BlockThreat - Week 27, 2025

Greetings!

Over $5.5 million was stolen this week across three protocols, using familiar attack vectors like price oracle manipulation and private key theft. But it was the controversy surrounding the massive 80,000 BTC transfer that truly stole the spotlight.

A mysterious on-chain campaign was spotted targeting dormant 2011-era Bitcoin wallets. It uses OP_RETURN transactions to send legal notices along with links to an online form that collects sensitive wallet data. One of the recipients moved 80,000 BTC ($8.6B) which triggered a wave of speculative frenzy. Theories emerged, ranging from a hack or ECDSA nonce reuse exploit to a coordinated legal seizure. A questionable legal entity calling itself Salomon Brothers shared a statement that their client “seeks to mitigate global security issues presented by the abandoned wallets.” Despite all the noise, there is still no concrete evidence of what would have been the largest hack in Bitcoin’s history.

Oak Security has operated in Web3 Security since 2017, providing security services throughout a project's lifecycle. This includes audits, penetration testing, operational security training, and advisory services. Our signature blinded process emphasises redundancy: Every line of code is reviewed by multiple auditors with a multi-disciplinary background in parallel.

Link: https://www.oaksecurity.io/

Let’s dive into the news!

News

• CVE-2025-32462 , CVE-2025-32463 Sudo chroot, host Option Elevation of Privilege Vulnerabilities by Rich Mirch (Stratascale). A 12 year old vulnerabilities found in the most audited security utility. Leaving this here in case you feel like all of the bugs have already been found ;-)
• AT&T now lets you lock down your account to prevent SIM swapping attacks.
• How a Hacker Spent Only $2.7K to Steal $140 Million From Brazilian Banks.
• The state of The Red Guild #17.
• OpenZeppelin is sunsetting Defender security dashboard.
• 2025 Q2 MistTrack Stolen Funds Analysis by Lisa (SlowMist).
• 2025 Mid-year Blockchain Security and AML Report by SlowMist.
• Hack3d: The Web3 Security Quarterly Report - Q2 + H1 2025 by CertiK.

Crime

• $2,800 bribe led to $148m hack of Brazilian finance firms; $40m laundered via crypto.
• Bitcoin dev Jon Atack got arrested in El Salvador this weekend.
• Crypto investment fraud ring dismantled in Spain after defrauding 5000 victims worldwide by Europol.
• Treasury Sanctions Global Bulletproof Hosting Service Enabling Cybercriminals and Technology Theft.
• Justice Department Announces Coordinated, Nationwide Actions to Combat North Korean Remote Information Technology Workers’ Illicit Revenue Generation Schemes.
• Four North Koreans Charged in Nearly $1 Million Cryptocurrency Theft Scheme.
• He Thought an Employee Stole Crypto. The FBI Says It Was a North Korean Scammer.
• Burwick Law wants a $440M crypto lawsuit served via NFT.
• Online hacks to offline heists: crypto leaders on edge amid increasing attacks.
• ZKasino rug pull suspect arrested in United Arab Emirates.

Phishing

• A Popular Solana Tool on GitHub Conceals a Crypto-Stealing Trap by Thinking (SlowMist).
• Comprehensive On-Chain Phishing Analysis and User Anti-Fraud Guide by SafePal and GoPlus.
• The Synthetix main X(Twitter) account has been hacked.
• Inside a malicious job interview repo by pcaversaccio.
• Scammer Posed as Trump-Vance Official to Steal $250K in Crypto.
• AI-Themed SEO Poisoning Attacks Spread Info, Crypto Stealers.

Scams

• The Eco-Friendly Rug Pull by Rekt.

Malware

• macOS NimDoor - DPRK Threat Actors Target Web3 and Crypto Platforms with Nim-Based Malware by Phil Stokes & Raffaele Sabato (Sentinel One).
• FoxyWallet: 40+ Malicious Firefox Extensions Exposed by Yuval Ronen (Koi Security).
• Exposed JDWP Exploited in the Wild: What Happens When Debug Ports Are Left Open by Yaara Shriki, Gili Tikochinski (Wiz).

Media

• Crypto In America - Roman Storm Breaks Silence on Tornado Cash & DOJ Court Case.

• EthCC[8] 2025 - Security and related talks:

  • Tincho (The Red Guild), Matta (The Red Guild) - Practical phishing detection with The Phishing Dojo.

  • Maxim Andreev - Reconstructing Control Flow Graphs from EVM Bytecode: Faster, Better, Stronger.

  • Jan Gorzny - Challenges of Replicating Historical Exploits.

  • Jack Sanford (Sherlock) - Zero to Smart Contract Auditor in 1 Month.

  • nisedo (Trail of Bits) - How to Become a Smart Contract Auditor.

  • Robin Guerchon(Ministry of interior - Cyberspace)-Cryptoassets security: protecting people and funds.

  • Matthias Egli (Chainsecurity), Julien Bouteloup (Rekt)-Top Hacks since ETHCC 2024.

  • noid (Kraken)-Troll, but Verify: Security Lessons from North Korean Job Candidates.

  • Karolina GORNA (Ledger) - Hunting Blockchain Clients' Bugs with Concolic Execution.

  • Bartek Kiepuszewski (L2BEAT) - State of L2s after recategorization.

  • Michael Zaikin (StarkWare)-On the security challenges of L2 and L3 AppChains.

  • Ellie (Espresso Systems) - Are sequencer confirmations good enough?

