Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Tay 💖 Profile picture
@tayvano_
May 24, 2023 10 tweets 6 min read Read on X
Scrolly
⚠️ Heads up y'all—we're seen a huge increase in the # of ultra-targeted spearphishes lately.

The most deadly one? A Google Doc share that appears to come from *someone you know* about *something you're interested in*

It won’t be flagged and looks super legit.

DO NOT CLICK! 🙏 Image
This campaign is the work of #Lazarus / #APT38 / #DangerousPassword / #T444

aka the same crew that compromised Ronin, Harmony, bZx, Bondly, EasyFi, mngr, Arthur0x, Hugh Karp, etc. etc. etc.

Their spear-phishing methods are diverse, targetted, and hard-to-detect. Image
Recent subject lines / filenames:

Fast Changes in NFT Price (Protected)
Investor Demo Day-Animoca Brands (Protected)
Jump Crypto Investment Agreement
New Credit Investment Opportunity
Spirit Blockchain Capital 2023 - Pitch Deck

Opening the file *may* result in something like: ImageImageImage
If you think you’re too smart to get phished, think again.

They don't spam some airdrop bs, they capitalize on the fact you’re back-to-back all day.

They get you to do what you already do all the time: click a "Google" link from a "colleague."

proofpoint.com/us/blog/threat… Image
And if you accidentally give them a sliver of access, they will silently drop malware made just for you.

Mac, Windows, Linux, anti-virus software, malware scans—it doesn't matter.

They have some new-fangled Mac malware written in Rust:

jamf.com/blog/bluenorof…
And here's some of their latest Windows shit. They always seem to be iterating and experimenting in order to evade detection:

securelist.com/bluenoroff-met…
Think you're safe because you're a hardcore Linux-only person?

lol rip

welivesecurity.com/2023/04/20/lin…
In the past they've dropped a *custom-built MM🦊* that stole funds from a founder's *secured* hardware wallet.

They literally rewrote chunks of MM in order to hide the theft txn behind the legitimate txn he intended to sign. 😱

securelist.com/the-bluenoroff…
Don't get cocky.

I've got countless stories this month from founders and funds seeing these hit their inboxes.

You need to stop clicking links and downloading files—whether they come via email, Telegram, WhatsApp, Linkedin, whatever. ImageImage
If you clicked / downloaded anything that looks like the above, you need to sound the alarm *now.*

- Consider your shit completely compromised
- Get help from experts
- Rotate all keys & pws
- Secure any servers, infra, smart contracts you have access/admin to

PLZ STAY SAFE! 💖 ImageImageImageImage

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Tay 💖

Tay 💖 Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @tayvano_

Tay 💖 Profile picture
Dec 28, 2024
🚨 Heads up all—some dudes have a slick, new way of dropping some nasty malware.

Feels infostealer-y on the surface but...its not.🫠

It'll really, deeply rekt you.

Pls share this w/ your friends, devs, and multisig signers. Everyone needs to be careful + stay skeptical. 🙏Image
If you get hit with this, you need to wipe your computer. Esp. if your wallets haven't been drained.

Shoot SEAL-911 a message @ and we will help you assess -> next steps.

p.s. mention 'Willo' so we can help you faster (holidays, ppl are afk, etc.)t.me/seal_911_bot
How it works / what we've seen:

Usually starts with a "recruiter" from known company e.g. Kraken, MEXC, Gemini, Meta.

Pay ranges + messaging style are attractive—even to those not actively job hunting.

Mostly via Linkedin. Also freelancer sites, job sites, tg, discord, etc.Image
Read 10 tweets
Tay 💖 Profile picture
Dec 22, 2024
DPRK's trading career is...uh....going.....🙈

tbh if i was the dude managing Hyperliquid's 4 validators (or those fucking ghetto ass binaries on gh) I would be shitting my pants right now.

