BlockThreat - Week 20, 2025
Coinbase | Curve | Xinbi | BrincFi | Zunami
Greetings!
More than $2.6M was stolen from DeFi projects across eight incidents this week. However, we’re focusing on a much more troubling case: a malicious insider breach at Coinbase—a sobering case study for anyone in security.
But first, a quick word from this week’s sponsor - Recon.

Get a Recon Invariant Audit: a powerful testing suite plus world-class auditors to catch what others miss. Open-source, no vendor lock-in, and proven to find severe bugs. Before spending millions on audits, invest in tests that evolve over time, catch bugs, and keep them from coming back. Use promo code BLOCKTHREAT for a 5k discount on your first engagement.
See our portfolio: https://getrecon.xyz/blockthreat
In a May 14 SEC 8-K filing, Coinbase disclosed it had received a $20M ransom demand from a threat actor who had obtained a significant amount of sensitive customer data and internal documentation. The company traced the breach to customer support agents based in India who were bribed by these actors.
The leaked data includes customer names, the last four digits of Social Security numbers, masked bank account numbers, government ID images, account balances and transactions, and internal documentation. According to Brian Armstrong, Coinbase began notifying affected customers as early as April 11, 2025. Unfortunately, the stolen data has already been used in targeted social engineering attacks.
The exact financial impact to users hasn’t been disclosed, but Coinbase announced plans to spend up to $400M on customer reimbursements and incident remediation—pointing to a likely impact in the hundreds of millions.
In DeFi, $100M+ hacks are surfaced almost instantly. Even attacks over $100K often draw rapid, public investigations by the community. Not so in CeFi. According to ZachXBT, scammers were using highly detailed personal info to target Coinbase customers as far back as December 2024. Reports of widespread customer theft steadily increased, culminating in the ransom email that finally triggered public disclosure. If these attacks had been going on for months, why did it take a ransom demand to bring them to light? How many customers would have been saved by earlier guidance on the incident and on customer support scams?
The ransom email reportedly arrived right after the S&P 500 listing announcement—a moment when companies have a strong incentive to avoid negative news. It’s worth noting that Uber’s CISO was recently criminally charged and sentenced for concealing a breach. Instead of risking the same, Coinbase went public—then offered a $20M bounty for information leading to the attackers’ arrest, along with a video statement from Brian Armstrong.
Was this a publicity move? Maybe. The DoJ is already investigating, and it’s likely they’ll be the ones to catch the perpetrators. Still, public contributions could help.
As ZachXBT noted, the most likely culprits include scammer groups in India and individuals linked to APT groups like The Com and Scattered Spider (aka 0ktapus). Recent arrests show these actors are often US or EU-based, in their late teens or early 20s, and specialize in social engineering. I personally received one of these “Coinbase security” calls. The flawless American accent and young-sounding voice were striking.
Expect to see more names and arrests in the Crimes section of this newsletter. Until then, stay extra vigilant—both online and offline.
Key takeaways from the incident
- Security incidents happen. Disclosing them—and your response—is a sign of maturity that helps the broader ecosystem.
- Outsourcing support is fine, but only with strict access controls and monitoring.
- Assume a malicious insider already works for you. What controls do you have to detect and stop them? Can your project survive a single bad actor?
- Train employees regularly on phishing and social engineering threats.
Oh, and be sure to check out this week’s sponsor to brush up on your opsec practices:

Is your team safe from sophisticated threat actors?
More than 98% of stolen funds in the Web3 ecosystem are hacked without breaking code but by breaking people. Opsek will train your team to become paranoid, and harden your complete operational security stack.
You are already a target, don't get rekt.
Link: https://opsek.io/
Let’s dive into the news!
News
- Announcing the Trillion Dollar Security Initiative by Ethereum Foundation. The project will be led by Fredrik Svantes, Josh Stark with support by samczsun, Mehdi Zerouali, and Zach Obront. Consider contributing by filling out the form in the link above.
- Blockchain Security Standards Council Publishes First Four Security Standards.
- Coinbase data breach exposes customer info and government IDs. In the recent 8-K filing, Coinbase estimated $180 - $400M in remediation and compensation costs. The disclosure of the hack came as a result of a $20M ransom demand from a threat actor offering to conceal the incident.
- Sonic Labs secures court order to liquidate Multichain Foundation to recoup losses from $210 million exploit.
- World's first CPU-level ransomware can "bypass every freaking traditional technology we have out there" — new firmware-based attacks could usher in new era of unavoidable ransomware.
