BlockThreat - Week 23, 2025
Alex Lab | Bitopro | Lazarus | Libra | Crocodilus
Greetings!
Over $17M was stolen this week across four separate incidents, with the majority of losses stemming from the compromise of Alex Lab on the Stacks blockchain. This exploit once again highlights how chain- or contract-specific quirks can quietly erode trust assumptions. In Alex Lab’s case, the protocol allowed users to create their own markets—but due to insufficient verification logic, attackers were able to rapidly drain funds. It’s a particularly unfortunate event, as Alex Lab also suffered a $4.3M private key theft by Lazarus just over a year ago.
One of blockchain’s defining features is its radical transparency: hacks are often immediately visible. Detailed technical post-mortems appear within hours, often before the affected team has even responded. This level of openness is one of the ecosystem’s core strengths.
But what happens when theft occurs beyond the reach of on-chain sleuths or on chains few are watching? This week offered two stark reminders. Bitopro, a centralized exchange, disclosed an $11.5M breach that occurred a month ago after suspicious mixing activity was flagged by ZachXBT. Meanwhile, Marinade Finance suffered a $5M market manipulation scheme that went undetected for months.
How many other attacks remain unseen—either due to the opacity of centralized entities or simply because no one is paying attention? Most blockchain monitoring firms ignore incidents under a few hundred thousand dollars. Yet time and again, we see mass campaigns siphoning small amounts over time, flying just below the radar.
Speaking of transparency, check out the excellent work by our sponsor, Coinspect. From in-depth wallet security reviews to uncovering the latest wallet-draining techniques, the team at Coinspect is focused on protecting one of the most important and vulnerable parts of the ecosystem: the users.

Coinspect’s Wallet Security Ranking is an objective, transparent, and regularly updated evaluation of leading cryptocurrency wallets. It focuses on critical security features like anti-phishing defenses, transaction clarity, and protection against blind signing, helping users choose wallets that prioritize their safety.
Link: https://www.coinspect.com/wallets/
Let’s dive into the news!
News
- Hackers Leak 86 Million AT&T Records with Decrypted SSNs.
- Bitopro Confirms $11M Hack, Taiwan Crypto Exchange Says it Has Replenished Lost Funds. The notification came shortly after ZachXBT exposed the hack about a month after the event.
- Bybit reveals security overhaul in response to $1.4B hack.
- New Chrome Zero-Day Actively Exploited; Google Issues Emergency Out-of-Band Patch.
Crime
- Alleged mastermind behind French crypto kidnapping spree arrested in Morocco.
- DOJ Seeks $7.7 Million Forfeiture in Crypto From North Korean Hackers Masquerading as IT Workers.
- The Department of Justice just seized crypto and 145 web domains from what they allege was an online marketplace for stolen credit cards - Fortune.
- Hacker arrested for breaching 5,000 hosting accounts to mine crypto.
Policy
- SEC Agrees to Drop Lawsuit Against Binance and Founder CZ.
- Argentina anti-corruption office clears Javier Milei in Libra crypto promotion scandal.
- Crypto groups push to add a bill that aims to protect software developers in overarching legislation.
- No, California didn’t pass a law to seize your idle bitcoin.
Phishing
- EF Security Checklist. Step by step guide to personal digital security and privacy including securing of your messaging, mobile devices, personal computers, smart home, email, physical security, and others.
- The Crypto Threat Landscape: Threats and Exploits Targeting Crypto Users by SomaXBT.
- Evolution of Web3 Phishing – From Email Scams to AI-Driven Hacks - Part 1 by Three Sigma.
- Automated Wallet Drainers & Smart-Contract Phishing Kits by Three Sigma.
- FBI warns of NFT airdrop scams targeting Hedera Hashgraph wallets.
- Understanding EIP-7702 Phishing Attacks: A Comprehensive Guide to Protection Strategies for Wallets by GoPlus Security.
- Crypto complacency: The hidden security threats at industry conferences by Kraken.
- Beyond the Pond Phish: Unraveling Lazarus Group's Evolving Tactics by BitMEX.
- Behind the Mask: SlowMist Reveals How a Fake Security Expert Tricked Crypto Users by Liz & Reborn (SlowMist).
Malware
- Multiple Gluestack NPM packages compromised.
- Cryptojacking Campaign Exploits DevOps APIs Using Off-the-Shelf Tools from GitHub.
- Android Trojan Crocodilus Now Active in 8 Countries, Targeting Banks and Crypto Wallets.
Media
- OpenSense - From Clueless to Confident: Sammy’s Web3 Security Journey.
- bountyhunt3rz - Episode 16 - 0xflint.
- Think Like an Attacker: Finding the Attack Vectors Before They Do by Riley Holterhus (Cantina).
- Building an Institutional-Grade Security Practice featuring Ryan (Gauntlet), Gal (Hypernative), Fives (SEAL), Tal, Julia, and Ziggy (ZeroShadow).
- 0xProfiles - Juno by Offbeat.
