TechRisk Notes#29: Another dark LLM surfaced + over $100M lost in multiple Web3 attacks
Plus, President Biden met major technology companies on responsible AI, NIST expanded PQC Digital Signature Schemes, macOS crypto wallets targeted and more.
EmergingTech Spotlight
FraudGPT: Following in the footsteps of WormGPT, threat actors are advertising yet another cybercrime generative artificial intelligence (AI) tool, dubbed FraudGPT, built exclusively for offensive purposes such as crafting spear-phishing emails, creating cracking tools, and carding. [more]
Responsible AI: President Biden met with the leaders of seven major technology companies to secure their commitment to a voluntary framework for responsible AI innovation. The voluntary framework consists of eight commitments, each falling under one of three guiding principles: safety, security, and trust. [more][more-Ensuring Safe, Secure, and Trustworthy AI]
EY survey: Nearly two-thirds (65%) of CEOs agree that AI is a force for good; however, a nearly equal proportion say more work is needed to address social, ethical and security risks – from cyberattacks to disinformation and deepfakes. [more]
NIST Post-Quantum Cryptography (PQC) Digital Signature Schemes: In response to a September 2022 announcement calling for additional PQC Digital Signature Schemes, NIST received 40 candidates that met all submission requirements. This round of evaluation and analysis will likely last several years. NIST invites feedback on all 40 candidates. NIST anticipates holding the Fifth PQC standardization conference in April 2024. [more][more PQC: Digital Signature Schemes]
Web3 Cryptospace Spotlight
Conic Finance lost ~$3M: 21 Jul - DeFi protocol Conic Finance suffered a security attack and lost 1700 ETH (approx. $3M). The attacker manipulated the price oracle that the protocol relied on. [more]
CoinsPaid lost ~$37M: 22 Jul - Digital currency payment service provider CoinsPaid said that it suffered an attack and that $37.3 million worth of cryptocurrency was stolen. However, the company stated that customer funds are still safe and the incident will not have a significant impact on the company's business. CoinsPaid said the attack was initiated by the Lazarus Group. [more]
Alphapo lost ~$60M: 24 Jul - Hot wallets of Alphapo, a cryptocurrency payment service provider, were hacked for over $60 million on Ethereum, Bitcoin and Tron (with some reports suggesting total losses could amount to around $100 million). As a payment processor, Alphapo provides payment services and supports more than 30 digital assets and fiat currencies for numerous crypto gaming and gambling service providers including HypeDrop and Bovada. A DeFi security platform, DeDotFi, said that the hack may have been caused by private key leakage. [more][more-2]
Reports also suggested that Lazarus Group was behind the attack.
EraLend lost ~$3M: 26 Jul - DeFi lending protocol EraLend (on zkSync) was reportedly attacked and lost approx. $3.4 million in USDC. The attacker used a reentrancy attack against a vulnerability in the EraLend smart contract function that controls token minting and burning. [more][more-2]
26 Jul - SlowMist tweeted that the CoinsPaid, Atomic and Alphapo attackers may all be the North Korean hacker organization Lazarus Group. [more]
ChatGPT usage by whitehats: While most surveyed whitehats used ChatGPT in Web3 security and found it has potential, they noted concerns about its ability to identify security vulnerabilities. 64% of surveyed whitehats find that ChatGPT lacks accuracy in identifying security vulnerabilities. [more][more-report]
macOS crypto wallet malware: The number of Realst samples and their variation shows that the threat actor has invested serious effort in order to target macOS users for data and crypto wallet theft. Multiple fake game sites complete with Discord servers and associated Twitter accounts have been created to present the illusion of genuine products and convince users to try them out. As soon as the victim launches these fake games and provides the “installer” with a password, their data, passwords and crypto wallets are stolen. Given the current popular interest in blockchain games, which promise users the reward of making money while gaming, users and security teams are urged to treat solicitations to download and run such games with extreme caution. [more]
Web3 security basic test - “Rekt test”: Polygon Labs, Solana Foundation and other players in the Web3 world are about to launch a crypto experiment, known as the “Rekt Test”, aimed at serving as a security standard for emerging projects. The test is intended to decrease the frequency of incidents in the blockchain landscape such as hacks, exploits or crypto scams. [more]
Specifically, the “Rekt Test” will cover 7 basic requirements that will be put to each new emerging project.
These include: