According to data from the PeckShield situational awareness platform, a total of 23 prominent security incidents occurred across the blockchain ecosystem in the past month. The degree of damage is rated "Intermediate", and the damage amounts to hundreds of millions of yuan. The incidents include 2 DeFi incidents, 6 exchange incidents, 1 public chain incident, 3 extortion-related incidents, 8 fraud-related incidents, etc.
There were 2 DeFi security incidents in May, as follows:
1) On May 7th, a serious front-end error occurred in the Loopring protocol. The key material was confined to a 32-bit integer range: because each user's EdDSA key pair was effectively limited to a 32-bit integer space, hackers could find all users' EdDSA key pairs through exhaustive search. As a result, Loopring Exchange was shut down for half a day for maintenance and upgrades.
2) On May 18th, the tBTC team, suspecting that it had discovered a major contract vulnerability, temporarily suspended the deposit service for re-examination. tBTC is a trustless ERC-20 token secured by redeemable BTC. The project's mainnet was launched on May 15th.
PeckShield Comments: As the functions of DeFi projects become more and more diverse, hidden security issues are gradually being exposed. Given their close connection with user assets, the security issues of DeFi projects are very serious. PeckShield suggests that before a DeFi project goes online, it should engage a team with in-depth knowledge of DeFi product design to perform a complete security audit and avoid potential security risks.
A total of 6 exchange-related security incidents occurred in May:
1) According to official sources from Youbi Exchange, after Youbi opened its platform currency subscription on May 6th, it suffered a high-traffic DDoS attack for 3 consecutive days, leaving the server inaccessible for short periods.
2) On May 1st, Binxing Exchange officially issued an announcement stating that its website bitsg and its app had been under continuous DDoS attacks, resulting in users being unable to log in normally during certain periods.
3) On May 27th, the LMEX Stock Exchange's community issued a notice on the adjustment of exchange operations, stating that the platform had been hacked and lost 150,000 USDT, which left the platform unable to cover its debts. Deposits and withdrawals have been closed.
4) Recently, some media reported that the Zhengzhou office of Fubit Exchange had been vacated. After being questioned by investors, Fubit officially issued an announcement saying that it was insolvent and introduced a settlement plan.
5) At the end of last year, 34,000 ETH was stolen from the Upbit exchange. Over the past six months, the hackers have laundered the stolen assets through multiple channels. Recently, the laundering has been basically completed.
6) The UEX Exchange officially issued a notice stating that the platform was hacked and that it would take about 5 days to repair and verify the data. During the database repair period, the platform will close deposits, withdrawals and internal transfers.
PeckShield Comments: In response to the endless stream of exchange security incidents, exchanges should use a more secure defense system. For attacks such as DDoS, an exchange can configure multiple backup machines to avoid the risk of a single point of failure. In addition, it cannot be ruled out that some small exchanges “run away” in the name of being attacked.
Public chain security
In May, a serious public chain security problem broke out:
1) Technicians at the pomegranate mining pool discovered a serious loophole in the Filecoin code through which unlimited issuance of Filecoin could be achieved. The pomegranate mining pool stated that, in order to prove the validity of the vulnerability, 6Block's three miner accounts t01043, t027999, and t0234783 issued 1.6 billion Filecoin through the vulnerability, occupying the top three places on the Filecoin rich list. The 6Block team independently discovered the vulnerability and reported it to Filecoin officials, and is currently actively assisting them in completing the fix.
PeckShield Comments: Once a vulnerability in a public chain is discovered, it has a great impact on the entire chain ecosystem. Therefore, a public chain must carry out security testing and vulnerability investigation before the official version is launched, and seek audits from third-party security companies, to keep vulnerabilities from threatening the public chain ecosystem.
There were also 3 typical extortion incidents in May, such as:
1) According to a report from the Russian media outlet RBC, anonymous hackers obtained the data of more than 129 million Russian car owners and exposed it on the "dark web" to blackmail them for cryptocurrency.
2) According to reports, Grubman Shire Meiselas & Sacks was attacked by REvil ransomware (also known as Sodinokibi), and the attackers threatened to release up to 756 GB of stolen data in 9 batches. The stolen data includes confidentiality contracts, phone numbers, email addresses, personal communications, confidentiality agreements, etc.
