BlockThreat - Week 2, 2025
Moby | Orange Finance | Unilend | IPC | Mosca | Alienbase | FortuneWheel | WTO
Greetings!
We’re kicking off the second week of 2025 with nearly a dozen exploits that have collectively netted attackers around $2.7M. Low-TVL, unaudited projects on BSC continue to fall victim to hacks, often losing $10K at a time. However, it’s the two private key compromises that deserve additional discussion—and even a bit of celebration.
On January 8, Moby Trade protocol on Arbitrum suffered a significant breach when an attacker used stolen private keys to upgrade several vaults. Just as the attacker was preparing to drain $2.5M, Tony Ke from SEAL 911 intervened. Exploiting a vulnerability in the attacker’s own unprotected contract, Ke managed to recover nearly $1.5M. While the attacker still escaped with $1M and any funds collected via user approvals, this incident highlights the growing importance of proactive incident response. Whitehats and their bots are increasingly playing a crucial role in mitigating the impact of exploits.
Orange Finance faced a similar attack on the same day. Despite having its upgrade admin account protected by a multisig, a misconfiguration allowed a single compromised key to perform an unauthorized upgrade. The fact that two Arbitrum-based projects were compromised on the same day using the same vector raises questions: coincidence or a coordinated effort?
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
This week brings an intriguing collection of research articles, including a Cosmos engineer’s simulation of an alleged exploit linked to the Terra downfall, insights into 0-day vulnerabilities in a popular wallet and a hashing algorithm implementation, and a wealth of audit tips from some of the industry’s top security researchers.
On the phishing front, scammers and wallet security apps are locked in a cat-and-mouse game to outwit transaction simulation mechanisms. One such successful bypass led to a $460K theft from an unfortunate user who didn’t receive adequate warnings.
In other news, the U.S. government arrested operators of Sinbad and Blender, multiple DeFi security companies announced acquisitions, more regulators departed their posts, and the relentless wave of drainers continues to plague the ecosystem.
Let’s dive into the news!
News
- Whitehat hacker rescues $1.5M from first DeFi hack of 2025.
- The federal government just got the greenlight to sell $6.5 billion in Bitcoin seized from Silk Road.
- Chainalysis Buys Israeli Fraud Detection Startup Alterya for $150M.
- Fuzzland has been acquired by Solayer Labs.
- Analysis of the 2024 Blockchain Security and Anti-Money Laundering Annual Report: Security Landscape, Phishing and Scam Techniques, DPRK & Money Laundering Tools, and AML Trends & Data by SlowMist.
- 2024 Web3 Security Report by PeckShield.
- Telegram snitched on 2,000 users to US authorities in 2024, report.
- CoinSwitch launches $70M recovery fund for WazirX hack victims.
- Breaking Rugs: The state of Web3 Security Report.
Crime
- Russian nationals arrested by US, accused of running crypto mixers Blender and Sinbad.
- New York Attorney General wants to serve crypto thieves via NFT after $2.2m heist.
- Crimeware-as-a-service: A new threat to crypto users.
- Russia to Sell $10M in Bitcoin Seized in Hack Case.
- Thai police seize nearly 1,000 Bitcoin miners in raid.
- UK To Seize $4.3M In Bitcoin From Fugitive Crime Boss.
- Dutch police arrest law student behind multi-million euro crypto scheme.
- Judge pushes Mango Markets exploiter sentencing to April 10.
Policy
- US regulator plans to toughen customer protection on crypto accounts.
- Gemini agrees to a $5M penalty as part of proposed CFTC order.
- U.S. Enforcement Chief Behind CFTC Crypto Cases Exits Before Trump Arrives.
Phishing
- DPRK's Willo Impersonation Campaign by Zero Shadow.
- New Web3 attack exploits transaction simulations to steal crypto.
- String of X hijacks continues as hackers access accounts of Litecoin, Foresight Ventures, and others.
- Fake CrowdStrike job offer emails target devs with crypto miners.
