Greetings!
A critical bug in Solana and a hard fork in Optimism are a good indicator that there are now more eyes on blockchain code. On the other hand, these findings are still so rare that one has to wonder how many more bugs are still out there.
No major DeFi exploits this week, with the exception of Vow, which lost $1M while experimenting with their price oracle settings in production on-chain. Oops!
Let’s dive into the news!
News
Zero-click Windows TCP/IP RCE impacts all systems with IPv6 enabled, patch now. This is as bad as it gets, patch immediately!
Solana developers address critical vulnerability with coordinated patch
Optimism Foundation disables permissionless fraud proofs, plans hard fork following security audits.
Railgun Blocks Inferno Drainer’s Attempt to Launder Stolen Funds Worth 174 ETH.
CertiK blames rogue employee for Tornado Cash transactions during $3M Kraken hack. Other sources indicate it was a planned marketing stunt.
2024 Crypto Crime Mid-year Update Part 1: Cybercrime Climbs as Exchange Thieves and Ransomware Attackers Grow Bolder by Chainalysis.
Crime
Justice Department Disrupts North Korean Remote IT Worker Fraud Schemes Through Charges and Arrest of Nashville Facilitator. This is the latest arrest of a North Korean facilitator since the arrest of Christina Chapman in a widespread campaign. Do you know who your recent hire really is?
Bohemia Admin(s) arrested in Ireland, 6.5 million euros seized.
Indian Authorities Arrest Man for Kidnapping Linked to $2.4B BitConnect Scam.
Bitcoin Bandits Swipe $700,000 in Apparent Targeted Attack in Costa Rica.
Malaysian Police Hunt 4 Suspects in Kidnapping Case Involving $1.2M Crypto Ransom.
7 Indicted in $300,000 Queens Bitcoin Theft, Say Prosecutors. Interesting that the ringleader was indicted along with his parents.
'I'll Be Fine' in Prison: Pump.fun Attacker Pleads Guilty in London.
Robbery Victim Forced To Transfer $2,000,000 in Crypto to Four Attackers in Break-and-Enter.
Multiple arrests made in $14.4M Holograph hack investigation.
Iran Escalates Crackdown on Illegal Crypto Mining Amid Severe Power Crisis.
Paraguayan Justice System Achieves Conviction for Power Theft Crime Linked to Cryptocurrency Mining.
SEC Charges NovaTech and its Principals and Promoters with $650 Million Crypto Fraud.
FTX settles complaint from the CFTC with $12.7 billion payout.
Florida Woman Convicted of Laundering Crypto to Facilitate Drug Sales.
Houston Police Seize over $200,000 in Cryptocurrency in Fraud Investigation.
Policy
Phishing
DPRK IT worker investigation by ZachXBT. More than $1.3M was stolen from the treasury after malicious code had been pushed. The investigation uncovered 21 developers working for at least 25 different crypto projects.
Address poisoning attacks continue being profitable. Two victims lost $400,000 and $64,250.
Google took three months to remove scam app that stole over $5 million in crypto.
A Beginner’s Guide to Web3 Security: How to Avoid Airdrop Scams by SlowMist.
New Crypto Scam Using QR Codes To Deceive Users Into Authorizing Wallets Spreads.
Ava Labs COO’s X account suspected as hacked after posting memecoin.
Scams
Hedging Bets by Rekt.
Bitcoin Scam Targets US County Residents With Fake Warrants.
Australian regulator claims 58% of crypto ads on Facebook are scams.
How scammers convince Americans to drain their life savings into crypto fraud schemes.
Malware
Unmasking Styx Stealer: How a Hacker’s Slip Led to an Intelligence Treasure Trove and their Big Reveal by Check Point
Rogue PyPI Library Solana Users, Steals Blockchain Wallet Keys.
New Gafgyt Botnet Variant Targets Weak SSH Passwords for GPU Crypto Mining.
Approaching stealers devs: a brief interview with AMOS by g0njxa.
Media
Blockchain Security Series 11 - Peter Kacherginsky (Lead @ Unit 0x Threat Research Team at Coinbase) by Pablo Sabbatella.
Smart Contract Auditors vs AI: Audit Wizard Overview by Johnny Time.
Research
Threshold Transaction Malleability Bugfix Review by Immunefi.
Low Level Vulnerabilities: Examples and POCs unique to EVM contracts written without the guardrails of higher level languages like solidity or vyper by Amadi Michael.
Moving Averages - DeFi Math: Use Cases and Vulnerabilities by Bloqarl.
A guide on how L2s actually work by 0xCygaar.
Maker - A Deep Dive Into The World’s First Unbiased Global Financial System.
Simple Perturbations Subvert Ethereum Phishing Transactions Detection: An Empirical Analysis.
Dissecting the Infrastructure Used in Web-based Cryptojacking: A Measurement Perspective.
Tools
Brontes - a blockchain analytics pipeline built on top of Reth.
tbl - a cli tool for reading and editing parquet files. Storm’s latest creation allows one to easily manage blockchain datasets.