Hacks

• Hacker steals $6.7 million worth of tokens from VeChain Foundation - 1.1B VET tokens transferred to 0xD802A148f38aBa4759879c33E8d04deb00cFB92b as a result of misconduct of the token’s finance team. In the follow up to the incident, VeChain Foundation has implemented a blacklist against 469 attacker addresses in collaboration with Authority Masternodes.

Crime

• Russia's Hydra Darknet Marketplace Plans $146M Token Sale - a new trend in darknet markets attempting ICOs.

• Crypto Mining Pool Fraud Scheme - three arrested in a BitClub Network mining pool scam where customers were presented with fake earnings and encouraged to purchase mining tokens.

• Stellar Tried to Give Away 2B XLM Tokens on Keybase. Then the Spammers Came - mass spamming of the Keybase platform as a result of the Stellar airdrop.

• BTC Mixing Service Bitcoin Blender Accused of Stealing User’s Funds - a Reddit user reported the mixing service simply stealing any funds sent to them.

• ISIS Is Experimenting with This New Blockchain Messaging App - reports of a terror group experimenting with a number of messaging apps including BCM, TamTam, RocketChat, Riot, and Hoop.

Malware

• Kaspersky research finds 174 municipal institutions targeted with ransomware in 2019 - the report documents a significant spike in ransomware attacks with ransomware amounts reaching up to $5M on average. The report also notes that mining attacks have also dropped sharply.

• Two members of the prolific Romanian hacker gang Bayrob Group were sentenced to two decades in U.S. prison apiece after their malware mined crypto on 400,000 infected computers.

Vulnerabilities

• How to turn $20M into $340M in 15 seconds - a theoretical attack scenario against MakerDAO which may result in collateral theft. The attack requires 80K MKR which only a the Maker Foundation and a few investors investors like a16z currently have. Following the article, Maker Foundation has increased the Governance Security Module (GSM) delay to 24 hours to allow proper detection to an otherwise instantaneous attack.

• Critical bug in EOS REX - an EOS Authority security assessment has uncovered a flaw in REX contract which allowed it to extract more EOS tokens than expected. The vulnerability is patched.

• Inside Kraken Security Labs: Flaw Found in Keepkey Crypto Hardware Wallet - a voltage glitching attack to extract an encrypted seed.

Research

• Tracing extorted bitcoin - an investigation into a extortion attempt where an attacker claimed sex acts recorded on a hacked webcam video.

• Selfish Behavior in the Tezos Proof-of-Stake Protocol - the research paper describes conditions under which block stealing may be incentivized.

• Vertcoin’s 51% attack – a case-study for blockchain security - several interesting insights into how the Vertcoin attack was perpetrated including Nicehash stratum protocol monitoring, the insights taken from the A model for Bitcoin’s security and the declining block subsidy, Hostile blockchain takeovers and On the Security and Performance of Proof of Work Blockchains papers, and other papers.

• All smart contract security issues in one place: An introduction to the SWC Registry - introduction to a new smart contract vulnerabilities directory using a few sample contracts as examples.

• Destroying the Indestructible - an interesting technique to bypass Dharma’s IndestructibleRegistry by exploiting the way the platform interprets bytecode with jump in the middle trickery.

• BDoS: Blockchain Denial of Service - novel denial of service attack which requires significantly less than 51% hashpower.

• Chinese bitcoin miners control 65% of the crypto network's processing power; Bitmain’s market share continues to decline - an analysis of increasing share of hashpower controlled by Chinese based miners.

Tools

• Lightning Network (Part 5) – BitMEX Research Launches Penalty Transaction Alert System - a new monitoring system to detect penalty or “justice” transactions on the lightning network.

Malware

• New macOS Threat Served from Cryptocurrency Trading Platform - a new malware sample associated with North Korea’s Lazarus group acts as a cryptocurrency arbitrage trading platform called UnionCryptoTrader.

Research

• SquirRL: Automating Attack Discovery on Blockchain Incentive Mechanisms with Deep Reinforcement Learning - a new framework to identify novel incentive attacks like selfish mining.

