According to data from the PeckShield situational awareness platform, in the past month, the entire blockchain ecosystem has experienced a total of 29 prominent security incidents, with the degree of harm rated as "advanced", including 4 DeFi-related incidents, 3 wallet security incidents, 2 exchange-related incidents, 5 extortion-related incidents, and 15 fraud incidents.

DeFi Security

There were 4 DeFi-related security incidents in October, as follows:

1) On October 11, the Ethereum project WLEO contract was hacked, resulting in the theft of funds worth $42,000. The hacker stole Ethereum from the decentralized exchange Uniswap's pool by minting WLEO to himself and exchanging it for Ethereum.
2) On October 26, some users discovered that the DeFi mining project Harvest.finance had been subjected to huge arbitrage carried out through flash loans. Harvest officially tweeted that the arbitrage attack originated from a huge flash loan and that, through multiple manipulations of the Curve y Pool price, the attacker took advantage of the price difference between fUSDT and fUSDC to make a profit.
3) Alex Manuskin, a researcher at crypto wallet ZenGo, revealed that UniCats, a so-called "yield farming platform" based on the Ethereum network, was suspected of stealing at least $200,000 worth of crypto assets, including Uniswap's governance token UNI, from several users. A backdoor in the smart contract allowed UniCats to retain control of user tokens even if they had been withdrawn from the user pool. A similar vulnerability was used in previous attacks on Bancor.
4) yearn.finance (YFI) disclosed a new flash loan security vulnerability, which was reported by security researcher Wen-Ding Li through Yearn's security vulnerability disclosure process on October 29, and the team removed the vulnerability 1.5 hours later. According to the disclosure, flash loan attacks may pose a security risk to TUSD vault funds. The problem has been fixed and the TUSD vault has stopped deploying funds.

PeckShield Comment: As the functions of DeFi projects become more and more diverse, the hidden security issues are gradually exposed. Given its close connection with user assets, the security issues of DeFi projects are very serious. Since each project is developed by a different team, they have limited understanding of the design and implementation of their respective products. The integrated products are likely to have security issues in the process of interacting with third-party platforms, and thus be attacked from all sides. PeckShield recommends that before going online, DeFi project parties should try to find a team that has in-depth research on the product design of each link of DeFi to conduct a complete security audit to avoid potential security risks.

Digital wallet security

There were 3 wallet security incidents in October:

1) Hardware wallet manufacturer Ledger suffered a phishing attack. Some users received emails with phishing software, resulting in financial losses. The hacking attack may be related to the company's user data leak in July 2020.
2) A ZDNet investigation revealed that hackers stole $22 million from users of the Bitcoin wallet Electrum by tricking them into installing fake software updates. This method peaked in 2018. Since the attack was first discovered two years ago, the Electrum team has taken some measures to prevent it. But the attack still works for users using older versions of the application.
3) Recently, Alon Gal, chief technology officer of cybercrime intelligence company HudsonRock, tweeted that on October 27, the cold wallet of EtherCrash, which claims to be "Ethereum's most mature and largest gambling game," was stolen, resulting in a loss of approximately US$2.5 million, and it is suspected that it was done by an insider.

PeckShield Comment: As a tool for managing private keys, digital wallets are the closest place to encrypted assets.
Although cold wallets are offline wallets that are disconnected from the Internet, they are also at risk of being physically attacked and stolen. For hot wallets such as web wallets, users should also be wary of phishing, malicious code injection and other attacks.

Trading platform related

There were 2 security incidents related to trading platforms in October:

1) On October 16, OKEx issued a "Notice on Suspending Withdrawals" stating that some of the company's private key holders are cooperating with the public security authorities in the investigation and are currently out of contact, making it impossible to complete the authorization. Two sources close to OKEx said that the person who "cooperated with the public security authorities in the investigation" in the announcement was Xu Mingxing, the founder of OKEx. One of the sources also said that Xu Mingxing had been taken away by the police at least a week ago and had not appeared in the work group for many days.
2) imToken wallet users reported that 310,000 DAI had flowed out of accounts related to the DeFi Saver Exchange vulnerability. As early as June 20 this year, DeFiSaver Twitter reported the discovery of a vulnerability in the Exchange. In order to protect user funds, we conducted a white hack and transferred the affected funds (about $30,000) to a smart contract that can only be withdrawn by the original owner.

