Phishing scams are on the rise with Office 365 and Ledger customers targeted last week. Old school SS7 exploits are still successfully used to take over email accounts belonging to folks in the industry. Another day, another DeFi project arbitraged for a few million stable coins and more in this week’s edition:

Crime

• Telegram and email accounts of high profile individuals in the crypto industry were hijacked by exploiting vulnerabilities in SS7 telco switches.

• A phishing campaign on Office 365 customers is using Coinbase themed emails in an attempt to take over their email accounts. Attackers are most likely trying to target users associated with the cryptocurrency exchange.

• Reports of a phishing campaign targeting Ledger users with a prompt to download an updated version of Ledger Live desktop software. It may be related to a recent leak of up to 1M email addresses belonging to Ledger customers.

• Finnish psychotherapy center patients are being extorted 200 euros in BTC to keep their stolen data private.

Hacks

• On October 25th, 2020 an arbitrage weakness in Harvest Finance was exploited to profit an attacker about $24M worth of USDC and USDT. Following the hack, the attacker has transferred gained to funds to the following bitcoin addresses using REN Protocol:
  
  1Paykw4s2WX4SaVjDrQkwSiJr16AiANhiM
  1HLG86DDEzAxAGmEzxr1SUfPCWcnWA6bMm
  14stnrgMFNR4LesqQRUdo5n1VUx9xdAMeg
  18w2Bm2cCsbLjWQU9BcnjzK8ErmzozrVa3
  1FS2t2eAjmjaNmADN6SMHYo7G4XGpX1osS
  1NdAJ89k1qpRMpZLwuYGQ7VnM45xD2NJXa
  1CLHhshrusvT4XADWA29R2H4ndsSUamEWn

Vulnerabilities

• A reentrancy vulnerability was discovered and responsibly disclosed in BurgerSwap DeFi service hosted on Binance Smart Chain.

Research

• Financial Attacks on Democracy is a nice survey of using cryptocurrency to finance bad actors in the last election cycle.

• How This DoJ Strike Force Hunts Down Cryptocurrency Criminals

• Efficient audits with machine learning and Slither-simil

• Smart Contract Hacking Final Free Chapter - Hacking Games Via Bad Randomness Implementations on the Blockchain.

Thanks for joining me this week, stay healthy, and see you all in another edition next week!

-Peter

A relatively quiet week with news of arrests and fines popping up from law enforcement agencies from across the world. IOHK published a very interesting whitepaper on 51% attacks, future SushiSwap clones have an interesting backdoor to exploit, brainwallets are still a really bad idea, politicians are stealing government’s electricity to mine crypto and other news in this week’s edition.

News

• OKEx founder, Xu Mingxing, arrested in China. The exchange has suspended withdrawals citing the need for the key held by Xu.

• FinCEN fined Larry Dean Harmon $60M for running coin-mixing services Helix and Coin Ninja. A separate investigation is running in parallel on charges of conspiracy to launder money and operating an unlicensed money transmitter.

• Several prefectures in Japan received bomb threats demanding 40BTC to avoid the disaster. The incident is similar to the series of bomb threats demanding Bitcoin sent to various government agencies in 2018.

Vulnerabilities

• A reward manipulation vulnerability in SushiSwap’s MasterChef contract was disclosed by Dracula Protocol. The vulnerability can only be exploited by the smart contract owner at the time of the deployment.

• Binance Android Wallet was vulnerable to accessibility services misuse which could be used by malware to steal users’ funds. Gustuff and other malware families use Accessibility Services to target crypto wallets.

Research

• ECIP Comparison for 51% Attack Resistance whitepaper by IOHK analyzes pros and cons of various 51% attack mitigations including checkpointing, timestamping, RSK, Veriblock, PirlGuard, and MESS. The latter mitigation was recently deployed in ETC to combat three back-to-back attacks.

• Ethereum’s Dark Forest is worth cultivating invites everyone to embrace adversarial nature of decentralized systems rather than trying to avoid it.

