Welcome to 2021, the year without DeFi incidents, blockchain reorgs, and exchange hacks. Just kidding. The year has already started with the first batch of DeFi hacks and exploits in the yCredit and DeFi Saver projects. More YouTube giveaway scams and rug pulls followed closely after. On the malware front, this edition features reports of a new crypto stealer and a change in tactics for cryptojacking campaigns. The blocksec frontier appears much the same as the previous year. On the brighter side, we have a new blockchain security conference, Unchained, on the horizon and recordings of a number of smart contract security talks from the Hello Security Audit track.
The Hello Security Audit conference, held on January 7th, featured a number of excellent talks on smart contract security from folks at Quantstamp, Trail of Bits, ConsenSys Diligence, and others.
Over the past two years, BlockThreat has gained hundreds of followers including exchanges, asset issuers, DeFi projects, engineers, investigators, law enforcement, and many others. This newsletter is a labor of love which takes many hours weekly to prepare. If you found BlockThreat valuable consider supporting its future growth:
Welcome to the special edition of the Blockchain Threat Intelligence newsletter where we will explore blockchain security incidents and events from the year 2020. In case you have never heard of blockchain security, or just blocksec, it is a new security field with the mission of securing and defending the cryptocurrency ecosystem. It encompasses the security of blockchain protocols, consensus mechanisms, smart contracts, key storage, exchange security practices, blockchain investigations, and other related topics.
The Good, the Bad and the Ugly
The current state of the blockchain industry resembles the California Gold Rush of mid-19th-century America. There is a similar rush of folks venturing into the unknown frontier of cryptocurrency trading and DeFi investing, often leaving their livelihoods and previous jobs behind. My hometown, San Francisco, has plenty of reminders of that era, such as signs marking abandoned and buried ships left by crews eager to try their luck at striking it rich with gold.
Unfortunately, that same spirit attracted not only hard-working folks, but also criminals, scammers, and other miscreants. But not all is bad in this new frontier. Just like in the old West, new blockchain security companies and whitehat hackers are joining the fight to bring law and order to the new and vulnerable industry.
In this edition of the newsletter, I will expose the bad, celebrate the good, and explore the evolving battlefield which is blockchain security.
But first a quick note from friends and sponsors at Immunefi:
Review code. Prevent hacks. Build rep. Get paid.
Last year more than $200M were stolen in DeFi incidents. Immunefi protects you against smart contract hacks by helping create, run, and promote best practice bug bounty programs. Immunefi has the world’s biggest bug bounties, with $5m in smart contract bounties available now.
If you run a smart contract or DeFi application, go to https://immunefi.com/services/ and see how Immunefi can help protect your application today.
The Bad
The year 2020 was filled with almost weekly news of DeFi exploits, occasional exchange and blockchain hacks, and user account compromises, with a total monetary loss of around $500M. This amount quickly explodes into billions when considering damage caused by various Ponzi schemes, ransomware, and cryptojacking malware; however, these will be considered out of scope for this section as there is great coverage elsewhere. Instead I will focus on incidents unique to blocksec as opposed to criminals simply using cryptocurrencies in more traditional schemes.
The Good, The Bad and the Ugly. 1966.
Let’s begin our review of “the bad” by looking at the breakdown of various incident categories and the amount of monetary damage that they’ve caused:
Incident categories and monetary loss in 2020.
If you needed any further evidence of just how popular DeFi applications became relative to their centralized counterparts, then looking at the total funds stolen last year should give you a pretty solid signal. Unfortunately, this popularity was coupled with massive hacks which I will cover in detail. Blockchain protocol incidents such as 51% attacks are still present; however, they are dwarfed by the higher-level smart contract incidents. Monetary loss caused by vulnerabilities in node and wallet software is even smaller in comparison; however, I will discuss why this may change in the future. And with that, let's dive into our first category, which for years has remained a persistent target for attackers:
Exchange and other Crypto Business Incidents
Just as in the past years, cryptocurrency business hacks continue to dominate the total monetary loss especially as the market continues to grow. In 2020 about $300M were stolen across 21 incidents mostly from exchanges. This is an increase from $175M stolen in 11 incidents in 2019.
Of all exchange-related hacks, the massive KuCoin attack dwarfs all others with its $281M theft. Interestingly, the exchange claims it has recovered 84% of the lost assets by working with token issuers. Many smart contracts include centralized features which allow superuser accounts to blacklist attacker accounts or burn/confiscate stolen funds. Alternatively, token issuers may be able to redeploy their smart contracts with stolen funds removed from account snapshots. KuCoin was able to convince many projects to take these recovery actions, a precedent which is likely to repeat in future exchange incidents.
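To show what such an issuer-side recovery feature looks like in code, here is an added, hypothetical Solidity token (not KuCoin's or any listed issuer's actual contract) in which a single owner key can freeze an address and then either confiscate or burn its balance. The same key that makes recovery possible is also a single point of compromise, which is the trade-off issuers who ship these features accept.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal token with issuer-controlled recovery hooks of the kind described above.
// Hypothetical, illustrative code: not any real issuer's contract.
contract RecoverableToken {
    string public constant name = "Example Recoverable Token";
    uint8 public constant decimals = 18;
    uint256 public totalSupply;
    address public owner;

    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public frozen;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Frozen(address indexed account, bool isFrozen);
    event Confiscated(address indexed from, address indexed to, uint256 value);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(uint256 initialSupply) {
        owner = msg.sender;
        totalSupply = initialSupply;
        balanceOf[msg.sender] = initialSupply;
        emit Transfer(address(0), msg.sender, initialSupply);
    }

    // Ordinary transfer: refuses to move funds out of (or into) a frozen account,
    // which is what stops stolen tokens from being swapped away on a DEX.
    function transfer(address to, uint256 value) external returns (bool) {
        require(!frozen[msg.sender] && !frozen[to], "account frozen");
        require(balanceOf[msg.sender] >= value, "insufficient balance");
        balanceOf[msg.sender] -= value;
        balanceOf[to] += value;
        emit Transfer(msg.sender, to, value);
        return true;
    }

    // Blacklist or unblacklist an address. Only the issuer's superuser key may call this.
    function setFrozen(address account, bool isFrozen) external onlyOwner {
        frozen[account] = isFrozen;
        emit Frozen(account, isFrozen);
    }

    // Move a frozen account's whole balance to a recovery address (for example the
    // victim exchange's cold wallet). Requiring the freeze first closes the window
    // in which the holder could move funds out before the confiscation lands.
    function confiscate(address from, address to) external onlyOwner {
        require(frozen[from], "freeze before confiscating");
        uint256 amount = balanceOf[from];
        balanceOf[from] = 0;
        balanceOf[to] += amount;
        emit Confiscated(from, to, amount);
        emit Transfer(from, to, amount);
    }

    // Burn a frozen account's balance outright: the alternative to confiscation when
    // the issuer intends to re-issue tokens to victims from a balance snapshot.
    function burnFrozen(address from) external onlyOwner {
        require(frozen[from], "freeze before burning");
        uint256 amount = balanceOf[from];
        balanceOf[from] = 0;
        totalSupply -= amount;
        emit Transfer(from, address(0), amount);
    }
}
```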
Another pattern emerged in 2020 where attackers are not necessarily interested in just stealing funds. In the cases of BlockFi, Coincheck, Coinsquare, Liquid Exchange, and Poloniex, obtaining PII (Personally Identifiable Information) was just as useful, or at the very least a good enough reward. Stolen data was likely used to facilitate more direct user attacks such as phishing and SIM swapping.
Below is a complete list of exchange and other cryptocurrency business incidents:
The timing of the hacks continues to show careful planning and sophistication, with four different exchanges hit within days of each other. These attacks also coincided with the winter holidays, when many engineers were on vacation.
Post-mortem reports indicate that many of the hacks could have been easily avoided. For example, BlockFi’s employee was SIM swapped and Cashaa’s employee was infected with malware on an unmanaged personal laptop that was used for work. Other businesses such as Ledger failed to fully communicate the impact of a compromise resulting in an unexpected surge of phishing attacks.
There are still no industry-wide standards or regulations, such as PCI in the payments industry, that guide and require exchanges to follow minimum security practices. Unfortunately, this has left cryptocurrency businesses with a wide range of security controls which may not always be sufficient.
DeFi and Smart Contract Incidents
Next in our list of incidents with the highest monetary impact is DeFi with a seemingly endless stream of hacks. The year 2020 had an unprecedented growth in both the number of DeFi projects and the value locked in them. Consumers rushed to take advantage of new ways to earn profits. Attackers soon followed with new classes of smart contract exploits involving flash loans, arbitrage, oracles, and others. Complex interactions between DeFi components have exposed vulnerabilities never expected by developers or sometimes audit firms reviewing them.
When the dust settled in 2020, more than $230M had been stolen across 60 incidents. Some projects like bZx were repeatedly hacked with ever-increasing amounts, reaching about $9M of total stolen assets in 2020. It was staggering to watch not only the amounts involved but the sheer frequency with which these hacks happened. For example, in the single month of November, $76M worth of tokens were stolen, with hacks reported almost every other day:
Monthly DeFi Incidents in 2020
Below is a list of DeFi incidents which resulted in a monetary loss:
On the more optimistic side, only half of the total incidents involved monetary loss. The other half were asset issuers scrambling to shut down, upgrade, or in multiple cases hack themselves after a vulnerability was responsibly disclosed by whitehat hackers. Scroll through the Vulnerability sections in earlier editions of the newsletter for a more complete list of these near misses.
Not all DeFi projects were exploited using sophisticated hacks involving dozens of transactions. Some were good old scams which attracted hungry investors and quickly relieved them of their tokens. Below is a list of DeFi incidents which scammed users using backdoors:
These are the signs of an industry that still needs to mature. Internet commerce of the late 90s/early 2000s was similarly butchered until educational projects like OWASP, tools like the Burp proxy, and a multitude of web security consulting shops, bug bounty programs, conferences, and trainings sprang up. The DeFi space will also need to go through a similar painful growth period. Until then, we are likely going to see 2021 set new records in both the number of DeFi hacks and scams and the value lost to them.
Blockchain Incidents
Beneath all the flashy DeFi apps and exchange platforms sit good old layer one blockchains with their own issues. This section is divided by the different components involved in the operation of blockchains: nodes, wallets, and the consensus protocols guiding them.
Consensus Protocol Incidents
About $20M were stolen across 11 different incidents exploiting blockchain protocols. Most of the attacks involved PoW chains that were 51% attacked after sufficient hash power was rented on miner rental platforms such as NiceHash:
The first incident is particularly interesting as the first instance of a PoS (Proof of Stake) attack in the wild. Steemit's governance system was successfully subverted not by a mining pool with dominant hash power, but by a group of exchanges which pooled together dominant staking power. The attack was also made unique by the DPoS (Delegated Proof of Stake) mechanism, which allowed the perpetrators to force a hard fork in order to gain complete and permanent control of the network.
One common theme among successful 51% attacks was that the target blockchains were either relying on commodity mining hardware such as GPUs or, in the case of ASICs, were not the largest users of the hashing algorithm. This allowed miners to retarget or simply rent hashing capacity to attack these networks. Even with various defenses being put in place, it is likely that PoW 51% attacks are going to continue next year. This brings us to Proof of Stake blockchains. Now that Pandora's box has been opened, we may see another PoS 51% attack, especially on lower market cap chains where staking funds could be easily borrowed.
Node Software Incidents
Blockchain node software is a crucial element of the blockchain network as the key component which enforces and validates its rules. Unlike protocol incidents where risks are understood and expected such as with the 51% attacks, node software incidents result from vulnerabilities found in the actual implementation. There were 10 different incidents which resulted in the loss of $5.4M in 2020:
The Ravencoin incident was particularly nasty as it involved a malicious PR which introduced the minting vulnerability. What is concerning is that the vulnerability and the ongoing exploitation were only discovered 6 months later. Supply chain attacks are a real threat to other open source software projects, and blockchains are no different.
The Solana vulnerability was also insane as it identified missing transaction signature validation allowing anyone to steal funds from any account. Luckily the issue was found in the Testnet so no real funds were stolen.
Wallet and Client Software Incidents
Things were not much different on the wallet software side. There were 7 different incidents affecting wallets, with one resulting in a massive $1.6M loss:
Similarly to node software, wallets are also vulnerable to supply chain attacks. In fact, one such attack targeting IOTA’s Trinity Wallet caused so much disruption that the entire network had to be halted while developers were investigating.
What is concerning about both node and wallet software bugs is just how rare they are. Both of the major software incidents were caused by supply chain attacks. What's missing are critical vulnerabilities in nodes and wallets similar to the one found in Solana. It could be that these flaws are silently patched like the one in Geth. However, what keeps me up at night is that it's just as likely that there are not enough eyes on these projects beyond a few well-established ones. If there is one thing we can learn from traditional security, it is that even the most secure operating systems, web servers, mobile software, and other software get compromised. So is it just a matter of time before a major blockchain node vulnerability gets exploited?
User Incidents
Everyday users have been under a constant onslaught from scammers, phishing, and malware campaigns. In this report, I will focus on the more technical attacks, with incidents involving multi-billion-dollar Ponzi scams considered out of scope. Below is a list of just a few sample incidents representative of the year:
This year continued the trend of crypto pyramid schemes, celebrity giveaway and crypto-flipping scams, and fake crypto-stealing software. It was interesting to observe the first Web3 scam site, which posed as a legitimate MakerDAO project. Other examples of scam artists increasing their sophistication include the use of asset-specific features like XRP Memo fields, targeting telco switches, Tor exit nodes, and anything else that would get them closer to users' crypto.
However, nothing matched the massive Twitter hack which took over hundreds of cryptocurrency, celebrity, corporate, and other accounts, all to advertise a simple Bitcoin giveaway scam. These scams have slowly gained in popularity, with fake ads popping up on YouTube, Twitter, Google Ads, and other media sources purporting to come from Bill Gates, Elon Musk, and other celebrities. However, the July 15th attack was different since it took over verified individual, corporate, and other accounts on the Twitter platform itself. In the end it netted the attackers a relatively small $120K profit and resulted in multiple arrests shortly after:
The last notable user incident was an attack against Nexus Mutual’s founder which netted hackers an $8M profit worth of NXM tokens. Unlike mass “fake wallet” campaigns popular on Google Play Store, this one was highly targeted. It involved both a compromise of the user’s machine and a specially modified wallet software.
With cryptocurrency prices going through a mass rally, it is likely that both the frequency and the size of attacks on individuals are going to increase. While traditional mass phishing campaigns are going to remain, the ability to target specific high-profile users is particularly worrying. The Ledger database leak has identified a small group of individuals and their PII, which makes both online and physical attacks highly probable and dangerous.
The Ugly
In the previous section we explored some of the baddest incidents that blocksec has ever seen. But who are the actors behind these acts?
The Good, The Bad and the Ugly. 1966.
Advanced Persistent Threat (APT) groups have been a familiar enemy to financial, government, and other institutions for decades. Over the years, reports of Lazarus (APT38), a North Korean hacking group, targeting cryptocurrency businesses have significantly upped the stakes for exchanges after multiple incidents were attributed to them:
Other state-sponsored APT groups such as the Vietnamese Ocean Lotus (APT32) and the Chinese Wicked Panda (APT41) have been caught using more indirect tactics to accumulate cryptocurrency by installing mining malware on victims' computers:
Non-state sponsored APTs appear to be primarily focused on highly profitable ransomware campaigns which often involve cryptocurrencies as the preferred method of payment:
Previously mentioned APT groups use or target cryptocurrency assets as just one of their activities. However, a report by ClearSky has revealed a new APT dedicated to attacking cryptocurrency exchanges:
On the not-so-advanced but persistent side, the actors behind both the massive Twitter hack and the more targeted SIM swapping attacks turned out to be groups of young adults in their early 20s:
While investigators were focused on the actors behind exchange and individual attacks, there appears to be almost nothing revealed about the folks behind all of the DeFi hacks. The closest we got was the dForce incident, where an attacker was allegedly identified and forced to return all of the stolen assets:
Based on the lack of opsec following the hacks and the highly specialized skill-set involved in executing these attacks, DeFi hackers are more likely to be individual developers who decided to cross the line rather than organized criminal or nation state groups looking for new sources of revenue.
The Good
The story of Blockchain Security would not be complete without talking about the good folks and there were so many this year! What they do is what makes working in blocksec so exciting and inspiring at the same time.
The Good, The Bad and the Ugly. 1966.
A common occurrence across a number of DeFi incidents this year was the mention of whitehat hackers who reached out to developers to not only give them a heads up about a vulnerability, but actively assist them in patching their code. The whitehat behind many of these responsible disclosures was samczsun. Here are just a few projects out of at least 18 that he helped lock down this year:
Another sheriff in the lawless crypto frontier is Harry Denley from MyCrypto. As you can see from his Twitter and blog posts, he has worked tirelessly for years to identify and shut down a barrage of phishing and malware campaigns targeting cryptocurrency users. Hunting down scammers usually involves takedowns and possibly law enforcement reports, which rarely result in punitive action. In 2020 Harry took matters into his own hands and was able to steal back and return stolen funds from scammers by exploiting their badly protected infrastructure:
There are also so many dedicated teams which make the field more secure every day. One such team is ConsenSys Diligence. The group is well known for its smart contract security audits; however, their biggest contribution to the community this year was a number of free tools and papers which developers can use to secure their projects. Here are just a few of them released this year:
Blockchain Security Database - a collection of major Ethereum smart contract projects, audit reports, and available bug bounties.
There are many more heroes out there who I quietly watched from the pages of this newsletter in awe. You know who you are and it has been a privilege to share your victories and struggles in the past year.
The dream of bringing an open financial system to the world is not easy. It will require the work of thousands of entrepreneurs, developers, and security engineers to make blockchains not only functional but secure. The blockchain security field is still just as young and barely explored as the cryptocurrency ecosystem it is trying to protect. I hope that reading this newsletter was informative and has inspired you to walk this journey with so many of us. Consider joining the good fight as a security engineer, bounty hunter, smart contract developer, blockchain investigator, or just as a curious explorer on the new frontier. If you are not sure how to get started, subscribe to this newsletter, where I often post educational materials, or just feel free to reach out to me directly.
Welcome to the last Blockchain Threat Intelligence newsletter for this year. We are ending the year with just a few more hacks, one of a DeFi project and one of an exchange. Additional Livecoin exchange hack details reveal some suspicious activity, and the Parity hackers have suddenly awoken after 3 years. I'll keep this edition brief, but be on the lookout for the Year in Review report coming out in the next few days.
Livecoin. Hack or "hack"? Current state recreates a complete incident timeline and raises interesting questions about the exchange's operations prior to the "hack".
An Elaborate Cryptocurrency Scam revisits the Twitter hack and draws connections with a multitude of scammer campaigns across YouTube, Facebook, and other social media platforms.
Multisol is a CLI to make contract verification easier.
Dear readers, thank you for joining me on this journey to learn and explore the exciting world of blockchain security. I hope you had just as much fun reading and learning about this field this past year. Looking forward to seeing you all again in 2021!
This year Mr. Grinch has ruined Christmas for three different exchanges, with millions reported stolen as a result of hot wallet compromises. The BitGrail operator is in trouble again after additional evidence confirmed an exit scam, Curve discovered a flaw in the IDLE pool, and more in this week's edition of the Blockchain Threat Intelligence newsletter. Oh, and you may want to keep how much crypto you have away from jealous relatives.
Hacks
On December 23rd, 2020 the LiveCoin exchange lost control over its server infrastructure. The attackers massively inflated BTC, ETH, and XRP exchange rates on the trading platform. LiveCoin did not communicate the impact of the hack, but an estimated $2.4M worth of crypto was withdrawn around the time of the attack. Exchange operators were able to briefly post a message about the hack; however, it has since been replaced with a ransom note: "Good try Livecoin. But no... You have 2 days left...". Interestingly, the attackers also sent small amounts of BTC and ETH to addresses associated with the earlier EXMO hack, which may indicate a connection or a false lead.
On December 23rd, 2020 the Altilly Exchange server infrastructure was compromised. The exchange operators have shared that the attackers gained control over the server admin portal using an inactive account without 2FA enabled. After gaining access, the attackers were able to steal $1M worth of assets from hot wallets (30 BTC, 12,000 USDT). Even more assets were lost after the perpetrators downloaded and destroyed all database data and backups, possibly to support future ransom demands.
Governments around the world have introduced additional AML and KYC requirements on self-hosted wallet transactions. The Warp Finance oracle vulnerability was exploited, the Nexus Mutual founder's wallet was backdoored, the Ledger database was dumped on a forum, RubyGems supply chain attacks were used to steal crypto, and more in this week's edition of Blockchain Threat Intelligence.
Regulations
A FinCEN proposal requires exchanges to keep a record of all transactions greater than $3,000 sent to self-hosted wallets. The proposal is unusual due to a very limited public comment period, justified by "significant national security imperatives."
Backdoored RubyGems contained malware which replaced bitcoin addresses in the clipboard with the attacker's. The compromised gems were pretty_color and ruby-bitcoin.