Blockchain Threat Intelligence

BlockThreat - Week 20, 2025

Coinbase | Curve | Xinbi | BrincFi | Zunami

May 21, 2025
Greetings!

More than $2.6M was stolen from DeFi projects across eight incidents this week. However, we’re focusing on a much more troubling case: a malicious insider breach at Coinbase—a sobering case study for anyone in security. But first a quick word from this week’s sponsor - Recon.


Get a Recon Invariant Audit: a powerful testing suite plus world-class auditors to catch what others miss. Open-source, no vendor lock-in, and proven to find severe bugs. Before spending millions on audits, invest in tests that evolve over time, catch bugs, and keep them from coming back. Use promo code BLOCKTHREAT for a 5k discount on your first engagement.

See our portfolio: https://getrecon.xyz/blockthreat


In a May 14 SEC 8-K filing, Coinbase disclosed it had received a $20M ransom demand from a threat actor who had obtained a significant amount of sensitive customer data and internal documentation. The company traced the breach to customer support agents based in India who had been bribed by the actor.

The leaked data includes customer names, the last four digits of Social Security numbers, masked bank account numbers, government ID images, account balances and transactions, and internal documentation. According to Brian Armstrong, Coinbase began notifying affected customers as early as April 11, 2025. Unfortunately, the stolen data has already been used in targeted social engineering attacks.

The exact financial impact to users hasn’t been disclosed, but Coinbase announced plans to spend up to $400M on customer reimbursements and incident remediation—pointing to a likely impact in the hundreds of millions.

In DeFi, $100M+ hacks surface almost instantly. Even attacks over $100K often draw rapid, public investigations by the community. Not so in CeFi. According to ZachXBT, scammers were using highly detailed personal info to target Coinbase customers as far back as December 2024. Reports of widespread customer theft steadily increased, culminating in the ransom email that finally triggered public disclosure. If these attacks had been going on for months, why did it take a ransom demand to bring them to light? How many customers would have been saved by earlier guidance on the incident and on customer support scams?

The ransom email reportedly arrived right after the S&P 500 listing announcement—a moment when companies have a strong incentive to avoid negative news. It’s worth noting that Uber’s CISO was recently criminally charged and sentenced for concealing a breach. Instead of risking the same, Coinbase went public—then offered a $20M bounty for information leading to the attackers’ arrest, along with a video statement from Brian Armstrong.

Was this a publicity move? Maybe. The DoJ is already investigating, and it’s likely they’ll be the ones to catch the perpetrators. Still, public contributions could help.

As ZachXBT noted, the most likely culprits include scammer groups in India and individuals linked to APT groups like The Com and Scattered Spider (aka 0ktapus). Recent arrests show these actors are often US or EU-based, in their late teens or early 20s, and specialize in social engineering. I personally received one of these “Coinbase security” calls. The flawless American accent and young-sounding voice were striking.

Expect to see more names and arrests in the Crimes section of this newsletter. Until then, stay extra vigilant—both online and offline.

Key takeaways from the incident

  • Security incidents happen. Disclosing them—and your response—is a sign of maturity that helps the broader ecosystem.

  • Outsourcing support is fine, but only with strict access controls and monitoring.

  • Assume a malicious insider already works for you. What controls do you have to detect and stop them? Can your project survive a single bad actor?

  • Train employees regularly on phishing and social engineering threats.

Oh, and be sure to check out this week’s sponsor to brush up on your opsec practices:


Is your team safe from sophisticated threat actors?

More than 98% of stolen funds in the Web3 ecosystem are hacked without breaking code but by breaking people. Opsek will train your team to become paranoid, and harden your complete operational security stack.

You are already a target, don't get rekt.

Link: https://opsek.io/


Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.


Let’s dive into the news!

News

  • Announcing the Trillion Dollar Security Initiative by Ethereum Foundation. The project will be led by Fredrik Svantes and Josh Stark, with support from samczsun, Mehdi Zerouali, and Zach Obront. Consider contributing by filling out the form in the link above.

  • Blockchain Security Standards Council Publishes First Four Security Standards.

  • Coinbase data breach exposes customer info and government IDs. In the recent 8-K filing, Coinbase estimated $180 - $400M in remediation and compensation costs. The hack was disclosed after a threat actor demanded $20M to keep the incident quiet.

  • Sonic Labs secures court order to liquidate Multichain Foundation to recoup losses from $210 million exploit.

  • World's first CPU-level ransomware can "bypass every freaking traditional technology we have out there" — new firmware-based attacks could usher in new era of unavoidable ransomware.

  • Q1 2025 Crypto Hacks Report: Breakdown of Tactics, Targets, and Timing by Global Ledger.

Crime

  • Alabama Man Sentenced to 14 Months in Connection with Securities and Exchange Commission X Hack that Spiked Bitcoin Prices.

  • North Korean IT Workers Are Being Exposed on a Massive Scale. Although they have been branching out to remote civil engineering gigs as well.

  • Exposing DPRK’s Cyber Syndicate and Hidden IT Workforce by DTEX.

  • False Complaints: Criminals Working To Free Frozen Funds by Zero Shadow.

  • The New Era of Organized Crime by vxdb. The story of Malone Lam aka Greavys and his multi-million crypto crime spree. An additional 12 individuals were recently charged in a RICO conspiracy related to the case.

  • Xinbi: The $8 Billion Colorado-Incorporated Marketplace for Pig-Butchering Scammers and North Korean Hackers by Elliptic. The Telegram-based marketplace has since been taken down.

  • Armed gang tries to kidnap crypto CEO's daughter, grandson in central Paris. In a terrifying video, the victims were seen fighting off the attackers. The incident is the latest in a series of physical attacks on the crypto community in France. France’s interior minister will meet with crypto leaders to address the crime wave.

  • Crypto High-Rollers Go Big on Bodyguards to Deter Kidnappers.

  • Europol raids $24 million ‘mafia crypto bank’. The raid led to the arrest of 17 individuals and seizure of €4.5M.

  • South Korean Woman Jailed for Stealing $500,000 in Crypto From Sleeping Boyfriend.

  • Hong Kong police arrest 12 suspected of laundering $15 million through crypto exchange shops.

  • Haishling NFT Founder Accused of Stealing Millions from Investors and Bitcoin Mining Venture.

Policy

  • Roman Storm Re-Petitions Court To Compel FinCEN Communications.

  • UK crypto firms told to report every user and transaction or risk stiff penalties.

Phishing

  • Curve Finance Hit by DNS Record Attack, Warns Users to Avoid Main Site.

  • Wallet drainers just got deadly efficient by WiiMee.eth. First instance of drainers abusing the smart accounts introduced in the Pectra update.

  • A few hours ago I hacked a group of crypto scammers impersonating Coinbase Support by NanoBaiter.

  • Reports of a phishing campaign targeting security researchers with fake requests for security audits.

  • Reports of a phishing campaign abusing expired Discord links.

  • The Fake Ledger That Stole Everything. Counterfeit hardware wallets install an app used to drain wallets.

  • ZKsync X hacker posts false SEC probe in apparent effort to crash token.

  • Zoom/Telegram Deepfake Attack Vector Rises: Crypto Founders Targeted.

Scams

  • Crypto’s $3.2 Trillion Scam: Just 489 People Behind Massive Telegram Pump-and-Dump.

  • Tether Freeze Gap Becomes Laundering Loophole for Criminals by AMLBot. The 44-minute delay doesn’t sound so bad compared to USDC.

Malware

  • Sit, Fetch, Steal - Chihuahua Stealer: A new Breed of Infostealer by G Data.

Media

  • bountyhunt3rz - Episode 13 - 0xsimao.

  • Project Glitch: Samczsun on Crypto Security & SEAL's Mission. A deep dive into the web3 security challenges and future.

  • 0xProfiles - Patrick Collins.

  • ‘You build your own wall’: OfficerCIA on the ethics and fallout of web3 security.

Contests

  • Zero Trust. Social-engineering games based on real-world attacks.

  • RACE #40 Of The Secureum Bootcamp Epoch∞ write up by patrickd (Ventral). Another great race with a focus on multisig signing and opsec.

Research

  • The Crypto OpSec Bible by Omar.

  • Wonderland Handbook. A curated guide to our best practices, processes, and technical insights including multisig, internal reviews, and others.

  • Key Management Standard, version 1 by Mark Nesbitt (Turnkey), Akshar Rawal (Coinbase), John Kemp (BSSC) developed as part of the Blockchain Security Standards Council.

  • Secure dApps Against UI Spoofing (Part 1): Decoding Transactions by Valentina Rivas (Cyfrin).

  • Secure dApps Against UI Spoofing (Part 2): Simulating Transactions by Valentina Rivas (Cyfrin).

  • Web2: The Hidden Layer of DeFi Risk by Guardian.

  • Nitron Exploit Post-Mortem: What Happened, What Was Lost, and What’s Next.

  • Project Glitch - How Samczsun is bridging the old web to the dark forest.

  • Comprehensive Update: SlowMist’s Solana Smart Contract Security Best Practices.

  • The cryptography behind passkeys by Joop van de Pol (Trail of Bits).

  • Solana: The hidden dangers of lamport transfers by Nicola Vella (OtterSec).

  • Enumerating All 69,788,231 Ethereum Contracts by Rainier Wu (Zellic).

  • Chrome Extension Security by Neplox. A comprehensive overview of attack vectors.

  • Understanding and Characterizing Obfuscated Funds Transfers in Ethereum Smart Contracts.

  • DMind Benchmark: Toward a Holistic Assessment of LLM Capabilities across the Web3 Domain.

  • FIRST: FrontrunnIng Resilient Smart ConTracts.

  • Timestamp Manipulation: Timestamp-based Nakamoto-style Blockchains are Vulnerable.

  • BM-PAW: A Profitable Mining Attack in the PoW-based Blockchain System.

  • Detecting Sybil Addresses in Blockchain Airdrops: A Subgraph-based Feature Propagation and Fusion Approach.

  • Correlating Account on Ethereum Mixing Service via Domain-Invariant feature learning.

Tools

  • DNS Monitor Bot by wavey0x. A simple-to-configure, pre-built Cloudflare Worker that monitors DNS records for any list of user-specified domains and sends notifications via Telegram when changes are detected.

  • Alloy 1.0 - Rust toolkit for the EVM.
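The core check a monitor like DNS Monitor Bot performs, and the kind of detection that would have flagged the Curve DNS incident above, is a diff of each domain's current records against the last stored snapshot. The example below is added here and is not the bot's own code: it assumes a `resolve(domain, type)` function supplied by the caller (a real Worker would query DNS-over-HTTPS), uses a constructed placeholder domain, and treats the first run as baseline-only so a fresh deployment does not alert on every record.

```javascript
// Added example, not DNS Monitor Bot's code. Detects DNS record changes for a
// watchlist of domains; alerts are returned as strings for the caller to send
// (e.g. to Telegram). The resolver is injected so this runs offline on
// constructed data.

const WATCHLIST = ['example-dapp.invalid']; // constructed placeholder domain

// Normalise a record set so ordering, case and whitespace never cause false alerts.
function normalise(records) {
  return [...new Set(records.map((r) => r.trim().toLowerCase()))].sort();
}

// Compare a stored record set with freshly resolved answers for one domain/type.
// Returns null when nothing changed, otherwise the added and removed values.
function diffRecords(previous, current) {
  const before = normalise(previous);
  const after = normalise(current);
  const added = after.filter((r) => !before.includes(r));
  const removed = before.filter((r) => !after.includes(r));
  if (added.length === 0 && removed.length === 0) return null;
  return { added, removed };
}

// One monitoring pass: resolve every watched domain/type, diff against the
// stored snapshot, and return alert messages plus the snapshot to store next.
// A key with no stored snapshot is treated as baseline and does not alert.
function runCheck(snapshot, resolve, domains = WATCHLIST, types = ['A', 'NS']) {
  const alerts = [];
  const next = {};
  for (const domain of domains) {
    for (const type of types) {
      const key = `${domain}/${type}`;
      const current = resolve(domain, type);
      next[key] = normalise(current);
      if (snapshot[key] === undefined) continue; // first observation, baseline only
      const change = diffRecords(snapshot[key], current);
      if (change) {
        alerts.push(`${key}: added [${change.added}] removed [${change.removed}]`);
      }
    }
  }
  return { alerts, snapshot: next };
}
```

Watching NS records alongside A records matters because a hijack at the registrar or DNS provider often shows up first as a nameserver change rather than a new IP.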


Premium Content

This post is for paid subscribers

© 2025 Peter Kacherginsky