BlockThreat - Week 9, 2025

Greetings!

Last week, we discussed how a North Korean threat actor compromised Safe’s infrastructure and Bybit’s cold storage wallet. However, the story didn’t end there—the attacker immediately launched a wild money laundering operation, swapping and bridging most of the stolen funds to Bitcoin in just 10 days.

What was fascinating was watching how different exchanges and DeFi protocols reacted as the stolen funds moved through their platforms:

The Good:

• Mantle’s mETH protocol was amoung the first to act, freezing $43M worth of stolen mETH tokens.
• OKX provided next hop addresses for its swapping service.
• Chainflip reacted to swapping attempts by going into maintenance mode and instituting an upgrade to prevent the use of its bridges.
• Tether froze $604K on Tron and Ethereum networks in a couple of hours.

The Bad:

• ThorChain, a DPRK favorite, faced the most heat as the primary tactic to bridge about $1B to bitcoin chain while earning record $5.5M in fees. Unable to implement governance or technical controls to stop transactions, a core ThorChain developer decided to leave the project.
• Circle was, as always, slow to freeze funds, even when presented with solid evidence.

The Ugly:

• eXch was responsible for about $95M of funds but outright refused to assist.

The responses above provide a good indication of what to expect in the event of a hack. If a sufficiently large sum of stolen funds moves through a protocol with freezing or pausing functionality, there’s a strong chance it will take action (e.g. mETH, Tether). Circle remains an exception—it typically requires a significant amount of stolen funds and public outrage before freezing assets without a court order.

Bridges pose a unique challenge since their primary function is to transfer funds between chains without obfuscating the final destination. As ThorChain argued, it’s not their responsibility to stop illicit transactions—just as it’s not up to nodes or RPCs to impose filtering. While this aligns with cypherpunk ideals, courts and law enforcement may not share that perspective. I am worried of a TC-like crackdown on bridge founders which would hurt the industry.

And then, there are platforms like eXch, which provide no controls and actively resist assistance requests. However, as history has shown with ChipMixer, Liberty Reserve, BTC-e, and, more recently, Garantex, these platforms eventually get shut down—only for new ones to emerge and fill the lucrative void.

To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.

Let’s dive into the news!

News

• LazarusBounty by Bybit. Tracks laundering attempts and awards bounty for freezing funds. Most of the bounties went to CeFi and DeFi protocols while private investigators such as ZachXBT earned a few thousand dollars.
• Chainflip plans upgrade to prevent Bybit hackers from using its cross-chain DEX.
• mETH Protocol announces $43 million recovery from Bybit hack, while Tether freezes $181,000.
• Bybit hackers move over half the stolen ETH onto Bitcoin, largely using ThorChain.
• The 2025 Crypto Crime Report by Chainalysis.

Crime

• Feds Recover $31 Million in Crypto From 2021’s Uranium Finance Exploit. ZachXBT played a crucial role in the recovery. Hurray!
• Silent Push Pivots into New Lazarus Group Infrastructure, Acquires Sensitive Intel Related to $1.4B ByBit Hack and Past Attacks.
• Founder of Cryptocurrency Financial Services Firm “Gotbit” Extradited to the United States to Face Charges of Market Manipulation and Fraud Conspiracy.
• FBI Arrests Three in Pig Butchering Crypto Scam Tied to $13M Fraud Scheme.
• South Korea Police Arrest Four Linked to Murder by Stabbing, Crypto Theft.
• Physical Attacks Against Bitcoin Holders Surge As BTC Price Rises.
• LockBit ransomware gang sends ‘friendly advice’ to new FBI Director Kash Patel.

Policy

• SEC Drops Probe Into Gemini, Cameron Winklevoss Demands Recompense.
• A Win for DeFi ‒ SEC Closes Investigation into Uniswap Labs.
• SEC Closes Investigation Into Robinhood Crypto with No Action.
• SEC‘s ‘Demolition’ of Crypto Enforcement Met With Cheers as Well as Jeers.
• EU Includes Crypto Exchange Garantex in 16th Sanctions Package on Russia.

Phishing

• ZachXBT Exposes Lazarus Group's Latest $3.1M Heist Draining a Tron User’s Wallet.
• Pump Fun X account hacked, used to promote phony governance token.
• Another user lost $763,662 due to transaction history poisoning.
• A victim lost $607,202 due to a phishing approval signed 385 days ago.
• More reports of fake interviews by North Korean threat actors.

Malware

• OKX & SlowMist Joint Report: Bom Malware Hits Tens of Thousands of Users, Stealing Over $1.82 Million.
• The GitVenom campaign: cryptocurrency theft using GitHub by Kaspersky. The campaign is already responsible for almost $500K in losses.
• GrassCall scam drains crypto wallets through fake web3 job interviews.
• Bom Malware Hits Tens of Thousands of Users, Stealing Over $1.82M by OKX and Slowmist.

Contests

• Ph0wn2024 Writeup – Race Roller​ Application reversing by Fuzzing Labs.
• Halmos vs Damn Vulnerable DeFi by Igor Ganich. A series of articles about solving the Damn Vulnerable DeFi CTF using the Halmos symbolic analyzer.

Media

• Unchained - North Korea Is Winning. Is the Crypto Industry Able to Stop It? with Tay.

• Unchained - How the $1.5 Billion Bybit Hack Could Have Been Prevented with Mudit.

