BlockThreat - Week 38, 2025
NGP (New Gold Protocol), Scattered Spider, Shai-Hulud
Greetings!
Over $3M was stolen across three incidents this week, a relative breather compared to last week’s ecosystem pillaging. Let’s take the moment to shore up our defenses, dive into a strong set of research articles, and highlight some positive news.
A stage four cancer patient was drained of $32K after downloading a malicious Steam game. Fortunately, a group of security researchers noticed this absolutely appalling crime, got together to track down the malware operator, and enabled a prompt arrest with likely deportation. Interestingly, Valentin Lopez, aka “The Pope”, has been linked to the same cryptocurrency theft ring behind the $230M crypto heist last year. Every single person who played a role in uncovering the crime, coordinating the investigation, and bringing the operator to justice deserves enormous respect and admiration. You are true heroes!
The big lesson here is to separate your banking/crypto machine from a daily driver where you play games and interact on social media.
Amid all these stories of hacks, it’s worth highlighting the unsung heroes and sponsors of this week’s edition - ChainPatrol. The good folks at ChainPatrol are doing simply amazing work protecting protocols’ brands, fighting the barrage of X phishing attacks, and quickly taking down scammers before they can do real damage.

In other news, happy 30th anniversary of the movie Hackers!
Let’s dive into the news!
News
- ‘I Was a Weird Kid’: Jailhouse Confessions of a Teen Hacker article on Bloomberg covers Noah Urban, Scattered Spider, and a previously undisclosed Crypto.com hack.
- Self-Replicating Worm Hits 180+ Software Packages. Shai-Hulud malware continues its mass infection of developers and their NPM packages, including Crowdstrike, tinycolor, and others.
- One Token to rule them all - obtaining Global Admin in every Entra ID tenant via Actor tokens by Dirk-jan Mollema. Unrestricted access to all Azure accounts. What controls do you have to protect and monitor your cloud account?
- Lazarus Group project by the Security Alliance offers a massive collection of DPRK IT worker personas and a fun presentation.
- MetaMask Security Report: August 2025.
Crime
- Crypto scammer reported to ICE after stealing cancer patient’s treatment fund.
- United Kingdom National Charged in Connection with Multiple Cyber Attacks, Including on Critical Infrastructure and USA vs Thalha Jubair aka EarthtoStar document some of the wildest exploits of a Scattered Spider actor who stole $36M, including buying Uber Eats and Steam using ill-gotten funds and social engineering the US DoJ into looking up his sealed indictment. Interestingly, the bad actor was also involved in a video-recorded robbery just a few months ago.
- RCMP Busted TradeOgre: Canada’s Biggest Crypto Enforcement Yet. Interestingly, the RCMP chose to deliver the notice of fund seizure via an OP_RETURN message while seizing $40M. The enforcement action raised concerns over legitimate customers losing funds.
- Suspect in Coinbase hack kept data for more than 10,000 customers on her phone, court filing alleges.
- Crypto scammers allegedly tried to bribe X employees for account reinstatement.
- Bitcoin, beatings, and a billionaire’s vendetta: Georgia’s Bachiashvili case.
- FBI Asks SafeMoon Victims for Info Amid Restitution Efforts.
- Project Brazen links KuCoin to billions in pig butchering scams.
- Reported Physical Attacks On Bitcoin Holders Surge 169% This Semester.
- US hits Iran’s ‘shadow banking’ network in Hong Kong, UAE.
Policy
Phishing
- Scam/Phishing Alert: Fake GitHub Notification Email Impersonating Gitcoin Fund.
- 48% of Ethereum EIP-7702 uses linked to crime, says Wintermute.
- Crypto whale loses $6M to sneaky phishing scheme targeting staked Ethereum.
- DPRK Hackers Use ClickFix to Deliver BeaverTail Malware in Crypto Job Scams.
- A rare recording of a live scammer call and an impromptu interview by zak.eth.
- Someone lost $6.28M in stETH and aEthWBTC after signing multiple phishing “permit” signatures by Scam Sniffer.
- Report of a crypto phishing campaign using Booking by matta.
Malware
- WhiteCobra's Playbook Exposed: Critical Mistake Reveals 24-Extension Campaign Targeting VS Code and Cursor by Yuval Ronen (Koi Security).
- BlockBlasters: Infected Steam game downloads malware disguised as patch by Arvin Lauren Tan (G Data). This is the same malware used to steal $32K from the cancer patient discussed above. Additional indicators and victims.
Media
- Mixers, Bridges, and Dusting Attacks: An On-Chain Detective on Crypto Criminals’ Key Mistakes and video recording (Russian).
- Arbitrage Profits at Decentralized Exchanges by CBER Forum.
Contests
Research
- The Notorious Bug Digest #5: Post EIP-7702 Pitfalls, JIT Penalty Rebates, and Manipulation of Recursive Functions by OpenZeppelin.
- The Vulnerability Exposing Tangem Cards to Brute-Force Attacks by Donjon (Ledger).
- Threat Contained: marginfi Flash Loan Vulnerability by Felix Wilhelm (Asymmetric Research).
