Tay 💖
dont believe their lies 🦊 💖🗡️
7 subscribers
Nov 16 21 tweets 6 min read
Gotta correct the record on a headline that's been running wild lately re: the WazirX hack.

Bc it is NOT significant. Or a "breakthrough."

Dude they arrested wasn't involved in the hack. He doesn't know the hackers.

Plz stop regurgitating self-aggrandizing press releases.

Here's the actual situation:

At some point prior to July 2024 the actual hackers landed a backdoor onto something that gave them some access to the WazirX multisig signers and/or their signatures.

We don't know what or who was compromised and it doesn't really matter.
Oct 20 15 tweets 5 min read
With the recent sophisticated hacks fresh on everyone's mind, there's been a lot of talk about ✨fancy stacks and setups.✨

Yes, you should evaluate how—and with what—you sign txns.

But building a custom UI for your LAN Qubes OS AWS KMS every day is not really the answer 😅

Background on the referenced hacks (feel free to skip):

1. Funds were stolen from each org's multisig.

2. Keys themselves were not compromised.

3. In Radiant and WazirX and maybe DMM, the keys backing the multisig were actually only on hardware wallets + actually controlled by distinct parties.

Radiant - $50m, like 2 days ago
medium.com/@RadiantCapita…

WazirX - $230m in July
x.com/WazirXIndia/st…
liminalcustody.com/blog/update-on…

DMM Bitcoin - $305m in May
The least amt is known about DMM, including whether keys were cold vs hot. Early theories said address poisoning. It def wasn't that. Attached is rampant speculation (likely all wrong)
See also: x.com/mononautical/s…
Sep 5 18 tweets 4 min read
Alright so comments here are a bit looney and I don’t particularly like them bc it distracts and undermines the actual risk.

Spoiler: @coinbase getting hacked is not the risk.

But there is still risk. Even when using Coinbase. This gunna be long. Sorry. But it needs to be said. Clearly.

First: the reason I say Coinbase is not the risk is because they take INSANE measures to mitigate the risk of being hacked.

They always have.

They are really fucking serious abt security across the board.
Jul 8 14 tweets 8 min read
Crypto folks (hopefully) already know that Lazarus is one of the most prevalent threat actors targeting this industry.

They rekt more people, companies, protocols than anyone else.

But it's good to know exactly how they get in. Bc another smart contract audit won't save you. For example, one long-time fave method:
- Contact employee via social/messaging app
- Direct them to a GitHub for a job offer, "skills test," or to help with a bug
- Rekt individual's device
- Gain entry to company's AWS
- Rekt company (and their users)

cloud.google.com/blog/topics/th…
Apr 10 25 tweets 14 min read
🧵Highlights from the UN Security Council's 2023 report on DPRK

This one was a whopping 615 pages 😳

These reports are always like a bird's-eye view of random, raw, deep intel. They're amazing and shed light on attribution, irl banking networks, etc.

un.org/securitycounci…

re: Maybachs
Jan 1 9 tweets 3 min read
Orbit Bridge Hack looking v methodical 👀

Looks like 2024 is going to be another year of handing DPRK billions of dollars on a silver platter. 🙄

embarrassing af.
Jul 10, 2023 30 tweets 6 min read
When it comes to financial crime, money laundering, etc. everyone goes thru a phase of thinking that the solution is knowing the identity of the account holder.

"if only we knew who moved these assets! then we would be able to catch them and stop crime!"

N O . Literally NO.

It doesn't work at any scale. It's never worked at any scale. It never will work at any scale.

AML laws and all the related shit don't stop crime or money laundering. And it never has.

And it's really important to note that the implementation is NOT the issue.
Jun 14, 2023 23 tweets 11 min read
A thread of misc. interesting things related to the Atomic Wallet hack, Lazarus, and especially what sprawling hacks look like on-chain.

(this thread is gunna get into the weeds. i suggest the other thread if you want something shallow and easy-to-digest 😉) On Fri June 2nd, thousands of Atomic Wallet users had their wallets drained across basically every chain.

Each theft involved 1-3 new addies. Initially we were only able to link thefts on-chain if they sent gas to multiple addresses.

(green guys are what we put alerts on first)
May 24, 2023 10 tweets 6 min read
⚠️ Heads up y'all—we've seen a huge increase in the # of ultra-targeted spearphishes lately.

The most deadly one? A Google Doc share that appears to come from *someone you know* about *something you're interested in*

It won’t be flagged and looks super legit.

DO NOT CLICK! 🙏

This campaign is the work of #Lazarus / #APT38 / #DangerousPassword / #T444

aka the same crew that compromised Ronin, Harmony, bZx, Bondly, EasyFi, mngr, Arthur0x, Hugh Karp, etc. etc. etc.

Their spear-phishing methods are diverse, targeted, and hard-to-detect.
Apr 18, 2023 23 tweets 6 min read
For the past 48hrs I've been unwinding a massive wallet draining operation 😳😭

I don't know how big it is but since Dec 2022 it's drained 5000+ ETH and ??? in tokens / NFTs / coins across 11+ chains.

