Blockchain Threat Intelligence

BlockThreat - Week 47, 2023
HTX | Heco | Kyber | Exzo | Indexed Finance

Peter Kacherginsky
Dec 06, 2023

Greetings!

What a crazy week! CeFi and DeFi entities lost a combined $160M. In this edition you will learn about new tricks used by North Korean actors, details of the KyberSwap compromise and the actors behind it, the latest criminal and policy actions in the ecosystem, and, as always, plenty of the latest research and tools. Speaking of tools, a quick word from this week’s sponsors at Ackee Blockchain, who put together a really cool Solidity security testing and development framework called Wake:


Ackee Blockchain (security firm) introduces a new Python-based Solidity development and (fuzz) testing framework with built-in vulnerability detectors and printers. It has prevented medium- to critical-severity bugs on projects such as Axelar, Brahma, IPOR, Solady and 1inch. Comes with a VS Code extension, Tools For Solidity (Wake). Battle-tested on Ackee Blockchain audits.

Check out Wake here!


Let’s start with CeFi. Lazarus has clearly burrowed deep into Justin Sun’s ecosystem and continues draining its wallets. Heco Bridge and HTX (ex-Huobi) exchange lost more than $108M, all due to private key theft, just like the $130M Poloniex hack from two weeks ago. These are not fancy Web3 compromises but good old Web2 infrastructure hacks. It’s time to bring in a traditional incident response team to figure out the impact and kick out the bad actors.

On the DeFi side, the KyberSwap compromise resulted in almost $49M in losses. The compromise is an interesting case study due to the complexity of the exploit, the multiple reputable audits and bug bounty reports that missed the flaw, and the overall maturity of the compromised protocol. The attacker side is even more interesting: the $2M tip to the Indexed Finance attacker clearly indicates they subscribe to the same “code is law” paradigm, or in their own words “Might makes Right.” This explains their unwillingness to accept the now-common 10% ransom and the ongoing trolling demanding that control of the company be handed over.

Another alarming trend is the rise in governance attacks, some of them associated with DPRK actors. Indexed Finance alone was hit twice: one attempt involved a North Korean actor and another came from a copycat who engaged in an intense “bounty” negotiation. A bold move to negotiate from a doxed wallet. All of these attacks simply involved purchasing low-value governance tokens in an attempt to force through malicious governance proposals. While all of these attempts failed, someone is persistent enough to hit at least 4 projects in a week and is likely to continue.
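
As an added illustration of the pattern just described (this is not code from the newsletter or from Indexed Finance, Signata or any other protocol named here), the following Python sketch triages a governance proposal for the two tell-tale signs of such an attack: an action that pays treasury tokens to the proposer, and voting power that did not exist shortly before the proposal was filed. It assumes OpenZeppelin-style Governor proposals, where each calldata carries its 4-byte function selector; the Proposal fields, the helper names and the sample addresses and amounts are constructed for the example.

```python
"""Triage of on-chain governance proposals for the "buy cheap votes, drain the
treasury" pattern.  Added example with constructed data; it is not code from
the newsletter or from any protocol it mentions.  Assumes OpenZeppelin-style
Governor proposals, where each calldata starts with its 4-byte function
selector (Compound's Governor Bravo carries the signature separately)."""
from dataclasses import dataclass

# keccak256 selectors of the ERC-20 functions that move or delegate value
TRANSFER = "a9059cbb"       # transfer(address,uint256)
APPROVE = "095ea7b3"        # approve(address,uint256)
TRANSFER_FROM = "23b872dd"  # transferFrom(address,address,uint256)


@dataclass
class Proposal:
    proposer: str
    targets: list            # contract called by each action
    calldatas: list          # 0x-hex, selector + ABI-encoded arguments
    votes_at_snapshot: int   # proposer voting power at the proposal snapshot
    votes_before: int        # proposer voting power some blocks before proposing


def _addr(word: str) -> str:
    """Last 20 bytes of a 32-byte ABI word, as a lowercase 0x address."""
    return "0x" + word[-40:]


def decode_erc20(calldata: str):
    """Return (function, recipient, amount) for value-moving ERC-20 calls, else None."""
    data = calldata.lower().removeprefix("0x")
    sel, args = data[:8], data[8:]
    words = [args[i:i + 64] for i in range(0, len(args), 64)]
    if sel == TRANSFER and len(words) == 2:
        return ("transfer", _addr(words[0]), int(words[1], 16))
    if sel == APPROVE and len(words) == 2:
        return ("approve", _addr(words[0]), int(words[1], 16))
    if sel == TRANSFER_FROM and len(words) == 3:
        return ("transferFrom", _addr(words[1]), int(words[2], 16))
    return None


def triage(p: Proposal, linked=(), max_prior_share=0.5) -> list:
    """Two heuristics for the attacks described above:
    (1) an action that pays treasury tokens to the proposer or a linked address,
    (2) voting power that barely existed before the proposal (freshly bought)."""
    findings = []
    suspects = {p.proposer.lower(), *(a.lower() for a in linked)}
    for target, cd in zip(p.targets, p.calldatas):
        dec = decode_erc20(cd)
        if dec and dec[1] in suspects:
            findings.append(f"{dec[0]} of {dec[2]} base units from {target} to {dec[1]}")
    if p.votes_at_snapshot and p.votes_before < p.votes_at_snapshot * max_prior_share:
        findings.append(
            f"flash-acquired votes: {p.votes_before} -> {p.votes_at_snapshot} at snapshot")
    return findings


def encode_transfer(to: str, amount: int) -> str:
    """ABI-encode transfer(to, amount) the way a proposal calldata carries it."""
    return "0x" + TRANSFER + to.lower().removeprefix("0x").rjust(64, "0") + f"{amount:064x}"


# Constructed sample data: a throwaway proposer, a treasury token, a dormant protocol.
ATTACKER = "0x" + "ab" * 20
TOKEN = "0x" + "cd" * 20
MALICIOUS = Proposal(
    proposer=ATTACKER,
    targets=[TOKEN],
    calldatas=[encode_transfer(ATTACKER, 1_000_000 * 10**18)],
    votes_at_snapshot=600_000 * 10**18,   # bought right before proposing
    votes_before=0,
)
BENIGN = Proposal(
    proposer="0x" + "ef" * 20,
    targets=["0x" + "12" * 20],
    calldatas=["0xdeadbeef" + f"{30:064x}"],  # constructed, non-ERC-20 parameter change
    votes_at_snapshot=1_000_000 * 10**18,
    votes_before=1_000_000 * 10**18,      # long-standing holder
)

if __name__ == "__main__":
    for name, prop in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(name, triage(prop) or ["no findings"])
```

Against a live protocol you would take targets and calldatas from the ProposalCreated event and the two voting-power readings from getPastVotes at the snapshot block and some blocks earlier; Compound-style Governor Bravo proposals carry the function signature separately from the arguments, so the selector would have to be prepended before decoding.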

To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.

In other news, Inferno Drainer is following its predecessor Monkey Drainer by shutting down. I would say good riddance, but the last time this happened it caused a Cambrian explosion of new drainer kits. Speaking of phish kits, the September Nansen leak is now being actively used for phishing campaigns, so be on the lookout.

Oh, and be sure to check out Tay’s massive archive of North Korean crypto hacks in the research section. Let’s dive into the news!

News

  • The Red Guild Zine - Universe 0x00 (Genesis), World 0x01.

  • Security Researcher Awarded $1.7 Million by Fantom Foundation.

  • Korean gov’t officials targeted by North’s ‘journalist’ crypto hackers.

  • Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors.

  • Bitcoin user claims to be victim of hack which led to record $3 million transaction fee.

Crime

  • Binance and CEO Plead Guilty to Federal Charges in $4B Resolution.

  • Tether Assists the U.S. DOJ and U.S. Secret Service in Criminal Investigations and Victim Recovery.

  • Tether Worth $9M Tied to 'Pig Butchering' Scams Is Seized by U.S. DOJ.

  • HTX skips Dutch court, ordered to reveal user’s identity.

  • Hong Kong police vow to make arrests after Hounax virtual asset trading platform allegedly scams 131 people out of nearly HK$120 million.

  • Do Kwon’s Extradition Approved by Montenegro Court.

  • Scammer Moves $1.2 Million Worth Bitcoin Sitting Inside a Prison.

  • Mumbai airport threatened with bombing in bitcoin blackmail plot.

  • Richmond man charged in $10 million cryptocurrency home invasion theft.

  • Arrest made in Nigeria’s Patricia Technologies crypto wallet heist.

Scams

  • Inferno Drainer announces shutdown.

  • Nansen phishing emails flood crypto investors’ inboxes.

  • Unraveling the Rug Pull: a Million-Dollar Scam with a Fake Token Factory by Check Point Research.

  • Loopring X Twitter account was compromised to promote a phishing link.

Contests

  • Curta Cup CTF Write-Up by Cairo.

  • Curta Cup CTF Writeup by DeFiHackLabs.

  • Curta CTF - Lana Puzzle solution by minaminao. Challenge source.

  • Solidity Inheritance Puzzle and Solution by Apoorv Lathey.

Media

  • Beyond Fuzzing Symbolic Testing in Practice by Daniel “karmacoma” Reynaud and Daejun Park.

  • Unchained Crypto - How DeFi Hack Negotiators Get the Job Done: The Chopping Block. The episode features war stories from Ogle Crypto, including the ongoing KyberSwap compromise.

Research

  • Lazarus/Bluenoroff Research Database by tayvano. According to Tay’s research the APT group steals $2.93m every day on average.

  • You were not pwned by The Red Guild - Ethereum Argentina 2023.

  • The Billion Dollar Exploit: Collecting Validators Private Keys via Web2 Attacks by Elad Ernst.

  • Lethal Integration: Vulnerabilities in Hooks Due to Risky Interactions by BlockSec.

  • Ecosystem Explorer — Exploring Interchain Operability Protocols and Their Security Measures by ChainLight.

  • Ghost In The Machine: Liquidations in Aave by Douglas Fir.

  • Introduction to fuzzing by bloqarl.

  • Web-based Wallet security practices by jayden-sudo has a list of common web3 wallet pitfalls including PoC demos.

  • Heuristics for Detecting CoinJoin Transactions on the Bitcoin Blockchain.

  • A Guide to Solana for Ethereum Analysts by Andrew Hong.

  • Blockchain Security Audit List by 0xNazgul has a nice directory of audit companies and other resources.

Tools

  • Wake - The new Python-based Solidity development and testing framework with built-in vulnerability detectors and printers.

  • Vulcan - Development framework for Foundry projects, with a focus on developer experience and readability.

  • Recovering Funds with HackedWalletRecovery Tool by Officer Cia.

  • Free Historical Blockchain Extraction with Cryo + Merkle Reth Nodes by 0xEvan.

  • Impersonator Iframe - An iframe component that allows opening dapps with any Ethereum address impersonated.

  • anvil-web3 - Easily interact with and create anvil chains from python.


Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.


Premium Content

The content presented below is intended for personal use only and is protected by copyright laws. Any unauthorized distribution, reproduction, or inclusion of this content in public or commercial products, databases, publications, and other mediums is strictly prohibited without the express written permission of the author.

Hacks

Indexed Finance

Date: November 16, 2023
Exploit Vector: Governance
Impact: None, failed attempt
Chain: Ethereum

Indicators:
Ethereum: 0xdf0b30404ecbf0fd6905d7722f76b0a9d3da6e14 (DPRK)

References:

  • https://twitter.com/zachxbt/status/1726002049123340666

  • https://twitter.com/functi0nZer0/status/1725922016484597975

  • https://www.tally.xyz/gov/indexed/proposal/24?chart=0

Signata

Date: November 20, 2023
Exploit Vector: Governance
Impact: None, failed attempt
Chain: Ethereum

Indicators:
Ethereum: 0x849635d7ea4c145dc214bfcfa48704ce9de090c5
Ethereum: 0x1efaf213d7ca09e2b5ed837b0f9c9e43f32e9e12
Ethereum: 0xc9ddd242356190d8e7f1910749b44830a1468423

References:

  • https://twitter.com/Phalcon_xyz/status/1726790219221930286

Indexed Finance

Date: November 21, 2023
Exploit Vector: Governance
Impact: $10,000 (ransom)
Chain: Ethereum

Indicators:
Ethereum: 0x284d72effa0a1a6e4801a682c464908c5716d697
Ethereum: 0x4515957daf1c5a1cd2e24d000e909a0ff6be1975 (kiki.eth)

References:

  • https://twitter.com/functi0nZer0/status/1728473843054903622

  • https://twitter.com/ndxfi/status/1727501640045936954

  • https://www.tally.xyz/gov/indexed/proposal/27

Exzo Finance

Date: November 21, 2023
Exploit Vector: Stolen private keys
Impact: $470,000
Chain: Ethereum

Indicators:
Ethereum: 0x034b84a81a11af02282c646e956143f6036c34e6

References:

  • https://twitter.com/Exzo_Network/status/1726680105915765211

  • https://twitter.com/Exzo_Network/status/1727032638479765866

  • https://etherscan.io/idm?addresses=0x3160ef53c7b5968f6a3eed0c3659b982603e0622,0x1816687a332a3d0583ea06f725e90dd724b0aff7&type=1

Heco Bridge

Date: November 22, 2023
Exploit Vector: Stolen private keys
Impact: $86,600,000
Chain: Heco, Ethereum

Indicators:
Ethereum: 0xfc146d1caf6ba1d1ce6dcb5b35dcbf895f50b0c4
Ethereum: 0xe47e6da16bb83eb0fd26b3f29b15ce8fab089b9e

References:

  • https://twitter.com/CyversAlerts/status/1727276003196600539

  • https://hacken.io/insights/heco-bridge-hack-explained/

  • https://twitter.com/hackenclub/status/1727291161981993093

  • https://twitter.com/PeckShieldAlert/status/1727286692489679360

  • https://olympixai.medium.com/heco-bridge-hack-analysis-64cffda76684

Exploit:

  • https://etherscan.io/address/0xfc146d1caf6ba1d1ce6dcb5b35dcbf895f50b0c4

© 2025 Peter Kacherginsky