BlockThreat - Week 25, 2025

Nobitex, Meta Pool, Bankroll Network, CoinMarketCap, Hacken

Peter Kacherginsky

24 Jun 2025 • 7 min read

Greetings!

The cryptocurrency industry may have just experienced its Stuxnet moment. On June 18th, a pro-Israel threat actor compromised a hot wallet belonging to Nobitex, Iran’s largest crypto exchange. Coming amidst escalating conflict between Israel and Iran, the attack was overtly political with $90 million in stolen assets were sent to wallets with addresses like 1FuckiRGCTerroristsNoBiTEXXXaAovLX. Just as Stuxnet used code to sabotage Iran’s nuclear ambitions, this breach signals a turning point: crypto infrastructure is no longer just financial plumbing, but a strategic national asset and a legitimate target in geopolitical conflict. As blockchain systems become further entangled in the global power structure, a new paradigm is emerging where code is power. And where there is power, there will be adversaries. Nobitex may be the first prominent casualty in a new frontier, where exchanges, validators, and even entire chains become proxy battlefields in an evolving, asymmetric cyberwar. Western platforms like Coinbase, Kraken, Gemini, and others would be naive to think they are immune.

This week also highlighted a troubling trend in phishing and user-targeted attacks. It began with a compromise of CoinMarketCap, where a malicious JavaScript payload with a drainer was injected via a third-party dependency. Soon after, Cointelegraph was also compromised, displaying a crypto drainer popup to unsuspecting users. Last week’s edition focused on the growing threat of supply chain compromises, it’s disheartening to see this already well-known attack vector being exploited yet again to target end users directly. Theft from users is particularly damaging as it erodes the trust that underpins our ecosystem. And without trust, this industry cannot grow.

Speaking of user trust be sure check out the excellent work to uplevel wallet security by this week’s sponsor, Coinspect.

Coinspect’s Wallet Security Ranking is an objective, transparent, and regularly updated evaluation of leading cryptocurrency wallets. It focuses on critical security features like anti-phishing defenses, transaction clarity, and protection against blind signing, helping users choose wallets that prioritize their safety.

Link: https://www.coinspect.com/wallets/

Everyone in blocksec fucks up. It’s part of building in a fast-moving, adversarial, and still-maturing ecosystem. But lately, I’ve noticed a troubling trend: instead of learning from each other’s failures, parts of the community are turning on one another. One recent flame war erupted when a security firm raised valid concerns about the quality of a private audit of a recently compromised protocol. What could’ve been a constructive conversation quickly devolved into public finger-pointing, with the attacker gleefully fueling the drama through onchain taunts. Two more conflicts followed with one involving a private key compromise at a security company and another where a malicious insider exploited a privately disclosed vulnerability. All of these incidents sparked even more accusations, distrust, and taunting.

These incidents are reminders that no one is immune to mistakes. But how we respond matters more than who screwed up. We’re still a small, young industry, and infighting only weakens us while giving attackers exactly what they want. The true villains here are not the audit firms that sometimes should have known better, but the ones who exploit, steal, and burn trust to the ground.

It inevitable that we’ll keep fucking up. But if we own our mistakes, support each other through them, and stay focused on the shared mission of securing the ecosystem, we’ll come out stronger.

Before we dive into this week’s flood of phishing attacks and DeFi hacks, a quick word from our sponsor — Oak Security, a trusted auditor behind some of the ecosystem’s most unique protocols and a long-time supporter of this newsletter.

Oak Security has operated in Web3 Security since 2017, providing security services throughout a project's lifecycle. audits. This includes audits, penetration testing, operational security training, and advisory services. Our signature blinded process emphasizes redundancy: Every line of code is reviewed by multiple auditors with a multi-disciplinary background in parallel.

Link: https://www.oaksecurity.io/

Let’s dive into the news!

Malware

Famous Chollima deploying Python version of GolangGhost RAT by Vanja Svajcer (Cisco Talos). A new variant of the malware family used in fake job interviews targeting crypto industry.
DPRK IT Worker-Related Account Takeover by blackbigswan (Ketman). A deep dive into take over of Keeper-Wallet (Waves Wallet).
Resurgence of the Prometei Botnet by Unit 42 Palo Alto. Yet another cryptojacking campaign.

Media

bountyhunt3rz - Epsiode 17 - lonelysloth.
DSS Webinar - Web 3 Security in Argentina.
Offbeat - 0xProfiles - Riley Holterhus.

Research

Historical web3 contest payouts analysis by wellbyt3.
Advanced Foundry Cheatcodes Series Part 1 Part 2 Part 3 Part 4 by Three Sigma.
Permanent Chain Split in Movement Full Node: Anatomy of a $6,710 Critical Vulnerability That Required a Hard Fork by Yunus Emre Sarıtoprak.
Subgroup Pitfalls in zk-Proofs and Real-World Exploits by Hexens.
What Are BLS Signatures and How Do They Work? by Sylvain Pelissier (Zellic).
Pairing-Based Cryptography Demystified: A Deep Dive into Elliptic Curves by Fuzzing Labs.
Unexpected security footguns in Go's parsers by Vasco Franco (Trail of Bits).
Blockchain Address Poisoning.
zkMixer: A Configurable Zero-Knowledge Mixer with Anti-Money Laundering Consensus Protocols.
Consensus Power Inequality: A Comparative Study of Blockchain Networks.
A theory of Lending Protocols in DeFi.
Explain First, Trust Later: LLM-Augmented Explanations for Graph-Based Crypto Anomaly Detection.
Cross-Chain Arbitrage: The Next Frontier of MEV in Decentralized Finance.

Tools

Quimera by Gustavo Grieco. Data-driven exploit generation for Ethereum smart contracts using LLMs and Foundry
Solodit MCP Server by Lyuboslav Lyubenov. A Model Context Protocol (MCP) server for searching and retrieving Solodit vulnerability reports.
PoC of Ethereum Proxy Contract Analysis & Exploitation Pipeline by Thomas EDET. Detects common issues in EIP1967 transparent proxy initialization.