BlockThreat - Week 29, 2025
BigONE | CoinDCX | Arcadia Finance | Tornado Cash | Silk Road 2.0
Greetings!
It has been a rough week, folks. Almost $75 million was stolen across six separate incidents. Most of the losses came from hot wallet compromises at two exchanges: BigONE with $27 million and CoinDCX with $44.2 million. A key pattern in both cases is that the attackers did not go after the private keys directly. Instead, they took control of the infrastructure responsible for managing those keys. Another shared issue was the delay in notifying users. CoinDCX waited nearly a full day to make a public statement, while BigONE took about half a day. But you cannot quietly move millions onchain without being noticed, so it was the blockchain security community that first flagged these hacks.
Sometimes being too secure can backfire. In the case of Arcadia ($3.6M stolen), strict safeguards designed to protect the protocol made it harder to respond during the attack. After the protocol had been paused and then unpaused in response to what appeared to be a false alarm, the cooldown mechanism disabled the ability to pause it again. This created a window for the attacker to exploit a critical vulnerability and drain funds without interruption. Although circuit breakers existed, they could only be triggered after the cooldown period ended. In this situation, security controls intended to prevent abuse ended up turning defense into a liability.

Let’s dive into the news!
News
- Tornado Cash Trial Begins with Discussions around Motions In Limine and Data Custodians and Tornado Cash Trial Day 2: Prosecution and Defense Tell Different Stories about Roman Storm. One witness, Andre Marcus Quiddaoen Llacuna, testified that he used Tornado Cash to launder proceeds from an NFT rug pull, a move that ultimately proved futile, as he still faces up to 20 years in prison.
- ‘Existential Threat’: Bitcoin Proposal Would Freeze Satoshi’s Quantum-Vulnerable Coins.
- Mid-Year Crypto Crime Report - H1 2025 by Blockscope.
- 2025 Crypto Crime Mid-year Update: Stolen Funds Surge as DPRK Sets New Records by Chainalysis.
- The state of cross-chain crime 2025 by Elliptic.
- 2025 H1 Report: Crypto Exploits and Security Breaches by QuillAudits.
- State of Code Security in 2025 by Wiz. Exposed secrets and keys, broken CI/CD, permissions, and other familiar flaws from tradsec.
Crime
- North Korea Laundered $1 Billion of Crypto in 4 Months. How Industry Leaders Can Change Crypto Freezes and Recovery by ZeroShadow.
- Former National Crime Agency officer jailed for over 5 years for stealing bitcoin now worth $5.9 million. Paul Chowles stole bitcoin from the Silk Road 2.0 operator, Defcon. It’s an odd repeat of two corrupt agents stealing funds from the original Silk Road just a few years earlier.
- Following the Frozen: An On-Chain Analysis of USDT Blacklisting and Its Links to Terrorist Financing by BlockSec.
- How Crypto Money Launderers Unfreeze Flagged Funds on Exchanges by Nefture Security.
- FBI Tracks 1,610 BTC to Armenian Hacker in Explosive Ransomware Case.
- Seven crypto ATMs seized and two arrested on suspicion of running illegal cryptoasset exchange by British FCA and the Metropolitan Police Service.
- Abacus Dark Web Market Possible Exit Scam with the Bitcoin Payments They Hold.
- DEA, FBI seize $10 million in cryptocurrency 'directly linked to the Sinaloa cartel'.
Policy
- Trump administration ends Polymarket investigations without charges.
- GENIUS Act Passes: Who Are the Winners, Losers, and What Comes Next?
Phishing
- Report of a Trezor phishing campaign by Pablo Sabbatella (OpSek).
- New North Korean malware targets crypto startups via fake Zoom invites by Ray Fernandez (Moonlock).
- Dark Partners: Multi-Platform Crypto Theft via Fake AI, VPN, and Software Sites by Wes (Alphahunt).
- Multiple reports of wallet drains on Solana. Nova issued a statement that their project does not have any apparent vulnerabilities.
Scams
- 13 Billion RMB Vanished: The Collapse of the Xinkangjia DGCX Scam by Lisa and Keywolf (SlowMist).
Malware
- Old Miner, New Tricks - H2miner Resurfaces with Lcrypt0rx Ransomware by Akshat Pradhan (Fortinet).
- CryptoJacking is dead: long live CryptoJacking by Himanshu Anand (C/Side).
- Contagious Interview Campaign Escalates With 67 Malicious npm Packages and New Malware Loader by Kirill Boychenko (Socket).
Media
- bountyhunt3rz - Episode 21 - danielvonfange.
- Electi Security - Block 7 Guest speaker: DevDacian - Smart Contract Heuristics & Auditor Branding.
- Wallet Security with Patrick Collins and Xavier Hendrickx. A good discussion on present and future wallet security trends.
- Summercon 2025 - Cracking DePIN: Decentralized Devices, Centralized Disasters.
- How Echidna inflated 100s of Millions in Voting Power: Writing and Breaking Properties by Alex (Recon).
Research
- Tokens missent to the 1inch Aggregation Router? Forget about them by Carnontec. About $520K worth of missent funds were quietly drained.
- The Reentrancy Riddle — Dissecting The Legendary Bug That Changed Ethereum Forever by Shashank Mudgal.
- Decoding Solidity Metadata by jmcph4.
- Safe: Ownership Infra Layer For Onchain Applications by c4lvin and JW (Four Pillars).
- LLAMA: Multi-Feedback Smart Contract Fuzzing Framework with LLM-Guided Seed Generation.
- Evasion Under Blockchain Sanctions.
- Measuring CEX-DEX Extracted Value and Searcher Profitability: The Darkest of the MEV Dark Forest.
- Inside ZKStack's Crosschain Architecture — Part I: A Deep Dive into Merkle Tree Hierarchies by Andrianna Polydouri & Yuguang Ipsen (OpenZeppelin).
Tools
- Halmos v0.3.0 released. Additions include stateful invariant fuzzing(!), coverage reports, more solver support, and more.
Hacks
Arcadia Finance
Date: July 15, 2025
Attack Vector: Arbitrary External Calls
Impact: $3,600,000
Chain: Base
References:
https://x.com/TenArmorAlert/status/1945008639011340395
https://x.com/shoucccc/status/1945022619063144856
https://x.com/exvulsec/status/1945013507805827429
https://jmcph4.dev/wiki/exploits/arcadia.html
https://arcadiafinance.notion.site/Arcadia-Post-Mortem-14-07-2025-23104482afa780fdb291cd3f41b7fc99
https://x.com/SuplabsYi/status/1945041597118476467
https://www.certik.com/resources/blog/arcadia-incident-analysis-arbitrary-swapData
Exploit:
https://basescan.org/tx/0x06ce76eae6c12073df4aaf0b4231f951e4153a67f3abc1c1a547eb57d1218150
https://basescan.org/tx/0x0b9bed09d241cef8078e6708909f98574c33ee06abcc2f80bc41731cd462d60b
https://basescan.org/tx/0x723989a674074eab665dc93cef3b123f0f5cea764dbfbeb6c8a8c80278d0bc09
https://basescan.org/tx/0x49548943f2d7703336813a59e60e70b77d00bf7e47523eaf5514951f992ef4b3
VDS Vault
Date: July 16, 2025
Attack Vector:
Impact: $13,000
Chain: BSC
References:
https://x.com/CertikAIAgent/status/1945665127296221499
https://x.com/SlowMist_Team/status/1945672192471302645
Exploit:
https://bscscan.com/tx/0x0e01fd8798f970fd689014cb215e622aca8b7c8c243176c5b504e0043402e31f
BigONE
Date: July 16, 2025
Attack Vector: Hot Wallet Compromise
Impact: $27,000,000
Chain: Bitcoin, Tron, Ethereum, Solana
References:
https://www.theblock.co/post/362814/bigone-hack
https://x.com/SlowMist_Team/status/1945346830222680330
https://x.com/CyversAlerts/status/1945357704815378453
https://x.com/PeckShieldAlert/status/1945365665768218646
https://x.com/lookonchain/status/1945360349269778527
https://x.com/zachxbt/status/1945365902133727266
https://bigone.zendesk.com/hc/en-us/articles/48916067512345-BigONE-Security-Incident-Disclosure-and-Progress-Update-July-16
https://rekt.news/bigone-rekt
Exploit:
CoinDCX
Date: July 18, 2025
Attack Vector: Hot Wallet Compromise
Impact: $44,200,000
Chain: Solana
References:
https://x.com/CyversAlerts/status/1946625586597888163
https://x.com/smtgpt/status/1946597988660645900
https://www.theblock.co/post/363479/coindcx-ceo-blames-server-breach-for-44-million-exploit-indian-firm-will-cover-losses
Exploit:
Stepp2p
Date: July 20, 2025
Attack Vector:
Impact: $43,000
Chain: BSC
References:
https://x.com/TenArmorAlert/status/1946887946877149520
Exploit:
https://bscscan.com/tx/0xe94752783519da14315d47cde34da55496c39546813ef4624c94825e2d69c6a8
Unkn_245a55
Date: July 20, 2025
Attack Vector:
Impact: $32,000
Chain: Ethereum
References:
https://x.com/TenArmorAlert/status/1946887946877149520
Exploit:
https://etherscan.io/tx/0xa02b159fb438c8f0fb2a8d90bc70d8b2273d06b55920b26f637cab072b7a0e3e