News

• China central bank’s Shanghai unit officially announces to crack down on crypto exchanges - People’s Bank of China (PBoC) regulatory enforcement action targeting cryptocurrency companies in Shanghai.

Hacks

• Monero download site and binaries compromised - report on the backdoor Monero wallet binaries downloaded from the project’s Github page. The compromise was first reported on Github when a user observed release binaries not matching.

• Password data for ~2.2 million users of currency and gaming sites dumped online - a large data dump from Gatehub and RuneScape compromises

• Phineas Fisher Offers $100,000 Bounty to Hack Banks and Oil Companies - a bug bounty was announced that would pay hacktivists in crypto to target financial institutions.

Crime

• Roughly $400 million of Ripple tokens tied to illegal activity - a blockchain analytics company, Elliptic, report on criminals starting to use XRP for illegal activities such as scams, Ponzi schemes, thefts, and some stolen credit card trading activity.

Malware

• Operation BlockChain Gang; Advanced Exploits, Commodity Tools - a detailed profile into a new threat actor called HydSeven. It is unique in its use of highly targeted speak-phishing combined with the use of commodity malware such as NetWire. The actor was involved in the earlier report of the 0day attack targeting Coinbase.

• How Ransomware Attacks - a threat profile of eleven ransomware families diving into their operation, file system and network activity.

• Update to X86 XMR crypto mining blog post - an update to a previous Akamai report discussing an additional attack script used to scan and infect hosts passed by the C2 server.

Vulnerabilities

• Breaking Mimblewimble’s Privacy Model - a report of a flaw in Grin’s Dandelion protocol which may allow user deanonymization by setting up a number of sniffer nodes. However, the Mimblewimble team has responded with the analysis of the report by calling it factually inaccurate.

• Prevent protocol stall from inconsistent LogicSig validity - Algorand fixed a DoS bug in its transaction validation logic.

Research

• What are the Actual Flaws in Important Smart Contracts (and How Can We Find Them)? - analysis of security findings from a large data set of smart contract security audits performed by Trail of Bits.

• Kudelski Security audit of Solana architecture - an in-depth architectural assessment of Solana cryptocurrency.

• EIDOS Airdrop Stifles the Liveness of EOSIO Network - an analysis of the network outages caused by the EIDOS airdrop.