BlockThreat - Week 34, 2025
The Com | EIP-1967 | iOS | North Korea
Greetings!
About $91.4M was stolen across 12 incidents this week, with the majority of losses stemming from a single phishing attack against a user who fell victim to an impersonated exchange and wallet support. Hopefully these bad actors meet the same fate as their predecessors who tried similar tactics exactly a year ago.
Meanwhile, it looks like someone has taken notes from the recent EIP-1967 proxy hijacking spree and is now actively hijacking contracts on Base. A reminder to always initialize contracts atomically in the same transaction as the create.
Woo X published a detailed post-mortem on the July 24 incident, detailing how Lazarus compromised a developer machine and moved laterally through the environment before draining $14M from nine user accounts. It’s a useful case study for building stronger threat models and defenses.
And speaking of threat models, a new iOS 0day is being actively exploited against select users. Combined with the recently posted $20M bounty for zero-click mobile exploits, this should be on your radar, especially if you rely on managed wallet infrastructure. What additional defensive layers can you add to ensure you sleep well at night, even if a signer or two is compromised?
A special thanks to this week’s sponsor Coinspect.

Coinspect’s Wallet Security Ranking is an objective, transparent, and regularly updated evaluation of leading cryptocurrency wallets. It focuses on critical security features like anti-phishing defenses, transaction clarity, and protection against blind signing, helping users choose wallets that prioritize their safety.
Link: https://www.coinspect.com/wallets/
Let’s dive into the news!
News
- Secret Backdoor: SEAL Issues Advisory on Domain Hijackings. Please don’t expose your users by using easy-to-hijack “discount” registrars.
- New zero-day startup offers $20 million for tools that can hack any smartphone. Consider the listed price in your threat model. Would an attacker spend $20M to gain access to a few of your multisig signers’ phones or laptops?
- Apple Patches CVE-2025-43300 Zero-Day in iOS, iPadOS, and macOS Exploited in Targeted Attacks. The exploit requires no user interaction, triggered simply by sending a specially crafted image to a vulnerable device.
- DOM-Based Extension Clickjacking Exposes Popular Password Managers to Credential and Data Theft.
- Mid-Year 2025 Crypto Crime Report by Blockscope Research.
- U.S. Government Wallet Adds $332,000 Ether From Coinbase After DeFi Hack Seizure. Funds are tied to the massive $57M compromise of Uranium Finance back in 2021.
- Qubic community, Monero’s 51% attacker, votes to target Dogecoin next. That one is going to be tricky since Dogecoin benefits from Litecoin’s merge mining, so the latter would become a target as well.
- Trillion Dollar Security - Phase 2. The next phase of Ethereum Foundation’s effort to secure the ecosystem starting with UX and wallet related threats. One such effort is Walletbeat, a wallet security ranking directory.
- Crypto security firm Kerberus acquires Pocket Universe, an anti-fraud browser extension for Ethereum and Solana wallets.
Crime
- APT Down - The North Korea Files by Saber and cyb0rg featured in Phrack 72. Yet another leak and a deep dive into the toolbox of a North Korean threat actor, including analysis of backdoors, rootkits, access, etc.
- Scattered Spider Hacker Gets 10 Years, $13M Restitution for SIM Swapping Crypto Theft.
- African authorities dismantle massive cybercrime and fraud networks, recover millions. Operation Serengeti 2.0 targeted illegal crypto mining centers among other criminal enterprises.
- US bill proposes 21st-century privateers to take on cybercrime.
- Kroll faces class-action suit as FTX creditors allege daily scam emails.
- Justice Department Announces Seizure of Over $2.8 Million in Cryptocurrency, Cash, and other Assets. The seizure comes from the operator of Zeppelin ransomware who was trying to launder funds through the recently seized ChipMixer.
- Legislated Sanctions Evasion: How the Garantex Rebrand, Grinex, and the Ruble-Backed Token, A7A5 Have Shaped Russia’s Shadow Crypto Economy by Chainalysis.
- Judge orders $228 million penalty for NY man who used investor funds for luxury cars in crypto trading fraud.
