Blockchain Threat Intelligence

BlockThreat - Week 11, 2025

wkeyDAO | H2O | Berally | MAID | Garantex | LockBit | Trezor

Mar 17, 2025
Greetings!

Only about $1M was stolen this week across four incidents, with the majority of funds lost due to a simple price misconfiguration on wkeyDao.

Slow weeks like these are a good time to catch your breath and dive into the latest research in blockchain security. Pay particular attention to a series of EIPs in the upcoming Pectra upgrade, which introduce some concerning security risks. From EIP-7702, which could wipe out entire wallets, to EOF, which reintroduces potential reentrancy exploits, the evolving threat landscape demands constant vigilance.

On a more ironic note, DPRK hackers fell victim to a malicious Tornado Cash UI, losing $3.1M of their stolen funds—no honor among thieves. Meanwhile, authorities made a string of high-profile arrests tied to Garantex exchange, LockBit ransomware, and other operations.

On the downside, the latest DPRK-led phishing tactics are more aggressive than ever. Check out the Phishing section below to ensure your project doesn’t become their next target.

To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.

Let’s dive into the news!

News

  • U.S. intel vets helped crypto firm soar, unaware of infamous hacker behind it. The report reveals Morgan Marquis-Boire, a security professional ostracized from the community for a series of violent sexual assaults, is behind Unciphered, a crypto wallet recovery service.

  • Trezor discloses potential vulnerability in older Safe 3 crypto wallets following white hat research by rival Ledger.

  • DPRK got rugged for $3.1M by a malicious Tornado Cash UI by ZachXBT.

  • Unknown attacker causes headaches during Pectra upgrade on Sepolia.

  • THORChain at crossroads: Decentralization clashes with illicit activity.

Crime

  • Alleged Co-Founder of Garantex Arrested in India by Krebs On Security.

  • Cryptocurrency Founder And CEO Convicted Of Wire Fraud And Money Laundering In Connection With Marketing And Sale Of AML Bitcoin.

  • Argentina seeks arrest of U.S. crypto figure tied to Melania and Milei cryptocurrencies. In the meantime, LIBRA co-creator Hayden Davis caught cashing out millions.

  • UK CPS authorizes charges against NCA officer over alleged theft of bitcoin now worth $4.2 million.

  • Alleged Russian LockBit developer extradited from Israel, appears in New Jersey court.

  • Man arrested, accused of being the getaway driver in Amouranth home invasion case.

  • MTI Co-Mastermind Clynton Marks Arrested Over Unanswered Questions.

  • The Wiretap: A $60 Million Bitcoin Seizure Shows Cops Are Still Chasing Down Silk Road Dealers.

Phishing

  • A victim lost $1.82M worth of cUSDCv3 due to phishing transaction signatures by Scam Sniffer.

  • Analysis of LinkedIn Recruitment Phishing by 23pds & Thinking (SlowMist).

  • I just got a scam attempt by a Linkedin "recruiter" by swader.eth.

  • X accounts of Kaito and founder Yu Hu hacked to spread unfounded reports of token supply issues.

  • Crypto founders report deluge of North Korean fake Zoom hacking attempts.

  • Meteora says co-founder’s X account hacked after ‘parasitic’ memecoin post.

Malware

  • Captain MassJacker Sparrow: Uncovering the Malware’s Buried Treasure by Ari Novick (CyberArk). The report uncovers a clipboard hijacking malware campaign to replace crypto addresses with the ones controlled by attackers.

  • Exposed Jupyter Notebooks Targeted to Deliver Cryptominer by Tara Gould (Cado).

  • Lookout Discovers New Spyware by North Korean APT37 by Lookout. The malware, KoSpy, appears to target South Korean Android users.

Media

  • Bountyhunt3rz - Episode 7 - riproprip.

  • Smart Contract Security and On-Chain Fraud Prevention with AI - DSS Monthly Webinar.

Research

  • GammaSwap Bug Bounty Write-up by Arz.

  • Total network shutdown caused by receipts exceeding max size by 100proof. Exploiting NEAR using action receipts.

  • Debugging Hardhat smart contract project with Tenderly by Caliber.

  • Using Cursor to explain smart contract logic thread by GuiseppeDeLaZara.

  • Attacking & Fuzzing Polkadot Node – Triggering Denial-of-Service via Gossamer RPC Flaws by Fuzzing Labs.

  • Arbitrary CPI Attacks in Solana by ImmuneBytes.

  • Solidity EOF reentrancy possibility in transfer by pcaversaccio.

  • A thread on abusing EIP-7702 to drain whole wallets by Daniel Von Fange.

  • ERC-7699: ERC-20 with Transfer Reference Extension by Yiğit Yektin (2077 Research).

  • Passkeys Explained: How to Use Them Safely by Hilary (Cantina).

  • Common security vulnerabilities in APTOS by Spearbit.

  • Building a Bitcoin Wallet from Scratch: Two Months of Solo Development Insights by Tristan Bietsch.

  • Control Flow Graph reconstruction for EVM bytecode by Franck Cassez.

  • Verified Control Flow Graphs for EVM Bytecode by Franck Cassez.

  • What's the significance of Custom Storage Layouts? by LearnEVM. A nice discussion of the recently introduced Solidity feature.

  • Slow is Fast! Dissecting Ethereum's Slow Liquidity Drain Scams.

  • Assessing Vulnerability in Smart Contracts: The Role of Code Complexity Metrics in Security Analysis.

Tools

  • Daily Warden. Active and upcoming security contests.

  • evm-dis by franch44. An EVM bytecode disassembler/assembler which can generate control flow graphs. Used in the ByteSpector tool. Coupled with evm-dis-app by aodhgan for the front-end.

  • Introducing Multi-Sim: A new standard for verifying transactions by Gnosis Guild.

  • Add halmos docs as context to Cursor by karma.

  • BlockSec Launches Safe{Wallet} Security Monitoring Solution.

  • CRADLE Intelligence Hub by Prodaft. A batteries-included collaborative knowledge management solution for threat intelligence researchers.


Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.


© 2025 Peter Kacherginsky