慢雾 SlowMist

Over the past few years, the core issues facing Virtual Asset Service Providers (VASPs) in the field of anti-money laundering (AML) have quietly changed.
Initially, the industry focused more on "whether AML capabilities have been deployed"; now, a more practical question has arisen—whether these capabilities have truly met regulatory standards.
过去的一年里, this change has become more pronounced. Multiple penalty cases send the same signal: under a results-oriented enforcement framework, "investment has been made but the results are insufficient" and "no measures have been taken" are not strictly distinguished at the accountability level.

On March 27, the first Agentic AI Innovation and Security Forum and the first Web 4.0 International Summit in Hong Kong, co-hosted by Hong Kong Cyberport, ME Group, and iPollo, were grandly held at Hong Kong Cyberport. This summit, themed "Agentic AI Innovative Applications: Technological Transformation and Industrial Integration in the Web 4.0 Era", gathered top talents from various sectors, including the Financial Secretary of the Hong Kong SAR Government, Paul Chan, the Chairman of Hong Kong Cyberport, Charles Chan, the Directors of Hong Kong Cyberport and the founder of Nano Labs, Kong Jianping, as well as renowned angel investor Cai Wensheng, to explore the opportunities and challenges of AI's leap from 'dialogue' to 'action' in this new era.

Background
In the world of Web3, security has never been a 'task' that can be checked off; rather, it is a marathon without an end. However, for a long time, the industry's understanding of 'security' has remained stuck in the old paradigm of one-time audits—exchanging code checks at a certain point in time for 'certainty' before going live.
Yet, as threats such as cross-protocol combination attacks, flash loan arbitrage, private key leaks, and front-end hijacking continue to evolve, this 'snapshot security' is rapidly becoming ineffective. Especially after AI Agents have evolved from 'assistive tools' to 'automated executors', the attack surface has further expanded to new dimensions such as prompt injection and malicious Skills / MCPs supply chain poisoning, making security risks exhibit stronger dynamics and interconnectivity. In this context, the security capabilities themselves must also undergo an upgrade.

On March 24, 2026, AI developers were still writing code when LiteLLM on PyPI was quietly "poisoned." The Python open-source library LiteLLM, which had a monthly download volume of up to 97 million times, had its PyPI repository maliciously altered in the early morning, with two contaminated versions (1.82.7, 1.82.8) quietly going online. In just three hours, tens of thousands of development environments and enterprise systems may have been exposed to data leakage risks. Unlike ordinary attacks, this incident was not an isolated malicious injection but a carefully planned chain attack by the hacker organization TeamPCP.

https://x.com/LiteLLM/status/2036503343510778061

1. Background
The Slow Fog security team has detected a supply chain attack. The front-end script file hosted on the Apifox official CDN (hxxps[:]//cdn.apifox.com/www/assets/js/apifox-app-event-tracking.min.js) has been injected with heavily obfuscated malicious JavaScript code. This malicious code disguises itself as legitimate statistical tracking functionality and, when running in the Apifox Electron desktop client environment, will steal user authentication credentials and sensitive system information, sending it to a C2 server controlled by the attacker, which can then pull and execute arbitrary remote code, achieving full remote command execution (RCE).

As AI Agents evolve from "assistive tools" to "autonomous executors", an increasing number of Agents are beginning to possess the ability to install plugins (Skills / MCP), call external APIs, read documents, and even directly participate in on-chain interactions. However, at the same time, a more realistic issue has emerged: when Agents can execute anything, how do they determine what is safe?
In the real world, many attacks are no longer limited to traditional vulnerabilities, but rather involve methods such as malicious code libraries, prompt injection, disguised documents, supply chain contamination, and social engineering to carry out "cognitive layer hijacking" on AI Agents. Against this backdrop, SlowMist officially launched: SlowMist Agent Security Skill 0.1.1 (https://github.com/slowmist/slowmist-agent-security), a comprehensive security review framework aimed at AI Agents.

1. Background
With the rapid development of large model technology, AI Agents are gradually evolving from simple intelligent assistants to automated systems capable of executing tasks autonomously. This change is particularly evident in the Web3 ecosystem. More and more users are beginning to involve AI Agents in market analysis, strategy generation, and automated trading, bringing the concept of a '24/7 automated trading assistant' closer to reality. With Binance and OKX launching multiple AI Skills, and Bitget introducing the Skills resource site Agent Hub and the no-install Lobster GetClaw, Agents can directly connect to trading platform APIs, on-chain data, and market analysis tools, thereby undertaking trading decisions and execution tasks that previously required human involvement to a certain extent.