- Scammer Poses as UK Police, Steals $2.8M in Bitcoin From Hardware Wallet.
Policy
Phishing
- On Aug 19, 2025, a victim fell for a social engineering scam and lost 783 BTC ($91M) after exchange and hardware wallet customer support were impersonated.
- Someone lost ~$1.54M due to signing EIP-7702 phishing batch transactions by Scam Sniffer.
- $582K Stolen from Two Wallets Over the Weekend using silent approvals by Web3 Antivirus.
- Invisible Prompts by Rekt. Fake extensions, prompt injections, supply chain compromises and other perils of the brave new AI world.
- Reports of a malicious VSCode Cursor AI extension campaign targeting cryptocurrency holders by vx-underground.
- Threat Intelligence: Clickfix Phishing Attack by SlowMist.
Scams
- At least 94% of the new Kanye token is insider owned - 87% of the new Kanye token was owned by a single multisig (now dispersed to multiple wallets) by Conor (Coinbase).
- As he builds US power, Justin Sun fights to control his story by Molly White (Citation Needed).
Malware
- The Ghost in the Machine: The Complete Dossier on TA-NATALSTATUS and the Cryptojacking Turf War by Abhishek Mathew (CloudSEK).
- DNSFilter Research Finds Bad Actors Using Fake CAPTCHAs for Malware Attempts by DNSFilter.
- Infostealer targets Russian crypto developers by Paul McCarty (Safety).
Media
- The Web3 Security Podcast - Security lessons from the oldest bug bounty program w/ Fredrik Svantes (Ethereum Foundation).
Research
- Why does Safe (Gnosis Safe) initialization emit two Upgraded() events with different implementation addresses when initializing a proxy token contract. The story of yet another proxy hijacking campaign now on Base.
- How does the EVM dispatch smart contract functions? by Trash Pirate.
- Pectra's Impact On Smart Contract Security by Toon Van Hove (Sigma Prime).
- Weaponizing image scaling against production AI systems by Kikimora Morozova, Suha Sabi Hussain (Trail of Bits). Not strictly web3 but interesting nonetheless.
- The solution to crypto’s Lazarus problem could be simpler than expected. Guardian nodes with a timelock allow good actors to cancel a malicious proposal before it is executed.
- You’re Probably Using WebViews Wrong: Common Security Pitfalls for Mobile Developers by Bryce and Philip (Zellic).
- Move for Solidity Developers IV: Cross-Contract Call by CertiK.
- Emergency EIP-7702 Wallet Recovery by Bahador Gh.
- Ethereum Crypto Wallets under Address Poisoning: How Usable and Secure Are They?
Tools
- Echidna Enters a New Era of Symbolic Execution by Gustavo Grieco.
- Open-sourcing Wake AI: the first structured framework for AI-driven security analysis by Wake Framework (Ackee).
- Walletbus: Connect a shell terminal to your browser for web3 wallets like MetaMask.
- VSDeer - Extension Security Scanner for VS Code, Cursor & Windsurf.
Hacks
Unkn_664201
Date: August 18, 2025
Attack Vector: Reward Manipulation
Impact: $3,000
Chain: BSC
References:
https://x.com/TikkalaResearch/status/1957500585965678828
Exploit:
https://bscscan.com/tx/0x81fd00eab3434eac93bfdf919400ae5ca280acd891f95f47691bbe3cbf6f05a5
User_20250819
Date: August 19, 2025
Attack Vector: Spear Phishing
Impact: $91,000,000
Chain: Bitcoin
References:
https://x.com/zachxbt/status/1958583129356345414
Exploit:
Wall Street Pepe (WEPE)
Date: August 19, 2025
Attack Vector: Price Oracle Manipulation
Impact: $10,000
Chain: Ethereum
References:
https://x.com/TikkalaResearch/status/1957954884717994175
https://x.com/Phalcon_xyz/status/1957693394089882056
Exploit:
https://etherscan.io/tx/0x0ef0cde3d8348fdced3adf7d0475ec1364236dd6ab1d8580addad96b004b604a
Puffer Finance
Date: August 19, 2025
Attack Vector: DNS Hijacking
Impact: Assets Stolen
References:
https://x.com/CertiKAlert/status/1957989825392570466
https://x.com/AmirOnchain/status/1957917871553802735
https://x.com/AmirOnchain/status/1958055561343431067
Exploit:
AIF
Date: August 20, 2025
Attack Vector: Reward Manipulation
Impact: $98,000
Chain: BSC
References:
https://x.com/TenArmorAlert/status/1958353552390180870
Exploit:
https://bscscan.com/tx/0xff29f5adb8932591d4f53356e2f8200503b12fef84f105f0ae3954e713bb8d31
Unkn_8d2ef0
Date: August 20, 2025
Attack Vector: Insufficient Function Access Control
Impact: $39,991
Chain: Base
References:
https://x.com/TenArmorAlert/status/1958354933247590450
Exploit:
https://basescan.org/tx/0x6be0c4b5414883a933639c136971026977df4737b061f864a4a04e4bd7f07106
https://bscscan.com/tx/0xed6fd61c1eb2858a1594616ddebaa414ad3b732dcdb26ac7833b46803c5c18db
Titan Token
Date: August 21, 2025
Attack Vector: Uninitialized Contract
Impact: Assets Stolen
Chain: Base
References:
Exploit:
https://basescan.org/tx/0xc3a64d18ee2b0e848275483e1efa5d552a8bc5297a1c37d9c4596c88c7119db7
Equilibria
Date: August 23, 2025
Attack Vector: Reward Manipulation
Impact: $64,000
Chain: Ethereum
References:
https://x.com/TikkalaResearch/status/1959472873954767298
https://x.com/TenArmorAlert/status/1959455608584757551
https://x.com/SuplabsYi/status/1959219451972469168
Exploit:
https://etherscan.io/tx/0x185a16017fb4d9b2fefdf5935435253d53d4758238275426b507fe54eb4fe97a
https://etherscan.io/tx/0x45047ffa6d8f380b9914053b3fbcc6333422b4ccd7bb6ac829a6c39637aa090f
ABCCApp
Date: August 24, 2025
Attack Vector: Insufficient Function Access Control
Impact: $10,000
Chain: BSC
References:
https://x.com/CertikAIAgent/status/1959804598350483925
https://x.com/TenArmorAlert/status/1959457212914352530
Exploit:
https://bscscan.com/tx/0xee4eae6f70a6894c09fda645fb24ab841e9847a788b1b2e8cb9cc50c1866fb12
ShibaSwap
Date: August 24, 2025
Attack Vector: Price Oracle Manipulation
Impact: $27,000
Chain: Ethereum
References:
https://x.com/TenArmorAlert/status/1959805512184140043
Exploit:
https://etherscan.io/tx/0xc5a388c3d94bdba3a2184f558c85d079aeaf2fbe5604bae07e96433a1a9ef188
https://etherscan.io/tx/0x5c17e81b5b976cff66933bc4082ac3e9b21355a455d1864ae5f8ce6d069ea8e7
https://etherscan.io/tx/0x18d9f84e106e26bdfe849ec7034a839b51cca715c84e380727d513276fea8fed
HMS
Date: August 24, 2025
Attack Vector: Price Oracle Manipulation
Impact: $94,600
Chain: BSC
References:
https://x.com/TenArmorAlert/status/1959822744884814118
Exploit:
https://bscscan.com/tx/0x8a680365a2bc0a416b45eaddf9ba56582ef5a96acd0cb14cee0b68cfb20e127e
Unkn_5a46c6
Date: August 24, 2025
Attack Vector: Reward Manipulation
Impact: $85,000
Chain: BSC
References:
https://x.com/Phalcon_xyz/status/1959825233453650293
Exploit:
https://bscscan.com/tx/0x8a7c96521ac64fc33d8d8ceecdea9c1da9c72148c4399905c38a07ee47c3f36f
https://bscscan.com/tx/0x089e37fc8d51a16e4cf1865a5c2ad75ea0c06e50f3e43beb7368706f852f44fc