- Q1 2025 Crypto Hacks Report: Breakdown of Tactics, Targets, and Timing by Global Ledger.
Crime
- Alabama Man Sentenced to 14 Months in Connection with Securities and Exchange Commission X Hack that Spiked Bitcoin Prices.
- North Korean IT Workers Are Being Exposed on a Massive Scale. Although they have been branching out to remote civil engineering gigs as well.
- Exposing DPRK’s Cyber Syndicate and Hidden IT Workforce by DTEX.
- False Complaints: Criminals Working To Free Frozen Funds by Zero Shadow.
- The New Era of Organized Crime by vxdb. The story of Malone Lam aka Greavys and his multi-million crypto crime spree. An additional 12 individuals were recently charged in a RICO conspiracy related to the case.
- Xinbi: The $8 Billion Colorado-Incorporated Marketplace for Pig-Butchering Scammers and North Korean Hackers by Elliptic. The Telegram-based marketplace has since been taken down.
- Armed gang tries to kidnap crypto CEO's daughter, grandson in central Paris. In a terrifying video, the victims are seen fighting off the attackers. The incident is the latest in a series of physical attacks on the crypto community in France. France’s interior minister will meet with crypto leaders to address the crime wave.
- Crypto High-Rollers Go Big on Bodyguards to Deter Kidnappers.
- Europol raids $24 million ‘mafia crypto bank’. The raid led to the arrest of 17 individuals and seizure of €4.5M.
- South Korean Woman Jailed for Stealing $500,000 in Crypto From Sleeping Boyfriend.
- Hong Kong police arrest 12 suspected of laundering $15 million through crypto exchange shops.
- Haishling NFT Founder Accused of Stealing Millions from Investors and Bitcoin Mining Venture.
Policy
- Roman Storm Re-Petitions Court To Compel FinCEN Communications.
- UK crypto firms told to report every user and transaction or risk stiff penalties.
Phishing
- Curve Finance Hit by DNS Record Attack, Warns Users to Avoid Main Site.
- Wallet drainers just got deadly efficient by WiiMee.eth. First instance of drainers abusing the smart accounts introduced in the Pectra update.
- A few hours ago I hacked a group of crypto scammers impersonating Coinbase Support by NanoBaiter.
- Reports of a phishing campaign targeting security researchers with fake requests for security audits.
- Reports of a phishing campaign abusing expired Discord links.
- The Fake Ledger That Stole Everything. Counterfeit hardware wallets install an app used to drain wallets.
- ZKsync X hacker posts false SEC probe in apparent effort to crash token.
- Zoom/Telegram Deepfake Attack Vector Rises: Crypto Founders Targeted.
Scams
- Crypto’s $3.2 Trillion Scam: Just 489 People Behind Massive Telegram Pump-and-Dump.
- Tether Freeze Gap Becomes Laundering Loophole for Criminals by AMLBot. The 44-minute delay doesn’t sound so bad compared to USDC.
Malware
Media
- bountyhunt3rz - Episode 13 - 0xsimao.
- Project Glitch: Samczsun on Crypto Security & SEAL's Mission. A deep dive into web3 security's challenges and future.
- 0xProfiles - Patrick Collins.
- ‘You build your own wall’: OfficerCIA on the ethics and fallout of web3 security.
Contests
- Zero Trust. Social-engineering games based on real-world attacks.
- RACE #40 Of The Secureum Bootcamp Epoch∞ write-up by patrickd (Ventral). Another great race with a focus on multisig signing and opsec.
Research
- The Crypto OpSec Bible by Omar.
- Wonderland Handbook. A curated guide to our best practices, processes, and technical insights including multisig, internal reviews, and others.
- Key Management Standard, version 1 by Mark Nesbitt (Turnkey), Akshar Rawal (Coinbase), John Kemp (BSSC) developed as part of the Blockchain Security Standards Council.
- Secure dApps Against UI Spoofing (Part 1): Decoding Transactions by Valentina Rivas (Cyfrin).
- Secure dApps Against UI Spoofing (Part 2): Simulating Transactions by Valentina Rivas (Cyfrin).
- Web2: The Hidden Layer of DeFi Risk by Guardian.
- Nitron Exploit Post-Mortem: What Happened, What Was Lost, and What’s Next.
- Project Glitch - How Samczsun is bridging the old web to the dark forest.
- Comprehensive Update: SlowMist’s Solana Smart Contract Security Best Practices.
