Greetings!
Markets are down and stolen tokens are on the move. Proceeds from at least nine compromises started flowing into Tornado Cash almost simultaneously. Either bad actors are learning from each other, or some of these incidents are connected.
On the DeFi side, more than $13M was stolen this week across 7 incidents with the vast majority coming from the Ronin hack. A bad smart contract upgrade failed to fully initialize the contract and effectively disabled cross-chain withdrawal verification. Luckily the contract was exploited by whitehats who returned all of the funds for a cool $500K reward.
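The failure mode described above (an upgrade that leaves new storage uninitialized, so a verification check it parameterizes silently becomes a no-op) in a constructed Solidity illustration; this is an added example, not Ronin's contract, and `BridgeV2`, `requiredSignatures` and `initializeV2` are assumed names:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration, not Ronin's code: a V2 upgrade added a storage
// variable but the upgrade never called its initializer, so it stays zero and
// the withdrawal verification it parameterizes silently becomes a no-op.
contract BridgeV2 {
    // Storage carried over from V1.
    mapping(address => bool) public isValidator;
    mapping(bytes32 => bool) public processed;

    // Storage added in V2. Zero (no signatures required) until initializeV2 runs.
    uint256 public requiredSignatures;

    event Withdrawn(address indexed to, uint256 amount, bytes32 indexed id);

    // Must be called in the same transaction as the upgrade; if it is
    // forgotten, requiredSignatures == 0 and every withdrawal passes.
    function initializeV2(uint256 threshold) external {
        require(requiredSignatures == 0, "already initialized");
        require(threshold > 0, "threshold must be positive");
        requiredSignatures = threshold;
    }

    // Vulnerable form: the loop bound is requiredSignatures, so with the
    // variable left at zero no signer is ever checked. (Real code would also
    // verify ECDSA signatures and reject duplicate signers; elided here.)
    function withdrawUnsafe(address to, uint256 amount, bytes32 id, address[] calldata signers) external {
        require(!processed[id], "already processed");
        for (uint256 i = 0; i < requiredSignatures; i++) {
            require(isValidator[signers[i]], "unknown validator");
        }
        processed[id] = true;
        emit Withdrawn(to, amount, id);
    }

    // Hardened form: refuse to operate while half-initialized, and make the
    // quorum an explicit precondition rather than an implicit loop bound.
    function withdraw(address to, uint256 amount, bytes32 id, address[] calldata signers) external {
        require(requiredSignatures > 0, "not initialized");
        require(!processed[id], "already processed");
        require(signers.length >= requiredSignatures, "insufficient signatures");
        for (uint256 i = 0; i < signers.length; i++) {
            require(isValidator[signers[i]], "unknown validator");
        }
        processed[id] = true;
        emit Withdrawn(to, amount, id);
    }
}
```

Operationally, run the initializer atomically with the upgrade (for example via a proxy's `upgradeToAndCall`) and have the deployment script read back `requiredSignatures` and refuse to unpause the bridge while it is zero.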
Nexera published two really good post-mortems on getting infiltrated by Lazarus. It followed a familiar kill chain: a job outreach on LinkedIn, tricking one of Nexera's developers into downloading NPM malware, exfiltrating keys, and finally stealing $500K in assets. Some observations:
The developer machine was used for non-job-related functions (interviews). Just buy your devs separate machines and ask them to do gaming/torrents/job hunting on their personal devices.
Smart contract admin keys were found in clear text. Hardware wallets, multi-sigs, secure key cloud storage, etc., are all readily available controls that will stop a single compromise from turning into a disaster.
Endpoint security was missing/ineffective. There is no evidence of monitoring or alerting on malicious code or data theft. We are too focused on smart contracts and forget about infrastructure, endpoints, people, etc.
The premium version of the newsletter has detailed information and indicators on the above compromises as well as TokenStake, Novax, OMPX, iVest, and other hacks.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
In other news, Discord server compromises are on the rise, especially for well-known projects. Check out the Discord security guide in the Phishing section below.
Let’s dive into the news!