Greetings!
Almost $28M were stolen this week across 5 incidents. The Indonesian exchange Indodax accounts for the majority of these losses with a $25M hot wallet hack spanning the Bitcoin, Tron, Ethereum, Polygon, and Optimism chains. No additional information is available on the exact attack vector of the compromise, but luckily the exchange was able to halt further losses from its $400M vault.
The FBI published a report on the state of crypto-related fraud. According to the report, crypto-related losses exceeded $5.6B in 2023 (a 45% increase), which is half of the total reported financial fraud losses processed by the agency. At the same time, the 69K+ crypto-related complaints constitute only 10% of total complaints. I’ve previously noted this outsized impact per incident in a talk at DSS last year and am concerned that these numbers will continue attracting bad actors looking for easy profits.
The premium section below contains detailed analysis and indicators for Indodax, Caterpillar (CUT), OTSEA, and other compromises.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Let’s dive into the news and enjoy this rad Darknet Diaries remix!
News
Stablecoin issuers freeze $5 million worth of stablecoins tied to Lazarus Group by ZachXBT. The event follows ZachXBT’s earlier post in late April documenting 25+ connected hacks by the North Korean actor. The reason it took so long was primarily a 4.5-month wait for Circle to freeze funds at the same time as the other stablecoin issuers.
Tether, Tron, And TRM Labs Join Forces To Combat Crypto Crime.
Liminal cleared by independent security audit after WazirX breach, no vulnerabilities found. We are done here, folks; it’s nobody’s fault that $230M were stolen.
Crime
Florida Man Hit With 47 Years in Prison Over Violent Home Invasions to Steal Bitcoin. Ringleader Remy St Felix was sentenced to 47 years. The crew was caught due to almost nonexistent opsec while laundering funds.
FTX Founder Sam Bankman-Fried Files Appeal to Overturn Fraud Conviction. It’s a bold strategy, Cotton. Let’s see if it pays off for ‘em.
Caroline Ellison seeks to duck prison sentence for role in FTX collapse.
Indian Police Investigate Cryptocurrency Fraud Targeting Ex-Servicemen.
Operation Niflheim: Brazilian Authorities Crack Down on $9.7 Billion Crypto Money Laundering Rings.
US Treasury Sanctions Cambodian Tycoon Over Crypto Fraud and Trafficking Links.
UK Regulator Charges First Individual With Running a Network of Illegal Crypto ATMs.
How to Make Millions as a Professional Whistleblower. A different kind of bounty hunter.
Policy
The SEC claims that when it said 'crypto asset securities' it never meant tokens were actually securities. Looking at the cases below, maybe the SEC should start returning some of those $7.5B in fines.
SEC’s Crypto Enforcement Fines Exclusive Report 2024 by Social Capital Markets. Almost $7.5B in fines were levied against crypto firms and individuals since 2013 with a massive $4.68B fine against Terraform in 2024.
eToro Reaches Settlement with SEC and Will Cease Trading Activity in Nearly All Crypto Assets.
Attorney General Bonta Secures $3.9 Million Settlement with Cryptocurrency Company Robinhood for failing to allow crypto withdrawals.
"Rife with fraud": Crypto industry PAC raises $200+ million to fight regulations.
Nigeria SEC to Commence Enforcement Action on Unlicensed Crypto Firms.
Phishing
A victim lost $36,316 after signing a "setOwner" phishing signature that transferred ownership of their DSProxy, by realScamSniffer.
Your seed phrase is at risk! by The Smart Ape. An investigation of the SpyAgent malware and exposed infrastructure.
Beginner’s Guide to Web3 Security: Avoiding Honeypot Scams by SlowMist.
Scams
China’s ‘point running’ crypto scams, pig butchers kidnap kids. A new scam turns crypto users into money mules.
CFTC announces partnerships to tackle crypto pig butchering scams.
Malware
Fake CAPTCHA-style human verification pages lead to a copy/paste script delivering Lumma Stealer by Unit 42.
New Linux Malware Campaign Exploits Oracle Weblogic to Mine Cryptocurrency.
Binance Warns of Malware Targeting Crypto Addresses, Urges Users to Always Verify.
So you paid a ransom demand … and now the decryptor doesn't work.
Contests
The Vulnerable Vault Challenge by BlockChomper.
RACE #32 Of The Secureum Bootcamp Epoch∞ by Patrick Drotleff.
Media
Decoding DeFi: Breaking Down the Future of Decentralized Finance by GOP Financial Services.
Fuzzing from First Principles with Alisa Esage by Stephen Sims (Off By One Security). Optimizing fuzzing in traditional security.
RAMBO: Leaking Secrets from Air-Gap Computers by Spelling Covert Radio Signals from Computer RAM by Covert Channels.
Research
The Risk of Contract Upgrades: How Fuzzland Saved $2.8 Million from Hackers by Fuzzland.
Learn How To Make Secure Upgradeable Smart Contracts by Lior Abadi (Coinspect).
I have a great idea for a DeFi protocol. Where should I deploy it? by Eduard Kotysh (Oak Security). A great read that explores blockchain-level risks with a number of case studies including the recent Astroport/Terra hack.
Circuit Breakers in Web3: A Comprehensive Analysis of DeFi’s Emergency Brake by Olympix.
To Reverse A Big Brain by jtriley.eth.
Functional Changes of EOF by jtriley.eth.
SPL Token-2022: Don't shoot yourself in the foot with extensions by Mathias (Neodyme).
Security notes on ERC4337 and smart wallets by adriro (yAcademy).
Best Practices for Toncoin Smart Contract Security by SlowMist.
Friends don’t let friends reuse nonces by Trail of Bits.
Ethereum Fraud Detection via Joint Transaction Language Model and Graph Representation Learning.
Summarizing and Analyzing the Privacy-Preserving Techniques in Bitcoin and other Cryptocurrencies.
Automated Cybersecurity Compliance and Threat Response Using AI, Blockchain & Smart Contracts.
BACKRUNNER: Mitigating Smart Contract Attacks in the Real World.
Bitcoin Vaults and the Future of Bitcoin Custody by Ivan Serrano (Bitcoin Magazine).
Punk 2386, with a current high bid of 600 ETH, sold for 10 ETH after a successful bid on an abandoned platform.
A History of eth_sign in MetaMask by Dan Finlay.
Tools
Clear: Interactive formal verification tool for Solidity by Nethermind Security.
tree-sitter grammar for the circom language by Decurity.
Dedaub adds “find similar” functionality for public functions.
Gaboon - Vyper-based Pythonic smart contract development framework that is fast and easy.
Moccasin - A fast, pythonic, Vyper smart contract testing and development framework.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.
Premium Content