Greetings!

Another week, another batch of “whitehat” hackers returning stolen assets following multi-million compromises. The Safemoon exploit was particularly concerning with a very obvious burn function access control bug. This should not have slipped through testing/deployment phases.

Multiple reports were released on North Korean actors which have been busy lately first with the supply chain attack targeting crypto business and later using cloud mining services to launder stolen crypto.

All of the indicators for the above hacks are in the premium section as always. Let’s dive into the news, but first a word from our sponsors Chainalysis!

The 2023 Crypto Crime Report is here!

Inside you’ll find 100+ pages of original data, research, and case studies on the most pressing topics in cryptocurrency-based crime, including:

• Why 2022 set records for crypto hacking

• How sanctions on Hydra, Tornado Cash, and others impacted the crypto crime ecosystem

• The latest crypto money laundering tactics employed by cybercriminals

• What crypto winter means for scammers

• How cybersecurity enhancements have hurt ransomware attackers

• And more!

Get your copy now >

News

• Cryptocurrency companies backdoored in 3CX supply chain attack.

• APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations report by Mandiant covers new crypto laundering techniques.

• Cryptocurrency crime and anti-money laundering report by Ciphertrace.

• Criminal gang behind fake crypto wallets arrested in China.

Scams

• Decoding Kokomo Finance $4 Million Rug Pull by QuillAudits.

• Si vis pacem, para bellum: Exploring MetaMask Phishing by ChainLight.

• Over 1M Arbitrum tokens lost to phishing attack.

Hacks

• On March 28, 2023 Safemoon lost $8.9m after failing to restrict access to the burn function in a contract upgrade. Interestingly, the original attacker was front-run by an MEV bot also involved in last week’s Nuwa hack which promised to return stolen assets.

• On March 29, 2023 UNMS lost $100k in a price oracle manipulation attack.

• On March 30, 2023 Patricio Worthalter lost $3.83m in a spear phishing attack.

• On April 1, 2023 Allbridge was targeting by two attackers using a price oracle manipulation attack. $570k were lost and about $470k were returned after one of the attackers turned “whitehat” following doxing.

Vulnerabilities

• THORChain halted the network following a vulnerability report that could result in potential asset theft.

• How to almost take over any DNSSEC name on ENS.

• Uniswap Vulnerability Disclosure by Nomoi.

• Multiple CVEs in threshold cryptography implementations by Kudelski Security Research.

• Cadence patched a node crash vulnerability thanks to a responsible disclosure by @bluesign.

Malware

• Copy-paste heist or clipboard-injector attacks on cryptousers by Kaspersky.

• New OpcJacker Malware Distributed via Fake VPN Malvertising by TrendMicro.

Contests

• Numen Cyber CTF Writeups. Congrats teams ChainLight, KALOS, and AmberLabs!

• Here comes Decipher EVM Puzzles game for all Smart Contract Devs.

• Dev account honeypots thread by Daniel Luca.

Research

• Exploit Insurance to Raise Your Payout by Robert Forster.

• Foundry and hevm fuzzing thread by philogy.

• BERT4ETH: A Pre-trained Transformer for Ethereum Fraud Detection.

• The Blockchain Imitation Game.

Tools

• Gambit: A Solidity Mutation Testing Tool for Formal Verification.

• How to use Phalcon Debug to dive into a transaction.

• Medusa - a cross-platform go-ethereum-based smart contract fuzzer inspired by Echidna.

• Dedaub Smart Contract Storage Browser.

• Token Tester - test a variety of unconventional tokens against your smart contracts.

Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with indicators, special reports, and searchable newsletter archives.

Premium Content

Indicators