This week’s theme is DeFi! Writing smart contracts is hard enough, but take sufficiently complex systems like DeFi apps and bugs just start popping up. Hegic, tBTC, Etheroll all had interesting vulnerabilities discovered and published this week.

The BlockFi incident begs several questions: Why do they still use SMS as a 2FA option especially for internal employees and why are the internal systems still accessible from the Internet? This could have been much worse.

In other news, looks like some of the addresses in the Tulip Fund are turning against Faketoshi and more drama on the Steem network. Also, check out the hilarious Justin Sun deep fake scam video in the links below.

Hacks

• BlockFi Incident Report - on May 14th, 2020 BlockFi suffered a breach of its client data including customer names, emails, DoBs, home addresses, and activity history. An employee’s phone number was SIM ported to gain access to his or her corporate email and BlockFi’s internal systems. According to the incident report, an attacker attempted but failed to steal any funds.

• HegicOptions has shut down again - this one is not a typo, a design flaw in Hegic was exploited to make a quick $3340 profit.

• Details of the tBTC Deposit Pause on May 18, 2020 - additional details about the tBTC bug causing shutdown due to Bitcoin address parsing. An additional vulnerability was also reported where a malicious redeemer could craft an output script which would result in an invalid Bitcoin transaction to seize signer bonds and net profit in some circumstances.

• Etheroll exploited - a clever exploit which takes advantage of infrequent chain forks to game the gambling smart contract.

• Ethereum.org DB dump sold on the black market - reports of 16,000 ETH accounts from the 2016 hack being sold online. Vitalik’s hash is clearly visible in the screenshot and appears to be `$P$BVQJbEipvfH6s.IoLtWZmg3GTdo/ee/`. Does anyone wants to take a stab?

• Bitcoin stolen in a $72 million hack just started moving - more stolen funds movements on the blockchain. This time related to the 2016 Bitfinex hack.

Scams

• TRON’s Justin Sun Imitated in The Most Advanced ‘Deep-Fake’ Crypto Scam - a new spin on the classic crypto scam involves pre-recorded Skype calls with “deep-faked” Justin Sun on the other end. You can watch the hilarious video here.

Vulnerabilities

• Lit by Laser: PIN Code Recovery on Coldcard Mk2 Wallets - keep your crypto close, but your hardware wallets closer. Another hardware wallet cracked by the Ledger Donjon team.

Malware

• Insidious Android malware gives up all malicious features but one to gain stealth - ESET report on a banking trojan targeting cryptocurrency wallets. The malware was available as a DEFENSOR ID app in the official Google Play store. It exploits Android’s accessibility options to control other apps on the phone to gather victims’ credentials, emails, and messages.

People

• Meet the forensics expert who tracks stolen Bitcoin - an expose on CipherBlade’s Rich Sanders and his work tracking down stolen crypto.

Research

• Fact Checking Recent Cryptocurrency Terrorism Financing Reports - debunking myths of terror groups using crypto… for now.

• Frontrunning in Decentralized Exchanges, Miner Extractable Value, and Consensus Instability - a study of DEX arbitrage bots and the risk they pose to consensus security.

Another fun week in blockchain security! I hope you stay healthy and see you all next week. But for now, head over to /r/blocksec subreddit where I share many of the news in this newsletter throughout the week.

Happy Bitcoin halving and welcome back to the Blockchain Threat Intelligence newsletter, the weekly digest of blockchain security news, tools, events, and threats. You may also be interested in /r/blocksec subreddit where I share many of the news below throughout the week.

Lot’s of money laundering activity this week where attackers have attempted to cash out their ill gotten gains or found innovative ways to obfuscate their source. North Korean hackers are at it again and more supercomputers commandeered to mine crypto. Also this week, more news about Michael Terpin’s quest to punish everyone involved in a 2018 heist. Oh and you may want to avoid using online paper wallet generators.

Crime

• N. Korean hacking group increasing efforts to steal cryptocurrency - reports of increased efforts by North Korean APT group Lazarus (aka Hidden Cobra) to attack cryptocurrency institutions in the time when COVID-19 pandemic left the country even more isolated. Additionally, FBI, DHS are preparing to share details of North Korean hacking tools involved in these hacks.

• U.S. cryptocurrency investor sues suburban NYC teen for $71.4 million over alleged swindle - the latest in the series of lawsuits where Michael Terpin is going after everyone involved in a 2018 SIM swapping hack where he lost $24 million in cryptocurrencies. In 2019, Terpin was awarded $75 million in a case against Nicholas Truglia, one of the co-conspirators. Same year, he has also sued AT&T for $224 million for allowing the hack in the first place. The latest suit targets Ellis Pinsky, the alleged ring-leader of the SIM swapping group, who has just turned 18 years old.

