BlockThreat - Week 21, 2019
BestMixer | BCH | Cryptopia | Wallets
This week a number of news sources reported a new twist to the BCH hard fork incident, where the previously reported node software exploit was followed by a reorganization attack targeting a block mined by a malicious miner. In other news, the Cryptopia exchange attackers are attempting to cash out at an exchange, a backdoor was discovered in a paper wallet website, and an uptick in fake wallet software on the Android platform was reported.
News:
- The FIOD and the Public Prosecution Service take money laundering machine for cryptocurrencies offline - a popular cryptocurrency tumbler, Bestmixer[.]io, taken down in a joint effort between McAfee and the Dutch FACT (Financial Advanced Cyber Team).
Hacks:
- The Bitcoin Cash Hardfork – Three Interrelated Incidents - a great writeup on the previously missed incident on the BCH network which occurred on May 15th, the same day as the hard fork event and the 0day incident described in last week’s newsletter. In the technical report, BitMex Research reports a two block reorganization attack with 3392 BCH double spent on the network. A related blog, Bitcoin Cash Guardians & Pirates in Sight, describes an unknown miner mining a block which claimed newly spendable segwit addresses as a result of the fork, and a group of miners, BTC.top and BTC.com, invalidating that block. In yet another twist to the story, someone who claims to have exploited the 0day vulnerability in ABC node software has published a blog post - sigops counting - explaining the discovery and exploitation of the vulnerability while also noting the reorg on the BCH network.
- Follow The Money — Tracking The Asset Movements Of Cryptopia Hack - PeckShield researchers track the recent funds movement from the Cryptopia hack earlier this year. The report documents a new technique used by attackers to obfuscate their transactions with a large number of fake trades made on a DEX before reassembling funds to be sent to an exchange.
Malware:
- Key generation vulnerability found on WalletGenerator.net—potentially malicious - a great investigation report into an apparently backdoored online paper wallet generator, WalletGenerator[.]net.
- Discovering Fake Trezor, MetaMask, and MyCrypto Android APKs - a detailed report into several fake cryptocurrency apps found in the Google Play Store.
Research:
- Ethereum Smart Contracts Exploitation Using Right-To-Left-Override Character - an interesting application of the RTLO trick to mislead anyone reading a specially crafted smart contract source published on Etherscan.
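The RTLO trick works because a Unicode bidirectional control character changes how a line is displayed without changing how the compiler reads it, so a reviewer sees a different program than the one that gets deployed. The following scanner, added here as an example and not taken from the linked article or from any Etherscan tooling, flags every bidi control character in a source file with its line and column and rewrites the file with those characters shown as visible escapes. The Solidity fragment it scans is constructed for the example and is not the contract the article analyzes.

```python
from typing import List, Tuple

# Unicode bidirectional control characters (the Bidi_Control property). U+202E is the
# RIGHT-TO-LEFT OVERRIDE used in the RTLO trick; the rest are its siblings and should be
# treated the same way, since none of them has any business in program source.
BIDI_CONTROLS = {
    "\u202A": "LEFT-TO-RIGHT EMBEDDING",
    "\u202B": "RIGHT-TO-LEFT EMBEDDING",
    "\u202C": "POP DIRECTIONAL FORMATTING",
    "\u202D": "LEFT-TO-RIGHT OVERRIDE",
    "\u202E": "RIGHT-TO-LEFT OVERRIDE",
    "\u2066": "LEFT-TO-RIGHT ISOLATE",
    "\u2067": "RIGHT-TO-LEFT ISOLATE",
    "\u2068": "FIRST STRONG ISOLATE",
    "\u2069": "POP DIRECTIONAL ISOLATE",
    "\u200E": "LEFT-TO-RIGHT MARK",
    "\u200F": "RIGHT-TO-LEFT MARK",
    "\u061C": "ARABIC LETTER MARK",
}


def find_bidi_controls(source: str) -> List[Tuple[int, int, str]]:
    """Return (line, column, name) for every bidi control character in source.

    Lines and columns are 1-based so they match what an editor shows. The scan is
    done on the logical character order, i.e. what the compiler parses, not on the
    rendered text, so display tricks cannot hide a hit.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            name = BIDI_CONTROLS.get(ch)
            if name:
                findings.append((lineno, col, name))
    return findings


def render_visible(source: str) -> str:
    """Replace each bidi control with a \\uXXXX escape so a reviewer reads the file
    in the same order the compiler does."""
    return "".join(
        f"\\u{ord(ch):04X}" if ch in BIDI_CONTROLS else ch for ch in source
    )


def is_clean(source: str) -> bool:
    """True when the source contains no bidi control characters at all."""
    return not find_bidi_controls(source)


# Constructed sample (not from the article): a U+202E inside a comment. Everything
# after the override on that line is displayed right-to-left, so a viewer sees
# text that does not match the logical order the compiler parses.
SAMPLE_CONTRACT = (
    "pragma solidity ^0.5.0;\n"
    "contract Vault {\n"
    "    function withdraw(uint amount) public {\n"
    "        // transfer to owner \u202E ;)tnuoma(refsnart.rednes.gsm\n"
    "        msg.sender.transfer(amount);\n"
    "    }\n"
    "}\n"
)


if __name__ == "__main__":
    for lineno, col, name in find_bidi_controls(SAMPLE_CONTRACT):
        print(f"line {lineno}, column {col}: {name}")
    print(render_visible(SAMPLE_CONTRACT))
```

Run it over a downloaded source file (for example with `find_bidi_controls(open(path, encoding="utf-8").read())`) before trusting what a block explorer's source view shows; a single hit is enough reason to read the escaped rendering instead of the displayed one.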
Events:
- Breaking Bitcoin Conference - upcoming conference in Amsterdam on June 8-9 with a focus on Bitcoin security.
This wraps up this week’s blockchain threat intelligence. In case you were participating, the ETH Treasure Hunt has now concluded and a winner has been announced.