Awesome On-Chain Investigations HandBook 2.0

By Officer's Blog, 2024/02/02 03:43

Blockchain technology has unlocked a new era of digital innovation, offering unprecedented opportunities and possibilities. However, the decentralized nature of blockchain platforms has also given rise to complex challenges, particularly in the realm of cybersecurity.

As the incidence of crypto hacks and security breaches continues to make headlines, the importance of conducting thorough investigations into these incidents cannot be overstated.

In this article, we will explore the strategies and methodologies for investigating crypto hacks, shedding light on why this process is crucial in safeguarding the integrity and trustworthiness of the blockchain ecosystem. Let’s get started!

How Can One Investigate Crypto Hacks and Security Incidents?

Investigating a crypto hack involves delving into a web of intricate transactions, digital footprints, and decentralized platforms. The process typically begins with the identification of anomalous activities or a reported security breach within a blockchain network. From there, investigators must meticulously trace the flow of compromised assets, analyze transactional data, and uncover potential points of vulnerability within the blockchain infrastructure.

To conduct a comprehensive investigation into a crypto hack, individuals and organizations can leverage a range of tools and techniques designed to navigate the complexities of blockchain analytics. These may include blockchain explorers, forensic transaction analysis, and digital surveillance methodologies aimed at elucidating the modus operandi of malicious actors and the trail of illicit transactions.
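The tracing step described above, as an added example that is not part of the original post: a breadth-first walk over a constructed transfer ledger that follows funds out of a compromised address hop by hop and stops when it reaches a labelled endpoint (an exchange deposit address or a mixer), which is the manual core of what the clustering and "endpoint" tools mentioned later in the article automate. Every address, transaction hash, label and amount here is a made-up placeholder; a real run would feed the same function with transfers pulled from an explorer or a Dune query.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    """One token transfer, the minimal shape an explorer or Dune export gives you."""
    tx_hash: str
    block: int
    sender: str
    receiver: str
    token: str
    amount: float


# Constructed sample ledger (placeholder addresses and hashes, not real on-chain data).
HACKER = "0xhacker"
SAMPLE_TRANSFERS = [
    Transfer("0xt1", 100, "0xvictim", HACKER, "USDC", 50_000),       # the drain itself
    Transfer("0xt2", 101, HACKER, "0xhop1", "USDC", 30_000),          # split into two hops
    Transfer("0xt3", 101, HACKER, "0xhop2", "USDC", 20_000),
    Transfer("0xt4", 105, "0xhop1", "0xcexdeposit", "USDC", 30_000),  # cashed out at a CEX
    Transfer("0xt5", 106, "0xhop2", "0xmixer", "USDC", 20_000),       # sent to a mixer
    Transfer("0xt6", 90, "0xunrelated", "0xhop1", "USDC", 1_000),     # pre-hack, unrelated
    Transfer("0xt7", 107, "0xmixer", "0xsomeone", "USDC", 5_000),     # can't be followed through a mixer
]

# Labels an investigator would normally get from a clustering/attribution tool (constructed).
KNOWN_LABELS = {"0xcexdeposit": "exchange deposit", "0xmixer": "mixer"}


def trace_outflows(transfers, origin, start_block, labels, max_hops=5,
                   stop_labels=("exchange deposit", "mixer")):
    """Breadth-first trace of funds leaving `origin` from `start_block` onwards.

    Returns (reached, endpoints):
      reached   -> {address: (hop_count, [tx hashes on the first path found])}
      endpoints -> {address: (label, hop_count, path)} for labelled stopping points,
                   i.e. the addresses whose operators you would contact to freeze funds.
    Only transfers mined at or after the block the funds arrived on an address are followed,
    so money that was on an intermediate address before the hack is not mistaken for loot.
    """
    by_sender = defaultdict(list)
    for t in transfers:
        by_sender[t.sender].append(t)
    for lst in by_sender.values():
        lst.sort(key=lambda t: t.block)

    reached = {origin: (0, [])}
    endpoints = {}
    queue = deque([(origin, start_block, 0, [])])
    while queue:
        addr, since, hop, path = queue.popleft()
        if hop >= max_hops:
            continue
        for t in by_sender[addr]:
            if t.block < since:
                continue  # funds cannot leave before they arrived
            nxt = t.receiver
            if nxt in reached:
                continue  # keep the first (shortest) path to each address
            new_path = path + [t.tx_hash]
            reached[nxt] = (hop + 1, new_path)
            label = labels.get(nxt)
            if label in stop_labels:
                endpoints[nxt] = (label, hop + 1, new_path)
                continue  # an exchange or mixer is where the on-chain trail ends
            queue.append((nxt, t.block, hop + 1, new_path))
    return reached, endpoints


if __name__ == "__main__":
    _, found = trace_outflows(SAMPLE_TRANSFERS, HACKER, 100, KNOWN_LABELS)
    for address, (label, hops, path) in found.items():
        print(f"{address}: {label} after {hops} hop(s) via {' -> '.join(path)}")
```

The stopping rule is the practical point: once loot lands on a centralized exchange deposit address you stop tracing and start writing to that exchange's compliance desk with the path as evidence, and once it enters a mixer the plain transfer graph no longer tells you anything, which is exactly where the de-mixing tools listed in the article come in.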

De-mixing TornadoCash (by flipsidecrypto and AMLBotHQ / PureFiProtocol):

  • x.com/amlbothq/status/1740689165652472158

Also (including RAILGUN_Project de-mixers), check out the awesome tools by 0xKoda:

  • x.com/0xkoda/status/1740348122596036689

  • x.com/0xkoda/status/1740158988048867724

  • t.me/+lP4Tn49176FmMzBk

  • t.me/chainchasers

  • t.me/railgunwatch

  • tutela.xyz

In summary, investigating crypto hacks is an indispensable component of preserving the legitimacy and resilience of the blockchain ecosystem. By unraveling the intricacies of security breaches, deploying advanced investigative methodologies, and embracing a culture of transparency and accountability, the blockchain community can navigate the evolving landscape of cybersecurity with confidence and precision.

How I Investigate Crypto Hacks and Security Incidents: A-Z

Usually in a blockchain investigation I first use tools for manual analysis, such as tenderly.co, ethtective.com, breadcrumbs.app, 9000.hal.xyz, dune.xyz, nansen.ai, bloxy.info, github.com/naddison36/tx2uml and github.com/ApeWorX/evm-trace.

  • breadcrumbs.app

  • t.me/cryptoaml_bot

  • lite.crystalblockchain.com

  • misttrack.io

  • ethtective.com

  • bloxy.info

Use all of the tools from my list on this website! Almost all of the tools presented run a separate knowledge base and YouTube channel and have a base of reports, so be sure to check them out! I have also seen a rather unusual method, the use of VR, which can empower the first step: ethresear.ch/t/open-source-3d-and-vr-blockchain-visualizations/3297/2

Honeypot the hacker via: twitter.com/lordnarfz0g/status/1554649309580300288 | CDN NFT honeypot (Canarytokens and IPLogger), or other honeypots. | Read: medium.com/@alxlpsc/critical-privacy-vulnerability-getting-exposed-by-metamask-693c63c2ce94

Second, I try to build clusters and check them through Chainalysis or amlbot.com (use the investigation mode only). See more similar tools there. Use all of the tools from my list on this website!

As a third step, I check contracts/addresses through the impersonator, the unrekt.net or revoke.cash checker, and other tools. As an example, the tutela.xyz tool (github.com/TutelaLabs) can help in tracking funds behind TornadoCash.

When investigating an incident, it is also important to conduct a classic OSINT investigation; for example, if we are investigating a hack, it is necessary to check messages from chats and to interview employees and eyewitnesses. Sometimes this yields data: www.1337pwn.com/how-to-investigate-cryptocurrency-crimes-using-blockchain-explorers-and-osint-tools

Use the OSINT collection at start.me/p/ek4rxK/cryptocurrency-osint and check out my articles:

  • What you should do if you think someone has stolen your crypto-assets

  • How I investigate crypto hacks and security incidents: A-Z

  • If you have been scammed…

  • How to Build A Career In Crypto Forensics In 2023 and find your Dream Web3 Job

We also need to check the address via impersonator.xyz plus a reverse check:

  • github.com/impersonator-eth/iframe#readme

  • twitter.com/gf_256/status/1650512743349338119

  • x.com/apoorvlathey/status/1728907528237359598

Important tools: MetaSleuth / Phalcon_xyz / SlowMist_Team / AMLBotHQ / MaltegoHQ / AppBreadcrumbs / ethtective / oxt_btc / ArkhamIntel

  • OSINT Lesson №1: Mind-Mapping

  • OSINT Lesson №2: Occam’s Razor Intuition

  • OSINT Lesson №3: AI, ChatGPT Choosing a Pathway to Follow

Check out this awesome on-chain OSINT forensics investigation example performed by my ex-colleague! It is actually an amazing thread and report, made using breadcrumbs.app:

Thread start  |  Thread end

I suggest we go through the steps of the on-chain investigation together to understand how they are done.

Use the clickable scheme report below and re-read the thread one more time, this time following its on-chain storyline!

Recovering Lost Assets

We’ve used it to help a few people whose wallet private keys or seeds had leaked and, specifically, who were up against sweeper bots. So, if you know anyone who has this issue, feel free to send them this article!

When a crypto wallet is compromised, it can feel like all hope is lost… Occasionally, a hacker may overlook stealing your NFT or staking position, or forget to drain assets on other networks. In such instances, the question emerges of how to recover the rest of the money (the part untouched by the hacker!).

The outcome can be the same regardless of how you were hacked, whether you lost your private keys, made a poisoned signature or approve, or whatever else.

The longer a compromised wallet remains in the hands of a hacker, the more difficult it becomes to recover the funds. However, this is what you should do first:

  • Revoke approvals via revoke.cash, cointool.app, app.unrekt.net, these tools, or web3antivirus.

  • Blind signing is also dangerous! Use transaction simulators and a multi-sig.

  • Establish the endpoint cluster (use the On-Chain Investigations Tools List) and contact them.

  • Report your case here: chainabuse.com, cryptoscamdb.org or phishtank.org
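The first item in the checklist, revoking approvals, is worth understanding rather than just clicking through, because a checker like revoke.cash is essentially replaying the token's Approval events for your address. The following is an added example, not code from the original post or from any of the tools it names: it rebuilds a wallet's outstanding ERC-20 allowances from Approval logs shaped like an eth_getLogs result and ranks them for revocation. The Approval event topic hash is the standard ERC-20 one; the addresses, block numbers and amounts are constructed placeholders, and the "effectively unlimited" threshold is an assumption of this example, not part of any standard.

```python
"""Reconstruct a wallet's outstanding ERC-20 approvals from Approval event logs."""

# keccak256("Approval(address,address,uint256)"), the ERC-20 Approval event signature.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UINT256_MAX = 2**256 - 1
# Assumption of this example: allowances this large are "effectively unlimited" even if
# the dApp did not use the exact uint256 max (some use 2**255 or uint96 max).
EFFECTIVELY_UNLIMITED = 2**128


def pad_address(addr):
    """ABI-encode an address as a 32-byte indexed topic (zero padded on the left)."""
    return "0x" + addr[2:].lower().rjust(64, "0")


def topic_to_address(topic):
    """Inverse of pad_address: the address is the low 20 bytes of the topic."""
    return "0x" + topic[-40:].lower()


def make_approval_log(token, owner, spender, value, block, log_index):
    """Build a log dict in the shape eth_getLogs returns (constructed sample data)."""
    return {
        "address": token.lower(),                       # the token contract emitting the event
        "topics": [APPROVAL_TOPIC, pad_address(owner), pad_address(spender)],
        "data": "0x" + format(value, "064x"),           # uint256 value, non-indexed
        "blockNumber": block,
        "logIndex": log_index,
    }


# Constructed placeholders: a wallet, two tokens, a legitimate router and a phishing spender.
OWNER = "0x" + "11" * 20
OTHER_OWNER = "0x" + "22" * 20
USDC = "0x" + "aa" * 20
DAI = "0x" + "dd" * 20
DEX_ROUTER = "0x" + "bb" * 20
PHISHING_SPENDER = "0x" + "cc" * 20

SAMPLE_LOGS = [
    make_approval_log(USDC, OWNER, DEX_ROUTER, 1_000 * 10**6, 100, 0),   # normal, limited
    make_approval_log(USDC, OTHER_OWNER, DEX_ROUTER, UINT256_MAX, 150, 2),  # someone else's wallet
    make_approval_log(USDC, OWNER, PHISHING_SPENDER, UINT256_MAX, 200, 3),  # signed on a phishing site
    make_approval_log(DAI, OWNER, PHISHING_SPENDER, UINT256_MAX, 250, 1),
    make_approval_log(USDC, OWNER, DEX_ROUTER, 0, 300, 0),               # already revoked
]


def outstanding_approvals(logs, owner):
    """Return {(token, spender): allowance} for every non-zero allowance granted by `owner`.

    Logs are replayed in chain order (block, then log index) so a later approve(spender, 0)
    supersedes an earlier grant. Caveat: transferFrom spends allowance without emitting an
    Approval event, so this replay is a triage list; confirm exact figures with allowance().
    """
    owner_topic = pad_address(owner)
    allowances = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        # ERC-721 Approval has the same topic hash but indexes tokenId as a 4th topic: skip it.
        if len(topics) != 3 or topics[0] != APPROVAL_TOPIC or topics[1] != owner_topic:
            continue
        key = (log["address"].lower(), topic_to_address(topics[2]))
        allowances[key] = int(log["data"], 16)
    return {k: v for k, v in allowances.items() if v > 0}


def classify(value):
    """Label an allowance; unlimited ones are what a drainer needs, so they go first."""
    return "unlimited" if value >= EFFECTIVELY_UNLIMITED else "limited"


def revocation_plan(logs, owner):
    """Sorted list of (token, spender, classification), unlimited approvals first."""
    plan = [(token, spender, classify(v))
            for (token, spender), v in outstanding_approvals(logs, owner).items()]
    return sorted(plan, key=lambda row: (row[2] != "unlimited", row[0], row[1]))


if __name__ == "__main__":
    for token, spender, kind in revocation_plan(SAMPLE_LOGS, OWNER):
        print(f"revoke {kind} approval: token {token} spender {spender}")
```

Two details matter when you do this for real: the ERC-721 Approval event shares the same topic hash, so filtering on topic count (or on the token contract) keeps NFT approvals out of an ERC-20 list, and an event replay can overstate an allowance because transferFrom decrements it silently, so the final word is always the token's allowance() view.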

Once again, do not hesitate to contact/tag/email CEX support, wallet support, stablecoin operators, and relevant protocols! An email or message costs you $0, please keep this in mind!

After completing the checklist presented above, seeking professional assistance from services like HackedWalletRecovery as soon as you suspect your wallet has been compromised significantly increases the chances of successful recovery!

In case HackedWalletRecovery.com won’t help, here are several alternative solutions:

  • For unclaimed tokens  x.com/officer_cia/status/1729515020315131994

  • For ERC721:  x.com/lcfr_eth/status/1660974943092318208

PSA to anyone who checks their accounts daily to make sure they didn’t get hacked: set up a Watch List on Etherscan to notify you of any transactions from your addresses. It’s free and the notifications come quickly. It could buy you some valuable time while the hacker is still doing test transactions: etherscan.io/myaddress, or use aml-bot!

  • If you need additional assistance, feel free to reach out to whitehat.flashbots.net, a group of white-hats organized by Flashbots that helps users recover funds left over by hackers.

  • If you have an urgent (and/or potentially massive) situation and need help or a contact, please message us via seal_911_bot. You can also reach out to Mycrypto or Defiac!

  • Check out this super simple contract allowing a target wallet to attempt to recover a token quickly in the event it is compromised or locked out / the keys are lost.

  • To ensure there’s no ETH in the compromised account, it is highly recommended to run a burner bot!

  • For Bitcoin there was a similar solution: you can use something like this or this.

  • Check out Accelerator (choose paid accelerating) and Broadcast!

Keep in mind, prevention is better than cure. Take the necessary steps to secure your wallet and always stay vigilant. With the right  tools  and precautions in place, you can protect yourself from potential hacks and ensure the longevity and security of your digital assets.

Investigator’s Corner

In the fast-evolving world of blockchain technology, security and trust are of paramount importance. As the decentralized nature of blockchain platforms continues to revolutionize industries, the risks associated with cyber threats and hacks have become a growing concern.

In the event of a hack or security breach involving blockchain assets, it is crucial to consider the significance of reporting such incidents to the authorities, particularly law enforcement agencies.

When faced with the daunting reality of a blockchain hack, the initial reaction for many individuals and organizations may be to mitigate the immediate impact by taking swift remedial actions within the digital realm. However, it is equally important to recognize the value of involving law enforcement in the resolution process. While the instinctual response may not necessarily be to seek assistance from the police, there are compelling reasons why reporting a blockchain hack should be a priority.

In the context of blockchain assets, reporting a hack to the police is not necessarily a plea for authorities to intervene in the recovery of the compromised funds. Instead, it serves the essential purpose of providing evidence to substantiate ownership and custody of the assets in question. By involving law enforcement in the notification process, individuals and organizations can effectively document their claim to the hacked assets, strengthening their legal position in subsequent proceedings.

You don’t have to ask the police to rescue the funds, but to prove that you are holding them, and then send these documents to CEXes, Tether or Circle in order to freeze the stolen funds.

In many jurisdictions, a police report can serve as a foundational document to support claims and assertions regarding the ownership and control of blockchain assets. It provides a tangible record that can substantiate the legitimate holding of digital assets and reinforce the veracity of the claimant’s position.

Beyond the immediate implications for the affected parties, reporting a blockchain hack to the police contributes to a broader effort to combat cybercrime and improve cybersecurity practices within the blockchain industry. Law enforcement agencies rely on the aggregation of information and intelligence to investigate and address digital breaches effectively.

By sharing pertinent details of a blockchain hack with the police, individuals and organizations can contribute to the accumulation of critical intelligence that may be instrumental in identifying and mitigating future security threats. This collaborative approach fosters a proactive exchange of insights and data, strengthening the collective resilience of the blockchain community against malicious actors and illicit activities.

You can also either submit a police report yourself or follow our guidelines to do it more effectively via a private company, for example:

My own articles on the topic:

  • Attacks via a Representative Sample: Myths and Reality: officercia.mirror.xyz/WeAilwJ9V4GIVUkYa7WwBwV2II9dYwpdPTp3fNsPFjo

  • 100 BTC deadman drops: Silk Road:  officercia.mirror.xyz/bekcfdWBwPh4FIzYNKfhaaorjYB90JbNRUb2oiSjiJI

  • Ethereum Alarm Clock Exploit: Final Thoughts:  officercia.mirror.xyz/6V1oL16ArHLtkFQFTWhb2Xl0tbLJba89bF7b0rNXDQU

Stay safe!

If you want to support my work, please consider making a donation:

  • 0xB25C5E8fA1E53eEb9bE3421C59F6A66B786ED77A or officercia.eth — ETH

  • 17Ydx9m7vrhnx4XjZPuGPMqrhw3sDviNTU  — BTC

  • 4AhpUrDtfVSWZMJcRMJkZoPwDSdVG6puYBE3ajQABQo6T533cVvx5vJRc5fX7sktJe67mXu1CcDmr7orn1CrGrqsT3ptfds — Monero XMR

  • More addresses: github.com/OffcierCia/support

Thank you!