• Improvements of the Balance Discovery Attack on Lightning Network Payment Channels - a new attack method using malformed payments to unmask balances of payment channels.

• How DeFi cannibalizes PoS security - a research article outlines a new risk to less staking power available due to the popularity of DeFi platforms.

• Mutation Testing for Smart Contracts - A step by step guide to using Vertigo to test smart contracts.

• Metal Bitcoin Seed Storage Stress Test (Round III) - the latest round where Jameson Lopp burns and crushes hardware wallets.

Tools

• RandomX Sniffer - a PoC tool to detect traces of running RandomX ransomware algorithm in CPU registers.

Media

• Breaking Bitcoin 2019 - videos from the conference are now available.

Hacks

• South Korean crypto exchange Upbit has lost cryptocurrency worth $49 million - in a confirmed announcement 342,000 ETH has been stolen on November 27th and sent to an unknown wallet 0xa09871AEadF4994Ca12f5c0b6056BBd1d343c029.

• Vertcoin (VTC) was 51% attacked - five outputs were double spent on the Vertcoin network as a result of the 51% attack netting an attacker just 125 VTC ($29). The attacker most likely obtained the hash power by renting it on Nicehash.

• A hacking group is hijacking Docker systems with exposed API endpoints - reports of a mass internet scanning for open Docker endpoints to install an image with Monero miner.

Crime

• The Secret Life and Strange Death of Quadriga Founder Gerald Cotten - a Vanity Fair article into the life of Gerald Cotten, scams he ran before Quadriga, theft of funds, and finally his odd death.

• CipherTrace Q3 2019 Cryptocurrency Anti-Money Laundering Report - a quarterly report into the cryptocurrency related thefts, scams and other criminal activity.

• Little-Known Crypto Exchange With Ties to a Shanghai Firm Halts Services, Says CEO ‘Missing’ - a likely exit scam involving a missing CEO and frozen cold storage funds.

• Russia’s FSB Linked to $450M Bitcoin Disappearance - an article based on the BBC Russia report into the link between BTC-e exchange and Russia’s FSB services.

• U.S. authorities arrest Ethereum research scientist Virgil Griffith for allegedly assisting North Korea in evading sanctions - reports of an arrest of an Ethereum developer who traveled to North Korea to present at a cryptocurrency conference.

Malware

• Insights from one year of tracking a polymorphic threat - analysis of a complex malware family Dexphot utilizing several stealth and polymorphic techniques.

• Stantinko botnet adds cryptomining to its pool of criminal activities - an interesting sample which obfuscates miner traffic through the use of proxies. Configuration data for the proxies is stored on YouTube.

Research

• Clustering transactions in Bitcoin and other cryptocurrencies - findings from the network-level privacy attacks on Bitcoin and other cryptocurrency networks.

• Debunking the Binance police raids with OSINT - analysis of Shanghai government visits to cryptocurrency companies and how it may have involved Binance.

• Inside Kraken Security Labs: Crypto Domain Hijacking - a domain takeover attack targeting a directory service for PGP keys and bitcoin receiving addresses.

• NSA Backdoors and Bitcoin - a curious case of selecting ECC curves for Bitcoin and dodging an NSA backdoor built into an alternative version used by most of the industry.

Tools

• A beginner’s guide to MythX - introduction to smart contract security assessments using MythX.

• ContractGuard: Defend Ethereum Smart Contracts with Embedded Intrusion Detection - a novel solution to build-in defenses into the smart contract itself.

News

• China central bank’s Shanghai unit officially announces to crack down on crypto exchanges - People’s Bank of China (PBoC) regulatory enforcement action targeting cryptocurrency companies in Shanghai.

Hacks

• Monero download site and binaries compromised - report on the backdoor Monero wallet binaries downloaded from the project’s Github page. The compromise was first reported on Github when a user observed release binaries not matching.

