BlockThreat - Week 38, 2024
BingX | DeltaPrime | Shezmu | Banana Gun | Charisma | Bankroll | WXETA | Rivus
Greetings!
Everything was hacked this week. Exchanges, smart contracts, telegram bots and some really exotic blockchains all lost almost $67M across 10 incidents. Let’s explore some of the more interesting compromises.
The week started with users of three Telegram bots (Banana Gun, Maestro, Unibot) reporting losing at least $3.2M. Trading bots rely on users exposing their private keys, making them perfect targets for bad actors. What’s interesting about these hacks is that the attack vector came from a vulnerability in the trading bot application itself. Now that Telegram is more friendly to law enforcement requests, maybe there is a chance of the perpetrators getting caught.
Private key theft and malicious insider threats continue to pop up week after week. Rivus DAO experienced an insider adding a backdoor to their smart contracts. Similarly DeltaPrime lost almost $6M due to private key theft which may be related to hiring a North Korean IT worker a few months ago.
Weeks like this wouldn’t be complete without a massive centralized exchange compromise. BingX was unfortunately hit with a $52M hot wallet hack, aka “an abnormal network access”. All of the exchange’s EVM wallets were systematically drained for almost 5 hours, with attackers not shying away from taking the 0.036 ETH left in the BASE chain wallet. At the same time, attackers embarked on a 10-hour-long swapping and laundering frenzy with only two 10-minute breaks. Who operates with such greed and precision!? The exchange attempted to negotiate with the bad actors, but of course North Korea doesn’t really do refunds.
I’ll leave you with one of the more exotic hacks this year involving the Stacks chain and Charisma protocol. An attacker found a way to bypass the contract’s access controls by abusing the as-contract feature to effectively act on the target’s behalf.
The premium section of the newsletter contains detailed vulnerability analysis, incident write-ups, and indicators for the aforementioned exploits as well as Shezmu, Bankroll, and others.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Oh and be sure to check out another epic investigation by ZachXBT solving a mystery behind last month’s $243M hack. Let’s dive into the news!
News
Secureum Bootcamp registration is now open.
Samourai Developers Appear Together In Court For First Time At Status Conference. Founder remains under house arrest due to flight risk.
Crime
An investigation into how Greavys (Malone Iam), Wiz (Veer Chetal), and Box (Jeandiel Serrano) stole $243M from a single person last month by ZachXBT. The theft triggered a spending spree that culminated in their arrest. This solves the mystery behind a massive theft last month from an account associated with Genesis Trading.
Hackers Posed as Google Support to Steal $243 Million in Crypto.
Germany seizes 47 crypto exchanges used by ransomware gangs.
US Sentences Nigerian Darknet Fraud Leader to Five Years in Prison for $6M Scheme. Can we do a prisoner exchange?
Brazilian Authorities Launch Operation Niflheim to Tackle Crypto-Related Financial Crimes by TRM.
SEC sues ‘fake’ crypto exchanges in first action on pig butchering scams. The lawsuit targets five entities and several individuals associated with fake exchange NanoBit and CoinW6.
Policy
Silvergate Bank Shut Down Because Of Operation Choke Point 2.0, Not Insolvency.
BNY Identified as First Bank to Receive SEC Exemption From SAB 121.
Audit Firm Prager Metis Settles SEC Charges for Negligence in FTX Audits and for Violating Auditor Independence Requirements. A $1.95M fine for failing to identify ‘a total absence of trustworthy data and lack of financial safeguards’ used to commit an $8B fraud.
The SEC Thinks Crypto Airdrops Are Securities. Here’s Why This Lawyer Thinks It’s Wrong.
SEC Charges Flyfish Club, LLC for Unregistered Offering of NFTs. Restaurant memberships offered as NFTs are securities apparently.
Phishing
Mass X account compromise used to promote $HACKED token on Solana. The source of the compromise may be linked to Twittimer. In the end, attackers rugged the token to profit only $8600.
Security Awareness Activities On-Site by matta. A proposal to conduct a series of social engineering and phishing exercises during the Devcon. Please do!
X account of AI Modular Data Preprocessing Layer DIN was hacked.
India's Supreme Court YouTube Channel Hacked to Shill XRP Crypto Scam.
Someone lost 64 stETH ($163,865) by signing a "permit" phishing signature by realScamSniffer.
A victim lost $649k by copying the wrong address from a contaminated transfer history by realScamSniffer.
Scams
Malware
Code of Conduct: DPRK’s Python-fueled intrusions into secured networks by Elastic Security Labs.
"Marko Polo" Navigates Uncharted Waters With Infostealer Empire by Recorded Future.
Storm clouds on the horizon: Resurgence of TeamTNT? by Group IB.
