BlockThreat - Week 6, 2022
Bitfinex | PayBito | Dego | Superfluid | EarnHub | Optimism | Coinbase
Hello, crocodiles of web3!
This week features a rare event of the good guys catching some of the actors behind the Bitfinex exchange hack from almost 6 years ago. To balance this piece of good news, the PayBito exchange fell victim to a ransomware attack, another $11M was stolen from DeFi projects, Optimism and Coinbase patched critical bugs, and there are reports of insidious phishing and scam attacks below.
In other news, we are finally caught up on all the news! Thanks for your patience and see you in future, more regular editions of Blockchain Threat Intelligence.
If you are enjoying these newsletters consider subscribing to the paid edition to get access to full archives and premium content such as indicators from recent compromises and scams.
Events
ETHDenver on February 15, 2022, featuring a number of security talks.
Underhanded Solidity Contest 2022 is now accepting submissions with this year’s theme of Decentralized Exchanges.
News
Russia Seizes Four Major Dark Web Carding Sites with $263 Million in Crypto Sales.
US Treasury Department Warns of NFT Risk in Art-Related Money Laundering.
FTC Warns of Romance Scams Luring People Into Bogus Cryptocurrency Investments.
Tether Blacklists Ethereum Address Linked to Multichain Hack.
Bitfinex Arrest
The arrests of Ilya “Dutch” Lichtenstein and his wife, Heather Morgan, for allegedly laundering $4.5B in BTC stolen in the 2016 Bitfinex hack make for a fascinating and at times wacky story of the FBI’s excellent investigative capabilities. Only about 94K BTC were seized out of the roughly 120K BTC stolen. Below are select documents which describe the hunt and the eventual arrest:
US DoJ - Two Arrested for Alleged Conspiracy to Launder $4.5 Billion in Stolen Cryptocurrency contains a detailed investigation timeline, including the AlphaBay connection and a BTC wallet file decrypted from Ilya’s cloud drive.
US District Court - Government’s reply in support of review of detention order provides further details of the investigation and an escape plan.
Analysis of Heather Morgan’s Ethereum wallet, showing a $7M balance and a registered RZK.eth ENS name, by CryptoGulper.
The Rabbit Hole Beneath the Crypto Couple Is Endless by Vice provides a great overview of the above two documents as well as commentary from their friends and coworkers.
Summary of Heather Morgan’s talk on “How to Social Engineer Your Way Into ANYTHING”.
Scams
Arrow DAO founder targeted in an elaborate token-approval phishing scheme designed to steal aWETH: the victim is tricked into signing an approve() call that grants the attacker’s address an allowance, after which the attacker drains the tokens with transferFrom.
Harry is at it again, taking over unprotected MetaMask phishing servers.
Reports of users losing funds from their Atoken wallets.
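As an added worked example (not code from this newsletter, MetaMask, Aave or any project above): a wallet-side pre-signing check that decodes ERC-20 and ERC-721 approval calldata and flags unlimited allowances granted to spenders outside an allow-list, which is the pattern behind the aWETH approval phishing described above. The function selectors are the standard ones; the spender addresses, the allow-list and the calldata samples are constructed placeholders.

```python
"""Pre-signing check for token-approval phishing.

Added illustrative example, not code from BlockThreat, MetaMask or Aave.
Decodes approve / increaseAllowance / setApprovalForAll calldata and flags
unlimited allowances to spenders outside an allow-list. All addresses and
calldata samples below are constructed placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass

UINT256_MAX = (1 << 256) - 1

# Well-known 4-byte selectors: first 4 bytes of keccak256 of the signature.
SELECTORS = {
    bytes.fromhex("095ea7b3"): "approve(address,uint256)",            # ERC-20
    bytes.fromhex("39509351"): "increaseAllowance(address,uint256)",  # OpenZeppelin ERC-20
    bytes.fromhex("a22cb465"): "setApprovalForAll(address,bool)",     # ERC-721 / ERC-1155
}

# Constructed allow-list: a spender the user has deliberately vetted
# (e.g. a lending-pool contract). Placeholder address, not a real deployment.
TRUSTED_SPENDERS = {"0x1111111111111111111111111111111111111111"}


@dataclass(frozen=True)
class ApprovalFinding:
    function: str
    spender: str
    amount: int | None      # None for setApprovalForAll
    unlimited: bool
    spender_trusted: bool
    risk: str               # "low" | "medium" | "high"


def _word(data: bytes, index: int) -> bytes:
    """Return the index-th 32-byte ABI word after the selector, or fail loudly."""
    start = 4 + 32 * index
    word = data[start:start + 32]
    if len(word) != 32:
        raise ValueError("truncated ABI-encoded calldata")
    return word


def _address(word: bytes) -> str:
    # An ABI address word is 12 zero bytes followed by the 20-byte address;
    # non-zero padding means malformed or deliberately confusing calldata.
    if any(word[:12]):
        raise ValueError("non-zero padding in address argument")
    return "0x" + word[12:].hex()


def encode_approval(selector_hex: str, spender: str, value: int) -> str:
    """Build (address, uint256|bool) calldata; used here only to construct samples."""
    addr = bytes.fromhex(spender.removeprefix("0x")).rjust(32, b"\x00")
    return "0x" + selector_hex + addr.hex() + value.to_bytes(32, "big").hex()


def analyze_approval(calldata: str,
                     trusted: set[str] = TRUSTED_SPENDERS) -> ApprovalFinding | None:
    """Return a finding for approval-type calls, None for anything else."""
    data = bytes.fromhex(calldata.removeprefix("0x"))
    function = SELECTORS.get(data[:4])
    if function is None:
        return None
    spender = _address(_word(data, 0))
    is_trusted = spender.lower() in {t.lower() for t in trusted}

    if function.startswith("setApprovalForAll"):
        flag = int.from_bytes(_word(data, 1), "big")
        if flag not in (0, 1):
            raise ValueError("bool argument is not 0 or 1")
        amount, unlimited = None, flag == 1   # operator may move every token
    else:
        amount = int.from_bytes(_word(data, 1), "big")
        # Phishing kits usually request uint256.max, but anything >= 2**255 is
        # effectively unlimited for any real token supply; treat it the same way.
        unlimited = amount >= (1 << 255)

    if unlimited and not is_trusted:
        risk = "high"
    elif unlimited or not is_trusted:
        risk = "medium"
    else:
        risk = "low"
    return ApprovalFinding(function, spender, amount, unlimited, is_trusted, risk)


# Constructed samples: a phishing approve() to an unknown spender, and a
# bounded approve() to the vetted spender.
PHISHING_CALLDATA = encode_approval("095ea7b3", "0x" + "de" * 20, UINT256_MAX)
BENIGN_CALLDATA = encode_approval("095ea7b3", "0x" + "11" * 20, 10 * 10**18)

if __name__ == "__main__":
    for name, cd in (("phishing", PHISHING_CALLDATA), ("benign", BENIGN_CALLDATA)):
        print(name, analyze_approval(cd))
```

The check rejects malformed address words outright rather than silently truncating them, since a phishing page controls the calldata it asks the wallet to sign; anything that does not decode cleanly should be refused, not guessed at.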
Hacks
On February 3, 2022 LockBit ransomware group announced the compromise of PayBito exchange and the theft of 100K user PII.
On February 7, 2022 EarnHub lost $275K due to a reentrancy vulnerability.
On February 8, 2022 Superfluid Finance was exploited by injecting a forged, serialized context (ctx) payload through calldata, which resulted in the loss of $8.7M.
On February 9, 2022 Dego Finance lost $2.4M after its private key was compromised.
Vulnerabilities
Optimism patched a critical money-printing vulnerability (a SELFDESTRUCT handling bug in the OVM that allowed unlimited minting of ETH on L2) after it was responsibly disclosed by Saurik.
Coinbase patched a market manipulation vulnerability after it was responsibly disclosed by Tree of Alpha.
DogeGF reports a money-printing vulnerability in their Polygon network contract.
CoinDesk fixed a vulnerability allowing anyone to read draft articles after it was responsibly disclosed by Tree of Alpha.
Least Authority issued a public warning about a number of undisclosed vulnerabilities in the Atomic Wallet software.
Malware
Mods accused of bitcoin mining and downloading viruses removed from Steam.
Ransomware dev releases Egregor, Maze master decryption keys.
Google Cloud introduced cryptomining threat detection.
Research
Under-constrained computation, a new kind of bug by Joran Honig (Consensys).
4 Strategies for picking the perfect bounty hunting targets by Joran Honig.
Sample bug bounty vulnerability report template by Daniel Von Fange.
Web3 and Security: It’s time to grow up by Nathan Hamiel (Kudelski).
NFT Wash Trading: Quantifying suspicious behaviour in NFT markets.
Solidity DevSecOps Standard by Morphean Security.
Dice CTF 2022: Commitment Issues challenge solution breaks a custom RSA signature commitment scheme.
Tools
Compilation of smart contract security tools by @officer_cia.
EVM Symbolic Execution in Solidity for Foundry by leonardoalt.
Flashbots Proxy by Arachnid.