BlockThreat - Week 40, 2025
Abracadabra | Alt Town | SBI Crypto | Discord | TEE
Greetings!
Almost $5M was stolen this week across 6 incidents. On the DeFi side, Abracadabra suffered its third exploit, which cost them $1.8M. It’s particularly unfortunate as the protocol did not practice defensive coding: a single missed else statement resulted in an unwanted state.
Yet another mining pool exploitation surfaced and was discovered weeks after it happened. The centralized nature of pools, combined with their large routine transfers, often obscures signs of compromise. This time, the $24M that vanished from SBI Crypto was only noticed a week later, when stolen funds began flowing to the usual laundering targets. As a reminder, the massive $3.5B Lubian miner hack went undetected for nearly five years, raising the question of how many other CeFi breaches remain unknown.
One of the more interesting exploits this week was a vulnerable 7702 wallet from which attackers were able to drain more than $300K. The contract had an unprotected pancakeV3SwapCallback function which allowed anyone to ask for a “repayment”, which is exactly what the attacker did for a USDT.C token:
pancakeV3SwapCallback(366,671,873,699, -1, 0x96fb784986284cb6d4a8da6dd50dd7e85ef38f5d)
The exploit was simple and the damage limited, but it’s a warning shot. A single vulnerable smart wallet could one day trigger multimillion losses across the ecosystem. Be careful which 3rd party smart wallet contracts you trust.
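To make the missing check concrete, here is an added sketch (not the exploited wallet's source, and not code from this newsletter) of an unguarded swap callback next to a guarded one. Everything except the pancakeV3SwapCallback name is an assumption: the contract and interface names, reading the token from `data`, and the owner-only `swap` entry point that relies on a 7702 account calling itself.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; names and layout are assumptions, not the real wallet.
// Interfaces follow the V3 pool/factory shape used by PancakeSwap V3.
interface IERC20 { function transfer(address to, uint256 amount) external returns (bool); }
interface IFactory { function getPool(address a, address b, uint24 fee) external view returns (address); }
interface IPool {
    function token0() external view returns (address);
    function token1() external view returns (address);
    function fee() external view returns (uint24);
    function swap(address to, bool zeroForOne, int256 amt, uint160 limit, bytes calldata data) external returns (int256, int256);
}

contract VulnerableWallet {
    // No caller check: any address can claim a "repayment" in a token it names.
    function pancakeV3SwapCallback(int256 amount0Delta, int256 amount1Delta, bytes calldata data) external {
        address token = abi.decode(data, (address)); // assumption: token taken from caller data
        uint256 owed = uint256(amount0Delta > 0 ? amount0Delta : amount1Delta);
        IERC20(token).transfer(msg.sender, owed);
    }
}

contract HardenedWallet {
    IFactory public immutable factory; // trusted factory, baked into the bytecode
    address private expectedPool;      // non-zero only while our own swap is running

    constructor(IFactory factory_) { factory = factory_; }

    function swap(address pool, bool zeroForOne, int256 amt, uint160 limit) external {
        require(msg.sender == address(this), "owner only"); // 7702 account calling itself
        expectedPool = pool;
        IPool(pool).swap(address(this), zeroForOne, amt, limit, "");
        expectedPool = address(0);
    }

    function pancakeV3SwapCallback(int256 amount0Delta, int256 amount1Delta, bytes calldata) external {
        // 1. Only the pool we are swapping against right now may call back.
        require(msg.sender == expectedPool, "no swap in flight");
        // 2. That pool must be registered in the trusted factory.
        IPool pool = IPool(msg.sender);
        (address t0, address t1) = (pool.token0(), pool.token1());
        require(factory.getPool(t0, t1, pool.fee()) == msg.sender, "not a factory pool");
        // 3. Pay only the pool's own token, never one named by the caller.
        if (amount0Delta > 0) require(IERC20(t0).transfer(msg.sender, uint256(amount0Delta)), "transfer failed");
        else if (amount1Delta > 0) require(IERC20(t1).transfer(msg.sender, uint256(amount1Delta)), "transfer failed");
        else revert("nothing owed");
    }
}
```

With the guards in place, a direct call shaped like the one quoted above reverts at the first require because no swap initiated by the wallet is in flight.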

Let’s dive into the news!
News
- Intel and AMD trusted enclaves, a foundation for network security, fall to physical attacks. The new Wiretap Fail attack requires physical access but can completely break Intel SGX, Intel TDX, and AMD SEV-SNP. Don’t panic, but consider specific provider setups where physical access could be abused.
- Hackers claim Discord breach exposed data of 5.5 million users. Another case of bribery involving outsourced support staff. Did we not learn from the Coinbase incident?
- NIRS fire destroys government’s cloud storage system, no backups available. Web2 security can be wild and a reminder to have a backup strategy.
- Roman Storm Files Motion For Acquittal On All Counts.
- Kim.Fun: an interesting approach to catching DPRK IT workers.
- SlowMist: 2025 Q3 MistTrack Stolen Funds Analysis.
- M-Trends 2025: Data, Insights, and Recommendations From the Frontlines by Mandiant.
Crime
- Chinese scammer pleads guilty after UK seizes nearly $7 billion in bitcoin. Zhimin Qian held a massive 61,000 BTC obtained from 128K victims.
- Scattered Lapsus$ Hunters offering $10 in Bitcoin to ‘endlessly harass’ execs. Another heinous tactic by the infamous threat actor while not busy bribing outsourced support staff.
- ‘You’ll never need to work again’: Criminals offer reporter money to hack BBC.
- Leaked Documents Expose $8 Billion Crypto Web Behind Russia’s Sanctions Evasion.
- Kazakhstan Tightens Crypto Rules After Seizing $16.7M From Unlicensed Exchanges.
- Thief Snaps Photo of Victim’s Seed Phrase in Apartment, Steals $1.7M in Crypto.
- Thai Authorities Arrest Portuguese National Linked to $580M Cryptocurrency Fraud.
- Lazarus Group: A criminal syndicate with a flag by Christine Barry (Barracuda).
Policy
Phishing
- Top 5 Crypto & Web3 Hacks That Started With Phishing by Rhythm Jain (Resonance Security).
- 0G_labs and 0G_Foundation X accounts have been compromised. The hack was apparently perpetrated by one of the airdrop farmers.
- BNBCHAIN X account has been compromised.
- ZachXBT Flags $400K Exploit: Hypurr NFTs Drained From Compromised HyperEVM Wallets.
Scams
- HyperVault - Rugged by Rekt.
Research
- Cross-Function Reentrancy: When Functions Betray Each Other by Shashank Mudgal (0x00auditor).
- Proper nonce implementation thread by Sigma Prime.
- MEV Spam: The Hidden Blockchain Scalability Crisis by Nefture Security.
- Tracing a $3.4M Crypto Ransom: How Investigators Follow the Blockchain Trail.
- How to npm and avoid getting rekt by The Red Guild Security.
- Awesome Wallet Security by Valkyri Security.
- RISC Zero Security Disclosure: Arbitrary code execution in guest.
- LISA Technical Report: An Agentic Framework for Smart Contract Auditing.
- LLMs as verification oracles for Solidity.
- The Dark Art of Financial Disguise in Web3: Money Laundering Schemes and Countermeasures.
- Secret Leader Election in Ethereum PoS: An Empirical Security Analysis of Whisk and Homomorphic Sortition under DoS on the Leader and Censorship Attacks.
- BugMagnifier: TON Transaction Simulator for Revealing Smart Contract Vulnerabilities.
- Smart Contract Intent Detection with Pre-trained Programming Language Model.
- PROMFUZZ: Leveraging LLM-Driven and Bug-Oriented Composite Analysis for Detecting Functional Bugs in Smart Contracts.
- AI-Based Vulnerability Analysis of NFT Smart Contracts.
Tools
- Wise Signer MetaMask snap to help decode calldata from Patrick Collins.
- rrelayer - an opensource powerful, high-performance blockchain transaction relay service built in Rust, designed for seamless integration with any EVM-compatible network.
- The Recon Extension: Now With More Halmos by Recon.
- Breadcrumbs Investigation Tool.
Hacks
Unkn_dc8275
Date: September 29, 2025
Attack Vector: Bad Randomness
Impact: $143,000
Chain: Ethereum
References:
https://x.com/Phalcon_xyz/status/1972595841245516037
https://t.me/defimon_alerts/1926
Exploit:
https://etherscan.io/tx/0x9061d21aa6c0e2afd07a96a6371bb656bc11155aa9410bfcaa11b0742d159fce
Alt Town
Date: September 29, 2025
Attack Vector: Key/Signer Compromise
Impact: $1,200,000
Chain: BSC
References:
https://x.com/DecurityHQ/status/1972967737992638616
https://x.com/AlttownOfficial/status/1972853816652710317
https://medium.com/alttown/town-post-mortem-report-81322f2b587c
Exploit:
https://bscscan.com/tx/0xf8b234fd5eaa9e860b7d351644c89813158356879f521920d080553fc16d65c6
Hyperliquid User
Date: September 30, 2025
Attack Vector: Insufficient Function Access Control
Impact: $1,100,000
Chain: Ethereum
References:
https://x.com/GoPlusSecurity/status/1973218095272698141
https://x.com/PixOnChain/status/1973078867066716537
Exploit:
https://etherscan.io/tx/0x8bbb18a9c68e391b8b5c489e95d6e71c1908461fddcc33d5cca3c3e1cfb5b5e3
1Inch User
Date: October 01, 2025
Attack Vector: Forgotten approval
Impact: $200,000
Chain: Ethereum
References:
https://x.com/Cycho1337/status/1974101465624097197
Exploit:
https://etherscan.io/tx/0xe5e12f0d1211b5926e9a51bc22a9f289a5d65dadf2331cf31a6f8f9cc18d5085
7702 Wallet
Date: October 02, 2025
Attack Vector: Insufficient Function Access Control
Impact: $336,000
Chain: BSC
References:
https://x.com/TikkalaResearch/status/1973967082762220003
Exploit:
https://bscscan.com/tx/0x33242482763a2eca804180745bac6b2e96d7258da31ccde9a7345c92689c1668
Abracadabra
Date: October 04, 2025
Attack Vector: Logic Error
Impact: $1,800,000
Chain: Ethereum
References:
https://x.com/MIM_Spell/status/1975130787486831018
https://www.quillaudits.com/blog/hack-analysis/abracadabra-hack-explained
https://x.com/Phalcon_xyz/status/1974533451408986417
https://x.com/extractor_web3/status/1976671424455811296
https://blog.solidityscan.com/abracadabra-hack-analysis-f2efcdee9c05
https://hacken.io/insights/abracadabra-mim-hack-explained/
https://rekt.news/abracadabra-rekt3
https://docs.bughunter.live/blog/abracadabra-bughunter/
https://x.com/hklst4r/status/1974827196557426899
https://x.com/evilcos/status/1975438468219326502
Tracking:
https://x.com/Whistleblowe007/status/1976143986264863220
Exploit:
https://etherscan.io/tx/0x842aae91c89a9e5043e64af34f53dc66daf0f033ad8afbf35ef0c93f99a9e5e6
https://github.com/SunWeb3Sec/DeFiHackLabs/blob/main/src/test/2025-10/MIMSpell3_exp.sol