BlockThreat - Week 10, 2025
1inch | time.fun | Garantex | Xeggex | SBF | LastPass
Greetings!
No billion-dollar exploits this week, but a couple of unusual DeFi compromises offered a break from the usual private key smash-and-grabs.
One particularly interesting case was the compromise of 1inch and a few market makers, resulting in around $5M in losses. Unlike traditional smart contract exploits, this attack resembled a memory corruption vulnerability with a carefully crafted transaction payload. You’ll find detailed write-ups, along with the rapid race to recover funds, in the premium hacks section below. Fortunately, the attacker agreed to a $450K “bug bounty,” allowing 1inch and the affected AMM to recover most of their losses. The key takeaway? Overoptimized Solidity/Yul contracts are notoriously difficult to audit and secure.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Things got even more intriguing with a whitehat hack by shouccc and tonykebot targeting Time.fun’s backend. A clever exploit of the backend infrastructure—one that eagerly signed transactions on Solana—allowed them to drain all funds controlled by the internal wallet. Fortunately, all funds were returned.
On a more personal front, I will be working on the newsletter full time now. Please consider becoming a premium member to help support its future development.
Let’s dive into the news!
News
- Darknet marketplace wallet with over $400M BTC awakens after 9 years.
- Japanese telco giant NTT Com says hackers accessed details of almost 18,000 organizations.
Crime
- Crypto, Crime & Corruption: A memecoin family’s checkered past puts the presidency of Argentina’s Javier M. A deep dive into Hayden Davis’s family history filled with crime, drug abuse, counterfeiting, and religious cults.
- Garantex Cryptocurrency Exchange Disrupted in International Operation. The Russian exchange has a long history of allowing money laundering including funds flowing from darkmarkets, ransomware gangs, DPRK and other sanctioned entities.
- Thai Police Raid Five Crypto Firms, Arrest 11 in Crackdown. The arrests targeted unlicensed
- Amouranth Bitcoin Robbery: Attackers Demand Crypto At Gunpoint.
- ‘I don’t think I was a criminal,’ says convicted felon Sam Bankman-Fried from prison. SBF was thrown into solitary confinement shortly after the interview with Tucker Carlson since it was apparently not authorized. The Tucker interview was part of his “bad ideas that aren’t vetted” doc that he developed during the FTX meltdown.
- US seizes $23 million in crypto stolen via password manager breach. The complaint revealed that funds were linked to the LastPass compromise of Ripple co-founder Chris Larsen who lost $150M in crypto.
- US Treasury Sanctions Iranian National for Operating Darknet Market Nemesis by TRM.
- UK hands down first criminal sentence over illegal crypto ATMs.
- How crypto exchanges handle liquidity crises after major hacks.
Policy
Phishing
- The ultimate insider threat: North Korean IT workers by Google Threat Intelligence.
- A victim lost $117k in 2 phishing attacks. First $37k via Permit2 phishing by Scam Sniffer.
- Reports of a new Telegram vulnerability, EvilLoader, used to spoof APKs.
- Bypassing MetaMask’s security filter with a binary notation by Jason Doyle.
Scams
- Plant a red flag by Rekt. A report on the disappearance of the Xeggex exchange and its links to past rugs like Cryptsy and Altilly.
- Andrew Tate struggles to pump memecoin amid Florida criminal inquiry.
Malware
- New PyPI Malware ‘set-utils’ Exfiltrates Ethereum Private Keys Through Blockchain Transactions by Socket.
- Infostealer Campaign against ISPs by Splunk. A malware campaign by an Eastern European threat actor to spread cryptomining and infostealer malware.
- Threat Actors Leverage YouTubers to Attack Windows Systems Via SilentCryptoMiner.
Contests
- HTB CTF - Solidity Shenanigans: Hacking StarGazer by Fuzzing Labs.
- Secureum Race Runner by KupiaSec. A browser extension that helps security researchers simulate Secureum races in a realistic environment. Secureum hosts excellent smart contract security challenges at https://ventral.digital/posts/, but their live races fill up quickly. This tool lets you practice these challenges as if you were in a real race.
Media
- Bountyhunt3rz - Episode 6 - kankodu.
- JohnnyTime interview with Nikita Varabei (ChainPatrol).
- Tucker Carlson interview with SBF.
Research
- Sepolia Pectra fork incident recap by Marius Van Der Wijden.
- Across V3: Cross Chain Action Vulnerability Disclosure by zachobront.
- First depositor attack on Hipo Finance on TON network by Saksham (Zokyo).
- Solana Attack Vectors by ImmuneBytes. Account reloading attack.
