Welcome to this week’s edition of BlockThreat! For those of you not too busy watching Dogefather on SNL and hopefully not participating in the giveaway scam barrage, I have a fantastic edition for you featuring DeFi hacks, latest scam and malware campaigns, new EVM analysis tools, and a fun new podcast on the QuadrigaCX saga. Enjoy!

Events

• Defcon Blockchain Village CFP is now open. Consider submitting a talk on blockchain security related topics!

Media

• Exit Scam - a podcast series about the death and afterlife of Gerald Cotten (QuadrigaCX CEO)

Scams

• South Korean law enforcement raided V Global exchange offices responsible for scamming $1.5B worth of assets from 40,000 members.

• Elon Musk crypto giveaway scams are on the rise again before his appearance on SNL.

• Ongoing Twitter phishing campaign targets Metamask users to steal seed phrases.

• FBI started adding warning signs on Bitcoin ATM machines to deal with the surge of scams.

• WallStreetBets Forum Members Targeted in Telegram Cryptocurrency Scam which resulted in the loss of $2M worth of Binance Coin.

• Token Sniffer - Scams & Hacks directory lists latest reports of scam coins.

Hacks

• On May 6th, 2021 Value DeFi was hacked after its pool got reinitialized. The attacker drained $10M worth of crypto assets.

• On May 8th, 2021 Value DeFi was hacked again due to invalid use of power() function. Another $11M were stolen.

• On May 8th, 2021 Rari Capital yield-generating strategy in Alpha Finance’s ibETH was exploited which resulted in the theft of 2600 ETH ($10M). The attacker used funds they stole from the earlier Value DeFi hack making this the first cross-chain hack. Perpetrators also issued a mocking on-chain message.

• On May 8th, 2021 Meebit NFT generation logic was exploited to mint a highly valuable NFT worth $700K.

Vulnerabilities

• 0x patched a vote inflation vulnerability after it was responsibly disclosed by samczsun.

Malware

• The Rage of Android Banking Trojans report by Threat Fabric notes an increase in crypto stealing malware targeting popular Android mobile apps from Coinbase, Binance, Blockchain.com, and others.

• Panda Stealer malware report by TrendMicro documents a new wallet stealer propagated through spam emails.

Research

• Tracking One Year of Malicious Tor Exit Relay Activities (Part II) is a follow up to the last year’s article which first identified malicious actors intercepting cryptocurrency-related web traffic on Tor. In this edition, nusenu identifies a likely actor behind 1000s of malicious exit nodes intercepting traffic to cryptocurrency mixers.

• Targeting the Weakest Link: Social Engineering Attacks in Ethereum Smart Contracts explores new attack vectors using specially crafted addresses and homographs.

• DeFi Risk Tools & Resources is a great resource for various blockchain security projects, tools, risk scoring metrics, insurance providers, and other related subjects.

• How To Spot a Potential RUG — Clear signs something is sketchyis a nice deep dive into Phoinikas Finance contract and social media profiles.

Tools

• FuzzyVM - a guided differential fuzzing framework for EVM.

• Ethereum Toolkit (ETK) - a collection of tools for creating and analyzing EVM smart contracts. The toolkit includes assembler and disassembler tools.

• Palkeo Arbitrary Transaction View - a tool to simulate arbitrary EVM transactions.

Help support BlockThreat!

1) Make an individual contribution.
2) Sponsor an edition where you can place an advertisement.
3) Share your job postings in the next edition.
4) Share the newsletter with a friend or a colleague.

Stay informed, stay healthy, and see you in the next week’s edition!

- Peter Kacherginsky (iphelix)

Not a week goes by without another record compromise of DeFi platforms. This week Uranium Finance and Spartan Protocol got exploited to the tune of $51M and $30M respectively. Hotbit exchange shut down its operations after attackers penetrated its internal systems. In other news, IRS has been increasingly effective at hunting down criminals using both on-chain and more traditional resources after it identified and arrested Bitcoin Fog’s operator.

News

• Feds Arrest an Alleged $336M Bitcoin-Laundering Kingpin. Roman Sterlingov was charged with operating Bitcoin Fog mixer popular with darknet forums since 2011. The perpetrator was identified through a transaction on a Liberty Reserve exchange seized by US DOJ in 2013.

• The IRS Wants Help Hacking Cryptocurrency Hardware Wallets to help it investigate fraud and recover forfeited funds. This is yet another call by IRS to help with its Operation Hidden Treasure.

Hacks

• On April 27, 2021 Uranium Finance account balance calculation error was exploited which resulted in the theft of $51M. Interestingly, the team was about to push a fix before the contract was exploited leading to a suspicion of internal leak. This marks the second time Uranium Finance got exploited this month.

• On April 29, 2021 Hotbit cryptocurrency exchange was compromised resulting in the theft of customer PII including customer email addresses, phone numbers, encrypted passwords and 2FA keys. According to Hotbit, no customer funds were affected.

• On May 2, 2021 Spartan Protocol’s liquidity share calculation flaw was exploited which resulted in the theft of $30M. The BSC smart contract was previously audited by CertiK.

Vulnerabilities

• Tokenlon team patched a critical vulnerability which could have resulted in funds theft. The vulnerability was disclosed by samczsun who also helped the team to secure the funds using Taichi Network to prevent front-running.

• Prysmatic Labs Team published a detailed post-mortem report for the incident causing ETH2 clients to stop producing blocks.

Malware

• Unit 42 report on WeSteal cryptocurrency stealer documents malware capabilities and the malware as a service scheme by its creators.

• Microsoft built-in cryptojacking malware detection into its Microsoft Defender product.

Research

• How to Beat an Ethereum Sweeper Script and Recover Your Assets by Harry Denley is an excellent resource on the sweeper scams plaguing Telegram and how to combat them using Flashbots, private mining pools, and self-destructing contracts.

• Combating Ransomware report by Ransomware Task Force (RTF) outlines a comprehensive set of actions to combat ransomware. It includes detailed threat actor profiles, ransomware payment flows, and other interesting topics such as cyber insurance.

• Vulnerabilities and Open Issues of Smart Contracts: A Systematic Mapping is a nice survey of available literature on the topic in the title.

• Ethereum Uncle Bandit Strikes Again is another fun MEV fight writeup between sandwich and sniper bots by Robert Miller.

Help support BlockThreat!

1) Make an individual contribution.
2) Sponsor an edition where you can place an advertisement.
3) Share your job postings in the next edition.
4) Share the newsletter with a friend or a colleague.

Thanks for joining me this week in Blockchain Threat Intelligence!

- Peter Kacherginsky (iphelix)

Something is afoot in Turkey with two crypto exchanges shutting down with one of the founders on the run. Another DeFi founder’s computer was hacked leading to a massive $60M theft. This week’s edition features lot’s of amazing write-ups on responsibly disclosed vulnerabilities and research papers. In other news, Faketoshi’s funds were apparently stolen after he got hacked by a Pineapple.

News

• CEO of Turkish exchange Thodex flees the country with $2B in customer funds. The same week Turkish authorities detained several Vebitcoin employees on fraud charges shortly after the exchange seized its operations. Both incidents follow Turkey’s ban on crypto payments a week prior.

• US Marshals Service signed a $4.5M contract with BitGo to store forfeited crypto. This may be related to a recent $1B seized in stolen Silk Road funds.

• Seven USDC wallet addresses were blacklisted. Remember that many smart contracts including USDC, USDT, PAX include asset freezing functionality.

• The Incredible Rise of North Korea’s Hacking Army by Ed Caesar (The New Yorker) is an incredible read about Lazarus group’s may criminal enterprises including cryptocurrency exchange heists and ransomware attacks.

• How the Kremlin provides a safe harbor for ransomware by Frank Bajak (AP News) links Russian security services with Evil Corp and other ransomware groups.

Events

• Blockchain Hackers V - DeFi Security meetup in Dubai on April 28th.

Scams

• New NFT scam called sleepminting tricks users into purchasing unauthorized copies of legitimate NFTs on popular marketplaces.

• SafeMoon likely going to exit scam after half of its liquidity got locked.

Hacks

• On April 19th, 2021 EasiFi’s founder’s computer was compromised resulting in the theft of contract private keys to drain about $60M worth of stablecoins and EASY tokens. While the post-mortem implies a highly targeted attack on the founder, it is concerning that a single private key stored in Metamask had so much access to both assets and smart contracts.