On March 13, the "On-chain Fund Monitoring and Compliance Boundaries in the AI Era · SlowMist Product Launch" jointly organized by SlowMist and ME Group was successfully held at CAI CAFE in Causeway Bay, Hong Kong. Against the backdrop of rapid development in the digital asset industry and the increasingly完善 global regulatory framework, this launch event focused on the innovative application of AI technology in on-chain security monitoring, officially introducing SlowMist's annual core security product — SlowMist KYT, and discussed a new balance of asset security and privacy protection in the Web3 era with industry leaders.

background
Over the past few years, Virtual Asset Service Providers (VASPs) have been repeatedly reminded that anti-money laundering (AML) and transaction monitoring (KYT) are not "compliance bonuses," but rather the bottom line for sustainable operation. In 2025, several leading or well-known platforms were heavily penalized for insufficient AML compliance.
BitMEX was fined $100 million by the U.S. Department of Justice (DOJ) for violating the Bank Secrecy Act by failing to establish, implement, and sustainably maintain a fully effective anti-money laundering and Know Your Customer (KYC) system.
OKX was fined over $504 million by the U.S. Department of Justice (DOJ) for failing to implement sufficient KYC and transaction monitoring, resulting in illicit fund flows.

The rapid development of AI technology is changing the technological path of on-chain security monitoring and compliance technology. From on-chain fund tracking to anti-money laundering risk identification, an increasing number of institutions are beginning to focus on the application capabilities of AI in on-chain data analysis and threat intelligence, as well as the new possibilities it brings in a compliance regulatory environment.
As a global leader in blockchain security, SlowMist will co-host the "On-chain Fund Monitoring and Compliance Boundaries in the AI Era · SlowMist New Product Launch" with ME Group in Hong Kong on March 13. This launch will focus on the innovative applications of AI technology in on-chain security monitoring, the balance of asset safety and privacy under global compliance trends, and will unveil SlowMist's annual flagship products for the first time, exploring new directions for Web3 security and compliance development with industry partners.

MistEye serves as the retina (threat perception), MistTrack as the immune system (on-chain risk control), OpenClaw security practices as the skeleton (behavioral constraints), MistAgent as the brain (deep analysis and auditing), and ADSS as armor (full lifecycle protection) in a comprehensive defense architecture.

1. Executive Summary (Issues, Solutions, Value)
With the deep integration of AI toolchains and Web3 business, OpenClaw/Agent is upgrading from an auxiliary role to a core productivity node that can directly execute high-privilege actions. Meanwhile, the attack surface has expanded from traditional code vulnerabilities to the level of prompts, tool supply chains, system execution layers, and on-chain asset layers, with risks exhibiting stronger interconnectivity and destructiveness.

As the digital asset industry develops rapidly, the complexity of on-chain fund flows and regulatory requirements are also continuously increasing. From Anti-Money Laundering (AML) to Fund Monitoring (KYT), from on-chain risk identification to global compliance collaboration, security and compliance are becoming an indispensable part of Web3 infrastructure.
In this context, SlowMist will collaborate with ME Group to officially hold the "On-chain Fund Monitoring and Compliance Boundaries in the AI Era · SlowMist New Product Launch" in Hong Kong on March 13. This is not only a product debut but also an in-depth dialogue about the future of digital asset security and global compliance, and we sincerely invite you to witness this important moment together.

Introduction
With the rapid enhancement of autonomous agents' capabilities, AI Agents like OpenClaw, which possess terminal and even Root privileges, are playing a core role in automating operations, on-chain activities, system management, and complex task orchestration. They not only understand instructions but can also directly interact with operating systems, network environments, and external services, becoming truly executable intelligent entities.
However, this capability also comes with significant risks. Traditional security measures (such as chattr +i and firewalls) often cannot accommodate the automated workflows of Agents, while also struggling to defend against specific attacks targeting large language models (LLMs) (such as Prompt Injection). While maximizing capabilities, how to achieve controllable risks and auditable operations has become a problem that must be solved in every high-privilege intelligent agent application scenario.

Author: Slow Mist Area White Hat wowo
Editor: 77
This article is submitted by Slow Mist Area White Hat wowo, based on its practical security audit summary of several mainstream fingerprint browser products.
Introduction
Fingerprint browsers (Antidetect Browser) have rapidly emerged as a tool software widely used for managing multiple accounts in cross-border e-commerce, social media operations, advertising placements, and in scenarios such as airdrop interactions in the Web3 field ('grabbing wool'), and multi-wallet management. Its core selling point is 'isolation of browser fingerprints and protection of account security', where users often entrust a large number of high-value digital assets—including e-commerce platform login states, social media sessions, payment credentials, and even private keys and mnemonic phrases of cryptocurrency wallets—within it.

Author: Yao & sissice
Editor: 77
Background
Recently, the open-source AI Agent project OpenClaw unexpectedly gained popularity, and its official plugin center ClawHub quickly attracted a large number of developers. The Slow Fog security team has monitored that ClawHub is gradually becoming a new target for attackers to implement supply chain poisoning. Due to the lack of a complete and strict review mechanism on the platform, a large number of malicious skills have mixed in, which are used to spread malicious code or deliver harmful content, posing potential security risks to developers and users.
The Slow Fog security team conducted an analysis immediately after the incident was exposed and issued warnings to the client side through MistEye, while continuously tracking new malicious skills on ClawHub.

In February 2026, as Consensus Hong Kong 2026 is approaching, Hong Kong will welcome a series of industry events focused on Web3, payments, and fintech. As a threat intelligence company specializing in blockchain ecosystem security, SlowMist will present two important summits during the Consensus Hong Kong 2026 event week on February 9, engaging in in-depth discussions with representatives from financial institutions, payment service providers, and the Web3 ecosystem to explore the security challenges and compliance practices faced in the process of scaling on-chain finance.
Next-Gen Payment Summit 2026

On January 30, the "Cybersecurity Elite Award Program 2025" award ceremony, organized by the Hong Kong Police Force Cyber Security and Technology Crime Bureau, in collaboration with the Digital Policy Office (DPO) and the Hong Kong Productivity Council (HKPC), was held at the Hong Kong Police Force Officers' Club. SlowMist was awarded the "Cybersecurity Excellence Contribution Award" in the field of Cybersecurity Professional Awards (CSPA 2025) for 2025; at the same time, SlowMist partner and Chief Information Security Officer Zhang Lianfeng received the "Excellence Award" in the field of Cybersecurity Audit and Consulting in the Cybersecurity Professional Awards (CSPA 2025) for 2025.

Author: Yao
Editor: 77
Background
Recently, Chainbase Labs monitored and captured a phishing email activity disguised as 'Audit/Compliance Confirmation', and shared the relevant malicious samples with the Slow Mist security team after desensitization. Both parties jointly conducted investigation and analysis on the malicious samples.
The attacker first induced the recipient to reply with 'Confirm Company English Legal Name', followed by continuous follow-ups with phrases such as 'FY2025 External Audit' and 'Token Vesting Confirmation Deadline Response', and delivered malicious Word/PDF attachments. By using social engineering, the attacker induced victims to open the attachments and follow the prompts, thereby stealing credentials or sensitive data.

Since its establishment on January 26, 2018, SlowMist has been in the blockchain security field for eight years. Eight years may not seem long on the timeline, but in a rapidly evolving and constantly innovating industry, it is enough to experience multiple cycles of ups and downs, changes in technological paradigms, and repeated upgrades in security threats. Upholding the firm belief of 'bringing a sense of security to the blockchain ecosystem,' SlowMist has always devoted itself to security research and practice with infinite passion, demonstrating its commitment to security through action. We refine our technology through real attacks and emergency responses, and over time, we gradually build the security value that belongs to SlowMist.

Author: enze & Lisa
Edit: 77
Background
Due to the lack of overflow protection in integer addition operations when calculating the amount of ETH required to mint TRU tokens, the price calculation resulted in an abnormal zero value, allowing the attacker to mint a large number of tokens at near-zero cost and drain the contract's reserves.

Root Cause
On January 8, 2026, the Truebit Protocol suffered an attack, where the attacker exploited a contract vulnerability to profit approximately 8,535 ETH (about $26.44 million). The following is a detailed analysis of this incident by the SlowMist Security Team.