Greetings!
The cryptocurrency industry may have just experienced its Stuxnet moment. On June 18th, a pro-Israel threat actor compromised a hot wallet belonging to Nobitex, Iran’s largest crypto exchange. Coming amidst escalating conflict between Israel and Iran, the attack was overtly political, with $90 million in stolen assets sent to wallets with addresses like 1FuckiRGCTerroristsNoBiTEXXXaAovLX. Just as Stuxnet used code to sabotage Iran’s nuclear ambitions, this breach signals a turning point: crypto infrastructure is no longer just financial plumbing, but a strategic national asset and a legitimate target in geopolitical conflict. As blockchain systems become further entangled in the global power structure, a new paradigm is emerging where code is power. And where there is power, there will be adversaries. Nobitex may be the first prominent casualty in a new frontier, where exchanges, validators, and even entire chains become proxy battlefields in an evolving, asymmetric cyberwar. Western platforms like Coinbase, Kraken, Gemini, and others would be naive to think they are immune.
This week also highlighted a troubling trend in phishing and user-targeted attacks. It began with a compromise of CoinMarketCap, where a malicious JavaScript payload with a drainer was injected via a third-party dependency. Soon after, Cointelegraph was also compromised, displaying a crypto drainer popup to unsuspecting users. Last week’s edition focused on the growing threat of supply chain compromises, and it’s disheartening to see this already well-known attack vector being exploited yet again to target end users directly. Theft from users is particularly damaging as it erodes the trust that underpins our ecosystem. And without trust, this industry cannot grow.
Speaking of user trust, be sure to check out the excellent work to uplevel wallet security by this week’s sponsor, Coinspect.
Coinspect’s Wallet Security Ranking is an objective, transparent, and regularly updated evaluation of leading cryptocurrency wallets. It focuses on critical security features like anti-phishing defenses, transaction clarity, and protection against blind signing, helping users choose wallets that prioritize their safety.
Link: https://www.coinspect.com/wallets/
Everyone in blocksec fucks up. It’s part of building in a fast-moving, adversarial, and still-maturing ecosystem. But lately, I’ve noticed a troubling trend: instead of learning from each other’s failures, parts of the community are turning on one another. One recent flame war erupted when a security firm raised valid concerns about the quality of a private audit of a recently compromised protocol. What could’ve been a constructive conversation quickly devolved into public finger-pointing, with the attacker gleefully fueling the drama through onchain taunts. Two more conflicts followed with one involving a private key compromise at a security company and another where a malicious insider exploited a privately disclosed vulnerability. All of these incidents sparked even more accusations, distrust, and taunting.
These incidents are reminders that no one is immune to mistakes. But how we respond matters more than who screwed up. We’re still a small, young industry, and infighting only weakens us while giving attackers exactly what they want. The true villains here are not the audit firms that sometimes should have known better, but the ones who exploit, steal, and burn trust to the ground.
It’s inevitable that we’ll keep fucking up. But if we own our mistakes, support each other through them, and stay focused on the shared mission of securing the ecosystem, we’ll come out stronger.
Before we dive into this week’s flood of phishing attacks and DeFi hacks, a quick word from our sponsor — Oak Security, a trusted auditor behind some of the ecosystem’s most unique protocols and a long-time supporter of this newsletter.
Oak Security has operated in Web3 Security since 2017, providing security services throughout a project's lifecycle. This includes audits, penetration testing, operational security training, and advisory services. Our signature blinded process emphasizes redundancy: Every line of code is reviewed by multiple auditors with a multi-disciplinary background in parallel.
Link: https://www.oaksecurity.io/
Let’s dive into the news!
News
Iranian crypto exchange Nobitex hacked for over $90 million by pro-Israel group.
No, the 16 billion credentials leak is not a new data breach. The massive leak is likely a compilation of multiple password dumps.
‘Sherlock missed it’: Cork hacker slams audit firms in on-chain messages. More drama around the Cork Protocol compromise with the attacker joining the flame war against audit companies.
Fuzzland Security Incident Disclosure & Community Advisory. Reveals a malicious insider at Fuzzland that executed the $2M UniBTC hack in 2024.
Asymmetry team shut down their tBTC oracle to address a vulnerability.