- Text scammers blasting out bogus job offers stole $2.2M in crypto, NY AG says: 'Never-ending nightmare'.
- ‘Money we don’t have to spare’: Spoofed website causes Toronto man to lose $100K.
Scams
- Bad math homework by Rekt. A dive into Solv Protocol double- and sometimes triple-counting BTC deposits in its TVL calculations.
- Squid Game Season 2: A Window Into Popular Culture and Crypto Scams by TRM.
- Bitten by bitcoin scam: Victim talks about experience as law enforcement faces rash of crypto fraud.
Malware
- Russian-Speaking Attackers Target Ethereum Devs with Fake Hardhat npm Packages.
- CrowdStrike Warns of Phishing Scam Targeting Job Seekers with XMRig Cryptominer.
- PHP Servers Vulnerability Exploited To Inject PacketCrypt Cryptocurrency Miner.
Research
- Blockchain Engineer Alleges Attack Triggered Terra’s $50 Billion Downfall. The reveal includes a video demonstrating an attack on the Cosmos Hub with the same effect as the one that caused the UST depeg.
- Poseidon Hash Collision vulnerability in iden3's implementation by Marius Van Der Wijden.
- BitsLab’s ScaleBit flags 'alarming' Uniswap Wallet vulnerability.
- Signature Replay Attacks by Joran Honig.
- Top findings in GameFi protocols by gkrastenov.
- Unusual Money by Rekt. A deep dive into the USD0++ depeg.
- MEV resources by The Daily Ape.
- When Should Selfish Miners Double-Spend?
- Leader Rotation Is Not Enough: Scrutinizing Leadership Democracy of Chained BFT Consensus.
- Knowledge Migration Framework for Smart Contract Vulnerability Detection.
- Leveraging Large Language Models and Machine Learning for Smart Contract Vulnerability Detection.
- SoK: A Review of Cross-Chain Bridge Hacks in 2023.
- Scam Detection for Ethereum Smart Contracts: Leveraging Graph Representation Learning for Secure Blockchain.
- Privacy-Preserving Smart Contracts for Permissioned Blockchains: A zk-SNARK-Based Recipe Part-1.
Tools
- EVM Trackooor: Tracking Anything and Everything on EVM Chains by Zellic.
- Node Snapshots by Allnodes. A large collection of blockchain node snapshots to quickly sync your nodes to a variety of EVM chains.
- Similar Contracts Search by Etherscan.
Hacks
Mosca
Date: January 06, 2025
Attack Vector: Reward Manipulation
Impact: $19,000
Chain: BSC
References:
https://x.com/0xNickLFranklin/status/1876884383736430821
https://nickfranklin.site/2025/01/08/mosca-hacked/
https://x.com/SlowMist_Team/status/1876156823637770441
https://x.com/TenArmorAlert/status/1876142779564277971
https://blog.solidityscan.com/mosca-hack-analysis-85485d0e6bb2
Exploit:
https://bscscan.com/tx/0x4e5bb7e3f552f5ee6ee97db9a9fcf07287aae9a1974e24999690855741121aff
https://github.com/SunWeb3Sec/DeFiHackLabs/blob/main/src/test/2025-01/Mosca_exp.sol
Orange Finance
Date: January 07, 2025
Attack Vector: Stolen Private Keys
Impact: $830,000
Chain: Arbitrum
References:
https://x.com/0xOrangeFinance/status/1876863611458801890
https://x.com/0xOrangeFinance/status/1877008796293468274
https://x.com/TenArmorAlert/status/1877236394999034015
https://rekt.news/orange-finance-rekt/
Exploit:
https://arbiscan.io/tx/0x4f0690518ae8257b568457f2dccff8608bc8f1997ffafd39dff1592e66309dcc
IPC
Date: January 07, 2025
