BlockThreat - Week 2, 2026
TrueBit | TMX | USDGambit | Kontigo | Fusion Protocol | Ledger | PMX | FutureSwap
Greetings!
Nearly $30M was stolen this week across ten incidents. Quite a way to start the year with exchanges and DeFi protocols alike getting compromised, while users lost hundreds of millions more to well known support scams. Let’s take a closer look at a few of the most impactful cases.
The TrueBit protocol hack continues a troubling trend of older smart contracts being exploited. More than $26M was drained through a classic integer overflow bug, triggering a wave of copycat attacks. The hard lesson here is longevity does not equal safety. This vulnerability sat undiscovered in a Solidity v0.5.3 contract for nearly four years before being exploited, likely as part of a broader campaign targeting legacy deployments. If you are still hesitant about re auditing older onchain code, now is the time. Otherwise, attackers will be happy to perform that audit for you.
Exchange hacks are relatively rare, which made the compromise of Kontigo particularly notable. The incident occurred just two days after US captured Venezuelan president Maduro. While there is no evidence linking the two events, the timing raised eyebrows given Kontigo’s previously reported ties to Maduro and Venezuela. It is another reminder that real world politics can sometimes spill into the crypto ecosystem in unexpected ways.
Let’s dive into the news!
News
- Legacy DeFi platforms lose $27M as hacking spree continues into 2026.
- Flaw Found in Bitcoin Staking Protocol Babylon Could Disrupt Consensus.
- Tornado Cash volumes hit record high as wallets associated with Richard Heart pour in $400m.
- Crypto wallet shop Ledger confirms customer data lifted in Global-e snafu.
Crime
- Billion-dollar scammer Chen Zhi arrested in Cambodia, extradited to China. Chen Zhi is a founder of the infamous Prince Group.
- Hunting Lazarus: Inside the Contagious Interview C2 Infrastructure by Red Asgard.
- Trump Says He Won’t Pardon Sam Bankman-Fried.
- Masked Gunmen Tie Up Woman in France, Steal Crypto USB.
- No release for French tax agent who gave crypto investor details to gangs.
- Owning crypto puts your keys and life at risk by souilos (Opsek).
Phishing
- VS Code Tasks Abuse by Contagious Interview (DPRK) by SEAL Intel.
- More reports of malicious projects taking over popular IDEs by Slowmist.
- How I lost more than $20k being hacked by allegedly North Korean hackers by Akshit (Epoch Protocol).
- How I Got Drained After Using Public Hotel Wi-Fi by The Smart Ape.
- Telegram has a vulnerability that allows proxy bypass by sending a link disguised as a username. The vulnerability can be used to expose users’ IP address and other sensitive data.
- YubiKeys cheatsheet by souilos (Opsek).
- Unmasking the DPRK Remote Worker Problem by Silent Push.
- A victim lost $282M in BTC and LTC through a Trezor support scam.
- 40% of all EIP-7702 wallets are used for draining compromised accounts according to 0xKofi.
Scams
Malware
- Inside GoBruteforcer: AI-Generated Server Defaults, Weak Passwords, and Crypto-Focused Campaigns by Check Point.
Media
- The Immunefi Show Episode 4 with Michael Lewin (Turnkey).
- How to solve Ethernaut #40, “NotOptimisticPortal” by typicalHuman.
- Bitcoin++ - The Broken Abstractions of Electrum by Evan Lin.
Research
- The Notorious Bug Digest #6: Balancer Side Story and Rust Specific Issues by OpenZeppelin.
- Flow Security Incident 27th December: Technical Post-Mortem by Flow.
- Audit Checklists by CDSecurity. Including DEX, Lending, Cross-chain, and other general classes.
- Introducing Recon Magic by nican0r (Recon). Writing Stateful Fuzzing 38 times faster using Agentic Workflows - Benchmark inside.
- Fusaka’s Impact On Smart Contract Security by Toon Van Hove (Sigma Prime).
- A practical guide to getting started with Go static analysis by Sigma Prime.
- Sui Move Security workshop writeup & material by Monethic.
- Reports of CPIMP attackers stopped writing to different implementation slots to avoid detection by Defimon Alerts.
Tools
- weasel: Solidity static analyzer you can talk to. MCP integration for Claude Code, Cursor, and Windsurf by slvDev.
- Detect Go’s silent arithmetic bugs with go-panikint by Trail of Bits.
- Mothra - A Ghidra extension that supports EVM bytecode reverse engineering.
- leaker by Maksim Imradaev. A leak discovery tool that returns valid credential leaks for emails, using passive online sources.
