News

• China central bank’s Shanghai unit officially announces to crack down on crypto exchanges - People’s Bank of China (PBoC) regulatory enforcement action targeting cryptocurrency companies in Shanghai.

Hacks

• Monero download site and binaries compromised - report on the backdoor Monero wallet binaries downloaded from the project’s Github page. The compromise was first reported on Github when a user observed release binaries not matching.

• Password data for ~2.2 million users of currency and gaming sites dumped online - a large data dump from Gatehub and RuneScape compromises

• Phineas Fisher Offers $100,000 Bounty to Hack Banks and Oil Companies - a bug bounty was announced that would pay hacktivists in crypto to target financial institutions.

Crime

• Roughly $400 million of Ripple tokens tied to illegal activity - a blockchain analytics company, Elliptic, report on criminals starting to use XRP for illegal activities such as scams, Ponzi schemes, thefts, and some stolen credit card trading activity.

Malware

• Operation BlockChain Gang; Advanced Exploits, Commodity Tools - a detailed profile into a new threat actor called HydSeven. It is unique in its use of highly targeted speak-phishing combined with the use of commodity malware such as NetWire. The actor was involved in the earlier report of the 0day attack targeting Coinbase.

• How Ransomware Attacks - a threat profile of eleven ransomware families diving into their operation, file system and network activity.

• Update to X86 XMR crypto mining blog post - an update to a previous Akamai report discussing an additional attack script used to scan and infect hosts passed by the C2 server.

Vulnerabilities

• Breaking Mimblewimble’s Privacy Model - a report of a flaw in Grin’s Dandelion protocol which may allow user deanonymization by setting up a number of sniffer nodes. However, the Mimblewimble team has responded with the analysis of the report by calling it factually inaccurate.

• Prevent protocol stall from inconsistent LogicSig validity - Algorand fixed a DoS bug in its transaction validation logic.

Research

• What are the Actual Flaws in Important Smart Contracts (and How Can We Find Them)? - analysis of security findings from a large data set of smart contract security audits performed by Trail of Bits.

• Kudelski Security audit of Solana architecture - an in-depth architectural assessment of Solana cryptocurrency.

• EIDOS Airdrop Stifles the Liveness of EOSIO Network - an analysis of the network outages caused by the EIDOS airdrop.

This week BBC dropped a bomb with its investigative report linking known bad actors BTC-e (involved in 2016 election fraud) and Wex exchanges with Russian FSB service. A buffer overflow vulnerability was patched in Bitcoin node software, Ethereum opcode cost instability raises reentrancy concerns, and a dump of SFBW ‘19 videos are all featured in this week of blockchain threat intelligence.

Crime

• Russia’s FSB Linked to $450M Bitcoin Disappearance - a fascinating article on the history of BTC-e and Wex exchanges, their takedown by FBI, arrests of their administrators, and how $450 million worth of cryptocurrencies from these exchanges ended up in the hands of FSB. The article is based on the original investigative report by BBC Russia.

• Thieves targeted crypto execs and threatened their families in wide-ranging scheme, says DOJ - indictments against two individuals using technical (SIM-swapping) and non-technical harassment to steam or attempt to steal $550,000 in cryptocurrency.

• Hackers demand $5 million from Mexico's Pemex in cyberattack - a 565 BTC ($5 million) ransom was posted after company’s computers were infected with DoppelPaymer malware.

Research

• The Middleman Is Dead, Long Live the Middleman: The “Trust Factor” and the Psycho-Social Implications of Blockchain - a paper on trust in decentralized blockchain systems.

• Reentrancy After Istanbul - a research article on the effects of opcode repricing may have contracts where Gas increases may allow for successful reentrancy attacks in the fallback function.

• Securing Lightning Nodes - a great overview of possible attacks on the Lightning nodes and how to protect yourself against them.

Vulnerabilities

• [bitcoin-dev] CVE-2017-18350 disclosure - a buffer overflow vulnerability in SOCKS5 protocol handling in the Bitcoin Core node software.

Media

• SFBW 2019 Videos - videos from San Francisco Blockchain Week were posted including a number of blockchain security talks such as TxProbe Discovering Bitcoin’s Network Topology.

Did you enjoy this week’s edition? Have blockchain security related news to share or just a suggestion? Great, drop a line to iphelix [at] blockthreat.net. Thanks!

Protect Your Crypto

Buy a hardware wallet:

• Trezor Model T

• Ledger Nano

• KeepKey

Moving our way to up Week 45, this week features an excellent radio show by BBC on the OneCoin scam, mining hardware heist in Iceland, and an excellent research article on Proof of Work security.

