BlockThreat - Week 41, 2025
Hyperliquid | Wolf | Astera | Squid | VeloraDEX | Binance
Greetings!
More than $22M was stolen this week across 9 incidents. The majority of losses came from a single Hyperliquid user compromise, which cost them $21M. A devastating loss and a continued trend of user attacks across the ecosystem.
A more concerning event was an ecosystem-wide meltdown sparked by tariff panic. Binance was among the platforms affected when a relatively small $60M USDe sell-off caused its price feed to misreport values, triggering a chain reaction of forced liquidations across collateral assets such as wBETH and BNSOL. The flawed oracle relied too heavily on Binance’s own orderbook without sufficient cross-exchange validation or time weighting, turning a localized price move into a $19B cascade of liquidations. Binance later compensated users for roughly $230M in losses, acknowledging that this was an internal systemic failure rather than user error.
We usually focus on security exploits, but market-wide incidents like these can be just as destructive when circuit breakers fail, prices are misreported, and traders are unfairly liquidated. It is a strong reminder that financial safeguards are just as critical as security controls, since their failure can just as easily destroy a protocol.
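To make the oracle design point concrete, here is an added example (not code from this newsletter, from Binance, or from any referenced write-up) that compares a single-venue spot price with a median of per-venue time-weighted prices plus a divergence flag. The venue names, prices, window and thresholds are all constructed for illustration.

```python
from statistics import median

# Constructed samples: (seconds, price) per venue for a dollar-pegged asset.
# "internal" prints a brief local dip; the two external venues barely move.
SAMPLES = {
    "internal": [(0, 1.00), (60, 0.99), (120, 0.70), (180, 0.66), (240, 0.98)],
    "venue_b":  [(0, 1.00), (60, 1.00), (120, 0.99), (180, 0.99), (240, 1.00)],
    "venue_c":  [(0, 1.00), (60, 0.99), (120, 0.98), (180, 0.99), (240, 0.99)],
}

def spot_single_venue(samples, venue, now):
    """Weak design: latest print from one order book, no validation."""
    return [p for t, p in samples[venue] if t <= now][-1]

def twap(points, now, window):
    """Time-weighted average over [now - window, now]; a print holds until the next."""
    start = now - window
    pts = [(t, p) for t, p in points if t <= now]
    total = covered = 0.0
    for i, (t, p) in enumerate(pts):
        end = pts[i + 1][0] if i + 1 < len(pts) else now
        seg = end - max(t, start)
        if seg > 0:
            total += p * seg
            covered += seg
    if covered == 0:
        raise ValueError("no price data inside the window")
    return total / covered

def robust_mark(samples, now, window=180, max_spread=0.05):
    """Median of per-venue TWAPs, plus a flag when venue spot prices disagree."""
    mark = median(twap(pts, now, window) for pts in samples.values())
    spots = [spot_single_venue(samples, v, now) for v in samples]
    diverged = (max(spots) - min(spots)) / median(spots) > max_spread
    return mark, diverged

def liquidatable(collateral_units, debt, price, threshold=0.85):
    """A position is liquidated when debt exceeds threshold * collateral value."""
    return debt > threshold * collateral_units * price

if __name__ == "__main__":
    naive = spot_single_venue(SAMPLES, "internal", 180)
    mark, diverged = robust_mark(SAMPLES, now=180)
    print(f"naive={naive:.2f} robust={mark:.2f} diverged={diverged}")
    print("liquidated on naive price:", liquidatable(1000, 700, naive))
    print("liquidated on robust price:", liquidatable(1000, 700, mark))
```

The divergence flag is the hook for a circuit breaker: when it is set, a platform can pause liquidations or fall back to the cross-venue mark rather than act on the outlier print.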

Let’s dive into the news!
News
- Oracle, Oracle, Oracle: How Price Feed Design Turned $60 Million Into a $19 Billion Catastrophe by YQ. A master class in how a series of depegs triggered a catastrophic oracle failure at Binance. An important reminder to never trust a single price feed, especially an internal one, whether you are CeFi or DeFi.
- ‘Bitcoin Jesus’ Roger Ver reaches tentative deal with DOJ over $48 million tax case.
Crime
- North Korea’s crypto hackers have stolen over $2 billion in 2025 by Elliptic.
- DPRK’s Dangerous Password and How to Avoid Their Tactics by zeroShadow.
- When Hackers Get Hacked: Analyzing the Breach of LockBit by SlowMist.
- Meet Scattered Spider: The Group Currently Scattering UK Retail Organizations by Adi Bleih (Cyberint). New tactics to recruit agents at high-value organizations.
- British Duo On Trial for Planning to Steal $23m in Crypto—From Behind Bars.
- Brazil’s Federal Police Dismantle $540 Million Crypto Laundering Network in “Operation Lusocoin” by TRM.
- Scam Compound Operators: Members of The Four Great Families sentenced to death in China.
- Two Indicted in Tel Aviv Over $600,000 ‘Wrench Attack’ on Bitcoin Trader.
Phishing
- The State of Drainers Vol. 1 by SEAL.
- A victim 0x0cdC...E955 lost ~$21M worth of cryptos on #Hyperliquid due to a private key leak by Peckshield.
Malware
Media
- The Network Podcast - Operational Security with Pablo Sabbatella.
- Web3 Security Podcast - Safe’s $60B security stack: Formal verification, audits, and $1M bounties with Richard Meissner.
- bountyhunt3rz - Episode 26 - alix40.
- Chainalysis - Inside the FBI: Crypto, Crime & National Security – Ep. 171.
Research
- Preventing Second Preimage Attacks in Merkle Trees: A Complete Guide by Ahmad Khan (Adevar Labs).
- AI Bug Hunting: Preventing Fee Accrual in Euler by riptide.
- Governance as an Attack Vector in Web3 Protocols by Paul (Cantina).
- Stablecoin Security: How Design Choices Create Vulnerabilities and Economic Risk by Olesia Bilenka (Hacken).
- Smart Contract Intent Detection with Pre-trained Programming Language Model.
- Security Analysis of Ponzi Schemes in Ethereum Smart Contracts.
Hacks
TokenHolder
Date: October 07, 2025
Attack Vector: Insufficient Function Access Control
Impact: $26,000
Chain: BSC
Exploit:
https://bscscan.com/tx/0xc291d70f281dbb6976820fbc4dbb3cfcf56be7bf360f2e823f339af4161f64c6
https://github.com/SunWeb3Sec/DeFiHackLabs/blob/main/src/test/2025-10/TokenHolder_exp.sol
Squid Router
Date: October 07, 2025
Attack Vector: Function Parameter Injection
Impact: $94,000
Chain: BSC, Ethereum, Arbitrum, Optimism, Base
References:
https://x.com/TikkalaResearch/status/1975586031975211116
Exploit:
https://bscscan.com/tx/0xe7db301ac8acf067ad17cf4703fef73770351b98f67b664ae6312cd7b3cea275
https://bscscan.com/tx/0x9666183f62b644b770c001aea49b90f4bcaf5b9bf01d68e84364435f030f78ee
https://bscscan.com/tx/0xcd345310e491195f0500d45d6987eaef342bae24390f4da4f7e6749b8105b4c3
https://etherscan.io/tx/0x933654d457453f9ec73266b605755619ec9155f9d1157c65c76cb0e6f392fcd5
https://arbiscan.io/tx/0x7c04894180f1a3a0eb3339def405c5412b27d11a66396b5c332341388dfed469
https://basescan.org/tx/0x90b88d57303c0b9436ec38c1b1e19a27da93f5643cbc5579bffb21972b53c5be
https://optimistic.etherscan.io/tx/0xfebdef1915c4be6441a4fde9703e3ba76be0d5e0d5a757b3cf04c82ec7c48bd1
VeloraDEX (ParaSwap)
Date: October 07, 2025
Attack Vector: Arbitrary External Calls
Impact: $20,000
Chain: Ethereum
References:
https://x.com/TikkalaResearch/status/1975313727009530370
https://x.com/VeloraDEX/status/1770313086072742263
https://paraswap.notion.site/Exploit-cases-ede9067c72dc4326896151ffe29394ad
Exploit:
https://etherscan.io/tx/0x5b1e67ed4c12dcb1b94a32d4e77cd6a6b113d76c1fdb29defd24d0058e4f70de
Peapods
Date: October 09, 2025
Attack Vector:
Impact: Assets Stolen
References:
https://x.com/hklst4r/status/1976339933091484142
Exploit:
https://etherscan.io/tx/0x08a4a6906eaa798fa23fccdebbee4d1b59655d91874cbdcb2af99294d0fc3ea5
Astera
Date: October 09, 2025
Attack Vector: Price Oracle Manipulation
Impact: $573,000
Chain: Linea
References:
https://x.com/asterafinance/status/1976214111332749531
https://x.com/hklst4r/status/1976296543872233508
https://x.com/Phalcon_xyz/status/1977031656663081148
Exploit:
https://lineascan.build/tx/0xc574372f7411415a791e00076582b7f222214049b706991c8b40e2b7a7e7b988
Binance Exchange
Date: October 10, 2025
Attack Vector: Incorrect Price Oracle
Impact: Assets Stolen
References:
https://x.com/diogenes/status/1976947177520808270
https://x.com/yq_acc/status/1977433963728867630
https://x.com/yq_acc/status/1977838432169938955
https://x.com/yq_acc/status/1977057301673787716
https://x.com/yq_acc/status/1977275614873768355
https://www.binance.com/en/support/announcement/detail/d9cb0d52d7c142a5be4f49732bd8760c
https://www.binance.com/en/support/announcement/detail/0989d6c7f32545bfb019e3249eaabc3f
https://www.binance.com/en/support/announcement/detail/d6deec042d784b6ba5d8710a8c69d79d
Hyperliquid User
Date: October 10, 2025
Attack Vector: Key/Signer Compromise
Impact: $21,000,000
Chain: Hyperliquid
References:
https://x.com/PeckShieldAlert/status/1976577386469839269
Shuffle
Date: October 10, 2025
Attack Vector: Supply Chain
Impact: PII Stolen
References:
https://x.com/noahdummett/status/1976558783229985080
Wolf
Date: October 10, 2025
Attack Vector: Malicious Insider
Impact: $600,000
Chain: Ethereum
References: