Gotta correct the record on a headline that's been running wild lately re: the WazirX hack.

Bc it is NOT significant. Or a "breakthrough."

Dude they arrested wasnt involved in the hack. He doesnt know the hackers.

Plz stop regurgitating self-aggrandizing press releases. Here's the actual situation:

At some point prior to July 2024 the actual hackers landed a backdoor onto something that gave them some access to the WazirX multisig signers and/or their signatures.

We don't know what or who was compromised and it doesn't really matter.

With the recent sophisticated hacks fresh on everyone's mind, there's been a lot of talk about ✨fancy stacks and setups.✨

Yes, you should evaluate how—and with what—you sign txns.

But building a custom UI for your LAN Qubes OS AWS KMS everyday is not really the answer 😅 Background on the referenced hacks (feel free to skip):

1. Funds were stolen from each org's multisig.

2. Keys themselves were not compromised.

3. In Radiant and WazirX and maybe DMM, the keys backing the multisig were actually only on hardware wallets + actually controlled by distinct parties.

Radiant - $50m, like 2 days ago
medium.com/@RadiantCapita…

WazirX - $230m in July
x.com/WazirXIndia/st…
liminalcustody.com/blog/update-on…

DMM Bitcoin - $305m in May
The least amt is known about DMM, including whether keys were cold vs hot. Early theories said address poisoning. It def wasn't that. Attached is rampant speculation (likely all wrong)
See also: x.com/mononautical/s…

Alright so comments here are a bit looney and I don’t particularly like them bc it distracts and undermines the actual risk.

Spoiler: @coinbase getting hacked is not the risk.

But there is still risk. Even when using Coinbase.

https://twitter.com/eleanorterrett/status/1831352537670131890

This gunna be long. Sorry. But it needs to be said. Clearly.

First: the reason I say Coinbase is not the risk is because they take INSANE measures to mitigate the risk of being hacked.

They always have.

They are really fucking serious abt security across the board.

Crypto folks (hopefully) already know that Lazarus is one of the most prevalent threat actors targeting this industry.

They rekt more people, companies, protocols than anyone else.

But it's good to know exactly how they get in. Bc another smart contract audit won't save you. For example, one long-time fave method:
- Contact employee via social/messaging app
- Direct them to a Github for a job offer, "skills test," or to help with a bug
- Rekt individual's device
- Gain entry to company's AWS
- Rekt company (and their users)

cloud.google.com/blog/topics/th…

this wild af

https://twitter.com/c7five/status/1803403565865771370

episode 2 even wilder

https://x.com/CertiK/status/1803450205389402215

🧵Highlights from the UN Security Council's 2023 report on DPRK

This one was a whopping 615 pages 😳

These reports are always like a birds eye view of random, raw, deep intel. They're amazing and shed light on attribution, irl banking networks, etc.

un.org/securitycounci… re: Maybachs

Orbit Bridge Hack looking v methodical 👀

Looks like 2024 is going to be another year of handing DPRK billions of dollars on a silver platter. 🙄

embarrassing af. Attacker
0x9263e7873613ddc598a701709875634819176aff

Funds Holders
0x009b60aab8e64c8f5fe449bd96fa78b1a7fffcc5
0x3a886a63c768665a9830886e608d6f9dc6b4f730
0x817bb1761b715a08a9142f99fa7d0ccf73f4c0ef
0x157a409c2bfff38209a32e55d3eac1bfc93dd664
0x5e22cb028865d6a93080d7ab42d2fe9a0e8dc085
0xd283fa3bd85887725c8982f539cc404a450f7fd9
0xf49de491e1c0d84a0e0bd2d57a841825fcf179fd
0x589257e07e11e761f31956d54b2323f63ee36b7d

Receivers
0x009b60aab8e64c8f5fe449bd96fa78b1a7fffcc5
0x3a886a63c768665a9830886e608d6f9dc6b4f730
0xa70f8917a957757f5505a5535df1591c54f65b9d
0x9ca536d01b9e78dd30de9d7457867f8898634049
0xdadfa3ccd40fc3d5a0164c6f9444f60163ccbf3b

Intermediaries
0x0c43edeb2ee69c27d689e912ab5b8e8eef128d4c
0x42839f4423985b5ef989498b0605b1dcca8f0df1
0xe03d37392255fd1dae5476b04388315cc70b78c2

Attacker Funder (from TC)
0x70462bfb204bf3ccb0560f259072f8e3a85b3512

Instaswapper Depo from Attacker
0xbad82ca05bd3d40b783d39e52abc1446f33aae12

Instaswapper Receiver on XRP
rN7EFW25YcGG6nzRY4W7TbX5tRyngW1Dj1

When it comes to financial crime, money laundering, etc. everyone goes thru a phase of thinking that the solution is knowing the identity of the account holder.

"if only we knew who moved these assets! then we would be able to catch them and stop crime!"

N O . Literally NO.

It doesn't work at any scale. It's never worked at any scale. It never will work at any scale.

AML laws and all the related shit don't stop crime or money laundering. And it never has.

And it's really important to note that the implementation is NOT the issue.

A thread of misc. interesting things related to the Atomic Wallet hack, Lazarus, and especially what sprawling hacks look like on-chain.

(this thread is gunna get into the weeds. i suggest the other thread if you want something shallow and easy-to-digest 😉)

https://twitter.com/tayvano_/status/1668778031790587905

On Fri June 2nd, thousands of Atomic Wallet users had their wallets drained across basically every chain.

