BlockThreat - Week 10, 2025

Greetings!

No billion-dollar exploits this week, but a couple of unusual DeFi compromises offered a break from the usual private key smash-and-grabs.

One particularly interesting case was the compromise of 1inch and a few market makers, resulting in around $5M in losses. Unlike traditional smart contract exploits, this attack resembled a memory corruption vulnerability with a carefully crafted transaction payload. You’ll find detailed write-ups, along with the rapid race to recover funds, in the premium hacks section below. Fortunately, the attacker agreed to a $450K “bug bounty,” allowing 1inch and the affected AMM to recover most of their losses. The key takeaway? Overoptimized Solidity/Yul contracts are notoriously difficult to audit and secure.

To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.

Things got even more intriguing with a whitehat hack by shouccc and tonykebot targeting Time.fun’s backend. A clever exploit of the backend infrastructure—one that eagerly signed transactions on Solana—allowed them to drain all funds controlled by the internal wallet. Fortunately, all funds were returned.

On a more personal front, I will be working on the newsletter full time now. Please consider becoming a premium member to help support its future development.

Let’s dive into the news!

News

• Darknet marketplace wallet with over $400M BTC awakens after 9 years.
• Japanese telco giant NTT Com says hackers accessed details of almost 18,000 organizations.

Crime

• Crypto, Crime & Corruption: A memecoin family’s checkered past puts the presidency of Argentina’s Javier M. A deep dive into Hayden Davis’s family history filled with crime, drug abuse, counterfeiting, and religious cults.
• Garantex Cryptocurrency Exchange Disrupted in International Operation. The Russian exchange has a long history of allowing money laundering including funds flowing from darkmarkets, ransomware gangs, DPRK and other sanctioned entities.
• Thai Police Raid Five Crypto Firms, Arrest 11 in Crackdown. The arrests targeted unlicensed
• Amouranth Bitcoin Robbery: Attackers Demand Crypto At Gunpoint.
• ‘I don’t think I was a criminal,’ says convicted felon Sam Bankman-Fried from prison. SBF was thrown into solitary confinement shortly after the interview with Tucker Carlson since it was apparently not authorized. The Tucker interview was part of his “bad ideas that aren’t vetted” doc that he developed during the FTX meltdown.
• US seizes $23 million in crypto stolen via password manager breach. The complaint revealed that funds were linked to the LastPass compromise of Ripple co-founder Chris Larsen who lost $150M in crypto.
• US Treasury Sanctions Iranian National for Operating Darknet Market Nemesis by TRM.
• UK hands down first criminal sentence over illegal crypto ATMs.
• How crypto exchanges handle liquidity crises after major hacks.

Policy

• OCC Clarifies Bank Authority to Engage in Certain Cryptocurrency Activities.

Phishing

• The ultimate insider threat: North Korean IT workers by Google Threat Intelligence.
• A victim lost $117k in 2 phishing attacks. First $37k via Permit2 phishing by Scam Sniffer.
• Reports of a new Telegram vulnerability, EvilLoader, used to spoof APKs.
• Bypassing MetaMask’s security filter with a binary notation by Jason Doyle.

Scams

• Plant a red flag by Rekt. A report on the disappearance of the Xeggex exchange and its links to past rugs like Cryptsy and Altilly.
• Andrew Tate struggles to pump memecoin amid Florida criminal inquiry.

Malware

• New PyPI Malware ‘set-utils’ Exfiltrates Ethereum Private Keys Through Blockchain Transactions by Socket.
• Infostealer Campaign against ISPs by Splunk. A malware campaign by an Eastern European threat actor to spread cryptomining and infostealer malware.
• Threat Actors Leverage YouTubers to Attack Windows Systems Via SilentCryptoMiner.

Contests

• HTB CTF - Solidity Shenanigans: Hacking StarGazer by Fuzzing Labs.
• Secureum Race Runner by KupiaSec. A browser extension that helps security researchers simulate Secureum races in a realistic environment. Secureum hosts excellent smart contract security challenges at https://ventral.digital/posts/, but their live races fill up quickly. This tool lets you practice these challenges as if you were in a real race.

Media

• Bountyhunt3rz - Episode 6 - kankodu.
• JohnnyTime interview with Nikita Varabei (ChainPatrol).
• Tucker Carlson interview with SBF.

Research

• Sepolia Pectra fork incident recap by Marius Van Der Wijden.
• Across V3: Cross Chain Action Vulnerability Disclosure by zachobront.
• First depositor attack on Hipo Finance on TON network by Saksham (Zokyo).
• Solana Attack Vectors by ImmuneBytes. Account reloading attack.
• Astrill VPN: Silent Push Publicly Releases New IPs on VPN Service Heavily Used by North Korean Threat Actors.
• Safeguarding Blockchain Ecosystem: Understanding and Detecting Attack Transactions on Cross-chain Bridges.
• Protecting DeFi Platforms against Non-Price Flash Loan Attacks.
• BitVM: Unlocking Arbitrary Computation on Bitcoin Through Circuit Abstractions by Katat Choi (ZKSecurity).
• ERC-20 Tokens: Innovation or Exploitation? What We Learned at ETHDenver by GoPlus Security.
• How to Recover Your Browser Wallet Extension from a Sudden Failure? by Lisa & Aro (SlowMist).
• Subverting Web2 Authentication in Web3 Bruno Halltari and Caue Obici (OtterSec)
• Decode Sui Coin Standard by Senn.

Tools

• Safe Watcher - a bot that monitors one or more Safe addresses for critical activities throughout the entire transaction lifecycle.
• EVM Debugger by Rumblefish. Detailed opcode, stack, memory debugging. Also includes function stack trace and source navigation.
• Cryo-MCP - an MPC server enabling your LLMs to query blockchain data using Cryo by z80.
• Solana Program Account Scanner by Crytic. Visualize account relationships.
• Echidna Coverage Reporter by Simon Busch. A TypeScript tool to parse and analyze Echidna code coverage reports for Solidity smart contracts.

Hacks

Pump

Date: March 04, 2025
Attack Vector: Price Oracle Manipulation
Impact: $6,400
Chain: BSC

References:

https://x.com/TenArmorAlert/status/1897115993962635520

https://x.com/SlowMist_Team/status/1897120233481207971

https://x.com/0xNickLFranklin/status/1897168181862785104

https://x.com/TikkalaResearch/status/1896961176606753219

time.fun, Time

Date: March 04, 2025
Attack Vector: Backend injection
Impact: Assets Stolen
Chain: Solana

References:

https://x.com/publicqi/status/1897124894229639418

1inch, Trusted Volumes

Date: March 06, 2025
Attack Vector: Function Parameter Validation
Impact: $5,000,000 (Recovered $4,550,000)
Chain: Ethereum

References:

https://x.com/TenArmorAlert/status/1897474716492812458

https://x.com/TikkalaResearch/status/1897728336941789428

https://x.com/1inch/status/1897695348232978770https://x.com/SlowMist_Team/status/1897945772307759483

https://x.com/tikkalaresearch/status/1897728336941789428

https://blog.decurity.io/yul-calldata-corruption-1inch-postmortem-a7ea7a53bfd9

Recovery:

https://x.com/shoucccc/status/1897954751205327040

https://etherscan.io/idm?addresses=0xbbb587e59251d219a7a05ce989ec1969c01522c0%2C0x1ef9bfb1e7480c01d3d00e9bca5f29625c6c4806&type=1

Unkn_d8da9d

Date: March 09, 2025
Attack Vector: Arbitrary External Calls
Impact: $140,000
Chain: Arbitrum

References:

https://x.com/CertiKAlert/status/1898933348069933537