Crime

• The Missing Cryptoqueen - an 8 episode BBC podcast series investigating OneCoin scam making anywhere between $4 billion.

• The Big Bitcoin Heist - a fascinating expose on a heist to steal cryptocurrency mining hardware from a facility in Iceland.

• N.Korea Laundered Money Through Blockchain Firm in Hong Kong - a report on a North Korean operation to launder stolen cryptocurrencies through a specially set up entity in Hong Kong.

• Columbus man pleads guilty in ‘dark web’ drug scheme - a guilty plea from one of the top vendors on the infamous Silk Road market.

Research

• How Coinbase views proof of work security - an insightful analysis of Proof of Work security and how it is affected by availability of ASIC miners.

Protect Your Crypto

Buy a hardware wallet:

• Trezor Model T

• Ledger Nano

• KeepKey

Continuing in the catch up mode, Week 44 features yet another ransomware attack against a major city, BitMEX mass email leak, LiteCoin getting dangerously close to being a target of a 51% attack, Devcon 5 videos and slides release.

Crime

• City of Johannesburg, on Second Hit, Refuses to Pay Ransom - an unusual attack where attackers demanded 4BTC for releasing control of a compromised network as opposed to keys to encrypted files.

Vulnerabilities

• BitMEX Email Leak - an incident report on the massive email address leak affecting BitMEX users. The report identifies an engineering lapse where a SendGrid API call batched sent addresses into a single TO: field which exposed addresses to all other recipients. The report also identifies that exchange’s Twitter account was also briefly compromised. Following the exposure, there were reports on hacking groups starting to target BitMEX users using leaked emails.

• Litecoin Hashrate Falls More Than 50% Since Peak: Dark ASICs Make it Vulnerable to Attack - a significant drop in Litecoin’s hashrate increases a risk and incentives for miners to perform a 51% attack.

Malware

• BlueKeep exploitation activity seen in the wild - a detailed report of mass exploitation of the Windows RDP vulnerability caught on a honeypot. The current payload is a Monero miner.

Research

• Vyper Preliminary Security Review - an analysis of the Vyper smart contract language identifies several interesting vulnerabilities.

Media

• Devcon 5 Videos and Slides - a number of excellent blockchain security related talk recordings were released today including:
  - Live Smart Contract Hacking
  - Ethereum 2.0 Security Considerations
  - Chainalysis: Building Trust in the Ethereum Blockchain
  - Privacy for Everyone
  - Mastering Ethereum CTFs
  - Breaking Smart Contracts

Protect Your Crypto

Buy a hardware wallet:

• Trezor Model T

• Ledger Nano

• KeepKey

Catching up on the Week 43 in Blockchain Threat Intelligence, this newsletter features updates on the Crypto Capital saga and its involvement with drug cartel money laundering, side-channel attacks on the privacy coins, and awesome research articles on FumbleChain wargame, eclipse attack against Ethereum, and others.

Crime

• Crypto Capital Official Nabbed in Money Laundering Probe - arrest and extradition of Ivan Manuel Molina Lee to Poland to face money laundering charges for a Columbian drug cartel. Bitfinex issued a statement about its involvement as only a victim of a fraud. The arrest continues the saga of the missing $850 million from the Tether fund controlled by Crypto Capital.

• Russian man sent to prison for mining bitcoin at top secret facility that made nuclear bombs - sentencing of a Russian scientist for mining bitcoin at Sarov lab on recently installed supercomputer.

Vulnerabilities

• Linking Anonymous Transactions via Remote Side-Channel Attacks - report on a patched side-channel attack targeting Zcash and Monero networks which can be used to deanonymize transactions, obtain IP addresses of machines with running wallets, cluster addresses to the same wallet.

• Forking Cheeze Wizards Smart Contracts, All Funds (and Wizards!) are Secure - an interesting “dead ringer” vulnerability and writeup in the Cheeze Wizards smart contract.

Research

• Blockchain Penetration Testing - Hacking the Vulnerable FumbleChain - an awesome writeup of solving the FumbleChain wargame.

• Eclipsing Ethereum Peers with False Friends - a research article exploiting Geth’s peer discovery mechanism to perform an eclipse attack.

• Smart Contract Attack Vectors - a repository of known smart contract attacks and vulnerabilities.

• OpenZeppelin Blockchains Study Group - an awesome project to document various blockchain security core topics such as a list of vulnerabilities in node software, classification of consensus mechanisms, common blockchain-specific attacks, and other related topics.

• Responding to 51% attacks in Casper FFG - the article discusses finality-reversion attack and how the upcoming PoS consensus mechanism will defend against it.

Protect Your Crypto

Buy a hardware wallet:

• Trezor Model T

• Ledger Nano

• KeepKey