BlockThreat - Week 32, 2025
Tornado Cash | CrediX | Numa | DPRK
Greetings!
Tornado Cash remains at the center of regulatory battles, with developers and researchers facing mounting legal risks across borders. Roman Storm was convicted of unlicensed money transmission, a charge in direct conflict with recent federal precedent affirming that noncustodial DeFi developers should not be treated as money transmitters. At the same time, Turkey nearly repeated the Tigran Gambaryan playbook by detaining Federico Carrone, an incident defused only after swift international pressure. Together, these cases highlight the escalating legal dangers anyone working in the crypto privacy space.
Google just released a detailed report on the tactics used by a DPRK threat actor to breach the backend infrastructure of cryptocurrency projects, including the Safe Wallet compromise. Some high level TTPs:
- Initial vector is social engineering to execute malicious docker container.
- Social engineering occurred over Telegram and LinkedIn (job offer).
- Installed credential stealing malware.
- Bypassed cloud MFA through admin access and stolen cookies
- Injected malicious JS to subvert key signing by the quorum.
Key technical controls that failed in the two case studies:
- Failed endpoint detection.
- Unsecure cloud credentials.
- Unsecure processes for code review and CI/CD pipelines.
It’s time to train up personnel to recognize the latest social engineering tactics and harden infrastructure before these gaps are exploited.
Speaking of user security be sure to check out this week’s sponsor Coinspect.
Coinspect’s Wallet Security Ranking is an objective, transparent, and regularly updated evaluation of leading cryptocurrency wallets. It focuses on critical security features like anti-phishing defenses, transaction clarity, and protection against blind signing, helping users choose wallets that prioritize their safety.
Link: https://www.coinspect.com/wallets/
Let’s dive into the news!
Contests
- Wintermute Alpha Challenge 2025. Challenge your abilities to analyze DeFi exploits, onchain execution, and markets.
News
- Roman Storm Found Guilty of Unlicensed Money Transmission Conspiracy.
- Developer Arrested Over Tornado Cash Research. Federico Carrone was released after 24 hours following an overwhelming international intervention from UAE, UK, US, all around European Union, Argentina and the Catholic Church. A good ending to what could have been a Tigran Gambaryan style incident.
- AIxCC finals: Tale of the tape. Discusses various approaches to AI automatic bug finding and patching for DARPA’s AI Cyber Challenge competition.
- Coinbase Base network halts for 44 minutes due to ‘unsafe head delay’.
- Cracking the Vault: how we found zero-day flaws in authentication, identity, and authorization in HashiCorp Vault by Yarden Porat (Cyata).
- Cloud Threat Horizons Report by Google Cloud Security has an interesting section North Korea’s Social Engineering Leading to Cloud Compromises and Cryptocurrency Thefts. It has detailed TTPs used by a DPRK threat actor tracked as UNC4899 (TraderTraitor) to social engineer their way into crypto projects’ infrastructures such as Safe/Bybit, DMM Bitcoin and many others.
- Cursor Remote Code Execution Vulnerability (CVE-2025-54135).
- Coinbase's Base network resumes normal block production after temporary halt.
Crime
- FT3: Fraud Tools, Tactics, and Techniques Framework by Stripe. An ATT&CK-style security framework, specifically designed to enhance understanding of the tactics, techniques, and procedures (TTPs) used by actors in fraudulent activities.
- How North Korean IT workers leverage AI and vulnerable Americans to infiltrate US companies.
- Leak Reveals the Workaday Lives of North Korean IT Scammers by Matt Burgess (Wired).
- This man used a Coinbase-like URL — Now he’s facing a major lawsuit.
- Meta Removes 6.8 Million WhatsApp Accounts Linked to Pig Butchering Scam Rings.
- WNBA sex toy incidents started by Crypto meme coin group.
Policy
- Six months of crypto policy: The good, the bad, and the lingering questions by Peter Van Valkenburgh (Coin Center).
- SEC-Ripple enforcement case to end after motion to drop appeals.
Phishing
- MetaMask Security Report: July 2025 by Luker (Metamask).
- Reports of a malicious VSCode extension from juan-blanco designed to load additional payloads from a C2 server.
- Threat Intelligence: Uncovering a Web3 Interview Scam by Joker & Ccj (SlowMist).
- North Korean Hackers Are Using Fake Job Offers to Breach Cloud Systems, Steal Billions in Crypto.
- The address 0x2d98...6695 has fallen victim to a phishing attack, resulting in a loss of 3.05M $USDT by Peckshield.
- An EIP-7702 upgraded address lost $66k to phishing using batch transfers disguised as Uniswap swaps by Scam Sniffer.
- Aave Users Targeted by Google Ads Phishing Scam After $60B Milestone.
- 15,000 Fake TikTok Shop Domains Deliver Malware, Steal Crypto via AI-Driven Scam Campaign.
Scams
- Abracadabra by Rekt. Follows the story of Abra Global with many locked out international customers.
- CrediX Finance Faces 4.5M Exploit (Exit Scam Analysis) by QuillAudits.
- Solana Labs and Jito Labs served Pump Fun lawsuit.
Malware
- GreedyBear: 650 Attack Tools, One Coordinated Campaign by Koi Security. The report reveals a massive campaign of 150 weaponized Firefox extensions that stole $1M in cryptocurrency assets.
- Smart Contract Scams - Ethereum Drainers Pose as Trading Bots to Steal Crypto by Sentinel One. More than $900K stolen according to the report.
- Scammers mass-mailing the Efimer Trojan to steal crypto by Artem Ushkov (Kaspersky).
- Threat actor uses AI to create a better crypto wallet drainer by Paul McCarty (Safety). A deep dive into a malicious npm package loaded 1500 times.
- GitLab uncovers Bittensor theft campaign via PyPI by Gitlab.
- 60 Malicious Ruby Gems Used in Targeted Credential Theft Campaign by Kirill Boychenko (Socket).
Media
- Roman Storm Found Guilty: What Does the Money Transmission Conviction Mean? by Rage.
- Live on X with QuillAudits: Decoding 2025's biggest web3 hacks - lessons & trends by Guardrail.
- bountyhunt3rz - Episode 22 - mackenzie.
- Rektoff - Symbolic Execution for Software Security: Practical Guide with publicqi.
- Rektoff - Advanced Solana Vulnerabilities with r0bre.
- Rektoff - Fuzzing Solana Programs with Trident (by Ackee).
- Rektoff - Solana security audits: what to do & what not to do with David (Oshield).
- Zokyo - Differential Testing Workshop with Mahmoud Fathy.
- Zokyo - Oracle Security Workshop with Jose Zokyo.
- The Network Podcast - Using AI as you're learning to audit with Josselin Feist.
- Secure Your ZK Code: Best Practices for Devs & Auditors by rxyz.
- ERC-4626 Vaults & the Inflation Attack Vector by Akshay (QuillAudits).
- COSCUP 2025 Slide Decks hosted by DeFiHackLabs with coverage of Unphishable, use of AI in smart contract audits, and various ERC standards.
Research
- The Ultimate Web3 Security Checklist by Digibastion. A comprehensive checklist including personal, devops, mobile, browser, and other security topics.
- The Notorious Bug Digest #4: Deflationary Token Risks, ERC4626 Override Gaps, and Rust Shift Overflows by Ionut-Viorel Gingu & Jainil Vora (OpenZeppelin).
- AI Auditing Benchmark: A Primer by Antonio Viggiano.
- Secure Contract Development in TON: Top 9 Pitfalls in Tact & FunC by Paul (Cantina).
- Writing Verification-friendly Smart Contracts in Rust by Chandrakana Nandi (Certora).
- ERC721's _safeMint can be exploited to bypass supply limits and drain NFT collections by Wake Framework.
- The Real Minimal Proxy - Powered by EIP-7702 by ChainSecurity.
- Understanding Auto Market Makers for bug bounty by Thomas EDET.
- ZK Math 101: Rings and Fields by Ciara Nightingale (Cyfrin).
- Prompt to Pwn: Automated Exploit Generation for Smart Contracts.
- NATLM: Detecting Defects in NFT Smart Contracts Leveraging LLM.
- MultiCFV: Detecting Control Flow Vulnerabilities in Smart Contracts Leveraging Multimodal Deep Learning.
- UEChecker: Detecting Unchecked External Call Vulnerabilities in DApps via Graph Analysis.
- Measuring CEX-DEX Extracted Value and Searcher Profitability: The Darkest of the MEV Dark Forest.
- Slow is Fast! Dissecting Ethereum's Slow Liquidity Drain Scams.
- 4-Swap: Achieving Grief-Free and Bribery-Safe Atomic Swaps Using Four Transactions.
