🚨 MASSIVE $32M RUG PULLS OPERATION UNVEILED 🔒
We are sharing an investigation conducted by our team, which resulted in:
- More than 1.300 different token rug pulls
- More than $32M stolen
- More than 42.000 victims
- Novel techniques used to avoid being detected
A thread 🧵 ...
⚠️Important: #Sushiswap has been hacked 🍣
If you were interacting with the $SUSHI protocol, you *must* REVOKE access on #Metamask immediately. How to check and revoke - follow our guide in the first comment.
🚨0day & zero-click potential exploits on Telegram and iMessage 🚨
Last week, an exploit for Telegram was published that allowed RCE (Remote Code Execution) on the attacked device simply by sending it a message with a malicious attachment. It is called a zero-click attack because
Another day, another scam.
This time the scammer targeted the @EthereumDenver website. Blockfence is here to protect you and fight scammers together: The scam contract was marked as "High Risk" by our ML algorithm and our partners at @GoplusSecurity
🚨Phishing Alert🚨
Phishing campaign targeting Starknet users, announcing a fake airdrop and linking to a malicious website to claim rewards.
- Malicious URL: strklabs .net
Attacker uses beehiiv newsletter service, so emails arrive directly in the inbox bypassing filters.
🚨Phishing alert🚨
There's an ongoing phishing campaign impersonating Uniswap, alerting about a critical security update and inviting the user to revoke approvals in a malicious website that drains users' assets (revokuni . net).
This campaign bypasses spam filters. Do not
🚨 APPLE URGENT UPDATE:
Apple has released updates for macOS, iOS, iPadOS, tvOS, and watchOS due to security vulnerabilities being actively exploited. Update to these versions ASAP:
- iOS 17.2.1
- iPadOS 17.2
- macOS 14.2.1
- tvOS 17.2.
- watchOS 10.2.
Last week, Mark Cuban's wallet was hacked for about USD 850K. What happened and what simple security measures can we take in order to avoid these risks?
Let's see them one by one👇
🚨 Millions of dollars are being stolen daily due to private keys mismanagement.
🔑 How do they work?
🔏 What measures should you take to avoid getting hacked and having your wallet drained
A thread about this ...🧵
1/🚨Security alert🚨 We've discovered a potential risk involving #ChatGPT by @OpenAI, similar to the recent #Samsung’s leak incident. Undisclosed #CVEs (Common Vulnerabilities and Exposures) from 2023 were shared with us, raising grave concerns. Follow this captivating story ->
⚠️ IPHONE & IPAD SECURITY UPDATE ⚠️
iPhone and iPad users must update their devices to iOS and iPadOS 17.4 right now. Between the improvements, they are fixing 4 vulnerabilities of which 2 are being actively exploited by attackers.
This does not affect MacBooks.
⚠️Fake Rabby wallet in Apple Store ⚠️
Be extremely careful when downloading new apps to your phone. Even Apple Store has malicious fake apps, that drain your assets.
Security alert: phishing emails impersonating Trezor are being sent out using trezor real domain (trezor . io). This happens one week after Trezor alerted that customers' emails had been exposed due to a breach in their support ticketing system.
🔓The @FortaNetwork & Blockfence discovered a new type of sophisticated scam flow triggered by NFT sleepdrops. There are already over 500K addresses who received the drop, and over 20K confirmed victims. The verified amount of stolen funds crossed $11.5M
🔐 Telegram scam investigation 🕵️♂️
Our team has recently discovered a rug pull scam involving the deposit of around 300 ETH of stolen funds into Biget and Bybit. It has been discovered that fraudulent activity was carried out through the Telegram “NoLiquids”.
Small thread 🧵..
$ETH holder just got rugged for $1.04mn
> Holding 492 $ETH since last 5 years
> No Defi, no NFTs, no farming, no interaction to any contract
> Tries something new for first time & gets rugged by "ClaimReward"
Note a new type of "approval" scam: A fake $BUSD token was reported to send an "approval" notification. Removing those "fake approvals" as they don't exist will grant access to steal victims' funds.
How does Web3 defeat scams? 🤔
By having critical infrastructure integrate Forta monitoring 🤖✅
@blockfence_io gets it. Their team is now working with Forta to bring threat intelligence to the masses via their open-source, community-driven browser extension
🦭 After Wargames, Whitehat Safe Harbor Agreement, and SEAL 911; @_SEAL_Org keeps delivering! Check out this new initiative to consolidate threats and research data in a single tool: SEAL-ISAC 👇
Today, we're launching the latest @_SEAL_Org initiative, and it's going to change crypto security forever. It's called SEAL-ISAC, and this is why we need it
🥳 We're excited because Blockfence v0.4.1 is out!
What's new?
