The Tusk Infostealer Lab investigates a sophisticated cyber threat targeting blockchain-based organizations, specifically those managing decentralized autonomous organizations (DAOs) and cryptocurrency assets. The attack was first detected when an employee of a blockchain development company experienced an unauthorized redirection while accessing a DAO management platform. Shortly thereafter, the organization's linked cryptocurrency wallets were drained of funds, indicating a highly targeted credential-theft and fund-exfiltration operation. Security analysts suspect that a malicious tool was used to steal credentials, monitor transactions, and replace copied wallet addresses, ultimately diverting digital assets to attacker-controlled accounts.
In this lab, we will analyze key intelligence indicators, including malware hashes, network infrastructure, and cryptocurrency addresses, to uncover the tactics, techniques, and procedures (TTPs) employed by the attackers. Using threat intelligence platforms, we will identify the malicious infrastructure behind the campaign, assess its components, and trace the flow of stolen assets. The investigation will reveal how cybercriminals mimic legitimate blockchain services, deploy multi-stage malware payloads, and use Command and Control (C2) servers to exfiltrate sensitive data. Through this walkthrough, we will examine how the attack was executed, dissect the role of infostealers and clipper malware, and highlight the importance of threat intelligence in tracking and mitigating cryptocurrency-related cybercrime.
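The clipper behaviour described above (a copied wallet address is silently overwritten with an attacker-controlled one) leaves a simple defensive signal: one address is replaced by a different address of the same type within a fraction of a second, with no user action in between. The following is an added example, not part of the lab material or the Tusk analysis, showing how a host monitor could flag that pattern over a stream of clipboard-change events. The `ClipEvent` records, the address-shape regexes, the two-second window and the sample event stream are all constructed for this illustration.

```python
import re
from dataclasses import dataclass

# Added example (not part of the lab): a minimal detector for the clipboard-swap
# behaviour of clipper malware. A clipper watches the clipboard and, when it sees
# a wallet address, overwrites it with an attacker-controlled address of the same
# type. The defensive signal is therefore: one address is replaced by a *different*
# address of the *same* type within a very short interval.

# Loose shape checks for two common address families (constructed for this
# example; they validate format only, not checksums).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[02-9ac-hj-np-z]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text):
    """Return 'btc', 'eth' or None depending on which address shape `text` matches."""
    s = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return kind
    return None


@dataclass
class ClipEvent:
    ts: float      # seconds since monitoring started (hypothetical monitor field)
    content: str   # clipboard text after the change


def detect_clipper_swaps(events, window=2.0):
    """Scan clipboard-change events in order and flag same-type address swaps
    that occur within `window` seconds of the original copy."""
    alerts = []
    prev = None
    for ev in events:
        kind = classify_address(ev.content)
        if prev is not None and kind is not None:
            prev_kind = classify_address(prev.content)
            if (prev_kind == kind
                    and ev.content.strip() != prev.content.strip()
                    and ev.ts - prev.ts <= window):
                alerts.append({
                    "type": kind,
                    "original": prev.content.strip(),
                    "replacement": ev.content.strip(),
                    "delta_s": round(ev.ts - prev.ts, 3),
                })
        prev = ev
    return alerts


# Constructed sample stream: the third event is the clipboard being overwritten
# 0.25 s after the user copied an address; the last two events are a normal,
# much slower sequence of copies that should not raise an alert.
SAMPLE_EVENTS = [
    ClipEvent(0.0, "quarterly treasury report"),
    ClipEvent(5.0, "0x" + "11" * 20),   # user copies the intended recipient address
    ClipEvent(5.25, "0x" + "22" * 20),  # clipboard silently replaced: clipper signature
    ClipEvent(60.0, "0x" + "33" * 20),  # user copies another address much later
    ClipEvent(95.0, "0x" + "44" * 20),  # and another, 35 s later: not a swap
]


if __name__ == "__main__":
    for alert in detect_clipper_swaps(SAMPLE_EVENTS):
        print(f"[ALERT] {alert['type']} address swapped after {alert['delta_s']}s: "
              f"{alert['original']} -> {alert['replacement']}")
```

Run as-is it prints one alert for the 0.25 s swap and stays silent for the later copies. In a real deployment the event stream would come from the operating system's clipboard-change notification rather than a hard-coded list, and the window would be tuned to the host; the same-type requirement is what keeps ordinary copy-paste of several different addresses from firing.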