Greetings!
A major and still unexplained hack happened this week. More than $238M was stolen from an address associated with Genesis Global Trading. Funds were quickly transferred to the usual suspects like Railgun, ChangeNow, eXch, Avalanche Bridge, ThorChain, and others. Railgun once again unshielded the transfer of stolen funds, so maybe attackers will learn to stop using it.
Seif Wallet exposed users’ private keys and passwords to a third-party analytics vendor. It’s not clear whether any of the 50 exposed keys were actually drained; however, the incident is an interesting lesson in communicating the exposure to users:
According to Seif’s post-mortem, the bug was originally discovered on July 25th (thanks SEAL!) and patched on July 26th.
The announcement of the bug and exposed wallets on X went out on August 20th.
No announcement on official Discord.
An earlier announcement on August 8th showed up buried deep in the project’s docs.
Publishing such a critical exposure deep inside the project’s docs and waiting almost a month to make a wider announcement is what Web2 does. We can do better!
Parcl experienced simultaneous compromises of both their website and X accounts. In their post-mortem Parcl focuses a lot on the DNS hijacking, but a double hack indicates likely credential theft from an insider.
Let’s dive into the news!
News
Zellic acquires Code4rena. The backstory on the acquisition.
Jaredfromsubway.eth is back with a new MEV bot and new sandwich attacks.
Crime
How long are prison sentences for crypto criminals in the US?
Hackers linked to $14M Holograph crypto heist arrested in Italy.
Judge sets Oct 2025 trial for brothers allegedly behind $25M exploit. A federal judge has set the start date for the criminal trial of two brothers allegedly responsible for stealing $25 million in crypto by exploiting maximal extractable value (MEV) bots.
Binance founder CZ moved from prison to a halfway house but isn’t free yet.
Binance Hit With Fresh Class Action Lawsuit Over Money Laundering Allegations.
Malaysian authorities destroy over 900 bitcoin mining rigs amid power theft crackdown.
Another suspected high-profile crypto scammer caught in Montenegro. Polish national Roman Ziemian, who is an alleged co-founder of crypto Ponzi scheme FutureNet, was originally arrested in Italy in 2022 but escaped while under house arrest.
Crypto scammer behind $4B fraud caught in Istanbul. Andreas Szakacs, the Swiss CEO of the cryptocurrency company OmegaPro, which began operations in 2019, was arrested in Turkey after obtaining Turkish citizenship.
Suspect in $14 billion cryptocurrency pyramid scheme extradited to China. The suspected ringleader, identified as Teow (full name Tedy Teow Wooi Huat), is also known as Zhang Yufa. He founded the MBI Group conglomerate in 2012.
CluCoin Founder Pleads Guilty to Stealing $1.1M of Investor Funds for Online Gambling.
Ex-bank CEO gets 24 years after falling for crypto scam, causing bank collapse. Hanes was first targeted by scammers in late 2022, apparently when he got a message from an unidentified co-conspirator on WhatsApp, prosecutors said. After burning through his personal funds, those of a local church, a local investor club, and finally his daughter's college fund, he started stealing bank funds, all in the false hope that sending more and more money to the scammers would somehow "unlock the supposed returns" on his crypto investments.
SQ arrests suspect in kidnapping and death of Montreal cryptocurrency influencer. A 32-year-old woman was arrested Thursday as a suspect in the kidnapping and death of Kevin Mirshahi, a cryptocurrency influencer who was abducted from Old Montreal, along with three other people, earlier this summer.
Man Faces 20-Year Prison Sentence in Crypto Money Laundering Case. Villa, 61, served as a courier for a sophisticated criminal organization led by Jin Hua Zhang, based in Staten Island, New York.
Argentinian Authorities Arrest Russian National for Laundering the Crypto Proceeds of Illicit Activity. The subject accepted illicit cryptocurrency proceeds from illicit actors such as North Korea’s Lazarus Group, child sexual abuse vendors and terrorist financiers.
US Treasury Sanctions Nearly 400 Individuals and Entities For Supporting Russia’s War Machine.
Feds Will Contact Victims of Million-Dollar Crypto Scam 'via NFT’ After Founder's Guilty Plea.
Crypto scam: 99 arrested in Philippine raid on Chinese-run center - crypto.news.
99 Arrested in Philippine Crypto Scam Hub Raid. Among those arrested were three key figures: Nan Shan, the manager; Detu Su, the owner; and Wu Jian Bin, the supervisor. The raid also uncovered 64 foreign nationals, including Chinese, Malaysians, and others, alongside 32 Filipinos allegedly working as customer service representatives (CSRs) in the fraudulent operation.
Policy
Former SEC crypto enforcement chief David Hirsh leaves for private practice. He will be joining McGuireWoods law firm to help their clients “stay ahead of the curve”.
Phishing
Someone lost 211 ETH ($553,312) by copying the wrong address from a contaminated transfer history.
Crypto trader loses $55M in DAI to phishing attack using Inferno Drainer kit. Whale Hunter's Payday by Rekt has additional details.
McRugged: Hackers Take Over McDonald’s Instagram, Make $700K on Fake Grimace Token.
Suspicious activity in GitHub associated with Lazarus Group by Heiner.
All of a user’s wallets were drained by a fake job interview exercise.
Polygon Discord compromise hits Avalanche, ZKsync hours later.
Avalanche’s Discord server has been compromised. Only last week their COO’s X account was compromised as well.
Scams
Malware
A malicious Chrome extension called ‘Bull Checker’ drains Solana wallets.
New Malware PG_MEM Targets PostgreSQL Databases for Crypto Mining.
Infostealers Waltz Through macOS to Grab Crypto Wallets, Browser Creds.
Mac users beware: AMOS malware clones wallet apps and comes for your crypto.
Ransomware rakes in record-breaking $450 million in first half of 2024.
MoonPeak malware from North Korean actors unveils new details on attacker infrastructure.
Media
Contests
Solidity Challenges by Jason Schwarz (passandscore).
Bitmaps & Merkle Proofs - Damn Vulnerable DeFi V4 Primer by DegenShaker.
Research
Risk & Security Enhancement for App Chains: An In-depth Writeup of CWA-2023-004 by CertiK.
Demystifying and Detecting Cryptographic Defects in Ethereum Smart Contracts.
Settled, But Not Really: The Privacy Gap in Bitcoin's 'Final' Transactions.
Ecosystem Explorer - Exploring the Bitcoin L2 Saga and Recent Solutions.
Phrack 71 featuring our very own cts (Zellic).
Tools
LLEVM allows you to decompile and converse with EVM bytecode, decompiled Solidity, Yul and opcodes, by 0xKoda.
FOUR.MEME Sandwich Bot by Fuzzland recently used in a successful attack.