• Proof is in the Pudding: How to prove false statements by zkSecurity and Archetype.

• ETHDenver 2025 Playlist

  • Inside Samczsun's SEAL Team | Laurence Day - Wildcat Labs.

  • Red-Teaming Crypto Wallet Operations From TJ Connolly Fireblocks.

  • Troll, but Verify: Security Lessons From North Korean Job Candidates | Thiago Silva & Michael Be.

  • Software Development Isn't a Crime: Coin Center on the Fight With the DOJ | Michael Lewellen.

  • The Unseen Threat: Why Attackers See What Developers Miss | Bartosz Barwikowski - Hacken.

  • Traceability: A Wolf in Sheep’s Skin From Amit Chaudhary - Labyrinth.

  • How Onchain Privacy Failed | Nathaniel Fried - 0xbow.

  • Staying Safe in Web3 | Taylor Monahan - Metamask | Griff Green - Giveth.

  • Audits Are Not Enough | Odysseus Lamtzidis - phylax systems.

  • The New Guard Evolution of Smart Contract Security | Mooly S, Michael L, and Kratos.

  • Formal Verification: Finding Hope in the Impossible | Jonan Scheffler - Certora.

Research

• No More Bets - How Ctrl+F led to breaking Polymarket's polling markets by Trust Security.
• Top 5 Smart Contract Security Findings – January: Issues in Protocols Interacting with Uniswap V3 Liquidity & Cross-Chain Swaps by Chris Dior (CD Security).
• The Bybit Hack and What It Teaches Us About Multisig Wallet Security by Yura Sherman (Certora).
• Bybit Lookback - On hindsight and risk assessment by Andrew MacPherson (Privy).
• Rethinking multisig signing thread by Daniel Von Fange.
• Web3 Operational Security: Design, Processes, Infrastructure by immeas (Cyfrin).
• How to Run a Safe Safer by Emiliano Bonassi. A combination of a local Helios client, Foundry cast and safe cli.
• Private Key Leakage in ECDSA Signatures: Analysis of Malformed Input Vulnerability in the Elliptic Library by enze (SlowMist).
• AI-Assisted Security Audits by Eduard Kotysh (Oak Security).
• Which fuzzer should you use? by 0xScourgedev. Not sure when to use Echidna vs. Slither vs. Foundry, the thread gives you a nice map with pros and cons.
• The Diamond Proxy Pattern Explained by RareSkills.
• Modern Stablecoins, How They're Made: M^0 by Sergey Boogerwooger, Artem Petrov (MixBytes).
• Modern Approach to Attributing Hacktivist Groups by Itay Cohen (CheckPoint).
• How to gain code execution on millions of people and hundreds of popular apps by Kibty. Targeting todesktop electron app bundler for fun and profit.
• Strengthening DeFi Security: A Static Analysis Approach to Flash Loan Vulnerabilities.
• MTVHunter: Smart Contracts Vulnerability Detection Based on Multi-Teacher Knowledge Translation.
• A Multi-Agent Framework for Automated Vulnerability Detection and Repair in Solidity and Move Smart Contracts.
• Maximal Extractable Value in Decentralized Finance: Taxonomy, Detection, and Mitigation.
• 50 days of Crushing Audits by 0xaudron. A fairly comprehensive log of an up and coming bug bounty hunter. Godspeed!

Tools

• Certora Goes Open Source.
• Safe Multisig Transaction Hashes by OpenZeppelin. Another fork of pcaversaccio’s script that adds a locally hosted web UI. Now integrated into the official Safe UI.
• Hypothesis - a Python library for creating unit tests including invariant checks. Here is a sample comparison with Foundry tests by BowTiedDevil.
• Collection of offchain datasets by storm.
• OSINT search engine collection by Daniel Kelley.
• security-guards by MiloTruck. A collection of guards for Safe accounts including transaction restrictions, timelocks, etc.
• Bybit Hack Tracking - 6 hops + Thorchain Dune panel by coldfire.
• Bybit Hack: Thorchain / eXch Shitshow Dune panel by tayvano.
• Bybit Hack Tracing Dune panel by beetle.

Hacks

Toshi

Date: February 24, 2025
Attack Vector: Reentrancy
Impact: $11,000
Chain: Base

References:

https://x.com/TenArmorAlert/status/1894034493675110805

Exploit:

https://basescan.org/tx/0xad3dfc7da49979661404e0e91753d7928dc44bc948a96495b6ea8a7ef9ec7331

https://basescan.org/tx/0x331084925aa1b45ee9087dc4092a4b2fc6bb6c1b155dbe0b405a75541d19ed1a

Invisitech

Date: February 24, 2025
Attack Vector: Insufficient Function Access Control
Impact: $15,000
Chain: BSC

References:

https://x.com/TikkalaResearch/status/1894099890663289294

Exploit:

https://bscscan.com/tx/0x92126f0bde98d360b37b7074fea6f41fd47fd19d1cced134681ff64b1aef56b8

Teva

Date: February 25, 2025
Attack Vector: Forgotten approval
Impact: Assets Stolen
Chain: Base

References:

https://x.com/TenArmorAlert/status/1894571261843411356

Exploit:

https://basescan.org/tx/0x176f65954008289c996b25324406e518917c739acd2a43ecf3fc89b19504ea7c