- The cryptography behind passkeys by Joop van de Pol (Trail of Bits).
- Solana: The hidden dangers of lamport transfers by Nicola Vella (OtterSec).
- Enumerating All 69,788,231 Ethereum Contracts by Rainier Wu (Zellic).
- Chrome Extension Security by Neplox. A comprehensive look at attack vectors.
- Understanding and Characterizing Obfuscated Funds Transfers in Ethereum Smart Contracts.
- DMind Benchmark: Toward a Holistic Assessment of LLM Capabilities across the Web3 Domain.
- FIRST: FrontrunnIng Resilient Smart ConTracts.
- Timestamp Manipulation: Timestamp-based Nakamoto-style Blockchains are Vulnerable.
- BM-PAW: A Profitable Mining Attack in the PoW-based Blockchain System.
- Detecting Sybil Addresses in Blockchain Airdrops: A Subgraph-based Feature Propagation and Fusion Approach.
- Correlating Account on Ethereum Mixing Service via Domain-Invariant feature learning.
Tools
- DNS Monitor Bot by wavey0x. A simple-to-configure, pre-built Cloudflare Worker that monitors DNS records for any list of user-specified domains and sends notifications via Telegram when changes are detected.
- Alloy 1.0 - Rust toolkit for the EVM.
Hacks
Sola
Date: May 12, 2025
Attack Vector: Insufficient Function Access Control
Impact: $28,000
Chain: BSC
References:
https://www.certik.com/resources/blog/sola-incident-analysis
Exploit:
https://bscscan.com/tx/0x9371eb4b0da7dedc95568d508a7fc97298a27bb44947c82dc4542fe3a4e5e3c9
Curve
Date: May 12, 2025
Attack Vector: DNS Hijacking
Impact: $200,000
Chain: Ethereum
References:
https://x.com/coinspect/status/1922071837036490937
https://x.com/CurveFinance/status/1922040492121829678
https://decrypt.co/319414/curve-finance-dns-record-attack
https://x.com/CurveFinance/status/1922208277036712431
https://x.com/exvulsec/status/1922240775053836642
https://x.com/realScamSniffer/status/1922105996161188187
BrincFi
Date: May 14, 2025
Attack Vector: Malicious Insider
Impact: $1,000,000
Chain: Ethereum
References:
https://x.com/Beosin_com/status/1470695420301037569
https://x.com/YannickCrypto/status/1470660893218385923
https://rekt.news/brincfi-rekt-coldcase
Exploit:
https://etherscan.io/tx/0x09ae252d00122864070461e78810a3b91c4fb64076f72eb6dba775a80ca00df4
Zunami Protocol
Date: May 15, 2025
Attack Vector: Stolen Private Keys
Impact: $500,000
Chain: Ethereum
References:
https://x.com/ZunamiProtocol/status/1922993510925435267
https://x.com/PeckShieldAlert/status/1923017858033799287
https://securrtech.medium.com/zunami-protocol-hack-anatomy-of-a-500k-defi-exploit-99a4063ac61d
Exploit:
https://etherscan.io/tx/0xec8d87413c3e7dbfa17054e2275e19085facd48b9972763c23c4d76bdcdc3942
BitallxSC
Date: May 16, 2025
Attack Vector: Function Parameter Validation
Impact: $2,000
Chain: BSC
References:
https://x.com/TikkalaResearch/status/1923446708111016194
Exploit:
https://bscscan.com/tx/0x1fe893e4d8370a8d6da590b32f66bd032217bac2e56bd2bf0de2a9df9c7117dd
Demex
Date: May 16, 2025
Attack Vector: Price Oracle Manipulation
Impact: $950,000
Chain: Arbitrum
References:
https://x.com/demexchange/status/1923188482543059129
https://blog.dem.exchange/nitron-post-mortem/
Exploit:
Unkn_018926
Date: May 17, 2025
Attack Vector: Function Parameter Validation
Impact: $1,400
Chain: BSC
References:
https://x.com/TikkalaResearch/status/1923848340078535073
Exploit:
https://bscscan.com/tx/0x1e70941a327276698f4160b850f8f1123b30620c68fc34a97fc44add6cf0fe50
KRC
Date: May 18, 2025
Attack Vector: Reward Manipulation
Impact: $7,000
Chain: BSC
References:
https://x.com/CertikAIAgent/status/1924280794916536765
Exploit:
https://bscscan.com/tx/0x78f242dee5b8e15a43d23d76bce827f39eb3ac54b44edcd327c5d63de3848daf