BlockThreat - Week 17, 2025
Ripple | VOXEL | Loopscale | BTCM | Term Labs | Impermax | LIFE | Aventa
Greetings!
Almost $9M was stolen this week across 14 incidents! We saw price oracle manipulation, key theft, precision loss, arbitrary external calls, and even the rarer storage manipulation vulnerabilities—all making an appearance.
But let’s focus on a ticking time bomb: the rise in supply chain attacks. These are becoming disturbingly frequent and have the potential to wreck the entire ecosystem. This week, it was Ripple’s turn. The xrpl.js npm package was backdoored by what appears to be a compromised employee account. Fortunately, the change was caught early and flagged by Aikido.
Last month, Coinbase’s Agent Kit repo was similarly targeted through a compromised contributor who inserted key-stealing code. In December 2024, Solana’s NPM library was backdoored. We may feel lucky that damage was limited in those cases—but tell that to AdsPower users who lost $4.7M just months ago.
We’ve already witnessed our first >$1B breach due to poor key management practices—Bybit. Unless we begin to seriously lock down our code repositories and dependencies, it’s only a matter of time before another wallet or exchange gets wiped out.
Let’s learn from the infamous XZ Utils/OpenSSH incident, which nearly led to mass compromise of internet-facing servers via a sophisticated supply chain backdoor. Here are some essential controls you should implement now:
Pin dependency versions, and commit a lockfile with integrity hashes, so a floating version range cannot silently pull in a backdoored update.
Continuously monitor and test dependencies using tools like GitHub Dependabot, OSS Review Toolkit, and similar.
Require peer reviews for all commits and deploys.
Harden your CI/CD pipelines with automated tests and anomaly scanning—both in your code and in your dependencies.
Minimize the number of privileged admins who can push packages outside the regular process. Treat them with the same caution as your key-signing infrastructure.
I get it—it’s not the glamorous side of blockchain security. But you must lock down your code repos and dependencies. Starting now!
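As an added example (this is not code from the newsletter, Ripple, or Aikido), here is a JavaScript check for the first control above: it flags floating version specifiers in a package.json and lockfile entries that npm ci could not verify against a registry tarball hash. The manifest, lockfile, package names and hash values are constructed sample data; the lockfile layout (lockfileVersion 3 "packages" map with resolved and integrity fields) is the real npm format.

```javascript
// Added example (not from the newsletter or any project it names): a manifest and
// lockfile audit for the "pin your dependencies" control. All data below is
// constructed; package names and integrity values are placeholders.

// An exact semver version: MAJOR.MINOR.PATCH plus optional pre-release/build
// metadata. Anything else (^, ~, *, >=, a dist-tag like "latest", a git URL) can
// resolve to a different artifact on the next install.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Report every dependency in a package.json object whose specifier is not an
// exact version. Returns [{ field, name, spec }].
function findUnpinnedDependencies(manifest) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (!EXACT_VERSION.test(spec)) findings.push({ field, name, spec });
    }
  }
  return findings;
}

// Report every entry in a package-lock.json "packages" map (lockfileVersion 2/3)
// that cannot be verified on install: a missing or non-sha512 integrity field, or
// a tarball not resolved over https from the expected registry host.
// Returns [{ path, reasons }].
function findUnverifiableLockEntries(lock, registryHost = 'registry.npmjs.org') {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || entry.link) continue; // root project or workspace symlink: nothing fetched
    if (entry.inBundle) continue;            // shipped inside a parent tarball, covered by its hash
    const reasons = [];
    if (!entry.integrity) {
      reasons.push('missing integrity hash');
    } else if (!entry.integrity.startsWith('sha512-')) {
      reasons.push(`weak integrity algorithm ${entry.integrity.split('-')[0]}`);
    }
    let url = null;
    try { url = new URL(entry.resolved || ''); } catch (_) { /* not a URL at all */ }
    if (!url || url.protocol !== 'https:' || url.hostname !== registryHost) {
      reasons.push(`resolved outside https://${registryHost}: ${entry.resolved}`);
    }
    if (reasons.length > 0) findings.push({ path, reasons });
  }
  return findings;
}

// Combined CI gate: ok is false when either check produces findings.
function auditDependencies(manifest, lock, registryHost) {
  const unpinned = findUnpinnedDependencies(manifest);
  const unverifiable = findUnverifiableLockEntries(lock, registryHost);
  return { ok: unpinned.length === 0 && unverifiable.length === 0, unpinned, unverifiable };
}

// Constructed sample manifest: one pinned dependency and three floating ones.
const sampleManifest = {
  name: 'example-app',
  dependencies: {
    'pinned-lib': '1.0.0',   // exact: every install gets this version
    'caret-lib': '^1.3.0',   // any 1.x.y >= 1.3.0, including tomorrow's release
    'tag-lib': 'latest',     // whatever the publisher tags next
  },
  devDependencies: {
    'tilde-dev-lib': '~2.22.0', // any 2.22.x
  },
};

// Constructed sample lockfile. Integrity strings are placeholders, not real hashes.
const sampleLock = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: sampleManifest.dependencies },
    'node_modules/pinned-lib': {
      version: '1.0.0',
      resolved: 'https://registry.npmjs.org/pinned-lib/-/pinned-lib-1.0.0.tgz',
      integrity: 'sha512-PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLA==',
    },
    'node_modules/caret-lib': {
      version: '1.3.2',
      resolved: 'http://registry.npmjs.org/caret-lib/-/caret-lib-1.3.2.tgz', // plain http
      integrity: 'sha1-PLACEHOLDERPLACEHOLDERPLACE=',                        // sha1 only
    },
    'node_modules/tag-lib': {
      version: '9.9.9',
      resolved: 'https://mirror.example.invalid/tag-lib-9.9.9.tgz',        // not the registry
      // no integrity field at all
    },
  },
};

// Stand-alone run: print the report. A CI job would fail the build when !report.ok.
const report = auditDependencies(sampleManifest, sampleLock);
console.log(JSON.stringify(report, null, 2));
```

Pinning alone is the weaker half of this control: a pinned version is still whatever the registry served when the lockfile was written, so it is the sha512 integrity field that actually catches a swapped tarball, and npm ci (not npm install) is what refuses to proceed when the lockfile and manifest disagree. Neither check helps if the malicious version is published straight from a maintainer's account rather than through your CI, which is why the last control on the list, limiting who can publish outside the regular process, matters as much as the first.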
Speaking of locking things down and staying paranoid, BlockThreat is proud to have a very special sponsor and a friend this week: Opsek. Pablo and Louis are exactly who you should be talking to if you want to tune up not just your operational security—but the most critical, vulnerable layer of your organization: your people.
Is your team safe from sophisticated threat actors?
More than 98% of funds stolen in the Web3 ecosystem are taken not by breaking code but by breaking people. Opsek will train your team to become paranoid and harden your complete operational security stack.
You are already a target, don't get rekt.
Link: https://opsek.io/
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.
For detailed post-mortems and indicators for this week’s smart contract exploits, including Loopscale, BTCM, Term Labs, Impermax, LIFE, Aventa, and others, see the premium section below.
Let’s dive into the news!
News
XRP supply chain attack: Official NPM package infected with crypto stealing backdoor by Charlie Eriksen (Aikido).
Grafana GitHub Actions Security Incident. Another GitHub Actions exploit used to leak secrets. Please check your third-party dependencies and rotate keys.
ZKsync reclaims $5 million worth of hacked tokens following 10% bounty offer. Interestingly, the return was facilitated under SEAL’s Safe Harbor Agreement, which more protocols should adopt.
Bitget's VOXEL Meltdown by Rekt. When market bots break, traders profit. Now the exchange is attempting to claw back highly profitable trades.
FBI Releases Annual Internet Crime Report. The report notes a spike in the number of IC3 cryptocurrency related complaints in 2024 with $9.3B in losses.
Inflection Point: Global Implications of Scam Centres, Underground Banking and Illicit Online Marketplaces in Southeast Asia by UN Office on Drugs and Crime. Great coverage of massive scam centers involved in pig butchering, crypto investment and other scams. The most concerning point is the human trafficking aspect of these operations forcing workers into call centers.
Crime
LAPD Seizes Stolen Bitcoin Miners Worth $2.7 Million in Cargo Theft Investigation.
Illegal Crypto Mining ‘Powerful Tool’ for Cybercrime Syndicates: UN Report.
They Stole a Quarter-Billion in Crypto and Got Caught Within a Month.
Prosecutors seek 8-year sentence for Mango Markets’ exploiter Avi Eisenberg.
Policy
Phishing
A Bitcoin wallet lost $330.7M. The attacker swapped the stolen assets to Monero, causing a massive price spike.
North Korean Hackers Targeting Crypto Developers With U.S. Shell Firms.
Another day another DPRK IT worker caught. Full set here by Cookie Connoissuer.
A sophisticated social engineering attack resulted in the theft of $40M.
Reports of a malicious Solidity extension for VS Code impersonating a legitimate one.
Crypto Drainers: How They Operate and a Case Study of Medusa and Its Broader Ecosystem by AMLBot.
Hackers abuse Zoom remote control feature for crypto-theft attacks.
‘I’m sick’ — Scammers use AI, fake ID of crypto influencer to steal $4M.
Scams
Malware
Docker Malware Exploits Teneo Web3 Node to Earn Crypto via Fake Heartbeat Signals.
Storm-1977 Hits Education Clouds with AzureChecker, Deploys 200+ Crypto Mining Containers.
Media
Defi Security Summit Webinar - Operational Security in Web3: a review of major OpSec incidents with Louis Marquenet, Pablo Sabbatella, and Peter Kacherginsky moderated by Isaac Patka.
The UNBOUNDED Podcast - The True Cost of Sovereignty: Diverter on Bitcoin Privacy & Samourai Wallet.
Soneium Builders Workshop Special Edition 9: TimeLock Vaults with Foundry: A Test-Driven Journey.
Safe Tx Hashes with Patrick Collins (Cyfrin).
Research
0ffbeat - 0xProfiles of Daniel Von Fange, Bernhard Mueller, g, riptide, cmichel, GNSPS, Rappie, alpharush, Noah, M4rio, and many others.
ThorChain: A Crypto Money Laundering Hub? by Nefture Security.
Transitioning from EVM to SVM: Key Concepts for Solana Security Assessments by Dimaz Wijaya (Sigma Prime).
eXch.cx, Crypto Money Laundering and the Bybit Hack by Nefture Security.
Choosing an Audit Competition: How to Spot Snake Oil by Luna Tong (Zellic).
SlowMist: Emergency Response Guide for Stolen Funds — On-Chain Messaging (BTC Edition).
Insecurity Through Obscurity: Veiled Vulnerabilities in Closed-Source Contracts. A great approach to reverse engineering and deobfuscating some of the trickier-to-analyze MEV bots.
Mining Characteristics of Vulnerable Smart Contracts Across Lifecycle Stages.
DMind Benchmark: The First Comprehensive Benchmark for LLM Evaluation in the Web3 Domain.
Fishing for Phishers: Learning-Based Phishing Detection in Ethereum Transactions.
Foundry best practices by Pandit.
Tools
Foundry MCP Server by PraneshASP.
Using Cursor to verify proxies, implementations and storage variables.
Solidity HTTP - You love foundry so much, now you can browse the internet with it by Recon.