Telegram Bot Banana Commits to Covering US$3 Million Lost in Hack

Telegram-based cryptocurrency trading bot Banana Gun has announced it will refund users who lost US$3 million in a recent hack.

On September 25th, the Banana Gun X account posted an update and explained that following on September 19th— “All impacted users will be fully refunded from the Banana Gun treasury, with no tokens being sold for reimbursements.”

The hack affected just 11 traders with Banana Gun noting in its post that the attack targeted “smart money traders and crypto veterans who navigate the space and are not easy to scam”, additionally — “All targets were “known” in the space, either due to their social presence or trading expertise.”

Banana Gun, like other trading bots, facilitates automatic trading and uses algorithmic trading strategies to optimize profitability. On September 19th, Banana Gun users reported unauthorized outbound transfers from their wallets. Victims witnessed the attackers transferring crypto from their wallets while they were interacting with the bot and receiving notifications. The attack affected Banana Gun’s Solana and Ethereum Virtual Machine (EVM) bots.

Security Flaws Discovered in Telegram Message Oracle

Unlike hackers who typically prey on inexperienced investors, the Banana Gun attacker targeted professional crypto traders and successfully managed to manually transfer ETH off their wallets while the trading bots were active. The in-bot warning following the unauthorized transfers prompted Banana Gun to believe that a vulnerability in a Telegram message oracle is exposed to hackers.

“After a thorough investigation by the Banana Gun development team and outside experts, we identified a potential vulnerability in the Telegram message oracle we use, which may have led to the exploit,” Banana Gun authorities admitted in an X post.

The manual transactions were compelling indicators supporting the above discovery, leading to the conclusion that the hacker was more focused on targeting than employing an automated wide-range breach.

After addressing the issue, Banana Gun reactivated the EVM and Solana bots and applied security measures to safeguard against further fund drains. Measures include two-factor authentication for transfers, a two-hour transfer delay, and an in-depth evaluation of systems, among others.

Furthermore, the back-end systems have been redeployed, and the organization has to migrate to new servers to improve the application’s security. They also agreed to do multiple pen-testing and security assessments for web and Telegram bots. In the meantime, Banana Gun expressed gratitude to their partners, AML Bot, the Binance Security team, and the Seal Team, who all contributed significantly to the review and restoration process.

A Series of Similar Incidents

The Telegram bot breach is one of many similar incidents that happened in September 2024. BingX revealed a security vulnerability after discovering abnormal outflows through one of its hot wallets. The attack caused a $43 million loss for BNB, Ethereum, and MATIC assets.

The same applies to Indodax, an Indonesian crypto exchange that was hacked on September 11 and lost over $20 million in digital assets from its hot wallets. Similarly, SlowMist, a blockchain analytics startup, showed that the stolen tokens were swiftly changed into Ethereum, Polygon, TRON, and Bitcoin, hampering the recovery operations.

Apart from such illicit activities, there was an exceptional event as well. On September 21, the hacker who stole $5 million from Shezmu’s yield protocol returned the majority of the stolen funds after accepting a white hat bounty.