BlockThreat - Week 8, 2024
Tornado | LastPass | Jeffrey Zirlin | Blueberry | Compound | Aleo | DeezNutz | GAIN
Greetings!
This was a tough week that resurfaced some familiar attack patterns. LastPass users continue to be drained following last year's mass leak. Mass hacking campaigns also continued, targeting inattentive governance DAOs, weak ERC-404 tokens, and any vulnerable abandoned projects with remaining funds.
Jeffrey Zirlin (Axie Infinity) suffered a $9.7M loss due to private key theft. The incident is similar to the massive $112.5M theft from Chris Larsen (Ripple). This marks a trend where malicious actors target the personal wallets of high-level crypto executives.
Tornado Cash is in the news again where a malicious governance proposal managed to inject JavaScript into one of the front-end IPFS mirrors. This allowed bad actors to collect deposit notes which could be used to redeem deposited assets from the mixer. Both the malicious proposal and registration date of the deposit note collector domain place the compromise around January this year.
We have just discussed the birth of a new counter-hack industry following the White-Hat Safe Harbor Agreement. This week we witnessed an example of how things could work. A well-known MEV bot c0ffeebabe.eth managed to frontrun an exploit transaction worth $1.3M targeting Blueberry. The white-hat hack concluded with the return of vulnerable funds minus MEV fees and a 10% bounty.
The week’s premium section contains detailed incident reports and indicators for a total of 13 incidents this week totaling $30M, including the compromises above.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Let’s dive into the news!
News
Bitfinex Hacker Turns State’s Witness in Bitcoin Fog Mixer Trial.
LockBit ransomware gang has over $110 million in unspent bitcoin. The news comes following the recent arrest of an affiliate in Poland.
The 2024 Crypto Crime Report by Chainalysis.
Crime
Policy
Phishing
ZachXBT recovers majority of $177K stolen NFT proceeds after 9-month probe.
Dechat accidentally shares ‘honeypot’ scam link in token announcement.
MicroStrategy Twitter Account Hack: $424K Looted in Fake Ethereum Airdrop Scam.
Reports of a phishing campaign abusing Account Abstraction wallets.
New crypto scam drains users' wallets without transaction approval.
Exodus Bitcoin Wallet: $490K Swindle by Alan Pope.
Scams
Blast Ecosystem Sees First Apparent Scam as 'RiskOnBlast' Rug Pulls $1.3M Ether.
Exit Scam? Bitcoin Exchange BitForex Shutters After $57M Mysteriously Withdrawn.
Dating app encounter leads to $450,000 cryptocurrency romance scam.
Malware
The Enigma of LockBit, The World’s Leading Ransomware Syndicate by SlowMist.
Russian Threat Actors Abuse Cloudflare and Freenom Services to run DaaS Program by Cyfirma.
Migo - a Redis Miner with Novel System Weakening Techniques by Cado.
The Pulse of Fileless Cryptojacking Attacks: Malicious PowerShell Scripts.
Contests
Zero Knowledge Puzzles by spoOds.
Media
Scraping Bits - #57: Designing A Crypto Smart Contract Fuzzer From Scratch - Ft. AlphaRush.
JohnnyTime - Interview with 0xNevi.
Research
Top 10 Blockchain Hacking Techniques of 2023 Candidates features a fascinating list of compromises and techniques.
Stacks DoS Bugfix Review by Immunefi.
Paternalism Versus The Invisible Hand in the Risk Management of Lending Protocols by Euler Labs.
Finding Auxdatas in the Bytecode by Kaan Uzdogan and Marco Castignoli.
ERC404: The Experimental Semi-Fungible Standard by Three Sigma covers token functionality and security pitfalls.
Mastering Fuzzing by Elpacos is a repo containing Foundry and Echidna fuzzing examples for the corresponding Web3 Security: All Things Fuzzing workshop.
Uniswap v3: A Fuzzing Review by Nican0r.
Evaluation of ChatGPT's Smart Contract Auditing Capabilities Based on Chain of Thought.
Solana Smart Contract Security Best Practices by SlowMist.
New Hardware Wallet Security Assessment Features for Wallet Security Audit by SlowMist.
SoK: What don't we know? Understanding Security Vulnerabilities in SNARKs.
Latency is Money: Timing Games /acc by Data Always.
Tools
Key by TrueBlocks - Get a complete historical list of appearances (block number, transaction id) for any Ethereum address.
Libmev - MEV transaction and block explorer.
Fuzz-utils - Automated tool for generating Foundry unit tests from smart contract fuzzer failed properties by crytic.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerability, indicators, special reports, and searchable newsletter archives.