Tay 💖
dont believe their lies 🦊 💖🗡️
Apr 10 25 tweets 14 min read
🧵Highlights from the UN Security Council's 2023 report on DPRK

This one was a whopping 615 pages 😳

These reports are always like a birds eye view of random, raw, deep intel. They're amazing and shed light on attribution, irl banking networks, etc.

un.org/securitycounci…

re: Maybachs
Jan 1 9 tweets 3 min read
Orbit Bridge Hack looking v methodical 👀

Looks like 2024 is going to be another year of handing DPRK billions of dollars on a silver platter. 🙄

embarrassing af.
Jul 10, 2023 25 tweets 6 min read
When it comes to financial crime, money laundering, etc. everyone goes thru a phase of thinking that the solution is knowing the identity of the account holder.

"if only we knew who moved these assets! then we would be able to catch them and stop crime!"

N O . twitter.com/i/web/status/1…

Literally NO.

It doesn't work at any scale. It's never worked at any scale. It never will work at any scale.

AML laws and all the related shit don't stop crime or money laundering. And it never has.

And it's really important to note that the implementation is NOT the issue.
Jun 14, 2023 23 tweets 11 min read
A thread of misc. interesting things related to the Atomic Wallet hack, Lazarus, and especially what sprawling hacks look like on-chain.

(this thread is gunna get into the weeds. i suggest the other thread if you want something shallow and easy-to-digest 😉)

On Fri June 2nd, thousands of Atomic Wallet users had their wallets drained across basically every chain.

Each theft involved 1-3 new addies. Initially we were only able to link thefts on-chain if they sent gas to multiple addresses.

(green guys are what we put alerts on first)
May 24, 2023 10 tweets 6 min read
⚠️ Heads up y'all—we've seen a huge increase in the # of ultra-targeted spearphishes lately.

The most deadly one? A Google Doc share that appears to come from *someone you know* about *something you're interested in*

It won’t be flagged and looks super legit.

DO NOT CLICK! 🙏

This campaign is the work of #Lazarus / #APT38 / #DangerousPassword / #T444

aka the same crew that compromised Ronin, Harmony, bZx, Bondly, EasyFi, mngr, Arthur0x, Hugh Karp, etc. etc. etc.

Their spear-phishing methods are diverse, targeted, and hard-to-detect.
Apr 18, 2023 23 tweets 6 min read
For the past 48hrs I've been unwinding a massive wallet draining operation 😳😭

I don't know how big it is but since Dec 2022 it's drained 5000+ ETH and ??? in tokens / NFTs / coins across 11+ chains.

It's rekt my friends & OGs who are reasonably secure.

No one knows how.

Specifically we are in contact with a handful of victims from July and August who each individually lost between $400k and $4m.

In fact, the amount stolen per victim seems to be increasing over time.

Where the average amt stolen per victim was ~$50k in April, it's now $300k+
Apr 14, 2023 17 tweets 6 min read
hey anyone know whos onboarding the most people to web3 right now?

like taking people who have never done crypto stuff before and getting them to set up an account on a CEX, buy some crypto w/ their fiat, send the coins to their own wallet, and then interact with a dapp?

🤔

"bear market"
Apr 5, 2023 6 tweets 3 min read
👀 @sentimentxyz

arbiscan.io/tx/0xb91e4cd53…

gm sentiment exploiter
Apr 4, 2023 6 tweets 2 min read
Before I forget, I want to share some things I observed here w/ the hopes it helps other teams facing an exploit in the future.

IMHO, the single most valuable thing the Euler team did was fully *own* the responsibility of getting the funds returned. And they never gave up. They talked to—and *listened* to—people who had done it before. They got help. They worked with the FBI and their legal counsel. They leaned on everyone for *support.*

But their attitude was that no one else was going to get the funds returned so they better get them returned.
Mar 31, 2023 37 tweets 20 min read
The selling of this bitcoin is, by far, the least interesting part of the saga.

The govt's seizure, the dude who had his bitcoin seized, and why it even got seized in the first place is full of so many amazing, hysterical, enraging gems.

Heads up...not a short story. Buckle up.

To set the stage, dude w/ the bitcoin is a super OG bitcoiner living in Gainesville, Georgia.

In Sept 2012 he executed a very basic "hack" on the Silk Road and withdrew the coins.

Not a bad dude. Not a huge hack either. Way less than a mil at the time.

justice.gov/usao-sdny/pr/u…
Mar 23, 2023 13 tweets 6 min read
🚨 If you're using Cloudflare for your web3 product, stop what you're doing right now.

You NEED to:

1. Rotate the Global API Key for all your accounts

2. Remove all accounts added to your Cloudflare unless you rotated their Global API Key in step 1

developers.cloudflare.com/fundamentals/a…

I know this sounds dramatic, but it's really not. Please do this. 🙏

The Global API Keys are deadly.

