BlockThreat - Week 12, 2025
Tornado Cash | DPRK | Zoth | Wemix | Aixbt | Four Meme | BBX | Vicuna | DeHub
Greetings!
More than $8.6M was stolen this week across six incidents. The majority of the funds were taken from Zoth, which had already lost $285K earlier this month in a traditional smart contract exploit. This time, they suffered a full-blown $8.4M private key compromise. Meanwhile, yet another server breach led to the theft of $100K following the hack of the AI trading platform Aixbt.
What’s more concerning is learning about the $6.2M Wemix compromise nearly a month after the fact. One of the great things about this industry is that onchain events are eventually uncovered—but delays in disclosure only hurt users who might have taken protective action. I wish Wemix had followed the excellent example set by Bybit, which handled its recent incident with full transparency.
Speaking of Bybit, DPRK has moved to the next phase of its laundering operation, actively obfuscating funds using Wasabi, TC, and other tools. Even more interesting is a new tactic to hide the flow of funds: sandwiching transactions with MEV bots. This creates a layer of misdirection, making it appear as though profits are coming from unprofitable trades while actually funneling them to attacker-controlled block builders.
On a more positive note, Tornado Cash is no longer on the OFAC list—an outcome made possible by the relentless efforts of a dedicated group of individuals. You know who you are. Thank you. However, the battle isn’t over yet, as addresses belonging to TC developers remain sanctioned.
Before we dive into the news, a special thank you to this week’s sponsor—Recon. You’re likely already familiar with their groundbreaking research on invariant testing by Nican0r and the team, frequently featured in past editions. Now, you can tap into their expertise to keep your projects and users safe.
Get a Recon Invariant Audit: a powerful testing suite plus world-class auditors to catch what others miss. Open-source, no vendor lock-in, and proven to find severe bugs. Before spending millions on audits, invest in tests that evolve over time that catch bugs and keep them from coming back.
See our portfolio: https://getrecon.xyz/#services.

Let’s dive into the news!
Events
- Phrack 72 CFP deadline extended until June 15th. A challenge for the blockchain security community to share their baddest exploitation techniques in the premier hacking zine.
News
- US drops Tornado Cash sanctions, frontend remains compromised. See link for uncompromised version of the UX.
- Money launderers are mimicking terrible traders to bypass detection, crypto security experts say.
- Wemix says delay in disclosing $6.2 million hack was to prevent panic.
- eXch claiming whitehats (bax1337 in particular) are trying to hack them to claim the Lazarus bounty. I would be much more worried about DPRK taking more interest in you rather than security researchers.
- Large enterprises scramble after supply-chain attack spills their secrets. The attack initially targeted Coinbase, but expanded to a wider range of targets.
- 2025 Crypto Crime Report by TRM.
Crime
- Crypto industry is ‘cooked’ when it comes to dealing with hacks, money laundering – ZachXBT.
- N. Korea ramps up cyber offensive: New research center to focus on AI-powered hacking.
- Crypto exchange OKX shuts down tool used by North Korean hackers to launder stolen funds.
- Stolen Bybit funds started moving through mixers including Wasabi, CryptoMixer, Railgun, and TornadoCash.
- Vultisig founder says DPRK-linked Bybit transactions are ‘legitimate’.
- ZachXBT Exposes Hyperliquid Whale’s $20M Profits From Illicit Funds and Casino Exploits.
- Crypto platform Debiex must pay $2.5M in CFTC ‘pig butchering’ case.
- Police Arrest Four Teens Over Amouranth Home Invasion, Attempted Bitcoin Theft.
- Same Garantex, Different Sauce. “New” Russian Exchange Grinex Launched.
- Director arrested after spending $17M budget for failed Netflix show on crypto, sports cars and divorce fees.
Phishing
- SEAL Releases Advisory on Reflected XSS Exploits by Perpetual Drainer.
- Beware of address poisoning attacks on EOS by SlowMist.
- SMS scammers posing as Binance have an even trickier way to fool victims.
- Watcher.Guru Reports X Account Breach Amid Social Engineering Suspicions.
Scams
- You Are the Exit Liquidity by Rekt.
- The Wolf of Rug Street by Rekt. Updates on the exploits of Hayden Davis.
Malware
- AMOS and Lumma stealers actively spread to Reddit users by Jérôme Segura (Malwarebytes). The malware uses “cracked” TradingView software as a lure.
- StilachiRAT analysis: From system reconnaissance to cryptocurrency theft by Microsoft Incident Response. The malware targets sensitive data stored in Chrome extensions such as Metamask.
Contests
Media
- CBER Forum - Mitigation of Maximal Extractable Value (MEV) with Julian Ma.
- How the Rust Compiler Works, a Deep Dive by Daniel Cumming (Runtime Verification).
- Honeypot caught them in 4k by Matt Johansen. The story of industrial espionage and a carefully crafted honeypot to reveal them.
Research
- The Notorious Bug Digest #2 by Frank Lei, Ionut-Viorel Gingu and Victor Xie (OpenZeppelin).
- Halting Cross-chain: Axelar Network Vulnerability Disclosure by Marco Nunes.
- From exposed Redis to full RCE to exploit web3 by publicqi (Fuzzland).
- Cross-chain Reentrancy Attack by Naoki Yoshida (Ackee Security).
