BlockThreat - Week 52, 2025
Trust Wallet | Flow | Polymarket | MSCST | JFIN Bridge | Debot
Greetings!
We are closing out the year with nearly $13M stolen across five incidents. The most severe was the complete compromise of the Trust Wallet browser extension.
According to the recently published post-mortem, Trust Wallet’s GitHub repository had been compromised since November(!) by the infamous Shai Hulud worm. After sitting on stolen GitHub secrets and a Chrome Web Store API key, the attackers finally struck, uploading a malicious extension that exfiltrated users’ private keys. More than $8.5M has already been stolen from thousands of victims. Supply chain attacks of this nature are likely to become a recurring theme in 2026. As I have warned before, it is long past time to lock down repositories and, critically, to rotate compromised credentials immediately rather than weeks later.
Another particularly rare exploit happened this week involving the Flow blockchain. An attacker waited until the very end of the year to exploit an infinite mint vulnerability in the chain’s execution layer, draining $3.9M. Flow operators later chose to roll the chain back to a pre-hack checkpoint. This is a blunt and largely ineffective mitigation: it negatively impacts every legitimate user who transacted after the attack, while the attacker had already bridged the stolen funds out of the ecosystem. A far more effective response would have been to isolate or filter the attacker’s transactions, as demonstrated in the recent Balancer incident, where chains such as Polygon, Gnosis, Berachain, and others assisted in recovery without disrupting normal network activity. This incident highlights the need for Flow to develop a comprehensive and well-rehearsed incident response plan.
In the premium section of the newsletter, you will find detailed coverage of the Polymarket compromise, the Trust Wallet post-mortems and backdoor analysis, the Flow blockchain infinite mint vulnerability, and more.

As we quickly approach the end of the year with about $2.8B stolen across 363 incidents from various DeFi protocols, blockchains, and centralized exchanges, it’s easy to call 2025 one of the more challenging years that I’ve seen in about 8 years of following this industry. And yet, we must continue fighting the good fight and make this industry succeed for every family out there that can’t afford basic needs because their savings were devalued by failed economies or stolen by corrupt institutions, and that has no chance of lifting itself out of poverty without access to global financial markets. Crypto has a chance of solving this and many more hardships by enveloping the world in an unstoppable global financial network where people can safely transact with anyone, anywhere. As a blockchain security industry, we can pave the road for this future to arrive sooner by creating a safe and trustworthy environment for the billions of users that will be coming onchain soon.
Have a safe new year and many more adventures together. Let’s dive into the news!
News
- Trust Wallet confirms extension hack led to $7 million crypto theft.
- Gnosis executed hard fork to recover the funds lost in Balancer hack.
- T-Mobile USA has leaked all its customers' phone numbers. Google support calls, here they come.
- Critical n8n Flaw (CVSS 9.9) Enables Arbitrary Code Execution Across Thousands of Instances.
- MongoBleed (CVE-2025-14847) exploited in the wild: everything you need to know by Wiz.
- 2025 Blockchain Security and AML Annual Report by SlowMist.
- Cyfrin 2025 Wrap-Up: Web3 Security Audits & Developer Education.
- The Hacken 2025 Yearly Security Report.
- Hack3d: The Web3 Security Report 2025 by CertiK.
Crime
- Coinbase CEO announces first arrest in India over insider data breach: ‘More still to come’.
- Brooklyn Man Charged with Stealing Nearly $16 Million by Presenting Himself as Cryptocurrency Exchange Rep and Scamming Users. It took just a few months after ZachXBT’s investigation.
- Former Exchange Employee Sentenced to 4 Years for Selling Military Secrets to North Korea for Bitcoin.
- Former Pump.fun Dev Sentenced to Six Years in Prison for $2 Million Solana Fraud.
- ‘Someone’ is taking advantage of HTX’s reserves.
Phishing
- The OpSec Wakeup Call by Pablo Sabbatella (Opsek).
- Another victim of address poisoning attack lost $450K in tBTC.
Media
- Unchained - How Crypto Users Get Rekt and How You Can Stay Safe with Pablo Sabbatella and Isaac Patka.
