SlowMist Weekly Security Report August 28th to September 3rd

SlowMist
Sep 4, 2023


Weekly Update: Approximately $830,000 Lost in Web3 Security Incidents

Overview

According to statistics from SlowMist’s Blockchain Hacking Archive (https://hacked.slowmist.io), from August 28 to September 3, 2023, there were a total of 7 security incidents, resulting in an estimated loss of approximately $830,000.

Specific Incidents

Ivan Bianco

On August 29, 2023, Ivan Bianco, a Brazilian YouTube user, accidentally leaked the mnemonic phrase for his cryptocurrency wallet during a live stream on his Fraternidade Crypto channel. This led to the theft of cryptocurrencies and a batch of NFTs worth nearly $60,000. The account has approximately 34,000 subscribers on YouTube. During the live stream, Bianco opened a file containing his mnemonic phrase, which allowed an unidentified individual to gain control of his wallet and steal the funds. After the loss, Bianco filed a police report. He also stated that following the theft, an unidentified man contacted him on Discord. This anonymous individual claimed to be the thief, expressed regret for his actions, and then abruptly ended the call. After the conversation, the wallet that had been used to steal most of the assets returned cryptocurrencies worth about $50,000 to Bianco.

Starkware

On August 30, 2023, it was reported that Starkware, an Ethereum Layer 2 scaling solution, had repeatedly warned its users over the past few months that if they did not take action before an upcoming upgrade, they would lose access to their funds. Despite these warnings, some users apparently did not see the notices, which led to many being locked out of their Starkware accounts and losing access to their funds. The total value of the affected accounts is estimated to be $550,000. Due to community pressure, Starkware has since re-enabled the wallet upgrade functionality.

BabyShia

On August 31, 2023, the BabyShia project executed a “rug pull” scam. The deployer (address 0xCbcd8) managed to profit 133 ETH, equivalent to approximately $226,000. According to MistTrack analysis, the attacker’s initial funding came from a 0.69 ETH transfer via ChangeNow. The attacker continuously swapped between BABYSHIA and ETH, ultimately transferring the ETH to multiple platforms such as SimpleSwap, FixedFloat, and Binance.

Lamas Finance

On September 1, 2023, Lamas Finance’s Discord channel was attacked. The phishing website involved was lamas[.]co/airdrop.

Balthazar

On September 2, 2023, Balthazar announced that their Discord channel had been compromised. They advised users not to click on any links, or approve or execute any transactions.

CoredeFinance

On September 2, 2023, the CoredeFinance project executed a “rug pull” scam. The externally owned account (EOA) with the address 0x185…fce managed to profit 27 ETH, equivalent to approximately $43,900.

Other

BitBrowser

On August 26, 2023, there were suspicions of a leak involving the private keys of BitBrowser users, with multiple members of the crypto community reporting stolen private keys. Based on community feedback, we have collected some of the hacker’s addresses, and our preliminary assessment indicates that this incident has resulted in losses amounting to at least $520,000.

As of now, we have the following findings:

1. The attacker used FixedFloat, Binance, ChangeNOW, Socket, and Railgun multiple times during the money laundering process.

2. The IP address 147.*.*.198 was identified, suspected to be using a VPN, and shows tendencies of using Hebrew language settings.

3. 83 AVAX (Avalanche tokens) have been frozen.

4. Approximately 307.48 ETH (roughly $502,403) has been transferred to the mixing service eXch, accounting for about 87% of the total stolen funds.

We will continue to monitor the movement of funds and collect clues related to the hackers. If you have relevant information, please feel free to contact us with your feedback.

Summary

Compared to the multi-million dollar losses in previous weeks, this week has seen a significant reduction. However, the number of Discord-related security incidents has continued to increase. Attackers generally prepare a phishing website that closely resembles the official one before the attack. They lure project administrators into clicking virus-infected links or malicious bookmarks in order to steal the administrators’ Discord authentication tokens, and with those tokens they gain administrative rights to the project’s Discord server. After securing administrative access, the attacker typically mutes all channels and adds their own Discord bot to the server. They then disseminate phishing links within the channels, using words like “claim,” “airdrop,” “mint,” and “reward” to bait users into clicking. The attackers may also conduct phishing through private messages while impersonating administrators.

Users should enable privacy settings to disable private chats from server members upon joining a Discord server. It is also advisable to add notes to Discord bots that have been verified through multiple layers of official authentication. This helps in identifying fraudulent bots when they publish phishing content. Project teams must pay close attention to community feedback, promptly remove malicious accounts from community Discord servers, and provide anti-phishing safety education to users as soon as they join the Discord server.
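The bait-word and lookalike-link pattern described above can be turned into a simple moderation check. The following is an added example, not code from SlowMist or any of the projects named in this report: it scores Discord messages on links to domains outside an allowlist, on whether such a domain imitates an official one, and on the bait words quoted in the summary. The allowlist entry lamas.example is a placeholder for a project's real domain (an assumption), the score threshold is an assumption, and the sample messages are constructed; the phishing domain is the defanged lamas[.]co/airdrop reported above, which the scanner refangs before parsing.

```python
import re
from dataclasses import dataclass, field
from difflib import SequenceMatcher

# Bait words quoted in the report's summary; the trailing "s?" catches plurals.
BAIT_RE = re.compile(r"\b(claim|airdrop|mint|reward)s?\b", re.IGNORECASE)
# Bare or schemed URL: a host with at least one dot and a 2+ letter TLD, optional path.
URL_RE = re.compile(
    r"(?:https?://)?\b([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})(/\S*)?", re.IGNORECASE
)
# Placeholder for the project's real domain (assumption, not taken from the report).
OFFICIAL_DOMAINS = {"lamas.example"}


@dataclass
class Verdict:
    author: str
    score: int
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Threshold is an assumption: a single bait word alone is normal chatter,
        # while any off-allowlist link plus bait crosses it.
        return self.score >= 3


def refang(text: str) -> str:
    """Turn report-style defanged URLs (lamas[.]co, hxxp://) back into parseable form."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def brand_label(domain: str) -> str:
    """Second-level label, e.g. 'lamas' for both lamas.co and lamas.example."""
    return domain.lower().split(".")[-2]


def looks_like_official(domain: str, official: set) -> bool:
    """True when the brand label matches or nearly matches an official domain's label."""
    return any(
        SequenceMatcher(None, brand_label(domain), brand_label(o)).ratio() >= 0.8
        for o in official
    )


def score_message(author: str, text: str, official=OFFICIAL_DOMAINS) -> Verdict:
    """Score one message: +2 per off-allowlist link, +2 more if it imitates the brand,
    +1 per distinct bait word."""
    v = Verdict(author=author, score=0)
    clean = refang(text)
    for m in URL_RE.finditer(clean):
        domain = m.group(1).lower()
        if domain in official:
            continue
        v.score += 2
        v.reasons.append(f"link to non-official domain {domain}")
        if looks_like_official(domain, official):
            v.score += 2
            v.reasons.append(f"{domain} imitates an official domain")
    baits = {b.lower() for b in BAIT_RE.findall(clean)}
    v.score += len(baits)
    if baits:
        v.reasons.append("bait words: " + ", ".join(sorted(baits)))
    return v


def scan(messages, official=OFFICIAL_DOMAINS):
    """Score a list of (author, text) pairs, e.g. pulled from a channel's history."""
    return [score_message(a, t, official) for a, t in messages]


# Constructed sample messages, modelled on the pattern described in the report.
SAMPLE_MESSAGES = [
    ("Lamas-Announcer", "@everyone Claim your airdrop now: lamas[.]co/airdrop - limited rewards!"),
    ("mod_alice", "Reminder: this week's update is at https://lamas.example/blog/weekly"),
    ("user_bob", "Is the reward program still live?"),
]

if __name__ == "__main__":
    for v in scan(SAMPLE_MESSAGES):
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{flag:10} score={v.score} author={v.author} {'; '.join(v.reasons)}")
```

A real deployment would feed `scan` from the bot's message events and route flagged messages to moderators rather than auto-deleting them; the lookalike check is what separates the imitation domain from ordinary off-site links, and the threshold keeps a lone "reward" question from being flagged.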

About SlowMist

SlowMist is a blockchain security firm established in January 2018. The firm was founded by a team with over ten years of network security experience and has grown into a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, Cheers UP, etc.

SlowMist offers a variety of services that include but are not limited to security audits, threat intelligence, defense deployment, security consulting, and other security-related services. We also offer AML (anti-money laundering) software, Vulpush (vulnerability monitoring), SlowMist Hacked (crypto hack archives), FireWall.x (smart contract firewall), Safe Staking, and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.

Website:
https://www.slowmist.com
Twitter:
https://twitter.com/SlowMist_Team
Github:
https://github.com/slowmist/