PeckShield Comment: After stealing assets, hackers will launder money. No matter how elaborate and complicated the process is, they will generally use trading platforms as part of the cash-out channel. This undoubtedly raises the requirements for KYC and KYT services of major digital asset trading platforms. Exchanges should strengthen the review of AML anti-money laundering and fund compliance. For more information, please visit www.coinholmes.com.

Ransomware

There were 5 ransomware-related security incidents in October:

1) Italian multinational energy giant Enel Group recently suffered a ransomware attack, and its computer network was infected with a Windows ransomware called NetWalker. It is reported that NetWalker hackers released screenshots of about 5 TB of stolen data and threatened to release the first batch of data within a week, forcing Enel Group to pay 1,234 bitcoins (about 16.8 million US dollars).
2) On October 28, confidential medical records of tens of thousands of patients receiving psychotherapy in Finland were hacked, and some of them were leaked online. Finnish police revealed that hackers had hacked into the records of Vastaamo, a private company that operates 25 treatment centers across Finland. Thousands of people have reportedly complained to the police about the matter. Many patients reported that they received emails asking for 200 euros in Bitcoin to prevent their discussions with therapists from being made public.
3) On October 14, the first Bitcoin ransomware developer in China, Ju Mou, was successfully captured by the Nantong police in Jiangsu Province. The local police in Nantong City, Jiangsu Province reported that the suspect, Ju Mou, as the creator of multiple Bitcoin ransomware, had successfully committed more than 100 crimes and illegally obtained Bitcoins worth more than 5 million yuan.
4) Recently, a ransomware attack hit the medical software company eResearch Technology (ERT), which provides tools for global pharmaceutical companies to conduct clinical trials (including COVID-19 vaccine trials), thus posing a potential impact on multiple COVID-19 research projects conducted by companies including Bristol-Myers Squibb, AstraZeneca, Pfizer and Johnson & Johnson.
5) Leaders of the Group of Seven (G7) warned on Tuesday about a global surge in ransomware attacks, saying the hacking technique poses a threat to critical infrastructure of the world's major economies.
Ransomware infiltrates and encrypts computer networks, then demands that victims pay a ransom to unlock their files. "The fact that criminals often demand ransoms in virtual assets is particularly worrying," the G7 statement warned. EU leaders said "virtual assets" are a way for hackers to launder money. The statement called on more countries to implement the Financial Action Task Force (FATF)'s virtual asset protection measures.

PeckShield Comment: Ransomware security incidents have always been a major hidden danger affecting the entire Internet ecosystem, not limited to the blockchain ecosystem. Moreover, after the gradual popularization of cryptocurrencies in the blockchain field, criminals often use the good anonymity of cryptocurrencies such as Bitcoin to conduct ransomware fraud.

Other fraud incidents

In addition to the above, there were a number of fraud cases in October that deserve attention, such as:

1) A Kusunose user posted on a Google forum that he lost $15,000 to a crypto scam he found in a Google ad. The suspicious website, called Coindaq.io, allegedly attempted to take advantage of China's digital yuan, which is being researched, claiming that users could deposit funds on the platform to participate in the sale of digital yuan. The victim expressed the hope that Google could investigate the matter and set up a webpage targeting the suspected scam.
2) The Guangzhou Public Security Bureau officially released a document stating that on October 3, Ms. Pan, a citizen, reported to the Yunpu Police Station, saying that she had met an "online user" in September, and was later induced by the other party to download a fake APP in the name of investing in digital currency. She invested a total of 2.32 million yuan, which is currently unavailable for withdrawal. Huangpu Public Security urgently reminded people to look at digital currency rationally, and report to the police immediately if they have any questions or find that they have been deceived.
3) Recently, Lin, a resident of Furong District, Changsha, reported to the police that he was defrauded of more than 3.2 million yuan by investing in digital currency. It is reported that Lin downloaded an app called "AOC" through a URL link sent by a "teacher" in a WeChat group and registered an account. Lin transferred a total of more than 3.2739 million yuan to 13 different bank accounts provided by the other party in 25 transfers. A few days later, the digital currency he had purchased, as shown in the app, plummeted by 80%. When Lin reported to the police, the app could no longer be logged in to, and the "teacher" WeChat account had been blocked and could not be contacted. The case is currently under investigation.
4) Recently, a user suffered a phishing attack when visiting the Curve exchange website and lost 20 bitcoins. It is reported that the fraud gang used the Google advertising system to purchase Google search ads and disguised themselves as the Curve exchange to place fraudulent ads. Due to Google's new advertising plan, ads are usually displayed at the top of the search, so many users have been deceived. Dimensionality Reduction Security Lab recommends that users remain vigilant, carefully identify the source of information, and carefully identify the domain name to avoid asset losses.
5) On October 12, Marius, a developer of Ethereum client Geth, tweeted that there was an email phishing attempt in the Ethereum development community, specifically a website called get-eth.com, which claimed that the latest Ethereum Geth client could be downloaded there. The download address of the geth client is geth.ethereum.org, or it can be downloaded directly from GitHub.
6) Cryptocurrency data company Coingecko announced on Twitter that it had suffered a DDoS attack and temporarily strengthened security measures. Coingecko is currently closely monitoring the situation. Officials are working hard to repair it and hope to resume operations quickly.
7) The Xuzhou Public Security Bureau recently successfully cracked a "CDBC digital currency" major national asset unfreezing fraud case, arrested 16 suspects, seized more than 60 computers, mobile phones, and bank cards, and froze more than 1.5 million yuan of funds involved in the case, achieving the highest number of arrests in the province in such cases. It is reported that this gang claimed that "CDBC digital currency" is the first batch of digital currency issued by the central bank, 100 yuan per order, and each person is limited to 7 orders, which will increase 100 times or 1,000 times in the future. At present, all 16 suspects have been transferred to the procuratorate for prosecution.
8) Recently, the Huanghua police in Hebei Province successfully cracked down on a cross-provincial telecommunications fraud gang and arrested three suspects. The amount involved was more than 1.2 million yuan. It is reported that the criminal gang used an investment APP to use virtual currency to buy and sell electronic pets to commit fraud.
9) P2P Bitcoin market Paxful successfully fended off a series of serious threats in two months, including 220,000 web bot attacks and various social engineering tactics. Paxful said that attackers tried to use automated bots to brute-force their way into the accounts of users of the project. Paxful said that, reportedly, about a quarter of the world's network traffic is generated by bots, which are actually some programs that simulate the actions of real devices.
10) According to an indictment released by U.S. prosecutors on Monday, Russian state cyber hackers used Bitcoin to cover up their links to key hacking "infrastructure" such as servers and domain names. The lawsuit mentions six members of the Russian state hacking team, who are suspected of attacking thousands of victims of companies, the military, the government and the 2018 Winter Olympics through Russian military unit 7445.
Prosecutors also claim that they are responsible for the disastrous "NotPetya" malware attack in 2017, which caused billions of dollars in losses.
11) Pudong police recently successfully destroyed a virtual currency investment fraud den and arrested 22 suspects. The case involved an amount of 7.9 million yuan. It is reported that the "HASTE" virtual currency trading platform involved was developed and maintained by the technical staff of a technology company founded by the suspect Wu, and the use rights were sold to overseas personnel. The platform can directly change the virtual currency quota of users on the platform at will, and simulate the virtual currency exchange rate trend through the trading "robot".
12) Recently, some third parties that are not related to AAX or authorized by AAX have attempted to impersonate AAX customer service through email, WeChat, and Telegram, and spread false associations impersonating AAX online in an attempt to conduct fraudulent activities.
13) Sources from the Spanish National Police said that Arbistar 2.0 CEO Santiago Fuentes was finally arrested and detained by police in the Tenerife region of southern Spain on October 22. Fuentes was accused of defrauding nearly 32,000 investors in a Bitcoin Ponzi scheme worth nearly 850 million euros (about 1 billion US dollars).
14) Russian state cyber hackers used Bitcoin to mask their links to key hacking "infrastructure" such as servers and domain names, according to an indictment released by U.S. prosecutors on Monday. The lawsuit names six members of the Russian state hacking team, who allegedly carried out attacks on thousands of victims of companies, the military, political movements, governments and the 2018 Winter Olympics through Russian military unit 7445.
15) Yearn.Finance: A doppelganger scam emerged to trick visitors into sharing the private keys of their cryptocurrency wallets.
The scam site managed to copy almost every aspect of the original yearn.finance website, including its design, website copy, and even domain name.

PeckShield Comments: Various security risks caused by lack of user security awareness and lack of operational norms have been emerging one after another; phishing attacks, fraud and other incidents are typical. Here we remind users to carefully keep all kinds of private information, as any small negligence may cause irreparable losses.