3) The network security company Group-IB issued a warning that a new type of ransomware, ProLock, has appeared in recent months, relying on the Qakbot banking Trojan to launch attacks. The victims include local government, financial, medical and retail institutions. Group-IB stated that the ransomware attack demanded a total ransom of 35 bitcoins, which is currently worth $337,750.
PeckShield Comments: Extortion incidents have always been a major hidden danger affecting the entire Internet ecosystem, not only the blockchain ecosystem. Moreover, as cryptocurrencies have gradually become popular, criminals often exploit the better anonymity of cryptocurrencies such as Bitcoin for extortion and fraud.
In addition to the above, a number of fraud and "runaway" incidents occurred in May that are worthy of vigilance, such as:
1) The Dongyang City Procuratorate of Zhejiang Province filed a public prosecution in a digital currency fraud case. The fraud involved 380 million yuan and more than 3,000 victims. The fraud group used WeChat, QQ and other channels to win over customers, using the false claim that investing in digital currency yields high returns as bait, and induced customers to invest in the company's digital currency trading platform.
2) A scammer pretended to be Justin Sun, the founder of TRON, and tried to steal money from unsuspecting victims under the guise of a partnership with TRON.
3) Police in Maanshan City, Anhui Province arrested Rao, a telecommunications fraud suspect who had absconded to Dongxiang District. From 2019 to 2020, the suspect Rao cooperated with others to defraud victims of more than 7 million yuan by inducing them to invest in virtual currency on the overseas "SABCT investment platform".
4) Sun and others operated the "Super Wallet" app, enticing users to make deposits, and then shut down the platform to embezzle the virtual currency. Sun and others have been arrested by the Hanjiang Procuratorate of Putian City, Fujian Province according to law. This case is a new type of crime using virtual currency platforms for fraud, and is the first virtual currency fraud case in Hanjiang District.
5) Some scammers are using images of celebrities in live broadcasts on the YouTube platform while publishing Bitcoin addresses for fraud. Those discovered so far are Chamath Palihapitiya, founder and CEO of Social Capital, Brad Smith, president of Microsoft, and Lei Jun, founder of Xiaomi.
6) Recently, the Zibo police in Shandong Province uncovered an online platform investment fraud case supervised by the Ministry of Public Security. The scam group used the high interest rates supposedly obtained by investing in virtual currency as bait to defraud more than 300 people in more than 20 provinces across the country, and the amount involved was more than 30 million yuan.
7) In some fraudulent emails, the scammers impersonated members of the Olympic Organizing Committee and asked people to donate to a Bitcoin (BTC) crypto wallet "belonging to the International Olympic Committee".
8) CoinCorner reported that Google Ads ran ads for CoinCornerr.com, a phishing clone site that imitated CoinCorner.
PeckShield Comments: Taking advantage of users' lack of awareness, criminals often design low-investment, high-return Ponzi schemes and exploit people's profit-seeking psychology to set layer upon layer of traps. Scams built around high-interest-return funds, financial wallets and the like are not uncommon.
Other security incidents
1) Tencent Security Threat Intelligence Center has detected that the H2Miner Trojan uses a remote command execution vulnerability in SaltStack to compromise enterprise hosts for mining.
2) The security company Red Canary recently discovered that the hacker organization BlueMockingBird targeted thousands of corporate computers to illegally mine cryptocurrencies. It is reported that the hackers specifically targeted public-facing servers running ASP. After gaining access to a server, the hackers downloaded and installed the Monero mining application XMRig.
3) Multiple supercomputers across Europe, including in the United Kingdom, Germany, and Switzerland, have been infected by cryptocurrency mining malware this week and have been shut down to investigate the intrusion. According to reports, the attacker seems to have gained access to the supercomputer clusters by compromising SSH credentials. Once access is gained, the attacker uses the CVE-2019-15666 vulnerability and then deploys an application for mining Monero (XMR).
PeckShield Comments: Security risks caused by users' lack of security awareness and of standardized operating practices keep emerging in an endless stream. Incidents such as phishing attacks and fraud are typical. Users are reminded to keep all types of private information carefully guarded, as any small negligence may cause irreparable losses.