Greetings!
This week saw over $62M stolen in five incidents, with operational security failures being the primary root cause. Let’s focus on those failures to extract key lessons.
Radiant Capital suffered a sophisticated $58M hack across multiple chains executed within minutes of each other. In this compromise, bad actors were able to take over at least three signers in order to execute malicious upgrades, which quickly drained all stored value. Using on-chain data and the recently published post-mortem, we can reconstruct the exploit timeline:
Prep
2024-10-02 01:12:37 UTC - Prep exploit deployed on Arbitrum.
2024-10-02 08:22:46 UTC - Prep exploit deployed on BSC.
2024-10-02 08:34:51 UTC - Prep exploit deployed on Base.
2024-10-02 08:41:35 UTC - Prep exploit deployed on Mainnet.
Exploit
2024-10-16 15:46:00 UTC - Arb Nonce 230 transaction proposal.
2024-10-16 15:46:00 UTC - Eth Nonce 127 transaction proposal.
2024-10-16 17:09:18 UTC - Arbitrum ownership transfer and exploit.
2024-10-16 17:09:35 UTC - Automated pause triggering on Mainnet.
2024-10-16 17:09:40 UTC - Automated pause triggering on BSC.
2024-10-16 17:11:00 UTC - BSC ownership transfer and exploit.
Triage
2024-10-16 17:12:00 UTC - War room started.
2024-10-16 17:38:00 UTC - Ancilla X announcement.
2024-10-16 17:43:41 UTC - Base contract paused.
2024-10-16 19:27:00 UTC - Radiant X announcement.
Mitigation
2024-10-16 21:36:00 UTC - Removing compromised wallets on Mainnet.
2024-10-16 22:04:00 UTC - Revoke access X post.
2024-10-16 21:40:00 UTC - Removing compromised wallets on Base.
2024-10-16 22:10:00 UTC - Removing compromised wallets on BSC.
Thanks to Radiant’s report, we now know that they were well prepared: Hypernative was set up to automatically pause vulnerable contracts. Unfortunately, pausing is only effective against traditional smart contract exploits. With signer keys under their control, the attackers could simply upgrade the vulnerable contracts to bypass this control.
According to Radiant, the war room was started minutes after the first hack. That’s impressive; however, the investigation clearly didn’t identify key compromise as the root cause, since the team opted to pause the Base contract. Given the circumstances, Radiant’s team should have prioritized moving at-risk funds to a safe wallet rather than relying solely on pausing vulnerable contracts.
To make things even more complicated, Radiant noted that simulating transactions to ensure the proposer was not compromised was already their regular practice:
Each transaction was simulated for accuracy on Tenderly and individually reviewed by multiple developers at each signature stage. Front-end checks in both Tenderly and Safe showed no anomalies during these reviews.
It took Radiant only a day to identify the most likely attack vector for the exploit, which is stealth transaction replacement using malware on compromised signer machines:
The devices were compromised in such a way that the front-end of Safe{Wallet} (f.k.a. Gnosis Safe) displayed legitimate transaction data while malicious transactions were signed and executed in the background. This breach occurred during a routine multi-signature emissions adjustment process, which takes place periodically to adapt to market conditions and utilization rates.
This attack demonstrates a new level of sophistication from threat actors, who proved capable of taking over developer machines, writing custom malware, navigating on- and off-chain governance, developing smart contracts and laundering the proceeds.
In the meantime, let’s discuss just a few steps you can take today to better defend your project against this attack:
Multi-sig
Implement a time delay (multiple days) on all infrequently used, critical administrative actions, with the ability for a guardian account to veto the proposal.
Implement at least a 5/n multi-sig for such critical governance actions.
Move high frequency administrative functions to a separate multi-sig/role with minimum privileges. Time delays could be shorter and multi-sig size smaller, but still require a review process with an ability to veto.
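As an added illustration of the first two recommendations (this is example code written for this newsletter, not Radiant’s code or any audited deployment), here is a minimal timelock that only the admin multi-sig can queue and execute, while an independent guardian account can only veto. The contract name, the two-day delay and the role names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical guardian-vetoable timelock placed in front of a protocol's
/// upgrade/admin entry point. `proposer` is meant to be the large (e.g. 5/n)
/// admin multi-sig; `guardian` is a separate account that can cancel but never execute.
contract VetoTimelock {
    uint256 public constant MIN_DELAY = 2 days;   // assumed delay for critical actions
    address public immutable proposer;
    address public immutable guardian;
    mapping(bytes32 => uint256) public readyAt;   // 0 = not queued or vetoed

    // The raw calldata is emitted on-chain so reviewers can inspect what will
    // actually run during the delay, independently of any wallet front-end.
    event Queued(bytes32 indexed id, address target, bytes data, uint256 readyAt);
    event Vetoed(bytes32 indexed id);
    event Executed(bytes32 indexed id);

    constructor(address _proposer, address _guardian) {
        proposer = _proposer;
        guardian = _guardian;
    }

    function id(address target, bytes calldata data, uint256 salt) public pure returns (bytes32) {
        return keccak256(abi.encode(target, data, salt));   // salt allows re-queuing identical calls
    }

    function queue(address target, bytes calldata data, uint256 salt) external {
        require(msg.sender == proposer, "not proposer");
        bytes32 h = id(target, data, salt);
        require(readyAt[h] == 0, "already queued");
        readyAt[h] = block.timestamp + MIN_DELAY;
        emit Queued(h, target, data, readyAt[h]);
    }

    function veto(bytes32 h) external {
        require(msg.sender == guardian, "not guardian");
        require(readyAt[h] != 0, "unknown proposal");
        delete readyAt[h];
        emit Vetoed(h);
    }

    function execute(address target, bytes calldata data, uint256 salt) external {
        require(msg.sender == proposer, "not proposer");
        bytes32 h = id(target, data, salt);
        uint256 t = readyAt[h];
        require(t != 0 && block.timestamp >= t, "not ready");
        delete readyAt[h];                                   // clear before the external call
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
        emit Executed(h);
    }
}
```

With the upgrade/owner-change functions of the protocol owned by such a contract, a signer compromise like Radiant’s produces a queued proposal whose calldata is visible on-chain for days, giving the guardian time to veto it.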
Secops
Use dedicated hosts for all critical administrative actions. A cheap $200 Chromebook is sufficient. The key is “dedicated”: no browsing, tweeting, checking emails or reviewing job applicants on that machine.
There is a lot more of course and I hope to cover that during the upcoming talk at DeFi Security Summit; however, at the very least buy everyone some Chromebooks.
North Korean IT workers strike again, with Tapioca losing $4.4M, not counting the wider impact of a devalued token and infinite minting of USDO. On the bright side, the SEAL 911 team stepped in to save another $2.7M before it could be stolen as well.
In other news, Transak lost almost 100K user records including full names, passport and driver license numbers, user selfies, etc. Get ready for another barrage of sophisticated phishing campaigns.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Let’s dive into the news!
News
Cosmos cofounder blames Iqlusion's Zaki Manian for North Korea-linked security risks in network's liquid staking module. A recent report revealed that a significant portion of the Liquidity Staking Module (LSM) was developed by North Korean agents.
Fraudulent North Korean IT Worker Schemes: From Insider Threats to Extortion by Counter Threat Unit (CTU) Secureworks.
State of Crypto Report 2024: New data on swing states, stablecoins, AI, builder energy, and more by a16z.
Crime
Fake Rabby Wallet scam linked to Dubai crypto CEO and many more victims. A wild investigation by Tay and SomaXBT linked the scam to Konstantin Pylinskiy aka Konpyl, the CEO of Moonward Capital.
FBI Arrests Alabama Man in the January 2024 SEC X Hack that Spiked the Value of Bitcoin. The fake post confirming SEC’s approval of Bitcoin ETF caused a momentary spike in price.
Indian National Is Sentenced To Prison For $20 Million Dollar Fraud Scheme Involving Fake Cryptocurrency Exchange Websites. In one instance a victim lost $240K thinking they were logging into a Coinbase Pro website. The perpetrator, Chirag Tomar, was arrested last year when visiting the United States.
Hong Kong’s Fraud Empire Collapses: How Triads, AI, and Fake Love Fuel Massive Crypto Heist.
Japanese authorities trace Monero, arrest 18 in $670K laundering case.
US prosecutors call for reduced five-year prison sentence for 2016 Bitfinex hacker Ilya Lichtenstein. Heather 'Razzlekhan' Morgan Should Spend 18 Months in Prison, Prosecutors Tell Court.
Senior Promoter In Cryptocurrency Ponzi Scheme Sentenced To 240 Months In Prison. Juan Tacuri (Forcount aka Weltsys) scammed thousands of victims primarily in Spanish-speaking communities.
New bitcoin sextortion scams in Canada use photos of victims’ homes. Massive PII leaks like Kroll, Fractal, Gemini, Trezor and others continue fueling now very direct physical attacks on crypto customers.
The unmasking of threat actor USDoD. What is even more interesting is the Tracking USDoD: The OSINT Breakdown writeup by Baptiste Robert which documents the steps to find the bad guy in Brazil.
Former fugitive Alice Guo tied to crypto exchange that stole millions from users. Atom Asset Exchange (AAX) shut down shortly after FTX collapse while its execs fled with $56M of customer funds.
Hong Kong busts crypto scam that used AI deepfakes to create ‘superior women’.
Manhunt underway for accused crypto fraudster Jicha after he skips bond in $150 million case.
Policy
Phishing
Click and Beware by Rekt.
Eigenlayer’s X account compromised which resulted in the theft of $7M.
MuratiAI X account has been hacked, with phishing links being posted.
Ledger users targeted by malicious ‘clear signing’ phishing email.
Inferno Drainer claims Angel has taken over the entire project. On-chain data shows the drainer fee address changed 12 hours ago to a new address.
Someone lost around 804K worth of $mETH signing a malicious phishing contract by Cyvers.
Pepe Holder Loses $1.4 Million in Uniswap Permit2 Phishing Attack.
Another victim lost $1.57M after signing a "permit" phishing signature.
Scams
Exposing Andrew Tate’s Crypto Grift by Coffeezilla.
An investigation into @MrBeast, how he allegedly made $10M+ by backing low-cap IDO crypto tokens by SomaXBT.
Fake Rabby Wallet scam linked to Dubai crypto CEO and many more victims.
Scammers promote fake Uniswap L2 on Google amid Unichain hype.
Media
Web3 Security Summit I playlist.
Judging Approaches in Audit Contests with Jack Sanford (Sherlock) by TrustX.
Deep Dive into WazirX hack by Ethereum Engineering Group.
Tech Freedom - 387: Crypto Regulation — With Paul Grewal.
Research
Leveraging Fine-Tuned Language Models for Efficient and Accurate Smart Contract Auditing.
BlockFound: Customized blockchain foundation model for anomaly detection.
Interrogation Testing of Program Analyzers for Soundness and Precision Issues.
Beyond Hacks: Understanding and managing economic risks in DeFi.
Layer 2 Security: Unique Challenges and Safeguards in Rollups and Sidechains by Olympix.
Beyond Hacks: Understanding and managing economic risks in DeFi - CryptoSlate.
Navigating and Thriving in the World of 1000 Blockchains by Mitchell Amador (Immunefi).
Possible futures of the Ethereum protocol, part 3: The Scourge by Vitalik Buterin. The article is particularly interesting from MEV and block construction privacy perspectives.
Compound Finance V2 Security Audit Manual by SlowMist.
Multi-Agent Influence Diagrams for Governance Protocols by Chain Risk.
Technical Audits Are Not Enough: Economic Security in DeFi by Chain Risk.
Mastering Audits Mindset: From Beginner to Pro by Zhou Xianyuan.
How to Earn Millions in Web3 Bug Bounties by Arbaz Hussain & Nemveer.
Tools
Compromised wallet frontrunning script by pcaversaccio.
Compromised wallet bundler app by LCFR.
Felina Protocol - safely revoke permits.
Solidity for VS Code extension by Ackee.
Sim Playground - real-time apps and dashboards like a nice on-chain message search.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerability, indicators, special reports, and searchable newsletter archives.
Premium Content