Hacks
Kontigo Compromise
Date: January 5, 2026
Attack Vector: Authentication Bypass
Impact: $340,000
Chain: Ethereum,Base
References:
- https://x.com/kontigo_app/status/2008186734228771285
- https://protos.com/venezuela-focused-neobank-kontigo-pays-back-users-after-340k-usdc-hack/
- https://www.theblock.co/post/384451/kontigo-reimburses-users-after-hack
- https://www.kontigo.com/en/article/security-incident-postmortem-unauthorized-account-access
- https://fintechbusinessweekly.substack.com/p/kontigo-ycombinators-venezuela-sanctions
Ledger Compromise 2
Date: January 5, 2026
Attack Vector: 3rd Party Compromise
Chain: Unknown
References:
- https://x.com/zachxbt/status/2008139053544194545
- https://protos.com/ledger-confirms-customer-data-leaked-in-third-party-global-e-breach/
TMX Compromise
Date: January 5, 2026
Attack Vector: Reward Manipulation
Impact: $1,400,000
Chain: Arbitrum
References:
- https://x.com/certikalert/status/2008360565010559045
- https://x.com/QuillAudits_AI/status/2008459614711386457
- https://rekt.news/tmztribe-rekt
Negotiations:
USDGambit
Date: January 5, 2026
Attack Vector: Stolen Private Keys
Impact: $1,500,000
Chain: Ethereum
References:
Fusion Protocol (Ipor) Compromise
Date: January 6, 2026
Attack Vector: Arbitrary External Calls
Impact: $330,000
Chain: Ethereum
References:
- https://x.com/ipor_io/status/2008728627190321480
- https://x.com/De_FiSecurity/status/2009228568505790624
- https://x.com/SlowMist_Team/status/2008749880995655696
- https://x.com/ipor_io/status/2008728627190321480
- https://blog.ipor.io/post-mortem-ipor-usdc-optimizer-arbitrum-vault-exploit-aff11fd01b62
Negotiations:
- https://arbiscan.io/tx/0x828a7cd22d6ed58d12b54d8fe1d5c2fc6409246ee42499b2fb6b22c930bce850
- https://x.com/defimonalerts/status/2008882952956965003?s=52
Exploit:
- https://arbiscan.io/tx/0x085787456932f72b7552894ff593e795b49ee72be2db091a62be47c018359268
- https://arbiscan.io/tx/0x238b4e619158432ff5ceb279cfea38007d048af4f59901c7af2efcf32e9671b6
Kontigo Compromise 2
Date: January 6, 2026
Attack Vector: Authentication Bypass
Impact: $56,913
Chain: Ethereum,Base
References:
TrueBit Protocol
Date: January 8, 2026
Attack Vector: Integer Overflow
Impact: $26,000,000
Chain: Ethereum
References:
- https://x.com/CyversAlerts/status/2009305178277654894
- https://x.com/De_FiSecurity/status/2009306686742290602
- https://x.com/BlockscopeCo/status/2009316048172966386
- https://x.com/hklst4r/status/2009314260460146917
Root Cause:
- https://slowmist.medium.com/26-44-million-stolen-truebit-protocol-smart-contract-vulnerability-analysis-e44fe7becd8a
- https://quillaudits.medium.com/truebit-26m-hack-explained-ec5f9ff28115
- https://www.certik.com/resources/blog/truebit-incident-analysis
- https://exvul.com/blog/truebit-protocol-attack-analysis
- https://rekt.news/truebit-rekt
Copycats:
Negotiations:
Exploit:
- https://etherscan.io/tx/0xcd4755645595094a8ab984d0db7e3b4aabde72a5c87c4f176a030629c47fb014
- https://etherscan.io/tx/0x71496352b02f974a3898c1b743e9fc2befb935e6c2a3e421134ec09b63052f4b
- https://github.com/DK27ss/Truebit-26.44M-PoC/tree/main
m402
Date: January 8, 2026
Attack Vector: Uninitialized Contract
Chain: Base
References:
Exploit:
PMX Polycule Bot Compromise
Date: January 10, 2026
Attack Vector: Unknown
Impact: $230,000
Chain: Polygon
References:
- https://x.com/pmx_trade/status/2008942249326071949
- https://x.com/pmx_trade/status/2008997887678820862
FutureSwap Compromise 3
Date: January 11, 2026
Attack Vector: Reentrancy
Impact: $74,000
Chain: Arbitrum
References:
- https://x.com/Phalcon_xyz/status/2009992056828244156
- https://x.com/phalcon_xyz/status/2011404828115866061
Exploit: