1. Home
  2. Social Engineering

Social Engineering

FBI Warns of Sophisticated North Korean Cyber Attacks Targeting Crypto, Defi, ETFs

FBI Warns of Sophisticated North Korean Cyber Attacks Targeting Crypto, Defi, ETFsThe FBI has issued a new warning about North Korea’s cyber campaigns targeting the cryptocurrency sector. The agency highlighted the use of sophisticated, hard-to-detect social engineering tactics to deploy malware and steal digital assets. North Korean hackers are reportedly focusing on decentralized finance (defi) platforms and cryptocurrency exchange-traded funds (ETFs). FBI Warns of North Korean […]

Morocco to Adopt a Legal Framework for Crypto Assets

AI-coded smart contracts may be flawed, could ‘fail miserably’ when attacked: CertiK

CertiK’s security chief thinks inexperienced programmers using AI tools such as ChatGPT to write smart contracts is a recipe for disaster.

Artificial intelligence tools such as OpenAI’s ChatGPT will create more problems, bugs and attack vectors if used to write smart contracts and build cryptocurrency projects, says an executive from blockchain security firm CertiK.

Kang Li, CertiK’s chief security officer, explained to Cointelegraph at Korean Blockchain Week on Sept. 5 that ChatGPT cannot pick up logical code bugs the same way that experienced developers can.

Li suggested ChatGPT may create more bugs than identify them, which could be catastrophic for first-time or amateur coders looking to build their own projects.

“ChatGPT will enable a bunch of people that have never had all this training to jump in, they can start right now and I start to worry about morphological design problems buried in there.”

“You write something and ChatGPT helps you build it but because of all these design flaws it may fail miserably when attackers start coming,” he added.

Instead, Li believes ChatGPT should be used as an engineer’s assistant because it’s better at explaining what a line of code actually means.

“I think ChatGPT is a great helpful tool for people doing code analysis and reverse engineering. It’s definitely a good assistant and it’ll improve our efficiency tremendously.”
The Korean Blockchain Week crowd gathering for a keynote. Source: Andrew Fenton/Cointelegraph

He stressed that it shouldn’t be relied on for writing code — especially by inexperienced programmers looking to build something monetizable.

Li said he will back his assertions for at least the next two to three years as he acknowledged the rapid developments in AI may vastly improve ChatGPT’s capabilities.

AI tech getting better at social engineering exploits

Meanwhile, Richard Ma, the co-founder and CEO of Web3 security firm Quantstamp, told Cointelegraph at KBW on Sept. 4 that AI tools are becoming more successful at social engineering attacks — many of which are identical to attempts by humans.

Ma said Quantstamp’s clients are reporting an alarming amount of ever more sophisticated social engineering attempts.

“[With] the recent ones, it looks like people have been using machine learning to write emails and messages. It's a lot more convincing than the social engineering attempts from a couple of years ago.”

While the ordinary internet user has been plagued with AI-generated spam emails for years, Ma believes we’re approaching a point where we won’t know if malicious messages are AI or human-generated.

Related: Twitter Hack: ‘Social Engineering Attack’ on Employee Admin Panels

“It's gonna get harder to distinguish between humans messaging you [or] pretty convincing AI messaging you and writing a personal message,” he said.

Crypto industry pundits are already being targeted, while others are being impersonated by AI bots. Ma believes it will only get worse.

“In crypto, there’s a lot of databases with all the contact information for the key people from each project. So the hackers have access to that [and] they have an AI that can basically try to message people in different ways.”

“It’s pretty hard to train your whole company to not respond to those things,” Ma added.

Ma said better anti-phishing software is coming to market that can help companies mitigate against potential attacks.

Magazine: AI Eye: Apple developing pocket AI, deep fake music deal, hypnotizing GPT-4

Morocco to Adopt a Legal Framework for Crypto Assets

Crypto payment gateway CoinsPaid suspects Lazarus Group in $37M hack

CoinsPaid said it is now working with Estonian law enforcement and several blockchain security firms are assisting to minimize the impact of the July 22 exploit.

Cryptocurrency payments platform CoinsPaid has pointed the finger at North Korean state-backed Lazarus Group as being behind the hacking of its internal systems, which allowed them to steal $37.3 million on July 22.

“We suspect Lazarus Group, one of the most powerful hacker organisations, is responsible,” CoinsPaid explained in a July 26 post.

While CoinsPaid didn’t explain how the money was stolen exactly, the incident forced the firm to halt operations for four days.

CoinsPaid confirmed that operations are back up and running in a new, limited environment.

The firm added that customer funds remain intact but considerable damage was done to the platform and the firm’s balance sheet.

Despite the huge exploit, CoinsPaid believes the cybercrime organization were chasing a much larger sum:

“We believe Lazarus expected the attack on CoinsPaid to be much more successful. In response to the attack, the company's dedicated team of experts has worked tirelessly to fortify our systems and minimize the impact, leaving Lazarus with a record-low reward.”

CoinsPaid filed a report with Estonian law enforcement three days after the hack to further investigate the exploit. In addition, several blockchain security firms such as Chainalysis, Match Systems and Crystal assisted in CoinsPaid’s preliminary investigation over the first few days.

The firm’s CEO, Max Krupyshev is confident that the Lazarus Group will be held accountable for their actions.

“We have no doubt the hackers won’t escape justice.”

Blockchain security firm SlowMist believes the CoinsPaid hack may be linked to two recent hacks in Atomic Wallet and Alphapo, which were exploited to the tune of $100 million and $60 million respectively.

Lazarus Group targeting crypto devs

Online coding platform GitHub believes — with “high confidence” — that Lazarus Group is conducting a social engineering scheme targeted at workers in the cryptocurrency and cybersecurity sectors.

According to a July 26 post by cybersecurity platform Socket.Dev, Lazarus Group’s objective is to lure in these professionals and compromise their GitHub accounts with malware-infected NPM packages to infiltrate their computers.

Related: Era Lend on zkSync exploited for $3.4M in reentrancy attack

The cybersecurity platform said the first point of contact is often on a social media platform like WhatsApp, where the rapport is built before the victims are led to clone malware-laden GitHub repositories.

Socket.Dev urged software developers to review repository invitations closely before collaborating and to be cautious when abruptly approached on social media to install npm packages.

Magazine: $3.4B of Bitcoin in a popcorn tin — The Silk Road hacker’s story

Morocco to Adopt a Legal Framework for Crypto Assets