👀New design
🔎You can now look up, not only smart contracts, but also URLs
🧠 Improved ML algorithms for detection of phishing attacks
🛡️Check below how Blockfence protects YOU and get it at:
🔒 What is a Sim-swap attack? How do we avoid it?
Millions of dollars are lost weekly due to this kind of attack, which keeps growing.
Let's understand how it works and what we can do to stay safe. A small thread 🧵...
🔐 Whitehat Safe Harbor Agreement - by Security Alliance (SEAL) 🦭
The Whitehat Safe Harbor initiative is a framework in which protocols can offer legal protection to whitehats who aid in recovering assets during an active exploit.
So, let's dig a bit deeper into it. 🧵
1/5 🚨🚨🚨 #Crypto users, be aware of a #Chrome zero-day (CVE-2023-2136) that was actively exploited. The vulnerability affects Chrome's rendering pipeline, potentially leading to unauthorized system access. It's important to update your browser & safeguard your digital assets.
1/ It was recently found out by @CertiKAlert that BlockGPT or $AIBGPT is a pure scam, after 816 BNB (~$250K) from its pre-sale contract were just deposited into @TornadoCash. However, this scam project even received attention from Bloomberg! Why? and what you must spot? ->>
Last week we joined this great panel at "User Security Summit" in Istanbul with @NikitaVarabei from @ChainPatrol, Yi Zhang from @chaintooltech and İzzet Elpeze from @GoPlusSecurity, where we talked about user security data and the challenges we are focusing on!
Let’s analyze step by step how the scam works with one of the thousands of cases. For this example, we will use a fake token they created called “Blockfence.” Yes, Blockfence, like our company's name 🤦🏻♂️
Radiant Capital has been exploited for 1.9K ETH ($4.3M) on Arbitrum. The team has just reached the exploiter with the message:
"Hey, we wanted to reach out about the bug you exploited today. Well done on finding it! We're assuming you've did this exploit as a white or greyhat
🔐🌐 Zk proofs is a technology that is changing the meaning of online privacy and security. With them, we are heading into a revolutionary breakthrough. Imagine being able to confirm the truth of a statement without spilling any other details.
Let´s dive in 👇
1/20
🚨 Centralized exchange HTX (formerly Huobi) has been hacked and lost 5,000 eth ($8M dollars). The stolen funds have been covered by HTX and no user's funds are at risk.
🧵 Have you stumbled upon the acronym 'MPC' and wondered what it's all about? 🤔
MPC stands for Multi-Party Computation, an original approach in computing that's revolutionizing data privacy
In this thread, we will explore how it is transforming the way we handle sensitive data 👇
It does this by using a specific and already hardcoded number (183232389747193719218) along with the total supply (10.000.000.000), which is cast into an address datatype, which provides the administrator with the desired address.
1/ 🗝️ What are Passkeys?
Passkeys are a revolutionary approach to digital security designed to replace traditional passwords. They use cryptographic techniques to authenticate users, offering a more secure and user-friendly experience.
Let's dive deeper into this short thread 🧵
Thank you to everyone who joined us at "2024 before 2049" in Singapore during #Token2049! 🇸🇬
It was a wonderful evening with an amazing panel, drinks and both old and new friends! 🥂
None of this would have been possible without our partners @geek_cartel, @salus_sec,
We are very proud to have joined @_SEAL_Org in order to make the ecosystem a more secure place!
Kudos to all the people dedicating endless hours to this endeavor. 💪
I'm back, did you miss me? I have some huge news!
Over the last year and a half, I've been working on something big in secret with the rest of the crypto security community. Today, we're finally ready to reveal ourselves to the world. We are @_SEAL_Org
Unmasking the Connections: The Power and Necessity of Web3 Mapping
Pablo Sabbatella
@PabloSabbatella
Head of Security Research, Blockfence
@blockfence_io
"Machine learning is used to make Blockfence continually smarter, while community-supplied data also expands its knowledge base. As crypto defensive tools go,
#Blockfence is one of the best all-rounders on the market." Thanks @CoinGapeMedia
🥳Introducing Blockfence Web: Want to look up🔎 the risk score and information about any smart contract or URL? From now on, you can do it directly from our website. Give it a shot at ->
🚨 Phishing campaign alert 🚨
There is a massive ongoing campaign impersonating ZKSync, promoting an airdrop that leads users to a fake website. Once the user connects their wallet, the site drains their funds.
As we have mentioned over the past few weeks, phishing campaigns are
🚨 #Discord scam alert🚨
If you're getting this verification request message, especially the request to 'enable bookmark bar,' please ignore and do not proceed! It's a #scam!
Our Singapore 2024 Before 2049 event is taking place today!
Will 2024 bring in the next hype? Join us for a panel moderated by @francescoswiss - @Consensys, @MetaMask.
