Greetings!
No billion-dollar exploits this week, but a couple of unusual DeFi compromises offered a break from the usual private key smash-and-grabs.
One particularly interesting case was the compromise of 1inch and a few market makers, resulting in around $5M in losses. Unlike traditional smart contract exploits, this attack resembled a memory corruption vulnerability with a carefully crafted transaction payload. You’ll find detailed write-ups, along with the rapid race to recover funds, in the premium hacks section below. Fortunately, the attacker agreed to a $450K “bug bounty,” allowing 1inch and the affected AMM to recover most of their losses. The key takeaway? Overoptimized Solidity/Yul contracts are notoriously difficult to audit and secure.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Things got even more intriguing with a whitehat hack by shouccc and tonykebot targeting Time.fun’s backend. A clever exploit of the backend infrastructure—one that eagerly signed transactions on Solana—allowed them to drain all funds controlled by the internal wallet. Fortunately, all funds were returned.
On a more personal front, I will be working on the newsletter full time now. Please consider becoming a premium member to help support its future development.
Let’s dive into the news!
News
Darknet marketplace wallet with over $400M BTC awakens after 9 years.
Japanese telco giant NTT Com says hackers accessed details of almost 18,000 organizations.
Crime
Crypto, Crime & Corruption: A memecoin family’s checkered past puts the presidency of Argentina’s Javier M. A deep dive into Hayden Davis’s family history filled with crime, drug abuse, counterfeiting, and religious cults.
Garantex Cryptocurrency Exchange Disrupted in International Operation. The Russian exchange has a long history of allowing money laundering including funds flowing from darkmarkets, ransomware gangs, DPRK and other sanctioned entities.
Thai Police Raid Five Crypto Firms, Arrest 11 in Crackdown. The arrests targeted unlicensed
Amouranth Bitcoin Robbery: Attackers Demand Crypto At Gunpoint.
‘I don’t think I was a criminal,’ says convicted felon Sam Bankman-Fried from prison. SBF was thrown into solitary confinement shortly after the interview with Tucker Carlson since it was apparently not authorized. The Tucker interview was part of his “bad ideas that aren’t vetted” doc that he developed during the FTX meltdown.
US seizes $23 million in crypto stolen via password manager breach. The complaint revealed that funds were linked to the LastPass compromise of Ripple co-founder Chris Larsen who lost $150M in crypto.
US Treasury Sanctions Iranian National for Operating Darknet Market Nemesis by TRM.
UK hands down first criminal sentence over illegal crypto ATMs.
How crypto exchanges handle liquidity crises after major hacks.
Policy
Phishing
The ultimate insider threat: North Korean IT workers by Google Threat Intelligence.
A victim lost $117k in 2 phishing attacks. First $37k via Permit2 phishing by Scam Sniffer.
Reports of a new Telegram vulnerability, EvilLoader, used to spoof APKs.
Bypassing MetaMask’s security filter with a binary notation by Jason Doyle.
Scams
Plant a red flag by Rekt. A report on the disappearance of the Xeggex exchange and its links to past rugs like Cryptsy and Altilly.
Andrew Tate struggles to pump memecoin amid Florida criminal inquiry.
Malware
New PyPI Malware ‘set-utils’ Exfiltrates Ethereum Private Keys Through Blockchain Transactions by Socket.
Infostealer Campaign against ISPs by Splunk. A malware campaign by an Eastern European threat actor to spread cryptomining and infostealer malware.
Threat Actors Leverage YouTubers to Attack Windows Systems Via SilentCryptoMiner.
Contests
HTB CTF - Solidity Shenanigans: Hacking StarGazer by Fuzzing Labs.
Secureum Race Runner by KupiaSec. A browser extension that helps security researchers simulate Secureum races in a realistic environment. Secureum hosts excellent smart contract security challenges at https://ventral.digital/posts/, but their live races fill up quickly. This tool lets you practice these challenges as if you were in a real race.
Media
Research
Sepolia Pectra fork incident recap by Marius Van Der Wijden.
Across V3: Cross Chain Action Vulnerability Disclosure by zachobront.
First depositor attack on Hipo Finance on TON network by Saksham (Zokyo).
Solana Attack Vectors by ImmuneBytes. Account reloading attack.
Protecting DeFi Platforms against Non-Price Flash Loan Attacks.
BitVM: Unlocking Arbitrary Computation on Bitcoin Through Circuit Abstractions by Katat Choi (ZKSecurity).
ERC-20 Tokens: Innovation or Exploitation? What We Learned at ETHDenver by GoPlus Security.
How to Recover Your Browser Wallet Extension from a Sudden Failure? by Lisa & Aro (SlowMist).
Subverting Web2 Authentication in Web3 by Bruno Halltari and Caue Obici (OtterSec).
Decode Sui Coin Standard by Senn.
Tools
Safe Watcher - a bot that monitors one or more Safe addresses for critical activities throughout the entire transaction lifecycle.
EVM Debugger by Rumblefish. Detailed opcode, stack, memory debugging. Also includes function stack trace and source navigation.
Cryo-MCP - an MCP server enabling your LLMs to query blockchain data using Cryo by z80.
Solana Program Account Scanner by Crytic. Visualize account relationships.
Echidna Coverage Reporter by Simon Busch. A TypeScript tool to parse and analyze Echidna code coverage reports for Solidity smart contracts.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.