BlockThreat - Week 1, 2021
yCredit | DeFi Saver | SuperMassive | ElectroRAT
Peter Kacherginsky | Jan 14
Welcome to 2021, the year without DeFi incidents, blockchain reorgs, and exchange hacks. Just kidding. The year has already started with the first batch of DeFi hacks and exploits in the yCredit and DeFi Saver projects. More YouTube giveaway scams and rug pulls followed closely after. On the malware front, this edition features reports of a new crypto stealer and a change in tactics for the cryptojacking campaigns. The BlockSec frontier appears much the same as the previous year. On the brighter side, we have a new blockchain security conference, Unchained, on the horizon and recordings of a number of smart contract security talks from the Hello Security Audit track.
Hacks
On January 1st, 2021 the yCredit Finance minting vulnerability was successfully exploited.
Vulnerabilities
On January 5th, 2020 DeFi Saver urgently moved users’ funds to a new contract after a vulnerability was responsibly disclosed by the Dedaub team.
Scams
A YouTube channel was hijacked to promote a crypto giveaway scam that stole $70K.
A vulnerable PRNG was exploited to cheat at a SuperMassive NFT experiment.
Malware
Crime Laundering Primer: Inside Ryuk Crime (Crypto) Ledger & Risky Asian Crypto Traders explores a long-running ransomware operation which netted the perpetrators more than $150M.
Operation ElectroRAT: Attacker Creates Fake Companies to Drain Your Crypto Wallets
The TeamTNT crypto-mining botnet targets weak Docker and AWS accounts.
Events and Communities
Unchained BlockSec Conference announced. CFP deadline is February 2nd.
ETHGlobal - White Hat Panel: DeFi Exploits, held on January 13th.
Media
The Hello Security Audit conference, held on January 7th, featured a number of excellent talks on smart contract security from folks at Quantstamp, Trail of Bits, ConsenSys Diligence and others.
The Fault Tolerant - Cryptocurrency Threat Models episode offers a unique analysis of threats to and by PoW chains like Bitcoin.
Research
Why we need wide adoption of social recovery wallets by Vitalik Buterin.
Crypto-Hotwire: Illegal Blockchain Mining at Zero Cost Using Public Infrastructures
How to prepare for an interview for a Security Researcher role at OpenZeppelin
Tools
The tx2uml package creates useful Ethereum transaction graphs.
Help support BlockThreat!
Over the past two years, BlockThreat has gained hundreds of followers including exchanges, asset issuers, DeFi projects, engineers, investigators, law enforcement, and many others. This newsletter is a labor of love which takes many hours each week to prepare. If you find BlockThreat valuable, consider supporting its future growth:
1) Make an individual contribution.
2) Sponsor an edition where you can place an advertisement.
3) Share your job postings in the next edition.
4) Share the newsletter with a friend or a colleague.
Thanks for joining me in the first edition of this year! Stay healthy and stay informed.
- Peter Kacherginsky (iphelix)