BlockThreat - Week 30, 2025

Greetings!

Over $15M was stolen across three incidents this week, with the majority of losses stemming from the compromise of the Woo X exchange. This marks the third CeFi platform breached in the past two weeks, bringing total losses to $85.2 million. As with the previous two incidents, private keys were not exposed. Attackers instead gained control of the exchange’s infrastructure, allowing them to drain funds from nine whale accounts.

The Tornado Cash trial against Roman Storm is unraveling into a circus, built on flawed blockchain tracing and a fundamental misunderstanding of how decentralized immutable smart contracts work. Prosecutors have misrepresented asset flows, ignored the fact that Storm had no control over the protocol once it was deployed, and continue to manipulate charges in an apparent effort to secure a conviction regardless of the facts or broader consequences. Storm has also been financially deplatformed without a conviction, effectively punished before trial. Hopefully the court sees through the charade and brings this misguided prosecution to an end.

Let’s dive into the news!

News

• Hackers fooled Cognizant help desk, says Clorox in $380M cyberattack lawsuit. When you rely on 3rd parties for internal or external support for your infrastructure, don’t be surprised when they don’t have the same security bar as you do.
• FBI drops probe of Kraken founder, returns dozens of seized devices.
• Roman Storm trial rocked by tracing errors and mistrial calls.
• The Hacken 2025 Half-Year Web3 Security Report.
• Gone Fast: Laundering Timing Report - H1 2025 by Global Ledger.

Crime

• Hacker Com: Cyber Criminal Subset of The Community (Com) is a Rising Threat to Youth Online by FBI.
• US woman helping DPRK infiltration nets 8.5 years in prison.
• Gang kidnapped barber they mistook for crypto billionaire.
• Bitcoin torture suspects granted bail in Manhattan court.
• NFTs qualify for trademark protection, Ninth Circuit rules, sending Yuga Labs case back for trial.
• Russia turns to Kyrgyzstan’s booming crypto sector to evade sanctions, researchers say.

Phishing

• Zombie dApps: Abandoned Web3 Sites Revived as Wallet Drainers by Coinspect.
• The Signature Trap: Why Wallet UX Is Failing Users in Web3 by Immune Bytes.
• Stop using Google search for crypto sites unless you enjoy playing Russian roulette with your wallet! by Scam Sniffer.
• Beware of Google Forms bearing crypto gifts by Kaspersky.
• PoisonSeed bypassing FIDO keys to ‘fetch’ user accounts by Expel.

Scams

• CASPER: Contrastive Approach for Smart Ponzi Scheme Detecter with More Negative Samples.
• An investigation into how @cryptobeastreal scammed followers by lying they were not behind the $ALT market cap crash by ZachXBT.

Malware

• Threat Intelligence: An Analysis of a Malicious Solana Open-source Trading Bot by Joker & Thinking (SlowMist).
• Soco404 and Koske Malware Target Cloud Services with Cross-Platform Cryptomining Attacks.

Media

• Decoding 2025’s Biggest Web3 Hacks: Lessons & Trends hosted by QuillAudits.

• ETH Belgrade 2025

  • Securing Ethereum Pectra before mainnet - Zigtur | Spearbit & Cantina

  • Promises and Limitations of Passkey-Based Smart Accounts - Sergey Potekhin | Pimlico.

  • How We Built a Local Cross-Chain Simulator - Andrej Rakic | Chainlink.

  • A Law Enforcement Approach to Digital Assets - Michael Halepas | BlockAML.

  • Fuzzing Liquity — Alex The Entreprenerd | Recon.

  • Killing with Keyboards – How Your Digital Footprint Can Be Weaponized — Noah Jelich.

  • How to be secure by design and not pay millions? — Damian Rusinek | Composable Security.

  • Don't get rekt: detecting phishing threats in crypto - tincho | The Red Guild.

  • Inflation Attacks: A deep dive on ERC-4626 - Cupojoseph | Nerite.org.

  • State of Python Tooling for Solidity Development - Michal Převrátil | Ackee Blockchain Security.

