BlockThreat - Week 45, 2023
Poloniex | CoinSpot | Raft | MEV | TheStandard | TrustPad | Mirage | Grok | Stakestone
Greetings!
Multiple exchanges hacked, crypto executives and users kidnapped, MEV bots pillaged, millions stolen from DeFi projects, all the while APT groups are deploying new malware campaigns to target blockchain engineers. It’s been a wild week, but first a quick word about this week’s sponsors.
BlockSec is a well-known blockchain security company behind multi-million dollar whitehat recoveries and excellent products such as Phalcon, MetaSleuth, and MetaDock. So I am particularly excited about the upcoming release of Phalcon Block. With years of experience analyzing and responding to compromises, I can’t wait to see the impact this tool will have on our industry.
Phalcon Block offers a comprehensive set of tools designed for monitoring, detecting, and responding to web3 compromises. Developed over the course of two years, it has already been utilized to rescue digital assets valued at over $14 million.
What sets this product apart from its competitors is its high signal-to-noise ratio, achieved through a precise attack detection engine and advanced auto-response capabilities — crucial for minimizing losses in a space where exploits can be executed within minutes.
Want to get the word out about your blockchain security related product or company? Consider sponsoring the next edition.
On the exchange side, another asset owned by Justin Sun was hacked. A massive $130m was stolen across the Ethereum, Bitcoin, Tron, and Ripple networks, dwarfing the earlier $8m HTX hack from just a few months ago. Interestingly, the attackers sent $2.5m worth of GLM tokens to the token contract itself. Comrade Kim is not pleased.
CoinSpot was also hit with a hot wallet compromise for $2.47m, amid complete silence from the exchange. Hopefully it’s not another exchange that disappears following an unacknowledged hack.
On the DeFi side, this week had 10 incidents for almost $6m in losses. Raft lost $3.3m in an interesting reward manipulation exploit resembling the Euler hack. Just like in the Poloniex hack, the attacker made a mistake and burned most of the stolen loot. Was 4 ETH really worth going to jail for? Use bug bounty programs and sleep well!
MEV bots continue getting pillaged. At least 6 contracts were exploited for more than $2m, all due to insufficient function access controls.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
In other news, Yuga Labs gave laser eyes a new meaning by literally burning the retinas of its ApeFest attendees, causing temporary blindness and headaches.
Let’s dive into the news!
News
A victim lost $27m USDT from an address connected to the Binance deployer. According to Binance, the victim withdrew funds to a compromised wallet.
Binance executives abducted and forced to send $12.5m USDT. Most of the stolen funds were frozen after the theft.
An unknown threat actor (or actors) claims to have compromised Coin Cloud.
Critical vulnerability in Atlassian Confluence server is under “mass exploitation”. Projects relying on Confluence should take immediate action.
Crime
Kraken helps UK police return over $2 million in stolen crypto to victims.
Oracle Employee Helped Cocaine Dealers Hide $54 Million In Crypto, DOJ Says. He took Breaking Bad cosplay a bit too far.
Onecoin 'Compliance' Head Pleads Guilty to Wire Fraud and Money Laundering Charges.
Policy
CFTC 2023 Enforcement Report lists a record number of actions related to crypto fraud including FTX, Binance, Celsius, Avraham Eisenberg, and others.
House Approves Amendment to Limit SEC's Crypto Enforcement Authority.
Opyn founders exit crypto industry following CFTC regulatory actions.
Scams
Ongoing phishing campaign pretending there is a Uniswap exploit.
Friend.tech users phished using malicious bookmarks in a consent form.
Malware
CherryBlos, the malware that steals cryptocurrency via your photos - what you need to know by Tripwire.
Researchers Uncover Undetectable Crypto Mining Technique on Azure Automation.
Media
MiloTruck Interview - 2 Hours of PURE Smart Contract Auditing ALPHA by Johnny Time.
DeFi math for auditors by Owen.
Contests
Remedy Closed-Beta Invitational Challenge by Hexens.
Research
Retrospecting Unhealthy Order Allowance Vulnerability in Perpetual Protocol by ChainLight.
TSTORE Low Gas Reentrancy by Chainsecurity.
Thorns in the Rose: Exploring Security Risks in Uniswap v4’s Novel Hook Mechanism by BlockSec.
As an LP, How to Withdraw Funds Timely Before Protocol Pauses by BlockSec.
Evolution of Automated Weakness Detection in Ethereum Bytecode: a Comprehensive Study.
Incorrect TWAP implementations by Chinmay.
DAO Governance DeFi Attacks by Dacian.
Solidity Smart Contract Unbounded Loops DOS Attack Vulnerability Explained with REAL Example by Johnny Time.
Audit Checklists by Decurity. Includes checklists for CDPs, LSDs, and AMMs.
Vulnerabilities every beginner Smart Contract Security Researcher should find - Part 1 by Dimitar Tsvetanov.
Solana Analytics Starter Guide Parts 1, 2, 3, and 4 by Andrew Hong.
Sync Reth in 6 hours with Snapshots by Merkle.
Ultimate EVM Tracing Reference by Paradigm.
Technical Exploration of Inline Assembly in Solidity by M. Kuck.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.