Greetings!

We begin our year with a mass X compromise of government, crypto, and even security companies’ accounts to spread crypto drainers.

PSA: Ongoing phishing campaign involving fake journalists directing victims to a Calendly-like phishing site designed to hijack X account permissions.

More than $18M were stolen this week across four incidents. Coinspaid suffered the largest losses in yet another hot wallet compromise worth $7.5M. Two protocols lost combined $4.75M to the well known rounding issue on newly deployed pools that many AAVEv2 forks fail to defend against. Gamma experienced an $6.18M price manipulation exploit due to insufficient price change controls.

To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.

Let’s dive into the news!

News

• Hack3d: The Web3 Security Report 2023 by CertiK.

• Blockchain Security and Anti-Money Laundering Annual Report 2023 by SlowMist.

• Annual Web3 Security Report 2023 by QuillAudits.

• North Korean Hackers Stole $600 Million in Crypto in 2023 by TRM.

• Hacker hijacks Orange Spain RIPE account to cause BGP havoc. Attacker continues posting about the compromise on X.

Crime

• Russian crypto miner held hostage on Christmas day.

• Founder of major Taiwanese crypto exchange ACE arrested for alleged fraud.

• Chinese billionaire behind Himalaya Exchange indicted for $1B scheme.

Phishing

• Reports of an ongoing LFG phishing attack using Solana-based drainers. One victim reported losing $125K.

• AragonDAO lost $800K in a fake airdrop phishing attack.

• Reports of an ongoing X phishing campaign targeting crypto related accounts as fake journalists sharing malicious Calendly links. The malicious phishing site requests full Twitter app permissions.

• Hackers hijack govt and business accounts on X for crypto scams.

• X users fed up with constant stream of malicious crypto ads.

• CertiK X account phished using a malicious Calendly link described above.

• Netgear, Hyundai latest X accounts hacked to push crypto drainers.

• Mandiant's X account hacked by crypto Drainer-as-a-Service gang. Bad actors used Mandiant’s account to post a link to a Phantom wallet phishing site.

• Crypto VC Polychain Capital confirms founder’s X account hacked.

Scams

• Chief executive of collapsed crypto fund HyperVerse does not appear to exist.

• Funds on MangoFarmSOL drained, community alleges rug pull.

Malware

• Three New Malicious PyPI Packages Deploy CoinMiner on Linux Devices by Gabby Xiong (Fortinet).

Media

• Echidna Tutorial: #1 Introduction to create Invariant tests with Solidity by bloqarl.

Research

• Post Mortem on SUSHI and YFI Incident by dYdx.

• Uniswap V4: Oracle hook with malicious owner by Damian Rusinek (Composable Security).

• Echidna: Invariant Tests for AMM Contracts by Bloqarl.

• A Guide to Crafting Robust Invariants by Chirag Agrawal and Antonio Viggiano.

• Notes on Solidity with highlights of security caviats by Chinmay Farkya.

• Architectural Design for Secure Smart Contract Development.

• DApps Ecosystems: Mapping the Network Structure of Smart Contract Interactions.

• Tag, you’re it: Signal tagging in Circom by Tjaden Hess (Trail of Bits).

• zkEVM Bootcamp homework and notes by ustas.eth.

Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerability, indicators, special reports, and searchable newsletter archives.

Premium Content