Analyzing the hacker methods and questions behind the theft of nearly $1.5 billion from Bybit


Chainfeeds Summary:

Hacker groups, especially the Lazarus Group, a state-level hacker group, are continuously upgrading their attack methods.

Source:

https://mp.weixin.qq.com/s/imC09I6Ty5aMkkENZTMOVg

Author:

Slow Mist Security Team


Viewpoint:

Slow Mist Security Team: We used on-chain tracking and the anti-money laundering tool MistTrack to analyze the initial hacker address 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2 and obtained the following information.

ETH was dispersed: the initial hacker address transferred 400,000 ETH in batches of 1,000 ETH to 40 addresses, and the transfers are still ongoing. Among them, 205 ETH were exchanged for BTC through Chainflip and cross-chained to the address bc1qlu4a33zjspefa3tnq566xszcr0fvwz05ewhqfq.

The flow of cmETH increased: 15,000 cmETH were transferred to the address 0x1542368a03ad1f03d96D51B414f4738961Cf4443. It is worth noting that mETH Protocol posted on X that, in response to the Bybit security incident, the team promptly suspended cmETH withdrawals, preventing unauthorized withdrawals, and mETH Protocol successfully recovered 15,000 cmETH from the hacker address.

8,000 mETH and 90,375.5479 stETH were transferred to the address 0xA4B2Fd68593B6F34E51cB9eDB66E71c1B4Ab449e. Then, through Uniswap and ParaSwap, they were exchanged for 98,048 ETH and transferred to 0xdd90071d52f20e85c89802e5dc1ec0a7b6475f92. The address 0xdd9 dispersed the ETH in batches of 1,000 ETH to 9 addresses, and the funds have not yet been withdrawn.

After the incident occurred, Slow Mist immediately suspected the attacker to be a North Korean hacker based on the attacker's method of obtaining the Safe multi-signature and the money laundering techniques. The analysis using MistTrack also found that the hacker addresses in this incident were associated with the BingX Hacker and Phemex Hacker addresses. ZachXBT also confirmed that this attack was related to the North Korean hacker group Lazarus Group, which has been primarily engaged in cross-border network attacks and cryptocurrency theft.

From the perspective of the attack method, the WazirX hack incident and the Radiant Capital hack incident have similarities with this attack, and the targets of these three incidents were all Safe multi-signature wallets. For the WazirX hack incident, the attacker also pre-deployed a malicious implementation contract and used three Owners to sign the transaction, using DELEGATECALL to write the malicious logic contract into STORAGE 0 to replace the Safe contract with the malicious implementation contract. For the Radiant Capital hack incident, according to the official disclosure, the attacker used a complex method to make the signature verifier see a seemingly legitimate transaction on the front-end, which is similar to the information disclosed in Ben Zhou's tweet. The permission check method of the malicious contracts involved in these three incidents is the same: the owner address is hardcoded in the contract to check the contract caller. The error messages thrown by the permission checks in the Bybit hack incident and the WazirX hack incident are also similar.

Combined with Ben Zhou's tweet, the following questions arise:

1) Routine ETH transfer: Did the attacker previously obtain the operational information of Bybit's internal finance team and master the timing of ETH multi-signature cold wallet transfers? Through the Safe system, did they induce the signers to sign the malicious transactions on a forged interface? Was the Safe front-end system compromised and taken over?

2) Safe contract UI was tampered with: The signers saw the correct address and URL on the Safe interface, but had the transaction data they signed been tampered with? The key question is: Who initiated the signature request first? How secure is their device?

We have these questions and look forward to the official disclosure of more investigation results.
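The DELEGATECALL-into-the-Safe pattern described above, as an added example that is not SlowMist's, Safe's or the article's own code: a stdlib-only Python decoder for Safe's execTransaction() calldata that flags what a signer should refuse to sign; every address and payload in it is constructed, and the encoder exists only to build those samples.

```python
# Added example (not SlowMist's or Safe's own code): decode a Safe
# execTransaction() call offline and flag what the attacks in the text relied
# on, chiefly operation == DELEGATECALL, which runs the callee's code inside
# the Safe proxy's own storage (slot 0 holds the implementation address).
# Stdlib only; layout follows Safe's public execTransaction() ABI.

SELECTOR = "6a761202"  # execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes)
OP_CALL, OP_DELEGATECALL = 0, 1

def _word(buf: bytes, i: int) -> int:
    return int.from_bytes(buf[32 * i:32 * (i + 1)], "big")

def _addr(buf: bytes, i: int) -> str:
    return "0x" + buf[32 * i + 12:32 * (i + 1)].hex()

def decode_exec_transaction(calldata_hex: str) -> dict:
    raw = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if raw[:4].hex() != SELECTOR:
        raise ValueError("not an execTransaction() call")
    args = raw[4:]                      # ABI offsets are relative to here
    off = _word(args, 2)                # offset of the dynamic `data` argument
    data = args[off + 32:off + 32 + _word(args, off // 32)]
    return {"to": _addr(args, 0), "value": _word(args, 1),
            "data": data, "operation": _word(args, 3)}

def risk_flags(tx: dict, safe_address: str) -> list:
    """Reasons a signer should refuse; empty means a plain ETH transfer."""
    flags = []
    if tx["operation"] == OP_DELEGATECALL:
        flags.append("DELEGATECALL: callee can rewrite the proxy's storage, "
                     "including slot 0 (the implementation address)")
    elif tx["operation"] != OP_CALL:
        flags.append(f"unknown operation {tx['operation']}")
    if tx["data"]:
        flags.append("calldata present: a contract interaction, not a plain transfer")
    if tx["data"] and tx["to"].lower() == safe_address.lower():
        flags.append("self-call: can change owners, threshold or modules")
    return flags

def encode_exec_transaction(to: str, value: int, data: bytes,
                            operation: int, signatures: bytes = b"") -> str:
    """Builds calldata for constructed samples only (gas fields zeroed)."""
    w = lambda n: n.to_bytes(32, "big")
    a = lambda h: bytes.fromhex(h.removeprefix("0x")).rjust(32, b"\0")
    dyn = lambda b: w(len(b)) + b.ljust(-(-len(b) // 32) * 32, b"\0")
    head = (a(to) + w(value) + w(320) + w(operation) + w(0) * 3
            + a("00" * 20) * 2 + w(320 + len(dyn(data))))  # 10 head words
    return "0x" + SELECTOR + (head + dyn(data) + dyn(signatures)).hex()
```

A signing policy built on these flags would also compare the decoded `to`, `value` and `operation` with what the hardware wallet displays, since the article's open question is precisely whether the front-end and the signed payload diverged.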

Source

https://chainfeeds.substack.com
