BlockThreat - Week 36, 2025
Bunni | Venus | OlaXBT | Nemo | Justin Sun | WLFI
Greetings!
More than $26M was stolen this week across six incidents, with the majority of losses coming from Bunni ($8.4M) and Venus ($13.5M) user compromises.
Let’s start with a more positive story this time. A user fell into DPRK’s trap after joining a compromised Zoom call, where a malicious client handed over control of their wallets. Normally this would have been yet another grim statistic, but not this time. The attacker’s greed and the swift response of Venus Protocol turned the tide. Within minutes, Venus hit the pause button, freezing the attacker in place while they were still holding the compromised collateral. A new governance proposal was initiated, approving a plan to force-liquidate the stolen funds in under 12 hours. The result was a full recovery and a rare happy ending to what is usually a disastrous story.
It’s rare to see novel exploit vectors in DeFi, but the Bunni V2 incident is unfortunately one such example. On September 2, 2025, the protocol lost $8.4M across Ethereum and Unichain due to a subtle flaw in its Liquidity Distribution Function (LDF) rebalancing logic. The mechanism was designed to round conservatively in favor of the protocol, but attackers discovered that by repeatedly forcing pool balances to extreme states (as little as 26 wei) they could accumulate tiny rounding advantages. Iterated over multiple cycles, those small discrepancies compounded into millions.
Amid all these stories of hacks, it’s worth highlighting the unsung heroes and sponsors of this week’s edition - ChainPatrol. The good folks at ChainPatrol are doing simply amazing work protecting protocols’ brands, fighting the barrage of X phishing attacks, and quickly taking down scammers before they can do real damage.

In other news, Justin Sun was caught red-handed moving massive amounts of WLFI tokens to exchanges and was promptly blacklisted for market manipulation by World Liberty Financial ($100 million total). Despite Sun’s pleas for leniency, mounting a case is tricky when you’re dealing with the U.S. president’s family.
Let’s dive into the news!
News
- Widespread Data Theft Targets Salesforce Instances via Salesloft Drift. Bad actors were able to access emails and other sensitive data from Google, Palo Alto, Cloudflare, Tenable, Qualys, Bugcrowd, PagerDuty, and many others.
- Eth.limo - Legal Update & Full Summary. Another victim of the Tornado Cash saga with costly legal proceedings, subpoenas, and courts.
- Paradigm’s Reth Client Bug Briefly Freezes Ethereum Mainnet Nodes.
- Ethereum Layer 2 Kinto shuts down in wake of $1.6 million July exploit.
- Coinbase thinks vibe-coding 50% of its platform is a good idea.
- Threat Intelligence Report: August 2025 by Anthropic. Includes details on the use of AI by DPRK IT workers and next generation of malware.
Crime
- Lawsuit alleges that Bitmain faked contract breaches.
- How North Korean hackers are using fake job offers to steal cryptocurrency.
- Arkham Finds $5B in Bitcoin Tied to Movie2K Still Unmoved Since 2019.
- French Police Detain Seven Following Latest Crypto Kidnap Attempt.
Phishing
- Phished Founder, Liquidated Thief by Rekt. A rollercoaster of a $13M theft and recovery through a swift governance action by Venus Protocol.
- Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms by Aleksandar Milenkoski (SentinelOne), Sreekar Madabushi (Validin) & Kenneth Kinion (Validin).
- Inside the Kimsuky Leak: How the “Kim” Dump Exposed North Korea’s Credential Theft Playbook by DomainTools.
- ScamSniffer August 2025 Phishing Report. $12M+ stolen.
- Reports of a virulent DPRK fake interview campaign using Willo by Tay.
- Hackers are using the ‘classic EIP-7702’ exploit to snatch WLFI.
- Dark Web Offers Exploits, AT&T Access, Ledger Scam Kit, and 100K Stolen Cards by SOC Radar.
- Profile 0xAstroBee (@AzurbalaMutant, 1148423802) a serial scammer by NFT_Dreww.eth
- I just got drained for $996,000 by Alexander Choi. The attack involved a series of fake founder calls related to Spark ecosystem.
Scams
- Billionaire Justin Sun begs Trump-backed World Liberty Financial to unfreeze $100 million crypto stash. More details on what happened.
- ZachXBT says over 100 crypto influencers accepted promo deals without disclosing paid ads.
Malware
- From PowerShell to Payload: Darktrace’s Detection of a Novel Cryptomining Malware by Darktrace.
- Malicious npm Packages Impersonate Flashbots SDKs, Targeting Ethereum Wallet Credentials by Kush Pandya (Socket).
- Ethereum smart contracts used to push malicious code on npm by Lucija Valentić (Reversing Labs).
Media
- Web3 Security Podcast - How to secure $70 billion in DeFi: Aave's approach to Web3 security with Ernesto Boado (BGD Labs)
- CBER Forum - A Structural Model of Automated Market Making with David Cao, Brett H. Falk, Leonid Kogan, Gerry Tsoukalas.
- CBER Forum - A Structural Analysis of MEV Boost Auctions with Mallesh Pai.
- bountyhunt3rz - Episode 25 - adrian hetman.
- Rekt - Episode 1 with Benjamin Samuels
Contests
- Wintermute Alpha Challenge write up by Drun.
Research
- Launching the Learn EVM Attacks Explorer by Lior Abadi (Coinspect). A curated collection of Foundry attack scripts from real world exploits, bug bounty reports, and theoretical vulnerabilities on EVM chains.
- Position Spoofing Post Mortem by Panoptic.
- The Dark Side of Upgrades: Uncovering Security Risks in Smart Contract Upgrades.
- Blockchain Forensics: Attribution Techniques and the Role of OSINT.
- Safer cold storage on Ethereum by Trail of Bits.
- “Vibe Hacking”: Abusing Developer Trust in Cursor and VS Code Remote Development by Calif.
- DevSecOops handbook by The Red Guild.
- Subverting code integrity checks to locally backdoor Signal, 1Password, Slack, and more by Darius Houle (Trail of Bits).
- Unraveling crypto crimes through blockchain tracing.
- Large Language Models for Cryptocurrency Transaction Analysis: A Bitcoin Case Study.
- KGBERT4Eth: A Feature-Complete Transformer Powered by Knowledge Graph for Multi-Task Ethereum Fraud Detection.
- LMAE4Eth: Generalizable and Robust Ethereum Fraud Detection by Exploring Transaction Semantics and Masked Graph Embedding.
- SoK: Root Cause of $1 Billion Loss in Smart Contract Real-World Attacks via a Systematic Literature Review of Vulnerabilities.
- Time Tells All: Deanonymization of Blockchain RPC Users with Zero Transaction Fee (Extended Version).
- Performance analysis of common browser extensions for cryptojacking detection.
- Interaction-Aware Vulnerability Detection in Smart Contract Bytecodes.
- TraceLLM: Security Diagnosis Through Traces and Smart Contracts in Ethereum.
- Token Risk Scanning for Traders: Glider Flags 20+ on-chain risks others miss by Hexens.
- DNS Security in Web3: Attacks & Monitoring Setup Explained by Chirag Agrawal.
Tools
- A step closer to isolation — devcontainer-wizard by The Red Guild.
- dApp Observatory by Coinspect. Track supply chain risks for popular web3 apps.
- Bridge WTF - cross-chain analytics dashboard.
