Badgers and goats and crypto, oh my!

Chris Cronbaugh

Trust has been abused on the Internet since…well…basically since the Internet started. So what happens when you create an online community built around pseudonymously exchanging virtual tokens with real value? Someone is going to abuse that trust.

This is the tale of how a handful of Cloudflare phishing campaigns likely led to the loss of over $100MM in cryptocurrency between 2021 and 2023. Leveraging Cloudflare Workers, a single threat actor methodically injected specific code onto sites normally trusted by crypto users in order to gain their approval and peek into the secrets that secure their crypto. In one case, the attacker likely held onto access for years, only to resurface after the target had made changes to how they deliver content to their users that enabled specific.

And it doesn’t end there. The attacker is likely also involved in distributing trojanized crypto wallet software that leaves a trail that has us wondering if they were also responsible for a $200MM hack of a centralized exchange. They say crypto is anonymous, but in the end, every transaction is public and it takes just a single operational security failure to get caught. We’ll take a look at this attacker’s opsec failures to see what we can learn about who they are and how we can prevent them from continuing to abuse trust.