- Astrill VPN: Silent Push Publicly Releases New IPs on VPN Service Heavily Used by North Korean Threat Actors.
- Safeguarding Blockchain Ecosystem: Understanding and Detecting Attack Transactions on Cross-chain Bridges.
- Protecting DeFi Platforms against Non-Price Flash Loan Attacks.
- BitVM: Unlocking Arbitrary Computation on Bitcoin Through Circuit Abstractions by Katat Choi (ZKSecurity).
- ERC-20 Tokens: Innovation or Exploitation? What We Learned at ETHDenver by GoPlus Security.
- How to Recover Your Browser Wallet Extension from a Sudden Failure? by Lisa & Aro (SlowMist).
- Subverting Web2 Authentication in Web3 by Bruno Halltari and Caue Obici (OtterSec).
- Decode Sui Coin Standard by Senn.
Tools
- Safe Watcher - a bot that monitors one or more Safe addresses for critical activities throughout the entire transaction lifecycle.
- EVM Debugger by Rumblefish. Detailed opcode, stack, memory debugging. Also includes function stack trace and source navigation.
- Cryo-MCP - an MCP server enabling your LLMs to query blockchain data using Cryo by z80.
- Solana Program Account Scanner by Crytic. Visualize account relationships.
- Echidna Coverage Reporter by Simon Busch. A TypeScript tool to parse and analyze Echidna code coverage reports for Solidity smart contracts.
Hacks
Pump
Date: March 04, 2025
Attack Vector: Price Oracle Manipulation
Impact: $6,400
Chain: BSC
References:
https://x.com/TenArmorAlert/status/1897115993962635520
https://x.com/SlowMist_Team/status/1897120233481207971
https://x.com/0xNickLFranklin/status/1897168181862785104
https://x.com/TikkalaResearch/status/1896961176606753219
Exploit:
https://bscscan.com/tx/0xdebaa13fb06134e63879ca6bcb08c5e0290bdbac3acf67914c0b1dcaf0bdc3dd
time.fun, Time
Date: March 04, 2025
Attack Vector: Backend injection
Impact: Assets Stolen
Chain: Solana
References:
https://x.com/publicqi/status/1897124894229639418
Exploit:
1inch, Trusted Volumes
Date: March 06, 2025
Attack Vector: Function Parameter Validation
Impact: $5,000,000 (Recovered $4,550,000)
Chain: Ethereum
References:
https://x.com/TenArmorAlert/status/1897474716492812458
https://x.com/TikkalaResearch/status/1897728336941789428
https://x.com/1inch/status/1897695348232978770
https://x.com/SlowMist_Team/status/1897945772307759483
https://blog.decurity.io/yul-calldata-corruption-1inch-postmortem-a7ea7a53bfd9
Recovery:
https://x.com/shoucccc/status/1897954751205327040
Exploit:
https://etherscan.io/tx/0x04975648e0db631b0620759ca934861830472678dae82b4bed493f1e1e3ed03a
https://etherscan.io/tx/0xb5c94efa0c8fd8f5c8cc2826e374a99620b01061d395b59b8f45dddc9fce1c60
https://etherscan.io/tx/0xb16bbf03d324b66685c94d62dbe31c739ee23c114b3915d169c74cd7c98eec8c
https://etherscan.io/tx/0xc69b4c8029c70ae468e92af31120ac6b01bb89c6e35d34818413e9942aedebb6
https://etherscan.io/tx/0xefcb740bf9ec17ed99839ffcc05393fae5ec2d44149aee91ba119f48bc20a1ef
https://etherscan.io/tx/0x74bc4d5dc7f8da468788da6087bb9f73465966ab5b8cf9cf1053d98e78a9bf96
https://etherscan.io/tx/0x3947e5a4d98104e313e08ee321673e1183db3d6ff8b7207f3eabb36f71436c1d
https://etherscan.io/tx/0x9ce5187c7160f531189e4765f21af5975dc2a62d961fb61ae09866d082918256
https://etherscan.io/tx/0xb0688eb1f46c28f36d7397366146fced23d3f8da7e08b760a5f612ce134ee9d2
https://etherscan.io/tx/0x62734ce80311e64630a009dd101a967ea0a9c012fabbfce8eac90f0f4ca090d6
Unkn_d8da9d
Date: March 09, 2025
Attack Vector: Arbitrary External Calls
Impact: $140,000
Chain: Arbitrum
References:
https://x.com/CertiKAlert/status/1898933348069933537
Exploit:
https://arbiscan.io/tx/0x3248bc2271d42fc4ab47567de50d2913e76030f0cc70a8dbc0571137b936ef77