Tay 💖 (@tayvano_)
May 24 · 10 tweets
⚠️ Heads up y'all—we've seen a huge increase in the # of ultra-targeted spearphishes lately.

The most deadly one? A Google Doc share that appears to come from *someone you know* about *something you're interested in*

It won’t be flagged and looks super legit.

DO NOT CLICK! 🙏
This campaign is the work of #Lazarus / #APT38 / #DangerousPassword / #T444

aka the same crew that compromised Ronin, Harmony, bZx, Bondly, EasyFi, mngr, Arthur0x, Hugh Karp, etc. etc. etc.

Their spear-phishing methods are diverse, targeted, and hard to detect.
Recent subject lines / filenames:

Fast Changes in NFT Price (Protected)
Investor Demo Day-Animoca Brands (Protected)
Jump Crypto Investment Agreement
New Credit Investment Opportunity
Spirit Blockchain Capital 2023 - Pitch Deck

Opening the file *may* result in something like:
If you think you’re too smart to get phished, think again.

They don't spam some airdrop bs, they capitalize on the fact you’re back-to-back all day.

They get you to do what you already do all the time: click a "Google" link from a "colleague."

proofpoint.com/us/blog/threat…
And if you accidentally give them a sliver of access, they will silently drop malware made just for you.

Mac, Windows, Linux, anti-virus software, malware scans—it doesn't matter.

They have some new-fangled Mac malware written in Rust:

jamf.com/blog/bluenorof…
And here's some of their latest Windows shit. They always seem to be iterating and experimenting in order to evade detection:

securelist.com/bluenoroff-met…
Think you're safe because you're a hardcore Linux-only person?

lol rip

welivesecurity.com/2023/04/20/lin…
In the past they've dropped a *custom-built MM🦊* that stole funds from a founder's *secured* hardware wallet.

They literally rewrote chunks of MM in order to hide the theft txn behind the legitimate txn he intended to sign. 😱

securelist.com/the-bluenoroff…
Don't get cocky.

I've got countless stories this month from founders and funds seeing these hit their inboxes.

You need to stop clicking links and downloading files—whether they come via email, Telegram, WhatsApp, LinkedIn, whatever.
If you clicked / downloaded anything that looks like the above, you need to sound the alarm *now.*

- Consider your shit completely compromised
- Get help from experts
- Rotate all keys & pws
- Secure any servers, infra, smart contracts you have access/admin to

PLZ STAY SAFE! 💖