Crime
United States returns over $680,000 in stolen cryptocurrency using civil asset forfeiture. The stolen funds came from the 2023 compromise of Safemoon where $8.9M were stolen. As a reminder, a MEV bot operator frontran the exploit transaction and offered to return stolen funds for a “bounty”. The $680K comprises about half of what is explicitly called out as an extorted ransom.
Monero: Why It May Fall Short as a Money Laundering Tool by Nefture Security.
ZachXBT slams Bitcoin bridge Garden Finance for laundering hacked funds.
DOJ moves to seize $225 million in crypto stolen by scammers.
France hit by 10th crypto ‘wrench attack’ of 2025 as kidnappers target 23-year-old near Paris.
TikTok crypto trader freed after kidnappers realized he’s broke.
Authorities saw open Bitcoin ATM to recover scammed money — almost $32,000 seized from machine.
BitoPro exchange links Lazarus hackers to $11 million crypto heist.
Teen in $245M Bitcoin heist loses bond after new $2M crypto theft.
South Korean crypto CEO acquitted of $650 million fraud charges, months after stabbing incident.
Phishing
Trezor issues phishing alert after attackers abuse support contact form to send scam emails.
Cointelegraph Website Hacked in Fake Airdrop Phishing Attack.
CoinMarketCap briefly hacked to drain crypto wallets via fake Web3 popup.
Feeling Blue(Noroff): Inside a Sophisticated DPRK Web3 Intrusion by Huntress.
The Discord Invite Loop Hole Hijacked for Attacks by CheckPoint Research.
Beginner’s Guide to Web3 Security: Common Hardware Wallet Pitfalls by Liz (SlowMist).
Latest physical ledger phishing campaign report by PixOnChain.
Tricking the Neo Tokyo hacker to return stolen NFTs by Firestorm. Here is the backdoored contract used in the recovery. Nice!
Scams
The $50M Crypto Scam Nobody Is Talking About by darwizznft.
Crypto casino Luckio under fire for shady code, $500K influencer deals. Multiple allegations of the casino’s Proov Protocol being unfair.
How 'MapleStory N' Is Fighting Back Against Thousands of Hackers.
Malware
Famous Chollima deploying Python version of GolangGhost RAT by Vanja Svajcer (Cisco Talos). A new variant of the malware family used in fake job interviews targeting crypto industry.
DPRK IT Worker-Related Account Takeover by blackbigswan (Ketman). A deep dive into the takeover of Keeper-Wallet (Waves Wallet).
Resurgence of the Prometei Botnet by Unit 42 Palo Alto. Yet another cryptojacking campaign.
Media
bountyhunt3rz - Episode 17 - lonelysloth.
Offbeat - 0xProfiles - Riley Holterhus.
Research
Historical web3 contest payouts analysis by wellbyt3.
Advanced Foundry Cheatcodes Series (Part 1, Part 2, Part 3, Part 4) by Three Sigma.
Permanent Chain Split in Movement Full Node: Anatomy of a $6,710 Critical Vulnerability That Required a Hard Fork by Yunus Emre Sarıtoprak.
Subgroup Pitfalls in zk-Proofs and Real-World Exploits by Hexens.
What Are BLS Signatures and How Do They Work? by Sylvain Pelissier (Zellic).
Pairing-Based Cryptography Demystified: A Deep Dive into Elliptic Curves by Fuzzing Labs.
Unexpected security footguns in Go's parsers by Vasco Franco (Trail of Bits).
zkMixer: A Configurable Zero-Knowledge Mixer with Anti-Money Laundering Consensus Protocols.
Consensus Power Inequality: A Comparative Study of Blockchain Networks.
Explain First, Trust Later: LLM-Augmented Explanations for Graph-Based Crypto Anomaly Detection.
Cross-Chain Arbitrage: The Next Frontier of MEV in Decentralized Finance.
Tools
Quimera by Gustavo Grieco. Data-driven exploit generation for Ethereum smart contracts using LLMs and Foundry.
Solodit MCP Server by Lyuboslav Lyubenov. A Model Context Protocol (MCP) server for searching and retrieving Solodit vulnerability reports.
PoC of Ethereum Proxy Contract Analysis & Exploitation Pipeline by Thomas EDET. Detects common issues in EIP1967 transparent proxy initialization.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.