• An interesting bug in Solidity compiler reported by Certora which results in garbage data being written into persistent storage.

• Call me Ishmael is a fun exercise by BitMEX Research to see just how quickly bots will steal brainwallets on Bitcoin network.

• Uniswap Swindle - Scammer Speaks Out is an interview with a fake ICO scammer.

Competitions

• Ethereum Classic Labs is hosting Chasing the Ghost: Network Security Hackathon which challenges players to develop system to combat 51% attacks.

• 2nd Solidity Underhanded Contest end of October deadline is approaching.

Fun

• Cryptography vs. Big Brother: How Math Became a Weapon Against Tyranny is part two of a four-part documentary series by ReasonTV on the cypherpunk movement.

Cheers!

-Peter

The rise of popularity in DeFi projects has also brought a new wave of scams and scammers. We will focus on three different examples ranging from traditional confidence scams to more technical backdoored smart contracts. OpenEthereum and ETH2 have announced bug bounty programs. TeamTNT is fighting other cryptojackers with their Black-T malware and other news in this week’s edition.

News

• Cryptocurrency Enforcement Framework was published by DoJ. The report focuses on crimes involving cryptocurrency (e.g. drug dealing), money laundering, and theft of cryptocurrency. The report also outlines threats posed by the nation states such as North Korea and Iran.

Scams

• UniCats platform scammed a user out of $140K worth of UNI by requesting unlimited transfer approval and later emptying the wallet. Bad cats!

• Whale Hunt - SBF & Blue Kirby is a dive into the on-chain transactions and activities of the latest exit scam in the DeFi space.

• DeFi Detectives: Chef Nomi Investigation Notes is a deep dive into SushiSwap exit scam and my winning entry in the DeFi Detectives competition.

Vulnerabilities

• A flaw was discovered in Curve, Swerve and other related contracts which could result in funds loss. The vulnerability was responsibly disclosed by Shaikh Farhan as part of Curve’s bug bounty program.

• Lightning Network continues discovering and patching new vulnerabilities.

• $50K bug bounty was announced by the ETH2 project in addition to the existing $25K bounty for the Ethereum project.

• Another $25K bug bounty was announced by the OpenEthereum project.

Malware

• Black-T malware targets weak AWS accounts to mine Monero. The sample proactively disables any competing miners on the compromised hosts.

Research

• Analysis of Soda Finance Hack by folks at Anchain and an example use of Z3 solver to automatically find similar bugs.

• Ethna: Analyzing the Underlying Peer-to-Peer Network of the Ethereum Blockchain

• Frontrunning on Automated Decentralized Exchange in Proof Of Stake Environment

That’s all for this week in Blockchain Threat Intelligence. Be sure to check out /r/BlockSec for more up to the minute news and see you all next week.

-Peter

BitMEX is in a serious trouble with U.S. DoJ with one of the co-owners arrested. No more ransomware payments unless you want OFAC to come after you for financing North Korean nukes. DeFi hackers stole so much that they have started voluntarily returning half of their stolen loot. Ethereum miners caught in MEV schemes and other excellent research articles in this week’s edition.

News

• BitMEX was charged by CFTC and DoJ with failing to implement sufficient AML and KYC procedures and violating the Bank Secrecy Act. The criminal complaint names four BitMEX co-owners with one of them already arrested in Massachusetts.

• U.S. Department of Treasury issued an advisory essentially restricting companies from making or facilitating ransomware payments which may profit entities on the sanctions list.

Hacks

• On September 28, 2020 Eminence.Finance contract was exploited which resulted in the theft of $15M worth of Eminence token. The contract attracted investors even before it was publicly announced or properly tested. An attacker used flash loans to exploit an arbitrage flaw in the way EMN is minted. @FrankResearcher tweeted a detailed transaction analysis which may hold clues in identifying the perp. Interestingly, the attacker returned $8M of their loot back to the Eminence contract for an unknown reason.

• KuCoin CEO tweeted that the perpetrators behind the exchange hack were found. Many more token issuers have performed swaps to invalidate and return stolen assets to KuCoin.

