BlockThreat - Week 39, 2025
UXLINK | Griffin AI | Hyperdrive | Linea | Seedify | Ideal Protocol | dTrinity | Cool
Greetings!
This week felt like a bucket of cold water after last week’s relative calm. More than $51M was stolen across 10 incidents, many of them entirely preventable had projects paid closer attention to the well-known attack vectors that threat actors continue to exploit time and time again.
The most severe incident this week was the multisig hijacking of UXLINK, where attackers stole a massive $44.4M after taking control of the project’s contracts across multiple chains. The multisig had been configured with a 2/x threshold but lacked basic safeguards such as guardians, timelocks, or any kind of governance review process. On September 22, the attackers exploited this weak setup to reassign themselves as owners with a threshold of 1 and proceeded to pillage the protocol.
In an ironic twist, the attackers themselves later fell victim to an Inferno Drainer attack, losing 542M freshly stolen UXLINK. No honor among thieves, indeed.
Some critical lessons from the compromise:
- Avoid weak thresholds. A 2/x setup is far too low. For anything beyond a few hundred thousand dollars, raise the threshold to at least 5/x.
- Add timelocks. There’s no reason to allow immediate upgrades or parameter changes on multisigs. A multi-day timelock provides a critical buffer to detect and stop malicious activity.
- Use guardians. Guardians serve as the last line of defense, even if all core developers are compromised and a malicious transaction is about to be executed.
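A toy model of the three safeguards above, added here as an illustration and not taken from UXLINK or any real wallet implementation. The `Multisig` class, its methods, `owner_swap_succeeds` and the owner and guardian labels are all hypothetical.

```python
from dataclasses import dataclass, field

DAY = 24 * 3600

@dataclass
class Multisig:  # hypothetical model, not a real wallet contract
    owners: set
    threshold: int
    timelock: int = 0  # seconds a queued change must wait
    guardians: set = field(default_factory=set)
    queue: dict = field(default_factory=dict)

    def propose(self, signers, new_owners, new_threshold, now):
        """Queue an owner/threshold change once enough current owners sign."""
        valid = set(signers) & self.owners
        if len(valid) < self.threshold:
            raise PermissionError(f"{len(valid)} valid signers, need {self.threshold}")
        change_id = len(self.queue) + 1
        self.queue[change_id] = (set(new_owners), new_threshold, now + self.timelock)
        return change_id

    def cancel(self, guardian, change_id):
        """A guardian vetoes a queued change during the timelock window."""
        if guardian not in self.guardians:
            raise PermissionError("not a guardian")
        del self.queue[change_id]

    def execute(self, change_id, now):
        """Apply a queued change only after its timelock has expired."""
        new_owners, new_threshold, eta = self.queue[change_id]
        if now < eta:
            raise PermissionError(f"timelocked for another {eta - now}s")
        del self.queue[change_id]
        self.owners, self.threshold = new_owners, new_threshold

def owner_swap_succeeds(wallet, compromised, guardian=None, execute_at=0):
    """Replay the owner reassignment to threshold 1 against a configuration."""
    try:
        cid = wallet.propose(compromised, {"intruder"}, 1, now=0)
        if guardian:  # monitoring noticed the queued change in time
            wallet.cancel(guardian, cid)
        wallet.execute(cid, now=execute_at)
    except (PermissionError, KeyError):
        return False
    return wallet.owners == {"intruder"}

if __name__ == "__main__":
    o = {f"o{i}" for i in range(1, 8)}  # constructed owner labels
    print(owner_swap_succeeds(Multisig(set(o), 2), {"o1", "o2"}))  # True: 2/x, no delay
    print(owner_swap_succeeds(Multisig(set(o), 5, 3 * DAY, {"g1"}), {"o1", "o2"}))  # False
```

A timelock on its own only buys time: with a 2/x threshold and a three-day delay, the same change still goes through at `execute_at=3 * DAY` unless a guardian cancels it first.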
Speaking of preventable hacks, Griffin AI fell victim to yet another LayerZero OFT hijack. If that sounds familiar, it’s because just two weeks ago Yala suffered the exact same fate, where a temporary bridge deployment was configured with a malicious token.
Just because you aren’t paying attention to active attack vectors doesn’t mean attackers aren’t. They absolutely are, and they will reuse the same techniques until projects finally close the door. So pretty please with sugar on top, lock down your OFTs and don’t give attackers the keys to print money.
The premium portion of the newsletter contains detailed write-ups and indicators for the remainder of this week’s 10 hacks, including UXLINK, Griffin AI, Hyperdrive, Linea, Seedify, Ideal Protocol, dTrinity, Cool, and others.
Amid all these stories of hacks, it’s worth highlighting the unsung heroes and sponsors of this week’s edition - ChainPatrol. The good folks at ChainPatrol are doing simply amazing work protecting protocols’ brands, fighting the barrage of X phishing attacks, and quickly taking down scammers before they can do real damage.

Let’s dive into the news!
News
Crime
- Thai Police Bust $15M Crypto Scam Ring Targeting Hundreds of Koreans - Decrypt.
- Eurojust coordinates action to halt cryptocurrency fraud of over 100 million euros across Europe.
- $8M in Crypto Stolen in Armed Kidnapping; Suspects Arrested in Texas.
Policy
Phishing
- The UXLINK exploiter address appears to have signed a malicious `increaseAllowance` approval to a phishing contract, reported by Scam Sniffer.
- X/Twitter seems to have been compromised at some point in the last 24 hours, reported by Dark Web Informer.
- Report of a phishing campaign stealing X accounts through fake a16z DMs and Google Calendar spoofing by Zak.eth.
- DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception by ESET. One of the more interesting revelations is a close collaboration between fake recruiters and DPRK IT workers who share intelligence gathered through the interviews of legitimate developers.
- GitHub notifications abused to impersonate Y Combinator for crypto theft.
- New advanced X account takeover attack targets crypto community.
Scams
- Parabolic Mirage by Rekt. Sybil and market manipulation of MYX Finance.
- DeFi protocol Hypervault vanishes after $3.6 million suspected rugpull.
Malware
- Two Malicious Rust Crates Impersonate Popular Logger to Steal Wallet Keys by Kirill Boychenko (Socket). Mass supply chain attacks continue. Did you pin your dependencies yet?
Media
- DSS Webinar - Trillion Dollar Security with Rajeev, Uri, Fredrik and Mehdi.
- Web3 Security Podcast - Validator sniping: How to harvest IP addresses to redirect MEV | Sebastian Bürgel (Gnosis).
- Scamurai - Ep. #5 Social engineering, AI and security in crypto with Stefan Beyer.
- SEC-T 0x11: Simon Gerst - Attacking and defending GitHub Actions.
- Thinker - Hunting the $477,000,000 FTX Hacker.
- Decrypt - Catching Criminals On-chain with Elliptic’s Matt Price.
- Network Chuck - You need to learn MCP Right Now! A detailed walkthrough on teaching LLMs to interface with security tools using custom MCP servers.
Research
- Blockchain Forensics series by SomaXBT:
- Inside Ethereum’s Engine: How the Execution Layer Actually Works by Ezequiel Perez (OpenZeppelin).
- SP1 and zkVMs: A Security Auditor’s Guide by Kirk Baird (Sigma Prime).
- Supply Chain Attacks: Prepare for Next Week by Franco Riccobaldi (Coinspect).
- Supply-Chain Guardrails for npm, pnpm, and Yarn by Franco Riccobaldi (Coinspect).
- Supply chain attacks are targeting Web3: What the September npm hack reveals by Chirag Agrawal (Guardrail).
- Supply chain attacks are exploiting our assumptions by Brad Swain (Trail of Bits).
- Device hardening & factory reset guides by OpSek.
- How to Setup an Ethereum Node Part 1 and Part 2 by Trash Pirate.
- How we trained LLM to find reentrancy vulnerabilities in smart contracts by seth (Unvariant).
- MCP Security: TOP 25 MCP Vulnerabilities by Adversa AI.
- First Malicious MCP in the Wild: The Postmark Backdoor That’s Stealing Your Emails by Idan Dardikman (Koi Security).
- Moving from EVM to Move Part 1 by VulSight.
- Commit-Reveal2: Securing Randomness Beacons with Randomized Reveal Order in Smart Contracts.
- When Priority Fails: Revert-Based MEV on Fast-Finality Rollups.
- Unaligned Incentives: Pricing Attacks Against Blockchain Rollups.
- Decoding TRON: A Comprehensive Framework for Large-Scale Blockchain Data Extraction and Exploration.
- Generic Adversarial Smart Contract Detection with Semantics and Uncertainty-Aware LLM.
Tools
- Introducing V12 by Zellic. An autonomous Solidity auditor designed to find critical bugs consistently and automatically.
Hacks
UXLINK
Date: September 22, 2025
Attack Vector: Multisig Hijacking
Impact: $44,400,000
Chain: Arbitrum, Ethereum, BSC
References:
https://x.com/lookonchain/status/1970330298568319083
https://x.com/CyversAlerts/status/1970167036002132425
https://x.com/exvulsec/status/1970187483498553732
https://x.com/UXLINKofficial/status/1970181382107476362
https://x.com/UXLINKofficial/status/1970318681931669825
https://x.com/UXLINKofficial/status/1970323705856495980
https://x.com/P3b7_/status/1970209897129353546
https://x.com/tayvano_/status/1971296769167515992
https://research.blockscope.co/uxlink-exploit-analysis
https://rekt.news/uxlink-rekt
Phished:
https://x.com/realScamSniffer/status/1970322013597450609
https://x.com/evilcos/status/1970332831890248173
https://arbiscan.io/tx/0xa70674ccc9caa17d6efaf3f6fcbd5dec40011744c18a1057f391a822f11986ee
https://protos.com/uxlink-goes-from-bad-to-worse-to-weird-after-hacker-loses-stolen-tokens/
Exploit:
https://arbiscan.io/tx/0x35edac40767f65d4d1382f0f55cda2f4db321313e16fe059079f0113f9cb5696
https://etherscan.io/tx/0x618e914f8c0afccaaf9be2d502730aa9c89f6cb0cc63aa6e700ef7e1d659b093
Unkn_16c10E
Date: September 22, 2025
Attack Vector: Function Parameter Validation
Impact: $4,000
Chain: BSC
References:
https://x.com/TikkalaResearch/status/1969974137662640189
Exploit:
https://bscscan.com/tx/0x48ca94237b11c074785a87ba20ac5f013611a627f703a833d67b1d2cd56959b0
https://bscscan.com/tx/0xbf2cfc981637ed84daa1c5327ff1908456f167bcf66d4c9af3ebce247808448e
Unkn_506a8a
Date: September 22, 2025
Attack Vector:
Impact: $22,000
Chain: Base
References:
https://x.com/TenArmorAlert/status/1970015815979171983
https://x.com/Phalcon_xyz/status/1970005105547387243
Exploit:
https://basescan.org/tx/0x39ac5354ef57a77f5eaa8221bf6c2852dd72a5614935fcfd6dbc503090e21cf7
Seedify Bridge
Date: September 23, 2025
Attack Vector: Key/Signer Compromise
Impact: $1,700,000
Chain: Base, Polygon, Arbitrum, BSC
References:
https://x.com/Phalcon_xyz/status/1970510108506591289
https://x.com/meta_alchemist/status/1970470733017968841
https://x.com/meta_alchemist/status/1970505109265072414
https://x.com/SpecterAnalyst/status/1970505411397886046
https://x.com/SpecterAnalyst/status/1970500732928327760
https://x.com/BlockscopeCo/status/1970489759085506700
https://x.com/BlockscopeCo/status/1970543460726800879
https://x.com/SeedifyFund/status/1970537553515417918
https://x.com/SeedifyFund/status/1971558389869142204
https://x.com/meta_alchemist/status/1970839616652488964
https://x.com/meta_alchemist/status/1970809053359100051
Attribution:
https://x.com/zachxbt/status/1970488338529558795
Exploit:
https://basescan.org/tx/0x1dd7c101c18cd1adc80c4c68ce480862245a7223f8e5182136aed316eae54ac9
Linea Bridge
Date: September 24, 2025
Attack Vector: Forgotten approval
Impact: $220,000
Chain: Ethereum, Linea
References:
https://x.com/push0ebp/status/1972284761751388641
Exploit:
https://etherscan.io/tx/0x22ec7deb97dd48099763d0b8bb6d8fb7e1e507f226ffdfb06d198a9bd7d95ddf
Griffin AI
Date: September 24, 2025
Attack Vector: Misconfiguration
Impact: $3,000,000
Chain: BSC, Ethereum
References:
https://x.com/Griffin_AI/status/1971021877272601021
https://x.com/exvulsec/status/1971042064029905104
https://x.com/CertiKAlert/status/1971053766540657069
https://x.com/GoPlusSecurity/status/1971023381282910399
https://x.com/BlockscopeCo/status/1971241389523353830
https://x.com/guardrailai/status/1971612441370148923
https://rekt.news/griffinai-rekt
Exploit:
https://bscscan.com/token/0xacf5a368ec5bb9e804c8ac0b508daa5a21c92e13?a=0xf3d17326130f90c1900bc0b69323c4c7e2d58db2
https://bscscan.com/tx/0xa85b18bdbd32fbe5468de38032f7f2717faaad663d33991b2c71ce0b3892e866
Ideal Protocol
Date: September 24, 2025
Attack Vector: Uninitialized Contract
Impact: $1,000,000
Chain: BSC
References:
https://x.com/blockaid_/status/1970900879055155560
Exploit:
https://bscscan.com/tx/0x5f2042a3096e297bbe73b64111aa82a0505cb18afb1f9b0a27fd3e0c40ded0fd
Hyperdrive
Date: September 27, 2025
Attack Vector: Arbitrary External Calls
Impact: $782,000
Chain: Hyperliquid
References:
https://x.com/CertiKAlert/status/1972117426893738341
https://x.com/hyperdrivedefi/status/1971943575559852327
https://x.com/hyperdrivedefi/status/1972095669403111519
https://x.com/hyperdrivedefi/status/1972458715354935611
https://x.com/BlockscopeCo/status/1972125610949697989
https://x.com/PeckShieldAlert/status/1972119238178754651
Exploit:
https://hyperevmscan.io/tx/0xb2dfe1bdd723e1fdc3fb74af56db9ab7ae67c484dea6d3cbf84aa625c92e7ac4
Cool
Date: September 27, 2025
Attack Vector: Insufficient Function Access Control
Impact: $100,500
Chain: Ethereum
References:
https://x.com/TenArmorAlert/status/1972123648111558978
Exploit:
https://etherscan.io/tx/0xb2fe540482667d464586aeb9522887a2b3f8bf07ecd9c0873f3a7adc6fa67e04
https://etherscan.io/tx/0x08b83297a0b4c7121ca689a477b260c9c1dacf208c3044e0b1fdd003ff97c516
dTrinity
Date: September 27, 2025
Attack Vector: Function Parameter Validation
Impact: $56,000
Chain: Sonic, Fraxtal
References:
https://x.com/dTRINITY_DeFi/status/1972175656361644448
https://x.com/dTRINITY_DeFi/status/1972564217904644557
Exploit:
https://sonicscan.org/tx/0xa6aef05387f5b86b1fd563256fc9223f3c22f74292d66ac796d3f08fd311d940
https://fraxscan.com/tx/0xd8ae4f2a66d059e73407eca6ba0ba5080f5003f5abbf29867345425276734a32