Blockchain Threat Intelligence

BlockThreat - Week 44, 2021
newsletter.blockthreat.io

bZx | Rari | Vesper | Synapse | DarkSide | Squid Game

Peter Kacherginsky
Nov 14, 2021

Welcome to BlockThreat!

This week we are seeing the first indications of the North Korean Lazarus APT taking an interest in DeFi projects with the $55M compromise of bZx. TWAP price manipulation is a hot new exploit in the DeFi space, resulting in the compromise of multiple projects. The US government is on the hunt for ransomware actors and anyone supporting them, with a recent arrest and a $10M bounty. A rapid increase in social engineering attacks on crypto Discord channels has claimed yet another major project; be careful out there! Let’s dive into the news, but first some exciting project news:

Project updates: The newsletter now includes a new paid subscriber section with a growing collection of premium content such as threat indicators for the recent hacks, DeFi exploit PoCs, phishing domains, crypto malware signatures, and others.

I will continue delivering the same free content to help build and secure the blockchain community while providing added value to professional auditors, blockchain analytics companies, and others who have made the leap of making this a full-time endeavor.

You can unlock it by upgrading your subscription in your account settings page. Looking forward to your thoughts and suggestions on this new format!

Events

  • Join the Formal Verification in the Ecosystem conference on November 16, 2021, featuring speakers from Certora, Flashbots, Trail of Bits, Consensys, and many others.

Competitions

  • The Damn Vulnerable DeFi wargame just got four new challenges and Hardhat updates.

Media

  • Consensys: Securing your Uniswap integration with Scribble by Joran Honig (Consensys)

  • Secureum SafeCast episode with Dan Guido (Trail of Bits).

News

  • The US DoJ announced a reward of up to $10M for information on the DarkSide ransomware group responsible for the Colonial Pipeline attack.

  • Denis Dubnikov, a co-founder of Coyote Crypto and EggChange, was arrested in Amsterdam (after previously being detained at the Mexico City airport) at the FBI’s extradition request. The arrest came after a series of U.S. Treasury sanctions on cryptocurrency exchanges aimed at dismantling the ransomware and money-laundering industry based out of Russia.

  • Bloomberg reports on an unusual concentration of sanctioned cryptocurrency exchanges in a single skyscraper in Moscow’s business district. Vostok Tower hosts Suex, EggChange, CashBank, Buy-bitcoin[.]pro, and others.

  • Zaryn Dentzel, a founder of Tuenti, was tortured by masked assailants for four hours to gain access to his cryptocurrency assets.

Scams

  • Check Point Research warns of an ongoing Google Adwords phishing campaign targeting crypto wallet and DeFi users, which has already resulted in the theft of at least $500K.

  • TRM Labs reports on an ongoing BitRAT malware phishing campaign targeting Mango Markets NFT users on Discord.

  • Axie Infinity was targeted by the now familiar Discord social engineering attack: channel operators were tricked into leaking their auth token through a screen sharing session, after which a malicious Dapp was advertised to steal users’ tokens.

  • ENS Domains shared an ongoing phishing campaign taking advantage of the recent airdrop.

  • Vice reports on the sophisticated OTP Bot phishing campaign allowing scammers to target 2FA users of Coinbase, PayPal, and other financial institutions.

  • Squid Game operators rug pulled the project, costing investors $12M.

Hacks

  • On October 23, 2021, an attacker exploited a flaw in the reward calculation logic of Take Profit Finance, a BSC-based DeFi project, to gain $400K.

  • On October 30, 2021, a vulnerability in the token approval mechanism of Pixel Vault’s Planet DAO was exploited to mint tokens by burning PUNKS Comic NFTs the attackers did not own.

  • On October 30, 2021, Chia Network experienced a Denial of Service attack after a single operator flooded the network with small transactions. A number of nodes were overwhelmed, delaying legitimate transactions from reaching the network.

  • On November 2, 2021, the Rari Fuse protocol was hit with a price manipulation exploit which resulted in the loss of $3M.

  • On November 3, 2021, Vesper Finance lost $3M in yet another TWAP price manipulation attack.

  • On November 5, 2021, bZx lost $55M on ETH, Polygon, BSC, and FTM networks after their private keys were compromised in a spear phishing attack by a North Korean actor.

  • On November 6, 2021, Synapse, a cross-chain protocol, lost $8M due to incorrect price calculation using an external AMM.

Vulnerabilities

  • Inspex fixed a flaw in its farm smart contract that could have allowed users to claim more assets than expected, after a friendly notification from the KillSwitch team.

Research

  • Bitcoin Mixing: A Survey & Short Guide on How to Trace Malicious Transactions by Rakesh Krishnan.

  • Inside the War Room: How Indexed Finance Traced Its $16M Hacker by Stefan Stankovic (Crypto Briefing).

  • Become a Dapptools Pilled Chad in 30 minutes or Your Money Back by @transmissions11.

  • The Web3 Security Revolution by Immunefi.

  • Preventing Channel Jamming by BitMEX Research.

Premium Content

Indicators

  • Google Adwords phishing domains:


  • Mango Markets fake wallet malware:


  • Squid Game scammers:

    Indicators:
    BSC: 0x71D934Aa2119CA3995F702f075d540f7A6b0f728

  • Take Profit Finance exploiter:

    Indicators:
    BSC: 0x2e5f7ead7e26b40e7be8e1f6bd9675cb9f0dfe77
