The Telegram-based cryptocurrency trading bot Banana Gun has announced it will refund users who collectively lost $3 million in a recent hack carried out by 11 attackers.
On Sept. 19, certain Banana Gun users reported unauthorized outbound transfers from their crypto wallets. The revelation forced Banana Gun to temporarily switch off its Ethereum Virtual Machine (EVM) and Solana bots to avoid further losses.
Crypto trading bots automate trades and are often used by crypto traders to optimize profitability.
While initial investigations suggested that 36 users were affected by the attack and lost nearly $2 million worth of Ether (ETH), Banana Gun’s post-mortem report revealed a larger loss spread across fewer victims.
“A total of 11 users were affected, with $3M drained. All impacted users will be fully refunded from the Banana Gun treasury, with no tokens being sold for reimbursements,” the bot firm stated.
Vulnerability within Telegram message oracle
Unlike hackers who usually prey on novice investors, the Banana Gun attacker targeted seasoned crypto traders and was able to manually transfer ETH from their wallets while the trading bots were in use.
Manual unauthorized transfers and in-bot notifications of the transfers led Banana Gun to suspect that the hacker exploited a vulnerability within a Telegram message oracle.
After patching the vulnerability, Banana Gun restarted EVM and Solana bots and implemented security measures to prevent further fund drains. Measures include a two-hour transfer delay, two-factor authentication for transfers, and a thorough review of systems, among others.
Negotiating with hacker
On Sept. 21, the hacker who stole $5 million from leveraging yield protocol Shezmu returned most of the stolen funds after accepting a white hat bounty.
Shezmu found that one of its ShezmuUSD (ShezUSD) stablecoin vaults was exploited, and the hacker requested that 90% of the stolen funds be returned within 24 hours through an onchain message.
Within hours, Shezmu began receiving the stolen Dai (DAI) tokens in its wallet. The hacker initially returned 282.18 Ether (ETH) to the protocol and followed it up with another refund of 137 Wrapped Ether (WETH).