BlockThreat - Week 11, 2025
wkeyDAO | H2O | Berally | MAID | Garantex | LockBit | Trezor
Greetings!
Only about $1M was stolen this week across four incidents, with the majority of funds lost due to a simple price misconfiguration on wkeyDAO.
Slow weeks like these are a good time to catch your breath and dive into the latest research in blockchain security. Pay particular attention to a series of EIPs in the upcoming Pectra upgrade, which introduce some concerning security risks. From EIP-7702, which could wipe out entire wallets, to EOF, which reintroduces potential reentrancy exploits, the evolving threat landscape demands constant vigilance.
On a more ironic note, DPRK hackers fell victim to a malicious Tornado Cash UI, losing $3.1M of their stolen funds—no honor among thieves. Meanwhile, authorities made a string of high-profile arrests tied to Garantex exchange, LockBit ransomware, and other operations.
On the downside, the latest DPRK-led phishing tactics are more aggressive than ever. Check out the Phishing section below to ensure your project doesn’t become their next target.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Let’s dive into the news!
News
- U.S. intel vets helped crypto firm soar, unaware of infamous hacker behind it. The report reveals Morgan Marquis-Boire, a security professional ostracized from the community for a series of violent sexual assaults, is behind Unciphered, a crypto wallet recovery service.
- Trezor discloses potential vulnerability in older Safe 3 crypto wallets following white hat research by rival Ledger.
- DPRK got rugged for $3.1M by a malicious Tornado Cash UI (reported by ZachXBT).
- Unknown attacker causes headaches during Pectra upgrade on Sepolia.
- THORChain at crossroads: Decentralization clashes with illicit activity.
Crime
- Alleged Co-Founder of Garantex Arrested in India by Krebs On Security.
- Cryptocurrency Founder And CEO Convicted Of Wire Fraud And Money Laundering In Connection With Marketing And Sale Of AML Bitcoin.
- Argentina seeks arrest of U.S. crypto figure tied to Melania and Milei cryptocurrencies. In the meantime, LIBRA co-creator Hayden Davis caught cashing out millions.
- UK CPS authorizes charges against NCA officer over alleged theft of bitcoin now worth $4.2 million.
- Alleged Russian LockBit developer extradited from Israel, appears in New Jersey court.
- Man arrested, accused of being the getaway driver in Amouranth home invasion case.
- MTI Co-Mastermind Clynton Marks Arrested Over Unanswered Questions.
- The Wiretap: A $60 Million Bitcoin Seizure Shows Cops Are Still Chasing Down Silk Road Dealers.
Phishing
- A victim lost $1.82M worth of cUSDCv3 due to phishing transaction signatures by Scam Sniffer.
- Analysis of LinkedIn Recruitment Phishing by 23pds & Thinking (SlowMist).
- I just got a scam attempt by a Linkedin "recruiter" by swader.eth.
- X accounts of Kaito and founder Yu Hu hacked to spread unfounded reports of token supply issues.
- Crypto founders report deluge of North Korean fake Zoom hacking attempts.
- Meteora says co-founder’s X account hacked after ‘parasitic’ memecoin post.
Malware
- Captain MassJacker Sparrow: Uncovering the Malware’s Buried Treasure by Ari Novick (CyberArk). The report uncovers a clipboard hijacking malware campaign to replace crypto addresses with the ones controlled by attackers.
- Exposed Jupyter Notebooks Targeted to Deliver Cryptominer by Tara Gould (Cado).
- Lookout Discovers New Spyware by North Korean APT37 by Lookout. The malware, KoSpy, appears to target South Korean Android users.
Media
- Bountyhunt3rz - Episode 7 - riproprip.
- Smart Contract Security and On-Chain Fraud Prevention with AI - DSS Monthly Webinar.
Research
- GammaSwap Bug Bounty Write-up by Arz.
- Total network shutdown caused by receipts exceeding max size by 100proof. Exploiting NEAR using action receipts.
- Debugging Hardhat smart contract project with Tenderly by Caliber.
- Using Cursor to explain smart contract logic thread by GuiseppeDeLaZara.
- Attacking & Fuzzing Polkadot Node – Triggering Denial-of-Service via Gossamer RPC Flaws by Fuzzing Labs.
- Arbitrary CPI Attacks in Solana by ImmuneBytes.
- Solidity EOF reentrancy possibility in transfer by pcaversaccio.
- A thread on abusing EIP-7702 to drain whole wallets by Daniel Von Fange.
- ERC-7699: ERC-20 with Transfer Reference Extension by Yiğit Yektin (2077 Research).
- Passkeys Explained: How to Use Them Safely by Hilary (Cantina).
- Common security vulnerabilities in APTOS by Spearbit.
- Building a Bitcoin Wallet from Scratch: Two Months of Solo Development Insights by Tristan Bietsch.
- Control Flow Graph reconstruction for EVM bytecode by Franck Cassez.
- Verified Control Flow Graphs for EVM Bytecode by Franck Cassez.
- What's the significance of Custom Storage Layouts? by LearnEVM. A nice discussion of the recently introduced Solidity feature.
- Slow is Fast! Dissecting Ethereum's Slow Liquidity Drain Scams.
- Assessing Vulnerability in Smart Contracts: The Role of Code Complexity Metrics in Security Analysis.
Tools
- Daily Warden. Active and upcoming security contests.
- evm-dis by franck44. An EVM bytecode disassembler/assembler which can generate control flow graphs. Used in the ByteSpector tool. Coupled with evm-dis-app by aodhgan for the front-end.
- Introducing Multi-Sim: A new standard for verifying transactions by Gnosis Guild.
- Add halmos docs as context to Cursor by karma.
- BlockSec Launches Safe{Wallet} Security Monitoring Solution.
- CRADLE Intelligence Hub by Prodaft. Batteries-included collaborative knowledge management solution for threat intelligence researchers.
Hacks
MAID
Date: March 13, 2025
Attack Vector: Stolen Private Keys
Impact: $166,000
Chain: Ethereum
References:
https://x.com/TikkalaResearch/status/1900220648674504819
Exploit:
https://etherscan.io/tx/0xd6ffcbfb3a8032eb91166a993e7b121257e4e0d2430701d1b1d1aaf234d79baf
Berally
Date: March 14, 2025
Attack Vector: Stolen Private Keys
Impact: $86,000
Chain: Berachain
References:
https://x.com/Berally_io/status/1900732333562744870
https://x.com/Berally_io/status/1900855059069759571
Exploit:
https://beratrail.io/tx/0xe98f1eb77661dc6b91c0880b6c29516228134d803500c6abe03beb0140dc5355
H2O Token
Date: March 14, 2025
Attack Vector: Reward Manipulation
Impact: $22,000
Chain: BSC
References:
https://nickfranklin.site/2025/03/16/h20-token-hacked/
Exploit:
https://bscscan.com/tx/0x994abe7906a4a955c103071221e5eaa734a30dccdcdaac63496ece2b698a0fc3
wkeyDAO
Date: March 14, 2025
Attack Vector: Incorrect Price Oracle
Impact: $730,000
Chain: Ethereum
References:
https://x.com/TikkalaResearch/status/1900699235160650125
https://x.com/Phalcon_xyz/status/1900809936906711549
https://nickfranklin.site/2025/03/16/wkeydao-token-hacked/
Exploit:
https://bscscan.com/tx/0xc9bccafdb0cd977556d1f88ac39bf8b455c0275ac1dd4b51d75950fb58bad4c8