
Threat Hunting in Web3, with Blockmage Labs - May 6th, 2023

Quick preface

If you aren’t familiar with us or haven’t heard about us before, Blockmage Labs is an organization providing superior Threat Intelligence & Brand Protection services to premier projects, businesses, and communities across Web3. Our work is largely unpublished, but perhaps we will change that detail starting here.

Intent & purpose of this writeup

Wholly for the purposes of documenting findings in a historical, on-chain fashion; and for that matter, we are working on something a bit ...
A Twitter thread posted by @tayvano_ on April 18th, 2023, detailed a novel and sophisticated hacking operation of unknown origin, which has been siphoning wallets of crypto-assets across various networks. The hackers’ origin, the full scope of the affected addresses, and the attack vectors are still unknown.
Since then, and for months before, members of the global crypto-asset community have worked tirelessly to contact identified victims and determine the root cause.
Many of the volunteers have opted to remain anonymous, but have experience in the blockchain development, forensics, and security fields from working at Bidali, Blockmage, ChainSafe, CipherBlade, ConsenSys, Convex Labs, Everlasting, Gray Wolf Analytics, Paradigm, Status and more.
In light of the sensitive and widespread nature of this incident, Blockmage has offered to serve as the legal umbrella for this decentralized network of global volunteers. They will utilize their resources to be the primary point for information collection and dissemination.
The details of the ongoing investigation are outlined in the original Twitter thread by @tayvano_ but here is a brief recap:
Identification of over 100 compromised addresses, with more being discovered.
Uncertainty about how the wallets were compromised or who the threat actors are.
Unknown whether a single group is responsible or if multiple groups are using different attack vectors.
Two victims have had forensic scans performed on their devices, revealing no clues. Others have run malware scans with results that do not point towards a common threat.
Most victims are very experienced in crypto and cybersecurity best practices with above-average security hygiene.
The method of compromise seems to involve seed (recovery) phrases and/or private keys, as supported by multiple assets across multiple networks being stolen, including non-EVM.
No major exchanges, custodians or smart contracts appear to have been affected. All stolen assets were held self-custodied so far.
Compromised addresses range in age and activity. Wallet age ranges from as far back as 2014 to as recent as late 2022. Some wallets were very recently very active, some have been dormant for years with little transaction history.
On-chain theft activity matching the patterns began as early as August 2022, but we are still investigating & tracing these transactions, so it could go back further.
For smaller amounts of stolen crypto-assets, attackers have been reusing another victim’s compromised addresses to attempt to obfuscate the flow of funds.
Stolen assets are swapped on-chain, commonly using FixedFloat, SimpleSwap, SideShift, ChangeNOW, and LetsExchange. We’ve already been in contact with some of these service providers.
The final destination appears to always be Bitcoin, which is then taken to Wasabi Wallet and other coin-join mixers to try to obfuscate the flow of funds.
On March 1st, 2023 LastPass officially acknowledged the severity of two security incidents that occurred between August and November 2022 that resulted in a significant theft of source code and customer data. This is a leading hypothesis but could be a coincidence as LastPass was very popular.
There have been numerous security updates to fix zero-day exploits in all major browsers, and mobile and desktop operating systems since August 2022, and there has been a notable increase in frequency of security updates since then. This information is contributing toward a potential hypothesis.
On March 6th, 2023 Kudelski Security published an article outlining a methodology where they were able to successfully obtain multiple private signing keys from ECDSA signatures for the Bitcoin network, Ethereum network and TLS. We don’t have enough evidence to support this theory and it is very low probability. They even state: “We couldn’t find any real-world case of recurrence nonces in the Ethereum dataset.”
On April 23rd, 2023 the Trust Wallet team published a post-mortem about a browser extension WASM vulnerability that affected victims over a similar time period. We don’t have any evidence to suggest these incidents are related at this time. They independently confirmed the same.
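One defender-side way to test (or rule out) the nonce-reuse hypothesis mentioned above against a victim's transaction history is to look for repeated ECDSA r values, since r depends only on the nonce k. This is an added example, not code from Blockmage or Kudelski Security; the signatures, addresses and transaction ids in it are constructed, and it reports both the same-signer case (which exposes the key) and the cross-signer case (which points at a shared or weak RNG).

```python
"""Flag ECDSA nonce reuse in a batch of signatures.

Added example, not part of the original post. On secp256k1 the r component
is the x-coordinate of k*G, so two signatures with equal r were made with the
same nonce k. Under one signer that makes the private key recoverable from
the two (r, s) pairs; under different signers it does not leak a key but
shows that two parties drew the same "random" k, i.e. a shared or weak RNG.
Only r is needed for the check, so s is carried but not used.
"""
from collections import defaultdict

# Constructed sample data (not real chain data): (tx_id, signer, r, s) with
# r and s as hex strings, as an explorer or RPC node would return them.
SAMPLE_SIGNATURES = [
    ("tx-01", "0xAAAA", "0x1111", "0x0a01"),
    ("tx-02", "0xAAAA", "0x2222", "0x0a02"),
    ("tx-03", "0xaaaa", "0x001111", "0x0a03"),  # same signer, same r
    ("tx-04", "0xBBBB", "0x3333", "0x0b01"),
    ("tx-05", "0xCCCC", "0x3333", "0x0c01"),  # two signers, same r
    ("tx-06", "0xDDDD", "0x4444", "0x0d01"),
]


def _norm(value):
    """Normalise a hex field so '0x01AB', '0x1ab' and '1ab' compare equal."""
    v = value.lower()
    if v.startswith("0x"):
        v = v[2:]
    return v.lstrip("0") or "0"


def find_nonce_reuse(signatures):
    """Return {'same_signer': [...], 'cross_signer': [...]}.

    same_signer:  (signer, r, [tx_ids]) where one signer reused r.
    cross_signer: (r, {signer: [tx_ids]}) where r appears under 2+ signers.
    """
    by_signer_r = defaultdict(list)                 # (signer, r) -> tx ids
    by_r = defaultdict(lambda: defaultdict(list))   # r -> signer -> tx ids
    for tx_id, signer, r, _s in signatures:
        signer, r = signer.lower(), _norm(r)
        by_signer_r[(signer, r)].append(tx_id)
        by_r[r][signer].append(tx_id)

    same_signer = [(signer, r, txs)
                   for (signer, r), txs in by_signer_r.items() if len(txs) > 1]
    cross_signer = [(r, dict(signers))
                    for r, signers in by_r.items() if len(signers) > 1]
    return {"same_signer": same_signer, "cross_signer": cross_signer}


if __name__ == "__main__":
    report = find_nonce_reuse(SAMPLE_SIGNATURES)
    for signer, r, txs in report["same_signer"]:
        print(f"KEY AT RISK: {signer} reused r={r} in {txs}")
    for r, signers in report["cross_signer"]:
        print(f"SHARED NONCE: r={r} used by {sorted(signers)}")
```

An empty result over a victim's full signature history is the evidence needed to set this hypothesis aside for that victim, which is what the Kudelski quote reports for the Ethereum dataset as a whole.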
We need more information from victims in order to narrow down the root cause!
If you fall into one or more of the following scenarios below please fill out the secure victim intake form found at: https://intake.blockmage.org
You have been a victim of the recent LastPass security incident; and
You have had crypto-assets stolen from your own wallet unexpectedly within the last year, seemingly through no fault of your own; and/or
Your address is one of the identified ones in this tweet or this tweet (search Twitter for your addresses; the addresses provided in these links will be copied below).
You can complete the form pseudo-anonymously. All fields in the form are optional. Please read the full disclaimer in its entirety, as the form is quite comprehensive. We are treating this information with the utmost confidentiality.
For victims, if necessary, we will contact you directly. Messages will be signed with the PGP key with the following fingerprint, found here in full:
53783AD54B35D8188E76889A6701DFE88BE8B569
You can verify this on Twitter through this tweet.
If you have any intel or information you feel may be helpful in investigating this particular attack, you may also email us securely at this email address:
Do not panic! If you have your assets stored with a reputable crypto-asset exchange, a qualified and supervised crypto-asset custodian, or your assets are held self-custodial using a prominent mobile or hardware wallet then you are less likely to be at risk. Still, we highly recommend you follow the steps below to ensure your security.
As of this time, we don’t know the root cause of the crypto-asset losses so we cannot say for certain that you have zero risk unless you move your assets to a cold storage, offline-only wallet. If you are feeling uncomfortable, you can very carefully move your crypto-assets by following the steps below.
Generate a new seed (recovery) phrase, private signing key and public key (address) using one of the following options:
a reputable hardware wallet such as a Ledger or Trezor;
a reputable mobile wallet that uses a strong random number generator; or for more advanced users:
a clean, minimal, air-gapped computer; or
a multi-signature setup such as a Gnosis Safe, or another multi-signature solution such as Argent.
Very carefully transfer your assets from the old wallet to the address of your new wallet.
Be sure to double-check the address you are sending to in its entirety (not just the first or last characters) when you send assets.
Perform a test transaction for each asset where possible, by sending an initial small amount to ensure it was received correctly by your new wallet.
Keep your new seed phrase and private key in a secure location. If being stored on a digital device, ideally it should be encrypted with a strong password (20+ characters). Alternatively (and recommended) you can store it offline entirely.
If you use a password manager to secure your seed phrase or private key, change your master password.
All this is merely good security hygiene, so these steps should not be cause for alarm nor should they be interpreted as an indicator of a particular attack vector at this time. If anything, should you find the above recommendations surprising, then it may be worth introspecting your own security practices. It’s unfortunately common for many users, even those who may be more advanced than most, to overlook these practices.
Blockmage is a stealth startup that has been building novel tools for blockchain forensics and analytics. Our team has extensive experience in this area and already has the appropriate contacts and jurisdictional basis to assist with pursuing asset recovery and criminal prosecution, should that be the appropriate course of action.
If you are not already aware of us, rest assured, we intend to be much more apparent in our presence - and especially so, regarding any of the matters above.
Twitter: @BlockMageSec
Telegram Channel: @blockmagelabs
Telegram Direct: @blockmagesec
Discord: discord.gg/blockmage (inactive, but will be active soon!)
Website (live): blockmage.dev
Other domains we own & may occasionally use are as follows:
blockmage.co (namely, used for email)
blockmage.org (soon-to-be primary website)
blockmagelabs.org
blockmagelabs.com
blockmage.tech
If you were a LastPass user at any time prior to April 1st, 2023, and if you have not already done so, you need to change ALL your passwords and move your crypto-assets to a new wallet with a new seed phrase and private key IMMEDIATELY. You should be vigilant in watching for identity theft attempts, and contact important service providers, financial institutions and credit rating agencies to notify them of the situation.
Run a virus and malware scan on all your devices. Malwarebytes is a good tool for this task, but whatever you choose, please be certain you verify its legitimacy.
Ensure you download and install any official security updates and patches for all your devices and web browsers ASAP. (Note: You should ALWAYS do this!!)
Be vigilant with any suspicious messages or emails. Do not click on any unexpected links, documents or attachments!