Hacks
OlaXBT
Date: September 01, 2025
Attack Vector: Key/Signer Compromise
Impact: $2,000,000
Chain: Ethereum
References:
https://x.com/olaxbt_terminal/status/1962494096578420981
https://x.com/olaxbt_terminal/status/1962858131605835800
https://x.com/CertiKAlert/status/1962439772280094975
https://x.com/zeroshadow_io/status/1962565116576096605
Unkn_46cbe7
Date: September 01, 2025
Attack Vector: Insufficient Function Access Control
Impact: $88,900
Chain: Base
References:
https://x.com/TenArmorAlert/status/1962413608182128843
https://x.com/SuplabsYi/status/1962501887414190477
Exploit:
https://basescan.org/tx/0xdc6658ce341f5699915cf33ef5f4d3d6298c841f4c333d31543f6ec6ff8dd2ea
Bunni
Date: September 02, 2025
Attack Vector: Rounding Error
Impact: $8,400,000
Chain: Ethereum, Unichain
References:
https://x.com/phalcon_xyz/status/1962743751568433416
https://x.com/TenArmorAlert/status/1962766519391170988
https://x.com/CertiKAlert/status/1962755574283768308
https://x.com/CertiKAlert/status/1962782447931703548
https://x.com/hackenclub/status/1962768341367390643
https://x.com/bunni_xyz/status/1962833866277744953
https://x.com/bunni_xyz/status/1962773674634756450
https://rekt.news/bunni-rekt
https://blog.bunni.xyz/posts/exploit-post-mortem/
https://protos.com/uniswap-hook-bunni-hacked-for-over-8m-after-precision-bug-exploited/
Exploit gist by giovannidisiena
https://quillaudits.medium.com/bunni-v2-exploit-8-3m-drained-50acbdcd9e7b
https://x.com/vutran54/status/1962770733769367780
https://x.com/1zaqk1/status/1962775495184977956
Exploit:
https://etherscan.io/tx/0x1c27c4d625429acfc0f97e466eda725fd09ebdc77550e529ba4cbdbc33beb97b
https://uniscan.xyz/tx/0x4776f31156501dd456664cd3c91662ac8acc78358b9d4fd79337211eb6a1d451
Venus User
Date: September 02, 2025
Attack Vector: Approval Phishing
Impact: $13,500,000
Chain: BSC
References:
https://x.com/PeckShieldAlert/status/1962844096856568262
https://x.com/BlockscopeCo/status/1962915846688321973
https://x.com/VenusProtocol/status/1962856368832192556
https://slowmist.medium.com/slowmist-in-depth-analysis-of-the-13-million-venus-user-hack-13f35287a743
https://rekt.news/phished-founder-liquidated-thief
https://x.com/VenusProtocol/status/1963251755543839227
https://x.com/KuanSun1990/status/1963568732917113141
Recovery:
https://x.com/PeckShieldAlert/status/1962909410436452800
https://snapshot.box/#/s:venus-xvs.eth/proposal/0x140da3dcb6dc711429700443d3b9f1def51eaae3b791f8b774664676f418a132
https://www.theblock.co/post/369040/venus-protocol-pauses-after-user-loses-27-million-in-suspected-phishing-attack
https://cointelegraph.com/news/venus-protocol-recovers-13-5m-stolen-phishing-attack
https://x.com/peckshield/status/1963031758347370608
https://bscscan.com/tx/0xee9928b8d1a212f4d7b7e9dca97598394005a7b8fef56856e52351bc7921be43
Exploit:
https://bscscan.com/tx/0x75eee705a234bf047050140197aeb9616418435688cfed4d072be75fcb9be0e2
https://bscscan.com/tx/0xbc9820b11c8358abaa2c6de212d3401007e5e109fafa80cf3fa220ad58cf7b81
E2X
Date: September 04, 2025
Attack Vector: Reward Manipulation
Impact: $38,000
Chain: Ethereum
References:
https://x.com/CertikAIAgent/status/1963788894098596149
Exploit:
https://etherscan.io/tx/0x04f4c2b4c21f8abe17024e93c1afd00072002ba7957a8bf6301cea9eb87ee401
Nemo Protocol
Date: September 07, 2025
Attack Vector: Price Oracle Manipulation
Impact: $2,400,000
Chain: Sui
References:
https://x.com/peckshieldalert/status/1964936862566592938
https://x.com/nemoprotocol/status/1964996522052911603
https://x.com/exvulsec/status/1964968239311765780
Exploit: