This week BBC dropped a bomb with its investigative report linking known bad actors BTC-e (involved in 2016 election fraud) and Wex exchanges with Russian FSB service. A buffer overflow vulnerability was patched in Bitcoin node software, Ethereum opcode cost instability raises reentrancy concerns, and a dump of SFBW ‘19 videos are all featured in this week of blockchain threat intelligence.

Crime

• Russia’s FSB Linked to $450M Bitcoin Disappearance - a fascinating article on the history of BTC-e and Wex exchanges, their takedown by FBI, arrests of their administrators, and how $450 million worth of cryptocurrencies from these exchanges ended up in the hands of FSB. The article is based on the original investigative report by BBC Russia.

• Thieves targeted crypto execs and threatened their families in wide-ranging scheme, says DOJ - indictments against two individuals using technical (SIM-swapping) and non-technical harassment to steam or attempt to steal $550,000 in cryptocurrency.

• Hackers demand $5 million from Mexico's Pemex in cyberattack - a 565 BTC ($5 million) ransom was posted after company’s computers were infected with DoppelPaymer malware.

Research

• The Middleman Is Dead, Long Live the Middleman: The “Trust Factor” and the Psycho-Social Implications of Blockchain - a paper on trust in decentralized blockchain systems.

• Reentrancy After Istanbul - a research article on the effects of opcode repricing may have contracts where Gas increases may allow for successful reentrancy attacks in the fallback function.

• Securing Lightning Nodes - a great overview of possible attacks on the Lightning nodes and how to protect yourself against them.

Vulnerabilities

• [bitcoin-dev] CVE-2017-18350 disclosure - a buffer overflow vulnerability in SOCKS5 protocol handling in the Bitcoin Core node software.

Media

• SFBW 2019 Videos - videos from San Francisco Blockchain Week were posted including a number of blockchain security talks such as TxProbe Discovering Bitcoin’s Network Topology.

Did you enjoy this week’s edition? Have blockchain security related news to share or just a suggestion? Great, drop a line to iphelix [at] blockthreat.net. Thanks!

Protect Your Crypto

Buy a hardware wallet:

• Trezor Model T

• Ledger Nano

• KeepKey

Moving our way to up Week 45, this week features an excellent radio show by BBC on the OneCoin scam, mining hardware heist in Iceland, and an excellent research article on Proof of Work security.

Crime

• The Missing Cryptoqueen - an 8 episode BBC podcast series investigating OneCoin scam making anywhere between $4 billion.

• The Big Bitcoin Heist - a fascinating expose on a heist to steal cryptocurrency mining hardware from a facility in Iceland.

• N.Korea Laundered Money Through Blockchain Firm in Hong Kong - a report on a North Korean operation to launder stolen cryptocurrencies through a specially set up entity in Hong Kong.

• Columbus man pleads guilty in ‘dark web’ drug scheme - a guilty plea from one of the top vendors on the infamous Silk Road market.

Research

• How Coinbase views proof of work security - an insightful analysis of Proof of Work security and how it is affected by availability of ASIC miners.

Protect Your Crypto

Buy a hardware wallet:

• Trezor Model T

• Ledger Nano

• KeepKey

Continuing in the catch up mode, Week 44 features yet another ransomware attack against a major city, BitMEX mass email leak, LiteCoin getting dangerously close to being a target of a 51% attack, Devcon 5 videos and slides release.

Crime

• City of Johannesburg, on Second Hit, Refuses to Pay Ransom - an unusual attack where attackers demanded 4BTC for releasing control of a compromised network as opposed to keys to encrypted files.

Vulnerabilities

• BitMEX Email Leak - an incident report on the massive email address leak affecting BitMEX users. The report identifies an engineering lapse where a SendGrid API call batched sent addresses into a single TO: field which exposed addresses to all other recipients. The report also identifies that exchange’s Twitter account was also briefly compromised. Following the exposure, there were reports on hacking groups starting to target BitMEX users using leaked emails.

• Litecoin Hashrate Falls More Than 50% Since Peak: Dark ASICs Make it Vulnerable to Attack - a significant drop in Litecoin’s hashrate increases a risk and incentives for miners to perform a 51% attack.

Malware

• BlueKeep exploitation activity seen in the wild - a detailed report of mass exploitation of the Windows RDP vulnerability caught on a honeypot. The current payload is a Monero miner.

Research

• Vyper Preliminary Security Review - an analysis of the Vyper smart contract language identifies several interesting vulnerabilities.

Media

• Devcon 5 Videos and Slides - a number of excellent blockchain security related talk recordings were released today including:
  - Live Smart Contract Hacking
  - Ethereum 2.0 Security Considerations
  - Chainalysis: Building Trust in the Ethereum Blockchain
  - Privacy for Everyone
  - Mastering Ethereum CTFs
  - Breaking Smart Contracts

Protect Your Crypto

Buy a hardware wallet:

• Trezor Model T

• Ledger Nano

• KeepKey

Catching up on the Week 43 in Blockchain Threat Intelligence, this newsletter features updates on the Crypto Capital saga and its involvement with drug cartel money laundering, side-channel attacks on the privacy coins, and awesome research articles on FumbleChain wargame, eclipse attack against Ethereum, and others.

Crime

• Crypto Capital Official Nabbed in Money Laundering Probe - arrest and extradition of Ivan Manuel Molina Lee to Poland to face money laundering charges for a Columbian drug cartel. Bitfinex issued a statement about its involvement as only a victim of a fraud. The arrest continues the saga of the missing $850 million from the Tether fund controlled by Crypto Capital.

• Russian man sent to prison for mining bitcoin at top secret facility that made nuclear bombs - sentencing of a Russian scientist for mining bitcoin at Sarov lab on recently installed supercomputer.

Vulnerabilities

• Linking Anonymous Transactions via Remote Side-Channel Attacks - report on a patched side-channel attack targeting Zcash and Monero networks which can be used to deanonymize transactions, obtain IP addresses of machines with running wallets, cluster addresses to the same wallet.

• Forking Cheeze Wizards Smart Contracts, All Funds (and Wizards!) are Secure - an interesting “dead ringer” vulnerability and writeup in the Cheeze Wizards smart contract.

Research

• Blockchain Penetration Testing - Hacking the Vulnerable FumbleChain - an awesome writeup of solving the FumbleChain wargame.

• Eclipsing Ethereum Peers with False Friends - a research article exploiting Geth’s peer discovery mechanism to perform an eclipse attack.

• Smart Contract Attack Vectors - a repository of known smart contract attacks and vulnerabilities.

• OpenZeppelin Blockchains Study Group - an awesome project to document various blockchain security core topics such as a list of vulnerabilities in node software, classification of consensus mechanisms, common blockchain-specific attacks, and other related topics.

• Responding to 51% attacks in Casper FFG - the article discusses finality-reversion attack and how the upcoming PoS consensus mechanism will defend against it.

Protect Your Crypto

Buy a hardware wallet:

• Trezor Model T

• Ledger Nano

• KeepKey

This week we have observed an uptick in backdoored wallet and other software designed to steal users’ cryptocurrency assets. Other news include a fascinating deep dive into DOJ investigation into a child pornography ring, disappointing details into the Algo Capital hack, and lot’s of indicators for mining malware. Also don’t forget to subscribe to Bellingcat’s new CryptOsint Newsletter!

Crime

• Polish Police Arrest Head of Payment Processor Tied to Bitfinex Crypto Exchange - the latest news in the Crypto Capital saga with the president of the company now in custody.

• Chainalysis in Action: DOJ Announces Shutdown of Largest Child Pornography Website - details of the shutdown of the “Welcome to Video” child pornography website based in South Korea and using Bitcoin to track down its users.

Hacks

• Statement from Algo Capital on the recent security breach - additional details on the recent hack. It appears that attacker’s were able to gain access to CTO’s mobile phone which stored Trezor wallet seeds for Algo, USDT, and BTC funds.

Media

• Bellingcat CryptOsint Newsletter - a news round-up dedicated to covering open source intelligence on cryptocurrency topics.

• Unconfirmed - How Bitcoin Led to the Demise of the Largest Child Porn Site - an awesome episode with details on the IRS operation to shut down the largest child porn site and the use of tools like Chainalysis to assist in the investigation.

Malware

• Hiding Beneath the WAV - a report by Cylance describes a crypto miner campaign using steganography to hide XMRig miner and Metasploit payloads in WAV files. The loader is related to Waterbug/Turla campaign previously reported by Symantec.

• Graboid: First-Ever Cryptojacking Worm Found in Images on Docker Hub - a new cryptomining worm which spreads using unsecured Docker daemons. The worm installs a malicious docker image which includes scripts to mine Monero.
  
  Indicators:
  120.27.32[.]15
  103.248.164[.]38
  101.161.223[.]254
  61.18.240[.]160
  182.16.102[.]97
  47.111.96[.]197
  106.53.85[.]204
  116.62.48[.]5
  114.67.68[.]52
  118.24.222[.]18
  106.13.127[.]6
  129.211.98[.]236
  101.37.245[.]200
  106.75.96[.]126
  47.107.191[.]137

• Fleecing the onion: Darknet shoppers swindled out of bitcoins via trojanized Tor Browser - a trojanized version of Tor Browser was used to spy on users and steal their bitcoins. The campaign targeted Russian speaking darknet market users.
  
  Indicators:
  
  URLs:
  torproect[.]org
  tor-browser[.]org
  onion4fh3ko2ncex[.]onion
  
  Bitcoin Addresses:
  3338V5E5DUetyfhTyCRPZLB5eASVdkEqQQ
  3CEtinamJCciqSEgSLNoPpywWjviihYqrw
  1FUPnTZNBmTJrSTvJFweJvUKxRVcaMG8oS

• In the Footsteps of a Sextortion Campaign - details of the Phorpiex malware spam campaign. The spam emails were unique by including victim’s leaked online passwords and demanding ransom in bitcoin for keeping webcam recordings private. The campaign may be related to another Save Yourself blackmail/cryptominer campaign reporter earlier.
  
  Indicators:
  
  Bitcoin Addresses
  1Eim8U3kPgkTRNSFKN49jgz9Wv4A1qmcjR
  1LwPAckT7ettEpLEuAU2dBXbqqSd9SrLAD
  1D1nXbBdPmCpy9rPRdtaXjA5ftGzYPPw51
  1LZStbAiQYiBGUTEH8mbTYu8pbvmrDprZQ
  1FLREuhB3U56yJBTTsj6zzEXjNf4BTzeZr
  1QBfCvZUuA3fbXX9bHeeTpqzkYgikvhtXR
  1F73edsje5GbjqybTgKAesWfihvp4Q59Eq
  13HffyTVP8qcYzd5tga4Bc6rCGETNbbZuD
  1MnUgqSkToq3j7ozwjSh54m1WxWZ3Xqym6
  12EMaHiZG75ztkjUjuPZhQDcyW89qRJVuR
  15WGVWt16CzuK3opvJHg6i1XSstbXGEPcZ
  1PC3q4JgAJvHcpsT2LqwoqVN2ckzAVQoxf
  1Nq84HeDmd2JGyRtjqh32QRG4zoSrp8bdL
  16JApT2K6Z9AirkMeBSWyhwuJ8dCfRhY9U
  1GTzcCBW79F3BtBdN9jx7hqNq65ebbt1Wm
  19naMJAmQq6b9XJaSaWpw2MTBBVeW355Ro
  1HB3KtKoguFuZ4BdmCv9Fc4tYTwDQgmqmW
  1PzrJSAhZSiYK93qLZnKsRzQzS49j5Ugzc
  1BpwthndBC2aDHiztoMtMBnq7ejmNkHnSV
  1CSDpCjyVHsuTb6i7zZ8dr81iUGL5ff7vM
  1Lmb3V8PbqTtGmFawu41k9hSXZgJn4G2pS
  1MX8BUf7R4rE7xLoaVMyiceX8DE8D3aFQg
  1KDnUbAHkxb57RYjJufdmjYF9F4vFWjm5m
  1BdMo6PKJCR9S6FzLDtE4ChszHdrJdbWJ7
  12ZyXPMJBAFCfpyYTYo8V6QcG653Lcs9oj
  154J36DXD2wA512cJRdAJsr1KcKynbVtpM
  15xdJ5nhwQCTFGs9AqciPGxgf62hGdWog7
  15w8KYwC76vDRiSZD2LK6dEbHvs7N38mh6
  1GLJa8dMq9XBaiMhXNJSQjVoNzh2xRanzD
  15dut9dbaZbSKZq27tyuLkjhCEiRaewvvh
  14VYd5JrPrrXD1qiMxZ5An2VsU5db5ZqS7
  1PTNbkmQckDTjbhCMtfa5zqY992ZNZ8biG
  17v35QnAre7Vd2T74SD9xhEGJVwYfTPDhN
  1HwJeZ5uyNJ6Peq8x1wixKVnurY1yURK8P
  1Mh8T6eVbP8zCRPzUqbb7b9PiW6Wv3mRPY
  1LfYcbCsssB2niF3VWRBTVZFExzsweyPGQ
  1PcZSbbc4u4juK64mpFSWwcR9hESPboRH8
  1AEb2hcPpxDs89AJojyySyiZdW4vdEumZN
  17jHsGecV53ro2LGzo53s5trTH6Qf3gksS
  18jZzWe4Wv4mUNm93rjeWJscqPdhecwsAY
  1CEi7Py9hNgMwqPMiCphFuF6SF263v7Yqj
  1AiBJcWZYQrz5Z9S9X7nYNueznU7iU5V5h
  1EwCEJr5JwpafZx11dcXDtX5QSPJvzth17
  1HctxwLwjEFCacTPi83me927UBs7aTJ7LF
  14AuMKdDV5s6xmGa13xw6F9hc1CwntkcfT
  14poC1Jg97vuvsyoKSZYz7h276LoAZcrtn
  1NpjBxiLhQQ5VVyDMrxESoA5HoHLLQXABa
  12KkDhdBX2zNv24D7SgBBrEBme7eNddvUj
  1JrdZLfH6j9KP2GjCJc7PhxwrrYKGYoSEi
  1Fjg3Q89MawTyfNcMbX6MUnfT923icRuMy
  1L9H1CtLsDCTtuvdE9hqpm9BD72jYBtvDF
  1PuxZLDEz2as13NKcTzC2BGadF2g2zhdfo
  1DZNohaDckSxJu6YxfeGkqCtxDAhtFP3Jq
  19razyqXme4evPi2wS9Zf8kor3VaYG8dTN
  1CWHmuF8dHt7HBGx5RKKLgg9QA2GmE3UyL
  1FqAEDNBFFjBZuVzk7V94tKgGwhVa8qABt
  1BXavFhbxCpno2dFpS4BU4NvEJjjqCN8Kd
  1164VJYmR8nP8z1NSPHqQreVWCMq2QdqUJ

• SAFU Wallet is Malicious, Binance Warns Community Members - a malicious chrome extension designed to steal cryptocurrency wallet private keys and passwords.
  
  Indicators:
  Attacker’s address: bnb168zhf9n3ve4mj35sgmtrvz54uyzc9r3e3xrder

• Backdoored ZecWallet - there is a malicious version of the ZCash wallet software floating around according to the PSA by the Electric Coin Company.

That’s all for this week in blockchain threat intelligence. Stay safe and see you all next week!

Protect Your Crypto

Buy a hardware wallet:

• Trezor Model T

• Ledger Nano

• KeepKey