BlockThreat - Week 35, 2025

Greetings!

Almost $5.5M was stolen this week across five incidents. Better Bank suffered a $5M exploit that abused a flaw in its reward mechanism when interacting with fake liquidity pools. Cozy Finance lost $427K in a single case by allowing redemptions without properly verifying source addresses.

Beyond the exploits, the week also underscored the resilience of the ecosystem through the efforts of whitehats and bug bounty programs. Panoptic conducted a whitehat rescue with support from Cantina and SEAL911, while Eigenlayer deployed an emergency patch after a critical bug was disclosed via Immunefi.

On the phishing front, we saw early signs of emerging attack vectors as wallets begin integrating with social media apps and agentic browsers. These trends will open new avenues for exploitation, but also give defenders a chance to start preparing countermeasures today.

A special thanks to this week’s sponsor Coinspect.

Coinspect’s Wallet Security Ranking is an objective, transparent, and regularly updated evaluation of leading cryptocurrency wallets. It focuses on critical security features like anti-phishing defenses, transaction clarity, and protection against blind signing, helping users choose wallets that prioritize their safety.

Link: https://www.coinspect.com/wallets/

Let’s dive into the news!

News

• Panoptic protocol performed a whitehat rescue operation with support from Cantina and SEAL911 across three chains.
• Eigenlayer deployed an emergency patch for EigenPods after a critical bug was responsibly disclosed through Immunefi.
• Bitcoin Core devs think it would be easy, and funny, to attack Knots.
• El Salvador splits bitcoin holdings between 14 addresses to ‘enhance security’ against quantum threats.
• WhatsApp fixes ‘zero-click’ bug used to hack Apple users with spyware.

Crime

• Thai authorities apprehend crypto criminal linked to Phuket crypto heist.
• Ghanaian fraudsters arrested for BEC/Sakawa.
• Inside the Kimsuky APT Leak: Stolen GPKI Certificates, Rootkits, and a Personalized Cobalt Strike from North Korea’s Cyber Unit by Foresiet.
• Treasury Sanctions Fraud Network Funding DPRK Weapons Programs. OFAC sanctions targets the sprawling network of DPRK IT workers including a Russian national who facilitated payments to the regime.
• South Korea Busts Hacking Syndicate After Multi-Million Dollar Crypto Losses.
• Crypto thief earns additional prison time for assaulting witness. Remy Ra St Felix was previously sentenced to 47 years for a series of violent assaults on crypto owners.
• 14 sentenced to life imprisonment in Indian bitcoin extortion case, including 11 police officers.

Policy

• DeFi Education Fund Gathers Largest Industry Coalition To Protect Developers.
• Fork in the Code by Rekt examines digital identities and government oversight proposal by U.S. Treasury.

Phishing

• Reports of a more instances compromised TG accounts inviting victims to fake podcasts with a malware laden form.
• Fake Binance messages and calls are making the rounds again.
• The Vanishing Sandbox: Wallets Inside Social Apps Invite New Attacks by Coinspect Security.
• Agentic Browser Security: Indirect Prompt Injection in Perplexity Comet by Brave.

Scams

• I just got scammed for $1.25 million by Erik Bergman. A story of fake oil wells in Africa, celebrities, and an urgent coin investment.

Malware

• Nx Package Compromise: Malware Creates ‘s1ngularity-repository’ to Steal Secrets by Ossprey Security.
• ShadowCaptcha Exploits WordPress Sites to Spread Ransomware, Info Stealers, and Crypto Miners.
• Finding Malware: DIRTYBULK and Friends - USB Infections To Fuel Cybercriminal Coinmining Operations by Michelle Morales (Google Cloud).

Media

• Web3 Security Podcast - Polygon's 13-Step Multisig Process Protecting Billions with Chris von Hessert.
• bountyhunt3rz - Episode 24 - josselin feist.
• DSS Webinar - Automation Security with Brahma, CoW Swap & Mimic.

Research

• Bybit exploit six months on: Novel laundering tactics, techniques and procedures and the looming threat of DPRK by Elliptic.
• The Economics of MEV in Cross-Chain Bridge Exploits: A Game-Theoretic Analysis by Gareth Larkan (Sigma Prime).
• A Developer’s Guide to Building Safe Noir Circuits by Felix Wegener (OpenZeppelin).
• Implement EIP-7730 today by Coriolan Pinhas (Trail of Bits). Practical solutions for blind signing and multisig hijack attacks.
• Which fuzzer should you use? by 0xScourgedev shares a guide on pros and cons of different fuzzing approaches.
• How to Recover Your Browser Wallet Extension from a Sudden Failure? by Lisa and Aro (SlowMist).
• How Ethereum address are derived (EOAs, CREATE, and CREATE2) by RareSkills.
• EIP-7702: A New Era in Account Abstraction by QuillAudits.
• MoveScanner: Analysis of Security Risks of Move Smart Contracts.
• Blockchain Security Risk Assessment in Quantum Era, Migration Strategies and Proactive Defense.
• Smart Contract Intent Detection with Pre-trained Programming Language Model.
• BridgeShield: Enhancing Security for Cross-chain Bridge Applications via Heterogeneous Graph Mining.

Tools

• Web3 Vulnerabilities Repository by Lyuboslav Lyubenov. A comprehensive collection of clustered smart contract vulnerabilities discovered through security audits, organized by severity and frequency of occurrence. 29k+ unique vulnerabilities across 461 clusters ranked by frequency of occurence.
• Hound by Bernhard Mueller is a a security audit automation pipeline for AI-assisted code review that mirrors how expert auditors think, learn, and collaborate. See Unleashing the Hound: How AI Agents Find Deep Logic Bugs in Any Codebase for additional details.
• ScaBench: Smart Contract Audit Benchmark by Bernhard Mueller. A comprehensive framework for evaluating security analysis tools and AI agents on real-world smart contract vulnerabilities. ScaBench provides curated datasets from recent audits and official tooling for consistent evaluation.
• EvmCast - Foundry Cast in your browser. Execute blockchain commands, query contracts, and interact with EVM networks directly from a web terminal.
• Osiris Lite by Enigma Dark is a clean, plug and play CLI tool for managing remote fuzzing jobs. More details here.
• Halmos Log Parser automatically convert Halmos Tests into Foundry Repros.
• Solana Indexer CLI - A powerful command-line tool for real-time Solana blockchain monitoring, account tracking, and data indexing with advanced caching and gRPC streaming capabilities by senzenn.
• EvmTools - essential blockchain development tools for Ethereum and EVM-compatible networks.

Hacks

Better Bank

Date: August 26, 2025
Attack Vector: Reward Manipulation
Impact: $5,000,000 (Recovered $2,700,000)
Chain: Pulse

References:

https://x.com/CertiKAlert/status/1960512848171557018
https://x.com/shoucccc/status/1960534610485633369
https://x.com/CertiKAlert/status/1960693173589569978
https://x.com/BetterBank_io/status/1960409389627793474 https://x.com/BetterBank_io/status/1960661185226744109
https://rekt.news/betterbank-rekt

Unkn_f340bd

Date: August 27, 2025
Attack Vector: Insufficient Function Access Control
Impact: $4,000
Chain: Ethereum

References:

https://t.me/defimon_alerts/1733

Cozy Finance

Date: August 29, 2025
Attack Vector: Insufficient Function Access Control
Impact: $427,000
Chain: Optimism

References:

https://x.com/DecurityHQ/status/1961810726164533602

Hexotic

Date: August 31, 2025
Attack Vector: Function Parameter Validation
Impact: $500
Chain: Ethereum

References:

https://t.me/defimon_alerts/1757