BlockThreat - Week 33, 2025

Greetings!

BtcTurk has once again suffered a serious incident with this week’s hot wallet compromise resulting in the loss of $51.7M. This follows a $54M hack in June 2024 and an earlier 2018 incident where its user database was leaked on RaidForums. Two major $50M-plus losses in just over a year point to a troubling pattern and highlight a clear lack of fundamental security controls in their wallet infrastructure.

Speaking of unfortunate hacks, Coinbase inadvertently granted ERC-20 spending approval rights to 0x project’s permissionless Settler contract which is explicitly flagged in their documentation as off-limits. MEV bots immediately swooped in to drain some $550K in various tokens from their fee-collection wallet in mere hours. The news is concerning as Coinbase is about to open up DEX trading to millions of its retail customers.

A special thanks to this week’s sponsor Coinspect.

Coinspect’s Wallet Security Ranking is an objective, transparent, and regularly updated evaluation of leading cryptocurrency wallets. It focuses on critical security features like anti-phishing defenses, transaction clarity, and protection against blind signing, helping users choose wallets that prioritize their safety.

Link: https://www.coinspect.com/wallets/

Let’s dive into the news!

News

• Kraken suspends Monero deposits after 51% attack.
• Hashrate Heist or Hype? by Rekt explores Qubit’s attack on the Monero chain.

Crime

• A deep dive into DPRK IT worker operation after a compromise of one of their machines thread by ZachXBT. 30+ identities including Upwork and LinkedIn accounts, extensive used of Google tools, wallets, telegram channels and plenty of other indicators. A treasure trove of intelligence!
• Meet Gerardo Salgado aka Tammy Hans (the old one) a DPRK IT Worker who infected himself with Contagious Interview malware a thread by Narcass3.
• Someone just dropped almost 1.4k email address list used by North Korean IT workers by StyyK.
• Crypto crasher Do Kwon admits guilt over failed not-so-stablecoin that erased $41 billion.
• Former Pump.fun Employee Pleads Guilty, Awaits Sentencing for $2 Million Solana Theft.
• Treasury Sanctions Cryptocurrency Exchange and Network Enabling Sanctions Evasion and Cyber Criminals. The target exchange, Grinex, is a rebrand of an earlier sanctioned Garantex exchange.
• XSS.IS Silenced! Inside the investigation that shut down one of cybercrime's most feared bazaars by Luca Stivali (Red Hot Cyber).
• U.S. seizes $2.8 million in crypto from Zeppelin ransomware operator.
• Italian Carabinieri Leverage Chainalysis to Dismantle Illicit Crypto Exchange. The report had an interesting note about Chainalysis writing custom bruteforcing scripts to help recover private keys from fragmented seed phrases.
• How Chainalysis Helped Uncover an NCA Officer’s Theft of Seized Bitcoin.
• Crypto Investors Accused of Kidnapping in Soho Townhouse. A bizarre kidnapping scheme fueled by crypto excess.
• Four people who ransomed Brazilian mother for Bitcoin arrested.

Phishing

• A detailed breakdown of a successful phishing attack using a malicious Cursor extension by zak.eth. Interestingly a similar Cursor extension bundled detailed notes on the malware campaign and expected revenues.
• $636k was lost to a poison address scam where a user sent 140 $ETH to a lookalike address a thread by Web3 Antivirus.
• North Korean Hackers Try to Get Hired at Binance Every Day—Here’s How They're Spotted.

Scams

• Fake Law Firms Targeting Crypto Scam Victims, FBI Warns.

Malware

• Crypto24 ransomware hits large orgs with custom EDR evasion tool.

Media

• bountyhunt3rz - Episode 23 - 0xjuann & 0xspearmint.
• Core Memory - How North Korea Infiltrated American Companies With Fake Tech Workers.
• 0xProfiles - Andy Li.

