Web3 and DeFi have seen a sharp rise in cybercrime, with North Korean actors repeatedly targeting exchanges and DeFi protocols. The attacks combine social engineering, malware, smart contract flaws, and governance exploits, underscoring the need for stronger security across Web3 ecosystems.
#Ronin #SkyMavis #APT38 #DPRK #COVERTCATCH #RUSTBUCKET #JumpCloud #3CX #CurveFinance #EulerFinance #TornadoCash
Key points
- The growth of Web3 and DeFi has created new opportunities for sophisticated cybercrime, particularly in DeFi ecosystems.
- North Korea’s APT38 (DPRK) is a leading actor behind major Web3 heists.
- In 2022, the largest DeFi heist exceeded $600 million on Sky Mavis’ Ronin blockchain.
- Common attack methods include social engineering, malware, and smart contract exploits.
- Crypto exchanges have long been targeted, with notable incidents dating back to Mt. Gox (2014) and more recent hacks like DMM Bitcoin (2024).
- Social engineering campaigns have targeted finance personnel and developers with fake job offers and malicious PDFs.
- Smart contract vulnerabilities, such as reentrancy, and governance/supply-chain attacks have caused significant losses and operational disruption.
- Organizations must strengthen security postures and leverage advanced security solutions to reduce dwell times and prevent heists.
MITRE Techniques
- [T1203] Social Engineering – Attackers use fake job offers to lure victims into downloading malware.
- [T1059] Malware – COVERTCATCH and RUSTBUCKET malware used to gain access to systems.
- [T1195] Supply Chain Compromise – Attacks on third-party services to gain access to cryptocurrency platforms.
- [T1003] Credential Dumping – Pivoting to password managers to steal credentials.
- [T1210] Exploitation of Remote Services – Exploiting vulnerabilities in smart contracts for financial gain.
- [T1098] Account Manipulation – Governance attacks to manipulate voting and drain funds from DAOs.
Indicators of Compromise
- [Domain] C2 domain – autoserverupdate.line.pm
- [URL] Command-and-control URLs – https://autoserverupdate.line.pm/qp5FV6ilCJf, https://autoserverupdate.line.pm/Q5wWzIY5%2BSEE07MzxS/TMbSBM7BiR/DIUDMurOYs/xoG5A%3D%3D
- [File/Artifact] Launch Agent/PLIST label – com.apple.safariupdate (Launch Agent persistence)
- [Credential/Secret] AWS SSM Parameters (decrypted credentials) – examples include /prod/wallets/wallets-password, /prod/wallets/eth/db/password
- [Malware] COVERTCATCH and RUSTBUCKET – backdoor malware used in phishing workflows
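The Launch Agent label and C2 domain listed above can be turned into a simple host-triage check. The following is an added example, not code from the report or its authors: it parses macOS LaunchAgent plists and flags the known label, any com.apple.* label installed outside Apple's system directories, and any program arguments referencing the C2 domain. The sample plists are constructed for illustration.

```python
import plistlib

# IoCs from the report summary above.
C2_DOMAIN = "autoserverupdate.line.pm"
KNOWN_BAD_LABELS = {"com.apple.safariupdate"}

# Apple's own agents live under these paths; a com.apple.* label in a user's
# ~/Library/LaunchAgents is a lookalike and worth a closer look.
APPLE_DIRS = ("/System/Library/LaunchAgents", "/System/Library/LaunchDaemons",
              "/Library/Apple/")


def triage_launch_agent(path: str, plist_bytes: bytes) -> list[str]:
    """Return the reasons (possibly none) a LaunchAgent plist matches the IoCs."""
    findings = []
    try:
        data = plistlib.loads(plist_bytes)
    except Exception:
        return ["unparseable plist"]
    label = str(data.get("Label", ""))
    if label in KNOWN_BAD_LABELS:
        findings.append(f"known IoC label {label}")
    if label.startswith("com.apple.") and not path.startswith(APPLE_DIRS):
        findings.append(f"Apple-lookalike label {label} outside Apple system paths")
    # ProgramArguments / Program hold the command launchd runs at login.
    args = list(data.get("ProgramArguments", [])) + [data.get("Program", "")]
    if C2_DOMAIN in " ".join(str(a) for a in args):
        findings.append(f"references C2 domain {C2_DOMAIN}")
    return findings


def scan_agents(agents: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each plist path to its findings, keeping only flagged entries."""
    results = {p: triage_launch_agent(p, b) for p, b in agents.items()}
    return {p: f for p, f in results.items() if f}


# Constructed samples (not real captures): one lookalike agent using the
# IoC label and domain, one ordinary third-party agent.
SUSPICIOUS_PLIST = plistlib.dumps({
    "Label": "com.apple.safariupdate",
    "ProgramArguments": ["/usr/bin/python3", "/Users/alice/Library/Caches/update.py",
                         "https://autoserverupdate.line.pm/qp5FV6ilCJf"],
    "RunAtLoad": True,
})
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.backup",
    "ProgramArguments": ["/usr/local/bin/backup", "--nightly"],
    "RunAtLoad": True,
})
```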
Read more: https://cloud.google.com/blog/topics/threat-intelligence/examining-web3-heists/