What a week in DeFi land! Multiple projects had to resort to hacking their own smart contracts after getting reports about critical flaws. Additional vulnerabilities discovered in the Argent wallet and the Lightning Network all leading to funds theft. This week we have also learned about a shady South Korean exchange behind multi-million gas fee transactions on the Ethereum network. In other news enjoy the upcoming movie about NSA kidnapping Satoshi Nakamoto in an attempt to destroy cryptocurrencies.

Hacks

• The sender of $5 million Ethereum transaction fees has revealed itself to be a shady South Korean exchange Good Cycle which confirmed to be hacked on multiple times.

Scams

• South Korean authorities seized data of two unnamed Ponzi scheme exchanges.

• Scammers use vanity Bitcoin addresses with celebrity or corporate names as part of fake “giveaway” campaigns.

• Wirecard, the company behind Crypto.com and TenX debit cards, is unable to locate $2 billion of cash.

Vulnerabilities

• A major vulnerability in Bancor Network’s smart contract could allow funds theft. Bancor team has attacked their own vulnerable smart contracts to secure users’ funds, but not before arbitrage bots front-running some of those transactions and claiming the bounty for themselves.

• Another vulnerability and a pre-emptive hack on the DeFi Saver Exchange resulted in $30k of funds moved to a safe location.

• A high severity vulnerability in Argent wallet recovery process which can result in funds theft for wallets with no recovery guardians.

• Disclosure of a fee blackmail attack on the Lightning Network that can make a victim loose almost all funds of a non Wumbo channel and potential fixes.

Research

• ConsenSys Dilligence released Blockchain Security Database aggregating security audits and bounty programs for major Ethereum projects.

• Detecting transaction replacement attacks with Manticore

• Flood & Loot: A Systemic Attack On The Lightning Network

• Attack Nets project to create a stable testing ground for attackers.

• How I checked over 1 trillion mnemonics in 30 hours to win a bitcoin

• The 80,000 stolen MtGox bitcoins

Thanks for joining me this week and see you in another edition of Blockchain Threat Intelligence newsletter. In the meantime, head over to /r/blocksec for up to date information on the current threats.

-Peter

There was an uptick of scam reports this week ranging from Estonia’s massive cleaning operation, fake Elon Musks, and a fake Privnotes site. Malicious Monero miners are still hacking everything they can get their hands on from Azure Kubernetes servers to vulnerable SQL and Windows boxes. Also, a big oops on Filecoin’s testnet where miners exploited an inflation bug to mint millions.

In other news, Craig Wright may have just self-incriminated himself into hacking Mt. Gox by claiming ownership of one of the attacker’s BTC addresses.

Hacks

• A theory that the recent high fee transactions on Ethereum network were part of the exchange blackmail campaign.

Vulnerabilities

• Inflation Bug discovered and exploited by 6Block on Filecoin’s Testnet with several accounts now holding a billion each. No additional details are available on the vulnerability; however, it appears that the bug is exploitable by miners.

Scams

• A massive crackdown on Estonia’s cryptocurrency companies involved in money laundering and other scams.

• Multiple Youtube channels were hijacked as part of the Elon Musk/Space X impersonation campaign to steal Bitcoin.

• A definitive Ontario Securities commission report on QuadrigaCX exchange.

• A Privnotes[.]com phishing site was found to alter Bitcoin addresses sent in private messages.

Malware

• Kingminer cryptominer targets SQL servers with weak passwords and Windows hosts vulnerable to EternalBlue exploit to install XMRig and Mimikatz payloads.

• A number of misconfigured Azure Kubernetes clusters were exploited to mine Monero.

Research

• A research article by Trail of Bits on exploiting ECDSA nonce bias.

• Blockchain is Watching You: Profiling and Deanonymizing Ethereum Users.

• Attacking Bitcoin Core by Amiti Uttawar.

That’s all for this week in Blockchain Threat Intelligence. Check out /r/BlockSec for more up to the minute news and see you all next week.

-Peter

The brief lull between exchange hacks is over with yet another incident on Coincheck. This one is by the order of magnitude less than the 2018 hack, but losing control over your DNS could have been much worse than just leaking customer data for 200 users. Speaking of data leaks, Coinsquare hackers share thoughts on what to do with the stolen cache in their interview with Vice. Last but not least check out CipherTrace’s massive cryptocurrency crime and money-laundering report and a few interesting research articles in the Research section.

Hacks

• Crypto exchange Coincheck says it suffered a data breach, which may have exposed some users' personal information - on May 31, 2020 an unauthorized party changed exchanges DNS record which allowed them to intercept customer emails.

• Hackers Plan to Use Stolen Cryptocurrency Exchange Data for SIM Swapping - interview with Coinsquare hackers where they explore what to do with the stolen data ranging from leaking it to embarrass the exchange to attacking its customers.

• Coinsquare CEO confirms client data was stolen by a former employee after report of SIM swap threat

• Hackers Move Another $800K in BTC Stolen From the 2016 Bitfinex Breach - more activity since last week.

Vulnerabilities

• Details of firmware updates for Trezor One (version 1.9.1) and Trezor Model T (version 2.3.1) - a patch to address a hypothetical attack where malware can craft a transaction with unexpectedly high fees. The patch disables partially signed bitcoin transactions which breaks some integrations.

Research

• CipherTrace - Spring 2020 Cryptocurrency Crime and Anti-Money Laundering Report

• Time-Dilation Attacks on the Lightning Network

• Attacking Zcash Protocol For Fun And Profit

• Breaking the Solidity Compiler with a Fuzzer - an interesting study into compiler fuzzing by Trail of Bits.