  • Ábel Nagy (Budapest, Eötvös Loránd University) - Forking RANDAO Manipulations.

  • Ray Orlev (Certora) - Restaking Protocols: Exposing the Achilles' Heels.

  • Noah Jelich - Killing with Keyboards – How Your Digital Footprint Can Be Weaponized.

  • Charles Guillemet (ledger) From Chaos to confidence: Simulate and clear sign your transactions.

  • Ryan McPeck (MetaMask) - Next-Gen Permissions: How MetaMask is Empowering Users.

  • Mooly Sagiv (Certora) Securing AI-Assisted DeFi Development with Formal Verification.

  • Pamina Georgiou (Certora) - Securing your protocol with the Certora Prover.

  • Uri Kirstein (certora) - Best of both fuzzing and formal verification.

  • Kostas Ferles (Veridise) - ZKVM Determinism That Lasts: From Audits to Continuous Verification.

  • Agustincito (SCI) - SCI: Enhancing Web3 Security Through Smart Contract Verification.

  • Benjamin Samuels (Trail of Bits)-The $1.5B Problem: How Exchanges Can Build Safer Cold Storage.

  • btchip, Julien Ready, Seb - Self-custody: for hippies VS for heroes.

  • CvH (Polygon)-The harsh reality of being a CISO.

  • Maya Dotan - UnSafe: When web2 security undermines web3.

  • EMRAH SARIBOZ (Coinbase), Tom Ryan (Coinbase)-You Deployed Your Project, Now What?

  • Jonathan Levin - Shut the windows and lock the front door, preventing fund losses in 2025.

  • Remi Gai (Inco) - Confidential ERC20 Framework: A New Primitive for Onchain Confidentiality Propose.

  • Christoph Niemann (AWS) - Indexing Blockchains.

  • btchip (ZKNox), Christina Frankopan (Lazard), Anya Nova (GK8 ) - Personal opsec: Bling vs bland.

  • Deli Gong - Ethereum’s future hinges on TEEs.

  • Ouriel ohayon (Zengo) - Physical and Digital protection for crypto entrepreneurs.

• Episode 18 - riptide.

• Episode 19 - 0xe4669da [SPECIAL n00b EDITION].

• Offbeat (@offbeatblog_eth) on X.

  🚨 PSA - The F*ck Kim Jong family test is compromised 🚨 The entire family is onto us. Stay safu!

Research

• Pwning Solana for Fun and Profit - Exploiting a Subtle Rust Bug for Validator RCE and Money-Printing by Anatomist.
• Rekt - After the Post-Mortem. The story with the Cork Protocol hack continues.
• LISA Achieves 90% Detection on OWASP Smart Contract Top 10.
• Access Control Flaw in Hyperlane's Rate-Limited ISM and Hook by Sujith Somraaj.
• Supply Chain Attacks in The Solana Ecosystem by Catalin Neagu (Adevar Labs).
• Bug Hunt: Zero-Knowledge, Full-Paranoia, and the AI That Stares Back by ZKSecurity.
• Using Claude To Evolve Specialist AI Smart Contract Auditors by Dacian.
• Inside the Nobitex Breach: What the Leaked Source Code Reveals About Iran’s Crypto Infrastructure by TRM.
• Magic Animal Carousel: Full Exploit and Vulnerabilities by Cyphertux.
• The Need for Robust Web3 Pentesting and Supply Chain Security by Chirag Agrawal (Guardrail).
• Rational Censorship Attack: Breaking Blockchain with a Blackboard.
• Blockchain Address Poisoning.

Tools

• LISA - An LLM-powered Intelligent Security Analyzer.
• Quimera - feedback-driven exploit generation for Ethereum smart contracts using LLMs.
• AI Auditor Primers by Dacian. This repository contains open-source Primer documents to be ingested by AI prior to conducting smart contract audits.
• Audit Contests Rewards Calculator by valuevalk.
• deployment_validation - Simplified Deployment Validation of EVM-Based Smart Contracts by ChainSecurity.

Hacks

FPC (Future Protocol)

Date: July 02, 2025
Attack Vector: Price Oracle Manipulation
Impact: $4,700,000
Chain: BSC

References:

https://x.com/TenArmorAlert/status/1940423393880244327
https://blog.verichains.io/p/burned-by-design-the-fatal-flaw-behind

Exploit:

https://bscscan.com/tx/0x3a9dd216fb6314c013fa8c4f85bfbbe0ed0a73209f54c57c1aab02ba989f5937

Neemo

Date: July 05, 2025
Attack Vector: Stolen Private Keys
Impact: $625,000
Chain: Ethereum

References:

https://x.com/TenArmorAlert/status/1941689712621576493
https://x.com/neemofinance/status/1941808285721743608
https://medium.com/@neemo_fi/neemo-post-mortem-report-76ff2bacb0b8

Exploit:

https://etherscan.io/tx/0xa57ec56af91ec70517ca71ca50101958d9c2ec9fdb61edcf35a9081c375725c2

RANT

Date: July 05, 2025
Attack Vector: Price Oracle Manipulation
Impact: $203,800
Chain: BSC

References:

https://x.com/TenArmorAlert/status/1941519470016557290
https://x.com/Phalcon_xyz/status/1941788315549946225

Exploit:
https://bscscan.com/tx/0x2d9c1a00cf3d2fda268d0d11794ad2956774b156355e16441d6edb9a448e5a99