They will rekt you even after youve rotated tokens, changed passwords, or revoked employee access in your offboarding.

They will rekt you even if youre sure they cant rekt you
Mar 13, 2023 5 tweets 2 min read
Looked at the timing and transactions around the Euler Finance exploit.

The onchain movements before, during, and after the exploit txns line up with the story told by 0x5F25

There's def 2 diff actors at play and only one of them has control of any funds.

etherscan.io/tx/0x44b559c86…

Euler Exploiter EOA 1 + 2, Contract 2
(pink, red, the one who has the $)

0xb2698c2d99ad2c302a95a8db26b08d17a77cedd4
0x036cec1a199234fc02f72d29e596a09440825f1c
0xb66cd966670d962c227b3eaba30a872dbfb995db
0xc66dfa84bc1b93df194bd964a41282da65d73c9a
Feb 8, 2023 20 tweets 4 min read
There are a few things that have always stood out to me about these cases:

1. It requires meeting in person

2. It requires them to send a txn / new wallet

I’ve seen all phones, computers, Exodus, Trust Wallet, Blockchain.

I really really dont think it’s malware.

The scam has been going on for years. Most recently we’ve seen Rome. Also seen in Antwerp, Brussels, Amsterdam, and Barcelona. The earliest cases I’m aware of are from 2020.
Jan 30, 2023 81 tweets 18 min read
hey CT I genuinely need your help

im trying to compile a buttload of cases where people shared (publicly) their story of how they got rekt by their wallet. key theft, phishing, approval scams, scam scams, etc

if you know of one (or five), id love if you could link them here. 💖

Here's examples of the types of stuff I'm looking for.

Jan 5, 2023 25 tweets 15 min read
so uhhh i dont wanna alarm anyone but i think we're all fucked

or maybe its just those who use
circleci
slack
okta
auth0
lastpass
travisci
heroku
oauth
github
npm
twilio
authy
signal
cloudflare
mailchimp
digital ocean
or anything that hasnt realized its been breached yet

🤷‍♀️😬🧵

CircleCI
December 21 2022 - January 4 2023

"we are confident that there are no unauthorized actors active in our systems"

circleci.com/blog/january-4…
Jan 4, 2023 6 tweets 3 min read
the newest iteration of the twitter scam bots are pretty cute. they're all under 30 "y.o" + have lil nft pfps + face emojis in their names + are fans of activities that have a verb emojis + retweet old shit thousands of times but never a single old tweet more than 5 times/day

please someone violently murder them and their stupid inspirational quotes too
Dec 14, 2022 7 tweets 14 min read
@DomSchiener @BadgerDAO @iota @moonpay @Mandiant @DavidSonstebo @Cloudflare @hascj hey so i dunno whos still on this but heres what im v confident abt. happy to provide more detail on any of this.

1. BadgerDAO + Iota were def same attacker and that attacker is nearly certainly lazarus / apt37

2. Klayswap BGP Feb'22

injected JS + long prep time + targets end-users (+more) matches to Badger/Iota attacks

BGP + deep niche crypto knowledge (+more) matches to Celer cBridge BGP coinbase.com/blog/celer-bri…

supply chain + JS inject (+more) matches to older Gate/Statcounter
Nov 12, 2022 14 tweets 5 min read
fwiw what I'm seeing on chain doesnt conflict with the story being told by FTX....

1. txns were composed and sent in a certain way for at least the past few months
Nov 11, 2022 14 tweets 4 min read
so i was washing dishes and my podcast ended and it went back to the last podcast i listened to which happened to be the @BanklessHQ episode with @ErikVoorhees and SBF and wowwwwww its so different the second time around 😳

Erik: "Sam's proposal that a stablecoin should be regulated—at least such that a provider has to prove that it has reserves for the tokens—would be a higher bar than the Federal Reserve..."
Nov 11, 2022 8 tweets 3 min read
if you still have coins on an exchange or custodial platform, you *need* to get them onto your own keys right now.

FTX is the first domino to fall, not the last.

dont make excuses. you’re not too tired or busy for this. sit your ass down and fucking do it.

right now.

the only worthwhile thing about crypto is the fact it gives *you* the ability to be in full control of your future.

all other promises are derivative lies.

in order to take advantage *you* have to actually do the work. it's not hard. but you must do it.

metamask.zendesk.com/hc/en-us/artic…
Nov 10, 2022 5 tweets 2 min read
lolllllllllllllllllllll this ecosystem is fucking pitiful sometimes

it's been nearly a decade since mt gox. we talked about decentralization and proof of reserves.

luna was 6 months ago. we talked about decentralization and proof of reserves.

there's a reason we do the same thing again and again and again and again and again and again.