BlockThreat - Week 47, 2025

Greetings!

As many of us were out enjoying the warm weather and people of Buenos Aires, the DeFi ecosystem was hit with four exploits totaling nearly $4M in losses. The biggest impact came from GANA, which lost more than $3M in a private key theft. Close behind was the DNS hijacking attack on Aerodrome/Velodrome, resulting in roughly $700K stolen from users who unknowingly signed malicious transactions delivered through a compromised front-end. It’s a stark reminder of the persistent centralization risks across DeFi, where critical infrastructure still depends on components never designed to withstand the high-risk environment we’ve grown accustomed to onchain.

Speaking of 3rd party infrastructure risk, the entire internet including blockchain infrastructure were hit by Cloudflare outage. A simple database mistake on the part of some 3rd party company and suddenly all of our RPC servers and wallet front-ends were out. Between hacks and outages, may be it’s time to start moving to more resilient tech such as IPFS and Lava network (or similar) for hosting critical onchain infrastructure.

DeFi Security Summit was simply outstanding this year. From the venue to the quality of the talks, it is clear that the blockchain security community is thriving. I have added links to the published recordings in the Media section.

Be sure to check out The State of DeFi Security 2025 Edition, which goes beyond the now customary discussion of Top 10 DeFi attack vectors. This year I focused more on emerging threats, the kinds of potential billion dollar failure modes we have narrowly avoided one too many times. These are the areas we need to prioritize before they turn into something more than a dodged bullet.

One topic I had too little time to cover is competitive incident response. The idea comes from the massive success of competitive bug hunting, including bug bounties, competitions, and similar community driven efforts. Why can’t we adapt the same approach for incident response?

Some tasks are difficult to crowdsource, such as incident management, mitigations, communications, coordination with law enforcement, and other responsibilities traditionally handled by an incident commander. These should remain within a tight group of warroom participants. But there are other tasks that, when outsourced, could become a real asset to already stressed and overstretched incident responders.

Even before an incident unfolds there is always a race to detect, triage, and assign severity to potential problems. Teams must deal with constant noise and false positives from onchain monitoring systems, no matter what their marketing claims suggest. In practice many projects rely on third party companies like Peckshield to publicly or privately notify them with an exploit transaction hash. These companies are motivated to be the first to announce a hack because early visibility brings clients, a form of ambulance chasing. Instead of this dynamic, why not create incentives for a wider community to share confirmed incidents through an incident response bounty platform? Crowdsourcing challenges remain such as low quality submissions and high volume, but those could be addressed with the same reputation and triage processes used in mature bug bounty programs.

During an ongoing incident there is a race to identify the root cause. This is an extremely time sensitive task and can be the difference between successful containment or a complete disaster. Researchers already compete on social media to publish the first accurate root cause, so why not incentivize a bounty for the first correct analysis and allow the impacted team to focus on containment and managing the incident. Imagine a well motivated security community diving into an incident with the same energy we see during top security competitions. Every minute saved in analysis could prevent millions in stolen assets.

After an incident the onchain tracking effort often becomes a multi month or even multi year process that many projects eventually abandon. Yet as cases like the Oasis recovery show, it often pays to follow stolen funds and intervene as early as possible. More projects are beginning to offer bounties for help with tracking and asset recovery, so why not formalize this and unleash an army of onchain sleuths without waiting for a public plea.

Below are some of the bounties we could offer at different stages of an incident:

I have seen many pieces of competitive incident response emerge in the incidents I track week after week. The recent Balancer recovery is one example where well aligned incentives helped the defenders succeed. I believe we are now at the point where a new uniquely DeFi security discipline is forming. Imagine a world where we make it significantly harder for attackers not only to find bugs but also to successfully execute attacks and escape with stolen funds. Competitive incident response may be the path that gets us there.

Let’s dive into the news!

News

• The Phishing Dojo is out. Join the public beta! by The Red Guild.
• Trump-backed World Liberty Financial reallocates funds following ‘third-party security lapses’.
• Samourai Wallet crypto mixer’s co-founders sentenced to prison.
• Request for Comments: SEAL Certifications by Security Alliance (SEAL).
• Bitcoin Core’s first public third-party audit finds no major vulnerabilities.
• Etherscan completely removed some Free API access for Base, Optimism and Binance chains with the exception of getAbi, getSourceCode and verifyContract calls.
• Hoskinson involves FBI after developer’s ‘careless’ experiment splits Cardano blockchain.
• When the Web Goes Dark by Rekt. Documents Cloudflare outage on November 18, 2025. A good reminder on your centralized points of failure.
• Google Issues Security Fix for Actively Exploited Chrome V8 Zero-Day Vulnerability.
• NHS Warns of PoC Exploit for 7-Zip Symbolic Link–Based RCE Vulnerability.
• AI in Smart Contract Security: 2025 Adoption Pulse by P.M.

Crime

• California man admits to laundering crypto stolen in $230M heist. Kunal Mehta (aka “Papa,” “The Accountant,” and “Shrek”) is yet another participant in the mass social engineering scheme first unraveled by ZachXBT.
• Multiple bad actors involved in a brutal June 2024 home invasion jailed.
• Crypto giants moved billions linked to money launderers, drug traffickers and North Korean hackers by Spencer Woodman, Agustin Armendariz, Miguel Fiandor Gutiérrez and Sam Ellefson (ICIJ).
• Operation Destabilise: NCA exposes billion-dollar money laundering network that purchased bank to fund Russian war effort by NCA.
• Ukrainian Pleads Guilty in DC in Laptop Farm Scheme That Generated Income for North Korean IT Workers.
• Chinese influencer, “Sister Orange,” arrested for pig butchering.
• ‘Modern-Day Pablo Escobar’: Treasury Sanctions Ex-Olympian Over Alleged Crypto-Fueled Crime Empire.
• CFO Convicted for Losing $35 Million of Company Money in Crypto Side Hustle.
• Man behind Barack Obama and Jeff Bezos Twitter hacks to repay over $5 million in stolen bitcoin.
• International operation traces $55 million crypto trail of digital piracy sites.
• Crypto Miners in Malaysia Stole $1 Billion in Power Over Five Years.
• British fraud office arrests two men accused of $28 million Basis Markets rug pull.
• Indonesia Detains Hacker Tied to Markets.com Crypto Theft After $398K Loss.
• US announces new strike force targeting Chinese crypto scammers.
• CrowdStrike catches insider feeding information to hackers. A well-known Scattered Lapsus$ Hunters tactic strikes again.

Policy

• Former SEC staffer Amanda Fischer attacked over Uniswap comments.

Phishing

• Meet “Blackhat” - a developer who dusted off a 4-year-old factory contract and deployed 700+ honeypot tokens in just over a month, harvesting $100K+ from unsuspecting traders by GoPlus Security.
• New Matrix Push C2 Abuses Push Notifications to Deliver Malware by Brenda Robb (BlackFog).
• We should all be using dependency cooldowns by yossarian.
• Reports of an active phishing campaign involving DMT airdrop by GoPlus Security.

Scams

• Libra II - Electric Boogaloo by Rekt. The scam continues with zero consequences for Hayden Davis.
• The Loop Contagion by Rekt. Documenting the saga of Stream Finance and xUSD depeg.

Malware

• New Nova Stealer Attacking macOS Users by Swapping Legitimate Apps to Steal Cryptocurrency Wallet Data.
• SpiderLabs IDs New Banking Trojan Distributed Through WhatsApp by Trustwave. Python-based worm targets Brazillian devices.
• npm Malware Campaign Uses Adspect Cloaking to Deliver Malicious Redirects by Socket.
• Malicious Chrome Extension Exfiltrates Seed Phrases, Enabling Wallet Takeover by Socket.
• CISA warns of Akira ransomware Linux encryptor targeting Nutanix VMs.
• DarkComet RAT Malware Hidden Inside Fake Bitcoin Tool by Kedar S Pandit & Jay Prakash (Lat61 Threat Intelligence Team)
• ShadowRay 2.0: Attackers Turn AI Against Itself in Global Campaign that Hijacks AI Into Self-Propagating Botnet by Avi Lumelsky, Gal Elbaz (Oligo).
• Blockchain and Node.js abused by Tsundere: an emerging botnet by Kaspersky.
• ShadowRay 2.0 Exploits Unpatched Ray Flaw to Build Self-Spreading GPU Cryptomining Botnet.
• Nation-State Actor’s Arsenal: An In-Depth Look at Lazarus’ ScoringMathTea by 0x0d4y Malware Research.