Hacks

• The most recent attempt to launder stolen UPbit hacked funds involves an array of well-known exchanges - some more money laundering activity from the 2019 Upbit hack where 342,000 ETH were stolen. The article contains detailed breakdown of all Exchanges which received stolen ETH. Funds moved to Binance exchange were reported frozen.

• Supercomputers hacked across Europe to mine cryptocurrency - a number of European university supercomputers were compromised via stolen SSH credentials to mine Monero. The attackers used custom malware (detailed analysis and indicators) and a CVE-2019-15666 exploit to escalate privileges.

• BitcoinPaperWallet Backdoor - reports of a backdoored paper wallet which generates not so random keys.

• Thousands of #EOS Related to EOSPlay Hack (Sep. 2019) are Laundered through Buying/Selling RAM and Deposited into #Binance Eventually - interesting money laundering technique unique to crypto assets and EOS specifically.

Tools

• Bug Hunting with Crytic - a new smart contract security project by Trail of Bits. Crytic integrates with existing smart contract repositories to continuously execute some of ToB’s other tools like Slither and Echidna to produce customized reports.

That’s all for this week in blockchain security. A bit of trivia, the last block before Bitcoin reward halving contained a nice easter egg in the spirit of the genesis block: NYTimes 09/Apr/2020 With $2.3T Injection, Fed's Plan Far Exceeds 2008 Rescue. Stay healthy and see y’all next week!

Hacks

• Hacker steals $6.7 million worth of tokens from VeChain Foundation - 1.1B VET tokens transferred to 0xD802A148f38aBa4759879c33E8d04deb00cFB92b as a result of misconduct of the token’s finance team. In the follow up to the incident, VeChain Foundation has implemented a blacklist against 469 attacker addresses in collaboration with Authority Masternodes.

Crime

• Russia's Hydra Darknet Marketplace Plans $146M Token Sale - a new trend in darknet markets attempting ICOs.

• Crypto Mining Pool Fraud Scheme - three arrested in a BitClub Network mining pool scam where customers were presented with fake earnings and encouraged to purchase mining tokens.

• Stellar Tried to Give Away 2B XLM Tokens on Keybase. Then the Spammers Came - mass spamming of the Keybase platform as a result of the Stellar airdrop.

• BTC Mixing Service Bitcoin Blender Accused of Stealing User’s Funds - a Reddit user reported the mixing service simply stealing any funds sent to them.

• ISIS Is Experimenting with This New Blockchain Messaging App - reports of a terror group experimenting with a number of messaging apps including BCM, TamTam, RocketChat, Riot, and Hoop.

Malware

• Kaspersky research finds 174 municipal institutions targeted with ransomware in 2019 - the report documents a significant spike in ransomware attacks with ransomware amounts reaching up to $5M on average. The report also notes that mining attacks have also dropped sharply.

• Two members of the prolific Romanian hacker gang Bayrob Group were sentenced to two decades in U.S. prison apiece after their malware mined crypto on 400,000 infected computers.

Vulnerabilities

• How to turn $20M into $340M in 15 seconds - a theoretical attack scenario against MakerDAO which may result in collateral theft. The attack requires 80K MKR which only a the Maker Foundation and a few investors investors like a16z currently have. Following the article, Maker Foundation has increased the Governance Security Module (GSM) delay to 24 hours to allow proper detection to an otherwise instantaneous attack.

• Critical bug in EOS REX - an EOS Authority security assessment has uncovered a flaw in REX contract which allowed it to extract more EOS tokens than expected. The vulnerability is patched.

• Inside Kraken Security Labs: Flaw Found in Keepkey Crypto Hardware Wallet - a voltage glitching attack to extract an encrypted seed.

Research

• Tracing extorted bitcoin - an investigation into a extortion attempt where an attacker claimed sex acts recorded on a hacked webcam video.

• Selfish Behavior in the Tezos Proof-of-Stake Protocol - the research paper describes conditions under which block stealing may be incentivized.

• Vertcoin’s 51% attack – a case-study for blockchain security - several interesting insights into how the Vertcoin attack was perpetrated including Nicehash stratum protocol monitoring, the insights taken from the A model for Bitcoin’s security and the declining block subsidy, Hostile blockchain takeovers and On the Security and Performance of Proof of Work Blockchains papers, and other papers.

