BlockThreat - Week 48, 2022
Ankr | Helio | North Korea | AppleJeus | Overnight
The focus of this week was on the Ankr compromise. It was a particularly nasty combination of an off-chain private key hack and an on-chain contract upgrade, which resulted in quadrillions of aBNBc tokens minted on BSC. The attackers made matters worse by leaving the minting function exposed, inviting a barrage of copycat exploiters. Interestingly, a group of traders made three times the profit of the original Ankr attackers by exploiting a slow price oracle to borrow $19M worth of Helio's stablecoin. As always, a complete set of indicators for all of the attackers and copycats is in the premium section below.
North Korea is at it again with a new AppleJeus malware campaign dubbed BloxHolder. Check out the malware section for details. New scammer techniques emerged despite the overall market slowdown.
On the bright side, this edition features a research section full of thrilling blockchain investigations, a new smart contract auditor book, CTF solutions, and state of the art tools. Enjoy!
Coinbase Foils Extortion Attempt, Reinforces Bug Bounty Program.
Russian billionaire latest crypto tycoon to die mysteriously.
AAX Users Storm Crypto Exchange's Nigerian Offices, Attack Employees.
US Prosecutors Charge 21 Alleged ‘Money Mules’ With Using Crypto to Launder Proceeds of Cybercrimes.
London Court Orders Six Crypto Exchanges to Share Client Details to Assist in $10.7M Fraud Case.
SIM swapper gets 18-months for involvement in $22 million crypto heist.
Mega Investment Fraud Schemes Pervasive Despite ‘Crypto Winter’ by TRM.
Anatomy of Front Running Scams by CertiK.
Address Poisoning Attack, A continuing Threat by X-explore.
Be Wary of the TransferFrom Zero Transfer Scam by SlowMist.
CashRewindo: How to age domains for an investment scam like fine scotch by Confiant.
On December 1, 2022 CoinTracker’s service provider was compromised which resulted in the theft of customer email addresses and referral codes.
On December 2, 2022 Ankr lost $5M as a result of a private key compromise which was used to upgrade aBNBc contract with a malicious minting function.
On December 2, 2022 Helio lost $19M as a result of a delayed price oracle which allowed traders to borrow stablecoin with worthless aBNBc token.
On December 2, 2022 Overnight Finance lost $175K due to a price oracle manipulation exploit.
88MPH Theft Of Unclaimed MPH Rewards Bugfix Review by Immunefi.
Successful Resolution of xAPIC Vulnerability on Secret Network by Secret Network.
Tellor Issue and Fix by Liquidity.
₿uyer ₿eware: Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware by Volexity.
Accidentally Crashing a Botnet by Akamai.
The Hunt for the Dark Web’s Biggest Kingpin parts 1, 2, 3, 4, 5, 6.
Reckless: The Story Of Cryptocurrency Interest Rates chapters 1, 2, 3.
Tornado Cash Alternatives by Elliptic.
The Auditor Book by Code4rena and Sherlock.
Building Secure Smart Contracts by Trail of Bits now includes Algorand, Cairo, Cosmos, Substrate.
All is Fair in Arb and MEV on Avalanche C-Chain by Daniel D. McKinnon.
The Optimizer’s Guide to Solidity pt. 4 — Binary Size Tricks by Omniscia.
Specialized Zero-Knowledge Proof failures by Trail of Bits.
Designing Secure Access Control for Smart Contracts by Halborn.
EVM through CTFs by Nazar Ilamanov.
Intro to Smart Contract Audit Series: Phishing With tx.origin by SlowMist.
Why the Moonbeam’s new pre-compile contract can create side-effect on its ecosystem by Haechi.
Ethereum Transaction Explorers and Analyzers thread by w1nt3r_eth.
grim-reaper - EVM-based on-chain liquidation bot for Aave V3 built with Huff language.