Hyperliquid dudes dont seem worried at all though so im sure its fine. 🫠 Image
lol @ all you retards who think the risk is USG forcing Hyperliquid to freeze AAAAAAAAAAHHAHAHHHAHAHAHAHAHAHHAHHAHAHHAHAHHAHAHAHAHHAHAHHAHAHHAHAHAHHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHHAHAHAHAHHAHAHAHAHAHAAHAHHAHAHAHHAHAHAHHAHAHAHA

Yall, DPRK doesn't trade. DPRK tests.🤦‍♀️
my offer from 2 weeks ago still stands @HyperliquidX

i'm still happy to do it async or via a call. i can even give you one of my super nice happy colleagues if you don't like me.

but a massive amt of harm will come to people if you don't harden your ass asap. Image
Read 4 tweets
Tay 💖 Profile picture
Nov 16, 2024
Gotta correct the record on a headline that's been running wild lately re: the WazirX hack.

Bc it is NOT significant. Or a "breakthrough."

Dude they arrested wasnt involved in the hack. He doesnt know the hackers.

Plz stop regurgitating self-aggrandizing press releases. Image
Here's the actual situation:

At some point prior to July 2024 the actual hackers landed a backdoor onto something that gave them some access to the WazirX multisig signers and/or their signatures.

We don't know what or who was compromised and it doesn't really matter.
Initial toehold was likely gained by tricking someone at WazirX or Liminal into installing malware -> escalated from there.

This access allowed the hackers to intercept/insert invisible, malicious payloads for signing in a way where none of the 3+ signers were able to notice.
Read 21 tweets
Tay 💖 Profile picture
Oct 20, 2024
With the recent sophisticated hacks fresh on everyone's mind, there's been a lot of talk about ✨fancy stacks and setups.✨

Yes, you should evaluate how—and with what—you sign txns.

But building a custom UI for your LAN Qubes OS AWS KMS everyday is not really the answer 😅
Background on the referenced hacks (feel free to skip):

1. Funds were stolen from each org's multisig.

2. Keys themselves were not compromised.

3. In Radiant and WazirX and maybe DMM, the keys backing the multisig were actually only on hardware wallets + actually controlled by distinct parties.

Radiant - $50m, like 2 days ago
medium.com/@RadiantCapita…

WazirX - $230m in July
x.com/WazirXIndia/st…
liminalcustody.com/blog/update-on…

DMM Bitcoin - $305m in May
The least amt is known about DMM, including whether keys were cold vs hot. Early theories said address poisoning. It def wasn't that. Attached is rampant speculation (likely all wrong)
See also: x.com/mononautical/s…Image
Image
Image
Also, note, any organization that can implement / enforce EDR, etc. should do so. Full stop. End of conversation.

However, the crypto industry generally considers this a non-starter for all sorts of philosophical + practical reasons.

So, until we get there, here's the deal:
Read 15 tweets
Tay 💖 Profile picture
Sep 5, 2024
Alright so comments here are a bit looney and I don’t particularly like them bc it distracts and undermines the actual risk.

Spoiler: @coinbase getting hacked is not the risk.

But there is still risk. Even when using Coinbase.
This gunna be long. Sorry. But it needs to be said. Clearly.

First: the reason I say Coinbase is not the risk is because they take INSANE measures to mitigate the risk of being hacked.

They always have.

They are really fucking serious abt security across the board.
Coinbase is NOT different bc they’ve *eliminated* the risk though.

Bc they haven’t. Bc they can’t. NO ONE CAN.

This shit is wild. The incentives are too much. The hackers have too many resources.

They will literally burn 0 days to get at Coinbase. They *have* burned 0 days.
Read 18 tweets
Tay 💖 Profile picture
Jul 8, 2024
Crypto folks (hopefully) already know that Lazarus is one of the most prevalent threat actors targeting this industry.

They rekt more people, companies, protocols than anyone else.

But it's good to know exactly how they get in. Bc another smart contract audit won't save you.
For example, one long-time fave method:
- Contact employee via social/messaging app
- Direct them to a Github for a job offer, "skills test," or to help with a bug
- Rekt individual's device
- Gain entry to company's AWS
- Rekt company (and their users)

cloud.google.com/blog/topics/th…
Image
With permission, I’m sharing a recent convo that led to $2m+ stolen so you can see how this DPRK crew (TraderTraitor) is operating today.

These convos are pretty rare to see. Thefts occur months later, so very few uncover how the initial entry was made.

cisa.gov/news-events/cy…Image
Read 14 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(