BlockThreat - Week 4, 2025

Phemex | NoOnes | AdsPower | Paribus | Thetanuts | Odos | AST | BPL | Bebop

Greetings!

We’ve been dreading weeks like this for a while. Nearly $100 million stolen across 10 attacks—a brutal reminder of the relentless pace of crypto exploits. Multiple hot wallet compromises, wallet supply chain attacks, and an exhausting number of price oracle exploits. Let’s start with the worst hack of the year.

The Phemex Heist: A Masterclass in Coordination

Alarm bells rang on January 23rd at 11:55 AM UTC when PeckShield detected large outflows—one token after another—on Ethereum, all within seconds. As the Ethereum drains unfolded, Solana, Bitcoin, Sui, Ripple, and others were hit just minutes later. In total, 16 blockchains were drained in parallel, a staggering display of coordination that pointed to a well-prepared, professional actor.

Then came the laundering—executed with the same speed and precision as the exploit itself. The attacker rapidly hopped between chains, swapping and obfuscating assets, prioritizing the liquidation of freezable tokens first.

Kudos to Phemex for maintaining transparency throughout the incident—an approach that will help elevate industry security standards. Two key timestamps from the preliminary report stand out:

• The attack was detected at 11:30 AM UTC, 25 minutes before draining began.

• Deposits and withdrawals were halted at 3:13 PM UTC.

That’s 25 minutes to assemble a war room, triage the incident, assess severity, and initiate containment—longer than the average 15-minute response time for most DeFi projects, yet still not enough. It’s frustrating, but I hope Phemex rebuilds and fortifies their security program to better protect their hot wallets in the future.

As for threat actor attribution, only North Korean-linked groups have executed such a coordinated and devastating attack in the past. But we’ll need more data points to confirm.

More Hacks & A Glimmer of Hope

There were many more incidents this week—details of which you’ll find in the premium section—including:

• $8M NoOnes hot wallet hack

• $4.7M AdsPower wallet supply chain attack

• A clever Odos exploit

• …and many others.

But I want to leave you on a more positive note.

Deep inside the dark forest of blockchain security, it’s not just the predators who lurk. The good guys are there too—turning the same techniques against careless attackers.

On January 18th, Bitfinding, a group specializing in intercepting hacks in progress, noticed storm clouds forming over Paribus on Arbitrum. Without hesitation, they deployed an exploit in just 3.2 seconds—executing a white-hat attack to safeguard funds until their rightful owners could reclaim them.

A rare win in the battle for blockchain security. Hats off to the heroes! Maybe there’s still hope for the future of intrusion prevention after all.

Let’s dive into the news!

Hacks

Paribus

Date: January 20, 2025
Attack Vector: Price Oracle Manipulation
Impact: $86,000 (Recovered $86,000)
Chain: Arbitrum

References:

https://bitfinding.com/blog/paribus-hack-interception

https://x.com/BitFinding/status/1882880682512527516

https://x.com/paribus_io/status/1881423579625271472

Exploit:

https://arbiscan.io/tx/0xf5e753d3da60db214f2261343c1e1bc46e674d2fa4b7a953eaf3c52123aeebd2

https://github.com/SunWeb3Sec/DeFiHackLabs/blob/main/src/test/2025-01/Paribus_exp.sol

AdsPower

Date: January 21, 2025
Attack Vector: Supply Chain
Impact: $4,700,000

References:

https://x.com/AdsPowerBrowser/status/1882983731419570220

https://x.com/exvulsec/status/1883029289278546008

https://x.com/AdsPowerBrowser/status/1883016162617016670

Exploit:

Base Price Pool

Date: January 21, 2025
Attack Vector: Price Oracle Manipulation
Impact: $23,000
Chain: BSC

