ChainCatcher message, Slow Mist's Yu Xian disclosed that the phishing technique of poisoning addresses with similar starting and ending numbers is still widespread, severely impacting the security infrastructure of the blockchain industry.Yu Xian pointed out that this type of poisoning targeting wallet transaction history mainly involves various techniques, including fake token contract codes emitting false event logs to deceive block explorers and wallets, as well as using zero-amount transfer event logs to arbitrarily fill in addresses in the from/to fields. These techniques can mislead users into believing that the transactions are from their own actions. Other common techniques include sending small amounts of funds from source addresses with the same starting and ending characters, combining clipboard hijacking technology, and impersonating well-known decentralized exchanges to output false event logs.Yu Xian recommends that users make good use of wallet whitelisting mechanisms, carefully verify complete addresses, and combine well-known hardware wallets for dual verification as defensive measures.Previously reported, two addresses suffered "transaction history pollution attacks" in the past 14 hours, resulting in a total loss of over $140,000.

ChainCatcher news, according to a post by Slow Mist's Yuxian, multiple users mistakenly transferred funds to the contract address of the Magma project on the Monad testnet due to not switching to the correct network environment.Yuxian confirmed through analyzing transaction data and smart contract code that these fund transfers occurred because users did not correctly switch to the Monad testnet while executing functions such as depositMon() and withdrawMon() for the Magma project on multiple blockchains including Ethereum and Binance Smart Chain. This issue may stem from an inadequate network switching mechanism in the wallet application or the project's frontend.Yuxian stated that the project team could implement a fund return mechanism by creating corresponding contracts on the relevant blockchains, and affected users should directly contact the Magma project team for assistance.

ChainCatcher message, Slow Mist Yuxian posted on platform X stating: "An extension can be malicious, such as stealing cookies from the target page, privacy in localStorage (like account permission information, private key information), DOM tampering, request hijacking, clipboard content retrieval, etc. Relevant permission configurations can be made in manifest.json. If users are not careful about the permissions requested by the extension, it can be troublesome.However, for an extension to be malicious and directly target other extensions, such as well-known wallet extensions, it is still not easy... because of sandbox isolation... For example, it is unlikely to directly steal private key/mnemonic-related information stored in the wallet extension. If you are concerned about the permission risks of a certain extension, it is actually easy to assess this risk. After installing the extension, you can choose not to use it first, check the extension ID, search for the local path on your computer, and find the manifest.json file in the root directory of the extension. You can then directly throw the file content to AI for permission risk interpretation. If you have an isolation mindset, you might consider enabling a separate Chrome Profile for unfamiliar extensions, at least making malicious actions controllable; most extensions do not need to be enabled all the time."

ChainCatcher news, Slow Mist founder Yu Xian posted on social media, "There has been a recent surge in social engineering poisoning targeting computers in the past few days. Yesterday, I followed up on 3 cases. Once again, a reminder to those who think using a Mac computer is inherently safe: the reality is actually quite bad. Be sure not to install unofficial applications randomly, as even official sources can have issues."

ChainCatcher message, Slow Mist Yu Xian stated, "Bybit was hacked for nearly $1.5 billion in ETH assets, apart from some being recovered, the rest has left Ethereum, with the vast majority entering the Bitcoin network, where complex coin laundering operations are taking place, and THORChain node operators have profited significantly."

ChainCatcher message, Slow Mist founder Yu Xian tweeted, "If antivirus software falsely reports your browser extension, such as a wallet extension's js file being falsely flagged, the antivirus software usually isolates it, which means the wallet extension will be damaged and unable to open. At this point, you can recover the file from isolation, do not delete it. If you delete it, do not uninstall the wallet extension either, as there may still be a chance to recover files related to the locally encrypted private key."

ChainCatcher news, Slow Mist founder Yu Xian posted on social media that the theft of 12,000 ETH last year was carried out by the Eastern European hacker group Inferno Drainer, not North Korean hackers. The money laundering methods have some overlap with North Korean hackers, making it very difficult to recover the funds.

ChainCatcher message, SlowMist's cosine monitoring, Infini hackers are very skilled in technology and understand smart contract operations, which is why they could steal funds from its Vault and related strategies with a private key, stealing twice:11,455,666 USDChttps://etherscan.io/tx/0xacf84c5944f662a4fcf783806993d713a150994932008e72e4e47a58d6665f7f38,060,996 USDChttps://etherscan.io/tx/0xecb31ff694c0e6c5e5b225c261854c0749ecf5d53c698fcda61f2d8e3db8f9fc

ChainCatcher message, Slow Mist's余弦 responded to Infini founder @Christianeth, stating that they have fully followed up on the Infini attack incident, and the attacker is quite technically knowledgeable.