It's rekt my friends & OGs who are reasonably secure.

No one knows how.

Specifically we are in contact with a handful of victims from July and August who each individually lost between $400k and $4m.

In fact, the amount stolen per victim seems to be increasing over time.

Where the average amt stolen per victim was ~$50k in April, it's now $300k+
Apr 14, 2023 17 tweets 6 min read
hey anyone know who's onboarding the most people to web3 right now?

like taking people who have never done crypto stuff before and getting them to set up an account on a CEX, buy some crypto w/ their fiat, send the coins to their own wallet, and then interact with a dapp?

🤔 "bear market" Image
Apr 5, 2023 6 tweets 3 min read
👀 @sentimentxyz

arbiscan.io/tx/0xb91e4cd53…

gm sentiment exploiter
Apr 4, 2023 6 tweets 2 min read
Before I forget, I want to share some things I observed here w/ the hopes it helps other teams facing an exploit in the future.

IMHO, the single most valuable thing the Euler team did was fully *own* the responsibility of getting the funds returned. And they never gave up. They talked to—and *listened* to—people who had done it before. They got help. They worked with the FBI and their legal counsel. They leaned on everyone for *support.*

But their attitude was that no one else was going to get the funds returned so they better get them returned.
Mar 31, 2023 37 tweets 20 min read
The selling of this bitcoin is, by far, the least interesting part of the saga.

The govt's seizure, the dude who had his bitcoin seized, and why it even got seized in the first place is full of so many amazing, hysterical, enraging gems.

Heads up...not a short story. Buckle up. To set the stage, dude w/ the bitcoin is a super OG bitcoiner living in Gainesville, Georgia.

In Sept 2012 he executed a very basic "hack" on the Silk Road and withdrew the coins.

Not a bad dude. Not a huge hack either. Way less than a mil at the time.

justice.gov/usao-sdny/pr/u…
Mar 23, 2023 13 tweets 6 min read
🚨 If you're using Cloudflare for your web3 product, stop what you're doing right now.

You NEED to:

1. Rotate the Global API Key for all your accounts

2. Remove all accounts added to your Cloudflare unless you rotated their Global API Key in step 1

developers.cloudflare.com/fundamentals/a…

I know this sounds dramatic, but it's really not. Please do this. 🙏

The Global API Keys are deadly.

They will rekt you even after you've rotated tokens, changed passwords, or revoked employee access in your offboarding.

They will rekt you even if you're sure they can't rekt you
Mar 13, 2023 5 tweets 2 min read
Looked at the timing and transactions around the Euler Finance exploit.

The onchain movements before, during, and after the exploit txns line up with the story told by 0x5F25

There's def 2 diff actors at play and only one of them has control of any funds.

etherscan.io/tx/0x44b559c86…

Euler Exploiter EOA 1 + 2, Contract 2
(pink, red, the one who has the $)

0xb2698c2d99ad2c302a95a8db26b08d17a77cedd4
0x036cec1a199234fc02f72d29e596a09440825f1c
0xb66cd966670d962c227b3eaba30a872dbfb995db
0xc66dfa84bc1b93df194bd964a41282da65d73c9a
Feb 8, 2023 20 tweets 4 min read
There are a few things that have always stood out to me about these cases:

1. It requires meeting in person

2. It requires them to send a txn / new wallet

I've seen all phones, computers, Exodus, Trust Wallet, Blockchain.

I really really don't think it's malware. The scam has been going on for years. Most recently we've seen Rome. Also seen in Antwerp, Brussels, Amsterdam, and Barcelona. The earliest cases I'm aware of are from 2020.
Jan 30, 2023 81 tweets 18 min read
hey CT I genuinely need your help

I'm trying to compile a buttload of cases where people shared (publicly) their story of how they got rekt by their wallet. key theft, phishing, approval scams, scam scams, etc

if you know of one (or five), I'd love if you could link them here. 💖

Here are examples of the types of stuff I'm looking for.

Jan 5, 2023 25 tweets 15 min read
so uhhh I don't wanna alarm anyone but I think we're all fucked

or maybe it's just those who use
circleci
slack
okta
auth0
lastpass
travisci
heroku
oauth
github
npm
twilio
authy
signal
cloudflare
mailchimp
digital ocean
or anything that hasn't realized it's been breached yet

🤷‍♀️😬🧵

CircleCI
December 21 2022 - January 4 2023

"we are confident that there are no unauthorized actors active in our systems"

circleci.com/blog/january-4…
Jan 4, 2023 6 tweets 3 min read
the newest iteration of the twitter scam bots are pretty cute. they're all under 30 "y.o." + have lil nft pfps + face emojis in their names + are fans of activities that have a verb emoji + retweet old shit thousands of times but never a single old tweet more than 5 times/day

please someone violently murder them and their stupid inspirational quotes too