References:

https://x.com/TikkalaResearch/status/1881819155923620308

https://x.com/TenArmorAlert/status/1881710739477446670

Exploit:

https://bscscan.com/tx/0x4f7a403b8e8fda312ffcfb86384005dfd280a219076b03aeabe9caa425ee9a26

https://bscscan.com/tx/0xe7bf0e2f9c824b3112b836780c3dba3395fa1eac6af2d38f84b9d088162f188e

AST

Date: January 21, 2025
Attack Vector: Logic Error
Impact: $65,000
Chain: BSC

References:

https://x.com/SlowMist_Team/status/1881874569042317610

https://x.com/TenArmorAlert/status/1881740709843079629

https://nickfranklin.site/2025/01/22/ast-token-hacked/

https://blog.solidityscan.com/ast-token-hack-analysis-7a2f0400436a

Exploit:

https://bscscan.com/tx/0x80dd9362d211722b578af72d551f0a68e0dc1b1e077805353970b2f65e793927

Thetanuts Finance

Date: January 21, 2025
Attack Vector: Function Parameter Validation
Impact: $125,300
Chain: Base

References:

https://x.com/TenArmorAlert/status/1881919586930422034

https://x.com/CertiKAlert/status/1881941856264855973

https://x.com/ThetanutsFi/status/1881970929812832556

Exploit:

https://basescan.org/tx/0x521b19706d414473c55052b71d037cc546546e9863c2a7566f0313205983397a

Bebop

Date: January 22, 2025
Attack Vector: Insufficient Function Access Control
Impact: $4,000
Chain: Ethereum

References:

https://x.com/TikkalaResearch/status/1882136981217640941

Exploit:

https://etherscan.io/tx/0x6dc1412ef2f711f28442b9b4bc2769425a3f92dbb8cac84af8377e779c763980

Unkn_c8b9

Date: January 22, 2025
Attack Vector: Uninitialized Contract
Impact: Assets Stolen
Chain: BSC

References:

https://x.com/TikkalaResearch/status/1882134209009185106

Exploit:

https://bscscan.com/tx/0x9b04d02861b3f0f21238c566d930e36774538066a10527166367d4a602284e3d

Phemex

Date: January 23, 2025
Attack Vector: Hot Wallet Compromise
Impact: $85,000,000

References:

https://x.com/kaiphemex/status/1882416271536595044

https://www.bleepingcomputer.com/news/security/hackers-steal-85-million-worth-of-cryptocurrency-from-phemex/

https://x.com/tayvano_/status/1883711887256485915

https://phemex.com/announcements/phemex-hot-wallet-security-incident-update-and-timeline

https://x.com/PeckShieldAlert/status/1882776555312869830

https://rekt.news/phemex-rekt/

https://www.theblock.co/post/336754/north-korea-hack-group-possibly-behind-70-million-phemex-exploit-experts-say

Odos

Date: January 23, 2025
Attack Vector: Function Parameter Validation
Impact: $98,000
Chain: Base, Ethereum, BSC, Optimism, Avalanche

References:

https://x.com/Phalcon_xyz/status/1882630151583981787

https://x.com/TenArmorAlert/status/1882623431167934611

https://x.com/SlowMist_Team/status/1882634308067934264

https://x.com/TikkalaResearch/status/1882508654278234198

https://nickfranklin.site/2025/01/24/odos-router-hacked/

https://x.com/odosprotocol/status/1882668362045821146

https://x.com/milotruck/status/1882881352581906635

Exploit:

https://basescan.org/tx/0xd10faa5b33ddb501b1dc6430896c966048271f2510ff9ed681dd6d510c5df9f6

NoOnes

Date: January 24, 2025
Attack Vector: Hot Wallet Compromise
Impact: $8,000,000
Chain: Ethereum, Tron, Solana, BSC

References:

https://t.me/investigations/202

https://x.com/tayvano_/status/1882715603196346486

https://www.theblock.co/post/337004/noones-ceo-ray-youssef-8-million-exploit-crypto-sleuth-zachxbt-investigation