- Lume - The Hacker Who Stole $1.5 Billion In 2 Minutes.
Research
- The Death of the Audit Contest? by alix40.
- USCSA: Evolution-Aware Security Analysis for Proxy-Based Upgradeable Smart Contracts.
- Blockchain Interoperability Part-2 : All About Atomic Swaps by TheMj0ln1r.
- King Of Bug Bounty Tips. A curated collection of tips from well-known (web2) bug hunters.
- Awesome Move Security by Monethic.
- Radiant: Concolic Execution for Solana Programs by Inversive Labs.
Tools
- heimdall-eval by Jon Becker. A structured approach to evaluating and benchmarking Heimdall's decompilation accuracy and CFG generation quality.
Hacks
Polymarket
Date: December 24, 2025
Attack Vector: Authentication Bypass
Chain: Polygon
References:
https://www.theblock.co/post/383711/polymarket-third-party-vulnerability-hack
https://x.com/spreekaway/status/2003471040417268192
JFIN Bridge
Date: December 24, 2025
Attack Vector: Reward Manipulation
Impact: $13,400
Chain: Ethereum
References:
https://x.com/DefimonAlerts/status/2003862392866734530
Exploit:
https://etherscan.io/tx/0xf867d1d7164ac9178d81696c989f65e817b8cab14850345ab3a1f99bbe547210
Trust Wallet
Date: December 25, 2025
Attack Vector: Supply Chain
Impact: $8,500,000
Chain: Ethereum
References:
https://x.com/TrustWallet/status/2004316503701958786
https://x.com/EowynChen/status/2004649284537647161
https://x.com/k_firsov/status/2004573924349390933
https://slowmist.medium.com/christmas-heist-analysis-of-trust-wallet-browser-extension-hack-bdb35c3cc6dd
https://trustwallet.com/blog/announcements/trust-wallet-browser-extension-v268-incident-community-update
Backdoor:
https://x.com/0xakinator/status/2004297673067704651
https://x.com/AndrewMohawk/status/2004332447937581460
https://x.com/slowmist_team/status/2004505094646345905
https://www.koi.ai/blog/trust-wallet-binance-compromised-inside-the-code-that-stole-7m-on-christmas-eve
Laundering:
https://x.com/PeckShieldAlert/status/2004382831158714735
https://metasleuth.io/result/eth/0x3b09a3c9add7d0262e6e9724d7e823cd767a0c74?source=c723b0c4-7610-47a2-815c-bd9cf02953f4
Post-mortem:
Debot
Date: December 27, 2025
Attack Vector: Stolen Private Keys
Impact: $255,000
Chain: Ethereum
References:
https://x.com/evilcos/status/2004936235949981886
Exploit:
https://etherscan.io/tx/0x71c740e92fc9dc1694bf755c81b264507445cf4006cfec7c5b0e1a4209767039
Flow
Date: December 27, 2025
Attack Vector: Infinite Minting
Impact: $3,900,000
Chain: Flow
References:
https://x.com/flow_blockchain/status/2005021612714668518
https://x.com/findlabs/status/2005021008156078274
https://x.com/m13_digital/status/2005142577255731453
https://x.com/diamondnfl/status/2005417419582722307
Recovery:
https://x.com/flow_blockchain/status/2005465916226605313
https://x.com/flow_blockchain/status/2005095181755052120
https://x.com/obsrvgmi/status/2005279352993493270
https://x.com/alexsmirnov/status/2005220790703136833
Exploit:
https://www.flowscan.io/account/0xfd595328d97d33d5
https://www.flowscan.io/tx/b374c54d92c1d2324f739cad3546eb1aa441aef15892054d333ab81dc058b810?tab=events
MSCST
Date: December 28, 2025
Attack Vector: Insufficient Function Access Control
Impact: $129,000
Chain: BSC
References:
https://x.com/Phalcon_xyz/status/2005518274864595002
https://x.com/TenArmorAlert/status/2005509505988055471
Exploit:
https://bscscan.com/tx/0x6c9ed4c2d81b6abfdf297b0cbc13585ed91f2a5e69e3545d3ea4316f50021b56