BlockThreat - Week 51, 2025
Yearn | Rari Capital | Futureswap | NX Finance | Biswap | Dragun69
Greetings!
Roughly $3.7M was stolen this week across eight incidents. The winter holidays remain one of the most dangerous periods for defenders, as attackers intensify their activity while relying on reduced staffing and slower response times.
The most severe incident this week stemmed from a user falling victim to an address poisoning attack, resulting in a $50M loss. While this does not surpass last year’s record $71M WBTC address poisoning hack, successful compromises of this kind continue to incentivize attackers to flood the blockchain with malicious transactions. What’s frustrating is that this class of attack is largely solvable. Wallets and blockchain explorers could defeat most address poisoning attacks with stronger heuristics. What are the odds that a user legitimately interacts with multiple addresses that share similar prefixes and suffixes? We can do better!
The troubling trend of attacks against older contracts also persists. Yearn was compromised yet again, losing $300K due to a misconfiguration exploit, while Rari’s multisig was taken over, allowing attackers to drain approximately $2M.
Let’s dive into the news!
Events
- DarkMode Conference by SEAL. Call for Papers is now open.
News
- Crypto hacks hit $3.4 billion in 2025, attacks on individual wallets rise: Chainalysis.
- Who Is Stealing Your Crypto Assets? — 2025 Web3 User Security and Risk Trends Report by Go Plus Security.
- Cisco Warns of Active Attacks Exploiting Unpatched 0-Day in AsyncOS Email Security Appliances.
- Defimon 2025 Recap by Decurity.
- Looking Back at 2025’s Cybersecurity Landscape: Key Trends to Watch in 2026 by TLP Black.
- Is an AI hacker targeting old DeFi projects in $5M spree?.
Crime
- North Korea Drives Record $2 Billion Crypto Theft Year, Pushing All-Time Total to $6.75 Billion by Chainalysis.
- North Korean infiltrator caught working in Amazon IT department thanks to lag — 110ms keystroke input raises red flags over true location.
- Final Chapter: Interview with the Chollima VII by Mauro Eldritch and Sofia Grimaldo (Bitso).
- North Korea and the Industrialization of Cryptocurrency Theft by TRM.
- Inside DPRK Operations: New Lazarus and Kimsuky Infrastructure Uncovered Across Global Campaigns.
- TRM Traces Stolen Crypto from 2022 LastPass Breach — On-chain Indicators Suggest Russian Cybercriminal Involvement.
- US seizes E-Note crypto exchange for laundering ransomware payments.
- France on alert for Bitcoin thieves, masked men kidnap and force couple to transfer 8 million euros in cryptocurrency.
- Brooklyn man indicted for allegedly stealing $16 million from Coinbase users through phishing scheme.
Policy
- The U.S. Federal Reserve has decided to withdraw guidance issued in 2023 that had effectively restricted uninsured banks from becoming Federal Reserve members and engaging in crypto-related activities.
- SEC says broker-dealers need to maintain crypto private keys to comply with customer protection rules.
- FTC orders crypto platform Nomad to distribute $37.5 million after 2022 theft.
Phishing
- Crypto trader loses $50 million to address poisoning attack.
- A whale’s Multisig was drained of ~$27.3M due to a private key compromise by Peckshield.
- Approaching stealers devs: a brief interview with Phexia by g0njxa. A rare look into the mind of a malware developer.
- Singapore Entrepreneur Loses Entire Crypto Portfolio After Downloading Fake Game.
Scams
- So far, @atlasx100 has made over $300,000 from more than 300 victims through a scam “private” trading group by Specter.
Malware
- Inside GhostPoster: How a PNG Icon Infected 50,000 Firefox Users by Lotan Sery,Noga Gouldman (Koi).
- Stealka stealer: the new face of game cheats, mods, and cracks by Artem Ushkov (Kaspersky).
- Rogue NuGet Package Poses as Tracer.Fody, Steals Cryptocurrency Wallet Data.
- Amazon: Ongoing cryptomining campaign uses hacked AWS accounts.
- New SantaStealer malware steals data from browsers, crypto wallets.
Media
- Don’t Get Rekt - Ep04. Pablo Sabbatella and Officer_secrets share great intel on opsec failures and attack patterns. Takeaways.
Research
- The Ultimate Guide to the Top for Security Researchers: Setting Sail by Shealtielanz (SigmaPrime).
- You’re writing require statements wrong by Brock Elmore (Nascent). A new pattern for DeFi Smart Contract Security.
- Decentralized Perpetual Contracts Security Audit Guide by SlowMist.
- Solaris: Stateful, Structure-Aware, sBPF Bytecode Coverage-Guided Fuzzing by Inversive Labs.
- Institutional-Grade Security. Chapter 1: Guardrails and Role Separation by 0xmikko.eth.
- Institutional-Grade Security. Chapter 2: Onchain Github for bytecode by 0xmikko.eth.
- Test Proxy Contracts Safely in Wake by Ackee.
- You are thinking about rounding errors wrong by Jorgect.eth.
- Rebroadcast of my Devcon 7 presentation on Passkeys at 39c3 / CDC by Nicolas Bacca. Remember to keep your most precious passkeys non synchronized on dedicated secure hardware.
- Harvesting MEV Bots by Exploiting Vulnerabilities in Flashbots Relay by BlockSec.
- Don’t underestimate TON: how incorrect gas estimations lead to critical issues by ChainSecurity.
- EIP-712 Encoding in Wake Without Guesswork by Ackee.
- A Developer’s Guide to FHEVM Security by OpenZeppelin.
- Can chatbots craft correct code? by Evan Sultanik (Trail of Bits).
- Belobog: Move Language Fuzzing Framework For Real-World Smart Contracts.
- EIP-7702 Phishing Attack.
- Mage: Cracking Elliptic Curve Cryptography with Cross-Axis Transformers.
- No More Hidden Pitfalls? Exposing Smart Contract Bad Practices with LLM-Powered Hybrid Analysis.
- ScamSweeper: Detecting Illegal Accounts in Web3 Scams via Transactions Analysis.
- Sandwiched and Silent: Behavioral Adaptation and Private Channel Exploitation in Ethereum MEV.
- Detection and Analysis of Sensitive and Illegal Content on the Ethereum Blockchain Using Machine Learning Techniques.
- Clean Up the Mess: Addressing Data Pollution in Cryptocurrency Abuse Reporting Services.
- BugMagnifier: TON Transaction Simulator for Revealing Smart Contract Vulnerabilities.
- Love, Lies, and Language Models: Investigating AI’s Role in Romance-Baiting Scams.
- Vision-Based Learning for Cyberattack Detection in Blockchain Smart Contracts and Transactions.
- BugSweeper: Function-Level Detection of Smart Contract Vulnerabilities Using Graph Neural Networks.
Tools
- CTFBench is a benchmark for evaluating AI smart contract auditors. Repo.
- DeployGuard by 0xstormblessed. A CLI tool for auditing Foundry deployment scripts for security vulnerabilities, best practice violations, and missing test coverage. It focuses on detecting CPIMP (Clandestine Proxy In the Middle of Proxy) vulnerabilities and other security anti-patterns.
- Introducing Hacken’s Open-Source Uniswap v4 Hook Testing Framework.
- Crypto Skills for Python Devs by @fubuloubu. Skills for Claude and other LLMs/Agents to help users build projects in Python for blockchain networks.
Hacks
Detailed indicators of compromise including exploit transactions, attacker address, exploit PoCs are available upon request.
NX Finance
Date: December 15, 2025
Attack Vector: Price Oracle Manipulation
Impact: $400,000
Chain: Solana
References:
https://x.com/NX_Finance/status/2000896087360725427
https://x.com/NX_Finance/status/2001976173086306787
https://docs.google.com/spreadsheets/d/1S5Pkp9lvv4rWvHyTEXwUQaW2xXlUZr9SOf_taIqI2C4/edit?gid=0#gid=0
Biswap
Date: December 15, 2025
Attack Vector: JavaScript Injection
Impact: Assets Stolen
References:
https://x.com/certikalert/status/2000695821281485089
https://x.com/CertiKAlert/status/1996750360070049876
RelayAdapt
Date: December 15, 2025
Attack Vector: Misconfiguration
Impact: $108,700
Chain: Ethereum
References:
https://x.com/TenArmorAlert/status/2000753419233931741
https://x.com/Zyy_0530/status/2000823739068678555
Unkn_a59209
Date: December 16, 2025
Attack Vector: Arbitrary External Calls
Impact: Assets Stolen
Chain: BSC
References:
https://x.com/DefimonAlerts/status/2001152276300439729
Futureswap
Date: December 16, 2025
Attack Vector: Governance
Impact: $830,000
Chain: Ethereum
References:
https://x.com/TenArmorAlert/status/2001116475424133536
https://x.com/hklst4r/status/2001129275739484627
https://x.com/lzhou1110/status/2001148759720272104?s=20
https://x.com/lzhou1110/status/2001157492814839874
https://x.com/blockful_io/status/2001443082307285427
Yearn
Date: December 16, 2025
Attack Vector: Misconfiguration
Impact: $300,000
Chain: Ethereum
References:
https://x.com/PeckShieldAlert/status/2001080131360842011
https://x.com/yearnfi/status/2001094653391614171
https://x.com/hklst4r/status/2001072409684685003
https://github.com/banteg/iearn-2025-12-investigation/blob/master/readme.md
https://github.com/banteg/iearn-2025-12-investigation/blob/master/technical-writeup.md
https://exvulsec.github.io/defi/security/post-mortem/2025/12/16/yeth-exploit-analysis-part-1.html
https://rekt.news/yearn-rekt4
Rari Capital
Date: December 18, 2025
Attack Vector: Stolen Private Keys
Impact: $2,000,000
Chain: Ethereum
References:
https://x.com/zmtO21/status/2001585158106026270
https://x.com/heatmovr/status/2002186509454356976
Dragun69
Date: December 21, 2025
Attack Vector: Reward Manipulation
Impact: $87,400
Chain: BSC
References:
https://x.com/TenArmorAlert/status/2002924740718067845
https://x.com/hklst4r/status/2003003168943219156