BlockThreat - Week 44, 2025
Garden Finance | Peapods | 402 Bridge | 0xc0ffee | MEV | Thodex | LastPass
Greetings!
More than $11.2M was stolen this week across eleven incidents. Among the more notable exploits was the 0xc0ffee MEV bot hack, which lost $218K due to an exposed uniswapV3SwapCallback method. These have been popping up a few times this year, so be sure to check out Giovanni Di Siena’s article on hook security in the Research section for how to lock down these callbacks.
Garden Finance lost almost $11M after one of its solvers was compromised and private keys stolen. The irony here is that Garden Finance was previously implicated as a laundering venue for multiple Lazarus-linked hacks like Bybit, SwissBorg, and others. In a classic moment of frontier justice, ZachXBT refused to offer any support and even discouraged attackers from returning any of the illicitly obtained funds.
Oh, and be on the lookout for phishing emails claiming to be from LastPass!
Let’s dive into the news!
News
- Our presence at the biggest Latin American security conference, Ekoparty, by The Red Guild.
- Introducing Aardvark: OpenAI’s agentic security researcher. The AI audit space is getting hot.
Crime
- A thread on US v Peraire-Bueno trial by Inner City Press.
- An unlikely couple, a doomed affair and their €64mn ransomware scam. An inside view of the CryLock (Cryakl) ransomware operators Vadim Sirotin and Elena Timofeeva.
- Interview with the Chollima III by Mauro Eldritch and Ulises (Bitso).
- Crypto wasted: BlueNoroff’s ghost mirage of funding and jobs by Kaspersky. Details of a new GhostCall campaign targeting the crypto community over Telegram with macOS malware.
- Indiana Police Recover Stolen Bitcoin Mining Rigs—And $75K Worth of Frozen Turkeys.
- NBA Gambling Scandal: at least $400,000 in ETH seized.
- Royal Thai Police Arrest Fugitive Chinese National Behind Multi-Million Dollar Crypto Fraud Scheme by TRM.
- Chinese Man Arrested in Bangkok Over Alleged $14M Crypto Ponzi Scheme.
- CEO of collapsed Thodex exchange found dead in Turkish prison while serving 11,196-year sentence.
Phishing
- Possible CryptoChameleon Social Engineering Campaign Targeting LastPass Customers, Crypto Exchange Customers, Passkeys, and More. A new phishing campaign using requests for the victim’s death certificate as a lure.
- Thread on malicious Merkl campaigns with high APRs and unverified Euler vaults by YAM. Attackers are using fake markets with high oracle prices to drain any supplied liquidity.
Scams
- House Of Cards by Rekt. A story of two stablecoins caught in the mutual backing loop. What could go wrong?
Malware
- Infostealers Disguised as Free Video Game Cheats by vxdb.
- From Dream Job to Malware: DreamLoaders in Lazarus’ Recent Campaign by Lab52.
Media
- bountyhunt3rz - Episode 29 - j4x.
- Governance Futures S.1 Ep.17 - Security, DAOs, and Human Error: Threat Modeling Web3 with Isaac Patka.
Contests
Research
- Uniswap V4 Hooks Security Deep Dive by Giovanni Di Siena (Solodit).
- Multisig Security Analysis by engn33r (Electisec).
- Securing the Blockchain: AI and Staying Ahead of the Curve + Ethena Yield Theft by Bountyhunt3rz.
- How can you be drained years after a protocol’s hack? A thread by Ye in Web3 on the victims.
- Bad Vibes by Rekt. An excellent analysis on the future of AI-augmented code development, its risks and pitfalls. As the article mentions: “When will we see our first crypto exploit where we found out the root cause was due to vibe coding?”.
- New physical attacks are quickly diluting secure enclave defenses from Nvidia, AMD, and Intel by Dan Goodin (Ars Technica).
- Oracle Infrastructure: The Backbone of Lending Protocols by Noveleader and Francesco (Castle Labs).
- Core Architecture and Positioning of DeFi’s Top Money Markets by Noveleader and Atomist (Castle Labs).
- Uniswap v1 explained: How it changed DeFi forever by M3D (Zealynx).
- Vibe Fuzzing Guide for Wake’s Manually-Guided Fuzzing by Naoki Yoshida (Ackee).
- Top 7 Findings in Off-Chain Components by Damian Rusinek (Composable Security).
- Detecting Various DeFi Price Manipulations with LLM Reasoning.
- FLAMES: Fine-tuning LLMs to Synthesize Invariants for Smart Contract Security.
- LLM-Powered Detection of Price Manipulation in DeFi.
- DeepTx: Real-Time Transaction Risk Analysis via Multi-Modal Features and LLM Reasoning.
Tools
- Multisig Security Checker by engn33r. Analyze your Safe multisig contract for security best practices.
- Localsafe.eth is officially launched. Enjoy an always-available IPFS-hosted or locally hosted multisig without relying on large cloud infrastructure.
- Device hardening & factory reset guides by Opsek.
- Orb Explorer now includes Solana program source code.
Hacks
VaultManager
Date: October 27, 2025
Attack Vector:
Impact: $3,710
Chain: Ethereum
References:
https://x.com/DefimonAlerts/status/1982799887596241406
Unkn_25f593
Date: October 27, 2025
Attack Vector: Governance
Impact: $2,078
Chain: Ethereum
References:
https://x.com/DefimonAlerts/status/1982850945018147072
https://x.com/DefimonAlerts/status/1982797724111319543
402 Bridge
Date: October 27, 2025
Attack Vector: Key/Signer Compromise
Impact: $17,000
Chain: Base
References:
https://x.com/402bridge/status/1982860168464650534
https://x.com/GoPlusZH/status/1983015854859338167
https://x.com/402bridge/status/1983042581190853022
https://x.com/m13_digital/status/1983040577366040855
CAPY Token
Date: October 29, 2025
Attack Vector: Function Parameter Validation
Impact: $20,000
Chain: Base
References:
https://x.com/DefimonAlerts/status/1983488316465938603
Peapods
Date: October 29, 2025
Attack Vector:
Impact: $120,000
Chain: Ethereum
References:
https://x.com/DefimonAlerts/status/1983646311963615733
https://x.com/DefimonAlerts/status/1985262112034443586
https://x.com/DefimonAlerts/status/1985262007407554674
https://x.com/DefimonAlerts/status/1985261957432373319
Negotiating:
https://etherscan.io/tx/0xd5008433c94131e390d3b89f1d70bd61ee9d62520f2f9d2658c54ef7f7ea8e85
Housing Engine
Date: October 30, 2025
Attack Vector: Sybil Attack
Impact: $2,325
Chain: BSC
References:
https://x.com/DefimonAlerts/status/1983875325693169975
https://x.com/DefimonAlerts/status/1983879728751599770
Garden Finance
Date: October 30, 2025
Attack Vector: Key/Signer Compromise
Impact: $10,800,000
Chain: Ethereum, Arbitrum, Solana
References:
https://x.com/gardenfi/status/1983949462507811095
https://x.com/DefimonAlerts/status/1983885979317424563
https://x.com/DefimonAlerts/status/1983884669834949066
https://x.com/WuBlockchain/status/1983897348901126513
https://x.com/punkaj__/status/1983952241578184907
https://x.com/tanuki42_/status/1984002768131252417
https://x.com/AMLBotHQ/status/1985413035708858825
https://x.com/zachxbt/status/1983959869674942662
Previous concerns:
https://x.com/zachxbt/status/1983114885795066354
Negotiations:
https://etherscan.io/tx/0x4dc7a65efa19ad957359352b6d71750641f38a21a95a3e0d4b470343fee83a2f
0xc0ffee MEV bot
Date: October 30, 2025
Attack Vector: Insufficient Function Access Control
Impact: $218,000
Chain: Base
References:
https://x.com/DefimonAlerts/status/1983810181302538377
https://x.com/CertiKAlert/status/1983742817022439822
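The 0xc0ffee incident above (and the intro’s note on exposed uniswapV3SwapCallback methods) comes down to a callback that pays out to whoever calls it. The contract below is an added example written for this newsletter, not the 0xc0ffee bot’s code or any audited implementation: a hypothetical searcher contract (GuardedSwapper, swapExactInput, activePool are all assumed names) that only honours the callback while a swap it started is in flight, and only from the pool that swap targets. The IUniswapV3Factory.getPool and IUniswapV3Pool.swap signatures are the real Uniswap V3 ones; everything else is illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IUniswapV3Factory {
    function getPool(address tokenA, address tokenB, uint24 fee) external view returns (address);
}

interface IUniswapV3Pool {
    function swap(
        address recipient,
        bool zeroForOne,
        int256 amountSpecified,
        uint160 sqrtPriceLimitX96,
        bytes calldata data
    ) external returns (int256 amount0, int256 amount1);
}

/// Hypothetical searcher contract (added example) that swaps directly against Uniswap V3 pools.
/// An unguarded uniswapV3SwapCallback lets any caller make the contract "repay" a swap that
/// never happened; here the callback is gated on facts the contract itself establishes.
contract GuardedSwapper {
    IUniswapV3Factory public immutable factory;
    address public immutable owner;

    // Pool expected to call back during the current swap; zero when idle.
    address private activePool;

    constructor(IUniswapV3Factory _factory) {
        factory = _factory;
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    /// Exact-input swap on the canonical pool for (tokenA, tokenB, fee).
    function swapExactInput(
        address tokenA,
        address tokenB,
        uint24 fee,
        bool zeroForOne,
        uint256 amountIn,
        uint160 sqrtPriceLimitX96
    ) external onlyOwner returns (int256 amount0, int256 amount1) {
        // Resolve the pool through the canonical factory instead of trusting a supplied address.
        address pool = factory.getPool(tokenA, tokenB, fee);
        require(pool != address(0), "no such pool");

        activePool = pool;
        (amount0, amount1) = IUniswapV3Pool(pool).swap(
            address(this), zeroForOne, int256(amountIn), sqrtPriceLimitX96, abi.encode(tokenA, tokenB)
        );
        activePool = address(0);
    }

    /// The pool calls this to collect the input token; a positive delta is what this contract owes.
    function uniswapV3SwapCallback(int256 amount0Delta, int256 amount1Delta, bytes calldata data) external {
        // Check 1: a swap initiated by this contract must be in flight.
        require(activePool != address(0), "no swap in flight");
        // Check 2: only the pool that swap targets may trigger a payment.
        require(msg.sender == activePool, "caller is not the active pool");

        (address tokenA, address tokenB) = abi.decode(data, (address, address));
        // Uniswap orders token0 < token1; pay whichever side the pool reports as owed.
        (address token0, address token1) = tokenA < tokenB ? (tokenA, tokenB) : (tokenB, tokenA);
        if (amount0Delta > 0) {
            require(IERC20(token0).transfer(msg.sender, uint256(amount0Delta)), "transfer failed");
        } else if (amount1Delta > 0) {
            require(IERC20(token1).transfer(msg.sender, uint256(amount1Delta)), "transfer failed");
        }
    }
}
```

The two require statements in the callback are the whole fix: because activePool is only ever set by the contract’s own swap path (which resolves the pool from the factory) and cleared immediately afterwards, an external call to uniswapV3SwapCallback outside a swap reverts before any token moves. The same pattern applies to flash and mint callbacks, and to V4 hook callbacks, which should likewise verify that msg.sender is the expected PoolManager.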
Friendtech
Date: October 31, 2025
Attack Vector:
Impact: $15,000
Chain: Base
References:
https://x.com/DefimonAlerts/status/1984327915555958820
https://x.com/DefimonAlerts/status/1984703112020455754
BTS
Date: November 01, 2025
Attack Vector:
Impact: $1,859
Chain: BSC
References:
https://x.com/DefimonAlerts/status/1984805148892545091
Ideal Protocol
Date: November 01, 2025
Attack Vector:
Impact: $4,636
Chain: BSC
References:
https://x.com/DefimonAlerts/status/1984692584451883202
https://x.com/DefimonAlerts/status/1984701966539505705