Greetings!
Only about $1M was stolen this week across four incidents, with the majority of funds lost due to a simple price misconfiguration on wkeyDao.
Slow weeks like these are a good time to catch your breath and dive into the latest research in blockchain security. Pay particular attention to a series of EIPs tied to the upcoming Pectra upgrade, which introduce some concerning security risks. From EIP-7702, whose delegation authorizations could be abused to wipe out entire wallets, to EOF, which reintroduces potential reentrancy exploits in code that relied on transfer(), the evolving threat landscape demands constant vigilance.
On a more ironic note, DPRK hackers fell victim to a malicious Tornado Cash UI, losing $3.1M of their stolen funds—no honor among thieves. Meanwhile, authorities made a string of high-profile arrests tied to Garantex exchange, LockBit ransomware, and other operations.
On the downside, the latest DPRK-led phishing tactics are more aggressive than ever. Check out the Phishing section below to ensure your project doesn’t become their next target.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Let’s dive into the news!
News
U.S. intel vets helped crypto firm soar, unaware of infamous hacker behind it. The report reveals Morgan Marquis-Boire, a security professional ostracized from the community for a series of violent sexual assaults, is behind Unciphered, a crypto wallet recovery service.
DPRK got rugged for $3.1M by a malicious Tornado Cash UI, as reported by ZachXBT.
Unknown attacker causes headaches during Pectra upgrade on Sepolia.
THORChain at crossroads: Decentralization clashes with illicit activity.
Crime
Alleged Co-Founder of Garantex Arrested in India by Krebs On Security.
Argentina seeks arrest of U.S. crypto figure tied to Melania and Milei cryptocurrencies. In the meantime, LIBRA co-creator Hayden Davis caught cashing out millions.
UK CPS authorizes charges against NCA officer over alleged theft of bitcoin now worth $4.2 million.
Alleged Russian LockBit developer extradited from Israel, appears in New Jersey court.
Man arrested, accused of being the getaway driver in Amouranth home invasion case.
MTI Co-Mastermind Clynton Marks Arrested Over Unanswered Questions.
The Wiretap: A $60 Million Bitcoin Seizure Shows Cops Are Still Chasing Down Silk Road Dealers.
Phishing
A victim lost $1.82M worth of cUSDCv3 to phished transaction signatures, as reported by Scam Sniffer.
Analysis of LinkedIn Recruitment Phishing by 23pds & Thinking (SlowMist).
I just got a scam attempt by a Linkedin "recruiter" by swader.eth.
X accounts of Kaito and founder Yu Hu hacked to spread unfounded reports of token supply issues.
Crypto founders report deluge of North Korean fake Zoom hacking attempts.
Meteora says co-founder’s X account hacked after ‘parasitic’ memecoin post.
Malware
Captain MassJacker Sparrow: Uncovering the Malware’s Buried Treasure by Ari Novick (CyberArk). The report uncovers a clipboard-hijacking malware campaign that swaps copied crypto addresses for attacker-controlled ones.
Exposed Jupyter Notebooks Targeted to Deliver Cryptominer by Tara Gould (Cado).
Lookout Discovers New Spyware by North Korean APT37 by Lookout. The malware, KoSpy, appears to target South Korean Android users.
Research
GammaSwap Bug Bounty Write-up by Arz.
Total network shutdown caused by receipts exceeding max size by 100proof. Exploiting NEAR using action receipts.
Debugging Hardhat smart contract project with Tenderly by Caliber.
Using Cursor to explain smart contract logic, a thread by GuiseppeDeLaZara.
Attacking & Fuzzing Polkadot Node – Triggering Denial-of-Service via Gossamer RPC Flaws by Fuzzing Labs.
Arbitrary CPI Attacks in Solana by ImmuneBytes.
Solidity EOF reentrancy possibility in transfer by pcaversaccio.
A thread on abusing EIP-7702 to drain whole wallets by Daniel Von Fange.
ERC-7699: ERC-20 with Transfer Reference Extension by Yiğit Yektin (2077 Research).
Passkeys Explained: How to Use Them Safely by Hilary (Cantina).
Common security vulnerabilities in APTOS by Spearbit.
Building a Bitcoin Wallet from Scratch: Two Months of Solo Development Insights by Tristan Bietsch.
Control Flow Graph reconstruction for EVM bytecode by Franck Cassez.
Verified Control Flow Graphs for EVM Bytecode by Franck Cassez.
What's the significance of Custom Storage Layouts? by LearnEVM. A nice discussion of the recently introduced Solidity feature.
Slow is Fast! Dissecting Ethereum's Slow Liquidity Drain Scams.
Assessing Vulnerability in Smart Contracts: The Role of Code Complexity Metrics in Security Analysis.
Tools
Daily Warden. Active and upcoming security contests.
evm-dis by franck44. An EVM bytecode disassembler/assembler which can generate control flow graphs. Used in the ByteSpector tool. Coupled with evm-dis-app by aodhgan for the front-end.
Introducing Multi-Sim: A new standard for verifying transactions by Gnosis Guild.
Add halmos docs as context to Cursor by karma.
BlockSec Launches Safe{Wallet} Security Monitoring Solution.
CRADLE Intelligence Hub by Prodaft. A batteries-included collaborative knowledge management solution for threat intelligence researchers.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.