• Password data for ~2.2 million users of currency and gaming sites dumped online - a large data dump from Gatehub and RuneScape compromises

• Phineas Fisher Offers $100,000 Bounty to Hack Banks and Oil Companies - a bug bounty was announced that would pay hacktivists in crypto to target financial institutions.

Crime

• Roughly $400 million of Ripple tokens tied to illegal activity - a blockchain analytics company, Elliptic, report on criminals starting to use XRP for illegal activities such as scams, Ponzi schemes, thefts, and some stolen credit card trading activity.

Malware

• Operation BlockChain Gang; Advanced Exploits, Commodity Tools - a detailed profile into a new threat actor called HydSeven. It is unique in its use of highly targeted speak-phishing combined with the use of commodity malware such as NetWire. The actor was involved in the earlier report of the 0day attack targeting Coinbase.

• How Ransomware Attacks - a threat profile of eleven ransomware families diving into their operation, file system and network activity.

• Update to X86 XMR crypto mining blog post - an update to a previous Akamai report discussing an additional attack script used to scan and infect hosts passed by the C2 server.

Vulnerabilities

• Breaking Mimblewimble’s Privacy Model - a report of a flaw in Grin’s Dandelion protocol which may allow user deanonymization by setting up a number of sniffer nodes. However, the Mimblewimble team has responded with the analysis of the report by calling it factually inaccurate.

• Prevent protocol stall from inconsistent LogicSig validity - Algorand fixed a DoS bug in its transaction validation logic.

Research

• What are the Actual Flaws in Important Smart Contracts (and How Can We Find Them)? - analysis of security findings from a large data set of smart contract security audits performed by Trail of Bits.

• Kudelski Security audit of Solana architecture - an in-depth architectural assessment of Solana cryptocurrency.

• EIDOS Airdrop Stifles the Liveness of EOSIO Network - an analysis of the network outages caused by the EIDOS airdrop.

This week BBC dropped a bomb with its investigative report linking known bad actors BTC-e (involved in 2016 election fraud) and Wex exchanges with Russian FSB service. A buffer overflow vulnerability was patched in Bitcoin node software, Ethereum opcode cost instability raises reentrancy concerns, and a dump of SFBW ‘19 videos are all featured in this week of blockchain threat intelligence.

Crime

• Russia’s FSB Linked to $450M Bitcoin Disappearance - a fascinating article on the history of BTC-e and Wex exchanges, their takedown by FBI, arrests of their administrators, and how $450 million worth of cryptocurrencies from these exchanges ended up in the hands of FSB. The article is based on the original investigative report by BBC Russia.

• Thieves targeted crypto execs and threatened their families in wide-ranging scheme, says DOJ - indictments against two individuals using technical (SIM-swapping) and non-technical harassment to steam or attempt to steal $550,000 in cryptocurrency.

• Hackers demand $5 million from Mexico's Pemex in cyberattack - a 565 BTC ($5 million) ransom was posted after company’s computers were infected with DoppelPaymer malware.

Research

• The Middleman Is Dead, Long Live the Middleman: The “Trust Factor” and the Psycho-Social Implications of Blockchain - a paper on trust in decentralized blockchain systems.

• Reentrancy After Istanbul - a research article on the effects of opcode repricing may have contracts where Gas increases may allow for successful reentrancy attacks in the fallback function.

• Securing Lightning Nodes - a great overview of possible attacks on the Lightning nodes and how to protect yourself against them.

Vulnerabilities

• [bitcoin-dev] CVE-2017-18350 disclosure - a buffer overflow vulnerability in SOCKS5 protocol handling in the Bitcoin Core node software.

Media

• SFBW 2019 Videos - videos from San Francisco Blockchain Week were posted including a number of blockchain security talks such as TxProbe Discovering Bitcoin’s Network Topology.

Did you enjoy this week’s edition? Have blockchain security related news to share or just a suggestion? Great, drop a line to iphelix [at] blockthreat.net. Thanks!

Protect Your Crypto

Buy a hardware wallet:

• Trezor Model T

• Ledger Nano

• KeepKey