Greetings!
Over $3M stolen this week across six incidents. The bulk of the losses came from the Morpho hack, which lost $2.6M due to an exploit introduced during a front-end upgrade. A misconfiguration in how users were prompted to sign transactions led one user to unknowingly sign an unlimited permit to a multicall contract—allowing anyone to drain it. Fortunately, a known whitehat MEV bot frontran the attacker.
This incident is a stark reminder: even in the world of smart contract exploits, we often overlook trust assumptions in the underlying infrastructure—including the websites that generate complex transactions for users to sign.
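One mitigation for the failure mode described above is a policy check on the permit message before the wallet or front-end asks the user to sign it. The code below is an added example, not Morpho's or the newsletter's code; it assumes the permit is an EIP-2612 typed-data message and uses placeholder addresses and amounts.

```python
# Added example (not Morpho's or the newsletter's code): reject an EIP-2612 permit
# request before it reaches the signer if it is unlimited, goes to an unexpected
# spender, or stays valid long after the user's session. Addresses are placeholders.
from dataclasses import dataclass

UINT256_MAX = 2**256 - 1


@dataclass
class PermitPolicy:
    expected_spender: str        # contract the dApp is actually meant to use
    max_value: int               # amount the user intends to approve, in base units
    now: int                     # current unix time
    max_deadline_seconds: int = 3600


def check_permit(typed_data: dict, policy: PermitPolicy) -> list[str]:
    """Return findings for a permit typed-data message; an empty list means it passes."""
    findings = []
    if typed_data.get("primaryType") != "Permit":
        return [f"unexpected primaryType {typed_data.get('primaryType')!r}"]
    msg = typed_data["message"]
    if msg["spender"].lower() != policy.expected_spender.lower():
        findings.append(f"spender {msg['spender']} is not the expected contract")
    value = int(msg["value"])
    if value == UINT256_MAX:
        findings.append("unlimited allowance requested")
    elif value > policy.max_value:
        findings.append(f"value {value} exceeds intended amount {policy.max_value}")
    if int(msg["deadline"]) > policy.now + policy.max_deadline_seconds:
        findings.append("deadline lets the permit be used long after this session")
    return findings


# Constructed sample: an unlimited, long-lived permit to a multicall-style helper.
SAMPLE_UNLIMITED_PERMIT = {
    "primaryType": "Permit",
    "message": {
        "owner": "0x" + "aa" * 20,
        "spender": "0x" + "bb" * 20,      # placeholder multicall contract
        "value": str(UINT256_MAX),
        "nonce": 0,
        "deadline": str(2**32),
    },
}

if __name__ == "__main__":
    policy = PermitPolicy(expected_spender="0x" + "cc" * 20, max_value=10**18, now=1_744_000_000)
    for finding in check_permit(SAMPLE_UNLIMITED_PERMIT, policy):
        print("REJECT:", finding)
```

Run against the constructed sample, the check flags all three problems (wrong spender, unlimited value, far-future deadline), which is exactly the shape of permit the front-end should never have produced.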
The remaining exploits targeted a range of systems—from vulnerable MEV bots to a nine-year-old contract left exposed and carelessly exploitable just last week. Details on each hack are available in the premium section.
One under-the-radar vulnerability report worth highlighting: Supremacy intern Yi discovered a critical flaw in Ping.pub, the Cosmos blockchain explorer. Yi found a way to compromise the hosting server, including its skeleton SSH keys. If we want to avoid another Wallet/Bybit hack, it’s crucial we give Web2 infra the attention it deserves.
Also notable this week: a spike in phishing campaigns targeting crypto developers via malicious npm, Python, and VS Code packages, as well as code repositories like SourceForge. Be vigilant and lock down your dependencies.
Before we dive into the news, a special thank you to this week’s sponsor—Recon.
Get a Recon Invariant Audit: a powerful testing suite plus world-class auditors to catch what others miss. Open-source, no vendor lock-in, and proven to find severe bugs. Before spending millions on audits, invest in tests that evolve over time, catch bugs, and keep them from coming back.
See our portfolio: https://getrecon.xyz/#services.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.
Let’s dive into the news!
News
$124M Stolen — The March 2025 Crypto Crime Report by Nefture.
2025 Q1 BSC Security Report by HashDit.
Crime
The FBI Hijacked and Ran a Dark Web Money Laundering Operation Called ‘ElonmuskWHM’.
Hayden Davis still making millions from LIBRA, MELANIA memecoins.
Policy
Trade War Theater by Rekt.
Thailand targets foreign crypto P2P services in new anti-crime laws.
Block Agrees to $40M NYDFS Penalty Over Lackluster Compliance Program.
Phishing
PoisonSeed Exploits CRM Accounts to Launch Cryptocurrency Seed Phrase Poisoning Attacks.
Leaking crypto secrets through poisoned MCPs specifically targeting Base-MCP by superoo7.
Your BTC can be swiped by spoofers without them even contacting you.
The whale, the hack and the psychological earthquake that hit HEX.
Scams
Malware
Malicious npm Package Targets Atomic Wallet, Exodus Users by Swapping Crypto Addresses.
Malicious Python Packages Attacking Popular Cryptocurrency Library To Steal Sensitive Data.
Mining in Plain Sight: The VS Code Extension Cryptojacking Campaign by Yuval Ronen (ExtensionTotal).
Attackers distributing a miner and the ClipBanker Trojan via SourceForge by AMR (Kaspersky).
Media
Bountyhunt3rz - Episode 10 - rootrescue.
Research
The Pectra Holesky Incident by Eitan Seri-Levi (Sigma Prime).
Ethereum Liquid Staking: Validator Deposit Risks & Mitigation by Ilya Teterin, Dmitry Zakharov (MixBytes).
Tolk Security Audit: Evolution from FunC to Tolk and Security Challenges by ExVul.
Critical Wallet Bugs Expose Users to Silent Crypto Drains by Franco Riccobaldi (Coinspect).
Sweet Betrayal by Rekt. Governance takeover of PancakeSwap protocol.
How to use AI (specifically LLMs) in your web3 security workflow by Tumelo_Crypto.
Massive update to the Recon Book including invariant testing tutorials and exercises.
Enhancing Smart Contract Vulnerability Detection in DApps Leveraging Fine-Tuned LLM.
SmartBugBert: BERT-Enhanced Vulnerability Detection for Smart Contract Bytecode.
Generative Large Language Model usage in Smart Contract Vulnerability Detection.
Commit-Reveal²: Randomized Reveal Order Mitigates Last-Revealer Attacks in Commit-Reveal.
Security Vulnerabilities in Ethereum Smart Contracts: A Systematic Analysis.
SolRPDS: A Dataset for Analyzing Rug Pulls in Solana Decentralized Finance.
Exploring Vulnerabilities and Concerns in Solana Smart Contracts.
Automated Attack Synthesis for Constant Product Market Makers.
Tools
Halmos-helpers library v0.1.0 by Ihor Hanich. A Solidity library for quickly and conveniently preparing a Solidity project for stateful symbolic-execution checks under the halmos engine.