Contests
- Pectra Educational CTFs by Rotciv. EIP-7702 and other Pectra-related educational challenges.
Research
- Defining a new methodology for modeling and tracking compartmentalized threats by Talos. A great guide on threat modeling approaches, kill chains, and attribution.
- The Notorious Bug Digest #3 by Frank Lei & Ionut-Viorel Gingu (OpenZeppelin).
- Dodging a Bullet by Rekt. A case study for a successful bug bounty report in Vesu protocols on Starknet.
- Stablecoin Security: Economic Attack Vectors & Black Swan Failures by ImmuneBytes. A relevant read considering recent Chainlink $500K meltdown.
- EulerSwap auditing thought process thread with Daniel Von Fange.
- Rescuing funds with EIP-7702 by pcaversaccio.
- Rescuing a 100 ETH wallet on Base. The story of whitehats at Protofire who frontran a weakness for older Safe wallets.
- Standardizing wallet information so humans can actually know what they are signing by Patrick Collins. Watch this video and the Wise Signer tool for some context.
- Zokyo Auditing Tutorials.
- Decimal Dangers: Exploits from Math Mishaps in Web3 by Three Sigma.
- Institutional Wallet Security by ZeroShadow.
- Incident Post Mortem: op-geth<>op-reth Gas Refund Mismatch by Optimism.
- Pandora’s Box: How Unrestricted LLMs Threaten Crypto Security by SlowMist.
- A Security Engineer's Guide to Reviewing Core Blockchain Nodes by Kirk Baird (Sigma Prime).
- AI-Driven Threat Modeling – LLMs for Automated STRIDE Analysis by Fuzzing Labs.
- Why Web3 security is broken (2025 edition) by Charles Wang.
- Talking Transactions: Decentralized Communication through Ethereum Input Data Messages (IDMs).
- Transaction Proximity: A Graph-Based Approach to Blockchain Fraud Prevention.
- BRC20 Pinning Attack.
Tools
- eBurger - a static analysis tool that provides a way to quickly query and analyze Solidity smart contracts by forefy. A great tool and action to include in your CI pipeline.
- Radar - A static analysis tool for Anchor Rust programs by Auditware. Another great tool for the Solana/Rust CI pipeline.
Hacks
Marinade Finance
Date: May 9, 2025
Attack Vector: Reward Manipulation
Impact: $5,000,000
Chain: Solana
References:
https://gemini.google.com/share/4e16c93ca9f9
https://rekt.news/slow-roasted-stake
SSV Network
Date: November 11, 2024
Attack Vector: Server Compromise
Impact: PII Stolen
References:
https://x.com/hudsonjameson/status/1930436484533768288
https://x.com/TheAhmedEffect/status/1860215251263955421
https://handala-hack.to/ssv-blockchain-network-hacked/
BitoPro
Date: May 8, 2025
Attack Vector: Hot Wallet Compromise
Impact: $11,500,000
Chain: Ethereum, Tron, Solana, Polygon
References:
https://x.com/BitoEx_Official/status/1929476662120345863
https://www.bitopro.com/ns/en-US/announcements/1219
https://t.me/investigations/254
https://intel.arkm.com/explorer/entity/bitopro-hacker
Tail Metaverse
Date: June 02, 2025
Attack Vector: Reward Manipulation
Impact: $88,000
Chain: BSC
References:
https://x.com/TikkalaResearch/status/1929605800529649746
Exploit:
https://bscscan.com/tx/0x2d8befa28bf00788f44f925cc138b65e70e3b2c022c822acb015ba2749f55422
ForceBridge, Nervos
Date: June 02, 2025
Attack Vector:
Impact: $3,700,000
Chain: Ethereum, BSC
References:
https://x.com/CyversAlerts/status/1929428359856935185
https://x.com/magickbase/status/1929375666396418247
https://rekt.news/force-bridge-rekt
Exploit:
https://etherscan.io/tx/0x9a9b03985ff4ebc11490d4245d3a59af190bac6c1524475dd817e0ed62f0a213
TermMax
Date: June 06, 2025
Attack Vector: Price Oracle Manipulation
Impact: $18,000
Chain: Ethereum
References:
https://x.com/TikkalaResearch/status/1931065181116801281
https://x.com/TermMaxFi/status/1931090453539262598
Exploit:
https://etherscan.io/tx/0x85087fe62e46957b3bdc85c17a56aee22311763b93cf5ff935c21da4d7a7be73
Alex Lab
Date: June 06, 2025
Attack Vector: Reward Manipulation
Impact: $14,000,000
Chain: Stacks
References:
https://x.com/QuillAudits_AI/status/1930961780957757716
https://x.com/ALEXLabBTC/status/1930939119913542029
https://x.com/ALEXLabBTC/status/1931014419133169734
https://x.com/LNow_/status/1931063047411703896
https://x.com/LNow_/status/1931241540979925466
https://x.com/ma1fan/status/1931615831072313647
https://rekt.news/alexlab-rekt2
Exploit: