BlockThreat - Week 46, 2025

Greetings!

A relatively quiet week with just three exploits resulting in $657K in losses. A good week to catch up on research and podcasts just before the week of DeFi Security Summit (DSS) conference which I will cover in the next edition.

Let’s dive into the news!

News

• ‘Fat-Finger’ Fail? Cardano Whale Torches $6M After Hitting Illiquid USDA Pool.
• X Login Outage: Security Key Switch to X.com Locks Out Users as Twitter.com Finally Dies.
• Blockchain Freezing Exposed by Bybit. A nice survey of chains with freezing and blacklisting capabilities.
• Disrupting the first reported AI-orchestrated cyber espionage campaign by Anthropic.

Crime

• Inside a Wild Bitcoin Heist: Five-Star Hotels, Cash-Stuffed Envelopes, and Vanishing Funds by Joel Khalili (Wired).
• China Accuses U.S. of Stealing 127,426 Bitcoin Worth $13 Billion.
• U.S. DOJ Pursues North Korea’s Illicit Money Machine, Seizes More Crypto.
• U.S. Sanctions DPRK Crypto Laundering Network: Multiple Bank Staff and Financial Institutions Affected.
• Dubai Court Freezes $456M Linked to Justin Sun’s Bailout of TrueUSD Issuer Techteryx.
• Thai-FBI Operation Recovers $432,000 in Crypto From Alleged European Hacker.
• Australia Warns Criminals Are Abusing National Cybercrime Platform to Drain Crypto Wallets.
• Scammers posed as Australian police to steal crypto, authorities warn.
• “Bitcoin Queen” gets 11 years in prison for $7.3 billion Bitcoin scam.

Phishing

• DPRK “Contagious Interview” BestCity Campaign Targets Crypto Developers via Fake Recruitment Test by zeroShadow.
• Contagious Interview Actors Now Utilize JSON Storage Services for Malware Delivery by NVISO Labs.
• Bad opsec: Collection of links on bad opsec by jermanuts. Many stories of onchain and offchain investigations leading to real identities.
• I Checked the Worst OpSec Practices So You Don’t Have To by OfficerCia. More bad opsec stories and consequences.
• Reports of attackers abusing the comment section of Polymarket to carry out scam activities, resulting in losses exceeding $500,000 by 25usdc.

Malware

• “IndonesianFoods” spam campaign publishes more than 86,000 malicious NPM packages by Paul McCarty (SourceCodeRed).
• Fake Chrome Extension “Safery” Steals Ethereum Wallet Seed Phrases Using Sui Blockchain.

Scams

• Investigation into how BTX_Capital and its founder Vanessa Cao are behind the token manipulation like $POPCAT on Hyperliquid by Specter.

Media

• Software Engineers to Plumbers: FULL COURSE by Patric Collins (Cyfrin). Epic episode and mix!
• Immunefi Show Ep. 2: What It Takes to Secure a Trillion Dollars on Ethereum with Mehdi Zerouali and Zach Obront.
• Rekt - Don’t Get Rekt - ep03 with Nethermind Security.
• Web3 Vulnerability Research with Glider | Query Mistakes to Avoid by Jason aka thank_you (Remedy).
• Understanding The Risky Business of DeFi’s Risk Curators by Ruca and Giel.
• Trust X Online - Fuzzing for security research for beginners by Alex the Entreprenerd (Recon).

Research

• How to Find Scammers Using OSInt! by Intelligence on Chain.
• Blockchain Interoperability Part-1 : Interoperability Problem And Bridges by themj0ln1r.
• Web3 Security Open Class: An Introductory Basic Course by OpenBuild for Chinese speakers.How Multi-Agent AI Is Catching the 80% of Hacks That Audits Miss by Chirag Agrawal (Web3Sec).
• Leveraging VSCode internals to escape containers by matta (The Red Guild).
• Threat Intelligence: Analysis of the NOFX AI Automated Trading Vulnerability by SlowMist.
• Uniswap v4 Hooks Security Deep Dive: Vunerabilities and Analysis by Giovanni Di Siena (Cyfrin).
• Most common mistakes when configuring password managers by Pablo Sabbatella (Opsek).
• Inside LockBit: Technical, Behavioral, and Financial Anatomy of a Ransomware Empire.
• One Signature, Multiple Payments: Demystifying and Detecting Signature Replay Vulnerabilities in Smart Contracts.
• Attack-Centric by Design: A Program-Structure Taxonomy of Smart Contract Vulnerabilities.

Tools

• Level up your Solidity LLM tooling with Slither-MCP.

Hacks

RWB

Date: November 10, 2025
Attack Vector:
Impact: $180,000
Chain: BSC

References:

https://x.com/TenArmorAlert/status/1988079052238864757
https://x.com/DefimonAlerts/status/1987960353989255183
https://x.com/TikkalaResearch/status/1987956444654956870

DRLVaultV3

Date: November 11, 2025
Attack Vector: Price Oracle Manipulation
Impact: $97,600 (Recovered $97,600)
Chain: Ethereum

References:

https://x.com/DefimonAlerts/status/1988162277397205015
https://x.com/TenArmorAlert/status/1988080735354274053
https://blog.verichains.io/p/the-drlvaultv3-exploit-a-slippage

https://etherscan.io/tx/0xe3eab35b288c086afa9b86a97ab93c7bb61d21b1951a156d2a8f6f5d5715c475

Impermax Finance

Date: November 11, 2025
Attack Vector: Logic Error
Impact: $380,000

References:

https://x.com/hklst4r/status/1988339429354656191
https://x.com/hklst4r/status/1988339762537918895
https://x.com/ImpermaxFinance/status/1988360915041874331
https://x.com/ImpermaxFinance/status/1988636882977116667