Each theft involved 1-3 new addies. Initially we were only able to link thefts on-chain if they sent gas to multiple addresses.

(green guys are what we put alerts on first)

⚠️ Heads up y'all—we're seen a huge increase in the # of ultra-targeted spearphishes lately.

The most deadly one? A Google Doc share that appears to come from *someone you know* about *something you're interested in*

It won’t be flagged and looks super legit.

DO NOT CLICK! 🙏 This campaign is the work of #Lazarus / #APT38 / #DangerousPassword / #T444

aka the same crew that compromised Ronin, Harmony, bZx, Bondly, EasyFi, mngr, Arthur0x, Hugh Karp, etc. etc. etc.

Their spear-phishing methods are diverse, targetted, and hard-to-detect.

For the past 48hrs I've been unwinding a massive wallet draining operation 😳😭

I don't know how big it is but since Dec 2022 it's drained 5000+ ETH and ??? in tokens / NFTs / coins across 11+ chains.

Its rekt my friends & OGs who are reasonably secure.

No one knows how. Specifically we are in contact with a handful of victims from July and August who each individually lost between $400k and $4m.

In fact, the amount stolen per victim seem to be increasing over time.

Where the average amt stolen per victim was ~$50k in April, it's now $300k+

hey anyone know whos onboarding the most people to web3 right now?

like taking people who have never done crypto stuff before and getting them to set up an account on a CEX, buy some crypto w/ their fiat, send the coins to their own wallet, and then interact with a dapp?

🤔 "bear market"

👀 @sentimentxyz

arbiscan.io/tx/0xb91e4cd53… gm sentiment exploiter

Before I forget, I want to share some things I observed here w/ the hopes it helps other teams facing an exploit in the future.

IMHO, the single most valuable thing the Euler team did was fully *own* the responsibility of getting the funds returned. And they never gave up.

https://twitter.com/eulerfinance/status/1643027386802270210

They talked to—and *listened* to—people who had done it before. They got help. They worked with the FBI and their legal counsel. They leaned on everyone for *support.*

But their attitude was that no one else was going to get the funds returned so they better get them returned.

The selling of this bitcoin is, by far, the least interesting part of the saga.

The govt's seizure, the dude who had his bitcoin seized, and why it even got seized in the first place is full of so many amazing, hysterical, enraging gems.

Heads up...not a short story. Buckle up.

https://twitter.com/tier10k/status/1641821284341280768

To set the stage, dude w/ the bitcoin is a super OG bitcoiner living in Gainesville, Georgia.

In Sept 2012 he executed a very basic "hack" on the Silk Road and withdrew the coins.

Not a bad dude. Not a huge hack either. Way less than a mil at the time.

justice.gov/usao-sdny/pr/u…

🚨 If you're using Cloudflare for your web3 product, stop what you're doing right now.

You NEED to:

1. Rotate the Global API Key for all your accounts

2. Remove all accounts added to your Cloudflare unless you rotated their Global API Key in step 1

developers.cloudflare.com/fundamentals/a… I know this sounds dramatic, but it's really not. Please do this. 🙏

The Global API Keys are deadly.

They will rekt you even after youve rotated tokens, changed passwords, or revoked employee access in your offboarding.

They will rekt you even if youre sure they cant rekt you

Looked at the timing and transactions around the Euler Finance exploit.

The onchain movements before, during, and after the exploit txns line up with the story told by 0x5F25

There's def 2 diff actors at play and only of them has control of any funds.

etherscan.io/tx/0x44b559c86… Euler Exploiter EOA 1 + 2, Contract 2
(pink, red, the one who has the $)

0xb2698c2d99ad2c302a95a8db26b08d17a77cedd4
0x036cec1a199234fc02f72d29e596a09440825f1c
0xb66cd966670d962c227b3eaba30a872dbfb995db
0xc66dfa84bc1b93df194bd964a41282da65d73c9a

There are a few things that have always stood out to me about these cases:

1. It requires meeting in person

2. It requires them to send a txn / new wallet

I’ve seen all phones, computers, Exodus, Trust Wallet, Blockchain.

I really really dont think it’s malware.

https://twitter.com/trustwallet/status/1623355786557632512

The scam has been going on for years. Most recently we’ve seen Rome. Also seen in Antwerp, Brussels, Amsterdam, and Barcelona. The earliest cases I’m aware of are from 2020.

hey CT I genuinely need your help

im trying to compile a buttload of cases where people shared (publicly) their story of how they got rekt by their wallet. key theft, phishing, approval scams, scam scams, etc

if you know of one (or five), id love if you could link them here. 💖 Here's examples of the types of stuff I'm looking for.

https://twitter.com/divergencearran/status/1618359162551009281

so uhhh i dont wanna alarm anyone but i think we're all fucked

or maybe its just those who use
circleci
slack
okta
auth0
lastpass
travisci
heroku
oauth
github
npm
twilio
authy
signal
cloudflare
mailchimp
digital ocean
or anything that hasnt realized its been breached yet

🤷‍♀️😬🧵 CircleCI
December 21 2022 - January 4 2023

"we are confident that there are no unauthorized actors active in our systems"

circleci.com/blog/january-4…

the newest iteration of the twitter scam bots are pretty cute. they're all under 30 "y.o" + have lil nft pfps + face emojis in their names + are fans of activities that have a verb emojis + retweet old shit thousands of times but never a single old tweet more than 5 times/day please someone violently murder them and their stupid inspirational quotes too