BlockThreat - Week 16, 2025
eXch | DPRK | Elusive Comet | KiloEx | zkSync | R0AR
Greetings!
Nearly $14M was stolen across six incidents this week, with the Chinese crypto underground implicated in laundering DPRK-linked funds, and the latest crypto phishing techniques, including DKIM replay and Calendly spoofing attacks, making the rounds.
Let’s start with the relatively good news: most of that was stolen and later returned in a high-profile heist involving KiloEx. The $7.5M exploit was coordinated across multiple chains and abused the same insufficient function parameter validation to gain control over the protocol’s price-setting method. After manipulating prices and rapidly opening and closing ETH positions, the attacker quickly drained the protocol.
The silver lining? The attacker accepted a 10% bounty and returned the majority of the funds, thanks to efforts from SlowMist, SEAL 911, BlockSec, and others.
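The bug class behind the KiloEx incident, as an added hypothetical illustration and not KiloEx's own code: a price-setting function that authorizes a caller-supplied address instead of msg.sender, shown beside a hardened version that gates the call on the real sender and bounds the price change. Contract and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical perp-style price feed whose settlement prices are pushed by a keeper.
// All names are assumptions for illustration; this is not KiloEx's code.
contract VulnerablePriceFeed {
    mapping(address => bool) public isKeeper;
    mapping(bytes32 => uint256) public price; // market id => price

    constructor() { isKeeper[msg.sender] = true; }

    // BUG: the "keeper" is a parameter chosen by the caller, not msg.sender, so the
    // require() checks an address the caller picked. Anyone who passes a real keeper's
    // address can set an arbitrary price for any market.
    function setPrice(address keeper, bytes32 market, uint256 newPrice) external {
        require(isKeeper[keeper], "not keeper");
        price[market] = newPrice;
    }
}

contract HardenedPriceFeed {
    mapping(address => bool) public isKeeper;
    mapping(bytes32 => uint256) public price;
    uint256 public constant MAX_DEVIATION_BPS = 500; // reject moves larger than 5% per update

    constructor() { isKeeper[msg.sender] = true; }

    modifier onlyKeeper() {
        require(isKeeper[msg.sender], "not keeper"); // identity comes from the EVM, not an argument
        _;
    }

    // The authorized actor is msg.sender, and the parameter itself is validated:
    // no zero price, and the change is bounded so one bad update cannot swing the market.
    function setPrice(bytes32 market, uint256 newPrice) external onlyKeeper {
        require(newPrice != 0, "zero price");
        uint256 old = price[market];
        if (old != 0) {
            uint256 diff = newPrice > old ? newPrice - old : old - newPrice;
            require(diff * 10_000 <= old * MAX_DEVIATION_BPS, "deviation too large");
        }
        price[market] = newPrice;
    }
}
```

A deviation bound alone is not a fix for missing authorization; it limits the blast radius of a single bad update, which is why the hardened version applies both checks.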
Now for the less happy stuff.
A private key compromise on zkSync cost a developer $5M from airdrop-related contracts. On the one hand, it’s good the damage was relatively contained. On the other—why wasn’t a multisig slapped on anything holding more than lunch money?
Then there’s R0AR, which lost $790K due to a backdoor snuck in by one of the developers. Yet again: how was this missed in both pre- and post-deployment audits?
Finally, the rest of the week was marked by alarm bells over Elusive Comet’s latest campaign—sneaking into Telegram chats, phishing emails, and luring victims into malfunctioning Zoom calls. Stay paranoid. Please be safe and review SEAL’s advisory.
Let’s dive into the news!
News
- Non-KYC exchange eXch to close down under money laundering scrutiny tied to Lazarus Group.
- Phantom Wallet Sued Over $500K Meme Coin Theft Linked to Alleged Security Flaw. Unlikely to succeed, but an interesting development if picked up as a trend by other crypto theft victims.
- Chinese chip used in bitcoin wallets is putting traders at risk. The article focuses on bugs/features in the ESP32 chip that may allow remote private key theft from hardware wallets such as Blockstream.
- Major crypto exchanges suffer complications after AWS outage.
- Mantra of Misfortune by Rekt. Explores a quiet cash-out ahead of the full $5B meltdown of the Mantra chain.
Crime
- China Is Fueling Crypto Crime, From North Korea to Mexican Cartels.
- Crypto Casino Founder Richard Kim Arrested After Gambling Away Investor Funds.
Policy
Phishing
- Google Spoofed Via DKIM Replay Attack: A Technical Breakdown. The technique was already used to target crypto folks.
- Crypto CEO Loses $100K in Zoom Call Hack by ‘ELUSIVE COMET’.
- X Account Takeover in One Click from a fake Calendly/Calendar link by Louis Marquenet (Opsek).
- Mitigating ELUSIVE COMET Zoom remote control attacks by Trail of Bits.
- Beginner’s Guide to Web3 Security: Clipboard Risks by SlowMist.
- North Korean hackers target crypto devs with fake recruitment tests.
Malware
- Crypto Developers Targeted by Python Malware Disguised as Coding Challenges.
- Node.js Malware Campaign Targets Crypto Users with Fake Binance and TradingView Installers.
- What is Bitcoinlib, and how did hackers target it?
Media
- Bountyhunt3rz - Episode 11 - merkle_bonsai.
Research
- Time-to-Hack: How fast vulnerable smart contracts get exploited? by Decurity. 49% of vulnerable smart contracts are exploited within the first 30 days after deployment, with many hacks occurring within just 7 days.
- NEAR Smart Contract Auditing: Accounts & Access Control by Elmedin Burnik (Sigma Prime).
- EthCluster: An Unsupervised Static Analysis Method for Ethereum Smart Contract.
- Enhancing Smart Contract Security Analysis with Execution Property Graphs.
- A Multi-Layered Security Analysis of Blockchain Systems: From Attack Vectors to Defense and System Hardening.
- Topological Analysis of Mixer Activities in the Bitcoin Network.
- From Data Behavior to Code Analysis: A Multimodal Study on Security and Privacy Challenges in Blockchain-Based DApp.
- WalletProbe: A Testing Framework for Browser-based Cryptocurrency Wallet Extensions.
- Clustering and analysis of user behaviour in blockchain: A case study of Planet IX.
- OpDiffer: LLM-Assisted Opcode-Level Differential Testing of Ethereum Virtual Machine.
- Malicious Code Detection in Smart Contracts via Opcode Vectorization.
Tools
Hacks
KiloEx
Date: April 14, 2025
Attack Vector: Function Parameter Validation
Impact: $7,500,000 (Recovered $6,750,000)
Chain: Base, BNB, Taiko, opBNB, Manta
References:
https://x.com/CyversAlerts/status/1912868664946335888
https://x.com/shoucccc/status/1911862514440376446
https://x.com/KiloEx_perp/status/1911899600849617330
https://x.com/SlowMist_Team/status/1911991384254402737
https://blog.solidityscan.com/kiloex-vault-hack-analysis-123a086ccae3
https://quillaudits.medium.com/kiloex-exploit-breakdown-7-4m-drained-across-chains-ff6e2293d5cb
Recovery:
https://www.theblock.co/post/350807/kiloex-hacker-legal-pursuit
https://x.com/SlowMist_Team/status/1913184062656909646
Exploit:
https://basescan.org/tx/0x6b378c84aa57097fb5845f285476e33d6832b8090d36d02fe0e1aed909228edd
https://opbnbscan.com/tx/0x79eb28ae21698733048e2dae9f9fe3d913396dc9d93a0e30d659df6065127964
YB Token
Date: April 16, 2025
Attack Vector: Frontrunning
Impact: $15,300
Chain: BNB
References:
https://x.com/TenArmorAlert/status/1912684902664782087
Exploit:
https://bscscan.com/tx/0xe1e7fa81c3761e2698aa83e084f7dd4a1ff907bcfc4a612d54d92175d4e8a28b
https://github.com/SunWeb3Sec/DeFiHackLabs/blob/main/src/test/2025-04/YBToken_exp.sol
Unkn_f02089
Date: April 16, 2025
Attack Vector: Reentrancy
Impact: $9,000
Chain: BNB
References:
https://x.com/TikkalaResearch/status/1912949995013283894
Exploit:
https://bscscan.com/tx/0x9371a97bee0128e5e9712c09d9f302ffb2bc986ea591fe16da604c4787f72e5a
R0AR
Date: April 16, 2025
Attack Vector: Insider Threat
Impact: $790,000
Chain: Ethereum
References:
https://x.com/SlowMist_Team/status/1912417097269014825
https://x.com/MistTrack_io/status/1912418731923501258
https://x.com/CertiKAlert/status/1912430535999189042
Exploit:
https://etherscan.io/tx/0xab2097bb3ce666493d0f76179f7206926adc8cec4ba16e88aed30c202d70c661
BTNFT
Date: April 18, 2025
Attack Vector: Reward Manipulation
Impact: $19,000
Chain: BNB
References:
https://x.com/TenArmorAlert/status/1913500336301502542
https://x.com/TikkalaResearch/status/1913321886878220525
Exploit:
https://bscscan.com/tx/0x7978c002d12be9b748770cc31cbaa1b9f3748e4083c9f419d7a99e2e07f4d75f
Numa
Date: April 18, 2025
Attack Vector: Price Oracle Manipulation
Impact: $500,000
Chain: Arbitrum
References:
https://x.com/CyversAlerts/status/1913873822987505939
https://x.com/hklst4r/status/1913977267656499662
Exploit:
https://arbiscan.io/tx/0x74a19463e3cc1d131a92599f2ff28effe13064d7c7480c851e7249708de40e3c