds to different blockchain addresses.
The company pledged to develop a compensation plan for affected users and take suggestions before putting the ideas to a vote.
“We deeply acknowledge the significant impact this attack has had on users from other protocols who had assets deposited on Penpie,” they said. “Please know that your losses are of utmost importance to us.”
The attack occurred on the same day that the FBI released an alert warning cryptocurrency companies of repeated attacks by hackers based in North Korea.
Penpie says it was initially informed of the attack by Pendle — the platform they built the protocol on.
In its own post-mortem on the attack, Pendle explained that while millions were lost from Penpie specifically, the team’s quick actions stopped the hackers from taking close to $105 million worth of cryptocurrency from other protocols built on the platform.
Pendle’s internal security system discovered the attack almost immediately, but within an hour, the hackers had already siphoned the $27 million from Penpie. Pendle said that in the end, their platform was not affected by the attack.
Pendle provided Penpie with the VPN IP address used to launch the attack and the company then provided that information to a Singapore Technology Crime Senior Investigation Officer, who they said “will forward the cybercrime incident to the VPN provider for further information.”
Penpie noted that it has previously gone through two audits after launching in June 2023. One of the audits caught a portion of the vulnerability and it was believed to have been resolved. But the company introduced a new feature in May 2024 that reintroduced the issue which the hackers exploited in this week’s incident.
They acknowledged that they should have done a full audit after adding new features.
“While incremental audits address specific changes, it is also essential to conduct comprehensive audits of the entire protocol to ensure that no vulnerabilities are introduced,” they said in the post-mortem.
The company is planning on doing another full audit of their systems to ensure all vulnerabilities are addressed and will only restart operations once the audit is complete.
“Teams of North Korean malicious cyber actors identify specific DeFi or cryptocurrency-related businesses to target and attempt to socially engineer dozens of these companies' employees to gain unauthorized access to the company's network,” the alert says.
The United Nations is currently investigating 58 cyberattacks allegedly conducted by North Korean hackers that allowed attackers to rake in about $3 billion from 2017 to 2023.
Jonathan Greig
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.