Vulnerabilities

• Double-spend vulnerability was responsibly disclosed and patched in the Incognito smart contract by samczsun.

Malware

• REvil Ransomware-as-a-Service operators posted $1M worth of bitcoins on a forum to recruit new affiliates.

Events

• Solidity Underhanded Contest is a competition to obfuscate malicious code in Solidity smart contract. This year’s theme is upgradable contracts.

Research

• MEVs are coming tweet storm by @FrankResearcher reveals real world examples of Ethereum miners engaging in execution arbitrage. Miner Extractable Value (MEV) were first discussed in Flash Boys 2.0 paper on front-running transactions.

• EMN Exploit case study implements a complete exploit used to attack Emminence.Finance contract.

• Check out Smart Contract Hacking training series blog posts, Github repo, and YouTube channel.

• A DoS attack vector against Eth2 nodes using time servers. The attack works by setting node time far into the future using malicious NTP servers and also broadcasting future state from attacker validators. Once the target node signs a future attestation it will remain in locked state until some time in the future.

That’s all for this week in blockchain threat intelligence! As a reminder, I am participating in the latest round of Gitcoin Grants so would appreciate your support. Stay safe and see you all next week.

-Peter

A tough week for the Singaporean exchange KuCoin which suffered a major $281m hack. On the bright side, Lien Finance’s smart contract was preventively hacked to save $9.6m worth of ETH which also resulted in a fascinating article in the research section on beating front-running bots. This week’s edition features a lot more excellent papers, new tool releases, and two new blockchain security competitions. In other news, folks should really reconsider mining crypto on their employer’s supercomputers.

Hacks

• On September 25, 2020 KuCoin exchange hot wallet was compromised which resulted in a lost of more than $281m worth of crypto across BTC, ETH, LTC, BSV, XRP, XLM, TRX, and a number of ERC-20 tokens. What was unique about this hack is the sheer number of ERC-20 asset issuers who were able to freeze and reclaim stolen assets while the attacker was racing to liquidate them on Uniswap, Kyber, and other DEXs. This sets an interesting precedent for future attacks where token issuers actively support hacked exchanges.

• On September 19, 2020 a vulnerability in Lien Finance’s smart contract was discovered and later exploited by a white-hat group led by samczsun. While no funds were lost, $9.6m worth of ETH were at risk.

Malware

• Alien android malware family is targeting Coinbase, Blockchain.com, Luno, other cryptocurrency and banking wallet apps to steal credentials, control and steal SMS messages, and other trojan functionality.

Research

• Escaping the Dark Forest is a fascinating research article by samczsun on beating the front-runners to recover $9.6m worth of ETH from a vulnerable contract. The article is a follow up to Ethereum is a Dark Forest by Dan Robinson where a previous attempt at recovery was intercepted by front-runner bots.

• Staring into the Monster’s Eye: Analyzing a Generalized Front-running Arbitrage Bot Attack is another take on the front-running attacks on the Ethereum network by general purpose arbitrage bots.

• A General Framework for the Security Analysis of Blockchain Protocols.

• Research by Aqua Security observes a sharp increase on cloud infrastructure attacks over the past year to mine Monero using MrbMiner malware.

Projects

• Teatime is an extensible attack framework for Ethereum nodes by Dominik Muhs at Consensys Dilligence.

• Pool Detective is a project by MIT Digital Labs which attempts to detect network attacks across several Satoshi chains.

• Circuit Breaker is a firewall for Lightning network nodes to help protect them against htlcs floods.

Competitions

• DeFi Detectives is another live CTF by folks challenging players to hunt down Uniswap hackers and investigate SushiSwap’s exit scam.

• Damn Vulnerable Defi wargame by OpenZeppelin’s tincho challenges players to sharpen their defi skills.

That’s all for this week in blockchain threat intelligence! As a reminder, I am participating in the latest round of Gitcoin Grants so would appreciate your support. Stay safe and see you all next week.

-Peter