BlockThreat - Week 4, 2024
GAMEE | Somesing | WallStreetMemes | Concentric | Goledo | Nebula | Barley | Citadel | Saga | SoulMate
Greetings!
Some of the worst exploit vectors resurfaced this week resulting in more than $30m stolen across 11 incidents. Here are some of the more important ones:
Private key theft is an alarming trend that is really picking up. Concentric, GAMEE, Somesing and WallStreetMemes lost a combined $22.58m.
Two massive phishing campaigns. Mailer Lite came forward as the third-party service behind the mass phishing campaign impersonating CoinTelegraph, WalletConnect, and others. Trezor’s “third-party” leak also resulted in the expected highly targeted phishing emails this week.
Last but not least, reentrancy exploits are back. Barley and Nebula Revelation lost $130,000 and $180,000 respectively to one of the oldest exploit vectors.
The first known hack on the Conflux chain yielded the attacker $1.7m in a price oracle manipulation exploit targeting Goledo Finance. The attacker was the first to reach out to negotiate the return. How nice of them, or is it? Hours prior to the outreach, they split up the stolen funds and transferred them to an exchange, which promptly froze them. Now the tables have turned and Goledo Finance is demanding the attacker cover all of the losses to the protocol, worth $3.8m, more than double the stolen amount, or they go to LE! Another wild day on the frontier.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Before going any further, please visit We Want Justice DAO to learn more about Tornado Cash and help defend Roman Storm and Alex Pertsev in upcoming trials.
For decades, governments around the world made repeated efforts to restrict email and phone privacy, safe browsing, and other uses of cryptography in a campaign collectively known as the Crypto Wars. Luckily, many of these attempts were defeated through legal action, raising awareness, and enduring support by folks like yourself!
Be on the right side of history. Defend our right to private financial transactions. Defeat an attack on open source software and its developers. Donate below.
Let’s dive into the news!
Events
Capture the Flag Zero-Knowledge - February 3rd, 2024. Here are some resources to brush up on ZK knowledge.
News
Did law enforcement in Finland crack Monero’s privacy technologies? No, but timing analysis still works.
Former Ozys security chief accused of sabotaging firewall before $81.5 million Orbit bridge exploit.
Amazon MGM Studios Developing ‘Razzlekhan,’ Film On $3 Billion Crypto Theft.
Crime
Analyzing the Northern Myanmar Alliance Army’s “Ransom” Address from an On-Chain Perspective by SlowMist.
Bitcoin ransomware gang claims to have hacked major UK water provider.
Developer jailed for aiding Trickbot ransomware behind $800M crypto theft.
SEC charges founders of $1.7 billion HyperFund scheme with fraud.
Estonia to extradite duo accused of $600M crypto fraud to US.
Onecoin Lawyer Mark Scott Sentenced to 10 Years for Money Laundering.
German National Arrested in Miami for Orchestrating $150 Million Crypto Investment Scheme.
Policy
Phishing
Mailer Lite hacker impersonates crypto firms, draining $600,000 with phishing emails.
Algorand X account hacker brags they’re still in control after ‘taking a nap’. The post came 15 hours after the initial compromise.
Spotting the Difference: Identifying Genuine and Fake Twitter Accounts by SlowMist.
Scams
Contests
SmartSecRiddles by Marq.
Real World CTF - SafeBridge Writeup by Faith. Challenges are here.
Real World CTF - SafeBridge Writeup by Kaiziron.
Media
Darknet Diaries - EP 141: The Pig Butcher.
Scraping Bits by DeGatchi - #45: How Blocksec Intercepted $15M Of Web3 Exploits In Real Time - Ft. Yajin Andy Zhou.
Scraping Bits by DeGatchi - #46: Exploring the Hidden Creativity of Exclusive Web3 Exploits - Ft. GalloDaSballo.
Scraping Bits by DeGatchi - #47: Curve Vyper Compiler Bug Whitehat & Building Ecosystem Tools - Ft. Addison.
OpenSense - Invariant Testing Workshop by Antonio Viggiano.
22 Vulnerabilities I Use To Find Criticals FAST! by Owen Thurm.
The $125M Chinese Exit Scam by Junion.
Research
Owning a Bitcoin ATM by Antonio Requena, Gabriel Gonzalez and Sergio Ruiz (IOActive Labs) on vulnerabilities in Lamassu Douro ATMs.
Oasys blockchain report study. Everybody goes to jail by Merkle Bonsai.
Quick tips to start your next invariant test campaign by Antonio Viggiano.
The Invariant That Wasn’t by Elliot.
Unraveling the Intricacies of EtherHiding by Neptune Mutual.
Yes, you really can lose all your ETH if you stake with Geth by Lachlan Feeney (Labrys).
(Breaking) Circuits on Ethereum by Gonçalo.
LLM4Fuzz: Guided Fuzzing of Smart Contracts with Large Language Models.
I’m Not A Pentester (And You Might Not Want To Be One Either) by Assume Breach on bug hunting in traditional security.
Tools
Security Incidents Dashboard by BlockSec.
Mesc - a standardized approach for configuring RPC endpoints by storm.
Natspec Smells - automatically identify missing or incomplete natspec by DeFi Wonderland.
Introducing Wasmcov: Code Coverage Tool for Wasm Projects by Hacken.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.
Premium Content