Crypto's Achilles' Heel



In the realm of crypto, where digital fortresses guard virtual fortunes, the most dangerous threat isn't always a line of faulty code; it's the person behind the keyboard.

While blockchain evangelists tout unhackable ledgers and cryptographic marvels, cybercriminals are exploiting a far simpler vulnerability: human nature itself.

Case in point: Evolve Bank and Trust's epic face plant in May 2024. One employee, one click, one malicious link: that's all it took for LockBit to make off with 33 terabytes of juicy user data.

Over 155,000 accounts from Bitfinex, Copper Banking, and Nomad users got their dirty laundry aired out for all to see.

Names, addresses, social security numbers, account balances - the whole enchilada.

This isn't just a one-off. It's the new normal in a world where your keys might be safe, but your identity is up for grabs.

From the constant threat of phishing attacks, to celebrity Twitter accounts shilling scam coins, to fake LinkedIn recruiters smooth-talking their way into GitHub repos, the human factor is the soft underbelly of crypto security.

The fallout? Trust in tatters, users in panic mode, and regulators licking their chops. It's a stark reminder that in crypto, your weakest link isn't your code; it's your people.

Buckle up as we dive into the dumpster fire of human error in crypto security.

As we confront the harsh reality of our own fallibility in the realm of crypto security, it's time to ask ourselves: can we truly secure our digital assets without first mastering the vulnerabilities of our own human nature?

Credit: Scam Sniffer, Decrypt, Tayvano, ZachXBT, The Block, Elliptic, Officer’s Blog

Cybercriminals are no longer just coders in dark rooms; they're master manipulators, adept at exploiting human nature.

Several key trends shape the evolving minefield in crypto.

One major trend involves targeted phishing campaigns, where attackers disguise themselves as legitimate crypto services to lure unsuspecting victims.

In June, a threat actor compromised Ethereum's mailing list provider and sent a phishing email to over 35,000 addresses with a link to a malicious site running a crypto drainer.

Ethereum disclosed the incident in a blog post and said that it had no material impact on users.

Did they dodge a bullet?

According to Scam Sniffer’s Mid-Year Phishing Report, 260k victims lost $314M across EVM chains, surpassing the $295 million stolen in the previous year.

With half the year left, phishing attacks still loom large.

Notably, most ERC20 token thefts among the top 20 victims involved sneaky signature phishing tactics like Permit, IncreaseAllowance, and Uniswap Permit2.

Most of the large thefts involved assets in Staking, Restaking, Aave Collateral, and Pendle tokens.

These tokens also support Permit. Once stolen, your staked assets cannot be retrieved.

For example, one victim lost $11 million worth of aEthMKR and Pendle USDe tokens due to signing multiple Permit phishing signatures.

Transaction: 0x8d0360632bc385171e20c12aa3152933bb041402bb3e06ab29136985a4745e57

Victim: 0xfb94d3404c1d3d9d6f08f79e58041d5ea95accfa

Scammer: 0x739772254924a57428272f429bd55f30eb36bb96
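The defence against the Permit-style phishing described above is to inspect what a typed-data signature request actually grants before signing it. The following is an added example, not code from the article or from any wallet vendor: a wallet-side check that normalises EIP-2612 Permit, DAI-style Permit and Uniswap Permit2 (PermitSingle / PermitBatch) requests into a list of allowance grants and flags the three things signature phishers rely on: an unfamiliar spender, an effectively unlimited amount, and a deadline far in the future. The allowlist, thresholds, contract addresses and both sample requests are constructed; only the victim and scammer addresses come from the article.

```javascript
// Added example (not from the original article or any wallet vendor): a
// pre-signing inspector for EIP-712 permit-style requests.

const MAX_UINT256 = (1n << 256n) - 1n;
const MAX_UINT160 = (1n << 160n) - 1n; // Permit2 encodes amounts as uint160

// Hypothetical allowlist: spenders this user has knowingly approved before.
const TRUSTED_SPENDERS = new Set([
  "0x1111111111111111111111111111111111111111", // placeholder: a DEX router
]);

// Normalise the supported primaryTypes into one shape: { spender, amount, deadline, cap }.
function extractGrants(typedData) {
  const { primaryType: t, message: m } = typedData;
  if (t === "Permit" && "allowed" in m) {
    // DAI-style permit: the boolean "allowed" grants or revokes an unlimited allowance.
    return [{ spender: m.spender, amount: m.allowed ? MAX_UINT256 : 0n, deadline: BigInt(m.expiry), cap: MAX_UINT256 }];
  }
  if (t === "Permit") {
    return [{ spender: m.spender, amount: BigInt(m.value), deadline: BigInt(m.deadline), cap: MAX_UINT256 }];
  }
  if (t === "PermitSingle") {
    return [{ spender: m.spender, amount: BigInt(m.details.amount), deadline: BigInt(m.details.expiration), cap: MAX_UINT160 }];
  }
  if (t === "PermitBatch") {
    return m.details.map((d) => ({ spender: m.spender, amount: BigInt(d.amount), deadline: BigInt(d.expiration), cap: MAX_UINT160 }));
  }
  return null; // not a permit-style request; other checks apply
}

function inspectPermitRequest(typedData, nowSeconds, opts = {}) {
  const trusted = opts.trustedSpenders ?? TRUSTED_SPENDERS;
  const maxDeadlineSeconds = BigInt(opts.maxDeadlineSeconds ?? 3600); // an hour is plenty for a swap
  const grants = extractGrants(typedData);
  if (grants === null) return { verdict: "not-a-permit", findings: [] };

  const findings = [];
  for (const g of grants) {
    const spender = String(g.spender).toLowerCase();
    if (g.amount === 0n) continue; // a revocation (amount 0) is harmless
    if (!trusted.has(spender)) findings.push(`unknown-spender:${spender}`);
    // Heuristic: anything in the top half of the type's range is "unlimited" in practice.
    if (g.amount >= g.cap / 2n) findings.push(`unlimited-allowance:${spender}`);
    if (g.deadline - BigInt(nowSeconds) > maxDeadlineSeconds) findings.push(`long-deadline:${spender}`);
  }
  return { verdict: findings.length > 0 ? "warn" : "ok", findings };
}

// Constructed sample 1: the shape of a phishing Permit. Owner and spender are the
// victim and scammer addresses listed in the article; every other field is made up.
const PHISHING_PERMIT = {
  primaryType: "Permit",
  domain: { name: "placeholder-token", version: "1", chainId: 1, verifyingContract: "0x2222222222222222222222222222222222222222" },
  message: {
    owner: "0xfb94d3404c1d3d9d6f08f79e58041d5ea95accfa",
    spender: "0x739772254924a57428272f429bd55f30eb36bb96",
    value: MAX_UINT256.toString(),
    nonce: "0",
    deadline: MAX_UINT256.toString(),
  },
};

// Constructed sample 2: a bounded, short-lived Permit2 grant to the allowlisted router.
const BENIGN_PERMIT2 = {
  primaryType: "PermitSingle",
  domain: { name: "Permit2", chainId: 1, verifyingContract: "0x3333333333333333333333333333333333333333" },
  message: {
    details: { token: "0x4444444444444444444444444444444444444444", amount: (1000n * 10n ** 18n).toString(), expiration: "1720001800", nonce: "0" },
    spender: "0x1111111111111111111111111111111111111111",
    sigDeadline: "1720000600",
  },
};

const NOW = 1720000000; // fixed "current time" so the demo is deterministic
console.log(inspectPermitRequest(PHISHING_PERMIT, NOW)); // verdict "warn", three findings
console.log(inspectPermitRequest(BENIGN_PERMIT2, NOW));  // verdict "ok"
```

The point of normalising first is that the warning logic stays the same whichever permit flavour the dApp (or the drainer) chose; a real wallet would also show the decoded spender and amount in plain words rather than the raw typed-data JSON.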

Additionally, social media account takeovers have become more prevalent, as cybercriminals spread malicious links through compromised profiles.

Scam Sniffer stated that most phishing attacks were caused by impersonator accounts on X.

Many of these hijacked accounts shill Solana meme coins; the line-up of recent imposters includes the likes of Doja Cat, Hulk Hogan, 50 Cent and Metallica.

These cases of compromised accounts are not to be confused with celebrities who are actually out there scamming people with their pump and dump trash coins.

Anyone else feeling PumpDotDone?

Not Your Comrade

While social media scams cast a wide net, some predators prefer a more targeted approach.

Enter the realm of insider threats and state-sponsored hacking groups, where social engineering meets cyber espionage.

These aren't garden-variety scammers, but the Special Forces of the digital underworld.

The infamous Lazarus Group, widely recognized as one of the most active threats targeting the crypto industry, exploits human vulnerabilities rather than technical ones.

Their approach involves:

  • Contacting employees via social media or messaging apps

  • Directing them to a GitHub repository for a job offer or bug bounty

  • Compromising the individual's device

  • Gaining unauthorized entry to company infrastructure

  • Compromising the company and its users

In one notable case highlighted by security researcher Tayvano, a Lazarus operative used a fake LinkedIn profile to engage two technical employees of the same company.

The attacker compromised the first employee's device with malware, even paying them $100 USDT to maintain the charade.

Upon discovering the first employee's lack of access, they shifted focus to the second employee, compromising them as well, resulting in a substantial theft a month later.

Another incident saw CoinsPaid staff contacted by fake recruiters on LinkedIn, promising salaries up to $24,000 per month.

Employees were tricked into installing malware during "test assignments," leading to a $37.3 million theft.

The biggest crypto heist in history, the $625 million Axie Infinity hack, stemmed from a single engineer opening a malicious PDF job offer.

These incidents underscore Lazarus' sophisticated social engineering, adaptability, and persistence. They target individuals across various roles and use diverse platforms like Telegram, Slack, email, and Discord.

For more insight into the tactics and history of Lazarus, check out How Lazarus Group laundered $200M from 25+ crypto hacks by ZachXBT and this brilliant rabbit hole collection of articles, analysis and heists attributed to their group and associated groups.

By understanding their methods, individuals and organizations can strengthen their defenses against advanced threat actors like Lazarus.

Huione Guarantee: The Amazon of Cybercrime

If Lazarus Group is the Special Forces of cybercrime, then Huione Guarantee is the Amazon Prime.

While state-sponsored hackers craft bespoke attacks, there's a growing market for off-the-shelf cybercrime solutions.

Why reinvent the wheel when you can simply add fraud to your cart?

Meet Huione Guarantee, the Cambodian conglomerate turning cybercrime into a one-click experience.

This digital den of iniquity sprawls across thousands of instant messaging app channels, offering a smorgasbord of services for the discerning fraudster.

Today's offerings include illicit services such as money laundering, tailor-made scam website development, and the sale of recently obtained personal data.

For the more sinister operators, there's even a selection of torture tools, reportedly used on enslaved workers within scam compounds.

But don't take our word for it. Elliptic's blockchain bloodhounds have sniffed out over $11 billion flowing through Huione's crypto wallets since 2021.

Spoiler alert: It wasn't all from selling Girl Scout cookies.

Not content with just being the Etsy of evil, Huione's subsidiary, Huione International Payments, decided to get their hands dirty too.

For a modest fee, they'll launder your ill-gotten gains faster than you can say KYC.

In the world of digital fraud, Huione isn't just playing the game, they're selling the whole damn casino.

Messaging Apps

But why bother with a cybercrime superstore when the tools for chaos are right at your fingertips?

Our beloved chat apps have evolved into unsuspecting breeding grounds for cybercrime.

It is hard to be in the crypto space without at least using X and Telegram, since that is where much of the action takes place.

I’m sure you already know by now that X is a security concern due to compromised accounts and phishing scams.

Telegram is quite the hotbed for the same behavior, but it is also being weaponized via OTP (one-time password) bots.

Two-factor authentication isn't a bulletproof solution, thanks to sophisticated OTP bots running on Telegram.

Hackers get your login info from data breaches or phishing. They use AI-powered bots to call you, impersonating your bank.

The bot tricks you into giving up your one-time password, sent legitimately by your real service. Once you enter that code, the scammer's in your account instantly.

These bots are a booming business, with weekly subscriptions and features like number spoofing and voice customization.

They're turning 2FA into a speed bump rather than a fortress.

Signal has been compromised too: the desktop app was found exposing users' secrets by leaving encryption keys in plain sight.

This security blunder allows prying eyes to sneak into chat histories and stealthily clone sessions.

Although Signal attempted to downplay the issue, critics insist on improved local data protection to prevent this embarrassment from escalating into a full-blown scandal.

Telegram and Signal boast about their encryption capabilities, with Signal’s being pretty questionable.

Discord doesn’t use end-to-end encryption.

There is transport layer security (TLS) encryption, which encrypts the message in transit, but that’s the full extent of Discord’s security.

This means that Discord can view your communication with others, and so can anyone who might hack into Discord’s systems.

Not only do you have to worry about your private conversations being leaked, but Discord's security limitations pose additional risks.

The platform's lack of end-to-end encryption and susceptibility to phishing scams can lead to stolen game and Discord accounts, widespread spam, and compromised personal information.

With cunning groups like Pink Drainer, Discord has become a perilous playground for crypto criminals.

These digital pirates have cracked the code on exploiting Discord's vulnerabilities, turning the platform into a hunting ground for their phishing escapades.

By weaving intricate webs of deceit, they've managed to snatch millions in digital assets right under the noses of users and moderators alike.

Also, some of the shenanigans that Discord bots are capable of are quite scary.

Look no further than this YouTube video “Infiltrating a Discord Bot that spies on people.”

From phishing frenzies to insider shenanigans, state-sponsored heists to DIY cybercrime kits, we've peeled back some of the layers of the crypto-crime onion.

Turns out the juiciest target isn't some unhackable blockchain, but the squishy gray matter between our ears.

In this crypto minefield, we must ponder our role as users and employees.

Are we the weakest link in crypto security and how can we fortify our defenses against the relentless tactics of cybercriminals?

Before you go full doomsday prepper and bury your seed phrases in the backyard, hold your horses.

Sure, the crypto wild west makes the actual Wild West look like a kiddie pool, but that doesn't mean we're all sitting ducks in a shooting gallery.

So, before you swear off the internet and go live in a Faraday cage, stick around.

Time to switch gears from doom and gloom to your personal cybersecurity boom.

Are you ready to protect yourself?

If you work for a protocol, decentralization helps to eliminate single points of failure.

If you’re on a team that is using a single private key and not a multisig, are you sure you should be here?

Private key compromises are one of the current top exploits.

If you’re storing funds in a hot wallet, you might as well walk around with a target on your back. Opt for a cold wallet at any chance.

This should be a no-brainer, but people keep falling for it: do not click on links or download files from random strangers.

Don't use SMS for authentication, ever! Use authenticator apps or 2FA hardware keys.

Also consider using different devices for personal use vs accessing crypto.

It is a good practice to check and revoke token approvals, either in Rabby or on Revoke.cash.
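What those tools do under the hood is worth seeing once. The following is an added example, not code from the article or from Rabby or Revoke.cash: an offline allowance audit that decodes raw ERC-20 Approval logs for one owner, keeps the most recent event per (token, spender) pair, and reports every grant that is still non-zero, marking the unlimited ones that deserve an immediate approve(spender, 0). The log lines, token addresses and router address are constructed; the owner and drainer addresses are the victim and scammer from the Permit case earlier in the article. A production check should confirm each result with an allowance(owner, spender) call, because transferFrom can lower an allowance without always emitting a fresh Approval event.

```javascript
// Added example (not from the original article, Rabby or Revoke.cash): an
// ERC-20 allowance audit over constructed Approval logs.

// keccak256("Approval(address,address,uint256)"): the standard ERC-20 Approval topic
const APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925";
const MAX_UINT256 = (1n << 256n) - 1n;

// Indexed address parameters arrive left-padded to 32 bytes in the topics array.
function topicToAddress(topic) {
  return "0x" + topic.slice(-40).toLowerCase();
}

function decodeApproval(log) {
  if (log.topics.length !== 3 || log.topics[0] !== APPROVAL_TOPIC) return null;
  return {
    token: log.address.toLowerCase(),
    owner: topicToAddress(log.topics[1]),
    spender: topicToAddress(log.topics[2]),
    value: BigInt(log.data), // the non-indexed uint256 sits in data
    blockNumber: log.blockNumber,
    logIndex: log.logIndex,
  };
}

// Latest Approval per (token, spender) approximates the current allowance.
function outstandingAllowances(logs, owner) {
  const wanted = owner.toLowerCase();
  const latest = new Map();
  for (const log of logs) {
    const ev = decodeApproval(log);
    if (!ev || ev.owner !== wanted) continue;
    const key = `${ev.token}:${ev.spender}`;
    const prev = latest.get(key);
    const newer = !prev || ev.blockNumber > prev.blockNumber ||
      (ev.blockNumber === prev.blockNumber && ev.logIndex > prev.logIndex);
    if (newer) latest.set(key, ev);
  }
  return [...latest.values()]
    .filter((ev) => ev.value > 0n)
    .map((ev) => ({ token: ev.token, spender: ev.spender, value: ev.value, unlimited: ev.value >= MAX_UINT256 / 2n }));
}

// Constructed sample data. pad() builds the 32-byte topic form of an address.
const pad = (addr) => "0x" + addr.slice(2).toLowerCase().padStart(64, "0");
const OWNER = "0xfb94d3404c1d3d9d6f08f79e58041d5ea95accfa";   // victim address from the article
const DRAINER = "0x739772254924a57428272f429bd55f30eb36bb96"; // scammer address from the article
const ROUTER = "0x1111111111111111111111111111111111111111";  // placeholder legitimate spender
const TOKEN_A = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; // placeholder tokens
const TOKEN_B = "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb";
const UNLIMITED = "0x" + "f".repeat(64);
const ZERO = "0x" + "0".repeat(64);
const FIVE_HUNDRED = "0x" + "0".repeat(61) + "1f4";

const SAMPLE_LOGS = [
  // block 150: the router approval on TOKEN_A was revoked (deliberately listed out of order)
  { address: TOKEN_A, topics: [APPROVAL_TOPIC, pad(OWNER), pad(ROUTER)], data: ZERO, blockNumber: 150, logIndex: 2 },
  // block 100: unlimited approval of TOKEN_A to the router
  { address: TOKEN_A, topics: [APPROVAL_TOPIC, pad(OWNER), pad(ROUTER)], data: UNLIMITED, blockNumber: 100, logIndex: 0 },
  // block 120: bounded approval (500 base units) of TOKEN_B to the router, still outstanding
  { address: TOKEN_B, topics: [APPROVAL_TOPIC, pad(OWNER), pad(ROUTER)], data: FIVE_HUNDRED, blockNumber: 120, logIndex: 5 },
  // block 200: the Approval emitted when a phished Permit was redeemed on-chain
  { address: TOKEN_A, topics: [APPROVAL_TOPIC, pad(OWNER), pad(DRAINER)], data: UNLIMITED, blockNumber: 200, logIndex: 1 },
  // block 210: somebody else's approval, must be ignored
  { address: TOKEN_A, topics: [APPROVAL_TOPIC, pad("0xcccccccccccccccccccccccccccccccccccccccc"), pad(DRAINER)], data: UNLIMITED, blockNumber: 210, logIndex: 0 },
];

console.log(outstandingAllowances(SAMPLE_LOGS, OWNER)); // TOKEN_B->router (500) and TOKEN_A->drainer (unlimited)
```

Ordering by (blockNumber, logIndex) rather than by array position matters because log providers do not always return events sorted; the TOKEN_A revocation at block 150 must win over the earlier unlimited approval even though it appears first in the list.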

Whether you’re a crypto native or working in the industry, using some of these measures can help you to fortify your castle, but they’re not a surefire solution.

For a deep dive into security tips and devices for digital nomads, this piece by Officer’s Blog is a great resource.

If you want to understand how hackers can infiltrate and compromise your device, read this entry in Officer’s Blog.

Arm yourself with knowledge, your bulletproof vest against the outlaws of crypto.

As you ride the wild frontier, remember to stay vigilant and secure your digital strongholds.

In the high-stakes game of crypto security, can you afford not to be one step ahead of the outlaws?



REKT serves as a public platform for anonymous authors, we take no responsibility for the views or content hosted on REKT.
