BlockThreat - Week 13, 2025

NickLFranklin | Abracadabra | SIR | Hyperliquid | Jelly | Alkimiya

Apr 02, 2025

∙ Paid

Greetings!

A tough week in blockchain security. More than $20M was stolen across five protocols this week. We’ll dive into a few case studies shortly, but first, we need to cover something even more concerning—the latest DPRK campaign.

DPRK’s Long Game: A Security Researcher Turned Threat Actor

It’s time to update your project’s threat models. Last week, it was revealed that a fairly well-known blockchain security researcher, Nick L Franklin, was actually a North Korean threat actor. His goal? Not just to infiltrate projects but also to compromise security researchers themselves.

For over a year, “Nick” built trust within the community—regularly posting analyses of recent compromises and engaging with researchers. Only recently did he begin exploiting these connections by sharing malware-laced vulnerability reports. Here are some key takeaways from this latest threat:

DPRK actors are playing an even longer game. We already knew they were patient, but this level of dedication is unprecedented. Be cautious—trust is their weapon.
DPRK has smart contract exploitation capabilities but uses them selectively—such as in the original Radiant Capital compromise last January. The next smart contract exploit could be DPRK-linked.
OpenZeppelin, Hyperliquid, 1inch, and others appear to be on DPRK’s target list. “Nick” inquired about them, confirming previous warnings from Tay. A potential mass supply chain attack through OpenZeppelin is particularly concerning, lock down those dependencies.
Security researchers including SEAL team are now targets. Just as DPRK targets traditional infosec pros, they’re now actively targeting blockchain security researchers—likely to gain early insights into unpatched vulnerabilities. Our community is collaborative, but be wary of unsolicited PoC reviews or vulnerability reports.

If you ever feel bad about being deceived by these actors, know that even experienced researchers—including myself—have been caught off guard. Stay vigilant!

Exploits in DeFi: New Attack Techniques Emerging

Several high-profile exploits shook DeFi this week. Here are some of the most notable:

SIR Trading ($355K loss): This hack leveraged the newly introduced EVM transient storage feature. The attacker exploited a collision between the pool address and transfer amount, using a vanity address to overwrite the amount. A clever and novel technique.
Abracadabra ($13M loss): Hit by a complex borrowing/liquidation exploit resembling past Euler and KyberSwap compromises. Stolen funds remain scattered across multiple addresses and haven’t been laundered yet. Abracadabra is offering a massive 25% bounty—let’s see if the attacker takes it.

Detailed breakdowns of these and other exploits—Hyperliquid/Jelly, Alkimiya, and more—are available in the premium section.

Before we dive into the news, a special thank you to this week’s sponsor—Recon. You’re likely already familiar with their groundbreaking research on invariant testing by Nican0r and the team, who in fact is featured in the tools section below.

Get a Recon Invariant Audit: a powerful testing suite plus world-class auditors to catch what others miss. Open-source, no vendor lock-in, and proven to find severe bugs. Before spending millions on audits, invest in tests that evolve over time that catch bugs and keep them from coming back.

See our portfolio: https://getrecon.xyz/#services.

Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerability, indicators, special reports, and searchable newsletter archives.

Let’s dive into the news!

News

DeFi security researcher implicated in $50M Radiant Capital hack. The Nick L. Franklin personae was developed for over a year with regular posts about DeFi compromises until it all came crashing down with a malware laced phishing attempt of the 1inch co-founder. Further investigation revealed that Nick L. Franklin was linked to the $58M Radiant Capital hack in October, 2024, asking for technical support for the hack, and actively trying to infiltrate other DeFi projects.
From One North Korean To Four North Koreans To Five Threats by blackbigswan. The Nick L. Franklin saga continues with a whole squad of fake identities, job hunts, exploits, phishing, rug pulls, and other attacks.
Chainalysis Sued For Deception In Celsius Scam.
Infini takes legal action after $50 million stablecoin exploit.

Crime

US Marshals arrest Veer Chetal ‘Wiz,’ third suspect in $240M Genesis creditor crypto scam. Veer was part of the gang responsible for the massive social engineering heist last year. Congrats ZachXBT!
Exposing pDai exploiter's identity by Martin.
DOJ Seizes USD 8.2M Tied to Pig Butchering Scheme by TRM.
Binance suspends employee for allegedly profiting off of insider information.
Binance kicks out a MOVE market maker caught inflating the token.
Darkweb actors claim to have over 100K of Gemini, Binance user info. These usually consist of recycled emails from past compromises.
T3 FCU Freezes Nearly $9 Million Linked to Record-Breaking Bybit Hack, Bringing Crime Unit’s Total to Over $150 Million.
Tempted to Classifying APT Actors: Practical Challenges of Attribution in the Case of Lazarus’s Subgroup by Hayato Sasaki (JPCERT).

Phishing

SEAL Releases Advisory on ELUSIVE COMET. A threat actor enticing victims to install malware during Zoom calls by presenting themselves as legitimate media entities such as Aureon Press, The OnChain Podcast.