Greetings!
We begin our year with a mass X compromise of government, crypto, and even security companies’ accounts to spread crypto drainers.
PSA: Ongoing phishing campaign involving fake journalists directing victims to a Calendly-like phishing site designed to hijack X account permissions.
More than $18M was stolen this week across four incidents. Coinspaid suffered the largest loss, $7.5M, in yet another hot wallet compromise. Two protocols lost a combined $4.75M to the well-known rounding issue on newly deployed pools that many AAVEv2 forks fail to defend against. Gamma experienced a $6.18M price manipulation exploit due to insufficient price change controls.
Let’s dive into the news!
News
Hack3d: The Web3 Security Report 2023 by CertiK.
Blockchain Security and Anti-Money Laundering Annual Report 2023 by SlowMist.
Annual Web3 Security Report 2023 by QuillAudits.
North Korean Hackers Stole $600 Million in Crypto in 2023 by TRM.
Hacker hijacks Orange Spain RIPE account to cause BGP havoc. Attacker continues posting about the compromise on X.
Crime
Founder of major Taiwanese crypto exchange ACE arrested for alleged fraud.
Chinese billionaire behind Himalaya Exchange indicted for $1B scheme.
Phishing
Reports of an ongoing LFG phishing attack using Solana-based drainers. One victim reported losing $125K.
AragonDAO lost $800K in a fake airdrop phishing attack.
Reports of an ongoing X phishing campaign targeting crypto-related accounts, in which fake journalists share malicious Calendly links. The malicious phishing site requests full Twitter app permissions.
Hackers hijack govt and business accounts on X for crypto scams.
X users fed up with constant stream of malicious crypto ads.
CertiK X account phished using a malicious Calendly link, as described above.
Netgear, Hyundai latest X accounts hacked to push crypto drainers.
Mandiant's X account hacked by crypto Drainer-as-a-Service gang. Bad actors used Mandiant’s account to post a link to a Phantom wallet phishing site.
Crypto VC Polychain Capital confirms founder’s X account hacked.
Scams
Malware
Three New Malicious PyPI Packages Deploy CoinMiner on Linux Devices by Gabby Xiong (Fortinet).
Media
Research
Uniswap V4: Oracle hook with malicious owner by Damian Rusinek (Composable Security).
Echidna: Invariant Tests for AMM Contracts by Bloqarl.
A Guide to Crafting Robust Invariants by Chirag Agrawal and Antonio Viggiano.
Notes on Solidity with highlights of security caveats by Chinmay Farkya.
DApps Ecosystems: Mapping the Network Structure of Smart Contract Interactions.
Tag, you’re it: Signal tagging in Circom by Tjaden Hess (Trail of Bits).
zkEVM Bootcamp homework and notes by ustas.eth.