Welcome to BlockThreat!

This week the DeFi ecosystem was rocked by malicious insiders, governance attacks, oracle price manipulations exploits. If you are not already on the lookout for phishing emails, then this week’s massive Robinhood hack should serve as a solid signal for a coming barrage. Europol continues dismantling ransomware groups with a number of key arrests around the world. In the fun news department, thieves in San Francisco are setting up one helluva mining rig while NSA is looking for “a backdoor into the blockchain.”

News

• Europol announced arrests of REvil and GangGrab ransomware affiliates in Romania and Kuwait part of international GoldDust operation involving 17 nations.

• A 26-year old man arrested in Bangalore confessed to hacking Bitfinex and BTC-e exchanges.

• Physical offices of the South Korean Upbit exchange was almost set on fire by a disgruntled customer.

• Thieves rip bitcoin ATM from Barcelona crypto-store recorded on a wild video documenting the ordeal.

• OpenZeppelin released Smart Contract Security Registry to help track projects associated with a smart contract address as well as a security contact in case a vulnerability is discovered.

Ransomware

• P2P Cryptocurrency Exchange Chatex and Two Russian Nationals Indicted and Sanctioned for Roles in Ransomware Operations by Chainalysis.

• MediaMarkt hit with a $240M ransom from Hive ransomware group.

Scams

• A scam campaign extorts Instagram users to record Bitcoin-scam videos to get access back to their stolen funds back.

• Wired published an interesting article on anonymous Twitter users hunting crypto scammers in their spare time.

Hacks

• On November 3, 2021 Robinhood was targeted with a social engineering attack which resulted in unauthorized access to an internal customer management tool. Robinhood reported more than 5 million customer emails, 2 million full names, and other data was compromised.

• On November 10, 2021 Curve suffered an attempted governance attack by Mochi which minted large amounts of its USDM token to purchase CVX tokens used in voting. Curve responded with an emergency DAO action to restrict Mochi ability to vote in changes in the protocol.

• On November 13, 2021 Blizzard, an Avalanche-based DeFi project, lost $1M in assets after a couple of malicious insiders colluded to exploit a previously reported vulnerability.

• On November 13, 2021 Welnance, a BSC-based DeFi project, lost $100K in an oracle price manipulation attack.

Vulnerabilities

• OpenSea patched a critical vulnerability which could allow bad actors to mint NFTs on behalf of unwilling 3rd parties after it was responsibly disclosed by @fuckingrug. The disclosure process itself caused some disagreement in negotiating the bounty size.

• Harvest Finance patched a vulnerability in its proxy contract after it was responsibly disclosed by the Dedaub team using Immunefi.

Malware

• TrendMicro reports on TeamTNT targeting vulnerable docker hub accounts to install Monero miners.

Research

• Europol published Internet Organized Crime Threat Assessment (IOCTA) 2021 report which includes detailed treatment of ransomware and the use of cryptocurrencies in dark web marketplaces.

• Hiding in Plain Sight by samczsun discusses an awesome 0day discovered in Etherscan’s contract verification system and how it was used in the Pinball CTF challenge.

• Manipulating Uniswap v3 TWAP (Time-Weighted Average Price) by Michael Bentley.

• Recovering Assets from a Hacked Account with Flashbots by Kane Wallmann

• Mechanics of reorgs in PoS Ethereum thread by caspar.

• Trojan Source and Solidity thread by Alex Beregszaszi discusses of solidity handling Unicode characters and security implications.

• Bitcoin Explained episode explores a July 12th incident on the bitcoin network where a malicious party was flooding the network with fake peer addresses. A recently published whitepaper explores the attack in more details and how it could be used to map network topology.

• Top 10 DeFi Security Best Practices by Chainlink and CertiK

Tools

• Etherscan released their own token approval checker, a critical tool which can be used to quickly revoke access from compromised or phishing smart contracts.

• Ethereum Node Crawler by Ethereum Foundation.

Premium Content

Indicators

• TeamTNT mining malware:
  Domain: teamtnt[.]red
  IP: 45.9[.]148.182
  Shell Hashes:
  79ed63686c8c46ea8219d67924aa858344d8b9ea191bf821d26b5ae653e555d9
  497c5535cdc283079363b43b4a380aefea9deb1d0b372472499fcdcc58c53fef
  a68cbfa56e04eaf75c9c8177e81a68282b0729f7c0babc826db7b46176bdf222
  

• Welnance Hack
  BSC: 0x3e8164bd6cd56c1793b13a5c82cf17fca0ad44ed
  BSC: 0x96e28c2ffa1bbf45929051289ecfa8aa8039e23f
  BSC: 0xa6516b0fc4e98a942decd6ef733cae29b74a0951
  

• OFAC addresses related to Sodinokibi/REvil actors:
  BTC: 158treVZBGMBThoaympxccPdZPtqUfYrT9
  BTC: 389Sft4nJFkPGhbagk9FN4jXncA9piYTuU
  BTC: 39Te8MbphSgs7npDJPj2hbNzhke61NTcnB
  BTC: 31p6woV4e55HUfC2aGynFhzQnGoJFW26cD
  BTC: 3DNsaQnaUz7wkQny1ZDSmtz6QfbEShxoDD
  BTC: 3AjyprBY5yhijiCjUC5NUJutGbwhd3AQdE
  BTC: 35QpLWYkvD3ALhjbge5bK2kd7HfHYcDMu3
  BTC: 3NQ1aa9ceirMJ1JvRq3eXefvXj1L639fzX
  BTC: 3BsyZ7qRFSi3NsaoV1Ff724qAgrEpjVUHm
  BTC: 372Wk9NLrMkJzKgqJdatWJy4bYRfxFjgat
  BTC: 12udabs2TkX7NXCSj6KpqXfakjE52ZPLhz
  BTC: 1DT3tenf14cxz9WFNxmYrXFbB6TFiVWA9U
  LTC: ​​Leo3j36nn1JcsUQruytQhFUdCdCH5YHMR3
  DASH: Xs3vzQmNvAxRa3Xo8XzQqUb3BMgb9EogF4
  ETH: 0xfec8a60023265364d066a1212fde3930f6ae8da7
  ETH: 0x901bb9583b24d97e995513c6778dc6888ab6870e
  ETH: 0xa7e5d5a720f06526557c513402f2e6b5fa20b008