• Europol Wasabi Wallet Report

That’s all for this week in Blockchain Threat Intelligence. Stay informed, stay healthy, and head over to /r/blocksec subreddit for blockchain security news through the week.

-Peter

This week let’s take a breather from the usual survey of hacks, leaks, vulnerabilities and enjoy the much needed break with a number of interesting white papers. You will learn about the current state of privacy coins, ECDSA attacks, model consensus mechanism threats, and think about DeFi risk. For some lighter reading, you can enjoy the play by play of SIM swappers using AT&T as their playground to target cryptocurrency owners.

Hacks

• Hacker steals $1,200 worth of Ethereum in under 100 seconds - news of bots scanning Github and other Internet resources for wallet keys and mnemonics.

• The events of a SIM swap attack (and defense tips) - a play by play of a standoff between SIM swappers and an AT&T customer.

• The Ethereum forum hacker is now selling the databases of Trezor and Ledger - the same actor selling Ethereum.org DB from last week is offering additional dumps of popular hardware wallet companies. Both Ledger and Trezor question validity of the data.

Malware

• Thousands of enterprise systems infected by new Blue Mockingbird malware gang - Telerik UI vulnerability exploited to install Monero mining malware.

Research

• The stair-pattern in time-locked Bitcoin transactions - an interesting study into certain time-locked transactions which can be used for fee sniping by miners.

• Everything is a Race and Nakamoto Always Wins - security analysis of several consensus mechanisms based on the longest chains.

• Dangers of using secp256k1 for encryption - Twist Attacks - an attack which may lead to a private key exposure.

• LadderLeak: Breaking ECDSA With Less Than One Bit Of Nonce Leakage

• DeRisking DeFi: Guarded Launches - risk management for DeFi assets.

• Subtleties and Security - information on four security issues in Bitcoin Core.

• Alt-Coin Traceability - the current state privacy features in Zcash and Monero.

• Custody Protocols Using Bitcoin Vaults

Thanks for joining me this week and see you in another edition of Blockchain Threat Intelligence newsletter. Head over to /r/blocksec for up to date information on the current threats.

-Peter

This week’s theme is DeFi! Writing smart contracts is hard enough, but take sufficiently complex systems like DeFi apps and bugs just start popping up. Hegic, tBTC, Etheroll all had interesting vulnerabilities discovered and published this week.

The BlockFi incident begs several questions: Why do they still use SMS as a 2FA option especially for internal employees and why are the internal systems still accessible from the Internet? This could have been much worse.

In other news, looks like some of the addresses in the Tulip Fund are turning against Faketoshi and more drama on the Steem network. Also, check out the hilarious Justin Sun deep fake scam video in the links below.

Hacks

• BlockFi Incident Report - on May 14th, 2020 BlockFi suffered a breach of its client data including customer names, emails, DoBs, home addresses, and activity history. An employee’s phone number was SIM ported to gain access to his or her corporate email and BlockFi’s internal systems. According to the incident report, an attacker attempted but failed to steal any funds.

• HegicOptions has shut down again - this one is not a typo, a design flaw in Hegic was exploited to make a quick $3340 profit.

• Details of the tBTC Deposit Pause on May 18, 2020 - additional details about the tBTC bug causing shutdown due to Bitcoin address parsing. An additional vulnerability was also reported where a malicious redeemer could craft an output script which would result in an invalid Bitcoin transaction to seize signer bonds and net profit in some circumstances.

• Etheroll exploited - a clever exploit which takes advantage of infrequent chain forks to game the gambling smart contract.

• Ethereum.org DB dump sold on the black market - reports of 16,000 ETH accounts from the 2016 hack being sold online. Vitalik’s hash is clearly visible in the screenshot and appears to be `$P$BVQJbEipvfH6s.IoLtWZmg3GTdo/ee/`. Does anyone wants to take a stab?

• Bitcoin stolen in a $72 million hack just started moving - more stolen funds movements on the blockchain. This time related to the 2016 Bitfinex hack.

Scams

• TRON’s Justin Sun Imitated in The Most Advanced ‘Deep-Fake’ Crypto Scam - a new spin on the classic crypto scam involves pre-recorded Skype calls with “deep-faked” Justin Sun on the other end. You can watch the hilarious video here.

Vulnerabilities

• Lit by Laser: PIN Code Recovery on Coldcard Mk2 Wallets - keep your crypto close, but your hardware wallets closer. Another hardware wallet cracked by the Ledger Donjon team.

Malware

• Insidious Android malware gives up all malicious features but one to gain stealth - ESET report on a banking trojan targeting cryptocurrency wallets. The malware was available as a DEFENSOR ID app in the official Google Play store. It exploits Android’s accessibility options to control other apps on the phone to gather victims’ credentials, emails, and messages.

People

• Meet the forensics expert who tracks stolen Bitcoin - an expose on CipherBlade’s Rich Sanders and his work tracking down stolen crypto.

Research

• Fact Checking Recent Cryptocurrency Terrorism Financing Reports - debunking myths of terror groups using crypto… for now.

• Frontrunning in Decentralized Exchanges, Miner Extractable Value, and Consensus Instability - a study of DEX arbitrage bots and the risk they pose to consensus security.

Another fun week in blockchain security! I hope you stay healthy and see you all next week. But for now, head over to /r/blocksec subreddit where I share many of the news in this newsletter throughout the week.