BlockThreat - Week 17, 2025
Ripple | VOXEL | Loopscale | BTCM | Term Labs | Impermax | LIFE | Aventa
Greetings!
Almost $9M was stolen this week across 14 incidents! We saw price oracle manipulation, key theft, precision loss, arbitrary external calls, and even the rarer storage manipulation vulnerabilities—all making an appearance.
But let’s focus on a ticking time bomb: the rise in supply chain attacks. These are becoming disturbingly frequent and have the potential to wreck the entire ecosystem. This week, it was Ripple’s turn. The xrpl.js Node package was backdoored by what appears to be a compromised employee. Fortunately, the change was caught early and flagged by Aikido.
Last month, Coinbase’s Agent Kit repo was similarly targeted through a compromised contributor who inserted key-stealing code. In December 2024, Solana’s NPM library was backdoored. We may feel lucky that damage was limited in those cases—but tell that to AdsPower users who lost $4.7M just months ago.
We’ve already witnessed our first >$1B breach due to poor key management practices—Bybit. Unless we begin to seriously lock down our code repositories and dependencies, it’s only a matter of time before another wallet or exchange gets wiped out.
Let’s learn from the infamous XZ Utils/OpenSSH incident, which nearly led to mass compromise of internet-facing servers via a sophisticated supply chain backdoor. Here are some essential controls you should implement now:
- Pin dependency versions to prevent silent, backdoored updates.
- Continuously monitor and test dependencies using tools like GitHub Dependabot, OSS Review Toolkit, and similar.
- Require peer reviews for all commits and deploys.
- Harden your CI/CD pipelines with automated tests and anomaly scanning—both in your code and in your dependencies.
- Minimize the number of privileged admins who can push packages outside the regular process. Treat them with the same caution as your key-signing infrastructure.
I get it—it’s not the glamorous side of blockchain security. But you must lock down your code repos and dependencies. Starting now!
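One concrete way to act on the first control above (pin versions, and make sure the lockfile actually carries integrity hashes so a swapped tarball fails `npm ci`). This is an added example, not code from the newsletter or from any of the projects it mentions; the package names and versions in the sample input are constructed.

```javascript
// Added example: audit an npm project for unpinned dependency ranges and
// lockfile entries without integrity hashes. Either one lets a silently
// backdoored release ride in on a routine install. Sample input below is
// constructed for the demo and names no real package version.

const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

// Returns findings; an empty list means every dependency is pinned to an
// exact version and every resolved lock entry carries an integrity hash.
function auditDependencyPins(pkg, lock) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      // Ranges (^, ~, *, >=), tags ("latest") and git URLs all fail this test.
      if (!EXACT_VERSION.test(spec)) findings.push({ kind: "unpinned", name, spec });
    }
  }
  // lockfileVersion 2/3 keeps resolved packages under "packages", keyed by
  // install path; "" is the root project itself and is skipped.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue;
    if (!entry.integrity || !entry.resolved) {
      const name = path.replace(/^node_modules\//, "");
      findings.push({ kind: "no-integrity", name, spec: entry.version });
    }
  }
  return findings;
}

// Constructed sample: one caret range, two exact pins, one lock entry that
// lost its integrity field (e.g. hand-edited or generated by an old client).
const SAMPLE_PKG = {
  dependencies: { "ledger-sdk": "^1.0.0", "wallet-utils": "2.3.1" },
  devDependencies: { "test-runner": "0.9.4" },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/ledger-sdk": { version: "1.0.7", resolved: "https://registry.example/ledger-sdk-1.0.7.tgz" },
    "node_modules/wallet-utils": { version: "2.3.1", resolved: "https://registry.example/wallet-utils-2.3.1.tgz", integrity: "sha512-CONSTRUCTED" },
    "node_modules/test-runner": { version: "0.9.4", resolved: "https://registry.example/test-runner-0.9.4.tgz", integrity: "sha512-CONSTRUCTED" },
  },
};

function runDemo() {
  const findings = auditDependencyPins(SAMPLE_PKG, SAMPLE_LOCK);
  for (const f of findings) console.log(`${f.kind}: ${f.name}@${f.spec}`);
  return findings; // two findings for the sample: unpinned and no-integrity, both for ledger-sdk
}
runDemo();
```

Wire the same check into CI so a pull request that widens a range or strips an integrity hash fails before it reaches a deploy.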
Speaking of locking things down and staying paranoid, BlockThreat is proud to have a very special sponsor and a friend this week: Opsek. Pablo and Louis are exactly who you should be talking to if you want to tune up not just your operational security—but the most critical, vulnerable layer of your organization: your people.

Is your team safe from sophisticated threat actors?
More than 98% of stolen funds in the Web3 ecosystem are hacked without breaking code but by breaking people. Opsek will train your team to become paranoid, and harden your complete operational security stack.
You are already a target, don't get rekt.
Link: https://opsek.io/
For detailed post-mortems and indicators on this week’s smart contract exploits, including Loopscale, BTCM, Term Labs, Impermax, LIFE, Aventa, and others, see the premium section below.
Let’s dive into the news!
News
- XRP supply chain attack: Official NPM package infected with crypto stealing backdoor by Charlie Eriksen (Aikido).
- Grafana GitHub Actions Security Incident. Another GitHub Actions exploit used to leak secrets. Please check your third-party dependencies and rotate keys.
- ZKsync reclaims $5 million worth of hacked tokens following 10% bounty offer. Interestingly, the return was facilitated under SEAL’s Safe Harbor Agreement, which more protocols should adopt.
- Bitget's VOXEL Meltdown by Rekt. When market bots break, traders profit. Now the exchange is attempting to claw back highly profitable trades.
- FBI Releases Annual Internet Crime Report. The report notes a spike in the number of IC3 cryptocurrency related complaints in 2024 with $9.3B in losses.
- Inflection Point: Global Implications of Scam Centres, Underground Banking and Illicit Online Marketplaces in Southeast Asia by UN Office on Drugs and Crime. Great coverage of massive scam centers involved in pig butchering, crypto investment and other scams. The most concerning point is the human trafficking aspect of these operations forcing workers into call centers.
Crime
- LAPD Seizes Stolen Bitcoin Miners Worth $2.7 Million in Cargo Theft Investigation.
- Illegal Crypto Mining ‘Powerful Tool’ for Cybercrime Syndicates: UN Report.
- Nigerian court green lights arrest for six CBEX promoters.
- They Stole a Quarter-Billion in Crypto and Got Caught Within a Month.
- Prosecutors seek 8-year sentence for Mango Markets’ exploiter Avi Eisenberg.
Policy
- China debates how to handle criminal crypto cache.
- Alabama Drops Enforcement Action Case Against Coinbase.
Phishing
- A Bitcoin wallet lost $330.7M. Attacker swapped stolen assets to Monero causing a massive price spike.
- Address poisoning attack results in $467K theft.
- North Korean Hackers Targeting Crypto Developers With U.S. Shell Firms.
- Another day, another DPRK IT worker caught. Full set here by Cookie Connoissuer.
- NexVoo Scam — The Technical Approach.
- A sophisticated social engineering attack results in a theft of $40M.
- Reports of a malicious Solidity extension for VS Code impersonating a legitimate one.
- Crypto Drainers: How They Operate and a Case Study of Medusa and Its Broader Ecosystem by AMLBot.
- Hackers abuse Zoom remote control feature for crypto-theft attacks.
- ‘I’m sick’ — Scammers use AI, fake ID of crypto influencer to steal $4M.
Scams
Malware
- Docker Malware Exploits Teneo Web3 Node to Earn Crypto via Fake Heartbeat Signals.
- Storm-1977 Hits Education Clouds with AzureChecker, Deploys 200+ Crypto Mining Containers.
Media
- DeFi Security Summit Webinar - Operational Security in Web3: a review of major OpSec incidents with Louis Marquenet, Pablo Sabbatella, and Peter Kacherginsky, moderated by Isaac Patka.
- The UNBOUNDED Podcast - The True Cost of Sovereignty: Diverter on Bitcoin Privacy & Samourai Wallet.
- Soneium Builders Workshop Special Edition 9: TimeLock Vaults with Foundry: A Test-Driven Journey.
- Safe Tx Hashes with Patrick Collins (Cyfrin).
Research
- 0ffbeat - 0xProfiles of Daniel Von Fange, Bernhard Mueller, g, riptide, cmichel, GNSPS, Rappie, alpharush, Noah, M4rio, and many others.
- ThorChain: A Crypto Money Laundering Hub? by Nefture Security.
- Transitioning from EVM to SVM: Key Concepts for Solana Security Assessments by Dimaz Wijaya (Sigma Prime).
- eXch.cx, Crypto Money Laundering and the Bybit Hack by Nefture Security.
- Choosing an Audit Competition: How to Spot Snake Oil by Luna Tong (Zellic).
- SlowMist: Emergency Response Guide for Stolen Funds — On-Chain Messaging (BTC Edition).
- Insecurity Through Obscurity: Veiled Vulnerabilities in Closed-Source Contracts. A great way to reverse engineer and deobfuscate some of the trickier-to-analyze MEV bots.
- Mining Characteristics of Vulnerable Smart Contracts Across Lifecycle Stages.
- DMind Benchmark: The First Comprehensive Benchmark for LLM Evaluation in the Web3 Domain.
- AI-Based Vulnerability Analysis of NFT Smart Contracts.
- Evaluating the Vulnerability of ML-Based Ethereum Phishing Detectors to Single-Feature Adversarial Perturbations.
- Fishing for Phishers: Learning-Based Phishing Detection in Ethereum Transactions.
- Foundry best practices by Pandit.
Tools
- Foundry MCP Server by PraneshASP.
- Using Cursor to verify proxies, implementation and storage variables.
- Solidity HTTP - You love foundry so much, now you can browse the internet with it by Recon.
Hacks
USDBIT
Date: April 21, 2025
Attack Vector: Rounding Error
Impact: $5,000
Chain: BSC
References:
https://x.com/TikkalaResearch/status/1914484898855051328
Exploit:
https://bscscan.com/tx/0xac19d0898dd1a30ecd9eb29a7a4b39db1e5d069d3c68227c81cbdabc6f801e44
Unkn_92d09d
Date: April 22, 2025
Attack Vector: Storage Manipulation
Impact: $40,000
Chain: Ethereum
References:
https://x.com/Phalcon_xyz/status/1914631419432665216
Exploit:
https://etherscan.io/tx/0xe1847152107de8b677fc38399a1c3b86b61852c5772a25f48663edcd8e72e6bb
https://etherscan.io/tx/0xf17d81c7269e1d6ebe9b6fba3d32ba1b624dc6ade847fabd2c7e88ccb0798f23
BTCM
Date: April 22, 2025
Attack Vector: Logic Error
Impact: $1,000,000
Chain: Arbitrum
References:
https://x.com/blockaid_/status/1914680881823822083
Exploit:
https://arbiscan.io/tx/0xc0ef229256b2a6bc076a2de136f00f6161c959e4c56240bdb580ae2fde177c0b
Ripple
Date: April 22, 2025
Attack Vector: Supply Chain
Impact: Assets Stolen
References:
https://x.com/guardrailai/status/1914760244019839478
Exploit:
Oxya
Date: April 23, 2025
Attack Vector: Stolen Private Keys
Impact: $45,000
Chain: Ethereum
References:
https://x.com/CyversAlerts/status/1915118805740638687
https://x.com/OxyaOrigin/status/1915109745553289434
https://x.com/AaronBaylo/status/1915114342905000153
Exploit:
https://etherscan.io/tx/0x646dcacf11a58ea66c5ef5687978712d5073c1d602a3ca0070adf272abc365ab
ACB
Date: April 24, 2025
Attack Vector: Price Oracle Manipulation
Impact: $84,000
Chain: BSC
References:
https://x.com/TenArmorAlert/status/1915324379757502727
https://x.com/SlowMist_Team/status/1915239816486412697
Exploit:
https://bscscan.com/tx/0x144ff5661f5ce3391ba5b1c5e53366b61b8079d95d9fe8ca19ad87c6bbffc84f
https://bscscan.com/tx/0xca29ad35c05979b0caaa86fa9cb133c8e795c26027efc528de33e2bff100ce5a
https://bscscan.com/tx/0x415b296fe394a68d3b10ef3227fda11958fa0abb571a26bacd9998f6ad175f5d
Zora
Date: April 24, 2025
Attack Vector: Arbitrary External Calls
Impact: $140,800
Chain: Base
References:
https://x.com/TenArmorAlert/status/1915649260499910854
https://x.com/CyversAlerts/status/1915407845899596090
Exploit:
https://basescan.org/tx/0x84367a86229b4868e0224e0ffdc4a78354769c52102850733b3e1f4daf015f6e
https://basescan.org/tx/0xf71a96fe83f4c182da0c3011a0541713e966a186a5157fd37ec825a9a99deda6
Impermax Finance
Date: April 26, 2025
Attack Vector: Price Oracle Manipulation
Impact: $152,000
Chain: Base
References:
https://x.com/TenArmorAlert/status/1916089811770675312
https://x.com/hklst4r/status/1916164701597089826
Exploit:
https://basescan.org/tx/0xde903046b5cdf27a5391b771f41e645e9cc670b649f7b87b1524fc4076f45983
Term Labs
Date: April 26, 2025
Attack Vector: Incorrect Price Oracle
Impact: $1,500,000
Chain: Ethereum
References:
https://x.com/TenArmorAlert/status/1916149115630604341
https://x.com/term_labs/status/1916941405173485897
Exploit:
https://etherscan.io/tx/0xaa10cc076f27fcf7fc0b0a83ad170983e6791f5349d097ef4db0592a55d64048
https://etherscan.io/tx/0x8da015d7c362a082fd23736b08dc17d3a9794086b713590273c9535a4c47a7e2
Unkn_8393f7
Date: April 26, 2025
Attack Vector: Function Parameter Validation
Impact: $34,000
Chain: BSC
References:
https://x.com/TikkalaResearch/status/1916279683093827629
Exploit:
https://bscscan.com/tx/0x93fdf19cf95c7a530b8346afbfd77787140c34ff8efe4cf593109b310ff86d4c
Loopscale
Date: April 26, 2025
Attack Vector: Price Oracle Manipulation
Impact: $5,800,000
Chain: Solana
References:
https://x.com/LoopscaleLabs/status/1916183179469246626
https://x.com/LoopscaleLabs/status/1916230435291713786
https://x.com/greyswan_/status/1916227201067872263
Audit:
https://x.com/greyswan_/status/1916227204075180385
Negotiations:
https://x.com/suppvalen/status/1916597817541382564
Exploit:
https://github.com/publicqi/loopscale-hack (nonfunctioning PoC)
Unkn_4bbb53
Date: April 27, 2025
Attack Vector: Insufficient Function Access Control
Impact: $1,300
Chain: BSC
References:
https://x.com/TikkalaResearch/status/1916879978878370216
Exploit:
https://bscscan.com/tx/0xc0dcad5927446b9fa560be74a76efa0805e67d4c4cd486a48e9e4248287d777e
Aventa
Date: April 27, 2025
Attack Vector: Reward Manipulation
Impact: $8,000
Chain: Ethereum
References:
https://x.com/SlowMist_Team/status/1916405508833218995
https://x.com/TikkalaResearch/status/1916884429374701793
Exploit:
https://etherscan.io/tx/0x59446b1f58457c83d18864bbfaa8930c9438da33017ad41f08397cf79a8c63e5
LIFE
Date: April 27, 2025
Attack Vector: Price Oracle Manipulation
Impact: $51,000
Chain: BSC
References:
https://x.com/SlowMist_Team/status/1916391258664174045
https://x.com/TenArmorAlert/status/1916312483792408688
https://x.com/TikkalaResearch/status/1916269436035862898
Exploit:
https://bscscan.com/tx/0x74b33c524df438fef28ceab4cf2a38238296d854f02055bf883fd66daf242236
https://bscscan.com/tx/0x487fb71e3d2574e747c67a45971ec3966d275d0069d4f9da6d43901401f8f3c0
https://bscscan.com/tx/0x787dda04a7347d98b3e0293b3d19f7db06fa6a1ef923e36bc92bfef54bb564e7
https://github.com/SunWeb3Sec/DeFiHackLabs/blob/main/src/test/2025-04/Lifeprotocol_exp.sol