Greetings!
Markets are down and stolen tokens are on the move. Proceeds from at least nine compromises started moving to Tornado Cash almost simultaneously. Either bad actors are learning from each other, or some of these incidents are connected.
On the DeFi side, more than $13M was stolen this week across 7 incidents, with the vast majority coming from the Ronin hack. A bad smart contract upgrade failed to fully initialize the contract and effectively disabled cross-chain withdrawal verification. Luckily, the contract was exploited by whitehats, who returned all of the funds for a cool $500K reward.
Nexera published two really good post-mortems on getting infiltrated by Lazarus. It followed a familiar kill chain: a job outreach on LinkedIn, tricking one of Nexera’s developers into downloading NPM malware, key exfiltration, and finally the theft of $500K in assets. Some observations:
The developer machine was used for non-job-related functions (interviews). Just buy your devs separate machines and ask them to do gaming/torrents/job hunting on their personal devices.
Smart contract admin keys were found in clear text. Hardware wallets, multi-sigs, secure key cloud storage, etc., are all readily available controls that will stop a single compromise from turning into a disaster.
Endpoint security was missing or ineffective: there is no evidence of monitoring or alerting on malicious code execution or data theft. We are too focused on smart contracts and forget about infrastructure, endpoints, and people.
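One cheap control that addresses both the NPM malware delivery and the missing-monitoring observation above is to audit install-time lifecycle scripts, which npm executes automatically during `npm install` and which are therefore the usual first stage of a malicious package. The script below is an added example written for this newsletter, not code from Nexera or from the post-mortems; the hook names are npm's real lifecycle events, while the suspicious-token list and the sample manifests are constructed for illustration.

```python
import json
from pathlib import Path
from typing import List, Tuple

# npm runs these lifecycle scripts automatically on `npm install`, so they are the
# usual place a malicious package puts its first-stage code.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed heuristic: substrings that suggest the hook fetches, decodes or spawns
# something rather than doing an ordinary native build.
SUSPICIOUS_TOKENS = ("curl ", "wget ", "base64", "eval(", "child_process", "http://", "https://")


def find_install_hooks(manifest: dict) -> List[Tuple[str, str]]:
    """Return (hook_name, command) pairs for every install-time script in a package.json dict."""
    scripts = manifest.get("scripts") or {}
    return [(name, scripts[name]) for name in INSTALL_HOOKS if name in scripts]


def is_suspicious(command: str) -> bool:
    """Flag commands that download, decode or execute dynamic content at install time."""
    lowered = command.lower()
    return any(tok in lowered for tok in SUSPICIOUS_TOKENS)


def audit_manifest(name: str, manifest: dict) -> List[str]:
    """Produce one finding line per install hook; suspicious ones are marked HIGH."""
    findings = []
    for hook, cmd in find_install_hooks(manifest):
        severity = "HIGH" if is_suspicious(cmd) else "INFO"
        findings.append(f"{severity} {name}: {hook} -> {cmd}")
    return findings


def audit_node_modules(root: Path) -> List[str]:
    """Walk an installed node_modules tree and audit every package.json found in it."""
    findings = []
    for pkg_json in root.rglob("package.json"):
        try:
            manifest = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue  # unreadable or malformed manifest; nothing to audit
        findings.extend(audit_manifest(str(pkg_json.parent.relative_to(root)), manifest))
    return findings


# Constructed sample manifests (not real packages) so the example runs offline.
SAMPLE_MANIFESTS = {
    "harmless-lib": {"name": "harmless-lib", "scripts": {"test": "jest", "build": "tsc"}},
    "native-addon": {"name": "native-addon", "scripts": {"install": "node-gyp rebuild"}},
    "dropper-example": {
        "name": "dropper-example",
        "scripts": {"postinstall": "node -e \"eval(Buffer.from('...', 'base64').toString())\""},
    },
}


def audit_samples() -> List[str]:
    """Audit the constructed manifests; a legitimate native build is INFO, a decoder/eval hook is HIGH."""
    findings = []
    for name, manifest in SAMPLE_MANIFESTS.items():
        findings.extend(audit_manifest(name, manifest))
    return findings


if __name__ == "__main__":
    for line in audit_samples():
        print(line)
    # For a real project: audit_node_modules(Path("node_modules"))
```

Run it as a pre-merge CI step or a scheduled job on developer endpoints and forward HIGH findings to whatever alerting you already have; the point is to have any signal at all on install-time code execution, which the post-mortems suggest was absent.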
The premium version of the newsletter has detailed information and indicators on the above compromises as well as TokenStake, Novax, OMPX, iVest, and other hacks.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
In other news, Discord server compromises are on the rise, especially for well-known projects. Check out the Discord security guides in the Phishing section below.
Let’s dive into the news!
Events
Solana Auditors Bootcamp by Ackee.
News
Hackers leak 2.7 billion data records with Social Security numbers.
DOJ Launches Whistleblower Awards Program to Tackle Crypto Crimes.
Solana prevents potential outage, patches critical vulnerability.
Multiple bad actors are swapping funds and moving them to Tornado Cash during the down market. It almost feels coordinated.
Crime
Doxxed crypto hackers ‘Airbnb hopping’ to avoid kidnappers and rivals, report.
Su Zhu’s favourite trader MAJIN on scam allegations and ‘self-destruction’.
Eisenberg seeks to have Mango Markets fraud convictions thrown out.
Telegram has become the go-to app for heroin, guns, and everything illegal. Can crypto save it?
Billion-dollar bust as international op shutters Cryptonator wallet.
Policy
Judge Orders Ripple to Pay $125M in Civil Penalties, Ending SEC Lawsuit.
Regulating Decentralized Systems: Evidence from Sanctions on Tornado Cash by Federal Reserve Bank of NY.
Bill proposes to give Secret Service more power to pursue crypto crime.
Phishing
Setting Up Your Crypto Project’s Discord Server Securely by NFT_Dreww (Boring Security).
Securely Set up a Discord Server by iSpeakNerd (Boring Security).
Scams
Media
Competitions
Reproducing and Exploiting ZK Circuit Vulnerabilities by zkSecurity.
Research
SoK: What Don’t We Know? Understanding Security Vulnerabilities in SNARKs.
Evmos Precompile State Commit Infinite Mint by Jason Matthyser (Asymmetric Research).
Dark Skippy - a powerful method for a malicious signing device to leak secret keys. A malicious signer can use a modified signing function to efficiently and covertly exfiltrate their master secret seed by embedding it within transaction signatures.
Introduction to TON: Accounts, Tokens, Transactions, and Security by SlowMist.
Formal verification vs. fuzzing thread by 0xScourgedev.
The Anatomy of Proof Generation by Andy Arditi and Ye Zhang (Scroll).
Exploring Leo: A Primer on Aleo Program Security by zkSecurity.
The zero-knowledge attack of the year might just have happened, or Nova got broken by zkSecurity.
Beyond the Whitepaper: Where BFT Consensus Protocols Meet Reality.
Implement Uniswap V4 swaps & Avoid Critical Mistakes by bloqarl.
Cloud cryptography demystified: Google Cloud Platform by Scott Arciszewski (Trail of Bits).
Vulnerability Management program pack 1.0 by SecTemplates.
Tools
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.
Premium Content