Kontigo is conducting an internal review weeks after the stablecoin neobank faced a "highly sophisticated" cyber-attack which saw thousands of USDC stolen.
On 5 January, bad actors stole 340,900 USDC from the digital wallets of more than 1,000 users.
Three days later, the attackers drained 56,913 USDC from 258 of the same compromised user wallets.
The stolen funds were moved by the attackers from Kontigo to ChangeNOW, a cryptocurrency exchange based in Saint Vincent and the Grenadines.
While Kontigo is headquartered in the US, it serves customers in the Latin American (LatAm) region. Users are able to hold, send, and receive digital dollars through the company's app.
"Kontigo is committed to expanding access to financial services to the underserved, including in LatAm," wrote the company in a statement on Wednesday. "We are conducting an internal review and will share updates as appropriate.
"We are committed to complying with US laws, including US sanctions, and we are evaluating existing sanctions procedures and protocols with a view of enhancing them where necessary."
Several days after the incident, Kontigo revealed that the bad actors had used infrastructure originating from Bulletproof Hosting (BHP), a service linked to known advanced persistent threat (APT) actors.
The attack required valid and minted authentication tokens (JWTs) issued by the company's authentication provider.
The attacker identified a legacy gateway in its authentication provider's Apple OIDC authentication flow where the system was not correctly validating or applying the expected issuer.
Because of this, the attacker was able to use a controlled OIDC issuer to generate tokens that the authentication provider accepted as valid Apple tokens, enabling them to access accounts and obtain a valid authentication JWT.
Following this, the hackers could generate transactions - or quotes - for wallet withdrawals and connect to the wallets of the affected users to execute those quotes.
Certain backend tables in Kontigo's database provider did not have Row-Level Security (RLS) configured to restrict access at a granular level.
"This resulted in user record visibility that would not normally be permitted when these controls are enabled," the company explained.
In the second phase of the attack, on 8 January, the attacker did not need to mint new authentication tokens.
Instead, they reused wallet session JWTs associated with Kontigo's embedded wallet provider (Thirdweb) that were captured during the initial compromise.
Upon examining the logs, Kontigo said it noticed a clear pattern: users connected to their wallets on Monday, but the transactions were executed on Thursday without any subsequent user connection through its APIs.
Thirdweb confirmed that, under default settings, the wallet session JWT expires after 30 days.
Based on this, Kontigo determined that the attacker stored wallet session JWTs during the initial attack and reused them during the second attack.
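The two weaknesses described above, an issuer check that was not enforced and a wallet session token that stayed valid for 30 days, can both be illustrated with a small claims validator. This is an added example, not Kontigo's, Thirdweb's or any provider's code; the audience value, timestamps and tokens are constructed, and signature verification is assumed to happen before the claims are inspected.

```python
import base64
import json

APPLE_ISSUER = "https://appleid.apple.com"   # Apple's published OIDC issuer value
EXPECTED_AUD = "example.kontigo.app"          # hypothetical client id (assumption)
SESSION_LIFETIME = 15 * 60                    # post-incident session lifetime, in seconds

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(claims: dict) -> str:
    """Constructed test token in JWT layout with a placeholder signature (no real signing)."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.placeholder-signature"

def claims_of(token: str) -> dict:
    """Decode the payload segment; signature verification is assumed to precede this step."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def legacy_accepts(token: str, now: int) -> bool:
    """The weak pattern: only expiry is checked, so a token from any issuer passes."""
    return claims_of(token).get("exp", 0) > now

def validate_id_token(token: str, now: int) -> tuple:
    """Hardened check: issuer and audience must match exactly and the token must be unexpired."""
    c = claims_of(token)
    if c.get("iss") != APPLE_ISSUER:
        return False, "unexpected issuer"
    if c.get("aud") != EXPECTED_AUD:
        return False, "unexpected audience"
    if c.get("exp", 0) <= now:
        return False, "expired"
    return True, "ok"

def validate_session(token: str, now: int, max_age: int = SESSION_LIFETIME) -> tuple:
    """Reject a replayed session token once it is older than the configured lifetime."""
    c = claims_of(token)
    if now - c.get("iat", 0) > max_age:
        return False, "session too old"
    if c.get("exp", 0) <= now:
        return False, "expired"
    return True, "ok"

# Constructed timestamps reproducing the Monday-connect / Thursday-replay gap.
MONDAY = 1_767_571_200
THURSDAY = MONDAY + 3 * 86400
ATTACKER_TOKEN = make_token({"iss": "https://idp.attacker.example", "aud": EXPECTED_AUD,
                             "sub": "victim", "exp": MONDAY + 600})
APPLE_TOKEN = make_token({"iss": APPLE_ISSUER, "aud": EXPECTED_AUD,
                          "sub": "victim", "exp": MONDAY + 600})
# Session captured on Monday under the default 30-day expiry.
SESSION_TOKEN = make_token({"sub": "victim", "iat": MONDAY, "exp": MONDAY + 30 * 86400})
```

Run with the default 30-day `max_age`, `validate_session` still accepts the Monday token on Thursday, which is the replay window the shortened lifetime closes.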
"We worked with Thirdweb to invalidate all active JWTs, and the expiration time for all new Thirdweb JWTs was reduced to 15 minutes," it said.
Additionally, the company rolled out PIN restrictions for both wallet connections and transaction execution to prevent malicious access to Thirdweb's APIs.
The company said at the time that within 30 minutes of detecting the first incident, it activated a comprehensive incident response and escalated the situation with all key security systems.
"From that moment on, we operated 24/7, making dozens of calls daily with industry experts, infrastructure providers, ethical hackers, local authorities, and customers, fully recognising the severity of the situation," it said several days after the incidents. "Once the attack was contained, we began issuing refunds immediately and completed the process within the next 24 hours."