  • Solidity Internals - Raoul Schaffranek | Runtime Verification,

Research

• Blockchain Forensics: A Practical Guide to Tracing Stolen Funds by SomaXBT.
• Upgradeable Smart Contracts Explained (2025): Part 1 - Proxy & UUPS Patterns in Solidity by Three Sigma.
• Upgradable Smart Contracts Series: Part 2 - Top Smart Contract Vulnerabilities & Real-World Hacks by Three Sigma.
• Upgradable Smart Contracts Series: Part 3 - Secure UUPS & Transparent Proxies in Solidity by Three Sigma.
• Benchmarking LLMs agents for vulnerability research​ by Yacine Souam (Fuzzing Labs).
• Why Maintaining Privacy on Chain Matters in Bug Bounty Hunting by Thomas EDET.
• Under-Constrained Bug in BinaryMerkleRoot Circuit (Fixed in v2.0.0) by ZK-Kit team.
• Sui Move for EVM and SVM Developers: Part 1 - Mental Models by Ahmad Khan (Nirlin) from Adevar Labs.
• Cantina × Ethereum: $2M Pectra Security Competition. A collection of reports including details of a chain-splitting critical in EIP-2537.
• Attackers using EIP-7702 smart wallets to obfuscate exploits from block explorers thread by Tikkala Security.
• DePIN Security Best Practices by Paul (Spearbit).
• How to track your progress as a security researcher by Kris Renzo.
• LLMs at home: Become a self hosting nerd by Daniel Luca.
• Google Spoofed Via DKIM Replay Attack: A Technical Breakdown update with full replication by Gerasim Hovhannisyan (EasyDMARC).
• The CryptoNeo Threat Modelling Framework (CNTMF): Securing Neobanks and Fintech in Integrated Blockchain Ecosystems.
• Large Language Models in Cybersecurity: Applications, Vulnerabilities, and Defense Techniques.
• Airdrops: Giving Money Away Is Harder Than It Seems.
• ACFIX: Guiding LLMs with Mined Common RBAC Practices for Context-Aware Repair of Access Control Vulnerabilities in Smart Contracts.
• Hedge Funds on a Swamp: Analyzing Patterns, Vulnerabilities, and Defense Measures in Blockchain Bridges.
• Understanding Blockchain Governance: Analyzing Decentralized Voting to Amend DeFi Smart Contracts.
• Measuring CEX-DEX Extracted Value and Searcher Profitability: The Darkest of the MEV Dark Forest.
• Static Analysis for Detecting Transaction Conflicts in Ethereum Smart Contracts.
• Non-Solidity Audit Contests by Meowing.

Tools

• Oracle Drift by Recon. Given the price of two oracles and their deviation threshold, this tool will compute the maximum theoretical values that price feed can reach before it will trigger an update.
• Wise Signer Snap by Patrick Collins. A MetaMask Snap that uses Claude AI to explain blockchain transactions in plain English, helping users understand what they're signing before they sign it.
• Recent Smart Contracts by gegul. A helpful tool to hunt for vulnerabilities in recently deployed smart contracts on EVM chains.

Hacks

GLG

Date: July 21, 2025
Attack Vector: Stolen Private Keys
Impact: $745,000
Chain: BSC

References:

https://x.com/CertiKAlert/status/1947851150377816310
https://x.com/MayCommunity_5/status/1947497554469654812

Unkn_16d7c6

Date: July 23, 2025
Attack Vector: Insufficient Function Access Control
Impact: $610,000
Chain: BSC

References:

https://x.com/TenArmorAlert/status/1948063277864382599
https://x.com/Phalcon_xyz/status/1947978159149994231

Exploit:

https://bscscan.com/tx/0x960f3fbbe53b80bc306a64ad33d16dd73bfc164c787114d57cfe0080b5c10b08
https://bscscan.com/tx/0xc3745e4f08bcccaf3efe584a9408d77d675cb996151735c8deaff34997c3a10e
https://bscscan.com/tx/0xb92d3594b818470cc3f6c03eff4a9c5704d87df9749557336545c39c7b2bfed9

Woo X

Date: July 24, 2025
Attack Vector: Server Compromise
Impact: $14,000,000
Chain: Bitcoin, Ethereum, BSC, Arbitrum

References:

https://x.com/CyversAlerts/status/1948414103178924286
https://x.com/_WOO_X/status/1948400223761342920
https://x.com/_WOO_X/status/1948422045760389330
https://x.com/_WOO_X/status/1948403834406977748
https://x.com/BlockscopeCo/status/1948793062076940512
https://protos.com/crypto-exchange-woo-x-suspends-withdrawals-users-hacked-for-14m/