Greetings!
This week was a blast, and not in a good way. Almost $75M was stolen from 6 projects, with malicious insiders accounting for the majority of it. Let’s dive into some of the more notable hacks, but first a note from our sponsor, Audit Wizard! With tools like AI-generated PoCs, rapid Foundry testing, code graphing, and function tracing, this all-in-one smart-contract security platform can really supercharge your auditing powers. Check it out!
Audit Wizard enables developers and auditors to find bugs in smart contracts. Import a project to scan for vulnerabilities, visualize functions, chat with AI about security concerns, and more.
Built by security engineers, Audit Wizard is an easy, one-click solution for finding bugs in web3 code. Sign up for free here!
First let’s discuss how every major piece of web2 infrastructure was almost hacked due to a carefully inserted backdoor in the xz library used by sshd. The malicious code was caught by someone debugging long execution times and valgrind errors. Consider this scenario part of your threat model if you are a large enough target or inevitably depend on third-party infrastructure ranging from DNS servers to nodes.
Nation state actors have been trying to infiltrate crypto projects for at least the past two years. Unfortunately, a Blast project did hire one such malicious insider. As a result, Munchables lost $62.5M from a backdoored contract, and Juicebox would have lost almost $30M if not for a typo by the exploiter. Just as with other cases of insider threat, the bad actor was quickly identified as someone known to hop from one crypto gig to another, likely seeking the largest treasury to steal.
It’s unknown what negotiation took place offchain. However, the entire $62.5M was returned 8 hours after the theft. The attacker was likely aware of the 2022 Token Hub hack, where the BSC chain bridge was paused to prevent outflows of stolen funds. Stolen assets could have been similarly frozen by pausing the Blast L2 bridge, or the whole chain rolled back, so the attacker likely did not have much choice. From a defender’s perspective, mass theft of assets on centralized/low-liquidity chains may be more survivable if all exits are quickly blocked.
The post-exploitation conversation following the $11.6M Prisma Finance hack is an example of bounty negotiation stalling. Just as in the KyberSwap case, the attacker issued several non-financial, increasingly abusive demands. Their self-description of what motivated them to perform the attack also exhibits strong ego and self-righteousness.
Your team needs to do an online press conference, in which all of your team must show their faces with IDs (it’s like KYC), and send apologies and thanks to all of your users, your investors, and me. During that session, you must specifically present the mistake you made, which party audited the smart contract, and your plan to improve security in the future (what you would do before deploying a new contract, how you react when something you don’t expect comes, etc.). Also, you need to admit that I have no responsibilities in this, and I’m purely helping you guys to fix your mistakes. Out of that, you also need to change all the terms that are accusatory in the post-mortem within 12 hrs.
It’s tricky to negotiate with bad actors who believe their actions are good. Simple bounty offers may not be enough when what they are really after is power.
In the premium version of the newsletter you will find additional information, PoCs, and indicators from the aforementioned incidents as well as information on ZongZi, Lava, and a whitehat recovery of Baseline.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
“The world will see the great result from my hands.” Let’s dive into the news!
News
What we know about the xz Utils backdoor that almost infected the world.
Dutch Prosecutors Seek 64-Month Jail Sentence for Tornado Cash Dev Alexey Pertsev.
‘SEAL 911’ team of white hats formed to fight crypto hacks in real time.
A Year in Review of Zero-Days Exploited In-the-Wild in 2023 by Mandiant.
Crime
Sanctioned crypto exchange Garantex probed over $20B USDT transfers. The exchange was previously identified having links with Russian organized crime, intelligence and other state agencies.
US Treasury Sanctions Terrorist Financier for Providing Crypto-Related Services to Hezbollah by TRM.
US and UK Sanctions Authorities Target Gaza Now for Supporting Hamas by TRM.
OFAC Sanctions Russia-based Blockchain Companies, Including Netex24 and Bitpapa, for Facilitating Sanctions Evasion by Chainalysis.
Phishing
More X account newsletter compromises with the Pendle Finance hack.
Decrypt’s mailing service account compromised to advertise a fake airdrop.
Scams
Malware
Canonical cracks down on crypto cons following Snap Store scam spree.
Apple Approves Fake App Before Real Rabby Wallet, Users’ Funds Stolen.
Critical Unpatched Ray AI Platform Vulnerability Exploited for Cryptocurrency Mining.
'Call of Duty' Players Have Their Bitcoin Swiped Thanks to Malware.
Contests
Curta NumberHeist Writeup by Billh.
Media
DSS Monthly - War Rooms with SEAL.
Fuzzing and Heuristics interview with @devdacian by Cyfrin Audits.
c0c0n 2023 - Smart Contract Phishing - Attack & Defense by Tejaswa Rastogi.
Rust Security - Foundations by Guvenkaya.
Web3 Developer/Auditor video channels directory by ddmitrov22.
Research
Top Ten “Awesome” Security Incidents in 2023 by BlockSec.
Ongoing Fight Against DeFi Hacks by w1x0m.
Large Language Models for Blockchain Security: A Systematic Literature Review.
With Trail to Follow: Measurements of Real-world Non-fungible Token Phishing Attacks on Ethereum.
Quantifying Arbitrage in Automated Market Makers: An Empirical Study of Ethereum ZK Rollups.
Solana Attacks: The Elusive Account Confusion and Missing Account Signature threads by BountyHunt3r.
Evaluating Test Suite Robustness of Top DeFi Protocols by Nadir Khan.
Roadmap to Becoming a Top Crypto Data Analyst by Andrew Hong.
Tools
Awesome Smart Contract Analysis Tools by LouisTsai-Csie.
Zerem - a DeFi Circuit Breaker and Funds Router that protects protocols from loss of funds due to exploits and other forms of errors by hananbeer.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.
Premium Content