BlockThreat - Week 14, 2025

Greetings!

Just three exploits this week, totaling around $70M in losses—most of it from a single victim of private key theft, UPCX. Interestingly, the project reported that all stolen funds were back under their control just a few days later.

We’re wrapping up a brutal Q1, marked by record-breaking hacks, sophisticated North Korean campaigns targeting the entire ecosystem, hundreds of millions lost to phishing, and plenty of other nastiness. Hang in there, folks. The fight is worth it.

Before we dive into the news, a special thank you to this week’s sponsor—Recon.

Get a Recon Invariant Audit: a powerful testing suite plus world-class auditors to catch what others miss. Open-source, no vendor lock-in, and proven to find severe bugs. Before spending millions on audits, invest in tests that evolve over time that catch bugs and keep them from coming back.

See our portfolio: https://getrecon.xyz/#services.

Let’s dive into the news!

News

• Someone stole the stolen money from ZKLend while the attacker tried to launder funds on a Tornado Cash phishing site. However, this may be a case of misdirection where the thief and the victim are the same person.
• Usual and Sherlock launch crypto’s ‘largest bug bounty prize in history,’ offering $16 million to find a critical vulnerability.
• Coinbase-backed web3 security shop Harpie announces immediate shutdown due to financial difficulties.
• eXch announces a merger, leaving Belize. Delists USDT and USDC.
• Sigma Prime patches critical security bug in Electra consensus nodes.
• Operation ForumTroll: APT attack with Google Chrome zero-day exploit chain.
• Mozilla Patches Critical Firefox Bug Similar to Chrome's Recent Zero-Day Vulnerability.
• Q1 2025 Hack3d Report by CertiK.
• SlowMist: 2025 Q1 MistTrack Stolen Funds Analysis.

Crime

• Demystifying the North Korean Threat by samczsun (SEAL).
• North Korea tech workers found among staff at UK blockchain projects.
• A Thriller Gone Real: Alleged Scammer Kidnapped by Fake Police, Loses $50 Million.
• FBI Albuquerque, federal prosecutors seize cryptocurrency allegedly meant for Hamas.
• Greenberg Glusker Secures Landmark $33M Arbitration Award Against T-Mobile for SIM Swap Security Failures.
• Iran Officials Allegedly Steal $21 Million in Crypto While 'Investigating' Corruption.
• UK Police Recover $671,000 in Stolen Crypto Under Proceeds of Crime Act.
• First Digital to 'Pursue Legal Action' Over Justin Sun Allegations as FDUSD Drops.

Policy

• Thai SEC Files Criminal Complaint Against OKX for Unlicensed Operations.

Phishing

• One Time Pwnage: SEAL Releases Advisory On SLOVENLY COMET. SMS-based authentication is bad enough, but when an SMS gateway gets hacked that’s taking things to the next level.
• Coinbase user reportedly scammed of $34 million in Bitcoin according to ZachXBT.
• Bitcoin ‘address poisoning’ attacks on the rise, warns Casa CSO Jameson Lopp.
• Reports of a targeted X hijacking campaign by Guillermo Rauch.
• Reports of a new Cloudflare human verification scam which drops malware on unsuspecting users.
• North Korean hackers adopt ClickFix attacks to target crypto firms.
• The Impersonator by Rekt. An analysis of the NickLFranklin personae working on behalf of the DPRK regime.
• A Sneaky Phish Just Grabbed my Mailchimp Mailing List by Troy Hunt.

Scams

• A survey of Bitboy scams by ZachXBT.
• Cronos blockchain to reissue 70 billion burned tokens from 2021 as controversial vote gets approved.
• SEC Closes Investigation Into Haliey Welch Over Alleged HAWK Memecoin Rug Pull: Report.

Malware

• Lazarus Expands Malicious npm Campaign: 11 New Packages Add Malware Loaders and Bitbucket Payloads by Kirill Boychenko (Socket).
• Hackers Preloading Counterfeit Android Phones With Crypto-Stealing Malware: Kaspersky.
• Over 1,500 PostgreSQL Servers Compromised in Fileless Cryptocurrency Mining Campaign.
• Outlaw Group Uses SSH Brute-Force to Deploy Cryptojacking Malware on Linux Servers.
• Multiple crypto packages hijacked, turned into info-stealers by Ax Sharma (Sonatype).

Contests

• BuidlGuidl CTF - Challenge #4.

Media

• Bountyhunt3rz - Episode 9 - jack sanford.
• Immunefi - The Magnus Show Ep. 2 on AIXBT bot hack, LLMs and security with Mitchell Amador and Yikesawjeez.
• Security Weekly - Finding a Use for GenAI in AppSec - Keith Hoodlet - ASW #323 with Keith Hoodlet.
• How Two Brothers Stole 69,000 Bitcoin and Vanished.

Research

• Total NEAR Shutdown by neumo and 100proof.
• On-Chain Analysis of Smart Contract Dependency Risks on Ethereum.
• LookAhead: Preventing DeFi Attacks via Unveiling Adversarial Contracts.
• The Three Prompts of Spec Thinking: Yet Another Lens for Smart Contract Auditing by Dravee.
• The Unavoidable Extinction of Public Audits by Carlos Alegre (SigmaPrime).
• How to Multisig - Best practices on how to implement secure standard operation procedures for multisigs by Fredrik Svantes.
• How to deploy (Gnosis) Safe Multisig locally using anvil by bugbountydegen.
• Exchange Rate Manipulation in ERC4626 Vaults by Alberto Cuesta Canada, Dariusz Glowinski (Euler Finance).
• A simple L2 security and finalization roadmap by Vitalik Buterin.
• The Case for EOF by Kamil Śliwak (Solidity Team).

Tools

• Aderyn VS Code Extension by Cyfrin Audits.
• Safe Utils by OpenZeppelin.
• Snubb - multichain token approval scanner in your terminal by jonjon.
• esprl - private EVM blockchain explorer by Paul Mullr.
• Coinbase MPC Library.

Hacks

Sonic Labs

Date: March 31, 2025
Attack Vector: Reward Manipulation
Impact: $45,000
Chain: Sonic

References:

https://x.com/Phalcon_xyz/status/1906898583632466113

Exploit:

https://sonicscan.org/tx/0x99826efc22a3680bbbd669c218f0b826225cf503f3fe91b9dc8799aed7e69dbe

UPCX

Date: April 01, 2025
Attack Vector: Stolen Private Keys
Impact: $70,000,000
Chain: Ethereum

References:

https://x.com/SlowMist_Team/status/1907053995832816005

https://x.com/CyversAlerts/status/1907046941906653633

https://x.com/Upcxofficial/status/1907024397497749647

https://x.com/Upcxofficial/status/1908081862742065574

Exploit:

https://etherscan.io/tx/0xca9321892a7c9948b5f46caa68eebd0f451236be4747586a84e9560cd3d5ab14

OPC

Date: April 01, 2025
Attack Vector: Insufficient Function Access Control
Impact: $107,500
Chain: BSC

References:

https://x.com/Phalcon_xyz/status/1907047579554320686

https://x.com/TenArmorAlert/status/1907035768817594724

https://x.com/TikkalaResearch/status/1907239795157569826

Exploit:

https://bscscan.com/tx/0x65a29faf44c5be567e9ea2aa419254263a1b8553799258d9e36769a06ceac109