- How a Single Logic Slip in a Perp DEX Earned us a $50,000 Bounty by VulSight.
- Vulnerabilities in Liquity forks Part 1 and Part 2 by VulSight.
- Yo Protocol's Unseen Dangers: Why Code Audits Aren't Enough by Barış Parlan.
- Red Flags and Green Flags of Yield Bearing Stablecoins by Paweł Kuryłowicz (Composable Security).
- How the U.S. Traced $110M Crypto Money Laundering Cases by BlockSec.
- How to Manage Crypto Keys Without Losing Sleep by Oak Security.
- Building Our Own Post-Quantum FIDO Token by Ruben (Neodyme).
- Use mutation testing to find the bugs your tests don't catch by Guillermo Larregay (Trail of Bits).
- Kocher's Timing Attack: A Journey from Theory to Practice by Martín Ochoa (ZKSecurity).
- SlowMist Founder Cos Shares at HKU: Blockchain Security — Offense, Defense, and Practices.
- Finding Ways To Break Smart Contracts (Auditing: Part 2) by phil.
- Fellowship of Ethereum Magicians - A simple L2 security and finalization roadmap.
- Travel eSIMs secretly route traffic over Chinese and undisclosed networks: study.
- AP2 Transaction Security Model and Potential Risk Analysis by GoPlus Security.
- Sui Transaction Lifecycle by Wang Security.
- Evolving Supply Chain Attacks: Why dApps Avoided a Major Breach by Franco Riccobaldi (Coinspect).
- Who Got Rugged? by Rekt is a valuable lesson on the dangers of misconfigurations during deployments.
- EVM – Cosmos Convergence Research From Security Base Part 1, Part 2, and Part 3 by CertiK.
- ExDoS: Expert-Guided Dual-Focus Cross-Modal Distillation for Smart Contract Vulnerability Detection.
- SmartCoder-R1: Towards Secure and Explainable Smart Contract Generation with Security-Aware Group Relative Policy Optimization.
- Arguzz: Testing zkVMs for Soundness and Completeness Bugs.
- From Paradigm Shift to Audit Rift: Exploring Vulnerabilities and Audit Tips for TON Smart Contracts.
- How to Beat Nakamoto in the Race.
- Commit-Reveal$^2$: Securing Randomness Beacons with Randomized Reveal Order in Smart Contracts.
- Timestamp Manipulation: Timestamp-based Nakamoto-style Blockchains are Vulnerable.
- Automated Attack Synthesis for Constant Product Market Makers.
Tools
- Meet EDB - The first source-level smart contract debugger by William Cheung. Repo here. Additional demos.
- BlockSec Security Incidents Library.
- Snubb - Multichain Token Approval Scanner.
Hacks
LyraDepositWrapper
Date: September 16, 2025
Attack Vector: Function Parameter Validation
Impact: $1,000,000
Chain: Ethereum
References:
https://x.com/TenArmorAlert/status/1968138774551969874
Exploit:
https://etherscan.io/tx/0xc2bab117b6cb95e12c14eb57deb2cdd592370e2eb614e6d37502dea1480db0ba
Burnedfi
Date: September 16, 2025
Attack Vector: Price Oracle Manipulation
Impact: $150,000
Chain: BSC
References:
https://x.com/Phalcon_xyz/status/1968171129039933751
https://x.com/TenArmorAlert/status/1968136939292258688
https://x.com/TikkalaResearch/status/1967981494359752916
Exploit:
https://bscscan.com/tx/0xcc8e33332999c1df91a39ea780888e1ce5bd444c9ea37a5135c3221f1e1b9424
https://bscscan.com/tx/0x13d8d59b1a13c19229e00e2bd56bc503e4c271ea2d41f13f91f4f24176d87496
WET Token
Date: September 17, 2025
Attack Vector: Price Oracle Manipulation
Impact: $41,000
Chain: BSC
References:
https://x.com/TenArmorAlert/status/1968223320693686423
Exploit:
https://bscscan.com/tx/0xf92539acf7eadfd4a98925927a52af5349cb13c2a250908373a5baf8ea4b49ad
NGP (New Gold Protocol)
Date: September 17, 2025
Attack Vector: Price Oracle Manipulation
Impact: $2,000,000
Chain: BSC
References:
https://x.com/blockaid_/status/1968397977929515221
https://x.com/Phalcon_xyz/status/1968520529046016248
https://x.com/PeckShieldAlert/status/1968512105880977569
https://x.com/TenArmorAlert/status/1968502320645177731
https://x.com/BlockscopeCo/status/1968534754275565636
https://x.com/hklst4r/status/1968413473487868150
https://blog.solidityscan.com/ngp-token-hack-analysis-414b6ca16d96
https://quillaudits.medium.com/newgold-protocol-exploit-2m-lost-in-flash-loan-attack-9cbf971478e6
https://rekt.news/newgold-protocol-rekt
Attribution:
https://x.com/Whistleblowe007/status/1969180783161057315
Exploit:
https://bscscan.com/tx/0xc2066e0dff1a8a042057387d7356ad7ced76ab90904baa1e0b5ecbc2434df8e1