In the light of the recent event of a prop trading firm losing big monies in an old-fashioned Microsoft Word attachment attack, let me sip my tea and try to remember what kind of hacks I have seen over the years.
👇👇👇
2/ I will skip all retail-focused attacks, like fake websites and weak passwords, and only focus on serious cases where a notable business itself was the victim.
3/ Also no talk about SIM swapping etc., as it is a US-only problem and only possible because the US does not have strong IDs issued by the government (don't live in a crap nation plz.)
4/ Retail crime is a retail crime and not particularly interesting, as the cost of recovering assets would be higher than the asset value itself. So if you lost $5000 in a scam, please file a police report but you are not going to get money back.
5/ MICROSOFT WORD Attachment
The soon 50-year-old MS Office codebase is full of old crappy C code ripe to blow up: macros, buffer overflows, etc.
Open a Microsoft Word document and you are almost guaranteed to have your computer trojaned with a RAT (Remote Access Tool).
The sysadmin of Bitstamp got a Gmail conversation in which he was falsely told he would receive an honour (from some university / society). Then he was trojaned with a malicious Microsoft Word document.
Bitstamp's VPN to the server that held the exchange wallet had two-factor authentication.
9/ However, this two-factor was disabled when the VPN was run from the office.
The Bitstamp internal investigation post-mortem leaked and is full of good advice, but then it was wiped from the Internet by the Bitstamp legal team.
11/ SOLUTION: Don't install Microsoft Office locally. Even better, don't use PCs and Microsoft products at all. Use Macs and online-only productivity suites (Google Workspace and Microsoft Office 365).
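Because the attack above hinges on a document that runs code when opened, here is an added example (my own code, not Bitstamp's and not from the thread) of the check a mail gateway can run before a Word file reaches an inbox: look inside the OOXML container for a VBA project instead of trusting the file extension. The sample documents are constructed in the script; the content-type strings are the standard OOXML ones.

```python
import io
import zipfile

# Assumption for the demo: OOXML files (.docx/.docm/.xlsx/.xlsm) are zip
# containers. A macro-enabled document carries a VBA project part such as
# word/vbaProject.bin, and its [Content_Types].xml declares a "macroEnabled"
# main part. Renaming .docm to .docx changes neither of those.
_CT_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Override PartName="/word/document.xml" ContentType="{main}"/>{extra}</Types>'
)
_DOCX_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
_DOCM_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
_VBA_OVERRIDE = ('<Override PartName="/word/vbaProject.bin" '
                 'ContentType="application/vnd.ms-office.vbaProject"/>')


def build_sample(macro: bool) -> bytes:
    """Constructed sample document (not a real file): a minimal Word
    container with or without a VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    _CT_XML.format(main=_DOCM_MAIN if macro else _DOCX_MAIN,
                                   extra=_VBA_OVERRIDE if macro else ""))
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            # Placeholder bytes standing in for a compiled VBA project.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


def inspect_office_file(data: bytes) -> dict:
    """Inspect the container itself rather than the file extension."""
    report = {"is_ooxml": False, "has_vba_part": False,
              "declares_macro_enabled": False, "suspicious_parts": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return report  # legacy OLE2 .doc/.xls, or not an Office file at all
    names = zf.namelist()
    if "[Content_Types].xml" not in names:
        return report
    report["is_ooxml"] = True
    content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    report["declares_macro_enabled"] = ("macroEnabled" in content_types
                                        or "vbaProject" in content_types)
    for name in names:
        lower = name.lower()
        if lower.endswith("vbaproject.bin"):
            report["has_vba_part"] = True
            report["suspicious_parts"].append(name)
        elif "/embeddings/" in lower or "/activex/" in lower:
            # Embedded OLE objects and ActiveX controls are further
            # code-execution surfaces that deserve a human look.
            report["suspicious_parts"].append(name)
    return report


def should_quarantine(data: bytes) -> bool:
    """Gateway policy: hold anything that can run code when opened."""
    r = inspect_office_file(data)
    return r["has_vba_part"] or r["declares_macro_enabled"] or bool(r["suspicious_parts"])


if __name__ == "__main__":
    for label, doc in (("clean", build_sample(False)), ("macro", build_sample(True))):
        verdict = "quarantine" if should_quarantine(doc) else "pass"
        print(label, verdict, inspect_office_file(doc))
```

Legacy binary .doc files are OLE2 compound files rather than zips, so this inspector reports `is_ooxml` as False for them; treat those as higher risk and hand them to a dedicated parser such as olevba from the oletools project.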
12/ SOCIAL HACKING AND SPOOFING
Also known as CEO fraud, Business Email Compromise (BEC) or Email Account Compromise (EAC)
👇👇👇
13/ This does not concern only crypto; spoofing corporate invoices for Fortune 500 companies is a good business. Wire transfers to the wrong details for the wrong reasons are common.
14/ CEO Fraud was in fact the most common form of fraud in the US. See the FBI cybercrime report 2019 (bear market, so the dynamics may have changed).
16/ Despite what the name says, the email account password does not need to be compromised. In CEO fraud, it is enough to pose as the CEO/CFO of a company and tell the accountants to pay something somewhere very fast.
17/ Email sender spoofing is enough, as is a fake Slack account or social engineering by phone call.
Train your employees. Don't hire idiots. Don't be an idiot. Have four eyes on every operation so that a single person cannot approve a high-value transaction alone (multisigs in the case of crypto.)
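The fraud pattern described above (executive display name, spoofed or lookalike sender, pressure to pay fast) is something a mail pipeline can triage before a human sees it. This is an added example of such a triage step, my own code rather than anything from the thread; the company domains, the executive directory and the two sample messages are all constructed for the demo, and the `Authentication-Results` header stands in for what the receiving mail server would have added.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumptions for the demo: the defender's own mail domains and a directory of
# executives whose display names are likely to be impersonated.
COMPANY_DOMAINS = {"example-fund.com"}
EXECUTIVES = {"jane doe": "jane.doe@example-fund.com"}
URGENCY_WORDS = ("urgent", "asap", "immediately", "right away", "confidential")
PAYMENT_WORDS = ("wire", "transfer", "invoice", "bank details", "payment", "iban")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; enough to catch one-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """A domain one edit away from one of ours, but not actually ours."""
    return domain not in COMPANY_DOMAINS and any(
        edit_distance(domain, trusted) <= 1 for trusted in COMPANY_DOMAINS)


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def analyze_message(raw: bytes) -> dict:
    """Collect the reasons a message looks like CEO fraud and give a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    reasons = []

    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        reasons.append(f"display name '{name}' but sender is {addr}")
    if is_lookalike(from_domain):
        reasons.append(f"lookalike sender domain {from_domain}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _domain(reply_to) != from_domain:
        reasons.append(f"Reply-To redirects replies to {reply_to}")
    auth = msg.get("Authentication-Results", "").lower()
    if from_domain in COMPANY_DOMAINS and "dmarc=pass" not in auth:
        reasons.append("claims internal sender but no DMARC pass")

    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    if any(w in text for w in URGENCY_WORDS) and any(w in text for w in PAYMENT_WORDS):
        reasons.append("urgent payment language")

    verdict = "hold for out-of-band verification" if len(reasons) >= 2 else "deliver"
    return {"reasons": reasons, "score": len(reasons), "verdict": verdict}


# Constructed sample messages for the demo.
SPOOFED = (b"From: Jane Doe <jane.doe@examp1e-fund.com>\r\n"
           b"To: accounts@example-fund.com\r\n"
           b"Reply-To: jane.private@mail.example\r\n"
           b"Subject: URGENT wire transfer today\r\n\r\n"
           b"Please pay the attached invoice immediately and keep this confidential.\r\n")
LEGIT = (b"From: Jane Doe <jane.doe@example-fund.com>\r\n"
         b"To: accounts@example-fund.com\r\n"
         b"Authentication-Results: mx.example-fund.com; dmarc=pass header.from=example-fund.com\r\n"
         b"Subject: Q3 board deck\r\n\r\n"
         b"Attached are the slides for review.\r\n")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, analyze_message(raw))
```

The verdict is deliberately "hold", not "reject": the four-eyes rule from the thread is enforced by forcing a call-back on a known number before money moves, and the scorer only decides which messages earn that call.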
20/ Then my favourite and most serious one:
COMPROMISING SERVER OR SERVICE PROVIDER
👇👇👇
21/ This could be either your server provider (the likes of Amazon, Google, Hetzner) or, more usually, your DNS provider.
24/ The worst opsec email you can receive is a transactional email stating your server has a new network card installed, which you did not order.
25/ EtherDelta, an early DEX, was the victim of a DNS hack. The attacker proxied the website and planted malicious elements into the web frontend. More here:
27/ Any server provider saying they are "privacy-oriented" and hosted in Switzerland usually means they are going to commit internal fraud on high-value customers. A real story.
Stick with Amazon, Google, Hetzner and the other tier-one providers.
28/ Encrypt your hot wallet directories yourself and require a password on reboot.
29/ For DNS, don't use GoDaddy or Namecheap; use the same registrar that Google uses. Any retail DNS registrar is a joke.
I have personally reset the @Namecheap two-factor authentication by only using the information in emails they sent to me.
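A DNS or registrar takeover of the EtherDelta kind shows up as a change in records you did not make, a new TLS certificate, a frontend that loads scripts you did not ship, or a missing registrar transfer lock. The following added example (mine, not EtherDelta's or anything from the thread) is the baseline comparison a team can run on a schedule. The hostname, addresses, fingerprints and script body are all constructed; in production the `observed` dict would be filled from a resolver query, a TLS handshake, a fetch of the frontend and the registrar's EPP status output.

```python
import base64
import hashlib


def sri_hash(content: bytes) -> str:
    """Subresource Integrity value for a script body (sha384, base64)."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()


def verify_sri(content: bytes, expected: str) -> bool:
    return sri_hash(content) == expected


# Constructed baseline for a hypothetical hostname: the records, certificate
# fingerprint, frontend script hashes and registrar locks the team has pinned.
GOOD_SCRIPT = b"window.app = { version: '1.0' };"
BASELINE = {
    "app.example-dex.invalid": {
        "A": {"203.0.113.10", "203.0.113.11"},
        "NS": {"ns1.example-dns.invalid", "ns2.example-dns.invalid"},
        "cert_sha256": "BASELINE-FINGERPRINT-PLACEHOLDER",
        "scripts": {"/static/app.js": sri_hash(GOOD_SCRIPT)},
        # EPP status codes a locked domain should carry at the registrar.
        "epp_status": {"clientTransferProhibited", "clientUpdateProhibited",
                       "clientDeleteProhibited"},
    }
}


def diff_observation(hostname: str, observed: dict) -> list:
    """Compare a fresh observation with the pinned baseline; return findings."""
    pinned = BASELINE[hostname]
    findings = []
    for rtype in ("A", "NS"):
        seen = set(observed.get(rtype, set()))
        extra, missing = seen - pinned[rtype], pinned[rtype] - seen
        if extra:
            findings.append(f"{rtype}:unexpected:{','.join(sorted(extra))}")
        if missing:
            findings.append(f"{rtype}:missing:{','.join(sorted(missing))}")
    if observed.get("cert_sha256") != pinned["cert_sha256"]:
        findings.append("tls:fingerprint-changed")
    for path, expected in pinned["scripts"].items():
        body = observed.get("scripts", {}).get(path)
        if body is None or not verify_sri(body, expected):
            findings.append(f"sri:mismatch:{path}")
    for lock in sorted(pinned["epp_status"] - set(observed.get("epp_status", set()))):
        findings.append(f"registrar:lock-missing:{lock}")
    return findings


def alert_needed(findings: list) -> bool:
    """Any finding at all is worth waking someone up for a hot-wallet host."""
    return bool(findings)


# Constructed observations: one healthy, one that looks like a takeover.
HEALTHY = {
    "A": {"203.0.113.10", "203.0.113.11"},
    "NS": {"ns1.example-dns.invalid", "ns2.example-dns.invalid"},
    "cert_sha256": "BASELINE-FINGERPRINT-PLACEHOLDER",
    "scripts": {"/static/app.js": GOOD_SCRIPT},
    "epp_status": {"clientTransferProhibited", "clientUpdateProhibited",
                   "clientDeleteProhibited"},
}
HIJACKED = {
    "A": {"198.51.100.77"},
    "NS": {"ns1.example-dns.invalid", "ns2.example-dns.invalid"},
    "cert_sha256": "DIFFERENT-FINGERPRINT-PLACEHOLDER",
    "scripts": {"/static/app.js": GOOD_SCRIPT + b"\n/* constructed injected code */"},
    "epp_status": {"clientDeleteProhibited"},
}

if __name__ == "__main__":
    for label, obs in (("healthy", HEALTHY), ("hijacked", HIJACKED)):
        print(label, diff_observation("app.example-dex.invalid", obs))
```

Run the check from a network the registrar and DNS provider cannot influence, and send the alert over a channel that does not depend on the monitored domain, since a hijacked domain can also redirect the e-mail you would otherwise be notified on.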
30/ FIN
As a disclaimer, I advise crypto hedge funds on security. My merits include being at the receiving end of every possible cryptocurrency exchange attack (inc. all of those mentioned above) and losing eight figures of money in a multisig wallet hack.
31/ The code is the only law the criminals honour.
32/ Now I am going to go to town to have some latte, as this tea makes me angry, and plan for my trip to Lisbon next week. See you there.
So you pulled off a successful blackhat hack, or you just happen to run a profitable ransomware operation. How to convert your profits to Lambos?
Let the daddy godfather @moo9000 tell you. A thread.
👇👇👇
2/ This is in the light of the recent OFAC notice against Suex (on paper in Prague, in practice in Russia), a money-laundering front. They laundered BTC for the ransomware gangs.
3/ Read this excellent fresh post by @trmlabs on the topic
1/ Climate activist arrested after ProtonMail discloses the IP address.
An interesting case for privacy, and why this is significant: a decentralisation and #infosec thread.
Put on your Guy Fawkes masks now.
👇👇👇
2/ "@ProtonMail received a legal request from Europol through Swiss authorities to provide information about Youth for Climate action in Paris, they provided the IP address and information on the type of device used to the police"
1/ The Go Ethereum 1.10.8 "hot fix" patch just went out. This is a critical patch; it seems to be an EVM-level exploit, so it affects the whole #Ethereum network.
What's the bug? That is the many-billion-dollar question.
Keep reading
👇👇👇
2/ The bug was originally discovered during the audit of Telos EVM, an EVM-as-a-smart-contract implementation on top of EOS.
Never heard of Telos? It's your VC-free grassroots effort, based on the EOS codebase.
1/ Welcome to the #DeFi Wednesday, my ladies and penguins.
My fellow DeFi plebs are in the midst of a dark week - namely the largest hack of ANY kind, EVER. And it happens to be a DeFi hack.
Let's dive into the dilemma of how to instantly lose $666M
👇👇👇
2/ Poly Network (not affiliated with Polygon or $MATIC) had its cross-chain asset bridge hacked yesterday.
As far as I know this was the largest fintech hack, or even a bug, EVER.
3/ What is a bridge?
This cross-chain bridge makes non-natively issued tokens available on other blockchains. For example, $ETH and $DAI natively exist only on the #Ethereum mainnet. If you trade $ETH or $DAI on Polygon or Binance Smart Chain, it is a bridged asset.
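To make "bridged asset" concrete, here is an added toy model of the lock-and-mint design most bridges use; it is my own illustration and not Poly Network's code or anything from the thread. The asset is locked on its native chain, a relayer carries a proof of the lock across, and the other chain mints a wrapped copy only against a valid, unused proof. Real bridges authenticate that proof with validator signatures or a light client; the HMAC here is a stand-in for that, and the key, balances and names are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Stand-in for the validators' signature: a key shared by the honest relayer
# and the destination contract. Constructed for the demo only.
RELAYER_KEY = b"demo-relayer-key"


def _proof(lock_id: int, recipient: str, amount: int) -> str:
    """Authenticate exactly the fields the destination will act on."""
    msg = f"{lock_id}:{recipient}:{amount}".encode()
    return hmac.new(RELAYER_KEY, msg, hashlib.sha256).hexdigest()


@dataclass
class SourceChain:
    """Holds the native asset; what is locked here backs the bridged supply."""
    balances: dict
    locked: int = 0
    events: list = field(default_factory=list)

    def lock(self, owner: str, recipient: str, amount: int) -> dict:
        if amount <= 0 or self.balances.get(owner, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[owner] -= amount
        self.locked += amount
        lock_id = len(self.events)
        event = {"lock_id": lock_id, "recipient": recipient, "amount": amount,
                 "proof": _proof(lock_id, recipient, amount)}
        self.events.append(event)
        return event


@dataclass
class DestinationChain:
    """Mints the wrapped token only against a valid, not-yet-used lock proof."""
    balances: dict = field(default_factory=dict)
    minted: int = 0
    consumed: set = field(default_factory=set)

    def mint(self, lock_id: int, recipient: str, amount: int, proof: str) -> bool:
        if lock_id in self.consumed:
            return False  # replayed proof
        if not hmac.compare_digest(proof, _proof(lock_id, recipient, amount)):
            return False  # forged proof, or a genuine proof with altered fields
        self.consumed.add(lock_id)
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        self.minted += amount
        return True


def solvent(src: SourceChain, dst: DestinationChain) -> bool:
    """The invariant every bridge must keep: wrapped supply <= locked backing."""
    return dst.minted <= src.locked


def demo() -> dict:
    src = SourceChain(balances={"alice": 100})
    dst = DestinationChain()
    event = src.lock("alice", "alice-on-dest", 40)
    results = {
        "honest_mint": dst.mint(**event),
        "replay": dst.mint(**event),
        "altered_amount": dst.mint(event["lock_id"], event["recipient"], 4000, event["proof"]),
        "no_lock": dst.mint(99, "mallory", 1000, "deadbeef"),
        "solvent": solvent(src, dst),
        "wrapped_balance": dst.balances.get("alice-on-dest", 0),
    }
    return results


if __name__ == "__main__":
    print(demo())
```

Whatever a particular bridge's bug turns out to be, the damage shows up as a violation of `solvent`: wrapped tokens that nothing on the native chain backs. Monitoring that one number across both chains catches the outcome even when the specific exploit path is unknown.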