Vulnerabilities

• Ambisafe EToken2 platform vulnerability which could allow backdooring new users’ accounts was patched after a responsible disclosure by samczsun. The vulnerability affected SOLVE, RFR, UBT, CHSB, and other tokens using the EToken2 implementation. Check out the awesome bug hunting writeup!

• A vulnerable user on Primitive Finance was helped to lock down their funds after the threat was responsibly disclosed by Amber Group developers.

• Pancake V2 integer rounding vulnerability was patched after responsibly disclosed by Nipun from Alpha Finance.

• Maker patched multiple bugs in emergency shutdown and end modules.

• Prysmatic Labs patched a bug which stopped nodes from producing blocks for 2 hours with a total reward opportunity cost of 15 ETH.

• OpenEthereum Berlin consensus bug post-mortem exposes gaps in current fuzzing and testing frameworks used in the project.

Malware

• Reports of Prometei botnet targeting vulnerable Microsoft Exchange servers to install mining software.

Competitions

• DEX challenge by Patrick Collins was added to the Ethernaut Wargame.

Research

• Crypto-Asset Exchange Security Guidelines by CSA has several nice threat models useful for both exchange operators and users.

• Smart Contract Security for Pentesters by iosiro is an introductory text on attack vectors and sources of bugs in smart contracts aimed at traditional application security professionals.

• MEV and coordination by Samuel Shadrach explores main actors and their incentives to coordinate in transaction ordering.

• TSGN: Transaction Subgraph Networks for Identifying Ethereum Phishing Accounts.

• SAILFISH: Vetting Smart Contract State-Inconsistency Bugs in Seconds.

• Ponzi Scheme Detection in Ethereum Transaction Network.

• A Tractable Probabilistic Approach to Analyze Sybil Attacks in Sharding-Based Blockchain Protocols.

• Bitcoin Address Clustering Method Based on Multiple Heuristic Conditions.

Help support BlockThreat!

Over the past two years, BlockThreat has gained hundreds of followers including exchanges, asset issuers, DeFi projects, engineers, investigators, law enforcement, and many others. This newsletter is a labor of love which takes many hours weekly to prepare. If you found BlockThreat valuable consider supporting its future growth:

1) Make an individual contribution.
2) Sponsor an edition where you can place an advertisement.
3) Share your job postings in the next edition.
4) Share the newsletter with a friend or a colleague.

Thanks for joining me in another week of blockchain security, the industry that never stops to amaze me. See you all next week!

- Peter Kacherginsky (iphelix)

MEV is the word of the day and I dedicated a whole section of the newsletter for you to catch up on the latest events in the Dark Forest. In other news there was a lot of regulatory activity with new sanctions and analysis published below. Stand-alone blockchains have been having increased number of consensus bugs with Stellar, OpenEthereum, and Tendermint issuing patches. Only the latter did so preemptively thus avoiding a major incident.

As a reminder, the OpenBlockSec Incidents repository is growing every day now with a complete coverage of incidents and post-mortems from past years. Check out this busy year in early exchange history. Does it remind you of the DeFi space today?

News

• Janet Yellen, Bitcoin And Crypto Fearmongers Get Pushback From Former CIA Director after he published An Analysis of Bitcoin’s Use in Illicit Finance in response to the Janet Yellen’s warning earlier this year.

• Biden calls out crypto's use in sanctions evasion in executive order response to Russian cyberattacks. The complete sanctions list includes a number of BTC, BCH, ETH, LTC, ZEC, DASH, and other addresses.

• U.S. Regulator’s Crypto Conundrum Hurts Ransomware Victims explores how some regulations make it actually harder to catch criminals.

• Hackers move $760 million from the 2016 Bitfinex hack.

• Chinese police arrest EOS gambling dApp team, seize $3.8 million in crypto following the series of recent crackdowns.

Scams

• NFT Scams Part 2: Typosquatting Attacks targeting NFT marketplace users discusses a surge of fake domains.

• NFT Scams Part 1: 5 NFT Scams you need to know enumerates both generic and NFT specific schemes.

Hacks

• On April 14th, 2021 Celsius Network reported a breach of its 3rd party email distribution system which resulted in a number of phishing emails sent to its customers.

Vulnerabilities

• Tendermint issued a patch to defend against a new security risk called Forward Lunatic Attack tricking light clients into accepting bad blocks.

• OpenEthereum patched a consensus flaw which halted its Ethereum nodes after the Berlin fork.

