BlockThreat - Week 6, 2025

Tornado | KyberSwap | Ionic | Mode | Peapods

Peter Kacherginsky

16 Feb 2025 • 6 min read

Greetings!

More than $12.5M was stolen this week across seven incidents. But before diving into a few intriguing case studies, we need to revisit a fascinating indictment by the U.S. Department of Justice. The case involves Andean Medjedovic, a Canadian hacker responsible for two massive DeFi exploits totaling $65M—Indexed Finance and KyberSwap.

The indictment reads like a spy thriller: brazen hacks, undercover agents, informants, extortion, and a near capture. If you need a refresher, Andy was behind the $16M Indexed Finance compromise in 2021. His identity was exposed due to a series of OPSEC mistakes, forcing him to spend the last three years as a fugitive from Canadian authorities. Now, we’ve learned he funded his life on the run through a years-long hacking spree that included KyberSwap, HXA Coin, QAN Platform, and more. If US DoJ’s ability to recover fugitives is even slightly better than their Canadian counterparts, then Andy may soon be joining Avi and SBF at MDC Brooklyn.

One of the week’s most interesting exploits was a $12.3M attack on Ionic (aka Midas) on Mode chain. Unlike purely technical hacks, this one involved a sophisticated month-long social engineering effort. The attacker convinced the team to add a fake LBTC token into the protocol, then quickly minted $24M worth of it and used it as collateral to drain the protocol. But here’s where it gets interesting—Mode chain intervened, freezing the attacker’s address. However, they were quickly reminded of the same L1 to L2 transaction backchannel that recently caught Soneium off guard.

Lastly, I’m tracking an attacker tearing through multiple no-source MEV contracts across various chains, all exploiting the same Insufficient Access Control vulnerability. Most individual hits are under $5K, but one already reached $188K. Just another reminder that vulnerabilities can be found—with or without source code.

To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.

Let’s dive into the news!

News

Tornado Cash Developer Alexey Pertsev Released From Jail to Prepare for Appeal. Alexey was sentenced to more than 5 years in prison in 2024.
Canadian Man Charged in $65M Cryptocurrency Hacking Schemes. The indictment links Andean Medjedovic to at least two hacks involving KyberSwap and Indexed Finance. The connection was further confirmed through onchain tracking by TRM.
Critical zero-day exploit across entire Apple line. Update now!
Adversarial Misuse of Generative AI by Google Threat Intelligence Group. We are not the only ones exploring the use of LLMs for bug hunting.
XRP Ledger's hour-long halt sparks debate over consensus tradeoffs.

Crime

Lebanon man sentenced to 20 years for stealing $37 million in cryptocurrency.
Blood on the Blockchain by Rekt. A deep dive into the kidnapping of a Ledger co-founder, a $10M ransom, severed finger, and a 48-hour manhunt.
Pakistan police officer remanded over USDT theft and kidnapping.
35% Year-over-Year Decrease in Ransomware Payments, Less than Half of Recorded Incidents Resulted in Victim Payments by Chainalysis.

Policy

Media

DSS Monthly Webinar - Demystifying Smart Contract Security: Facts & Fallacies with Hari (Spearbit), Matthias (ChainSecurity), Michal (SigmaPrime), Josselin (Trail of Bits), Mooly (Certora) moderated by Rajeev (Secureum).
Runtime Verification x Cantina | Demo + Q&A. Learn about the latest features of Symbolik with Raoul Schaffranek.
Solana Tutorials by ZYJ Liu.
Cosmos SDK Security with Alpin Yukseloglu.

Research

Web3 Security Auditor's 2024 Rewind by Ionut-Viorel Gingu (OpenZeppelin).
DOS in DeFi Liquidity Pools: The Initialization Vulnerability by Patrick Ventuzelo and Mathieu Troullier (Fuzzing Labs). A case study of Raydium CLMM Pool vulnerability.
Starknet Security Update: potential full node vulnerability.
AAVE and Compound Forking: Empty Pool Attacks by Tim Savon (MixBytes).
PAT-tastrophe: How We Hacked Virtuals' $4.6B Agentic AI & Cryptocurrency Ecosystem by Shlomie Liberow. Git never forgets including your cloud secrets.
Vyper and Python Smart Contracts on Blockchain – Full Course for Beginners by freeCodeCamp with Patrick Collins.
Implementing Your First Smart Contract Invariants: A Practical Guide by Nican0r (Recon).
Missing Encryption of Sensitive Data in Coinbase Wallet SDK version 4.0.0 - 4.3.0.
CertiK - Uniswap V4: Hooks Security Considerations by CertiK.
The Prague/Electra (Pectra) Hardfork Explained by Sergey Boogerwooger, Dmitry Zakharov (MixBytes).
The Hacker’s Mindset by Securr.
Security risks of the upcoming Petra upgrade by Arsen.
Interesting limit in LLMs’ ability to find transfer logic bugs by banteg.
The Ultimate Guide to Trusted Execution Environments (TEE) in Crypto by Olympix.
Paradigm CTF 2023 - Black Sheep - Solution by Herman Junge using Huff.
Block withholding resilience.
Following Devils' Footprint: Towards Real-time Detection of Price Manipulation Attacks.
Large Language Models for Cryptocurrency Transaction Analysis: A Bitcoin Case Study.
Deanonymizing Ethereum Validators: The P2P Network Has a Privacy Issue.
The Hitchhiker's Guide To Dark Pools In DeFi: Part Three by Emmanuel Awosika and Koray Akpinar (2077 Research). A great deep dive into Railgun.
Top 5 Mixers in 2024 by Zero Shadown.
Ethereum On-chain Privacy Projects Map by swayam.
The Problems with Solana Data Indexing by Astralane.
The Art of Writing Security Reports by Zokyo.
The Hitchhiker's Guide to DFIR: Experiences From Beginners and Experts.

Tools

sb-heists - a comprehensive framework for testing smart contract security patches against real-world exploits by Assert at KTH Royal Institute of Technology.
Arachne - a scaffolding framework built to streamline the development of large-scale fuzzing suites. It offers a range of helper functions and a solid structure to minimize setup time, allowing users to begin fuzzing quickly and efficiently, while keeping the codebase maintainable. A great addition to Echidna and Medusa. Developed by Perimeter Security.
Medusa v1.0.0. A major release introduces on-chain fuzzing, Slither integration, more evm cheatcodes support.
Slither 0.11.0 released. Includes more detectors and printers as well as a beautiful storage viewer.
Search CTF Writeups - Find and explore CTF solutions and writeups including many DeFi contests.
LLM4Decompile - Reverse Engineering: Decompiling Binary Code with Large Language Models.