BlockThreat - Week 2, 2026

Greetings!

Nearly $30M was stolen this week across ten incidents. Quite a way to start the year with exchanges and DeFi protocols alike getting compromised, while users lost hundreds of millions more to well known support scams. Let’s take a closer look at a few of the most impactful cases.

The TrueBit protocol hack continues a troubling trend of older smart contracts being exploited. More than $26M was drained through a classic integer overflow bug, triggering a wave of copycat attacks. The hard lesson here is longevity does not equal safety. This vulnerability sat undiscovered in a Solidity v0.5.3 contract for nearly four years before being exploited, likely as part of a broader campaign targeting legacy deployments. If you are still hesitant about re auditing older onchain code, now is the time. Otherwise, attackers will be happy to perform that audit for you.

Exchange hacks are relatively rare, which made the compromise of Kontigo particularly notable. The incident occurred just two days after US captured Venezuelan president Maduro. While there is no evidence linking the two events, the timing raised eyebrows given Kontigo’s previously reported ties to Maduro and Venezuela. It is another reminder that real world politics can sometimes spill into the crypto ecosystem in unexpected ways.

Let’s dive into the news!

News

• Legacy DeFi platforms lose $27M as hacking spree continues into 2026.
• Flaw Found in Bitcoin Staking Protocol Babylon Could Disrupt Consensus.
• Tornado Cash volumes hit record high as wallets associated with Richard Heart pour in $400m.
• Crypto wallet shop Ledger confirms customer data lifted in Global-e snafu.

Crime

• Billion-dollar scammer Chen Zhi arrested in Cambodia, extradited to China. Chen Zhi is a founder of the infamous Prince Group.
• Hunting Lazarus: Inside the Contagious Interview C2 Infrastructure by Red Asgard.
• Trump Says He Won’t Pardon Sam Bankman-Fried.
• Masked Gunmen Tie Up Woman in France, Steal Crypto USB.
• No release for French tax agent who gave crypto investor details to gangs.
• Owning crypto puts your keys and life at risk by souilos (Opsek).

Phishing

• VS Code Tasks Abuse by Contagious Interview (DPRK) by SEAL Intel.
• More reports of malicious projects taking over popular IDEs by Slowmist.
• How I lost more than $20k being hacked by allegedly North Korean hackers by Akshit (Epoch Protocol).
• How I Got Drained After Using Public Hotel Wi-Fi by The Smart Ape.
• Telegram has a vulnerability that allows proxy bypass by sending a link disguised as a username. The vulnerability can be used to expose users’ IP address and other sensitive data.
• YubiKeys cheatsheet by souilos (Opsek).
• Unmasking the DPRK Remote Worker Problem by Silent Push.
• A victim lost $282M in BTC and LTC through a Trezor support scam.
• 40% of all EIP-7702 wallets are used for draining compromised accounts according to 0xKofi.

Scams

• An investigation into the person behind the $NYC token, which was launched hours ago and publicly posted by Eric Adams, former mayor of New York by Specter.

Malware

• Inside GoBruteforcer: AI-Generated Server Defaults, Weak Passwords, and Crypto-Focused Campaigns by Check Point.

Media

• The Immunefi Show Episode 4 with Michael Lewin (Turnkey).
• How to solve Ethernaut #40, “NotOptimisticPortal” by typicalHuman.
• Bitcoin++ - The Broken Abstractions of Electrum by Evan Lin.

Research

• The Notorious Bug Digest #6: Balancer Side Story and Rust Specific Issues by OpenZeppelin.
• Flow Security Incident 27th December: Technical Post-Mortem by Flow.
• Audit Checklists by CDSecurity. Including DEX, Lending, Cross-chain, and other general classes.
• Introducing Recon Magic by nican0r (Recon). Writing Stateful Fuzzing 38 times faster using Agentic Workflows - Benchmark inside.
• Fusaka’s Impact On Smart Contract Security by Toon Van Hove (Sigma Prime).
• A practical guide to getting started with Go static analysis by Sigma Prime.
• Sui Move Security workshop writeup & material by Monethic.
• Reports of CPIMP attackers stopped writing to different implementation slots to avoid detection by Defimon Alerts.

Tools

• weasel: Solidity static analyzer you can talk to. MCP integration for Claude Code, Cursor, and Windsurf by slvDev.
• Detect Go’s silent arithmetic bugs with go-panikint by Trail of Bits.
• Mothra - A Ghidra extension that supports EVM bytecode reverse engineering.
• leaker by Maksim Imradaev. A leak discovery tool that returns valid credential leaks for emails, using passive online sources.

Hacks