Hey friends!

If you’ve been following the newsletter for some time you already know that there is never a dull week in blockchain security. The Platypus hack was a real rollercoaster that started with a $9m theft by an inexperienced attacker which ended up locking up most of it. The wild part comes in with BlockSec team swooping in with a counter hack to recover some of the assets. It’s always impressive to watch the good folks operate on this new frontier giving hope during hard times!

Dexible and Revert Finance were exploited with router injection vulnerabilities resulting in $2m+ losses to users who approved their funds to these contracts. All of the indicators are in the Premium section as always.

In other news the Chainalysis 2023 crypto crime report finally dropped which you should definitely check out while along with multiple reports of $7m+ in hacked funds frozen on exchanges.

Oh and be sure to check out a three part investigation blog series by Heidi Wilder and myself exploring the damning zero transfer phishing attack and perpetrators behind one of the campaigns in the Scams section.

Let’s dive into the news, but first some encouraging stats darknet market revenues from our friends at Chainalysis!

Darknet Market Revenue Fell ~50% 2022

Why? Hydra controlled 93% of the illicit market. And when they went down, so did darknet market revenue. But that didn’t stop other shops from attempting to capture market share and fight for users in the wake of the Hydra shutdown.

In our latest crime report preview, we examine how drug buyers and illicit users transitioned to other darknet markets, and where potential Hydra vendors and admins may have migrated.

Get the latest on darknet markets in 2022 now >

News

• The Chainalysis 2023 Crypto Crime Report.

• SEC Charges Terraform and CEO Do Kwon with Defrauding Investors in Crypto Schemes.

• Norwegian Authorities Seize Crypto Worth $6M From Axie Infinity Heist With FBI's Help.

• Binance and Huobi Freeze $1.4 Million in Crypto Linked to North Korea.

• Coins of War: How Crypto Keeps Feeding Russia's War Despite Sanctions.

• Terrorist Financing: Six Crypto-Related Trends to Watch in 2023 by TRM.

• DFPI Launches Scam Tracker to Help the Public Spot Crypto Scams.

• New ‘Sinbad’ Bitcoin Mixer Unmasked As Formerly Sanctioned Blender.

Scams

• Zero Transfer Phishing - Part 1 - Attack Analysis by Heidi Wilder and Peter Kacherginsky.

• Zero Transfer Phishing - Part 2 - Phishing Campaigns by Heidi Wilder and Peter Kacherginsky.

• Zero Transfer Phishing - Part 3 - Hashlinked by Heidi Wilder and Peter Kacherginsky.

• A deep dive into the operation of the monkeydrainer web3 phishing kit by Alchemyst.

• Fake Ethereum Denver website linked to notorious phishing wallet.

• Loyalist: $4m stolen from over 400 victims by ZachXBT.

• User Asset Security - Lesson 7: Offline signatures can drain your wallet Part 1 and Part 2 by DeFiHackLabs.

• User Asset Security - Lesson 6: How to handle or report the theft of crypto? by SunWeb3Sec.

Hacks

• On February 15, 2023 a victim on Multichain’s Anyswap lost $130k due to an old signature verification vulnerability that has been long patched.

• On February 16, 2023 Platypus lost $9m due to a logic error when handling withdrawals with borrowed assets. In a series of bizarre twists attacker failed to implement a withdrawal function in their exploit contract effectively freezing most of the stolen assets, got hacked by the BlockSec team which recovered $2.4m USDC, and also got doxxed by none other than ZachXBT. Overall a happy end to a very sloppy hack.

• On February 17, 2023 Dexible lost $2m due to insufficient validation of user supplied router parameter. The exploit primarily affected platform’s users such as BlockTower Capital which lost $1.5m of the above.

• On February 18, 2023 Revert Finance lost $29k due to insufficient parameter validation which allowed attackers to inject a malicious router.

Vulnerabilities

• Beanstalk Logic Error Bugfix Review by Immunefi.

• EIP4337Manager selfdestruct vulnerability by taek lee.

• Avalanche Protocols Signature Exploit Part One, Two, Three, Four by cryptomedication.

• Dookey Dash - Deep dive into the sewer by cmichel.

• Sewer Pass Flash Claim Vulnerability by BendDAO.

• Logic Error Bug Fix Review by Balancer Labs.

Malware

• 451 PyPI packages install Chrome extensions to steal crypto.

• Check Point CloudGuard Spectral detects malicious crypto-mining packages on NPM.

• New MortalKombat ransomware and Laplas Clipper malware threats deployed in financially motivated campaign.

• SideWinder APT Spotted Targeting Crypto.

Contests

• EKO2022 Enter the metaverse CTF and a Phoenixtto solution by StErMi.

• Huffing Ethernaut challenges and solution implementation by mektigboy.

Research

• How BlockSec Rescued Stolen Funds: From Technical Perspectives of Three Representative Cases by BlockSec.

• Solidity Integer Overflow & Underflow by Neptune Mutual.

• Invariant Testing WETH With Foundry by horsefacts.

• Saving Millions in 2023 with Specification-Guided Fuzzing by Veridise.

• Security Threat Mitigation For Smart Contracts: A Survey.

• Entering the Huff Ecosystem by merkleplant.

• Introduction to Zero-Knowledge Proof Part 2 by Numen.

• Dissecting Ethereum delegated staking from a security perspective — Part 2 by Coinspect Security.

• Security Checkpoints for EIP-4337 Based Account Abstraction Implementation by Fairyproof Tech.

• The ‘U Up?’ Files With Joran Honig by Immunefi.

Tools

• BLUR Airdrop Twitter/Address Miner.

• Navigating through the Web3 tools by Neptune Mutual.

Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with indicators, special reports, and searchable newsletter archives.

Premium Content

Indicators

Playtypus Attackers

Avalanche: 0x54cdcbdba40e294e8832230db706cee76e1f20f3
Avalanche: 0x503fcc0c1a0bb3c1eba97fc614b36b18dd63630a
Avalanche: 0x67afdd6489d40a01dae65f709367e1b1d18a5322