BlockThreat - Week 2, 2025
Moby | Orange Finance | Unilend | IPC | Mosca | Alienbase | FortuneWheel | WTO
Greetings!
We’re kicking off the second week of 2025 with nearly a dozen exploits that have collectively netted attackers around $2.7M. Low-TVL, unaudited projects on BSC continue to fall victim to hacks, often losing $10K at a time. However, it’s the two private key compromises that deserve additional discussion—and even a bit of celebration.
On January 8, Moby Trade protocol on Arbitrum suffered a significant breach when an attacker used stolen private keys to upgrade several vaults. Just as the attacker was preparing to drain $2.5M, Tony Ke from SEAL 911 intervened. Exploiting a vulnerability in the attacker’s own unprotected contract, Ke managed to recover nearly $1.5M. While the attacker still escaped with $1M and any funds collected via user approvals, this incident highlights the growing importance of proactive incident response. Whitehats and their bots are increasingly playing a crucial role in mitigating the impact of exploits.
Orange Finance faced a similar attack on the same day. Despite having its upgrade admin account protected by a multisig, a misconfiguration allowed a single compromised key to perform an unauthorized upgrade. The fact that two Arbitrum-based projects were compromised on the same day using the same vector raises questions: coincidence or a coordinated effort?
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
This week brings an intriguing collection of research articles, including a Cosmos engineer’s simulation of an alleged exploit linked to the Terra downfall, insights into 0-day vulnerabilities in a popular wallet and a hashing algorithm implementation, and a wealth of audit tips from some of the industry’s top security researchers.
On the phishing front, scammers and wallet security apps are locked in a cat-and-mouse game to outwit transaction simulation mechanisms. One such successful bypass led to a $460K theft from an unfortunate user who didn’t receive adequate warnings.
In other news, the U.S. government arrested operators of Sinbad and Blender, multiple DeFi security companies announced acquisitions, more regulators departed their posts, and the relentless wave of drainers continues to plague the ecosystem.
Let’s dive into the news!
News
The federal government just got the green light to sell $6.5 billion in Bitcoin seized from Silk Road.
Chainalysis Buys Israeli Fraud Detection Startup Alterya for $150M.
Analysis of the 2024 Blockchain Security and Anti-Money Laundering Annual Report: Security Landscape, Phishing and Scam Techniques, DPRK & Money Laundering Tools, and AML Trends & Data by SlowMist.
2024 Web3 Security Report by PeckShield.
Telegram snitched on 2,000 users to US authorities in 2024, report.
CoinSwitch launches $70M recovery fund for WazirX hack victims.
Crime
Russian nationals arrested by US, accused of running crypto mixers Blender and Sinbad.
New York Attorney General wants to serve crypto thieves via NFT after $2.2m heist.
Dutch police arrest law student behind multi-million euro crypto scheme.
Judge pushes Mango Markets exploiter sentencing to April 10.
Policy
US regulator plans to toughen customer protection on crypto accounts.
Gemini agrees to a $5M penalty as part of proposed CFTC order.
U.S. Enforcement Chief Behind CFTC Crypto Cases Exits Before Trump Arrives.
Phishing
DPRK's Willo Impersonation Campaign by Zero Shadow.
New Web3 attack exploits transaction simulations to steal crypto.
String of X hijacks continues as hackers access accounts of Litecoin, Foresight Ventures, and others.
Fake CrowdStrike job offer emails target devs with crypto miners.
‘Money we don’t have to spare’: Spoofed website causes Toronto man to lose $100K.
Scams
Bad math homework by Rekt. A dive into Solv Protocol double- and sometimes triple-counting BTC deposits in its TVL calculations.
Squid Game Season 2: A Window Into Popular Culture and Crypto Scams by TRM.
Bitten by bitcoin scam: Victim talks about experience as law enforcement faces rash of crypto fraud.
Malware
Russian-Speaking Attackers Target Ethereum Devs with Fake Hardhat npm Packages.
CrowdStrike Warns of Phishing Scam Targeting Job Seekers with XMRig Cryptominer.
PHP Servers Vulnerability Exploited To Inject PacketCrypt Cryptocurrency Miner.
Research
Blockchain Engineer Alleges Attack Triggered Terra’s $50 Billion Downfall. The reveal includes a video demonstrating an attack on the Cosmos Hub with the same effect as the one that caused the UST depeg.
Poseidon Hash Collision vulnerability in iden3's implementation by Marius Van Der Wijden.
BitsLab’s ScaleBit flags 'alarming' Uniswap Wallet vulnerability.
Signature Replay Attacks by Joran Honig.
Top findings in GameFi protocols by gkrastenov.
Unusual Money by Rekt. A deep dive into the USD0++ depeg.
MEV resources by The Daily Ape.
Leader Rotation Is Not Enough: Scrutinizing Leadership Democracy of Chained BFT Consensus.
Knowledge Migration Framework for Smart Contract Vulnerability Detection.
Leveraging Large Language Models and Machine Learning for Smart Contract Vulnerability Detection.
Privacy-Preserving Smart Contracts for Permissioned Blockchains: A zk-SNARK-Based Recipe Part-1.
Tools
EVM Trackooor: Tracking Anything and Everything on EVM Chains by Zellic.
Node Snapshots by Allnodes. A large collection of blockchain node snapshots to quickly sync your nodes to a variety of EVM chains.
Similar Contracts Search by Etherscan.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.