A 5 step attack process that crypto projects should defend against

TheNewAutonomy
5 min read · Feb 12, 2025


On the 10th February 2025, a hacker began to move against three good crypto projects, draining funds and taking control of contracts in an act of greed and destruction over a 24-hour period.

This short post opens with a brief introduction to this recent attack, but its focus is how these attackers think, and how defenders need to think in order to mitigate their actions.

Note that I will not be discussing the details of these attacks or their victims; the purpose of this post is to set out a 5-step crypto attack process that maps onto the traditional 5-step attack process, so that projects can better prepare for and defend against these attacks.

The attack

The wallet address 0xcCfe064D2f51e83b99c666c33091ABDbE81344d8 has been in use for at least 3 months, over which it has been used for a number of thefts from private wallets across multiple EVM networks. I’ve identified a number of people who were victims of these thefts, with the nature of the thefts indicating a likely private key compromise. Exactly how these private keys were stolen is unclear and isn’t the focus of this post.

As early as the 17th September 2024, it was known that the Wrapped Xeta smart contract had a vulnerability stemming from an uninitialised contract that allowed the contract owner to be set. It seems this triggered a plan to migrate to a new token, which likely played a part in the timing of the hacker’s attack.

Starting on the 11th February, the attacker moved against this and two other crypto projects, taking control of contract addresses, which allowed tokens to be minted and transferred to the attacker’s wallet. The key takeaway is that all three projects were attacked in a very short space of time, in a coordinated fashion. These projects are victims with good technical teams, which should serve as a reminder that even technically strong teams are not immune to attack. I hope these projects have the support of their communities and get through this, and perhaps the attacker will have some decency and return the funds for the good of the projects and their communities.

Traditional attack process

People studying attack behaviour through courses such as CEH are taught that an attacker typically follows a 5-step process, which I set out below.

1. Reconnaissance (Information Gathering)

  • The first phase, where hackers gather as much information as possible about the target system.
  • Two types:
      • Passive Reconnaissance: Gathering information without directly interacting with the target (e.g., WHOIS lookup, Google dorking, social media research).
      • Active Reconnaissance: Directly interacting with the target system (e.g., port scanning, network sniffing).
  • Tools: Nmap, Shodan, Maltego, Google Dorking

2. Scanning

  • Identifying live hosts, open ports, services, and vulnerabilities.
  • Types of Scanning:
      • Network Scanning: Identifying active devices on the network.
      • Port Scanning: Finding open ports and services.
      • Vulnerability Scanning: Checking for known vulnerabilities in services and applications.
  • Tools: Nmap, Nessus, OpenVAS, Nikto

3. Gaining Access

  • The attacker exploits vulnerabilities found in the scanning phase to gain access.
  • Methods:
      • Exploiting software vulnerabilities (e.g., buffer overflows, SQL injection).
      • Using brute force or credential stuffing.
      • Social engineering attacks (e.g., phishing).
  • Tools: Metasploit, Hydra, SQLmap, Mimikatz

4. Maintaining Access (Persistence)

  • Once inside, the hacker ensures continued access by:
      • Installing backdoors.
      • Creating hidden user accounts.
      • Using rootkits or Trojans.
  • Ethical hackers analyze this phase to find ways to block persistence mechanisms.
  • Tools: Netcat, Meterpreter, Backdoor Factory

5. Covering Tracks (Clearing Evidence)

  • The attacker erases logs and any evidence of their activities to avoid detection.
  • Techniques:
      • Deleting system logs.
      • Modifying timestamps.
      • Using anti-forensics tools.
  • Tools: CCleaner, Timestomp, LogTamper

The reason these phases are set out is to help ethical hackers and defenders think through how an attack is carried out: the long build-up to an attack and the tail after it. An attack may happen in minutes, but it is built on many months of planning and preparation.

This highlights the importance of vigilance and the danger of the thought “we haven’t been hacked yet”, which doesn’t mean the attacker isn’t already in the system, dormant.

Crypto attack process

It’s interesting, when looking at attacks on crypto projects, just how closely the attack follows the traditional attack process. In fact, the 5-step process maps quite closely and should be considered for the same reason that traditional blue teams consider it.

1. Reconnaissance (Information Gathering)

  • Researching project details, whitepapers, GitHub repositories.
  • Identifying API endpoints, smart contracts, and backend infrastructure.
  • Finding leaked credentials or misconfigurations.
  • Tools: Google Dorking, Maltego, GitHub scraping, WHOIS lookup.

2. Scanning (Identifying Weak Points)

  • Scanning for exposed wallets, APIs, private keys, and smart contract vulnerabilities.
  • Checking DeFi platforms, liquidity pools, and exchange security.
  • Using tools like Etherscan, BSCScan, Slither (for smart contract analysis), and Nmap for network scans.

3. Gaining Access (Exploitation)

  • Smart Contract Exploits: Reentrancy attacks, integer overflows, flash loan exploits.
  • Private Key Theft: Phishing, social engineering, wallet drainer malware.
  • Exchange Attacks: API key leaks, exchange API hijacking.
  • Brute Forcing Wallets: Cracking weak private keys.
  • Tools: Metasploit, Slither, Hardhat (for testing), SQLmap, Burp Suite (for API attacks), Solidity fuzzers.

4. Maintaining Access (Persistence)

  • Backdooring Smart Contracts: Adding admin privileges, malicious upgrades.
  • Compromising Nodes or Validators: Manipulating consensus mechanisms (51% attack).
  • Creating Fake Tokens & Phishing Websites: Setting up scam tokens and fake wallets to drain funds.
  • Tools: Hidden contract functions, botnet deployment, persistent malware.

5. Covering Tracks (Clearing Evidence)

  • Tumbling/Mixing Funds: Using Tornado Cash or other mixers to obfuscate transactions.
  • Using Privacy Coins: Converting stolen funds into Monero (XMR) to prevent tracking.
  • Deleting Logs & Traces: Exploiting decentralized logs (or lack thereof).
  • Burning Assets: Destroying records of illicit funds.
  • Tools: Tornado Cash, Wasabi Wallet, Chain-hopping via DEXs.
  • Casinos: A traditional method used by groups such as Lazarus to convert stolen tokens into casino chips, which are then played and cashed out as untraceable money.

Vigilance is key

I was impressed to read how Coinbase has a system that allows them to burn all their virtual infrastructure on a regular cycle, meaning that if an attacker has a foothold, he’ll lose it if he doesn’t exploit his position quickly. It’s an extreme approach to security but does have its merit, particularly in a world of Docker images and VMs. If infrastructure can be cycled through a process of continuous replacement, it helps to ensure that long-term squatters are not hiding in plain sight.

But even without such extreme approaches, the entire attack surface of a project should be examined and tested to minimise the risk of exploitation.

Make good use of Web Application Firewalls (WAFs) in front of nodes and infrastructure to detect unusual activity and block it.

Consider Intrusion Detection Systems (IDS) or even Intrusion Prevention Systems (IPS), whether commercial or free open source monitoring tools.

If operating a network, consider packet monitoring, port scanning, the principle of least privilege, and tight access policies that ensure only those who need access to a system have it, and only when needed.

Use multisigs and hardware wallets, and think about who has access to those wallets.

For on-chain smart contracts, audits are important, as are bounty programs. At intervals, review ownership and privileges for contracts; this is particularly important when upgrading contracts.
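As an added example (not code from this post or from any of the projects it mentions), here is a small offline ownership-and-upgrade review for an EIP-1967 proxy-style contract. It flags the class of bug described above (an owner that was never initialised and can be claimed by anyone), a privileged address outside the approved list, and an implementation that changed since the last review. The EIP-1967 slot constants are the standard ones; the storage words and addresses are constructed for the demo.

```python
"""Periodic privilege review for an upgradeable (EIP-1967 proxy) contract.
Added example, not code from the post or any project it mentions. Inputs are the
raw 32-byte words that eth_getStorageAt / eth_call return; the sample at the
bottom is constructed so the check runs offline."""

# Well-known EIP-1967 slots (keccak256(label) - 1); read them with eth_getStorageAt.
IMPLEMENTATION_SLOT = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"
ADMIN_SLOT = "0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103"
ZERO_ADDRESS = "0x" + "0" * 40


def word_to_address(word_hex: str) -> str:
    """Low 20 bytes of a left-padded 32-byte storage word, lower-cased for comparison."""
    word = word_hex[2:].rjust(64, "0")
    return "0x" + word[-40:].lower()


def review_privileges(admin_word, owner_word, impl_word, approved, last_impl):
    """Return findings a reviewer must act on; an empty list means the review passed.

    approved:  addresses allowed to hold admin/owner roles (e.g. the project multisig).
    last_impl: implementation address recorded at the previous review.
    """
    approved = {a.lower() for a in approved}
    findings = []
    for role, word in (("proxy admin", admin_word), ("owner", owner_word)):
        addr = word_to_address(word)
        if addr == ZERO_ADDRESS:
            # The class of bug in the post: an uninitialised owner can be claimed by anyone.
            findings.append(f"{role} unset: contract looks uninitialised")
        elif addr not in approved:
            findings.append(f"{role} {addr} not on approved list")
    impl = word_to_address(impl_word)
    if impl != last_impl.lower():
        findings.append(f"implementation changed {last_impl.lower()} -> {impl}: upgrade needs sign-off")
    return findings


# Constructed sample: the multisig is admin, the owner was never initialised,
# and the implementation moved since the last review.
MULTISIG = "0x" + "a1" * 20
OLD_IMPL = "0x" + "b2" * 20
SAMPLE = dict(admin_word="0x" + "00" * 12 + "a1" * 20, owner_word="0x" + "00" * 32,
              impl_word="0x" + "00" * 12 + "c3" * 20, approved={MULTISIG}, last_impl=OLD_IMPL)

if __name__ == "__main__":
    for finding in review_privileges(**SAMPLE):
        print("FINDING:", finding)
```

In practice the three words would be fetched with eth_getStorageAt on the two EIP-1967 slots and an eth_call to owner(), and the review would run on a schedule and on every upgrade.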


Written by TheNewAutonomy

Founder and CTO of several tech startups and open source projects including Catalyst, Symmetric and Atlas City. 25 years software engineering, ethical Hacker.
