Despite a tumultuous previous month, with large-scale sanctions and clampdowns on crypto-based cybercrime, September has been no different in the scale and gravity of attacks. This month holds significance within the crypto community as we saw “The Merge” take place on the Ethereum network, in a big effort to reduce energy consumption. This event and others have led to threat actors conducting a series of scams and attacks. As with August, the cryptocurrency space has grown and a total of 21,158 cryptocurrencies were tracked by coinmarketcap.com by the end of the month. This is an increase of around 340 new coins since the last report.
In this report, we will discuss some of the most impactful threats to the cryptocurrency space that occurred in September.
KyberSwap exchange hit by code injection attack
KyberSwap defines itself as a Dynamic Market Maker, which is a combination of a decentralised exchange (DEX) and a liquidity protocol. This enables users to make fast and efficient trades, using a technique known as Dynamic Trade Routing. This is where several routes of trade are analysed to achieve the best price.
On 1 September, the team at KyberSwap noticed an unusual element on their main page. In a report released by the team, they detail how malicious code had been injected into their Google Tag Manager. This technique was previously noticed by researchers, as threat actors used it to target payment portals as part of an attack known as web skimming. The attackers inject malicious code into the Google Tag Manager script, causing the normally legitimate service to load malicious elements onto the web page. In the case of web skimming this is used to steal customer card details at payment; in the case of KyberSwap it was used to prompt users to sign an approval over their funds, which then routed those funds to the attacker’s wallet.
The KyberSwap team has indicated that around $265,000 worth of user funds were stolen in this attack. Despite this, the company has promised to return all stolen funds to those affected, whilst also releasing advice to help users revoke the malicious approval they may have signed. Interestingly, the team has taken a newly popular route and placed a message within their report addressed to the attacker themselves: this appeals for the attacker to become a “white hat” and return the stolen funds. In exchange for this, they will offer 15% of the funds back as a bounty. The message also details that if the attacker does not pay, the company has enough information to begin a thorough investigation to identify the individual. This trend of offering bounties to “black hat” hackers to turn “white hat” has become increasingly common and is seen by DeFi companies as a simple way to help return the funds. While this is often over market value for a traditional bug bounty, the possibility of recovering large amounts of funds, or of potentially saving a company from liquidation, is a lifeline that many are happy to take.
Bug in ShadowFi causes liquidity to be drained
On 1 September, an attack was conducted against the ShadowFi protocol, specifically targeting their liquidity pools. The protocol, which specialises in providing a private and secure cryptocurrency, aims to protect personal information from “corporate and global financial entities”. The ShadowFi project had been live for only a few hours, launching the same day as the attack.
The team explains that the attack came from a vulnerability within their burn function, due to poorly filtered input values. The attacker was able to pass any address into the function, allowing them to burn the majority of the tokens of any user on the protocol. Once the hacker had exploited this vulnerability and burned almost all the tokens, they were able to use the new supply to remove large amounts of BNB from the liquidity pool. This totalled around $300,000 worth of the token, which was then transferred into the crypto-mixing service known as Tornado Cash. This shows that threat actors are still using the service despite its sanctioning last month.
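The class of flaw described above, as an added illustration that is not ShadowFi’s code: a minimal token ledger whose burn function takes an account parameter. `burnUnchecked()` lets any caller destroy any holder’s balance; `burn()` and `burnFrom()` show the ownership and allowance checks that prevent it. Token name and supply are constructed values.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not ShadowFi's contract. A minimal ERC-20-style ledger
// with three burn entry points: one reproducing the unfiltered-input flaw,
// two showing the checks that tie a burn to the caller's own authority.
contract BurnableLedger {
    string public constant name = "ExampleToken"; // constructed sample name
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);

    constructor(uint256 initialSupply) {
        totalSupply = initialSupply;
        balanceOf[msg.sender] = initialSupply;
        emit Transfer(address(0), msg.sender, initialSupply);
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        emit Approval(msg.sender, spender, amount);
        return true;
    }

    // VULNERABLE: the caller chooses `account` and nothing ties it to
    // msg.sender, so anyone can destroy another holder's tokens. Shrinking
    // supply this way distorts the price a liquidity pool quotes.
    function burnUnchecked(address account, uint256 amount) external {
        _burn(account, amount);
    }

    // HARDENED: a holder may only burn their own balance.
    function burn(uint256 amount) external {
        _burn(msg.sender, amount);
    }

    // HARDENED: burning on behalf of another account requires an explicit
    // allowance, which is consumed so the permission cannot be reused.
    function burnFrom(address account, uint256 amount) external {
        uint256 allowed = allowance[account][msg.sender];
        require(allowed >= amount, "burn amount exceeds allowance");
        allowance[account][msg.sender] = allowed - amount;
        _burn(account, amount);
    }

    // Shared bookkeeping; every entry point above must reach it only after
    // proving the caller is entitled to burn from `account`.
    function _burn(address account, uint256 amount) internal {
        require(account != address(0), "burn from zero address");
        uint256 bal = balanceOf[account];
        require(bal >= amount, "burn amount exceeds balance");
        balanceOf[account] = bal - amount;
        totalSupply -= amount;
        emit Transfer(account, address(0), amount);
    }
}
```

A review of any token contract should confirm that no externally callable path reaches the internal burn logic with an account that is neither `msg.sender` nor covered by a consumed allowance.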
Their own report identifies that there is a significant amount of suspicion around the attack, with multiple people accusing the protocol itself of causing it. However, the ShadowFi team maintains that this is not the case and that they are conducting as many investigations as possible. After the attack, the organisation posted a further report titled “ShadowFi — Resurrection”. This details the roadmap back to operation, including employing a third-party to audit their smart contracts, as well as offering a plan for users wishing to exit the service. The team promised that full operation will be back as soon as they raise the missing 1,100 BNB back into their vault.
Islamic State starts using NFTs
NFTs or Non-Fungible Tokens have become one of the most popular and widespread digital assets since the popularisation of cryptocurrencies. It seems, however, that terrorist organisations are not excluded from this. It has been reported that the terrorist organisation known as the Islamic State has begun a foray into the NFT space.
An alleged supporter of the Islamic State group minted an NFT under the title “IS-NEWS #01”. In a report published by the Wall Street Journal, they claim the image contains the Islamic State logo alongside a message praising Islamic militants for bombing a mosque in Afghanistan, an attack which took place back in August. The NFT was briefly visible on popular marketplaces such as OpenSea and Rarible but was swiftly removed by the platforms. Despite the token being removed from trading marketplaces, as it was minted on a blockchain the NFT itself is permanent.
This provides an interesting scenario for how terrorist organisations can distribute protest and campaign material which will exist permanently. Raphael Gluck, co-founder of the jihadist research group “jihadoScope”, was quoted within the report saying that “it’s very much an experiment […] to find ways to make content indestructible”. This tactic was used previously by the Belarusian Cyber Partisans, who minted a series of NFTs by using passport images which depicted government officials within the country. This was reported on in the August Crypto Threat Landscape Report, and it was concluded that the use of NFTs would become an increasingly popular trend for protest and propaganda material. This incident indicates that this is coming to fruition. While the quick takedown from marketplaces was an important step, it is key that this new tactic is monitored closely, as it becomes a powerful tool within the arsenal of malicious actors looking to spread information.
Lawsuit against Tornado Cash sanctions backed by Coinbase
Last month saw the monumental decision from the US Treasury to sanction the Ethereum mixing service known as Tornado Cash. This service is used to anonymise cryptocurrency by mixing it with other cryptocurrencies to make it significantly harder to track. Since the sanction, a series of efforts has been put in place to help quell the usage of the platform, such as blacklisting of wallets and the suspension of developer accounts.
However, on 8 September a lawsuit was filed against the Treasury contesting the decision to sanction the service. What makes this lawsuit special is that the well-known cryptocurrency exchange Coinbase has agreed to bankroll the court challenge. The suit was filed by six individuals, two of whom are employees of Coinbase, who all claim they used the service legitimately and have suffered financial damage due to the sanctions. The group claims that by sanctioning a piece of software, the Treasury has gone beyond its legal authority for a process usually reserved for persons and entities.
The sanctions have caused significant unrest among the crypto community, with a wide range of opinions and viewpoints being shared. Whilst Tornado Cash clearly had legitimate users, researchers at TRM Labs have released a report stating that an estimated 41% of all funds transferred through the service were linked to cybercrime. It is important that government organisations use their powers to help tackle the operations being undertaken by cybercriminals. It is, however, clear that they must be careful not to overstep their duty and begin to take down tools which are primarily legitimate. While the outcome of this court case is not yet known, the verdict will set a standard for the future of software sanctions.
Shiba Inu AWS credentials leaked on GitHub
Shiba Inu (SHIB) is a cryptocurrency asset named after the dog breed with the same name. Created by founder Ryoshi in 2020, the coin was originally not treated seriously but is now the fourteenth largest cryptocurrency tracked by CoinMarketCap at the time of writing.
Despite its light-hearted branding, it is not immune to security flaws, as this month saw the project have its AWS credentials leaked on GitHub. On 8 September, a researcher released a report detailing the issue discovered. They explain that after attempting to contact the development team directly to detail the issue, they received no response and so posted their findings to broaden awareness of leaked secrets in code repositories. A developer had committed hard-coded credentials into the official Shiba Inu repository, which had been live for around two days before they were invalidated. The validity of these credentials was verified, and the researcher showed that they could have been used by a threat actor to conduct malicious activities.
This kind of incident shows the importance of Web3 projects ensuring that standard security practice is not forgotten while pursuing secure smart contracts and DeFi infrastructure. A variety of other attacks have also been observed, with protocols such as DNS being targeted to conduct standard poisoning and phishing attacks against project websites. It is recommended that all public code repositories have proper reviews in place to catch such incidents before they happen. It is also important that developers are trained appropriately to avoid using hard-coded credentials, and that proper key-management services are provided to help support them.
Ethereum Merge leads to increase in scams
Ethereum is the second largest cryptocurrency in use, according to CoinMarketCap, and has been the fundamental coin supporting the recent trend of NFTs. Ethereum has historically been a Proof-of-Work (PoW) blockchain, which requires energy-intensive mining to enable the network to operate. The merge has been the process of transitioning the chain to a more energy-efficient method of operation known as Proof-of-Stake (PoS). This is where validators stake capital into a smart contract to act as collateral in cases of dishonesty. According to Ethereum, the merge will increase the energy efficiency of the network by around 99.95%, and it was successfully executed on 15 September.
Despite this positive news, threat actors have been capitalising on the increased confusion and attention on the network by conducting a series of scams themed around the merge. One such exploit has been the creation of fake staking pools to stake currency. Without the required 32 ETH needed to stake, users wishing to help validate on the network are required to join a pool. Experts have warned that threat actors may be generating fake pools, enticing users to deposit and hand over control of their money using classic “rug pull” tactics. Alongside these newly developed tactics, it would not be surprising to see older techniques altered to fit the new scenario. Classic ice phishing tactics, such as fake airdrops and malicious transactions, are expected to be seen more frequently and themed around the merge.
One other interesting development with Ethereum 2.0 is a report that it may be more vulnerable to attacks. In a report published by Cointelegraph, a security researcher details a potential new attack method which makes the PoS blockchain easier to target. The vulnerability is present if the malicious actor controls two consecutive blocks to validate. The actor could begin the exploit on the first block and finish it on the second, allowing them to fix the price without an arbitrage bot affecting the process. Despite this, the blockchain is still considered very safe and Ethereum is currently working to fix the consecutive block issue. It is advised that users be highly wary of any hard-to-believe offers or deals on staking pools and airdrops, and report all identified malicious campaigns.
Vanity Wallet generator vulnerability discovered
Profanity is a service which allows users to generate vanity wallets efficiently. As opposed to the usual wallet addresses which are random collections of characters, vanity wallets have specific attributes that make them attractive. These can include containing large numbers of 0s at the end of the wallet address, or even having text at the beginning. Profanity generates large numbers of addresses, with users hoping for the chance that the one they get assigned contains their desired attributes. Some generators have been known to make millions of addresses per second.
On 15 September, researchers published a report into a potential vulnerability within the Profanity tool. The report details how, due to the way that Profanity generates addresses, the opposite process could be conducted. This meant that the researchers were able to reverse brute-force to find wallet private keys, giving them full access. After developing a Proof-of-Concept (POC) exploit for the brute-force, the team was able to generate the private keys for a wallet in almost the same amount of time that it took to generate one.
What makes this threat important is that the researchers saw examples of it being exploited in the wild. One victim had $3.3 million stolen from various vanity wallets, with the researchers stating in the report that “it looks like tens of millions of dollars in cryptocurrency could be stolen, if not hundreds of millions”. Since the uncovering of the vulnerability, the source code has been removed from GitHub and archived. It is important to note, however, that this tool was not actively maintained when the bug was originally theorised back in January. This highlights that users should try to use software that is being maintained, and that all unmaintained codebases should be appropriately threat-managed.
$160 million lost in Wintermute hack
Wintermute is an Algorithmic Market Maker (AMM) which automatically enables buy and sell orders using a series of smart contracts. On 20 September, the CEO of Wintermute posted a series of tweets to their Twitter account indicating that the service was experiencing a hack.
The CEO told people that the service had $160 million stolen from its operations. However, the company was still able to function due to having double that amount still left in equity. Also fortunately for Wintermute, of the 90 affected assets, only two had been hacked for a value of over $1 million, leading to little impact on specific assets.
Whilst no specific explanation has been posted, researchers currently believe that the attack may be due to the previously mentioned Profanity exploit. It is known that the asset vault administrator owned a wallet address which contained seven 0s at the start, making it a vanity address. If this wallet was generated using the Profanity service, it would have been vulnerable to the exploit. The company has agreed that the attack can be treated as a “white-hat” event if the threat actor reaches out to them – a common trend within the crypto community to help lessen the blow from these kinds of hacks.
dYdX compromised through supply-chain attack
Supply-chain attacks have been a popular new way for threat actors to target large numbers of companies by attacking common packages and libraries. This is effective not only because of the damage that can be caused, but also due to the complexities with mapping and managing large supply-chains which span hundreds of software and packages.
One such target of supply-chain attacks is the Node Package Manager (NPM). On 23 September, an attack was conducted against cryptocurrency trading platform dYdX. The company offers a free trading solution that enables all users to trade across markets using perpetual contracts. The firm had a series of NPM packages which had been developed and published by an employee on the dYdX NPM account. Two of these, named solo and perpetual, were found to be compromised and had been used in developing Ethereum Smart Contracts and the library used for the dYdX Solo Trading Platform. This package had also been used by around 40 other GitHub repositories which belong to a variety of other cryptocurrency firms.
The malware associated with this threat attempts to steal GitHub Tokens, SSH Keys, and AWS credentials from the system, using a preinstall script to drop further payloads as soon as the package is downloaded. This issue was reported to dYdX by a researcher using a GitHub issue which detailed the vulnerability and how it was being exploited. Despite this, however, a tweet from dYdX claims that their website, application and smart contracts are not affected and that all user funds are safe. It is important that all companies conduct regular audits of their supply-chain and regularly check for unsafe or malicious repositories used within their infrastructure.
MEV bot exploit causes $1.5 million to be lost in hack
Since the invention of cryptocurrencies, people have been developing tools and bots to help with the automation of trading. One of these is known as a MEV bot, or Maximal Extractable Value bot. The aim of a MEV bot is to detect and capture excess value from each block by including, reordering and excluding different transactions. These kinds of operations are often not beneficial to standard users, as they can make them a target for attacks.
A report released by Rekt explains how one MEV bot known as 0xbadc0de was able to capitalise on an awkward transaction, where a user attempted to trade $1.85 million from cUSDC to USDC using Uniswap v2. However, this trader was affected by low liquidity and only received around $500 for their assets. The MEV bot was able to use this transaction to conduct a series of arbitrage trades, profiting by approximately 800 ETH or around $1 million. Only an hour later, a hacker decided to target the bot and exploited a vulnerability which allowed them to wipe the bot’s entire wallet for a total of 1,101 ETH. The vulnerability the attacker found was in the bot’s implementation of dYdX flash-loans. The attacker was able to gain arbitrary code execution through its callFunction, using this to approve a malicious transaction and move all WETH from the bot’s wallet.
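The flash-loan callback weakness described above, as an added illustration that is not 0xbadc0de’s code. dYdX Solo hands control back to the borrower through `callFunction()`; the `AccountInfo` struct is a minimal stand-in for the real `Account.Info`, and the arbitrage logic is left as a placeholder. The vulnerable contract executes caller-supplied calldata with no check on who invoked it; the hardened one restricts the callback to the Solo contract, to loans it initiated itself, and to fixed logic.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not the MEV bot's contract. Minimal stand-in for the
// dYdX Account.Info struct passed into callFunction().
struct AccountInfo { address owner; uint256 number; }

// VULNERABLE: no check on who calls callFunction or who initiated the loan,
// and `data` is decoded into an arbitrary target/calldata pair and executed.
// Anyone can call this directly and make the contract approve() or
// transfer() its own WETH to an address of their choosing.
contract ArbitraryCallee {
    function callFunction(address, AccountInfo memory, bytes memory data) external {
        (address target, bytes memory payload) = abi.decode(data, (address, bytes));
        (bool ok, ) = target.call(payload);
        require(ok, "call failed");
    }
}

// HARDENED: only the Solo margin contract may invoke the callback, only for a
// loan this contract itself started, and the callback runs fixed,
// contract-defined logic instead of executing caller-supplied calldata.
contract GuardedCallee {
    address public immutable soloMargin; // dYdX Solo address, set at deploy time
    address public immutable owner;
    bool private inFlashLoan;            // set only while a loan we began is live

    constructor(address _soloMargin) {
        soloMargin = _soloMargin;
        owner = msg.sender;
    }

    // Owner-only entry point. The flag proves to callFunction() that the loan
    // was initiated here. The Solo operate() call that takes the loan and
    // forwards `params` in its Call action is omitted (placeholder).
    function startArbitrage(bytes calldata params) external {
        require(msg.sender == owner, "not owner");
        inFlashLoan = true;
        // ISoloMargin(soloMargin).operate(...) with `params` would run here.
        inFlashLoan = false;
    }

    function callFunction(address sender, AccountInfo memory, bytes memory data) external {
        require(msg.sender == soloMargin, "caller is not Solo");     // who called us
        require(sender == address(this), "loan not initiated here"); // who borrowed
        require(inFlashLoan, "no active flash loan");                // right moment
        (address pool, uint256 amount) = abi.decode(data, (address, uint256));
        _executeTrade(pool, amount); // fixed logic, never target.call(payload)
    }

    // Placeholder for the trading logic. Approvals are granted only to pools
    // chosen by this contract's own code, never to addresses taken from data.
    function _executeTrade(address pool, uint256 amount) internal {}
}
```

The three `require` checks are the ones to look for when auditing any flash-loan callee: without them the callback is just a public function that anyone can drive.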
After this, the team behind 0xbadc0de proceeded to contact the threat actor and indicated that they would treat this as a white-hat incident if the funds were returned to the specified wallet. However, behind this communication there appeared to be a thinly-veiled threat, stating that if funds were not returned the team would do “everything in our power with the appropriate authorities to retrieve our funds”. This message was then unusually responded to by the threat actor, who was clearly upset about the existence of the MEV bot and said “What about normal people who you have mev’ed and literally fucked them? Will you return them?”. This example of on-chain hacktivism makes an interesting statement about the importance of not antagonising the wider blockchain community with such tools. It is expected that anti-crypto hacktivism may increase, as more countries and institutions begin to incorporate cryptocurrency into their environments.
This month has been a memorable one for both positive and negative effects within the crypto community. On the one side, there have been the energy-efficiency improvements of the Ethereum merge, and the impacts of the sanctions imposed on Tornado Cash. But on the other side, there has been an increase in the quantity of scams, alongside the inclusion of Web3 infrastructure into terrorist organisation toolkits.
One theme throughout this month is that regular code and infrastructure audits are still one of the most important things an organisation can do to protect itself. By conducting these kinds of checks, incidents such as the leak of Shiba Inu’s AWS credentials and the supply-chain attack on dYdX could have been more easily identified and mitigated. While not a perfect solution, it is important that cryptocurrency companies regularly audit both their smart contracts and web3 infrastructure alongside their codebases and supply-chains. This ensures that all elements of security are considered, which helps to build a secure ecosystem.
Another serious threat observed this month was the use of Web3 technology to spread a message of terror. Whilst previously theorised, the use of technology such as NFTs to enable threat actors to create permanent messages spreading their doctrine has now been realised. Standard internet authorities and websites often have the ability to remove this kind of content, forcing it underground. However, by using irremovable distribution methods, threat actors can keep their message in the public domain. While this technique is still new, it would not be surprising to see it used to share more explicit and serious material, such as protest documents and data leaks, enabling them to exist as a permanent record.