ChainCatcher news, Slow Mist founder Yu Xian posted on social media, "Through forensic analysis and correlation tracking, we confirm that the attackers of the CEX theft incident are the North Korean hacker group Lazarus Group. This is a nation-state APT attack targeting cryptocurrency trading platforms. We have decided to share the relevant IOCs (Indicators of Compromise), which include some IPs of cloud service providers, proxies, etc. It is important to note that this disclosure does not specify which platform or platforms were involved, nor does it mention Bybit; if there are similarities, it is indeed not impossible."The attackers utilized pyyaml for RCE (Remote Code Execution), enabling the delivery of malicious code to control target computers and servers. This method bypassed most antivirus software. After synchronizing intelligence with partners, multiple similar malicious samples were obtained. The main goal of the attackers is to gain control over wallets by infiltrating the infrastructure of cryptocurrency trading platforms, thereby illegally transferring a large amount of cryptocurrency assets from the wallets.Slow Mist published a summary article revealing the attack methods of the Lazarus Group, and also analyzed their use of social engineering, vulnerability exploitation, privilege escalation, internal network penetration, and fund transfer tactics. At the same time, based on actual cases, they summarized defense recommendations against APT attacks, hoping to provide references for the industry and help more institutions enhance their security capabilities and reduce the impact of potential threats.

ChainCatcher message, Slow Mist Yu Xian posted on platform X: "Give mETH Protocol a thumbs up, intervene in the review in a timely manner, and recover the 15,000 cmETH stolen from Bybit. At this time, the majority of people are applauding such reviews or interventions.mETH Protocol is still not well understood, but another interesting example of security balance design can be cited: Renzo's ezETH contract has issues with excessive permissions, such as being upgradable, and being able to mint/burn, etc. However, the Owner is multi-sig and has a Timelocker of 7 days, and has implemented a proposal mode. Therefore, if ezETH intends to act maliciously, timely detection allows everyone a 7-day buffer to make a choice. This kind of security balance model is quite mature in the Ethereum ecosystem."

ChainCatcher news, the founder of Slow Mist, Cosine, stated on social media that from a security perspective, the suggestion to urgently stop the wallet system in the case of unknown reasons is correct. Bybit's response to the theft was very quick, and identifying the problem was also swift. Slow Mist and some security teams immediately intervened for communication, quickly determining the issue and speculating on the hacker's profile. Bybit was well-prepared and had no issues in promptly reopening withdrawals.Cosine explained that he believes there is no problem with Zhao Changpeng's previous suggestion and Bybit's final resolution. Currently, many industry insiders are infighting over this controversy, forgetting that the common enemy should be North Korean hackers.Previous news, Zhao Changpeng suggested that Bybit temporarily stop all withdrawals, stating that he would provide any assistance if needed.

ChainCatcher message, Slow Mist stated on platform X that the Safe contract is fine, but the issue lies in the non-contract part, where the front end has been tampered with and forged to achieve a deceptive effect. This is not an isolated case. North Korean hackers managed to compromise several companies last year, such as:WazirX 230M USDT Safe multi-signatureRadiant Capital 50M USDT Safe multi-signatureDMM 305M USDT Gonco multi-signatureThis type of attack method has matured in engineering. Other companies also need to pay more attention, as multi-signatures may have similar attack points beyond just Safe.

ChainCatcher message, Slow Fog Yu Xian posted on platform X stating: "Although there is currently no clear evidence, based on the methods used for Safe multi-signature and the current money laundering techniques, it resembles North Korean hackers. North Korean hackers, if I have wronged you, please correct me, and I will apologize..."

ChainCatcher news, Slow Mist founder Cos posted on the X platform that after Argentine President Milei tweeted, the address doodo...kqg7 quickly tested 3 contract addresses (CA). Through data cross-analysis, it was found that these 3 CAs actually came from the same person.Cos stated: "The address owner may know what happened, maybe it's just a routine test he is conducting at Jupiter."Cos mentioned that he posted the above because Jupiter's tweet stated: "If there is evidence that a Jupiter employee has leaked information or engaged in other sniper activities, please contact us directly. If we find that any team member has used non-public information for trading, we will take swift and decisive action."

ChainCatcher news, Slow Mist's Yu Sen stated in a post on X that the group theft incident disclosed by GoPlus today involves over 800 tokens on multiple Ethereum Virtual Machine (EVM) compatible chains, with the attacker having profited $1.24 million.It is worth noting that he pointed out that the victims are primarily from the "yield farming group" (participants active in multiple project airdrop tasks).

ChainCatcher message, Slow Mist's Yu Sen posted on platform X that the Mode network has frozen most of the assets stolen from Ionic, and those that were not intercepted have been laundered through Tornado Cash. In contrast, if Starknet had stepped in to help, the situation for zkLend could have been better. In fact, there is strong support for blockchain audits regarding large thefts occurring on their own networks.

ChainCatcher news, Slow Mist founder Cosine posted on X confirming that the hacker who attacked zkLend is the same as the hacker who attacked EraLend in July 2023.

ChainCatcher news reports that according to Yu Xian, the founder of Slow Mist, the lending protocol zkLend on the Starknet chain was hacked on February 12, resulting in losses exceeding $9.5 million. The reason for the attack lies in the safeMath library used by its market contract, which employs direct division for calculations. This led to a rounding error in the actual number of zTokens that needed to be burned during withdrawals, which the attacker exploited for profit.On-chain data shows that the attacker's address has an active history of 235 days and has interaction records with multiple platforms, including Binance. The hacker has since transferred the stolen funds across chains, with most of it moved to the Ethereum network. Yu Xian stated that by tracking the associated Starknet addresses, it was discovered that this attacker is linked to the hacking incident of EraLend on July 25, 2023.

ChainCatcher message, Slow Mist Yu Sen posted on platform X stating that hackers have cross-chain transferred the stolen funds from zkLend on the Starknet network to other networks, with most of the funds flowing to the Ethereum network.