BlockThreat - Week 34, 2025

Greetings!

About $91.4M was stolen across 12 incidents this week, with the majority of losses stemming from a single phishing attack against a user who fell victim to an impersonated exchange and wallet support. Hopefully these bad actors meet the same fate as their predecessors who tried similar tactics exactly a year ago.

Meanwhile, it looks like someone has taken notes from the recent EIP-1967 proxy hijacking spree and is now actively hijacking contracts on Base. A reminder to always initialize contracts atomically in the same transaction as the create.

Woo X published a detailed post-mortem on the July 24 incident, detailing how Lazarus compromised a developer machine and moved laterally through the environment before draining $14M from nine user accounts. It’s a useful case study for building stronger threat models and defenses.

And speaking of threat models, a new iOS 0day is being actively exploited against select users. Combined with the recently posted $20M bounty for zero-click mobile exploits, this should be on your radar especially if you rely on managed wallet infrastructure. What additional defensive layers can you add to ensure you sleep well at night, even if a signer or two is compromised?

A special thanks to this week’s sponsor Coinspect.

Coinspect’s Wallet Security Ranking is an objective, transparent, and regularly updated evaluation of leading cryptocurrency wallets. It focuses on critical security features like anti-phishing defenses, transaction clarity, and protection against blind signing, helping users choose wallets that prioritize their safety.

Link: https://www.coinspect.com/wallets/

Let’s dive into the news!

News

• Secret Backdoor: SEAL Issues Advisory on Domain Hijackings. Please don’t expose your users by using easy to hijack “discount” registrars.
• New zero-day startup offers $20 million for tools that can hack any smartphone. Consider listed price in your threat model. Would an attacker spend $20M to gain access to a few of your multisig signers’ phones or laptops?
• Apple Patches CVE-2025-43300 Zero-Day in iOS, iPadOS, and macOS Exploited in Targeted Attacks. The exploit requires no user interaction, triggered simply by sending a specially crafted image to a vulnerable device.
• DOM-Based Extension Clickjacking Exposes Popular Password Managers to Credential and Data Theft.
• Mid-Year 2025 Crypto Crime Report by Blockscope Research.
• U.S. Government Wallet Adds $332,000 Ether From Coinbase After DeFi Hack Seizure. Funds are tied to the massive $57M compromise of Uranium Finance back in 2021.
• Qubic community, Monero’s 51% attacker, votes to target Dogecoin next. That one is going to be tricky since Dogecoin benefits from Litecoin’s merge mining so the latter would become a target as well.
• Trillion Dollar Security - Phase 2. The next phase of Ethereum Foundation’s effort to secure the ecosystem starting with UX and wallet related threats. One such effort is Walletbeat, a wallet security ranking directory.
• Crypto security firm Kerberus acquires Pocket Universe, an anti-fraud browser extension for Ethereum and Solana wallets.

Crime

• APT Down - The North Korea Files by Saber and cyb0rg featured in Phrack 72. Yet another leak and a deep dive into a toolbox of a North Korean threat actor including analysis of backdoors, rootkits, access, etc.
• Scattered Spider Hacker Gets 10 Years, $13M Restitution for SIM Swapping Crypto Theft.
• African authorities dismantle massive cybercrime and fraud networks, recover millions. Operation Serengeti 2.0 targeted illegal crypto mining centers among other criminal enterprises.
• US bill proposes 21st-century privateers to take on cybercrime.
• Kroll faces class-action suit as FTX creditors allege daily scam emails.
• Justice Department Announces Seizure of Over $2.8 Million in Cryptocurrency, Cash, and other Assets. The seizure comes from the operator of Zeppelin ransomware who was trying to launder funds through the recently seized ChipMixer.
• Legislated Sanctions Evasion: How the Garantex Rebrand, Grinex, and the Ruble-Backed Token, A7A5 Have Shaped Russia’s Shadow Crypto Economy by Chainalysis.
• Judge orders $228 million penalty for NY man who used investor funds for luxury cars in crypto trading fraud.
• Scammer Poses as UK Police, Steals $2.8M in Bitcoin From Hardware Wallet.

Policy

• ‘Writing code without ill intent is not a crime,’ says US DOJ official following Tornado Cash verdict.

Phishing

• On Aug 19, 2025 a victim fell for a social engineering scam and lost 783 BTC ($91M) after exchange and hardware wallet customer support were impersonated.
• Someone lost ~$1.54M due to signing EIP-7702 phishing batch transactions by Scam Sniffer.
• $582K Stolen from Two Wallets Over the Weekend using silent approvals by Web3 Antivirus.
• Invisible Prompts by Rekt. Fake extensions, prompt injections, supply chain compromises and other perils of the brave new AI world.
• Reports of a malicious VSCode Cursor AI extension campaign targeting cryptocurrency holders by vx-underground.
• Threat Intelligence: Clickfix Phishing Attack by SlowMist.

