Welcome to the special edition of the Blockchain Threat Intelligence newsletter where we will explore blockchain security incidents and events from the year 2020. In case you have never heard of Blockchain Security, or just blocksec, it is a new security field with the mission of securing and defending the cryptocurrency ecosystem. It encompasses security of blockchain protocols, consensus mechanisms, smart contracts, key storage, exchange security practices, blockchain investigations, and other related topics.
The Good, the Bad and the Ugly
The current state of the blockchain industry resembles the California Gold Rush of mid-19th-century America. There is a similar rush of folks venturing into the unknown frontier of cryptocurrency trading and DeFi investing, often leaving their livelihoods and previous jobs behind. My hometown, San Francisco, has plenty of reminders of that era, such as signs of abandoned and buried ships left by crews eager to try their luck at striking it rich with gold.
Unfortunately, that same spirit attracted not only the hard working folks, but also criminals, scammers, and other miscreants. But not all is bad in this new frontier. Just like in the old west, new blockchain security companies and whitehat hackers are joining the fight to bring law and order to the new and vulnerable industry.
In this edition of the newsletter, I will expose the bad, celebrate the good, and explore the evolving battlefield which is the Blockchain Security.
But first a quick note from friends and sponsors at Immunefi:
Last year more than $200M were stolen in DeFi incidents. Immunefi protects you against smart contract hacks by helping create, run, and promote best practice bug bounty programs. Immunefi has the world’s biggest bug bounties, with $5m in smart contract bounties available now.
If you run a smart contract or Defi application, go to https://immunefi.com/services/ and see how Immunefi can help protect your application today.
The year 2020 was filled with almost weekly news of DeFi exploits, occasional exchange and blockchain hacks, and user account compromises, with a total monetary loss of around $500M. This amount quickly explodes into billions when considering damage caused by various Ponzi schemes, ransomware and cryptojacking malware; however, these will be considered out of scope for this section as there is great coverage elsewhere. Instead, I will focus on incidents unique to blocksec as opposed to criminals simply using cryptocurrencies in more traditional schemes.
Let’s begin our review of “the bad” by looking at the breakdown of various incident categories and the amount of monetary damage that they’ve caused:
If you needed any further evidence of just how popular DeFi applications got relative to their centralized counterparts, then looking at the total funds stolen last year should give you a pretty solid signal. Unfortunately, this popularity was coupled with massive hacks which I will cover in detail. Blockchain protocol incidents such as 51% attacks are still present; however, they are dwarfed by the higher level smart contract incidents. Monetary loss caused by vulnerabilities in node and wallet software is even smaller in comparison; however, I will discuss why this may change in the future. And with that, let’s dive into our first category, which for years remained a persistent target for attackers:
Exchange and other Crypto Business Incidents
Just as in the past years, cryptocurrency business hacks continue to dominate the total monetary loss especially as the market continues to grow. In 2020 about $300M were stolen across 21 incidents mostly from exchanges. This is an increase from $175M stolen in 11 incidents in 2019.
Of all exchange-related hacks, the massive KuCoin attack dwarfs all others with its $281M theft. Interestingly, the exchange claims it has recovered 84% of the lost assets by working with token issuers. Many smart contracts include centralized features which allow superuser accounts to blacklist attacker accounts or burn/confiscate stolen funds. Alternatively, token issuers may be able to redeploy their smart contracts with stolen funds removed from account snapshots. KuCoin was able to convince many projects to take these recovery actions, a precedent which is likely to repeat in future exchange incidents.
Another pattern emerged in 2020 where attackers are not necessarily interested in just stealing funds. In the cases of BlockFi, Coincheck, Coinsquare, Liquid Exchange, and Poloniex, obtaining PII (Personally Identifiable Information) was just as useful or at the very least a good enough reward. Stolen data was likely used to facilitate more direct user attacks such as phishing and SIM swapping.
Below is a complete list of exchange and other cryptocurrency business incidents:
January 1, 2020 - Poloniex resets passwords after accounts got leaked.
February 5, 2020 - Altsbit exchange hacked by Lulzsec with $70K stolen. 💀
February 17, 2020 - VBITEX exchange hacked. 💀
April 7, 2020 - Bisq exchange P2P protocol exploited. $250K stolen.
April 14, 2020 - BlockFi exchange suffered data breach. PII stolen.
May 31, 2020 - Coincheck DNS compromised. PII stolen.
June 2, 2020 - Coinsquare customer PII stolen by a former employee.
July 10, 2020 - Cashaa $3.2M stolen after employee got infected with malware.
July 31, 2020 - 2gether exchange lost $1.3M after a hot wallet hack.
August 21, 2020 - Shapeshift insider stole $1M.
September 9, 2020 - Eterbase lost $5.4M after a hot wallet hack.
September 25, 2020 - KuCoin lost $281M after a hot wallet hack.
October 26, 2020 - EtherCash cold wallet compromised. $2.5M stolen.
November 13, 2020 - Liquid Exchange DNS compromised. PII stolen.
November 18, 2020 - NiceHash’s DNS hacked causing DoS.
November 26, 2020 - Bancar hacked. $1.9M stolen.
December 9, 2020 - Multiple cryptocurrency companies under DDoS attacks.
December 21, 2020 - EXMO hacked. $10.5M stolen.
December 23, 2020 - LiveCoin hacked. $2.4M stolen. 💀
December 23, 2020 - Altilly hacked. $1M stolen. 💀
December 28, 2020 - Voyager Digital DNS hacked.
Timing of the hacks continues to show careful planning and sophistication, with four different exchanges hit within days of each other. These attacks also coincided with the winter holidays, when many engineers were on vacation.
Post-mortem reports indicate that many of the hacks could have been easily avoided. For example, BlockFi’s employee was SIM swapped and Cashaa’s employee was infected with malware on an unmanaged personal laptop that was used for work. Other businesses such as Ledger failed to fully communicate the impact of a compromise resulting in an unexpected surge of phishing attacks.
There are still no industry-wide standards or regulations to guide and require exchanges to follow minimum secure practices such as PCI. Unfortunately, this led to cryptocurrency businesses having a wide range of security controls which may not always be sufficient.
DeFi and Smart Contract Incidents
Next in our list of incidents with the highest monetary impact is DeFi with a seemingly endless stream of hacks. The year 2020 had an unprecedented growth in both the number of DeFi projects and the value locked in them. Consumers rushed to take advantage of new ways to earn profits. Attackers soon followed with new classes of smart contract exploits involving flash loans, arbitrage, oracles, and others. Complex interactions between DeFi components have exposed vulnerabilities never expected by developers or sometimes audit firms reviewing them.
When the dust settled in 2020, about $230M+ were stolen across 60 incidents. Some projects like bZx were repeatedly hacked with ever increasing amounts, reaching about $9M of total stolen assets in 2020. It was staggering to watch not only the amounts involved but the sheer frequency with which these hacks happened. For example, in the single month of November, $76M worth of tokens were stolen, with hacks reported almost every other day:
Below is a list of DeFi incidents which resulted in a monetary loss:
February 12, 2020 - MakerDAO mass liquidation event. $8.3M liquidated.
February 15, 2020 - bZx relieved of $350K.
February 17, 2020 - bZx hacked again with $630K stolen.
April 18, 2020 - Uniswap imBTC LP drained of $300K.
April 19, 2020 - dForce Lendf.Me reentrancy exploit resulted in $25M theft.
April 25, 2020 - Etheroll exploited using chain forks with $33K stolen.
May 21, 2020 - Hegic Options was arbitraged out of $3K.
June 28, 2020 - Balancer exploited using deflationary tokens for $500K.
June 30, 2020 - Vether design flaw exploited for $900K.
July 29, 2020 - Ledger customer database hacked. 272K customer PII stolen.
August 4, 2020 - OPYN was double spent for $371K.
September 3, 2020 - SYFI rebase mechanism exploited for $280K.
September 13, 2020 - bZx money printing bug resulted in $8.1M loss.
September 20, 2020 - Soda Finance exploited for $160K.
September 28, 2020 - Eminence Finance exploited for $15M.
October 25, 2020 - Harvest Finance exploited for $24M.
November 7, 2020 - BSV Multi-sig implementation exploited with $90k stolen.
November 12, 2020 - Akropolis reentrancy bug was used to steal $2M.
November 14, 2020 - Value DeFi hacked for $7.4M.
November 16, 2020 - Origin Protocol reentrancy bug exploited for $7.7M.
November 17, 2020 - 88mph money printing bug hacked for $100K.
November 21, 2020 - Pickle Finance was relieved of $19.7M.
November 29, 2020 - SushiSwap “accidentally” exploited for $15K.
December 17, 2020 - Warp Finance oracle weakness exploited for $7.8M.
December 28, 2020 - Cover Protocol minting bug exploited for $9.4M.
On the more optimistic side, only half of the total incidents involved monetary loss. The other half were asset issuers scrambling to shut down, upgrade, or in multiple cases hack themselves after a vulnerability was responsibly disclosed by white hat hackers. Scroll through Vulnerability sections in earlier editions of the newsletter for a more complete list of these near misses.
Not all DeFi projects were exploited using sophisticated hacks involving dozens of transactions. Some were good old scams which attracted hungry investors and quickly relieved them of their tokens. Below is a list of DeFi incidents which scammed users using backdoors:
August 24, 2020 - Chicken Finance owners stole deposits with a backdoor.
September 23, 2020 - UniCats phished users with infinite allow. $140K stolen.
November 2, 2020 - Axion Network backdoor used to steal $24M.
November 29, 2020 - Compounder Finance backdoor used to steal $12M.
Other DeFi projects have simply rug pulled on their projects after they got them sufficiently pumped. Here are just a few examples:
September 5, 2020 - SushiSwap creator Chef Nomi ran off from the project.
October 10, 2020 - Blue Curby pulled an exit scam with the Off Blue project.
November 22, 2020 - Fake Uniswap LP tokens net scammers $52K.
These are the signs of an industry that still needs to mature. Internet commerce of the late 90s/early 2000s was similarly butchered until educational projects like OWASP, tools like Burp proxy, and a multitude of web security consulting shops, bug bounty programs, conferences, and trainings sprang up. The DeFi space will also need to go through a similar painful growth period. Until then, we are likely going to see 2021 set new records in both the number of DeFi hacks and scams and the value lost to them.
Beneath all the flashy DeFi apps and exchange platforms sit good old layer one blockchains with their own issues. This section is divided into different components involved in operation of blockchains such as Nodes, Wallets, and consensus protocols guiding them.
Consensus Protocol Incidents
About $20M were stolen across 11 different incidents exploiting blockchain protocols. Most of the attacks involved PoW chains that were 51% attacked after sufficient hash power was rented on miner rental platforms such as NiceHash:
January 23, 2020 - Bitcoin Gold 51% attacked. $19K double spent.
January 24, 2020 - Bitcoin Gold 51% attacked again. $53K double spent.
July 10, 2020 - Bitcoin Gold 51% attempt. Nodes checkpointed after a tip off.
July 31, 2020 - Ethereum Classic 51% attacked. $5.8M double spent.
August 5, 2020 - Ethereum Classic 51% attacked. $3.2M double spent.
August 29, 2020 - Ethereum Classic 51% attacked. $5M double spent.
November 7, 2020 - Grin 51% attacked. Unknown damage.
November 20, 2020 - Bitcoin Cash ABC 51% attacked to DoS the fork.
An emerging trend in these attacks is the massive increase in the number of orphaned (aka “reorged”) blocks involved in double spends. In past years, attacks such as the one on Vertcoin involved reorgs of 400-700 blocks. The latest attacks against Ethereum Classic involved a massive 7000 block reorg. Another trend is how PoW blockchains learned to defend themselves using both dynamic and hard-coded checkpoints. Such was the case with Bitcoin Gold, which was notified of an impending attack by a NiceHash rental miner and in turn coordinated a secret node version bump to invalidate the attacker’s blocks.
Traditionally, 51% attacks involve a double spend to compensate attackers for their mining effort and net them some profit. For example, one of the Ethereum Classic attacks cost perpetrators around $200K. However, in the case of Bitcoin Cash ABC, the Voluntarism.dev attackers simply wanted to cause as much grief to the chain as possible, even at a personal loss. With more central banks getting involved in cryptocurrencies, could the next cyberwarfare campaign target a country’s blockchain infrastructure?
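To make the reorg and checkpoint discussion concrete, here is an added Python example (not code from the newsletter or from any of the projects it mentions) of a toy node that follows the heaviest-work chain, measures how many blocks a reorg would orphan so that deep reorgs raise an alert, and rejects any chain that contradicts a checkpoint. The scenario at the bottom is constructed: an honest chain of ten blocks and a heavier private fork, replayed with and without a checkpoint pinned at height 5.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Block:
    hash: str
    parent: Optional[str]   # None only for genesis
    height: int
    work: int               # work carried by this block alone


class Node:
    """Toy fork choice: heaviest cumulative work wins unless the candidate
    chain contradicts a checkpoint. Reorgs at or above reorg_alert_depth
    are recorded so an operator or deposit policy can react to them."""

    def __init__(self, genesis: Block, reorg_alert_depth: int = 6):
        self.blocks: Dict[str, Block] = {genesis.hash: genesis}
        self.cum_work: Dict[str, int] = {genesis.hash: genesis.work}
        self.tip: str = genesis.hash
        self.checkpoints: Dict[int, str] = {}   # height -> mandatory hash
        self.reorg_alert_depth = reorg_alert_depth
        self.alerts: List[str] = []

    def add_checkpoint(self, height: int, block_hash: str) -> None:
        """Pin a hash at a height, whether hard-coded in a release or
        pushed dynamically; competing blocks at that height are invalid."""
        self.checkpoints[height] = block_hash

    def chain_of(self, block_hash: str) -> Dict[int, str]:
        """Map height -> hash for block_hash and all of its ancestors."""
        out: Dict[int, str] = {}
        cur: Optional[str] = block_hash
        while cur is not None:
            blk = self.blocks[cur]
            out[blk.height] = blk.hash
            cur = blk.parent
        return out

    def violates_checkpoint(self, block_hash: str) -> bool:
        chain = self.chain_of(block_hash)
        return any(chain.get(h) not in (None, want)
                   for h, want in self.checkpoints.items())

    def reorg_depth(self, new_tip: str) -> int:
        """Blocks of the current best chain that switching to new_tip orphans."""
        old, new = self.chain_of(self.tip), self.chain_of(new_tip)
        fork_height = max(h for h in old if new.get(h) == old[h])
        return self.blocks[self.tip].height - fork_height

    def add_block(self, block: Block) -> str:
        if block.parent not in self.blocks:
            return "orphan"          # unknown parent; this toy does not buffer it
        self.blocks[block.hash] = block
        self.cum_work[block.hash] = self.cum_work[block.parent] + block.work
        if self.violates_checkpoint(block.hash):
            return "rejected-checkpoint"
        if self.cum_work[block.hash] <= self.cum_work[self.tip]:
            return "side-chain"
        depth = self.reorg_depth(block.hash)
        if depth >= self.reorg_alert_depth:
            self.alerts.append(f"reorg of {depth} blocks to {block.hash}")
        self.tip = block.hash
        return "reorg" if depth > 0 else "extended"


def build_chain(node: Node, parent: Block, prefix: str, count: int, work: int) -> List[str]:
    """Append count blocks on top of parent, each carrying the given work."""
    statuses = []
    for _ in range(count):
        blk = Block(f"{prefix}{parent.height + 1}", parent.hash, parent.height + 1, work)
        statuses.append(node.add_block(blk))
        parent = blk
    return statuses


def simulate(with_checkpoint: bool) -> Tuple[str, List[str], List[str]]:
    """Constructed scenario: honest chain h1..h10 (work 1 each), then a
    private fork a3..a12 built from h2 with twice the work per block."""
    genesis = Block("g0", None, 0, 1)
    node = Node(genesis, reorg_alert_depth=6)
    build_chain(node, genesis, "h", 10, work=1)
    if with_checkpoint:
        node.add_checkpoint(5, "h5")
    statuses = build_chain(node, node.blocks["h2"], "a", 10, work=2)
    return node.tip, statuses, node.alerts
```

Without the checkpoint the fork overtakes the honest chain at a7 and an 8-block reorg is logged; with the checkpoint at height 5 every fork block from a5 onward is rejected and the tip stays at h10.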
As more unique blockchain projects come online, the year 2020 has also brought us several attack classes which were previously only theorized:
March 2, 2020 - SteemIt DPoS mechanism was attacked by multiple exchanges.
March 12, 2020 - Ethereum mempool manipulated to cause congestion.
November 10, 2020 - Monero Sybil attacked to deanonymize its users.
The first incident is particularly interesting as the first instance of a PoS (Proof of Stake) attack in the wild. SteemIt’s governance system was successfully subverted not by a mining pool with dominant hash power, but by a group of exchanges which pooled together dominant staking power. The attack was also made unique by the DPoS (Delegated Proof of Stake) mechanism, which allowed perpetrators to force a hard fork to gain complete and permanent control of the network.
The mempool manipulation on Ethereum was also interesting due to attackers targeting a higher level MakerDAO collateral liquidation mechanism as opposed to the underlying blockchain. Finally, the Monero Sybil attack is likely connected to the recent bounty put out by U.S. Treasury to help deanonymize Monero. If that’s true this would be the first confirmed state sponsored attack on the blockchain.
One common theme with successful 51% attacks was that target blockchains were either relying on commodity mining hardware such as GPUs or, in the case of ASICs, were not the largest users of the hashing algorithm. This allowed miners to retarget or simply rent hashing capacity to attack these networks. Even with various defenses being put in place, it is likely that PoW 51% attacks are going to continue next year. This brings us to Proof of Stake blockchains. Now that Pandora’s box has been opened, we may see another PoS 51% attack, especially in lower market cap chains where staking funds could be easily borrowed.
Node Software Incidents
Blockchain node software is a crucial element of the blockchain network as the key component which enforces and validates its rules. Unlike protocol incidents where risks are understood and expected such as with the 51% attacks, node software incidents result from vulnerabilities found in the actual implementation. There were 10 different incidents which resulted in the loss of $5.4M in 2020:
March 9, 2020 - Solana Testnet failed to validate signatures. 500M SOL stolen.
April 10, 2020 - Tendermint DoS vulnerability patched.
May 31, 2020 - Tendermint DoS vulnerability patched.
June 7, 2020 - FileCoin Testnet inflation bug. 9B FIL minted.
July 2, 2020 - RavenCoin Mainnet supply chain attack. $5.1M stolen.
July 2, 2020 - Tendermint DoS vulnerability patched.
August 27, 2020 - Ethereum Parity node DoS bug exploited.
August 30, 2020 - Chainlink node DoS attack. $300K drained.
November 6, 2020 - Ethereum ETHash integer overflow patched.
November 12, 2020 - Ethereum Geth DoS bug exploited.
The RavenCoin incident was particularly nasty as it involved a malicious PR which introduced the minting vulnerability. What is concerning is that the vulnerability and the ongoing exploitation were only discovered 6 months later. Supply chain attacks are a real threat in other open source software projects, and blockchains are no different.
The Solana vulnerability was also insane, as it involved missing transaction signature validation allowing anyone to steal funds from any account. Luckily the issue was found on the Testnet, so no real funds were stolen.
Wallet and Client Software Incidents
Things were not much different on the wallet software side. There were 7 different incidents affecting wallets, with one resulting in a massive $1.6M loss:
February 12, 2020 - IOTA Trinity Wallet supply chain attack. $1.6M lost.
June 3, 2020 - Trezor transaction crafting vulnerability patched.
June 18, 2020 - Argent Wallet funds theft vulnerability patched.
July 7, 2020 - Ledger Live and other wallets RBF mishandling.
September 3, 2020 - Wasabi Wallet coinjoin feature DoS vulnerability.
October 14, 2020 - Binance Wallet Android Accessibility vulnerability patched.
December 16, 2020 - ruby-bitcoin and other gems with crypto stealer identified.
Similarly to node software, wallets are also vulnerable to supply chain attacks. In fact, one such attack targeting IOTA’s Trinity Wallet caused so much disruption that the entire network had to be halted while developers were investigating.
What is concerning in both node and wallet software bugs is just how rare they are. Both of the major software incidents were caused by supply chain attacks. What’s missing are critical vulnerabilities in nodes and wallets similar to the one found in Solana. It could be that these flaws are silently patched, like the one in Geth. However, what keeps me up at night is that it’s just as likely that there are not enough eyes on these projects beyond a few well established ones. If there is one thing we can learn from traditional security, it is that even the most secure operating system, web server, mobile, and other software gets compromised. So is it just a matter of time before a major blockchain node vulnerability gets exploited?
Everyday users have been under a constant onslaught from scammers, phishing and malware campaigns. In this report, I will focus on the more technical attacks with incidents involving multi-billion Ponzi scams considered out of scope. Below is a list of just a few sample incidents representative of the year:
January 28, 2020 - Phishing campaign using a fake Web3 MakerDAO site.
March 30, 2020 - Stolen YouTube accounts advertise a Bill Gates-themed scam.
May 24, 2020 - Justin Sun Deep Fake used to scam investors over Skype.
June 14, 2020 - Typosquatted message sharing site replaces BTC addresses.
June 16, 2020 - Elon Musk giveaway scam on YouTube and Google ads.
July 15, 2020 - Twitter hacked. Massive BTC giveaway scam. $120K stolen.
August 9, 2020 - Ongoing Tor MiTM attacks used to steal crypto.
October 19, 2020 - Account hijacks using telco’s SS7 switches.
November 20, 2020 - Fake wallet and DeFi apps in Google Play Store.
December 4, 2020 - Users phished using XRP Memo field. $5.4M stolen.
December 14, 2020 - Backdoored wallet used to steal $8M from NM exec.
December 20, 2020 - Ledger Customer DB leaked on a scammer forum.
This year continued the trend of crypto pyramid schemes, celebrity giveaway and crypto-flipping scams, and fake crypto stealing software. It was interesting to observe the first Web3 scam site which posed as a legitimate MakerDAO project. Another example of scam artists increasing their sophistication is through the use of asset specific features like XRP Memo fields, targeting telco switches, Tor exit nodes, and anything else that would get them closer to users’ crypto.
However, nothing matched the massive Twitter hack which took over hundreds of cryptocurrency, celebrity, corporate, and other accounts, all to advertise a simple Bitcoin giveaway scam. These scams have slowly gained in popularity, with fake ads popping up on YouTube, Twitter, Google Ads, and other media sources purporting to come from Bill Gates, Elon Musk, and other celebrities. However, the July 15th attack was different since it took over verified individual, corporate, or any other account on the Twitter platform. In the end it netted attackers a relatively small $120K profit and resulted in multiple arrests shortly after:
The last notable user incident was an attack against Nexus Mutual’s founder which netted hackers an $8M profit worth of NXM tokens. Unlike mass “fake wallet” campaigns popular on Google Play Store, this one was highly targeted. It involved both a compromise of the user’s machine and a specially modified wallet software.
With cryptocurrency prices going through a mass rally, it is likely that both the frequency and the size of attacks on individuals are going to increase. While traditional mass phishing campaigns are going to remain, the ability to target specific high profile users is particularly worrying. The Ledger database leak has identified a small group of individuals and their PII data, which makes both online and physical attacks highly probable and dangerous.
In the previous section we explored some of the baddest incidents that blocksec has ever seen. But who are the actors behind these acts?
Advanced Persistent Threat (APT) groups have been a familiar enemy to financial, government, and other institutions for decades. Over the years, reports of Lazarus (APT38), a North Korean hacking group, targeting cryptocurrency businesses have significantly upped the stakes for exchanges after multiple incidents were attributed to them:
January 21, 2020 - Chainalysis analysis of Lazarus exchange hacks.
March 2, 2020 - DoJ sanction references two exchanges hacked in 2018.
August 18, 2020 - F-Secure report on Lazarus Cryptocurrency campaigns.
August 27, 2020 - DoJ complaint references two exchanges hacked in 2019.
Other state sponsored APT groups such as Vietnamese Ocean Lotus (APT32) and Chinese Wicked Panda (APT41) have been caught using more indirect tactics to accumulate cryptocurrency by installing mining malware on victims’ computers:
September 16, 2020 - DoJ warrants for APT41 actors involved in cryptojacking.
November 30, 2020 - Microsoft report on BISMUTH cryptojacking campaign.
Non-state sponsored APTs appear to be primarily focused on highly profitable ransomware campaigns which often involve cryptocurrencies as the preferred method of payment:
May 12, 2020 - Sophos report on Maze ransomware group.
August 3, 2020 - McAfee report on NetWalker ransomware group.
October 14, 2020 - FireEye report on FIN11 ransomware campaign.
October 28, 2020 - REvil ransomware as a service operation details.
November 16, 2020 - TA505 threat actor profile.
Previously mentioned APT groups use or target cryptocurrency assets as just one of their activities. However, a report by ClearSky has revealed a new APT dedicated to attacking cryptocurrency exchanges:
June 24, 2020 - CryptoCore Group profile.
On the not so advanced but persistent side, the actors behind both the massive Twitter hack and the more targeted SIM swapping attacks turned out to be groups of young adults in their early 20s:
July 31, 2020 - Three charged in the Twitter hack.
November 20, 2020 - 21-year old SIM Swapper Gets 3 Years in Jail.
While investigators were focused on the actors behind exchange and individual attacks, almost nothing has been revealed about the folks behind all of the DeFi hacks. The closest we got was with the dForce incident, where an attacker was allegedly identified and forced to return all of the stolen assets:
April 20, 2020 - dForce attacker returned stolen funds after leaking IP address.
In other incidents, hackers sent back stolen funds with snarky remarks:
Based on the lack of opsec following the hacks and the highly specialized skill-set involved in executing these attacks, DeFi hackers are more likely to be individual developers who decided to cross the line rather than organized criminal or nation state groups looking for new sources of revenue.
The story of Blockchain Security would not be complete without talking about the good folks and there were so many this year! What they do is what makes working in blocksec so exciting and inspiring at the same time.
A common occurrence across a number of DeFi incidents this year was the mention of whitehat hackers who reached out to developers to not only give them a heads up about a vulnerability, but actively assist them in patching their code. The whitehat behind many of these responsible disclosures was samczsun. Here are just a few projects out of at least 18 that he helped lock down this year:
January 25, 2020 - Helped Curve Finance lock down a critical vulnerability which could have drained the smart contract.
September 19, 2020 - Led a group of whitehats to help rescue $9.6M worth of ETH in Lien Finance’s smart contracts.
November 17, 2020 - Helped 88mph team exploit their contract to rescue funds.
Another sheriff in the lawless crypto frontier is Harry Denley from MyCrypto. As you can see from his Twitter and blog posts, he worked tirelessly for years to identify and shut down a barrage of phishing and malware campaigns targeting cryptocurrency users. Hunting down scammers usually involves takedowns and possibly law enforcement reports which rarely result in punitive action. In 2020 Harry took matters into his own hands and was able to steal back and return stolen funds from scammers by exploiting their badly protected infrastructure:
July 17, 2020 - Harry returned $10k worth of crypto stolen in two fake Uniswap and Balancer phishing campaigns.
There are also so many dedicated teams which make the field more secure every day. One such team is ConsenSys Diligence. The group is well known for its smart contract security audits; however, their biggest contribution to the community this year was a number of free tools and papers which developers can use to secure their projects. Here are just a few of them released this year:
Scribble - smart contract runtime verification tool.
VSCode Solidity Metrics - smart contract triage reporting.
VSCode ETHover - smart contract viewer, decompiler, flattener.
Teatime - a blockchain RPC attack framework.
Legions - Ethereum node security toolkit.
Blockchain Security Database - a collection of major Ethereum smart contract projects, audit reports, and available bug bounties.
There are many more heroes out there who I quietly watched from the pages of this newsletter in awe. You know who you are and it has been a privilege to share your victories and struggles in the past year.
The dream of bringing an open financial system to the world is not easy. It will require the work of thousands of entrepreneurs, developers, and security engineers to make blockchains not only functional but secure. The blockchain security field is still just as young and barely explored as the cryptocurrency ecosystem it is trying to protect. I hope that reading this newsletter was informative and inspired you to walk this journey with so many of us. Consider joining the good fight as a security engineer, bounty hunter, smart contract developer, blockchain investigator, or just as a curious explorer on the new frontier. If you are not sure how to get started, subscribe to this newsletter, where I often post educational materials, or just feel free to reach out to me directly.
Help support BlockThreat in 2021!
Over the past two years, BlockThreat has gained hundreds of followers including exchanges, asset issuers, DeFi projects, engineers, investigators, law enforcement, and many others. This newsletter is a labor of love which takes many hours weekly to prepare. If you found BlockThreat valuable consider supporting its future growth:
1) Make an individual contribution.
2) Sponsor an edition where you can place an advertisement.
3) Share your job postings in the next edition.
4) Share the newsletter with a friend or a colleague.
Thanks for joining me in this special edition of Blockchain Threat Intelligence and looking forward to seeing you all in 2021!
- Peter Kacherginsky (iphelix)