- Differential Cryptanalysis 101 – Exploring Differential Methods in Block Ciphers by Matteo Ahouanto and Patrick Ventuzelo (Fuzzing Labs).
- Awesome Solana Security by 0xMacro.
- Reversing Solana programs with IDA by Alexey Posikera (Decurity).
- Solana Attack Vector #3: Solana Account Revival Attacks by ImmuneBytes.
- NEAR Smart Contract Auditing: Storage by Toon Van Hove (Sigma Prime).
- Leveraging Slither and Interval Analysis to build a Static Analysis Tool by Stefan-Claudiu Susan. A neat approach to reach previously unreachable code.
- zkMixer: A Configurable Zero-Knowledge Mixer with Proof of Innocence and Anti-Money Laundering Consensus Protocols.
- Bitcoin Battle: Burning Bitcoin for Geopolitical Fun and Profit.
- Scam Detection for Ethereum Smart Contracts: Leveraging Graph Representation Learning for Secure Blockchain.
- AI Agents in Cryptoland: Practical Attacks and No Silver Bullet.
- EOF: When Complexity Outweighs Necessity by pcaversaccio.
- The Yieldoor Gas Optimizoor by Dacian.
- Modern Stablecoins, How They're Made: F(x) Protocol 2.0 by Sergey Boogerwooger and Artem Petrov (MixBytes).
- Cross-Chain Protocol Analysis Series: THORChain by Lyndon and Lisa (SlowMist).
- ERC-4337: 2 Years After by Nikhil Bhintade (2077 Research).
- Intro to Smart Contract Security Auditing — Deploying Different Contracts to the Same Address by White (SlowMist).
- A questionable design choice in Stacks/Clarity by 100proof and neumoXX. Exploiting NFT contracts on Stacks.
- What Smart Contracts Developers Can Adopt from Aerospace Software Security Practices by Cyfe45.
- Hacker breaks into AI crypto bot aixbt’s dashboard to snatch 55 ETH.
Hacks
DeHub
Date: March 17, 2025
Attack Vector: Insufficient Function Access Control
Impact: $5,000
Chain: BSC
References:
https://x.com/Phalcon_xyz/status/1901599212397027541
https://x.com/TenArmorAlert/status/1901645173576138843
Exploit:
https://bscscan.com/tx/0xa294e867ca061b74980d4915190c3e3fffcc8d3e8d71f54b6267e49bc21f2856
Four Meme
Date: March 17, 2025
Attack Vector: Insufficient Function Access Control
Impact: $130,000
Chain: BSC
References:
https://x.com/TenArmorAlert/status/1901914087799546343
https://x.com/PeckShieldAlert/status/1901875929904971861
https://quillaudits.medium.com/four-memes-120k-attack-analysis-600069c05436
https://protos.com/binance-memecoin-platform-four-meme-exploited-again-this-time-for-130k/
Recovery:
https://x.com/four_meme_/status/1901927377917350033
Exploit:
https://bscscan.com/tx/0xd9177f643e29fea98a609a9a82cd97bb843f914e3eddf4fbaa6f0da7b5824f3d
AIXBT Agent
Date: March 18, 2025
Attack Vector: Server Compromise
Impact: $105,000
Chain: Base
References:
https://x.com/0rxbt/status/1901898651926143088
https://x.com/0rxbt/status/1901992776436441176
https://x.com/supremeleadoor/status/1901869830267167026
https://decrypt.co/310510/aixbt-ai-influencer-hacked-100k-ethereum
Exploit:
https://basescan.org/tx/0xddf07a87ec863b45fc91ea519acc7b6c318a6fdd49968d9a17aba8a0e135ee2a
Vicuna Finance
Date: March 19, 2025
Attack Vector: Function Parameter Validation
Impact: $4,700
Chain: Sonic
References:
https://x.com/Phalcon_xyz/status/1902323718031822931
https://x.com/0xNickLFranklin/status/1902370410223530237
https://nickfranklin.site/2025/03/19/vicuna-finance-exploit/
Exploit:
https://sonicscan.org/tx/0xc306328c30822c1ac802021cba89c24ac7c0b5227f9f5d965bb8e16a21682192
BBX Token
Date: March 20, 2025
Attack Vector: Price Oracle Manipulation
Impact: $12,000
Chain: BSC
References:
https://x.com/TenArmorAlert/status/1902651550733906379
https://blog.solidityscan.com/bbx-token-hack-analysis-f2e962c00ee5
Exploit:
https://bscscan.com/tx/0x0dd486368444598610239b934dd9e8c6474a06d11380d1cfec4d91568b5ac581
Zoth
Date: March 21, 2025
Attack Vector: Stolen Private Keys
Impact: $8,400,000
Chain: Ethereum
References:
https://x.com/0xtroll/status/1903014129457332346
https://x.com/PeckShieldAlert/status/1903029531558154725
https://x.com/CyversAlerts/status/1903021017460600885
https://x.com/zothdotio/status/1903024419028734265
https://protos.com/rwa-platform-zoth-suffers-second-hack-this-month-loses-8-4m/
Exploit:
https://etherscan.io/tx/0x33bf669d125d11c432ac9b52b9d56161101c072fd8b0ac2aa390f5760fb50ca4
https://etherscan.io/tx/0xb2335f7bf58abbcaa006d0a2bed7db2c64a5dabed56fb1759260adc012c49abe