BlockThreat - Week 15, 2025
Morpho | Wayfinder | MEV | LibertyUseCase | Cosmos
Greetings!
Over $3M stolen this week across six incidents. The bulk of the losses came from the Morpho hack, which lost $2.6M due to an exploit introduced during a front-end upgrade. A misconfiguration in how users were prompted to sign transactions led one user to unknowingly sign an unlimited permit to a multicall contract—allowing anyone to drain it. Fortunately, a known whitehat MEV bot frontran the attacker.
This incident is a stark reminder: even in the world of smart contract exploits, we often overlook trust assumptions in the underlying infrastructure—including the websites that generate complex transactions for users to sign.
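A concrete defender-side check for the failure mode described above, added here as an example and not code from the newsletter, Morpho, or any wallet: before a wallet signs the EIP-712 typed data a dapp front-end hands it (an EIP-2612 `Permit`), it can flag an effectively unlimited allowance, a spender that is not the contract the user meant to approve, and a far-future deadline. The function names, the thresholds, and the sample typed data are all assumptions constructed for the example.

```javascript
// Added example (not from the newsletter or any project): a wallet-side guard
// for EIP-2612 "permit" signature requests. The dapp front-end passes EIP-712
// typed data to the wallet (eth_signTypedData_v4); this check runs before the
// user is asked to sign. Names, thresholds and sample data are assumptions.

const UINT256_MAX = (1n << 256n) - 1n;
// Allowances at or above this are treated as "unlimited" (assumed threshold).
const UNLIMITED_THRESHOLD = UINT256_MAX / 2n;
// Deadlines more than a year out are flagged (assumed threshold).
const MAX_DEADLINE_HORIZON_SECONDS = 365n * 24n * 3600n;

function normalizeAddress(addr) {
  return String(addr).trim().toLowerCase();
}

// typedData: the EIP-712 object (or its JSON string) the dapp asked to sign.
// expectedSpender: the contract the user actually intends to approve.
// nowSeconds: injectable clock so the check is deterministic in tests.
function checkPermitRequest(typedData, expectedSpender,
                            nowSeconds = Math.floor(Date.now() / 1000)) {
  const data = typeof typedData === "string" ? JSON.parse(typedData) : typedData;
  const findings = [];

  // Only EIP-2612-style Permit messages are inspected here.
  if (data.primaryType !== "Permit" || !data.message) {
    return { isPermit: false, findings };
  }

  const msg = data.message;
  const value = BigInt(msg.value);        // accepts decimal or 0x-hex strings
  const spender = normalizeAddress(msg.spender);
  const deadline = BigInt(msg.deadline);

  if (value >= UNLIMITED_THRESHOLD) {
    findings.push("unlimited-allowance");
  }
  if (spender !== normalizeAddress(expectedSpender)) {
    findings.push("unexpected-spender");
  }
  if (deadline > BigInt(nowSeconds) + MAX_DEADLINE_HORIZON_SECONDS) {
    findings.push("far-future-deadline");
  }

  return { isPermit: true, findings, spender, value, deadline };
}

const PERMIT_TYPES = {
  EIP712Domain: [
    { name: "name", type: "string" }, { name: "version", type: "string" },
    { name: "chainId", type: "uint256" }, { name: "verifyingContract", type: "address" },
  ],
  Permit: [
    { name: "owner", type: "address" }, { name: "spender", type: "address" },
    { name: "value", type: "uint256" }, { name: "nonce", type: "uint256" },
    { name: "deadline", type: "uint256" },
  ],
};

// Constructed sample: the shape a misconfigured front-end could produce, an
// unlimited, never-expiring approval to a contract other than the intended one.
const SAMPLE_UNLIMITED_PERMIT = {
  types: PERMIT_TYPES,
  primaryType: "Permit",
  domain: { name: "Token", version: "1", chainId: 1,
            verifyingContract: "0x3333333333333333333333333333333333333333" },
  message: {
    owner: "0x4444444444444444444444444444444444444444",
    spender: "0x2222222222222222222222222222222222222222",
    value: UINT256_MAX.toString(),
    nonce: 0,
    deadline: UINT256_MAX.toString(),
  },
};

// Constructed benign sample: bounded amount, expected spender, one-hour deadline.
function makeBenignPermit(nowSeconds) {
  return {
    types: PERMIT_TYPES,
    primaryType: "Permit",
    domain: SAMPLE_UNLIMITED_PERMIT.domain,
    message: {
      owner: "0x4444444444444444444444444444444444444444",
      spender: "0x1111111111111111111111111111111111111111",
      value: "1000000",
      nonce: 1,
      deadline: String(nowSeconds + 3600),
    },
  };
}

const INTENDED_SPENDER = "0x1111111111111111111111111111111111111111";
console.log(checkPermitRequest(SAMPLE_UNLIMITED_PERMIT, INTENDED_SPENDER).findings);
```

The expected spender has to come from somewhere the front-end cannot control, for example the wallet's own view of which contract the user is interacting with, otherwise a compromised or misconfigured site can simply supply a matching value.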
The remaining exploits targeted a range of systems—from vulnerable MEV bots to a nine-year-old contract left exposed and carelessly exploitable just last week. Details on each hack are available in the premium section.
One under-the-radar vulnerability report worth highlighting: Supremacy intern Yi discovered a critical flaw in Ping.pub, the Cosmos blockchain explorer. Yi found a way to compromise the hosting server, including its skeleton SSH keys. If we want to avoid another Wallet/Bybit hack, it’s crucial we give Web2 infra the attention it deserves.
Also notable this week: a spike in phishing campaigns targeting crypto developers via malicious npm, Python, and VS Code packages, as well as code repositories like SourceForge. Be vigilant and lock down your dependencies.
Before we dive into the news, a special thank you to this week’s sponsor—Recon.
Get a Recon Invariant Audit: a powerful testing suite plus world-class auditors to catch what others miss. Open-source, no vendor lock-in, and proven to find severe bugs. Before spending millions on audits, invest in tests that evolve over time that catch bugs and keep them from coming back.
See our portfolio: https://getrecon.xyz/#services.

Let’s dive into the news!
News
- ZKasino exploiter saw $27M liquidated on Hyperliquid trade.
- Ethical hacker intercepts $2.6M in Morpho Labs exploit.
- $124M Stolen — The March 2025 Crypto Crime Report by Nefture.
- 2025 Q1 BSC Security Report by HashDit.
Crime
- The FBI Hijacked and Ran a Dark Web Money Laundering Operation Called ‘ElonmuskWHM’.
- Hayden Davis still making millions from LIBRA, MELANIA memecoins.
Policy
- Trade War Theater by Rekt.
- The US Is Turning a Blind Eye to Crypto Crimes.
- Thailand targets foreign crypto P2P services in new anti-crime laws.
- Block Agrees to $40M NYDFS Penalty Over Lackluster Compliance Program.
Phishing
- PoisonSeed Exploits CRM Accounts to Launch Cryptocurrency Seed Phrase Poisoning Attacks.
- Leaking crypto secrets through poisoned MCPs, specifically targeting Base-MCP, by superoo7.
- Your BTC can be swiped by spoofers without them even contacting you.
- The whale, the hack and the psychological earthquake that hit HEX.
Scams
Malware
- Malicious npm Package Targets Atomic Wallet, Exodus Users by Swapping Crypto Addresses.
- Malicious Python Packages Attacking Popular Cryptocurrency Library To Steal Sensitive Data.
- Mining in Plain Sight: The VS Code Extension Cryptojacking Campaign by Yuval Ronen (ExtensionTotal).
- Attackers distributing a miner and the ClipBanker Trojan via SourceForge by AMR (Kaspersky).
Media
- Bountyhunt3rz - Episode 10 - rootrescue.
Research
- Rooting Cosmos’ Ping.pub explorer by Yi.
- The Pectra Holesky Incident by Eitan Seri-Levi (Sigma Prime).
- Ethereum Liquid Staking: Validator Deposit Risks & Mitigation by Ilya Teterin, Dmitry Zakharov (MixBytes).
- Tolk Security Audit: Evolution from FunC to Tolk and Security Challenges by ExVul.
- Critical Wallet Bugs Expose Users to Silent Crypto Drains by Franco Riccobaldi (Coinspect).
- Sweet Betrayal by Rekt. Governance takeover of PancakeSwap protocol.
- How to use AI (specifically LLMs) in your web3 security workflow by Tumelo_Crypto.
- Massive update to the Recon Book including invariant testing tutorials and exercises.
- Enhancing Smart Contract Vulnerability Detection in DApps Leveraging Fine-Tuned LLM.
- SmartBugBert: BERT-Enhanced Vulnerability Detection for Smart Contract Bytecode.
- Generative Large Language Model usage in Smart Contract Vulnerability Detection.
- Commit-Reveal$^2$: Randomized Reveal Order Mitigates Last-Revealer Attacks in Commit-Reveal.
- Hollow Victory: How Malicious Proposers Exploit Validator Incentives in Optimistic Rollup Dispute Games.
- Security Vulnerabilities in Ethereum Smart Contracts: A Systematic Analysis.
- SolRPDS: A Dataset for Analyzing Rug Pulls in Solana Decentralized Finance.
- Exploring Vulnerabilities and Concerns in Solana Smart Contracts.
- ECDSA Cracking Methods.
- Automated Attack Synthesis for Constant Product Market Makers.
Tools
- Halmos-helpers library v0.1.0 by Ihor Hanich. A Solidity library for quickly and conveniently preparing a Solidity project for stateful symbolic-execution checks under the Halmos engine.
- The Rekt Security Intelligence Terminal.
Hacks
MEV_49e27d
Date: April 07, 2025
Attack Vector: Insufficient Function Access Control
Impact: $181,000
Chain: Ethereum
References:
https://x.com/SlowMist_Team/status/1909459139715023097
https://x.com/muststopye/status/1909504698568392937
https://x.com/TenArmorAlert/status/1909465828178690454
Negotiations:
https://etherscan.io/tx/0xf31130c9a9141cf0656381dca532b86e0dedeed407814dbff7ba06afebd7f526
Exploit:
https://etherscan.io/tx/0x1681c269e702ccaea4a3595037b7d1c2fa4551330451ef9c61cf1db0e63e7627
Unkn_8c6562
Date: April 08, 2025
Attack Vector: Insufficient Function Access Control
Impact: $1,600
Chain: Ethereum
References:
https://x.com/TenArmorAlert/status/1909814943290884596
Exploit:
https://etherscan.io/tx/0x08ffb5f7ab6421720ab609b6ab0ff5622fba225ba351119c21ef92c78cb8302c
Morpho
Date: April 10, 2025
Attack Vector: Misconfiguration
Impact: $2,600,000 (Recovered $2,600,000)
Chain: Ethereum
References:
https://x.com/PeckShieldAlert/status/1910584222315586044
https://x.com/MorphoLabs/status/1910534213259964571
https://x.com/MorphoLabs/status/1910597882836566100
https://x.com/coinspect/status/1910748629125521492
https://x.com/TenArmorAlert/status/1910550219206303933
https://x.com/Phalcon_xyz/status/1910594360821113136
Exploit:
https://etherscan.io/tx/0xbcb1e5f7e432cf899af665b3c9f87e24337d3570e68fa7e211c962eadd83ea60
https://etherscan.io/tx/0x5ce2cf51f0e6e099c33eabb84561cb01a1acb2c9fc26c5388cedec0e4292ce99
Wayfinder
Date: April 10, 2025
Attack Vector: Frontrunning
Impact: $200,000
Chain: Ethereum
References:
https://x.com/0x_ultra/status/1910323014853611905
https://x.com/tokentable/status/1910329521326510184
https://x.com/tokentable/status/1910637960955052139
LibertyUseCase
Date: April 12, 2025
Attack Vector: Price Oracle Manipulation
Impact: $70,000
Chain: BSC
References:
https://x.com/TenArmorAlert/status/1911040262157074447
https://x.com/Phalcon_xyz/status/1911050576521236750
Exploit:
https://bscscan.com/tx/0xff77c9d0530fe6bbf6a5f24c5ddff466e0eaaa7630ecdd8cc6015c2eabf57881
Unkn_623c1c
Date: April 12, 2025
Attack Vector: Insufficient Function Access Control
Impact: $28,100
Chain: BSC
References:
https://x.com/TenArmorAlert/status/1911041324117032961
Exploit:
https://bscscan.com/tx/0x9371eb4b0da7dedc95568d508a7fc97298a27bb44947c82dc4542fe3a4e5e3c9