We've detected an attack coming from Indonesia against SOLAR dVPN infrastructure which is responsible for fiat-to-DVPN convertio

25 May 2023, 18:54
We've detected an attack coming from Indonesia against the SOLAR dVPN infrastructure responsible for fiat-to-DVPN conversion.

What happened?

Today, at 17:04 Tallinn time, our internal monitoring systems reported an unusual spike: the number of new in-app subscriptions with a trial period was doubling every 5 minutes. Our team decided to investigate the reason for that spike.

What did we find out?

Once we found that 100% of the new subscriptions with an active trial period were being created from Indonesia, we ran a search on social media and news to check whether the spike was explained by some chain of events or an online article. According to our data, nothing like that happened.

Using the benefits of blockchain transparency, we went a step further and investigated the pattern of actions of the newly created wallets. We found that an unknown malicious actor had created an undefined number of Google accounts and subscribed to a 7-day trial period using the Google Play In-App purchases mechanism. Because our app is built so that we pay for nodes on behalf of users while they pay only for the subscription, the malicious actor took advantage of it. He rolled out his own low-quality nodes with insanely high pricing per GB and started to subscribe to those nodes from newly created wallets, forcing us to deposit DVPN tokens to his nodes. It is clear that the malicious actor's intention was to force us to transfer as many DVPN tokens as possible to his nodes during the trial period and cancel the subscription before the first payment.

What measures have we taken?

We've temporarily disabled the free trial period for Android, replacing it with a discount instead. Over the next couple of days our anti-fraud mechanism will be deployed on the servers of the fiat-crypto ramp to prevent this from happening in the future. We've also removed the malicious servers from the app listing (they weren't providing VPN service itself, only gathering tokens).

Normal users are not affected; the app continues to operate normally.
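
The three signals this report describes (trial sign-ups doubling per 5-minute window, all trial traffic coming from one country, and trial wallets concentrating on overpriced nodes) can be checked mechanically. The following is an added example, not SOLAR dVPN's anti-fraud code; the event layout, function names, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed sample events (assumed layout, not real SOLAR dVPN data):
# (minute offset, wallet, country, is_trial, node, node price per GB in DVPN)
EVENTS = [
    (0, "w1", "DE", False, "node-a", 1.0),
    (1, "w2", "ID", True, "node-x", 90.0),
    (3, "w3", "US", False, "node-b", 1.2),
    (6, "w4", "ID", True, "node-x", 90.0),
    (8, "w5", "ID", True, "node-x", 90.0),
    (11, "w6", "ID", True, "node-x", 90.0),
    (12, "w7", "ID", True, "node-x", 90.0),
    (13, "w8", "ID", True, "node-x", 90.0),
    (14, "w9", "ID", True, "node-x", 90.0),
    (14, "w10", "FR", False, "node-c", 0.9),
]

def doubling_streak(events, bucket_min=5):
    """Longest run of consecutive buckets where trial sign-ups at least doubled."""
    counts = Counter(t // bucket_min for t, _, _, trial, _, _ in events if trial)
    if not counts:
        return 0
    best = run = 0
    for b in range(min(counts), max(counts)):
        run = run + 1 if counts[b] and counts[b + 1] >= 2 * counts[b] else 0
        best = max(best, run)
    return best

def top_trial_country(events):
    """Country with the most trial sign-ups and its share of all trial sign-ups."""
    by_country = Counter(c for _, _, c, trial, _, _ in events if trial)
    country, n = by_country.most_common(1)[0]
    return country, n / sum(by_country.values())

def suspicious_nodes(events, price_factor=10.0, trial_share=0.9, min_subs=3):
    """Nodes priced far above the median whose subscribers are almost all trials."""
    prices, subs = {}, defaultdict(list)
    for _, _, _, trial, node, price in events:
        prices[node] = price
        subs[node].append(trial)
    typical = median(prices.values())  # robust to a few extreme prices
    return sorted(
        node for node, flags in subs.items()
        if len(flags) >= min_subs
        and prices[node] >= price_factor * typical
        and sum(flags) / len(flags) >= trial_share
    )
```

On the sample data the trial sign-ups double across two consecutive windows, all of them come from one country, and only `node-x` is flagged; the thresholds would need tuning against real subscription volume.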