
LABScon25 Replay | Your Apps May Be Gone, But the Hackers Made $9 Billion and They’re Still Here

This report summarizes a LABScon 25 presentation detailing the sophisticated attack vectors used in cryptocurrency heists, which have resulted in $9 billion in losses. Threat actors are increasingly targeting developers and software supply chains—such as modifying production JavaScript code and compromising GitHub accounts via personal infrastructure—to execute massive wallet drains.

Confidence: medium | Analyzed: 2026-03-19 | Category: reports

Authors: Andrew MacPherson, SentinelOne

Actors: Drainers as a Service

Source: SentinelOne

Key Takeaways

  • Crypto crime has amassed approximately $9 billion in illicit funds, heavily targeting the decentralized finance (DeFi) space.
  • Attackers exploit the frontend-heavy architecture of crypto applications, targeting interactions that occur via browser wallet extensions.
  • The $1.5 billion Bybit heist involved infecting a developer's machine to modify production JavaScript code, authorizing a full wallet drain during a multi-signature transaction.
  • Supply chain attacks are prevalent, including typo-squatting and compromising GitHub accounts via personal servers like Plex.
  • Stolen funds are laundered using cross-chain swaps, mixers like Tornado Cash, and non-KYC platforms to convert crypto to cash.

Affected Systems

  • DeFi Applications
  • Browser Wallet Extensions
  • Developer Workstations
  • GitHub Accounts
  • Plex Servers

Attack Chain

Threat actors target developer infrastructure by infecting workstations or exploiting personal servers (like Plex) to compromise corporate GitHub accounts. Once access is gained, attackers modify production JavaScript code to manipulate frontend interactions with browser wallet extensions. During legitimate multi-signature transactions, the altered code secretly authorizes a full wallet drain. The stolen cryptocurrency is then laundered through cross-chain swaps, mixers like Tornado Cash, and non-KYC platforms to obscure the trail.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules or queries are provided in the article, as it is a high-level summary of a conference presentation.

Detection Engineering Assessment

  • EDR Visibility: Medium — EDR can detect initial infections on developer machines and lateral movement, but lacks visibility into smart contract execution or blockchain transactions.
  • Network Visibility: Low — Most crypto transactions and GitHub interactions are encrypted (HTTPS), making payload inspection difficult without SSL decryption.
  • Detection Difficulty: Hard — The attacks blend in with legitimate developer activity (e.g., committing code to GitHub) and leverage decentralized, anonymizing financial networks for exfiltration.

Required Log Sources

  • EDR telemetry from developer endpoints
  • GitHub audit logs
  • Web proxy logs
  • File Integrity Monitoring (FIM) logs

Hunting Hypotheses

Hypothesis 1: Developers' personal infrastructure (e.g., Plex servers) is being compromised to pivot into corporate GitHub accounts.
  • Telemetry: EDR and network logs showing unusual inbound connections to developer endpoints or anomalous authentication patterns to source control.
  • ATT&CK Stage: Initial Access
  • FP Risk: Medium

Hypothesis 2: Unauthorized modifications are being made to production JavaScript files handling wallet transactions.
  • Telemetry: GitHub audit logs and File Integrity Monitoring (FIM) showing unexpected commits or file changes outside of standard deployment windows.
  • ATT&CK Stage: Execution
  • FP Risk: High

Control Gaps

  • Lack of strict separation between personal and corporate infrastructure
  • Insufficient code review and integrity checks on frontend JavaScript

Key Behavioral Indicators

  • Anomalous GitHub commits from unrecognized IP addresses
  • Unexpected modifications to frontend transaction logic
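The two hunting hypotheses and the behavioral indicators above can be turned into concrete checks. The following Python script is an added example written for this summary; it is not code from the LABScon talk, from SentinelOne, or from the source article, which provides no detection logic. It runs over constructed sample data: push events shaped loosely like GitHub audit-log entries (the field names, the repository name, the 10.0.0.0/8 corporate range and the 09:00 to 18:00 UTC weekday deployment window are all assumptions), and a release manifest of frontend bundle hashes compared against what is deployed.

```python
"""Hunting checks for the two hypotheses on this page (added example).

Part 1 flags pushes to production frontend repositories from IPs outside an
allow-list or outside the change window (GitHub audit-log hypothesis).
Part 2 compares SHA-256 hashes of deployed JavaScript bundles against a
release manifest (File Integrity Monitoring hypothesis).
"""
import hashlib
import ipaddress
from datetime import datetime, time, timezone

# --- Part 1: audit-log style push events ----------------------------------
# Constructed sample events. The field names are an assumption for this
# example, not GitHub's actual audit-log schema.
SAMPLE_EVENTS = [
    {"action": "git.push", "actor": "dev-alice", "repo": "org/wallet-frontend",
     "actor_ip": "10.20.30.40", "created_at": "2025-09-10T14:05:00Z"},
    {"action": "git.push", "actor": "dev-bob", "repo": "org/wallet-frontend",
     "actor_ip": "198.51.100.77", "created_at": "2025-09-11T02:47:00Z"},
    {"action": "git.push", "actor": "dev-alice", "repo": "org/docs",
     "actor_ip": "203.0.113.5", "created_at": "2025-09-11T03:10:00Z"},
]

PRODUCTION_REPOS = {"org/wallet-frontend"}               # assumed repo name
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corporate VPN range
DEPLOY_WINDOW = (time(9, 0), time(18, 0))                # assumed UTC window, weekdays only


def in_allowlist(ip: str) -> bool:
    """True if the actor IP falls inside one of the recognised networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def in_deploy_window(ts: str) -> bool:
    """True if the timestamp is on a weekday inside the deployment window (UTC)."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    start, end = DEPLOY_WINDOW
    return dt.weekday() < 5 and start <= dt.time() <= end


def hunt_push_events(events):
    """Return one finding per push to a production repo that breaks a rule.

    Pushes to non-production repositories are ignored; a finding lists every
    rule the event violated so an analyst can triage by reason.
    """
    findings = []
    for ev in events:
        if ev["action"] != "git.push" or ev["repo"] not in PRODUCTION_REPOS:
            continue
        reasons = []
        if not in_allowlist(ev["actor_ip"]):
            reasons.append("ip_outside_allowlist")
        if not in_deploy_window(ev["created_at"]):
            reasons.append("outside_deployment_window")
        if reasons:
            findings.append({"actor": ev["actor"], "repo": ev["repo"],
                             "at": ev["created_at"], "reasons": reasons})
    return findings


# --- Part 2: integrity of deployed frontend bundles -----------------------
def build_manifest(files: dict) -> dict:
    """Map each path to the SHA-256 of its content (taken at release time)."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def check_integrity(manifest: dict, deployed: dict) -> list:
    """Report (path, status) for missing, modified and unexpected files."""
    findings = []
    for path, expected in manifest.items():
        if path not in deployed:
            findings.append((path, "missing"))
        elif hashlib.sha256(deployed[path]).hexdigest() != expected:
            findings.append((path, "modified"))
    for path in deployed:
        if path not in manifest:
            findings.append((path, "unexpected"))
    return findings


# Constructed release contents and a constructed deployed tree where one
# bundle differs from the release and one file was never in the release.
RELEASE_FILES = {
    "static/app.js": b"export const approve = (tx) => sign(tx);\n",
    "static/wallet-connect.js": b"export const connect = () => window.ethereum;\n",
}
RELEASE_MANIFEST = build_manifest(RELEASE_FILES)
DEPLOYED_FILES = {
    "static/app.js": b"export const approve = (tx) => sign(tx); // build 2\n",
    "static/wallet-connect.js": RELEASE_FILES["static/wallet-connect.js"],
    "static/vendor/extra.js": b"// not part of the release\n",
}

if __name__ == "__main__":
    for f in hunt_push_events(SAMPLE_EVENTS):
        print("push finding:", f)
    for path, status in check_integrity(RELEASE_MANIFEST, DEPLOYED_FILES):
        print("integrity finding:", path, status)
```

The push check deliberately reports every violated rule rather than stopping at the first one: a push that is both off-hours and from an unrecognised network is a stronger signal than either alone, which matters given the high false-positive risk the page assigns to the second hypothesis. The integrity check treats files absent from the release manifest as findings too, since a hardening practice here is that nothing reaches production that was not in the signed-off build.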

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Enforce MFA on all developer accounts, including GitHub and other source control platforms.
  • Audit recent commits to frontend JavaScript repositories for unauthorized changes or suspicious logic.

Infrastructure Hardening

  • Implement strict network segmentation between personal devices/servers and corporate development environments.
  • Require multi-party approval and automated security scanning for all code merges to production.

User Protection

  • Deploy robust EDR solutions on all developer workstations.
  • Restrict access to personal applications (like Plex) from corporate devices.

Security Awareness

  • Train developers on the risks of supply chain attacks, typo-squatting, and targeted phishing.
  • Educate staff on the tactics used by Drainers-as-a-Service and the importance of securing personal infrastructure.

MITRE ATT&CK Mapping

  • T1195.002 - Compromise Software Supply Chain
  • T1078 - Valid Accounts
  • T1176 - Browser Extensions
  • T1565 - Data Manipulation