BlockThreat - Week 17, 2021
Hotbit, Uranium, Spartan, Bitcoin Fog, IRS
Not a week goes by without another record compromise of DeFi platforms. This week Uranium Finance and Spartan Protocol were exploited to the tune of $51M and $30M respectively. Hotbit exchange shut down its operations after attackers penetrated its internal systems. In other news, the IRS has been increasingly effective at hunting down criminals using both on-chain and more traditional resources, having identified and arrested Bitcoin Fog's operator.
News
- Feds Arrest an Alleged $336M Bitcoin-Laundering Kingpin. Roman Sterlingov was charged with operating the Bitcoin Fog mixer, popular with darknet forums since 2011. The perpetrator was identified through a transaction on the Liberty Reserve exchange, which was seized by the US DOJ in 2013.
- The IRS Wants Help Hacking Cryptocurrency Hardware Wallets so it can investigate fraud and recover forfeited funds. This is yet another call by the IRS for assistance with its Operation Hidden Treasure.
Hacks
- On April 27, 2021, an account balance calculation error in Uranium Finance was exploited, resulting in the theft of $51M. Interestingly, the team was about to push a fix before the contract was exploited, leading to suspicion of an internal leak. This marks the second time Uranium Finance has been exploited this month.
- On April 29, 2021, the Hotbit cryptocurrency exchange was compromised, resulting in the theft of customer PII including email addresses, phone numbers, encrypted passwords and 2FA keys. According to Hotbit, no customer funds were affected.
- On May 2, 2021, a liquidity share calculation flaw in Spartan Protocol was exploited, resulting in the theft of $30M. The BSC smart contract had previously been audited by CertiK.
Vulnerabilities
- The Tokenlon team patched a critical vulnerability which could have resulted in the theft of funds. The vulnerability was disclosed by samczsun, who also helped the team secure the funds using Taichi Network to prevent front-running.
- Prysmatic Labs Team published a detailed post-mortem report for the incident causing ETH2 clients to stop producing blocks.
Malware
- Unit 42's report on the WeSteal cryptocurrency stealer documents the malware's capabilities and the malware-as-a-service scheme run by its creators.
- Microsoft built cryptojacking malware detection into its Microsoft Defender product.
Research
- How to Beat an Ethereum Sweeper Script and Recover Your Assets by Harry Denley is an excellent resource on the sweeper scams plaguing Telegram and how to combat them using Flashbots, private mining pools, and self-destructing contracts.
- The Combating Ransomware report by the Ransomware Task Force (RTF) outlines a comprehensive set of actions to combat ransomware. It includes detailed threat actor profiles, ransomware payment flows, and other interesting topics such as cyber insurance.
- Vulnerabilities and Open Issues of Smart Contracts: A Systematic Mapping is a nice survey of the available literature on the topic named in its title.
- Ethereum Uncle Bandit Strikes Again is another fun MEV fight writeup between sandwich and sniper bots by Robert Miller.
Thanks for joining me this week in Blockchain Threat Intelligence!
- Peter Kacherginsky (iphelix)