• All smart contract security issues in one place: An introduction to the SWC Registry - introduction to a new smart contract vulnerabilities directory using a few sample contracts as examples.

• Destroying the Indestructible - an interesting technique to bypass Dharma’s IndestructibleRegistry by exploiting the way the platform interprets bytecode with jump in the middle trickery.

• BDoS: Blockchain Denial of Service - novel denial of service attack which requires significantly less than 51% hashpower.

• Chinese bitcoin miners control 65% of the crypto network's processing power; Bitmain’s market share continues to decline - an analysis of increasing share of hashpower controlled by Chinese based miners.

Tools

• Lightning Network (Part 5) – BitMEX Research Launches Penalty Transaction Alert System - a new monitoring system to detect penalty or “justice” transactions on the lightning network.

Malware

• New macOS Threat Served from Cryptocurrency Trading Platform - a new malware sample associated with North Korea’s Lazarus group acts as a cryptocurrency arbitrage trading platform called UnionCryptoTrader.

Research

• SquirRL: Automating Attack Discovery on Blockchain Incentive Mechanisms with Deep Reinforcement Learning - a new framework to identify novel incentive attacks like selfish mining.

• Improvements of the Balance Discovery Attack on Lightning Network Payment Channels - a new attack method using malformed payments to unmask balances of payment channels.

• How DeFi cannibalizes PoS security - a research article outlines a new risk to less staking power available due to the popularity of DeFi platforms.

• Mutation Testing for Smart Contracts - A step by step guide to using Vertigo to test smart contracts.

• Metal Bitcoin Seed Storage Stress Test (Round III) - the latest round where Jameson Lopp burns and crushes hardware wallets.

Tools

• RandomX Sniffer - a PoC tool to detect traces of running RandomX ransomware algorithm in CPU registers.

Media

• Breaking Bitcoin 2019 - videos from the conference are now available.

Hacks

• South Korean crypto exchange Upbit has lost cryptocurrency worth $49 million - in a confirmed announcement 342,000 ETH has been stolen on November 27th and sent to an unknown wallet 0xa09871AEadF4994Ca12f5c0b6056BBd1d343c029.

• Vertcoin (VTC) was 51% attacked - five outputs were double spent on the Vertcoin network as a result of the 51% attack netting an attacker just 125 VTC ($29). The attacker most likely obtained the hash power by renting it on Nicehash.

• A hacking group is hijacking Docker systems with exposed API endpoints - reports of a mass internet scanning for open Docker endpoints to install an image with Monero miner.

Crime

• The Secret Life and Strange Death of Quadriga Founder Gerald Cotten - a Vanity Fair article into the life of Gerald Cotten, scams he ran before Quadriga, theft of funds, and finally his odd death.

• CipherTrace Q3 2019 Cryptocurrency Anti-Money Laundering Report - a quarterly report into the cryptocurrency related thefts, scams and other criminal activity.

• Little-Known Crypto Exchange With Ties to a Shanghai Firm Halts Services, Says CEO ‘Missing’ - a likely exit scam involving a missing CEO and frozen cold storage funds.

• Russia’s FSB Linked to $450M Bitcoin Disappearance - an article based on the BBC Russia report into the link between BTC-e exchange and Russia’s FSB services.

• U.S. authorities arrest Ethereum research scientist Virgil Griffith for allegedly assisting North Korea in evading sanctions - reports of an arrest of an Ethereum developer who traveled to North Korea to present at a cryptocurrency conference.

Malware

• Insights from one year of tracking a polymorphic threat - analysis of a complex malware family Dexphot utilizing several stealth and polymorphic techniques.

• Stantinko botnet adds cryptomining to its pool of criminal activities - an interesting sample which obfuscates miner traffic through the use of proxies. Configuration data for the proxies is stored on YouTube.

Research

• Clustering transactions in Bitcoin and other cryptocurrencies - findings from the network-level privacy attacks on Bitcoin and other cryptocurrency networks.

• Debunking the Binance police raids with OSINT - analysis of Shanghai government visits to cryptocurrency companies and how it may have involved Binance.

• Inside Kraken Security Labs: Crypto Domain Hijacking - a domain takeover attack targeting a directory service for PGP keys and bitcoin receiving addresses.

• NSA Backdoors and Bitcoin - a curious case of selecting ECC curves for Bitcoin and dodging an NSA backdoor built into an alternative version used by most of the industry.

Tools

• A beginner’s guide to MythX - introduction to smart contract security assessments using MythX.

• ContractGuard: Defend Ethereum Smart Contracts with Embedded Intrusion Detection - a novel solution to build-in defenses into the smart contract itself.