Hackers deliver popular crypto-miner through malicious email auto replies, researchers say.
An Offer You Can Refuse: UNC2970 Backdoor Deployment Using Trojanized PDF Reader by Mandiant.
Go Injector Leading to Stealers by eSentire. The injector is used by Lumma Stealer and StealC.
Cencora found to pay a $75M ransom to the Dark Angels group by ZachXBT.
Jamf Threat Labs observes targeted attacks amid FBI Warnings by Jamf. The report analyzes a LinkedIn campaign using RustDoor malware.
Contests
Damn Vulnerable DeFi v4 Writeup by SunSec. Solutions.
MultiversX CTF Solutions by rotcivegaf.
Media
Exposing The Flaw In Our Phone System by Veritasium and LinusTechTips.
The Compound Governance Attack by Junion.
Blockchain Security Series 13 - Pashov (Founder @ Pashov Audit Group) by Pablo Sabbatella.
How to Make It In Web3 Auditing Contests w. Holydevoti0n by JohnnyTime.
How Trump’s Crypto Project Is Aiming to Protect Against Hackers by Unchained.
Scraping Bits - #97 - Mikolaj: The Ramifications of MEV And Blockchain Exploits by DeGatchi.
Scraping Bits - #98 - Kankodu: How Immunefi's Ranked #16 Whitehat Earned $1M USD by DeGatchi.
Scraping Bits - #99 - Kenmio: Hexen's CTO Automates Crypto Smart Contract Audits by DeGatchi.
Scraping Bits - #101 - Alejandro: From Solo Auditing In College to Immunefi Triaging by DeGatchi.
Cybersecurity in Web3. CTO of HackenProof (Alex Horlan) on Bug Bounties, North Korean Hackers, Kraken vs Certik by Daria Strategy.
Research
Ghost in the Block: Ethereum Consensus Vulnerability by Giuseppe Cocomazzi (Asymmetric Research).
High severity bug in Bitcoin Core affects 17% of full nodes.
Bitcoin DoS Attack: Crash Competing Miners for Just 0.14 BTC by Juliano Rizzo (Coinspect).
Common Vulnerabilities: Liquid Restaking Protocols - Smart Contracts by Elmedin Burnik (SigmaPrime).
Modern DeFi Lending Protocols, how it's made: Aave V3 by Sergey Boogerwooger, Dmitry Zakharov (MixBytes).
Modern Lending protocols, how it's made: the compilation by Sergey Boogerwooger, Dmitry Zakharov (MixBytes). Includes coverage of Uniswap v3, LlamaLend, Fluid, Ajna, Euler v2, Morpho, and others.
Token-2022 Security Best Practices - Part 1: Mint & Token Account by Offside Labs.
ERC-7726: Never Code an Oracle in Ethereum Again by Alberto Cuesta Cañada.
Formal Verification for Dummies, Episode 3: Proofs by Raoul Saffron (Runtime Verification).
Smart Contract Vulnerabilities by kadenzipfel. A collection of smart contract vulnerabilities along with prevention methods.
Immunefi Bug Fixes by Tigran Piliposyan. Collection of Immunefi bug fixes from the past 2 years.
Solana and Ethereum Security Models by Eduard Kotysh (Oak Security).
Smart contract hackers using "neutral" builders to fund their profitable transactions via sponsored bundles, a thread by theRaz0r on the technique used in the WXETA compromise.
Proxion: Uncovering Hidden Proxy Smart Contracts for Finding Collision Vulnerabilities in Ethereum.
Detection Made Easy: Potentials of Large Language Models for Solidity Vulnerabilities.
LookAhead: Preventing DeFi Attacks via Unveiling Adversarial Contracts.
Analysing Attacks on Blockchain Systems in a Layer-based Approach.
ContractTinker: LLM-Empowered Vulnerability Repair for Real-World Smart Contracts.
Using YouTube to steal your files by lyra.
Gaining access to anyone's browser without them even visiting a website (CVE-2024-45489) by xyzeva.
Is Tor still safe to use? by isabela, pavel. Older versions of the client may be de-anonymized using a guard discovery attack.
Researchers Leverage ChatGPT For Enhanced Cryptography Misuse Detection.
Tools
Threat Stream by Nefture Security. Freely accessible event log across Ethereum and Arbitrum networks.
Sourcify - the complete verified smart contract repository is available to download in convenient formats including Parquet.
Meet Rio: A Specialized Fuzzer for Linea’s Zero-Knowledge Infrastructure by Valentin Wüstholz (Linea).
Foundry UI to easily collapse & view test stack traces added to Swiss Knife.
Tevm Cast Clone - a web-based Ethereum command-line interface (CLI) emulator similar to foundry cast by evmts.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerability, indicators, special reports, and searchable newsletter archives.