Attack Vector: Price Oracle Manipulation
Impact: $590,000
Chain: BSC
References:
https://x.com/TenArmorAlert/status/1876663900663370056
https://x.com/CertiKAlert/status/1876838123281223997
Exploit:
https://bscscan.com/tx/0x5ef1edb9749af6cec511741225e6d47103e0b647d1e41e08649caaff66942a91
https://bscscan.com/tx/0x3a3683119e1801821faa15c319cb9c8fb3fcf6ee92b1904a829d82c432e09a44
HORS
Date: January 08, 2025
Attack Vector:
Impact: $10,300
Chain: BSC
References:
https://x.com/TenArmorAlert/status/1877032470098428058
Exploit:
https://bscscan.com/tx/0xc8572846ed313b12bf835e2748ff37dacf6b8ee1bab36972dc4ace5e9f25fed7
WTO
Date: January 08, 2025
Attack Vector: Price Oracle Manipulation
Impact: $24,200
Chain: BSC
References:
https://x.com/TenArmorAlert/status/1877030261067571234
Exploit:
https://bscscan.com/tx/0x00c5a772a58b117f142b2cbc8721b80d145ef7a910043ad08439863d0e78e300
Moby
Date: January 08, 2025
Attack Vector: Stolen Private Keys
Impact: $1,000,000
Chain: Arbitrum
References:
https://x.com/shoucccc/status/1877036766776967459
https://x.com/BeosinAlert/status/1877180521710596452
https://x.com/Moby_trade/status/1877096336140677458
https://x.com/Moby_trade/status/1877157836230373823
https://x.com/TenArmorAlert/status/1877329787078979940
https://rekt.news/mobytrade-rekt/
https://revoke.cash/exploits/moby?chainId=42161
https://medium.com/moby-trade/moby-post-mortem-report-growth-plan-504ad5b0dd35
Whitehat Hack:
https://x.com/tonykebot/status/1877240684266295373
Exploit:
https://arbiscan.io/tx/0x9da34da770f1e9c5d5e176578b32710d8e288587d8401582f34a9631edf9be4b
LPMine
Date: January 08, 2025
Attack Vector: Reward Manipulation
Impact: $24,000
Chain: BSC
References:
https://x.com/TenArmorAlert/status/1877030261067571234
Exploit:
https://bscscan.com/tx/0x00c5a772a58b117f142b2cbc8721b80d145ef7a910043ad08439863d0e78e300
https://github.com/SunWeb3Sec/DeFiHackLabs/blob/main/src/test/2025-01/LPMine_exp.sol
AlienBase, BunniHub, Timeless
Date: January 09, 2025
Attack Vector: Insufficient Function Access Control
Impact: $38,000
Chain: Base
References:
https://x.com/TenArmorAlert/status/1877583399050739869
https://x.com/SlowMist_Team/status/1877545774856417400
https://x.com/Phalcon_xyz/status/1877559609776640019
https://x.com/CertiKAlert/status/1877562720205287675
https://x.com/TikkalaResearch/status/1877769482191675554
Exploit:
https://basescan.org/tx/0x77855f3a363f8a3301c612d34e794154a10560be98ed50d64ca0480675625df6
https://etherscan.io/tx/0x2a32fd400186eb7b32d405be008ea74f9f7c820824c11ea22177e0d4ab804188
FortuneWheel
Date: January 10, 2025
Attack Vector: Price Oracle Manipulation
Impact: $21,600
Chain: BSC
References:
https://x.com/TenArmorAlert/status/1877654447540592952
https://x.com/TikkalaResearch/status/1877776767907463222
Exploit:
https://bscscan.com/tx/0xd6ba15ecf3df9aaae37450df8f79233267af41535793ee1f69c565b50e28f7da
https://github.com/SunWeb3Sec/DeFiHackLabs/blob/main/src/test/2025-01/RoulettePotV2_exp.sol
Unilend
Date: January 12, 2025
Attack Vector: Incorrect Reward Calculation
Impact: $200,000
Chain: Ethereum
References:
https://nickfranklin.site/2025/01/13/unilend-hacked/
Exploit:
https://etherscan.io/tx/0x44037ffc0993327176975e08789b71c1058318f48ddeff25890a577d6555b6ba