
Web3 Warfare Exploring Unknown and Challenging Territories

BSides Colombia · 32:42 · 151 views · Published 2025-05

Tags: Style: Talk

About this talk
Discover "Web3 Warfare": exploring unknown and challenging territories. Dive into criminal methodologies, pentesting tools adapted to Web3, and threat hunting and OSINT techniques. A captivating journey with a case study included. #ciberseguridad #web3 #bsidesco

Transcript [en]

...um, territory is known, as well as the call in the talk, so that's the idea: learn a little from me, from the thoughts I have about how I face threats, digital investigations, a little pentesting, and how criminals are operating right now on Web3.

A little about me: I'm the leader of the Cyber Intelligence team at S&W Security. I'm a threat hunter and researcher, one of the professors of B-Hacker Pro, and an organizer of the event. I'm very passionate about OSINT, intelligence and CTFs; I consider them a way to learn any topic very quickly, and that's what I want us to do today: very quickly learn about Web3. I also had the opportunity last year at BSides to give a two-day workshop on how to track cybercriminals in Colombia. It was very interesting. At Intelcon, and in Prague at the Underground Economy Conference, we also had the opportunity to give a talk. As I said, I really like learning by doing CTFs; it's the best way. I had the opportunity with some friends to set up a CTF team last year. We are very passionate. Last year we managed to be the first ones there on CTFtime. If anyone doesn't know it, there you can play a CTF every eight days. I also had the opportunity to play with a team in Chile that has been there for more years, also managing to be the top one.

So it's very cool because there are also Web3 challenges right now in all CTFs. At my last BSides, last year, we had two days of training; the CTF was very interesting, networking, knowledge. So if this is the first time you come to BSides, it's the best opportunity to learn and meet very stubborn people. In addition, the beer they designed seemed great to me. If you have the opportunity to go to the finish line, or whatever the party is called, it will be very cool. It is the best way to sometimes tell or hear anecdotes and meet very stubborn professionals in a very close way.

What is this talk not? It is not an investment talk; I will not invite you to invest in a cryptocurrency. It is not a scam, it is not far from reality, and I do not promote any purchase of cryptocurrencies either. What are we going to learn? The current view of what cyber threats are in Web3, in blockchain. I'm going to share tools, techniques, my thoughts and some application cases that I managed to publish.

Right now we are always seeing blockchain everywhere: cryptocurrencies, investments, games, but we don't understand it very well. So in this first part I would like to explain very quickly everything that is blockchain. It actually started in 2008, in October, when someone published a paper. I don't know who it is; sometimes they say it could be a group of people. The topic was proof of work in a digital economic system. Blockchain is a decentralized network where, it can be said, each transaction is recorded, it is always verifiable, everything is transparent, and it is based on blocks, which is why it's called blockchain. So a transaction is always made: someone presents that transaction to the network, the other nodes record that transaction, someone in the node verifies those transactions, and that's why in the end they give a reward, which is the commonly known Bitcoin, but it also happens in other blockchain networks.

There are three interesting terms that I want you to remember because they are very important when we are doing open testing research processes: blocks, hashes and transactions. Each block can have many transactions, and each transaction has a hash, that is, something that shows that the transaction is unique and anyone can verify it. What else? Transactions: a block can have many transactions, and the transactions have the address of who sends something and who receives it.

A cryptocurrency is a digital currency. It can operate on a blockchain, and it is a way in which a transaction is made and other parties will see it, as you saw right now: transaction, hash. But they have some characteristics. They are digital, no one controls them, they are versatile, they can be used to buy, to obtain goods; later we will see NFTs. They are safe because they are stored in the blockchain, and they are autonomous. I'm going to go very fast; I hope we can get through the talk, you'll see.

But there are also tokens. Tokens operate within the blockchain and allow you to buy some good. Unlike a cryptocurrency, a token can operate on other, different blockchains. Each blockchain can have different characteristics, and tokens inherit those characteristics of the blockchain. Types of tokens: security, utility, fungible, non-fungible, governance and exchange. This is a list of examples I know. Utility: BNB, BAT. Security: they can be tokens even for investment or to guarantee the purchase of houses; we are also seeing that. Fungible tokens, which are exchanged for the same amount; so we have Ether, Tether or USDT. Non-fungible tokens, which are seen a lot in games, or NFTs. Governance tokens. Exchange tokens like Uniswap or SushiSwap. So this is the example. As we see quickly: BNB, utility; security, maybe for houses; the fungibles, Tether and Ether; exchange, like Uniswap; and these that we have seen a lot on social networks, the MICOs or the CryptoKitties, which are NFTs.

Now we can start to see the real hacking talk. But before that, I know you saw yesterday what a smart contract is, but it is important to understand that this is code that executes a function. They have different characteristics too. They can be automated; they are transparent, anyone can see the contract and understand it, even fraud contracts. They cannot be modified, but they can also have vulnerabilities. In DefiLlama you can see, since smart contracts were created, what the most popular language of smart contracts is. It has always been one of the most popular: Solidity. So when I started looking at the smart contracts topic, I wanted to learn that. As you know, I always like something very gamified; it seems to me that it is a way of learning it. Let's see how we can learn it.

So this is an example of a smart contract. Here in purple we have the functions, the name of the contract, and here it is saying that it defines a function, a parameter, and consults that parameter. This other one only allows you to set the string if the one who sets it is the creator of the contract. This one here has a vulnerability, which is that you can steal the ownership of the contract. It's a bit of code; we'll see later how to understand it.

I found this page, CryptoZombies. It allows you to create a smart contract from scratch, by playing. You create your zombie, you define its functions, that it attacks other zombies, that it attacks people. And as you do each part of the game, you are actually learning Solidity. So, the "Hello world" in Solidity. Then here I started telling it what a zombie is, the name of the zombie, some eye color characteristics. And finally one is creating the contract.sol in Solidity. So, if anyone wants to learn Solidity, I think this is a very good one, and I had fun learning Solidity, which can be useful in the future in the case of pentesting, threat hunting, or others.

Additionally: wargames, CTFs. At the beginning I thought there were one or two, but I realized that there are a lot of CTFs. The first is this one, Capture the Ether; I thought it was cool. 20 challenges, and each one operates on the Ethereum network. It is also a way to learn once you master Solidity, for example. OpenZeppelin seemed very good to me. Let's say that for updates on the Ethereum network and to avoid abuses on the Ethereum test network, you have to guarantee that you have at least $15 in your Ethereum wallet to be able to transfer test tokens. So, let's say it wasn't that cool. But I started to see more challenge platforms. One of them, Damn Vulnerable DeFi, has 15 challenges. I think they mentioned it yesterday. As prerequisites to learn this: Git, a little bit of Python, Java; anyway, there are already many write-ups of each of the machines. OnlyPwner: this one has 15 challenges and all you need is MetaMask, a browser extension which is your wallet, so you can authenticate there. This, well, the same; this is the example. Actually they make you read the code, so if you already played with Solidity and you understand it, you will be able to read the code later, see the failures and solve the 15 challenges. This other one, Mr Steal Yo Crypto, 20 challenges; I also found it very interesting. It's just reading the code. This one seemed a little more thematic. It's reading the code; you don't even have to authenticate with MetaMask. This one seemed very retro, "Decentralize DeFi". It has only four challenges, but they are very interesting. Each one, when we translate it into the real world, is like criminals getting to a contract, to a cryptocurrency, and stealing the money. This one, "Web Transponder", seemed very interesting to me, very thematic; each one has different levels. It's reading the contract, executing it, and that's how you're going to solve it. This one seemed interesting to me because it's already a bit about incidents, so there have been incidents of thousands of millions of stolen dollars. It shows you and maps what kind of contract that entity had, and you can read it and understand why that happened.

There is another issue, and it is auditing. We do not necessarily have to go in to read contracts; on sites like this, de.fi, you can place the address of a wallet or the address of a contract, and there it will audit it for you. So you will be able to know what kind of failures it can have, or what I told you right now, that an owner is hidden or that he could transfer or steal the contract. This will give it to you a little faster. CoinTool also allows you to run contract audits: you paste the address of the contract, additionally select the network, and you can see what kind of failures it can have according to the audit it executes.

In Web3, let's say this is like evolution. Web 1: we only had everything centralized. Web 2: we already had cloud services, instant messaging. But in Web3, everything is without intermediaries and decentralized. One of the examples is that in Web 2 we have to use a username and password, but in Web3 you already authenticate with a wallet.

This is important because cybercriminals understand this: it gives them anonymity, and it is difficult to understand who the criminal is behind a fraud that uses cryptocurrencies. It is easy to use; you just need a wallet. You cannot make reversals if you want to repent, with cybercriminals. And there is limited regulation in different countries with cryptocurrencies. The most common example is through ransomware: after encrypting your data, they always give you a ransom address. Here is a graph of which ransomware groups use cryptocurrencies more. In this case, BlackCat. Chainalysis allows us to have reports, and I think it is one of the companies with the most experience and cybercrime reports in cryptocurrencies.

We have another threat, the coinminers: they infect your PC and use the machine resources of your PC to start mining some cryptocurrency. One of those examples was Monero, which was very used. Cryptojacking: they compromise a website and on the website they store a code so that every time you visit it, it mines coins. One of the examples was Coinhive. This is an example of the code of a site with the Coinhive script, which finally begins to mine cryptocurrencies when you visit the site. Airdrop scams: basically they invite you, sometimes in a transaction where you do not get the money, to visit another site to steal your credentials. Official accounts that manage Web3 are also suffering from impersonations, fake emails. I had an account, for example, on OpenSea, which is about NFT trading. And what they do there is tell you that there is a new offer, and they send you to a fake site to buy the NFT or see the offer. When you authenticate with MetaMask, they steal your credentials. Scams: phishing sites similar to the original. This happened to me on April 18th, when I was preparing the talk: a girl, Sam, posted on her Twitter that she was a victim of phishing and that she lost $5,000. In the end, she was tired, she didn't look at the website, she accessed it and lost the money she had in her wallet.

But here comes an interesting part. Platforms like Etherscan, when we perform analysis of transactions or a wallet, even allow you to classify what you are consulting. In this case, if she had gone there to see the address, she would have seen that it is an address that other people have already classified as phishing. You can also see the address; although we do not know the person behind the impersonation, we see that someone created the address, who is behind it, in this case the creator of that scam. Here we can also see that it has been operating from September 6 to April 20, when I took the screenshot, stealing money. All these are the figures of the people who have fallen for their scam. It also allows us to see the amount of money the wallet has. But additionally, the scam contract. So, as you can see, it's also written in Solidity. Here is what it says; all this is on Etherscan. Well, see the transaction. In the transaction it allows us to look for the contract and start analyzing it. Here is a fragment of the contract. It has three functions that are interesting: add new owners to the list, which can be victims; remove an existing owner, which can also be done to hide; and withdraw the contract's balance and send it to specific addresses. That is, people fall and the attacker can take the money to other addresses. All this on sites like de.fi, which allows us to put the contract there. In fact, it gives us a score. It's as if we uploaded a ransomware sample to VirusTotal. It will tell us the type of risk of that contract and some functions that are suspicious to it.

So here comes an interesting part of threat hunting, which is that we can see the number of victims. So only with this person's phishing on Twitter, analyzing that, we can see that there have been 8,859 transactions, which is a summary of the number of victims. When you start to look, you can see that there are people who fall every 4, 2, 3 hours, up to 16 minutes before, so it's a way to see how active this person has been there for a year, stealing money. Finally, when we look at everything and summarize it, then we have what we know about this attacker: the site where the phishing is, at apcoins.claims; the name of the contract; the creator of the contract; the number of victims; when you add it up, it gives you 112,000 dollars that have been stolen; and the addresses where the money arrives, which are these two. Later one can start looking at where that money is sent, which we will see later.

Another scam, from the famous. In 2020 several famous people had their Twitter accounts hacked, and they posted messages similar to this. If you look for them, you will also find different scams. You send money and the president, in this case Biden, returns you double. In reality it is an attacker, but they hacked the real account.

Here comes a part of threat hunting in Web3. And before doing all that, we understand how Solidity is, the contracts; we have the capacity for that. But also understanding how the crypto scammers think, or the bad guys, is fundamental, I think. For that, there are several sites. Here, this is an example. So you need three basic steps. Access a site like Cointool.app, which is free; it also allows you to perform audits but can also be used for bad things. Define a name; it can be a name, ibot.2024coin, I don't know, and configure the contract. So, this site allows you to define the blockchain, the name of your cryptocurrency, the amount of cryptos that it will have from the beginning, and the type of token on which blockchain; as you can see there are several, even the most famous; and then the bad guy decides the name. We already created our cryptocurrency; now we have to make people believe that it is a real network and that there are many people there. So we have to make 100, 1,000, 10,000 wallets be connected there with our cryptocurrency. Sites like these also allow you to define 100, 1,000 addresses. You paste them there, you define the network, and automatically, in a matter of seconds, it will create the address, the private key of your wallet and which network it is on. All this, if you create, for example, 10,000 wallets, you can even export them to Excel, and it's very fast. That's what the bad guys are doing right now. Those sites also allow the purchase of followers for your Twitter account. I don't know if you've seen them appear in Twitter ads inviting you to invest in a new cryptocurrency. They do all that because they verify the account, but they also buy a lot of followers. I made the conversion on the day of the presentation: more or less 1,000 followers is 380 thousand Colombian pesos. You create your website; almost everyone will identify them because they are like that; they go to the cloud, the number of followers that are already there, but they are wallets created this way. So, they can create the token, they use GPT to create an attractive name that draws attention, they create many wallets to follow the coin, and they promote it on social networks by buying followers and buying advertising. It's how they operate right now, and it's a way of seeing it.

Additionally, there is something called a Bitcoin mixer. These services can be used for privacy, but the bad guys also use them to avoid being tracked. So their money comes to some wallets, those wallets are redirected to others, and that makes the process of seeing and following transactions more difficult.

When I was already in the process of doing OSINT on all this, OSINTframework.com has like three sections on doing OSINT in blockchain: Bitcoin, Ethereum and Monero, but it has very few sites. Let's say I found myself limited there; I thought there was no more. However, I thought about making my own ways of looking for OSINT, or seeing if someone had already done others. So the first thing is that there are already dorks for your OSINT in Web3. So one that allows you to see unindexed wallets on Google; with this dork, find them. The other, information about an address too. And these last two are from Shodan. It is to be able to view Bitcoin or Ethereum mining devices that are indexed on the Internet. So there may be dorks also for Web3. grep.app, if we look, this site allows us to search in different code repositories for a word.

So, looking for Solidity we can see several results, even CryptoZombies, Ethereum, code. OSINT Dojo is an OSINT community; it has flows and challenges for different aspects where you are going to perform intelligence. They also have one on how to do OSINT on a digital wallet: look at it in different networks, payments, contracts, which is what I have been explaining right now, scam reports, whether they are on NFT sites, among others. So it is also important to have it if you are in a process of doing OSINT on a wallet. De.fi also allows you to know if a wallet is on other networks. When you are researching a username, you look for it on Facebook, Instagram, Twitter. In this case, it is also to look for it on different networks, and the wallet will tell you which networks it operates on. It may be that in one network we do not have information, but in the other, the attacker or the bad guy moves more. Intel.io allows you to search for wallet names. You can see wallets that are exposed, that are even in leaks, infostealer logs also, for example. Cryptscam, I find it very interesting: it allows you to report and consult reports of feeds, of emails that are associated with scam addresses. So, at this point, you can already start associating emails with wallets. It can tell you what is associated, what type of scam, the email, and additionally the address of the wallet and the country. In this case I took an example by chance, the first in Russia, a wallet. You can combine it with normal OSINT processes, Google dorks. That allows us to see who this person is, see if there is an indexed email, which in fact there was, and finally start associating it with a phone number and identity. Chainabuse also allows me to see different reports, phishing, scams. It also shows us the number of scams per network. If you notice, they already talk about thousands in each network, Bitcoin and Ethereum being the main ones. Additionally, it also gives us the domains where these scams can be. Orbit allows us to consult the last 50 or 100 transactions of a wallet and start creating relationship graphs between those transactions, very similar to how we sometimes do with Maltego. Bitcoin Who's Who, I like it a lot; it allows you to search by terms: wallets, hashes, transactions. So a search, for example, in Bitcoin Who's Who for Colombia allows us to see relations of wallet tags associated with Colombia. So that's a way to start profiling names, sectors, people with wallets. Breadcrumbs, which is like bread crumbs, allows us to search for wallet addresses, transactions or hash names. This is very interesting because in the end it gives us a relationship of whether it is already a scam, what kind of scam it is, the amount of money that wallet can have, and it starts giving us the history of where the money has been transferred. This is an example of a scam; it allows us to see that a wallet could have gone through a Bitcoin mixer to hide, but in the end it can give us the real wallet of the bad guy. Anubitux, a virtual machine. We can also start to see virtual machines focused on the handling of wallets, to recover wallets that may be compromised. So it is also an invitation to explore this type of machine. Web3 is Going Great: it's a bit sarcastic. Here you will see news of all the latest Web3 scams. This is an example I took on April 24th: an influencer in a crypto fraud. So you can also start getting into these scams out there. Cool projects that I've seen: Scam Sniffer, Wallet Guard, Chainalysis, which I shared right now, allow you to be more immersed in what threats there may be, people, incidents, among others.

Here I saw an interesting topic, and it is that we have also seen leaks; leaks can be used to profile people behind fraud. This is a list of all the leaks that have occurred in exchanges, cryptocurrencies, projects on Web3. If you notice, some leaks from these sites can contain credentials, emails, among others. Translated, this means that the bad guys are also registered on these sites. If tomorrow there is a scam on one of these sites, we don't know the bad guy, but the bad guy is registered there and we have the address. And we can associate the address with an email through the leak. It will finally allow us to profile the person. So, one way to see it is to monitor leaks and breaches, download them if possible, analyze them. And if you suddenly have a bad person of interest, start analyzing it there. Chainalysis also has cryptocurrency and transaction tracking services. Some services are paid. Chainalysis: this is an example of the scams and services they have there. Arkham Intelligence, in this example, is Vitalik's public wallet, all the money he has, but it also allows us to look for the wallet of a bad person; it gives us this type of record: money, since when it operates, how much there is, transactions, among others. So it's very interesting for intelligence processes. CipherTrace also has all the financial crime and research. IPTIB also has, as you can see, the subject of cryptocurrency tracking, analysis, crime. There are also paid services associated with these.

Here's something interesting. In the B-Hacker Discord, which I invite you to join, there's a real scam; there's an invitation that tells you: this email arrived, and in this email, "I know everything about you, I work for this cybercrime group, I invite you to pay me $1,000 at this address, and if you pay me, I'm not going to hack you, or publish you, or dox you." The challenge, if you decide to accept it, is, with everything I've taught you so far, to get the attacker's address, the number of victims, how much money he has, the date of the first victim, and the name of the crypto exchange. This challenge allows you to get to the crypto exchange that the attacker uses and the money he has transferred. The average time for this basic threat hunting exercise against the attacker is about 40 minutes.

My final messages from all this: Web 3.0, when you talk about all this, you can feel fear, since it is unknown, and people do not have a way to learn new things. In my case, the methodology was to read, look for a game that allows me to learn how to read the code, followed by looking for CTFs, followed by looking for tools. All new technologies can have failures, so it's like the thinking we see develop. Cybercrime is always evolving; that's why we, the good guys, should continue to evolve too. And finally, we also need more good people than bad people fighting this type of scam, because as we saw, it is a crime that generates a lot of money. So we need more professionals in Web3, in cybersecurity. It was something very fast. Thank you very much. Questions?

Here, I'm going. Hello. Yes, this one. Thank you. I want to ask you how vulnerable a Bitcoin mixer is, versus a crypto centered on anonymity like Monero, against taint analysis.

Let's say that Monero was used a lot for what was Coinhive. The crypto mixers offer privacy and that, but services like Breadcrumbs or these that you... with more capacity for deep analysis, artificial intelligence to follow thousands of transactions, can give a little more traceability and even get to see who the final wallet can be, with more collaboration between the exchanges. But I would not know how to say offhand what failures those mixers could have, which could be those... I do not know if these tools are in the class even against...

What's up, brother? Congratulations on the talk. What do you think? I think there's a feeling that the Web3 issue has cooled down a little bit, because there was a very big media boom with Bitcoin, then with NFTs, and now it's like the thing is smooth, which gives the impression that it's a niche issue and not something general or potentially for the whole audience.

I think it's relative. I was very active in crypto in 2020, 2021, in the pandemic, and it was the rise of NFTs. In fact, one can lose a lot of money there. I think right now it's more crypto scams on Twitter. I see that trend more than NFTs. And it's like Bitcoin went up again, so all the scams come back. It's very relative to the price. I've seen it like that.

No, brother. What I can conclude is that I know who to call in case I need to investigate this topic. Thank you very much.
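The victim counting the speaker does by hand on Etherscan (transaction count as a proxy for victims, the September-to-April activity window, the gaps of hours down to 16 minutes between victims, and the two addresses the money is forwarded to) can be scripted once the contract's transfer history is exported. The following Python is an added example and is not code from the talk: the transfer records, the addresses `0xscamcontract`, `0xvictim01`… and `0xcashout01`…, the amounts, and the `COMMUNITY_LABELS` table are all constructed placeholders loosely modelled on a block-explorer CSV export, and `parse_export` and `triage` are hypothetical helper names.

```python
"""Triage of a suspected scam contract's transaction history.

Added example, not code from the talk. It reproduces in code the manual
explorer reading the speaker describes: transaction count as a proxy for
victims, the activity window, the shortest gap between incoming transfers,
and the addresses the stolen funds are forwarded to (the next hop to follow
and the ones to report to the exchange). All records below are constructed.
"""
import csv
import io
from datetime import datetime, timezone

# Hypothetical phishing contract (constructed placeholder, not a real address).
SCAM_CONTRACT = "0xscamcontract"

# Constructed export: one transfer per row, timestamps in UTC.
SAMPLE_EXPORT = """\
timestamp,from,to,value_eth
2023-09-06T10:00:00Z,0xvictim01,0xscamcontract,0.40
2023-09-06T12:30:00Z,0xvictim02,0xscamcontract,1.20
2023-09-06T12:46:00Z,0xvictim03,0xscamcontract,0.05
2023-09-07T09:00:00Z,0xscamcontract,0xcashout01,1.60
2023-11-15T18:10:00Z,0xvictim01,0xscamcontract,0.10
2024-04-20T08:05:00Z,0xvictim04,0xscamcontract,2.00
2024-04-20T08:21:00Z,0xvictim05,0xscamcontract,0.30
2024-04-20T09:00:00Z,0xscamcontract,0xcashout02,2.00
2024-04-20T09:01:00Z,0xscamcontract,0xcashout01,0.40
"""

# Community labels the way an explorer or Chainabuse would expose them
# (constructed; a real check would query the explorer's label data).
COMMUNITY_LABELS = {"0xscamcontract": "phishing"}


def parse_export(text):
    """Parse the CSV export into (datetime, from, to, value_eth) tuples."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        rows.append((ts, r["from"].lower(), r["to"].lower(), float(r["value_eth"])))
    return rows


def triage(transfers, contract):
    """Summarise a contract's activity the way an analyst reads its explorer page."""
    contract = contract.lower()
    incoming = sorted((t for t in transfers if t[2] == contract), key=lambda t: t[0])
    outgoing = [t for t in transfers if t[1] == contract]

    # Minutes between consecutive incoming transfers: short gaps mean the
    # phishing page is actively catching victims right now.
    gaps = [(b[0] - a[0]).total_seconds() / 60 for a, b in zip(incoming, incoming[1:])]

    # Where the balance goes once the contract owner withdraws it.
    destinations = {}
    for _, _, to, value in outgoing:
        destinations[to] = round(destinations.get(to, 0.0) + value, 4)

    return {
        "label": COMMUNITY_LABELS.get(contract, "unlabelled"),
        "incoming_tx": len(incoming),
        "unique_victims": len({sender for _, sender, _, _ in incoming}),
        "total_in_eth": round(sum(v for _, _, _, v in incoming), 4),
        "first_seen": incoming[0][0].date().isoformat() if incoming else None,
        "last_seen": incoming[-1][0].date().isoformat() if incoming else None,
        "min_gap_minutes": min(gaps) if gaps else None,
        # Largest recipient first; ties broken by address for stable output.
        "destinations": sorted(destinations.items(), key=lambda kv: (-kv[1], kv[0])),
    }


if __name__ == "__main__":
    for key, value in triage(parse_export(SAMPLE_EXPORT), SCAM_CONTRACT).items():
        print(f"{key:>16}: {value}")
```

Counting unique senders rather than raw transactions matters because repeat victims (here `0xvictim01`) inflate the transaction total; the raw count is still useful as the speaker uses it, as an upper bound. The `destinations` list is what you carry into the next step of the investigation, looking up each cash-out address on Breadcrumbs or a similar tracer to see whether it passes through a mixer before reaching an exchange.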
