Blockchain Threat Intelligence


BlockThreat - Week 35, 2023

Infamous Chisel | BitBrowser | AppSocial | Sui

Peter Kacherginsky
Sep 06, 2023

Greetings!

A relatively quiet week to wrap up the month, with significantly lower losses ($25m) relative to July ($462m). I guess web3 blackhats take time off too. The largest compromise was of BitBrowser, where users who had enabled a sync feature lost $520,000+ worth of crypto after the browser's backend infrastructure was compromised.

Things are more concerning on the malware side, with more information released by GCHQ about the Infamous Chisel Android malware associated with the infamous Sandworm Russian APT group. The malware is a credential and crypto stealer targeting major wallet software.

To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.

Quiet weeks like these are much needed for all of us to catch up on research and tools, so I hope you will find time to read up on the research and tool releases in this and previous editions of the newsletter!

Be safe and let’s dive into the news!

News

  • Crypto Losses Report for August 2023 by Immunefi.

  • Brazilian crypto streamer loses money by accidentally exposing private key.

  • Slither and Echidna are working on adding support for Vyper.

Scams

  • Hundreds of thousands trafficked to work as online scammers in SE Asia, says UN report.

  • MetaMask scammers take over government websites to target crypto investors.

  • Bitcoin scams targeting elderly victims once again.

Malware

  • Infamous Chisel malware report by GCHQ. The malware targets the Android ecosystem to steal private keys and other sensitive data from Binance, Coinbase and Trust cryptocurrency wallets, along with social media and browser apps.

Media

  • Evolution of Web3 Security Space: Bot Races and More with Johnny Time and Pashov.

Research

  • So you found a compiler bug by banteg.

  • Ethereum key theft patterns by Tay.

  • Aave v3 bug bounty Part 3 by StErMi.

  • Securing Blockchain Systems: A Novel Collaborative Learning Framework to Detect Attacks in Transactions and Smart Contracts.

  • Potential Griefing Vector Identified on Ajna Protocol by Maria Magenes (Summer.Fi aka Oasis).

  • The Wisdom of the Crowd: Community Driven Security by Ray Xiao.

  • Every ERC Explained Part 1 and Part 2 by Andrew Hong dives into popular Ethereum standards from a data analytics perspective.

Tools

  • Circomscribe - Circom project analysis tool by ZK Security.


Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.


© 2025 Peter Kacherginsky