Tay 💖
May 24, 2023 · 10 tweets · 6 min read
⚠️ Heads up y'all—we've seen a huge increase in the # of ultra-targeted spearphishes lately.

The most deadly one? A Google Doc share that appears to come from *someone you know* about *something you're interested in*

It won’t be flagged and looks super legit.

DO NOT CLICK! 🙏
This campaign is the work of #Lazarus / #APT38 / #DangerousPassword / #T444

aka the same crew that compromised Ronin, Harmony, bZx, Bondly, EasyFi, mngr, Arthur0x, Hugh Karp, etc. etc. etc.

Their spear-phishing methods are diverse, targeted, and hard to detect.
Recent subject lines / filenames:

Fast Changes in NFT Price (Protected)
Investor Demo Day-Animoca Brands (Protected)
Jump Crypto Investment Agreement
New Credit Investment Opportunity
Spirit Blockchain Capital 2023 - Pitch Deck

Opening the file *may* result in something like:
If you think you’re too smart to get phished, think again.

They don't spam some airdrop bs, they capitalize on the fact you’re back-to-back all day.

They get you to do what you already do all the time: click a "Google" link from a "colleague."

proofpoint.com/us/blog/threat…
And if you accidentally give them a sliver of access, they will silently drop malware made just for you.

Mac, Windows, Linux, anti-virus software, malware scans—it doesn't matter.

They have some new-fangled Mac malware written in Rust:

jamf.com/blog/bluenorof…
And here's some of their latest Windows shit. They always seem to be iterating and experimenting in order to evade detection:

securelist.com/bluenoroff-met…
Think you're safe because you're a hardcore Linux-only person?

lol rip

welivesecurity.com/2023/04/20/lin…
In the past they've dropped a *custom-built MM🦊* that stole funds from a founder's *secured* hardware wallet.

They literally rewrote chunks of MM in order to hide the theft txn behind the legitimate txn he intended to sign. 😱

securelist.com/the-bluenoroff…
Don't get cocky.

I've got countless stories this month from founders and funds seeing these hit their inboxes.

You need to stop clicking links and downloading files—whether they come via email, Telegram, WhatsApp, LinkedIn, whatever.
If you clicked / downloaded anything that looks like the above, you need to sound the alarm *now.*

- Consider your shit completely compromised
- Get help from experts
- Rotate all keys & pws
- Secure any servers, infra, smart contracts you have access/admin to

PLZ STAY SAFE! 💖