Details
🚨 Telegram no-click exploit on the wild 🚨
There's a potential Telegram vulnerability allowing an attacker to exploit Telegram mobile and PC clients by sending a file to the victim, which is auto-downloaded and infects the device.
Step by step on how to secure your Telegram 👇
We have partnered with Dappradar to provide users with a comprehensive explanation of the functionalities behind every smart contract, using our ML engine 🤖 . Try it!
📡 At DappRadar, we leverage AI and machine learning broadly. For PRO users, we've collaborated with @blockfence_io to offer a feature that uses generative language AI for easy explanations of contract functionalities.
Check it out on @ApeBond page 👇
🔐 January 2024 - Blockchain Security Report 📊
Check out our monthly security report on what happened during the first month of the year.
Here you have a brief summary or you can also download it (link in last message).
Let's go! 🧵...
🎙️ Tomorrow, we will be hosting the first live Space of the "Blockchain Security series" with a special guest: @officer_cia, and our host @PabloSabbatella. We will be talking about physical & on-chain OpSec, current threats, drainers, and more!
Link in the first comment! 👇
🔒 Blockchain Security Report - November 2023
November has emerged as the second most significant month of the year in terms of lost funds, with a total of $369M.
Come with me and let's see in more detail what happened.
Small thread 🧵
In this new era, we start to realize that much of our personal information is not as private as we think. From social media interactions to public records and beyond, our digital lives are visible under the lens of OSINT.
Do you know how much the world knows about you? 🕵️♂️💻
Since April 2023, this scammer has executed over 1200 rug pulls (and continues to do so.) In this picture, we can see some of the money being pulled from one of their addresses.
1/14 🧵
In a previous thread, we discussed MPC (Multi-Party Computation) technology and how it solves the problem of revealing some information while keeping input data absolute secret.
You can read it here:
Today, we continue exploring this technology
Announcing @DappRadar Smart Contract AI Explainer 🤖 by Blockfence:
This feature, included in Dappradar Pro, explains code in simple words, allowing users to gain a deeper understanding of smart contract interactions!
⚠️Warning⚠️ A new reported @telegram hacking vector:
A contact of yours with whom you shared your phone number in telegram settings will contact you randomly asking something stupid ->
🔐 iPhone users: update to iOS 17.3 and activate this new "Stolen device protection"
This will add a new layer of protection when you are away from home and work.
The Blockfence engine detected $39.85M out of $40.93 total relevant compromised funds. This does not include compromised private keys and centralized exchanges, which can not be detected.
1/16🧵
Today we are going to address one of the fundamental models in the world of cybersecurity🛡️: The CIA Triad
Join us in this journey through Confidentiality, Integrity, and Availability👇
🚨 PHISHING ALERT 🔐
A phishing campaign impersonating Manta Network drives victims to a supposed airdrop campaign, which drains the user's wallet. The email bypasses Gmail filters and lands directly in the inbox.
Today our CEO Omri Lahav talked at the Fintech Junction conference @ Tel Aviv.
@OmriLahav5 discussed the future of #Web3 security and the security lessons we should learn from fintech.
6/ OpenAI CEO @SamAltman has previously confirmed on the @DailyMailUK significant issues with ChatGPT, with a bug allowing some users to snoop on others' chat histories. This new CVE revelation raises more questions about the platform's data security.
🔐 March 2024 Blockchain Security Report
March was a quiet month with a relatively low amount of stolen funds ($124M vs. $398M in Feb), even more so when considering that $62M from Munchables was returned by the attacker, lowering the total losses for March to $62M.
Thread 🧵 >
🚨 Fixed Float has been exploited for 1.700 ETH (USD 4.76M)
Drainer address: 0x85c4fF99bF0eCb24e02921b0D4b5d336523Fa085
First reported by @reprove
🚨 Hope Lend has been exploited for $830K (526 ETH)
The attacker was front-run by a bot, which paid 263 ETH of bribe to the validator and kept the proceeds of the attack.
More info 👇
⚠️Warning⚠️ @PeterSchiff's twitter got compromised. Scammers are using it to promote a fake $GOLD presale. However, note that a presale smart contract is likely not an EOA (Externally Owned Account), as has been detected by Blockfence. Confirming this tx would lead to a wallet drain!
1/🚨New malware targeting #crypto wallet extensions like #Metamask
Mystic Stealer is a stealthy malware that poses a threat to both individuals and organizations, and is designed to evade detection and has a range of data exfiltration abilities (such as private keys). ->
⚠️ Be careful with this new type of scam.
Scammers are registering ETH addresses as ENS domains in order to confuse users when sending transactions through Ethereum Mainnet. 👇
first time I've seen this scam, so posting it as a heads up for users and interfaces
someone bought the ens "[myEthereumAddress].eth"
so when you paste in my address, the top result in some UIs is an ens match instead of the resolved ENS name
impt for UIs to filter these out