Fantasy

645 posts

Fantasy
@0xFantasy

Intel @DoppelHQ, Investigations @Fairside, Contributor @BoringSecDAO

news: t.me/fable_n Joined October 2021
1.4K Following 1.6K Followers

Fantasy@0xFantasy·
@buda_kyiv @sumsub @SmartEnginesLLC I'm amazed this finally came out. I identified this breach all the way back in November 2024 when we thought it was Blofin directly instead of their KYC provider, Sumsub x.com/0xFantasy/stat…
Fantasy@0xFantasy

There is potentially a significant, undisclosed data breach affecting @BloFin_Official customers Specifically: ⁃ customer KYC data (name, address, SSN, email, phone number, scans of passports/DL/etc) ⁃ support, account recovery, and liveliness videos

Dyma Budorin 🇺🇦@buda_kyiv·
.@sumsub runs your KYC passport scan through AI built by @SmartEnginesLLC — a company that simultaneously works for the FSB at Russian airports and builds military drones recognition systems. Biggest privacy scandal in crypto? Links and sources in thread tomorrow. Everything is publicly verifiable
Rekt News@RektHQ

KYC giant @sumsub verifies millions of users for 4,000+ clients, but nobody verified Sumsub. Opaque ownership, unnamed investors, 18 months of undetected breach. The gatekeeper never verified itself. rekt.news/who-vets-vette…

Fantasy@0xFantasy·
@pcaversaccio this is interesting. how is it possible there are three entirely different dates present in the github ui and the raw git patch? July 8 1983 July 8 2019 Sept 17 2001
sudo rm -rf --no-preserve-root /@pcaversaccio·
Linus created Git in 2005. i've been waiting for him to catch up since 1983.
sudo rm -rf --no-preserve-root /@pcaversaccio

recently we've started to observe that the DPRK threat actor PolinRider (related to the Contagious Interview guys) is poisoning hundreds of old GitHub repos with "old-looking" but malicious commits that were actually pushed _recently_. i think what is happening overall is the following:

1. devs get compromised via some automatic VS Code task (see e.g. x.com/pcaversaccio/s…), fake npm package (axios is used as an illustrative example: github.com/axios/axios/is…), or similar infostealer vector (this is the current assumption, i do not yet have hard evidence on the exact initial access method)
2. the attacker then sets the author and committer dates to match the date of the last legitimate commit in the repository
3. the infostealer malware takes the last commit, amends it with malicious changes, and (force) pushes it back to the repository (likely also using `--no-verify`), making the modification appear as if it belongs to the original timeline
4. the repos are afterwards shilled to other devs or used as part of future fake interview tasks

it's not new news that you can spoof the author and committer date, but i made a short demo repo for anyone to understand how this works: github.com/pcaversaccio/t…

a s/o to @KL4R10N for sharing intel & running forensics on it with me
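A defender-side check for the backdating described in steps 2 and 3 above, added here as an example and not part of the thread or of pcaversaccio's demo repo: it compares two `git log` snapshots of the same branch and flags new commits that reuse the exact timestamps of commits that vanished (the amend-and-force-push pattern), plus any commit dated earlier than its parent. The snapshots and hashes are constructed.

```python
"""Detect backdated commits that replaced history after a force-push.

Added example, not code from the thread. Both snapshots are constructed and
use the line format of `git log --format='%H|%P|%at|%ct'`
(hash, parent hashes, author epoch, committer epoch).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Commit:
    sha: str
    parents: tuple
    author_ts: int
    committer_ts: int


def parse_log(text):
    """Parse `git log --format='%H|%P|%at|%ct'` output into {sha: Commit}."""
    commits = {}
    for line in text.strip().splitlines():
        sha, parents, a_ts, c_ts = line.split("|")
        commits[sha] = Commit(sha, tuple(parents.split()), int(a_ts), int(c_ts))
    return commits


def find_backdated_rewrites(old_log, new_log):
    """Shas in new_log that replaced a vanished commit while reusing its dates.

    A plain force-push drops old shas; a backdated one also copies the vanished
    commit's author/committer timestamps so the forge UI still shows the old date.
    """
    old, new = parse_log(old_log), parse_log(new_log)
    stamps = {(c.author_ts, c.committer_ts) for s, c in old.items() if s not in new}
    return sorted(s for s, c in new.items()
                  if s not in old and (c.author_ts, c.committer_ts) in stamps)


def find_non_monotonic(log):
    """Commits whose committer date is older than a parent's committer date."""
    commits = parse_log(log)
    return sorted(c.sha for c in commits.values() for p in c.parents
                  if p in commits and c.committer_ts < commits[p].committer_ts)


# Constructed: the branch before the push, then after the tip was amended and
# force-pushed with the original 2019-07-08 timestamps preserved (fake hashes).
OLD_LOG = "c0ffee01|b0ffee00|1562544000|1562544000\nb0ffee00||1562457600|1562457600\n"
NEW_LOG = "deadbeef|b0ffee00|1562544000|1562544000\nb0ffee00||1562457600|1562457600\n"

if __name__ == "__main__":
    print("backdated rewrites:", find_backdated_rewrites(OLD_LOG, NEW_LOG))
```

The snapshot comparison needs a previously recorded log (a mirror, a CI cache, or a forge push-event record); the monotonicity check alone will not catch an amend that copies the old dates exactly.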
Fantasy reposted
ZachXBT@zachxbt·
1/ Welcome to the Circle $USDC files. $420M+ in alleged compliance failures since 2022, including fifteen cases of the US-regulated stablecoin issuer taking minimal action against illicit funds.
Fantasy reposted
r0bre | Accretion.xyz
Drift has been hacked. Lots of confusing information going around. I've taken a look at what's actually happening. The core attack sequence is just 3 transactions:

1. Create a new Drift User Account: solscan.io/tx/4xzb1AXSw45…
2. Deposit 500 Million "CVT" into Drift as collateral: solscan.io/tx/5V72ZK1WejP…
3. Withdraw Millions of real assets against the provided collateral: solscan.io/tx/2jCAE2SakEH… (and later transactions)

Now, as it turns out, this CVT token was just created a few weeks ago. The core question: How did it become accepted collateral within Drift?
Fantasy reposted
Cantina 🪐@cantinasecurity·
Cantina found a silent privilege escalation bug in @AnthropicAI Claude Code. No user interaction. No warning. Just clone a repo, and it's already too late. CVE-2026-33068 | CVSS 8.8 HIGH | Patched in 2.1.53 Breakdown below:
Fantasy@0xFantasy·
Does @ProtonMail have an unpatchable email spam filter bypass by using an account's public PGP key? Every account has a public PGP key that can be used to encrypt emails. This prevents the service provider from reading the content, straightforward. But, this also means that spammers can use the same encryption to bypass content-based spam filters. I've never considered weaponizing PGP like this before. Am I missing something?

- proton[.]me/support/download-public-private-key#how-to-download-your-public-key
- proton[.]me/mail/privacy-policy#:~:text=We%20do%20NOT,Services%20and%20users
Squiblydoo@SquiblydooBlog·
Does anyone know VirusTotal user "bsforvt727" (pronounced "bs for vt 727")? I feel like we could be friends, if we aren't already. They consistently leave comments and downvote stuff that I then see a day or two later. www[.]virustotal[.]com/gui/user/bsforvt727
Fantasy@0xFantasy·
@banteg the day I'm forced to upgrade from windows 10 I'm moving to something like Kubuntu or CachyOS
banteg@banteg·
installed windows to do debugging work without jumping between machines, and it nearly broke me. the installer makes you instantly distrust it by obfuscating what it does with flowery meaningless wording written by a top-ranking hr lady. the dev tools are impossible to figure out. there are ads everywhere and questionable features you can't turn off. the system asked me to create an account over 10 times using every dark pattern known to humanity. installing wsl is a quest of its own. i haven't touched windows for over a decade and it's really impossible to imagine people choose this monstrosity for their work every day. never seen an os more hostile to a dev.
Fantasy reposted
Specter@SpecterAnalyst·
This involves $300M in stolen funds from a Trezor wallet victim, compromised through social engineering attacks. $100M in BTC $200M in LTC H/T to @zeroshadow_io, @tanuki, and @Bitcoin_Vietnam. They were able to trace, flag, and attribute the attack, so far $1M.
Lookonchain@lookonchain

Whale 0xF73a swapped another 404 $BTC($38.62M) for 11,533 $ETH. Over the past 3 days, he has exchanged a total of 686 $BTC($65.59M) for 19,631 $ETH. x.com/lookonchain/st…

PerpetualCow.hl@PerpetualCow·
$327,000 ETH -> XMR swap was just completed on Wagyu. Quoted amount: 453 Actually received: 455 He actually earned 2 XMR on the swap since the price of $XMR decreased by the time his TWAP was finished. The entire order took 15 minutes to complete. Wagyu is more liquid, and cheaper than any CEX when acquiring XMR.
vx-underground@vxunderground·
There are people out there who unironically like deobfuscating stuff like this (see attached link). Imagine that level of schizophrenia. Imagine waking up and enjoying pain and suffering. raw.githubusercontent.com/Linux123123/fi…
vx-underground@vxunderground·
When I shared that obfuscated Javascript payload that was targeting Grand Theft Auto V FiveM stuff, I had like 6 nerds pop out the bushes telling me how much they enjoy working with obfuscated payloads (Javascript, Lua, Powershell, etc). WHO ARE YOU PEOPLE? WHO HURT YOU?
Fantasy@0xFantasy·
it doesn't go on forever, it's relatively simple to deobf once you get past the chinese. seems to be a c2 agent that (allegedly) communicates using MQTT. ignoring the dead code paths, the green highlight slowly steps thru different steps of the script (imports, client def, etc). you can def AST parse this out, but I'm insane and deobfed by hand
Fantasy@0xFantasy·
@pcaversaccio just saying to use Vim is slightly misleading, Vim also supports automation like this. it does require more things to go right, but still the same end result. this goes for almost any modern editor, eg my research on unity packages x.com/0xFantasy/stat…
Fantasy@0xFantasy

1/ I've been doing some research into how Unity Packages (similar to Node or Pip packages) could be weaponized for malware delivery Let me tell you, it doesn't exactly look good... 🧵

sudo rm -rf --no-preserve-root /@pcaversaccio·
i genuinely think everyone in this space should immediately switch to using Vim. DPRK started abusing VS Code hooks that run _automatically_ in the background when you open a folder. ZERO fucking user interaction required _after_ trusting the repo (the trusting part is important here). Yes, read it again. ZERO. INTERACTION. REQUIRED.

so what happens is the following: they (in the usual case the Contagious Interview group, meaning some fake recruiting guy) share GitHub, Bitbucket, and GitLab repos containing a `.vscode/` subdirectory with malicious hooks. the one example I share here executes a fake font that's actually heavily-obfuscated JS and will absolutely rek you.

all your fancy software that feels "convenient" makes tradeoffs. those tradeoffs are now being abused to silently rek your devices. use Vim. and use Qubes. Thx.
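A pre-trust scanner for the folder-open hook the post describes, added here as an example and not the author's code: it reads a repo's `.vscode/tasks.json`, tolerates the full-line `//` comments and trailing commas VS Code accepts in that file, and lists every task whose documented `runOptions.runOn` field is set to `folderOpen` together with the command line it would launch. The sample tasks.json is constructed.

```python
"""List VS Code tasks that fire automatically when a folder is opened.

Added example, not code from the thread. It reads the documented
.vscode/tasks.json schema field runOptions.runOn == "folderOpen" so a
reviewer can see what a cloned repo would run before trusting it.
"""
import json
import re


def _load_jsonc(text):
    """tasks.json may contain // comments and trailing commas; strip both.

    Only full-line comments are removed, so a '//' inside a command string
    on the same line as a key is left alone.
    """
    no_comments = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    no_trailing = re.sub(r",(\s*[}\]])", r"\1", no_comments)
    return json.loads(no_trailing)


def auto_run_tasks(tasks_json):
    """Return [(label, type, command line)] for tasks with runOn: folderOpen."""
    doc = _load_jsonc(tasks_json)
    found = []
    for task in doc.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on != "folderOpen":
            continue
        parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
        found.append((task.get("label", "<unlabeled>"), task.get("type", ""),
                      " ".join(parts).strip()))
    return found


# Constructed sample: one ordinary build task and one that runs on folder open.
SAMPLE_TASKS_JSON = """\
{
  // comment and trailing commas as VS Code tolerates them
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {
      "label": "setup",
      "type": "shell",
      "command": "node",
      "args": [".vscode/setup.js"],
      "runOptions": {"runOn": "folderOpen"},
    },
  ]
}
"""

if __name__ == "__main__":
    for label, kind, cmd in auto_run_tasks(SAMPLE_TASKS_JSON):
        print(f"auto-run task {label!r} ({kind}): {cmd}")
```

Run it over `.vscode/tasks.json` of a freshly cloned repo before opening the folder in VS Code; any task it lists is one the editor would start without a click once the workspace is trusted.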
Fantasy reposted
Solidity@solidity_lang·
Solidity v0.8.31 is out! ✨ This latest version makes Osaka the default target for the compiler, extends storage layout specifiers, brings new deprecation warnings, Linux ARM builds, and more! Highlights in the thread! ↓🧵
Fantasy reposted
ilemi@andrewhong5297·
Navigating relationships between contracts has always been way too hard and slow (dozens of tabs and chats). Not anymore, with the Herd contract visualizer - take any contract/transaction page and click "visualize" to see all the function and variable relationships.
Fantasy@0xFantasy·
I never really thought about it, but 3DNS isn’t its own registrar, it *partners* with Namesilo for registrations. All the multisig and tokenization is just fancy account controls for what is a normal domain reseller. All the “security controls” can be bypassed since Namesilo actually controls everything under the hood. Can high value projects use actual corporate domain registrars (Markmonitor, CSC) instead of whatever this is?
Aerodrome@AerodromeFi

According to our partners at 3DNS and NameSilo, who are still actively investigating, multisig control was circumvented. DNSSEC was removed from both domains and a compromised insider at NameSilo was able to redirect the domains to malicious pages.