Research

• Crypto Asset Tracing Handbook by Slowmist.
• The Complete Guide to Securing Web3 Projects by Optimum.
• How to Hack a Web3 Wallet (Legally): A Full-Stack Pentesting Guide by 0xaudron (Valkyri).
• ScamDetect: Towards a Robust, Agnostic Framework to Uncover Threats in Smart Contracts.
• Beyond Zero Knowledge: How Fully Homomorphic Encryption Enables Private Shared State by Sam Wong (OpenZeppelin).
• Hunting Crits: Aragon's LockToVote Plugin • Ventral Digital by Patrick Drotleff (Ventral Digital).
• How AI-Powered Defense Stopped a $Millions Crypto Scam in Real-Time by Ninja_Dev.
• The Invariant Testing Bootcamp was added to the Recon Book.
• Top 15 Security Tips for BNB Chain Developers by Paul (Cantina).
• Safer Safe Explainer by DeFi Wonderland.
• How to Hack a Web3 Wallet (Legally): A Full-Stack Pentesting Guide by 0xaudron (Valkyri).

Tools

• Scrape Open Zeppelin Roles from any contract by Recon.
• Save 90% on Report Writing - Guaranteed or Your Money Back! Zero Cool is a new AI tool on the block for DeFi auditors.
• AWS Security Scanner by punishell. A tool to scan for AWS security misconfigurations using the AWS CLI and report issues by severity.

Hacks

Bebop

Date: August 12, 2025
Attack Vector: Function Parameter Validation
Impact: $20,000
Chain: Arbitrum

References:

https://x.com/SuplabsYi/status/1955230173365961128
https://x.com/SuplabsYi/status/1955601118891057517
https://docs.bebop.xyz/bebop/bebop-api-jam/jam-api-endpoints/manage-approvals

Odin Fun

Date: August 12, 2025
Attack Vector: Price Oracle Manipulation
Impact: $7,000,000
Chain: ICP

References:

https://x.com/ethers_security/status/1955591670202003887
https://x.com/PeckShieldAlert/status/1955457951558406332
https://x.com/BobBodily/status/1955303509341114444
https://www.quillaudits.com/blog/hack-analysis/how-odinfun-lost-58-3BTC-to-worthless-liquidity
https://drive.google.com/file/d/1dA3G7bbWkIINqbHK25rZnxA0UYYDO5eI/view
https://rekt.news/odin-fun-rekt

YULIAI

Date: August 13, 2025
Attack Vector: Price Oracle Manipulation
Impact: $78,800
Chain: BSC

References:

https://x.com/TenArmorAlert/status/1955817707808432584

Grizzifi

Date: August 13, 2025
Attack Vector: Reward Manipulation
Impact: $61,000
Chain: BSC

References:

https://x.com/TenArmorAlert/status/1955825401470578788

Coinbase Exchange

Date: August 13, 2025
Attack Vector: Forgotten approval
Impact: $550,000
Chain: Ethereum

References:

https://x.com/TenArmorAlert/status/1955830852182794602
https://x.com/deeberiroz/status/1955718986894549344
https://cryptoslate.com/coinbase-loses-300k-to-rogue-mev-bots-after-token-swap-blunder/
https://rekt.news/drained-by-design

BtcTurk Exchange

Date: August 14, 2025
Attack Vector: Hot Wallet Compromise
Impact: $49,000,000
Chain: Bitcoin, Ethereum

References:

https://x.com/CyversAlerts/status/1955967877602803929
https://x.com/peckshield/status/1955969912477749674
https://x.com/PeckShieldAlert/status/1955984860889408006
https://x.com/BtcTurkKripto/status/1955981988747198513
https://x.com/CertiKAlert/status/1956287719505608920
https://rekt.news/btcturk-rekt
https://therecord.media/turkish-crypto-exchange-warns-cyber-incident

Size Credit

Date: August 15, 2025
Attack Vector: Function Parameter Validation
Impact: $20,000
Chain: Ethereum

References:

https://x.com/SuplabsYi/status/1956306748073230785

Nevis Investment

Date: August 15, 2025
Attack Vector: Key/Signer Compromise
Impact: $3,000
Chain: BSC

References:

https://x.com/TikkalaResearch/status/1956417681030304217

D3X

Date: August 17, 2025
Attack Vector: Price Oracle Manipulation
Impact: $158,900
Chain: BSC

References:

https://x.com/TenArmorAlert/status/1957279788709671402
https://x.com/BlockSecTeam/status/1956661877473476962
https://x.com/SuplabsYi/status/1956695597546893598