Scams

• At least 94% of the new Kanye token is insider owned -87% of the new Kanye token was owned by a single multisig (now dispersed to multiple wallets) by Conor (Coinbase).
• As he builds US power, Justin Sun fights to control his story by Molly White (Citation Needed).

Malware

• The Ghost in the Machine: The Complete Dossier on TA-NATALSTATUS and the Cryptojacking Turf War by Abhishek Mathew (CloudSEK).
• DNSFilter Research Finds Bad Actors Using Fake CAPTCHAs for Malware Attempts by DNSFilter.
• Infostealer targets Russian crypto developers by Paul McCarty (Safety).

Media

• The Web3 Security Podcast - Security lessons from the oldest bug bounty program w/ Fredrik Svantes (Ethereum Foundation).

Research

• Why does Safe (Gnosis Safe) initialization emit two Upgraded() events with different implementation addresses when initializing a proxy token contract. The story of yet another proxy hijacking campaign now on Base.
• How does the EVM dispatch smart contract functions? by Trash Pirate.
• Pectra's Impact On Smart Contract Security by Toon Van Hove (Sigma Prime).
• Weaponizing image scaling against production AI systems by Kikimora Morozova, Suha Sabi Hussain (Trail of Bits). Not strictly web3 but interesting nonetheless.
• The solution to crypto’s Lazarus problem could be simpler than expected. Guardian nodes with a timelock allows good actors to cancel a malicious proposal before it is executed.
• You’re Probably Using WebViews Wrong: Common Security Pitfalls for Mobile Developers by Bryce and Philip (Zellic).
• Move for Solidity Developers IV: Cross-Contract Call by CertiK.
• Emergency EIP-7702 Wallet Recovery by Bahador Gh.
• Ethereum Crypto Wallets under Address Poisoning: How Usable and Secure Are They?.

Tools

• Echidna Enters a New Era of Symbolic Execution by Gustavo Grieco.
• Open-sourcing Wake AI: the first structured framework for AI-driven security analysis by Wake Framework (Ackee).
• Walletbus: Connect shell terminal to your browser for web3 wallets like metamask.
• VSDeer - Extension Security Scanner for VS Code, Cursor & Windsurf.

Hacks

Unkn_664201

Date: August 18, 2025
Attack Vector: Reward Manipulation
Impact: $3,000
Chain: BSC

References:

https://x.com/TikkalaResearch/status/1957500585965678828

User_20250819

Date: August 19, 2025
Attack Vector: Spear Phishing
Impact: $91,000,000
Chain: Bitcoin

References:

https://x.com/zachxbt/status/1958583129356345414

Wall Street Pepe (WEPE)

Date: August 19, 2025
Attack Vector: Price Oracle Manipulation
Impact: $10,000
Chain: Ethereum

References:

https://x.com/TikkalaResearch/status/1957954884717994175
https://x.com/Phalcon_xyz/status/1957693394089882056

Puffer Finance

Date: August 19, 2025
Attack Vector: DNS Hijacking
Impact: Assets Stolen

References:

https://x.com/CertiKAlert/status/1957989825392570466
https://x.com/AmirOnchain/status/1957917871553802735
https://x.com/AmirOnchain/status/1958055561343431067

AIF

Date: August 20, 2025
Attack Vector: Reward Manipulation
Impact: $98,000
Chain: BSC

References:

https://x.com/TenArmorAlert/status/1958353552390180870

Unkn_8d2ef0

Date: August 20, 2025
Attack Vector: Insufficient Function Access Control
Impact: $39,991
Chain: Base

References:

https://x.com/TenArmorAlert/status/1958354933247590450

Titan Token

Date: August 21, 2025
Attack Vector: Uninitialized Contract
Impact: Assets Stolen
Chain: Base

References:

https://ethereum.stackexchange.com/questions/170516/why-does-safe-gnosis-safe-initialization-emit-two-upgraded-events-with-diffe

Equilibria

Date: August 23, 2025
Attack Vector: Reward Manipulation
Impact: $64,000
Chain: Ethereum

References:

https://x.com/TikkalaResearch/status/1959472873954767298
https://x.com/TenArmorAlert/status/1959455608584757551
https://x.com/SuplabsYi/status/1959219451972469168

ABCCApp

Date: August 24, 2025
Attack Vector: Insufficient Function Access Control
Impact: $10,000
Chain: BSC

References:

https://x.com/CertikAIAgent/status/1959804598350483925
https://x.com/TenArmorAlert/status/1959457212914352530

ShibaSwap

Date: August 24, 2025
Attack Vector: Price Oracle Manipulation
Impact: $27,000
Chain: Ethereum

References:

https://x.com/TenArmorAlert/status/1959805512184140043

HMS

Date: August 24, 2025
Attack Vector: Price Oracle Manipulation
Impact: $94,600
Chain: BSC

References:

https://x.com/TenArmorAlert/status/1959822744884814118

Unkn_5a46c6

Date: August 24, 2025
Attack Vector: Reward Manipulation
Impact: $85,000
Chain: BSC

References:

https://x.com/Phalcon_xyz/status/1959825233453650293