Media

• DeFi Security Summit 2025

  • DeFi Security 101

  • Auditorium Stage - Day 1

  • Auditorium Stage - Day 2

  • Nogal Stage - Day 1

  • Nogal Stage - Day 2

  • Workshops

• Sherlock Web3 Security Podcast - Coinbase’s Auditing Standards with Shashank Agrawal.

• BOOM ROOM Podcast - Ep. 28 - Interview with Mitchell Amador (Immunefi).

• bountyhunt3rz - Episode 31 - drastic watermelon.

Contests

• Ultimate Security Games 2025 at DSS live recoding. Congratulations Team Europe (zigtur, Josselin, Alex the Entreprenerd, AliceAndB0b)!
• Congratulations team Stack Too Deep (Anto, usmann, juancito, Drastic Watermelon, adrio) for winning The Wonderland CTF!
• New levels of Ethernaut by OpenZeppelin in time for the DeFi Security Summit.

Research

• Whitehat Rescues by Safe Harbor (SEAL). A database of all whitehat rescues from compromises dating back to 2022. 0xcoffeebabe MEV bot is playing the most prolific role in the majority of these rescues. A good indicator of the future of competitive DeFi defense.
• We found cryptography bugs in the elliptic library using Wycheproof by Markus Schiffermuller (Trail of Bits).
• Blockchain bridge security - Intro & Part 1: Message and Signature replay by Caliber.
• 19 Security Pitfalls in On-Chain Order Books (and How to Fix Them) by Arda Usman (Hacken).
• Blockchain bridge security - Part 2: Cross chain signature and Variations of signature replay by Caliber.
• Balancer Nov 3 Exploit Post-Mortem. Complete analysis of the worst DeFi smart contract compromise in 2025.
• Deep dive into the MoveVM: inspecting a Sui transaction by Quentin.
• How Aztec Works by Alex Korn.
• Heuristics of common math bugs in smart contracts by Bloqari (Zealynx).
• Revealing Adversarial Smart Contracts through Semantic Interpretation and Uncertainty Estimation.
• Incentive Attacks in BTC: Short-Term Revenue Changes and Long-Term Efficiencies.
• SCRUTINEER: Detecting Logic-Level Usage Violations of Reusable Components in Smart Contracts.
• Prompt Engineering vs. Fine-Tuning for LLM-Based Vulnerability Detection in Solana and Algorand Smart Contracts.
• How Exclusive are Ethereum Transactions? Evidence from non-winning blocks.
• Esim: EVM Bytecode Similarity Detection Based on Stable-Semantic Graph.
• SmartPoC: Generating Executable and Validated PoCs for Smart Contract Bug Reports.
• Software Supply Chain Security of Web3.
• Multi-Agent Collaborative Fuzzing with Continuous Reflection for Smart Contracts Vulnerability Detection.

Tools

• Sol-azy new feature – Audit-friendly overviews for Solana programs.
• SuperAudit - A revolutionary hardhat plugin for proper and incentenivized AI powered smart contract audits.
• localsafe.eth. Don’t get caught in the next Cloudflare outage.

Hacks

Layerswap

Date: November 17, 2025
Attack Vector: Incorrect Price Oracle
Impact: $186,000 (Recovered $167,400)
Chain: BSC

References:

https://x.com/layerswap/status/1991810671600673036

GANA

Date: November 20, 2025
Attack Vector: Stolen Private Keys
Impact: $3,100,000
Chain: Ethereum, BSC

References:

https://x.com/GANA_PayFi/status/1991424973190361394
https://x.com/extractor_web3/status/1991439154602008833
https://x.com/BlockscopeCo/status/1991572063379943535
https://hacken.io/insights/gana-payment-hack-explained/
https://rekt.news/gana-payment-rekt

PORT3

Date: November 22, 2025
Attack Vector: Uninitialized Contract
Impact: $166,000
Chain: BSC

References:

https://x.com/peckshield/status/1992388937109868993
https://x.com/Phalcon_xyz/status/1992474569723273380
https://x.com/Port3Network/status/1992371564181164468
https://x.com/Port3Network/status/1992471015948210277

Agentic FoF

Date: November 23, 2025
Attack Vector: Malicious Insider
Impact: $531,000

References:

https://x.com/BasisOS/status/1992689112491725207
https://x.com/BasisOS/status/1992927582556496333
https://x.com/m13_digital/status/1992968371894153509