A tough week for the Singaporean exchange KuCoin which suffered a major $281m hack. On the bright side, Lien Finance’s smart contract was preventively hacked to save $9.6m worth of ETH which also resulted in a fascinating article in the research section on beating front-running bots. This week’s edition features a lot more excellent papers, new tool releases, and two new blockchain security competitions. In other news, folks should really reconsider mining crypto on their employer’s supercomputers.

Hacks

• On September 25, 2020 KuCoin exchange hot wallet was compromised which resulted in a lost of more than $281m worth of crypto across BTC, ETH, LTC, BSV, XRP, XLM, TRX, and a number of ERC-20 tokens. What was unique about this hack is the sheer number of ERC-20 asset issuers who were able to freeze and reclaim stolen assets while the attacker was racing to liquidate them on Uniswap, Kyber, and other DEXs. This sets an interesting precedent for future attacks where token issuers actively support hacked exchanges.

• On September 19, 2020 a vulnerability in Lien Finance’s smart contract was discovered and later exploited by a white-hat group led by samczsun. While no funds were lost, $9.6m worth of ETH were at risk.

Malware

• Alien android malware family is targeting Coinbase, Blockchain.com, Luno, other cryptocurrency and banking wallet apps to steal credentials, control and steal SMS messages, and other trojan functionality.

Research

• Escaping the Dark Forest is a fascinating research article by samczsun on beating the front-runners to recover $9.6m worth of ETH from a vulnerable contract. The article is a follow up to Ethereum is a Dark Forest by Dan Robinson where a previous attempt at recovery was intercepted by front-runner bots.

• Staring into the Monster’s Eye: Analyzing a Generalized Front-running Arbitrage Bot Attack is another take on the front-running attacks on the Ethereum network by general purpose arbitrage bots.

• A General Framework for the Security Analysis of Blockchain Protocols.

• Research by Aqua Security observes a sharp increase on cloud infrastructure attacks over the past year to mine Monero using MrbMiner malware.

Projects

• Teatime is an extensible attack framework for Ethereum nodes by Dominik Muhs at Consensys Dilligence.

• Pool Detective is a project by MIT Digital Labs which attempts to detect network attacks across several Satoshi chains.

• Circuit Breaker is a firewall for Lightning network nodes to help protect them against htlcs floods.

Competitions

• DeFi Detectives is another live CTF by folks challenging players to hunt down Uniswap hackers and investigate SushiSwap’s exit scam.

• Damn Vulnerable Defi wargame by OpenZeppelin’s tincho challenges players to sharpen their defi skills.

That’s all for this week in blockchain threat intelligence! As a reminder, I am participating in the latest round of Gitcoin Grants so would appreciate your support. Stay safe and see you all next week.

-Peter

We have some good news this week from Bzx team which was able to recover stolen funds after identifying the attacker. Eterbase revealed additional hack details in the criminal complaint. US DOJ filled multiple indictments against Russian and Chinese nationals participating in variety of crypto-related schemes. At last check out an awesome twitter thread by @tayvano_ on crypto wallet security.

Blockchain Threat Intelligence newsletter is participating in the latest round of Gitcoin Grants. Special thanks to misterigl, Simon Polrot, and Sebastian Bolaños supporting this project!

News

• Bzx project was able to recover $8.1M worth of crypto after identifying the attacker. The project has also awarded a $45k bounty to the engineer who initially identified the vulnerability and reported the hack in progress.

• Negligence lawsuit was filled by Frisco (Zaif) exchange against Binance which allowed attackers to liquidate their stolen bitcoin following the 2018 hack.

• Two Russian nationals were indicted for participating in the theft of $16.8M in crypto and fiat by setting up fake exchange websites.

• Five Chinese nationals associated with APT 41 group were indicted for computer intrusions in facilitation of ransomware, crypto-jacking, and other schemes.

• Eterbase published a criminal complaint containing details of the hack, attacker and hotwallet addresses.

Research

• Awesome thread by Taylor Monahan (@tayvano_) about crypto hacks and vulnerabilities affecting crypto wallets over the past few years. So may gems and lessons!

• Ebb-and-Flow Protocols: A Resolution of the Availability-Finality Dilemma - attack on ETH2.0’s Casper finality gadget.

• Defending Against Malicious Reorgs in Tezos Proof-of-Stake - statistical analysis of reorgs.

• Formalizing Bitcoin Crashes with Universally Composable Security - analysis of attack and detection techniques against Bitcoin blockchain.

• Lightning-dev SIGHASH_SINGLE + update_fee Considered Harmful - vulnerability in LN HTLCs may allow theft of onchain fees.

Thanks for joining me this week, stay healthy, and see you all in another edition next week!

-Peter

Not a month has gone by before the next big exchange hack. Another DeFi project list $5M USD worth of crypto due to a money printing bug. Bitcoin core silently patches a critical bug, forgets to share it with other projects. IRS still wants to figure out where all of the Monero goes. Ransomware incidents on the rise and other news in this week’s edition of Blockchain Threat Intelligence newsletter.

Events

• Crypto Privacy Conference is hosted on September 15-16 with topics on blockchain surveillance, CoinJoin, and other related topics.

News

• IRS announced a $625k bounty to develop blockchain analytics software targeting Monero, Lightning Network, Raiden Network, and other layer 2 privacy protocols.

• US Treasury published 23 wallets on its sanctions list linked to the Internet Research Agency.

• Call of Duty gamers have to pay bitcoin ransom to regain access to their stolen accounts.

• An OG bitcoin wallet file is being traded online to anyone willing to try to crack the password and unlock 69370 BTC.

• $200M AT&T lawsuit filled by Michael Terpin was thrown out, but additional $23.8M case is still pending.

Hacks

• On September 9, 2020, Eterbase exchange was compromised which resulted in $5.4M worth of BTC, ETH, XTZ, AGLO, and other assets stolen from their hotwallets. The exchange has published a report including a list of attacker’s cryptocurrency wallets including a number hosted on Binance and Huobi exchanges. No additional details about the hack were shared.

• A minting vulnerability in bZx token was exploited which resulted in $8M worth LINK, ETH, USDT, USDC, and DAI getting stolen from the platform. According to the incident report, a non-standard transfer function allowed one to set both source and destination to the same address which in turn double the amount owned by the sender.

Vulnerabilities

• A previously patched vulnerability in Bitcoin Core was discovered in forked projects such as Litcoin, Namecoin, Decred. A memory exhaustion vulnerability can crash and/or freeze the vulnerable node. The vulnerability was silently patched in 2018 and was only shared after it was independently discovered by another party.

Malware

• KryptoCibule malware infects Windows hosts to mine Monero, steal crypto by replacing addresses in the clipboard, and exfiltrate wallet files. The malware uses Tor and Bittorrent for its C2 communication.

• Netwalker ransomware compromised Pakistan’s electric company and Argentina’s government network. The ransom is set to 382 BTC and 355 BTC respectively.

• REVil ransomware compromised Chilean bank.

Research

• Coordination, Good and Bad by Vitalik Buterin

Stay informed, stay healthy, and head over to /r/blocksec subreddit for blockchain security news throughout the week.

-Peter

While you were enjoying your sushi and yam, another DeFi project lost their almost entire liquidity pool, Ethereum oracle node operators got attacked, and Shapeshift caught their employee stealing bitcoin.

Hacks

• On September 3, 2020 SYFI token rebase mechanism was exploited to which allowed an attacker to empty token’s liquidity on Uniswap worth 740 ETH.

• On August 30, 2020 multiple Chainlink node operators have experienced a spam attack which resulted in 700 ETH being drained due to inflated gas fees. The attacked allowed a malicious party to mint and sell Chi tokens at a higher price point earning a profit.

• On August 21, 2020 Shapeshift detected a theft of ~90 BTC. According to the civil complaint filed by Shapeshift, a recently hired engineer installed a malicious program which siphoned corporate funds to his personal account for almost 7 months. Shapeshift has previously experienced multiple insider threat incidents in 2016. According to the Forensic Report and a blog post, those incidents also involved an employee who sold login credentials to critical network infrastructure which resulted in a theft of 469 BTC, 5800 ETH, and 1900 LTC spanning three separate hacks.

Vulnerabilities

• Wasabi CoinJoin denial of service vulnerability was discovered and responsibly disclosed by the Trezor team. The vulnerability could have halted all mixing activity for all users.

Malware

• Anubis malware targets Windows users to steal cryptocurrency wallets.

Research

• BAE’s published a report on money laundering operations. The report reveals cryptocurrencies are still rarely used for this purpose while traditional methods like front companies, casinos, money mules are still the preferred method.

• A fun hunting exercise by ZenGo’s security team to track down bitcoin funds paid in the recent UCSF ransomware incident.

Tools

• ETHOver extension by Martin Ortner from Consensys Dilligence allows analysts to easily pull source code and bytecode from Etherscan for any Ethereum address in the VS Code editor.

Thanks for joining me this week in blockchain threat intelligence news and see you all next week.

-Peter

Never a dull week in blockchain security! ETC got 51% attacked yet again. DoJ filed a complaint targeting 280 Lazarus Group cryptocurrency accounts. Yam, Chicken, YFV, and many other DeFi projects are getting deployed with unintentional and sometimes intentional vulnerabilities.

News

• DoJ seizes 280 cryptocurrency accounts associated with Lazarus Group.

• Empire Market exit scams with ~2638 BTC ($30.2M).

• CipherTrace announces Monero tracing capabilities.

Hacks

• On August 29, 2020 ETC has suffered another 51% attack with massive 7000+ blocks getting reorged. Looking deeper into the attack, 800K ETC (~$5M USD worth) were double spent in seven transactions. This is the third such attacker in the last month, with the first two covered here and here where additional 1.26M ETC were successfully double spent.
  
  Indicators:
  
  Reorg Victims:
  0xf0624560be4f73137C0DA1a2D4905fCF29067A82 0xDBbF2416C3764c91e7F2b04386ae72A1b1a939eA 0xbEc6BDA9C054263638676A7651f11Ea968128E58 0x1405DC84dB1c199C4E64a70976719747aF8580C1 0x7fCb1f635ADe333B6EC859C7Df53168cf132Ff7f 0x23373e0B840b24b241B00915D9962E759B9af287
  
  Attacker's addresses:
  0xeA8Cb86636eCE0155e69e796e4e1cb0238011289 0x98635d4A1E4143c757E6658A3F0AAEd93797b605 0x09dB3ee9f58d2E0152B9e41a8b91C5bbF8aF3a86 0xb4e4D72039658c3aAcBE7833D50597941e8f6EE7 0xb73f91FD456e96cF4C73632BF8581F93A91542C1
  
  Orphaned TXs:
  0x241128df91fe0954c569d25fe87b0c984ce2fa6efd63d54eb80449c1b4e887bf 0x9dc9b47fab62bdc1936a22d9d8e884481c2d121092416c83f286a5f741908b89 0x57907961230ecc0e5298d1725e43f2d936b9ed0c9daace61f9e758530f927cd4
  0x6962ee8506bbfd491d504bda0c8e0720fe48770b3789c6cf6e59fcfcf32103f4 0xe83fe7c979c836acef98ed8e6f65fda460d52a42cfb55b8fab567a746f0eb0d1 0x5614fe27bd1191b79e895af14c6111932f540bdcc6a80d7a12b90b52a96b5c08 0xba0aacafe4de6d31de6ea772ff0486443fb937ea30975654b0ce3e69fed749d6
  

Vulnerabilities

• A Denial of Service vulnerability was discovered in OpenEthereum node software which stop the node from importing new blocks.

• Chicken Finance was caught thinly disguising a backdoor in their contract, YFV is getting extorted with staking vulnerability, and many other DeFi hacks and vulnerabilities. Check out the excellent Consensys Dilligence - Smart Contract Security Newsletter for more details.

• An interesting social engineering attack vector which may allow a user to be extorted to access funds on their hardware wallet.

Malware

• Significant increases in cryptojacking malware was reported by Symantec.

• Electrum wallet users using outdated software versions continue getting phished with malicious popups to download backdoored software. In the latest example, a user reported a 1400 BTC theft as a results of the attack. You can find previous coverage of the hack and its perpetrators here and here.

Research

• A detailed report by F-Secure Labs on Lazarus Group criminal activity targeting cryptocurrency businesses. It includes malware indicators, techniques and tactics.

• Another report regarding Lazarus Group on-chain activity and the recent DOJ civil forfeiture complaint targeting 280 cryptocurrency addresses.

• A fun write-up for the recent for the recent Blockchain Investigation Contest by folks at AnChain.

• A fascinating analysis of bots automatically front-running transactions which may yield a profit. We have previously encountered these bots piggy-backing on asset issuer’s attempts to recover funds from vulnerable contracts.

• DogByte attack against ETH2.0 VDF.

That’s all for this week in Blockchain Threat Intelligence. Be sure to check out /r/BlockSec for more up to the minute news and see you all next week.

-Peter