- AI Agent Smart Contract Exploit Generation.
- Phantom Events: Demystifying the Issues of Log Forgery in Blockchai
- Prompt injection engineering for attackers: Exploiting GitHub Copilot by Kevin Higgs (Trail of Bits).
Tools
- Introducing sol-azy: A CLI Toolkit for Solana Program Static Analysis & Reverse Engineering by Fuzzing Labs.
- Solana Analyzer by Scab24. A powerful static analysis tool for Solana smart contracts written in Rust. Detect vulnerabilities, security issues, and code quality problems in your Solana/Anchor projects.
- Buttercup is now open-source! by Trail of Bits.
- pbctf23-move-vm by publicql. Move Bytecode Symbolic Execution Engine.
- Token Risks API by Hexens. Automatically identifies concerning properties such as external calls in transfer functions, balance manipulation, etc using Glider.
- FACADE High-Precision Insider Threat Detection Using Contrastive Learning.
- ChromeAlone - A Browser C2 Framework by Praetorian.
- BonkFun Migration Sniper by FuzzLand.
Hacks
CrediX Finance
Date: August 04, 2025
Attack Vector: Key/Signer Compromise
Impact: $4,500,000
Chain: Solana
References:
https://x.com/BlockscopeCo/status/1952397315861250328
https://x.com/CertiKAlert/status/1953752324909707322
https://x.com/SlowMist_Team/status/1952312873822396712
https://quillaudits.medium.com/credix-finances-4-5m-exploit-96526a5119cc
https://www.theblock.co/post/365458/solana-lender-credix-defi-exploit
https://x.com/CrediX_fi/status/1952296077308428311
https://rekt.news/credix-rekt
Exploit:
https://sonicscan.org/tx/0x0cc3520951a2b41281dcc9a0d37ef3f7f139b75675d83ae72e3b8e903334f35e
Vodra
Date: August 07, 2025
Attack Vector:
Impact: $83,000
Chain: Solana
References:
https://x.com/vodra/status/1953653576774901913
Exploit:
Aurora
Date: August 07, 2025
Attack Vector: Insufficient Function Access Control
Impact: $240
Chain: Near
References:
https://x.com/alexauroradev/status/1953795850406437264
Exploit:
Unkn_6c80d6
Date: August 07, 2025
Attack Vector: Reentrancy
Impact: $10,000
Chain: Ethereum
References:
https://x.com/TikkalaResearch/status/1953610898133991716
Exploit:
https://etherscan.io/tx/0x467d3f58707dc4922ed27398162f8e09535ecf1b4545bfd8cbe073f4433f9f54
Whales
Date: August 09, 2025
Attack Vector: Reward Manipulation
Impact: $23,000
Chain: Ethereum
References:
https://x.com/roffett_eth/status/1954208887890133005
https://x.com/roffett_eth/status/1954214180833366527
Return:
https://etherscan.io/tx/0x1127415f0a4830aed0ee8fc64021580aba0ebf52e312024c612a7e690f90483b
Exploit:
https://etherscan.io/tx/0xe006430b995941f9a738d2bad3cf0a0e972398fab29e8376c820c9245af5bc06
https://etherscan.io/tx/0x94de4c7cde396a35f46d48b7d488553fa82fd4c1fe8a2e90c50dd20308290d20
WXC
Date: August 10, 2025
Attack Vector: Price Oracle Manipulation
Impact: $30,900
Chain: BSC
References:
https://x.com/TenArmorAlert/status/1954774967481962832
Exploit:
https://bscscan.com/tx/0x1397bc7f0d284f8e2e30d0a9edd0db1f3eb0dd284c75e30d226b02bf09ad068f
Numa
Date: August 10, 2025
Attack Vector: Reward Manipulation
Impact: $313,000
Chain: Sonic
References:
https://x.com/extractor_web3/status/1954832372534243738
https://www.certik.com/resources/blog/numa-incident-analysis
Exploit:
https://sonicscan.org/tx/0x56abdbc84232658617853f233f52e6b4c855129c7ab163a588c2bac62ea30408
https://sonicscan.org/tx/0x230467308679169c3cb6966b43759ba53d1ee856b4148ff936f8f8638353a710
https://sonicscan.org/tx/0x916fc5e65eec759979529336522fe7c83a346b5a91d7ac6b6f0a748a3b36eb30