The Hacktober concludes with another 10 compromises totaling around $20M this week. Of these hacks at least three projects were caused by the weak private keys generated by Profanity. It’s upsetting that these completely preventable hacks already cost millions to the ecosystem. If you ever used Profanity to generate wallet keys, please move your funds as soon as possible.

On the bright side, an FBI double agent was caught accepting bribes in bitcoin mixed with Wasabi wallet which has been oddly experiencing service disruptions lately. A big bust of the Raccoon Stealer developer caught running away from defending Ukraine.

Let’s dive into the news, but first a note from our sponsors at Pocket Universe. I’m pretty excited about the next generation of tools to protect DeFi users so be sure to check out their product:

Pocket Universe protects you from scam transactions in web3. Signing one malicious transaction is all it takes to drain your wallet. Pocket Universe pops up to show you exactly what happens in your transactions before you sign them in your wallet. Join 10,000+ others and get your peace of mind back at

http://pocketuniverse.app

News

• Raccoon Stealer developer arrested in Netherlands are fleeing Ukraine.

• Chinese spies used Wasabi Wallet to pay bitcoin bribes to FBI double agent.

• Wasabi Bitcoin wallet releases update to restore services amid Tor attack.

• Biden Administration Wants To Make It Easier To Seize Crypto Without Criminal Charges.

Scams

• Monkey Drainer phishing campaign stole $1M worth of ETH. However, one community member is fighting back!

• Reports of an ongoing RTKFT phishing campaign which stole $377K.

Hacks

• On October 25, 2022 Melody lost $610K due to a compromise of the offchain signing service.

• On October 25, 2022 NoodleSwap reentrancy vulnerability exploited for $29K.

• On October 25, 2022 FriesDAO lost $2.3M in a profanity exploit.

• On October 26, 2022 ULME lost $50K in a price oracle manipulation attack.

• On October 27, 2022 Team Finance lost $15.8M (recovered $7M) in an attack exploiting its pool migration function.

• On October 27, 2022 Victor the Fortune lost $58K in a reward manipulation exploit.

• On October 27, 2022 UvToken lost $1.5M due to insufficient access controls.

• On October 27, 2022 RTFKT airdrop was exploited to bypass claim limit.

• On October 29, 2022 Giveth and Dappnode lost $50K in a profanity wallet exploit.

• On October 29, 2022 Dappnode lost $300K in yet another profanity wallet exploit.

Vulnerabilities

• OpenSSL to Patch First Critical Vulnerability Since 2016.

Malware

• Massive cryptomining operation leveraging GitHub Actions by Sisdig.

• In-The-Wild: 'it's always a crypto miner!' by OpenPunk.

Research

• SoK: Not Quite Water Under the Bridge: Review of Cross-Chain Bridge

• DAO voting vulnerabilities by Konstantin Nekrasov (MixBytes).

• Uniswap v3 TWAP Oracles in Proof of Stake.

Tools

• Cruise Blockchain Transaction Explorer by Supremacy.

Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with indicators, special reports, and searchable newsletter archives.

Premium Content

Indicators

Monkey Drainer Phishing Campaign

Ethereum: 0x9fc8265f2b376084423a1a348a89ecd894a9d106
Ethereum: 0x84527b5949d479c879b8dd71cd8f79048cdf6fb8

UvToken Attackers

BSC: 0x31635b58af67e48427b6debe4d3ae0f2106bf7c8
BSC: 0xf3e3ae9a40ac4ae7b17b3465f15ecf228ef4f760
BSC: 0x99d4311f0d613c4d0cd0011709fbd7ec1bf87be9