• Stellar fixed a flaw which caused a network halt after core Horizon and Lobstr nodes dropped offline.

Malware

• HackBoss malware poses as hacker tools on Telegram to steal digital coins.

Media

• How (Not) To Get REKT - DeFi Hacks Explained by Finematics and Rekt

Research

• An Analysis of Bitcoin’s Use in Illicit Finance by Michael Morell.

• Using discreet log contracts to attack Bitcoin forks.

• EtherClue: Digital investigation of attacks on Ethereum smart contracts.

• Ethereum Name Service: the Good, the Bad, and the Ugly.

MEV

• Rapid Rise of MEV in Ethereum by Harith Kamarul

• Flashbots Transparency Report — March 2021 by thegostep provides latest stats on the Ethereum dark forest.

• MEV …wat do? by Philip Daian explores the use of MEVs for economic security of chains.

• Frontrunning Synthetix: a history is an account of a cat and mouse game played by frontrunners and Synthetix devs.

• A novel MEV instance targeting sandwich bots by Robert Miller.

• Five theses about transaction ordering, MEV, and front-running by Ed Felten.

Help support BlockThreat!

Over the past two years, BlockThreat has gained hundreds of followers including exchanges, asset issuers, DeFi projects, engineers, investigators, law enforcement, and many others. This newsletter is a labor of love which takes many hours weekly to prepare. If you found BlockThreat valuable consider supporting its future growth:

1) Make an individual contribution.
2) Sponsor an edition where you can place an advertisement.
3) Share your job postings in the next edition.
4) Share the newsletter with a friend or a colleague.

Stay informed and see you in the next week’s edition!

- Peter Kacherginsky (iphelix)

Welcome to this week’s edition of Blockchain Threat Intelligence. BSC (Binance Smart Chain) had multiple DeFi applications hacked, a critical bug in Fei was responsibly disclosed, rumors of Paxful exployee PII getting leaked, and more in the never ending stream of blockchain security news.

News

• Ransomware tops U.S. cyber priorities, Homeland secretary says.

• Additional details revealed about Lazarus Group extortion tactics after the Bithumb compromise.

Media

• Silk Road (2021) is yet another crypto-thriller based on the true stories of the Dread Pirate Roberts and a corrupt DEA agent set out to hunt him down. I enjoyed film’s morally ambiguous stance on both DPR and DEA agent’s actions. Silk Road takes a few liberties with the plot line, but mostly sticks to the real world events including the infamous San Francisco library bust.

Hacks

• On April 4th, 2021 Polkatrain on BSC rebate mechanism was exploited which resulted in the loss of $3M (57K DOT).

• On April 7th, 2021 Uranium Finance on BSC logic bug was exploited which resulted in the theft of $1.5M worth of RADS. According to the post-mortem, the Uranium team was able to persuade the attacker to return $1M by linking their identity to a Binance account.

• Rumors of Paxful employee PII leak after a post was made on Raidforums.

Vulnerabilities

• A vulnerability in Fei reward logic was responsibly disclosed by 0xRevert using the Immunefi bug bounty.

• Reports of BitClout collecting users’ private keys on each API request by James Prestwich. Anyone with access to raw data or server logs may be able to steal assets linked to the keys.

• ABI deserialization vulnerability was discovered in Solidity compiler by the Certora team.

Malware

• Github Actions are abused to mine Monero.

Research

• Sandwich bot exploit/honeypot analysis by Robert Miller.

• Paradigm CTF 2021 Swap Challenge guided walkthrough by samczsun.

• Double Spend Proofs: Protocol Improvements and Providing End-User Guidance explores zero-conf transactions on BCH network.

• A Formal Analysis of the MimbleWimble Cryptocurrency Protocol.

Help support BlockThreat!

Over the past two years, BlockThreat has gained hundreds of followers including exchanges, asset issuers, DeFi projects, engineers, investigators, law enforcement, and many others. This newsletter is a labor of love which takes many hours weekly to prepare. If you found BlockThreat valuable consider supporting its future growth:

1) Make an individual contribution.
2) Sponsor an edition where you can place an advertisement.
3) Share your job postings in the next edition.
4) Share the newsletter with a friend or a colleague.

Stay informed and see you in the next week’s edition!

- Peter Kacherginsky (iphelix)