October held some of the most innovative attack vectors to date, with spam attacks attempting to cripple the efficiency of a chain; the exposure of personal information from hundreds of thousands of users, tied in with their transaction history; and a supply-chain style matter arising from issues covered in last month’s report. Fitting the trend, October also saw a further increase in the number of cryptocurrencies tracked by coinmarketcap.com, reaching a total of 21,590, an increase of 432 tokens since the end of September.
In this report, we will discuss some of the most impactful threats to the cryptocurrency space that occurred in October.
$21 million stolen from Transit Swap but most is returned
On the first day of the month, a decentralised exchange aggregator known as Transit Swap was exploited for approximately $21 million. The platform, which enables users to make instant trades and swap across chains, operates using the TokenPocket token. Being decentralised, the platform deploys a series of smart contracts; however, one of these contained a vulnerability which was exploited by a hacker.
The vulnerability, which was analysed in detail in a report by SlowMist security, was caused by a lack of validation of the data passed to a function. This resulted in an arbitrary external call that could be used to steal tokens that users had approved the platform to spend. In this instance, the attacker was able to steal 2,500 BNB from victims’ wallets, which was then transferred through different services such as LATOKEN for the withdrawal of the funds.
After the attack, the service released an official statement on Twitter detailing what they had been doing to combat this issue. Their main effort involved working with cryptocurrency security companies to carry out an investigation into the threat actor, and they explained they now have the “hacker’s IP, email address, and associated on-chain addresses”. Interestingly, the hacker announced that they would return 70% of the stolen funds, which they subsequently did, following the recent trend of “backwards bounties”.
Spam attacks on Zcash cause disruption
While attacks against blockchain systems often aim to steal money from both organisations and users, this is not always the case, as Zcash discovered in October. The service, used primarily as a privacy currency offering fast payments with confidentiality, has come under attack from an unusual threat.
Where having a large number of transactions across a chain is usually a sign of prosperity, in Zcash’s case it has meant they are under attack. This is known as a transaction spamming attack, where large numbers of transactions are made solely to place extra load onto the network. In the case of Zcash, the threat actor has taken advantage of the service’s “shielded transactions” to conduct the attack. These use a cryptographic proof to hide the input and output values of a transaction, all for a small fee of 0.0001 ZEC. The attacker has been able to submit thousands of these transactions at an estimated cost of only $10 per day, disrupting the chain’s operation and causing its total size to balloon to over 100 GB.
The team behind Zcash released a series of tweets explaining the situation back when the issue arose in July; however, as of the start of October, they had yet to deliver a fix. Nevertheless, the organisation behind Zcash, Electric Coin Co, published a statement explaining that despite the increased size of the chain “the vast majority of Zcash users are unaffected by the increased size of the blockchain”. This is backed up by the price of Zcash still holding a relatively solid value of around $55 since the attack began.
Binance Smart Chain exploited for over $100 million
Large cryptocurrency platform and exchange, Binance, operates its own blockchain previously known as the “Binance Smart Chain (BSC)” or “BNB Chain”. The main usage of this blockchain is the sending and receiving of the BNB token, which is the 4th highest ranked cryptocurrency on CoinMarketCap.com.
On 6 October, an attacker targeted the “BSC Token Hub” which acts as a bridge between the old and new Binance chain. The threat actor attempted to steal around 2 million BSC tokens during the exploit, as seen by the amount stored in their wallet. However, Binance was fortunately able to halt the chain quickly, pausing all activity. This meant the attacker was unable to remove all tokens. Binance CEO Changpeng Zhao tweeted that the current estimated loss is around $100 million USD. In a Reddit post explaining the situation, a developer stated that the team coordinated with the validators to temporarily suspend activity on the chain. This is due to it being a decentralised system with no easy way to disable all transactions.
Since this incident, the team behind the Binance Smart Chain has released a blog post, not only apologising for the attack, but also thanking the community for helping minimise its impact. They have also decided to conduct some important on-chain votes to respond to some questions as to how to deal with such attacks in future. This includes answering whether hacked funds should be frozen; whether they should introduce a White Hat program for future bugs; and whether bounties should be offered to catch hackers. This attack shows that despite the decentralised nature of blockchains, large community efforts can help tackle crypto theft. Also, the use of on-chain votes on incident response plans helps to ensure that the community feels involved in deciding how to deal with these kinds of incidents.
Names and transactions of Celsius customers exposed
Celsius Network is a crypto lending firm that enables users to take out loans using crypto assets as collateral. The protocol has been operational since around 2018, and has its own CEL token, issued as an incentive for using the platform.
Earlier this year, the service ran into serious financial difficulties and is now subject to bankruptcy proceedings. Unfortunately, however, as part of a standard procedure, Celsius was required to disclose the names and wallet addresses of users of the platform. This resulted in a 14,000-page document being released containing the names of hundreds of thousands of Celsius users and all their recent transactions. Researchers hastily analysed this data, and a report from Gizmodo details that various executives were quick to cash out their money before the chain was halted. This included the former CEO (Alex Mashinsky) and former CSO (Daniel Leon) withdrawing a combined $17 million before the collapse of the service.
This is a devastating blow to the crypto community with thousands of distraught customers and users, and it raises an interesting ethical question surrounding the transparency of crypto purchases and the potential ramifications this could have for those involved. While the court decided this would not put any users at risk, others see this differently, explaining that the treatment of Celsius was harsh. One such example of this risk was the website “celsiusnetwork.com” which was created to rank the worth of doxed Celsius holders by the amount that was locked in their accounts.
It is important to highlight that due to the relatively new concept that is cryptocurrency, it is not surprising that an issue has arisen within a filing such as this. Legislators and regulators must work to streamline these processes for decentralised organisations to ensure the safety of users’ financial and personal security.
Fake security updates distributed using airdropped NFTs
Fake security updates are a common technique used by threat actors to trick victims into installing malware onto their devices, often allowing them to bypass User Account Control (UAC) and other security mechanisms. An example of this was seen back in May this year, when we noted reports of fake Microsoft Windows updates being targeted at Russian government officials.
In October, however, we saw this same tactic being implemented using NFT airdrops, which masqueraded as updates to the Phantom wallet application. NFTs titled “UPDATEPHANTOM.COM” and “PHANTOMUPDATE.COM” were delivered to victims, claiming to be from the developers of the app. The NFT contained a link to a fake update website, where the user was prompted to download either a batch or executable file which, upon execution, would deliver an info-stealer malware under the name “windll32.exe”. The aim of this campaign is believed to have been to steal passwords and key information that would allow the threat actors to compromise the victim’s cryptocurrency wallets.
While this attack vector is not new, it adds to the ever-increasing list of classic security tactics being adapted to the Web3 landscape. It is important that traditional security awareness is not forgotten when it comes to blockchain technology. Techniques such as phishing and spamming are ingrained within the threat actor’s playbook and need to be considered and understood in the context of Web3.
Collateral manipulation attacks used against multiple platforms
Borrowing and lending are core components of most traditional banks and financial operators. Cryptocurrency platforms have also begun to support these kinds of services, enabling users to stake cryptocurrencies and other digital assets such as NFTs as collateral against loans. One such platform is Mango Markets, a Solana-based project which hosts a wide range of services including “Decentralised Lending” and offering “Perpetual Futures”.
Mango Markets was targeted by an attacker, who was able to conduct a flash loan attack against the service to steal around $116 million. This type of attack works by using a large loan to temporarily inflate the price of an asset and then profiting from the distorted price. In this instance, the threat actor took out a loan to raise the price of the platform’s token “Mango coin”, which reportedly increased by around 1000%. According to a security researcher’s Tweet, this newly boosted collateral was then used to take out massive loans from the Mango treasury which they had no intention of paying back. Eventually, the threat actor was contacted to discuss a bounty; they responded that they would return $46 million, keeping around $70 million for themselves. This was rejected, and the attacker ended up returning around $69 million of the funds.
A similar attack took place on another marketplace called “Moola Market”. Here, the attacker was also able to manipulate their collateral, allowing them to steal around $8.4 million from the protocol in a variety of different currencies. While simple, these attacks can cause significant damage and are difficult to protect against. Some experts are also disputing this attack’s status as a “hack”, stating that it is “more of a market manipulation” attack than a hack, due to the lack of “unauthorized access”. Whether this incident is classed as a hack or not, it is important that platforms ensure that appropriate thought is given to developing security against flash-loan and market manipulation attacks.
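To make the Mango Markets and Moola Market mechanism concrete, the following added example (constructed for this report, not code from either project) models a lender that values collateral from a constant-product pool’s spot price, shows how one large buy inflates the borrow limit, and contrasts this with a time-weighted average price (TWAP) oracle. The pool sizes, loan-to-value ratio and window length are assumed values.

```python
# Toy model of the collateral (oracle) manipulation described above and a
# time-weighted average price (TWAP) mitigation. Constructed illustration;
# not code from Mango Markets or Moola Market. All figures are assumed.
from collections import deque


class ConstantProductPool:
    """Constant-product AMM (x * y = k) holding a platform token and USDC."""

    def __init__(self, token_reserve: float, usdc_reserve: float) -> None:
        self.token = token_reserve
        self.usdc = usdc_reserve

    def spot_price(self) -> float:
        """Instantaneous USDC price of one token, read straight from reserves."""
        return self.usdc / self.token

    def buy_token_with_usdc(self, usdc_in: float) -> float:
        """Swap USDC for tokens; returns tokens received. Pushes the spot price up."""
        k = self.token * self.usdc
        self.usdc += usdc_in
        new_token = k / self.usdc
        received = self.token - new_token
        self.token = new_token
        return received


class TwapOracle:
    """Averages the spot price recorded over the last `window` blocks."""

    def __init__(self, window: int, initial_price: float) -> None:
        self.history = deque([initial_price] * window, maxlen=window)

    def record(self, price: float) -> None:
        self.history.append(price)

    def price(self) -> float:
        return sum(self.history) / len(self.history)


def max_borrow(collateral_tokens: float, price: float, ltv: float = 0.5) -> float:
    """USDC a lender allows against the collateral at an assumed 50% loan-to-value."""
    return collateral_tokens * price * ltv


def simulate(use_twap: bool, attacker_usdc: float = 1_000_000,
             collateral_tokens: float = 100_000) -> dict:
    """Attacker already holds `collateral_tokens`, then buys into the pool in one block.

    Returns the spot price after the swap, the price the lender actually used,
    and the borrow limit before and after the manipulation.
    """
    pool = ConstantProductPool(token_reserve=1_000_000, usdc_reserve=1_000_000)
    oracle = TwapOracle(window=10, initial_price=pool.spot_price())

    def lender_price() -> float:
        return oracle.price() if use_twap else pool.spot_price()

    borrow_before = max_borrow(collateral_tokens, lender_price())
    pool.buy_token_with_usdc(attacker_usdc)   # single large buy: the "pump"
    oracle.record(pool.spot_price())          # only one block at the inflated price
    borrow_after = max_borrow(collateral_tokens, lender_price())
    return {
        "spot_after": pool.spot_price(),
        "lender_price": lender_price(),
        "borrow_before": borrow_before,
        "borrow_after": borrow_after,
    }


if __name__ == "__main__":
    for twap in (False, True):
        r = simulate(use_twap=twap)
        print(f"TWAP={twap}: spot {r['spot_after']:.2f}, lender used "
              f"{r['lender_price']:.2f}, borrow {r['borrow_before']:,.0f} "
              f"-> {r['borrow_after']:,.0f}")
```

With these assumed numbers the spot-price lender quadruples the borrow limit after one swap, while the TWAP lender moves it by 30%. A TWAP only raises the attacker’s cost (the price must be held up across the whole window), so it is normally combined with per-asset borrow caps and a liquidity-aware collateral haircut.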
Investment in Venture Capital firm intercepted by hacker
Escrow services are a core part of a large number of investments and payments where mutual agreements need to be met for money to be released. An interesting threat vector, however, is the threat escrow poses to both parties in the transaction.
On 15 October, a Web3 service known as Syntropy posted a series of tweets detailing such an incident. The service had intended to place a large investment of around 15 million $NOIA tokens into a venture capital fund. To complete the deal, both parties had agreed to use an escrow for the transaction, with Syntropy transferring the tokens to the escrow wallet.
A malicious actor learned about the transaction and was able to impersonate the buyer’s identity. This enabled the threat actor to convince the escrow to release the funds to the attacker’s wallet; they then immediately unloaded the tokens into another token called Kucoin. This caused the price of Syntropy’s $NOIA token to drop around 32%, with the team contacting Kucoin to freeze the accounts.
While not inherently a threat to cryptocurrencies, transactional security is vital when large amounts of tokens are being transferred; this was highlighted by Optimism’s mistake back in June, where 20 million tokens were mistakenly sent to a non-existent wallet, landing them in the hands of a malicious actor. To put it simply, when people are involved in transactions, human error is always a factor to consider and requires specific protection mechanisms to be put in place.
BitBTC fails to respond to reported flaw resulting in exploitation
Security researchers are an incredibly useful asset to organisations, often disclosing vulnerabilities or issues that they discover for bounties or notoriety. However, as the old saying goes, “hell hath no fury” like a researcher scorned, and this is what we saw happen with BitBTC’s Optimism bridge.
On 18 October, security researcher Lee Bousfield tweeted that BitBTC’s Optimism bridge was “trivially vulnerable” and proceeded to publish a critical exploit after receiving no response from the team. The exploit enabled attackers to generate tokens on Optimism’s side of the bridge and then transfer those across to any token on the other side of the bridge. This meant they could create tokens with no value and then bridge them to ones with value, printing money out of thin air.
After the details were published, a hacker carried out exactly this exploit, transferring 200 billion BitBTC to their wallet for a total of around $200,000. Interestingly, however, the attacker would have very little chance of liquidating these assets because the tokens were generated out of thin air and as such would be difficult to realise. The attacker placed a message on the blockchain where they explained that they “just want[ed] to test the exploit with a PoC” and “won’t touch any of the valuable assets”. This highlights the importance of treating all bug reports seriously, as despite this hacker’s seemingly good intentions, when a public PoC exploit is released, it can cause havoc.
Automated Trading bot 3Commas targeted by phishing
Automated trading bots have become a trend, with traders looking to make some fast cash without having to think too hard about it. The simple premise is that a user gives the bot some funds, configures some trading parameters, and then lets it trade for them. This can be a highly profitable way of trading cryptocurrency without requiring much input or thought. Users of the trading bot “3Commas” this month were, however, not so happy after an exploit left many of them out of pocket.
In late October, users realised that large sums of money had gone missing from their FTX accounts connected to the 3Commas bot. Both organisations quickly conducted a joint investigation, releasing a blog post detailing the situation. This explains that a number of API keys had been connected to 3Commas and then used to trade on partner exchanges; however, it was stated that no API keys had been leaked by 3Commas. In the blog post, the team explains how they discovered a series of fake 3Commas phishing pages which may have captured users’ API keys and deployed them to steal the money. This was further supported by 3Commas’ discovery that people on social media were claiming to be victims but could not in fact be verified as customers. Users of the 3Commas service have been advised to ensure that two-factor authentication is enabled and that they take care to only log into the legitimate 3Commas site.
This attack highlights the importance of ensuring good security awareness among those using cryptocurrency platforms. While it is often assumed that users will understand the technology, Cardify suggests that “the majority of investors (83.1%) report moderate or low levels of cryptocurrency knowledge”. As cryptocurrency becomes more widely adopted, it is vital that users understand the risks that phishing may pose and ensure that fundamentals such as multi-factor authentication and strong passwords are in place.
Pig Butchering scams utilising dating and social media apps
Scams are one of the most prevalent threats to users within the cryptocurrency space, as threat actors look to exploit the people behind the wallet. Recently, however, a rise in a scam known as “Pig Butchering” has been seen, used to siphon cryptocurrency from vulnerable individuals. The term “Pig Butchering” comes from the practice of fattening up pigs before they are slaughtered. Originating in China, this scam works by building up a relationship with the victim over a long period of time and then asking them to send or invest money in some scheme proposed by the threat actor. The Global Anti-Scam Organisation estimates that the average loss per victim is $121,926, with the majority of them being young women.
In early October, the FBI released a public service announcement warning the public about cryptocurrency based “Pig Butchering”. They explained that scammers have been approaching individuals either as a potential friend or romantic interest, before encouraging victims to place money into an investment scheme, using fake websites and applications that give an air of legitimacy.
This scam was also explored in a detailed report by ProofPoint, which has been tracking a series of Sha Zhu Pan (“Pig Butchering”) scams, where they show multiple instances of the techniques used to help part someone from their money. One such example is what they call “The 3 Ps”, which they describe as “Pretty Polite People messaging you out of the blue”, as often scammers will use profiles with attractive pictures to contact their victim. They also show how on many occasions, the scammer will ask their target to move the conversation to other platforms such as Telegram “citing it as safer”.
As scammers begin to develop more advanced methods to trick users out of their money, it is vital that cryptocurrency holders are aware of the techniques being used against them. As is detailed within the FBI PSA, users should always be wary of suspicious investment opportunities from anyone who messages them online. It is also important to verify the legitimacy of any application or website they are told to visit, as often linking their wallet addresses to these can lead to their assets being stolen or cryptocurrency-oriented malware such as a “Clipboard Hijacker” being deployed.
GitHub Actions and other CI/CD used to mine cryptocurrency
Cryptojacking is one of the most prolific attacks being used by threat actors targeting cryptocurrency. With the average number of cryptojacking incidents currently standing at over 15 million per month in 2022, threat actors are beginning to innovate on this tactic. A report from Sysdig found that threat actors had been abusing GitHub Actions and other CI/CD services to conduct a tactic known as “freejacking”.
GitHub Actions is a continuous integration and deployment (CI/CD) platform that enables developers to automate sections of the software development lifecycle. The platform freely provides some resources that are used to conduct tasks such as building or testing code. However, a threat actor tracked as PURPLEURCHIN has been utilising CI/CD providers including GitHub, Heroku and Buddy.works to mine cryptocurrencies. With a reported count of roughly 2,930 accounts across the platforms, the threat actor has used a complex web of Docker containers, VPN providers and platforms to design a fully automated cryptocurrency mining operation, entirely on free infrastructure.
However, despite this complex setup, researchers estimate that the cost to the providers is no more than around $10 per month, and that the threat actor is making little to no profit either. Nevertheless, it is a powerful technique that, if scaled up correctly, could cost the provider significant amounts of money and generate large sums for a threat actor. This would require a much larger pool of accounts to be used and potentially more sophisticated CAPTCHA and bot-detection avoidance measures to be developed. As a passive action for threat actors, the use of “freejacking” could become commonplace alongside traditional “cryptojacking” as cybercriminals look to increase the profits of their operation.
“Watch your Profanity!” – the recent effects of the Profanity bug
In Cyjax’s crypto threat landscape report last month we discussed a vulnerability discovered within the Profanity vanity wallet generator. This flaw would allow a malicious actor to brute force the private keys to a wallet in a short space of time, potentially enabling access to any wallet generated by the tool. Within the same report we also discussed an attack concerning this vulnerability, where Wintermute was exploited for $160 million, as the wallets containing the funds had been generated by Profanity.
This month we have also seen further problems and exploitation occurring as a result of this Profanity bug, with a total estimated loss of around $3.5 million. One provider, the QANX Bridge, lost around $1.16 million after using a different project called “vanity-eth-gpu” within its development. However, this project took large sections of its code from Profanity and thus inherited the flaw. QANX Bridge released a report on the situation, where they provided continuous updates. The team explained that the vulnerability does not affect their core offering of quantum-resistant security; instead, the main deployer wallet contained the flaw due to the low entropy used to generate it. The team has also agreed to reimburse those who purchased QANX tokens during the time of the hack, and has released a full report explaining the exact details of the vulnerability. The token has now been redesigned to help increase protection against this and other kinds of attacks.
Another protocol known as friesDAO was also a victim of this vulnerability. Being a French-fries-themed cryptocurrency, they used a vanity wallet starting with the characters “51D35” or “SIDES” which, due to being generated with Profanity, had around $2.3 million stolen from it. The team tweeted that the attacker was able to drain a series of FRIES tokens from the wallet and then swap them into USDC, which was then sold into a Uniswap pool. They also posted a message asking the attacker to reach out to them; however, it is still unclear whether contact has been made.
This vulnerability poses an interesting scenario as to what a Web3 supply-chain attack may look like, as we see its impact ripple not only through those who directly used the tool, but through libraries that copied its code. When this is combined with the immutable nature of large portions of Web3 infrastructure, such as smart contracts, a supply-chain attack could pose a critical risk. It is important that regular audits of the tooling and libraries used to develop contracts and infrastructure are conducted, especially given that, as previously discussed, this issue had been known about since as early as January 2022.
Throughout October we have seen a new side to the cryptocurrency threat landscape, with a focus on threat actors utilising phishing and social engineering, both through the “Pig Butchering” scams and their use of social media, and through the social engineering of an escrow to release funds. While an explored and known tactic, the combination of cryptocurrency and social engineering places the threat firmly at the door of the users, requiring them to be well educated both in how to spot a scam and in how to protect themselves against one. This is a much more complex issue for organisations to solve, with some potential solutions being to distribute educational material in tandem with technical changes to help targets identify when they are becoming the victim of an attack.
Another thing of note this month has been the need to act on security reports while developing within Web3. We have seen further problems caused by the Profanity exploit after a multitude of organisations relied on an unmaintained codebase, while no-one paid attention to the security issue which was reported back in January; similarly, in the case of the BitBTC vulnerability, the researcher who reported it to the team received no response. It is vital that security teams pay full attention to all security bugs reported, whether within their own codebase or inside software within their supply chain. This allows vulnerabilities to be identified and dealt with before a threat actor conducts what could be a multi-million-dollar attack on an organisation’s infrastructure.