Week 19, 2019

Binance | CORA | TRX | Confluence

This week’s news were dominated with the high profile Binance hack, the largest exchange in the continuing series of compromises. In this edition of the intelligence report I will discuss what went right and wrong with the way Binance handled the incident, an update on the Tron backdoor from last week, a couple of critical bugs, and the latest in the cryptominer malware trends.


  • Crypto Traders Ponder Blacklist to Keep Scammers, Thieves at Bay - a Bloomberg article on the recent CORA (Crypto OTC Roundtable Asia) meeting in Chicago on increasing trust in the crypto ecosystem. The attendees have discussed creating both a whitelist of good standing crypto businesses as well as a blacklist of known malicious parties to share among members.


  • Binance Security Breach - On May 7, 2019 Binance has shared the news about a breach resulting in a loss of approximately 7000 BTC ($40 million). Based on the official report, the actors were using a variety of advanced techniques including phishing and malware. The analysis of the BTC transaction from the breach has revealed that the attacker has consolidated stolen Bitcoin into seven addresses and avoided immediately moving them to other exchanges. You can track the movement of stolen funds on Sentinel Protocol’s incident tracker.

    Several things went well with the incident. Only 2 hours have passed between the transaction above and the public notification, an excellent level of transparency that Binance kept up throughout the investigation. It was also great to see the community coming together to support CZ and Binance! On the other hand, the initial unscheduled server maintenance communication was misleading. The tweet made in the time of high stress on the use of re-org to recover funds has resulted in a backlash. Jimmy Song had a writeup on why this is not the right strategy in case of a compromise.

    Binance is planning to resume external deposits and withdrawals on Tuesday. With only a week elapsed since the hack, it also remains to be seen if a sufficient time has passed to fully investigate and kick out the attackers.

  • TRX Pro Backdoor Report - a detailed timeline and report explaining how and who backdoored the Tron smart contract and later exploited it. According to the report, the attacker was running an online Tron IDE called http://tronsmartcontract[.]space which he used to add a backdoor at compilation time. The attacker has also spoofed the contract verification check on his site to trick TRX Pro developers into thinking that everything is fine. The incident illustrates the importance of 3rd party code and behavior verification after the contract is deployed on the Tron and other platforms.



This concludes the threat intelligence for this week. Stay safe out there and good luck if you are one of the now 60k hunters for the Satoshi’s Treasure.