Blockchain Threat Intelligence

BlockThreat - Week 29, 2025

BigONE | CoinDCX | Arcadia Finance | Tornado Cash | Silk Road 2.0

Peter Kacherginsky
Jul 21, 2025

Greetings!

It has been a rough week, folks. Almost $75 million was stolen across six separate incidents. Most of the losses came from hot wallet compromises at two exchanges: BigONE with $27 million and CoinDCX with $44.2 million. A key pattern in both cases is that the attackers did not go after the private keys directly. Instead, they took control of the infrastructure responsible for managing those keys. Another shared issue was the delay in notifying users: CoinDCX waited nearly a full day to make a public statement, while BigONE took about half a day. But you cannot quietly move millions onchain without being noticed, so it was the blockchain security community that first flagged these hacks.

Sometimes being too secure can backfire. In the case of Arcadia ($3.6M stolen), strict safeguards designed to protect the protocol made it harder to respond during the attack. Once the protocol had been paused and then unpaused over what appeared to be a false alarm, a cooldown mechanism blocked any further pause. This created a window for the attacker to exploit a critical vulnerability and drain funds without interruption. Although circuit breakers existed, they could only be triggered after the cooldown period ended. In this situation, security controls intended to prevent abuse ended up turning defense into a liability.
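An added illustration of the failure mode described above (hypothetical contracts, not Arcadia Finance's code): a pause controller whose cooldown gates the emergency stop, beside a variant that keeps pausing always available and rate-limits resumption instead. The COOLDOWN value, the single guardian role and the contract names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative only: hypothetical contracts modelled on the failure mode
// described in the newsletter, not Arcadia Finance's code.

// Weak pattern: the cooldown gates pause(), so after a false-alarm
// pause/unpause cycle nobody can stop the protocol until it expires.
contract CooldownGatedPause {
    uint256 public constant COOLDOWN = 1 days;   // assumed value
    address public guardian;
    bool public paused;
    uint256 public lastUnpausedAt;

    constructor() { guardian = msg.sender; }

    modifier onlyGuardian() { require(msg.sender == guardian, "not guardian"); _; }

    function pause() external onlyGuardian {
        // Defect: the emergency stop is unavailable during the cooldown window
        require(block.timestamp >= lastUnpausedAt + COOLDOWN, "cooldown active");
        paused = true;
    }

    function unpause() external onlyGuardian {
        paused = false;
        lastUnpausedAt = block.timestamp;
    }
}

// Hardened pattern: pausing is never gated by a timer; the cooldown
// rate-limits resumption, so a hasty unpause cannot lock out the circuit
// breaker. A guardian who abuses pause() is handled by revoking the role
// through governance, not by timing out the emergency stop.
contract AlwaysPausable {
    uint256 public constant COOLDOWN = 1 days;   // assumed value
    address public guardian;
    bool public paused;
    uint256 public lastPausedAt;

    constructor() { guardian = msg.sender; }

    modifier onlyGuardian() { require(msg.sender == guardian, "not guardian"); _; }

    function pause() external onlyGuardian {
        paused = true;                       // always available
        lastPausedAt = block.timestamp;
    }

    function unpause() external onlyGuardian {
        // Cooldown still prevents flip-flopping, but in the safe direction
        require(block.timestamp >= lastPausedAt + COOLDOWN, "cooldown active");
        paused = false;
    }
}
```

The trade-off is explicit: the hardened variant delays recovery after a real incident but never leaves the protocol unstoppable.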


Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.


Let’s dive into the news!

News

  • Tornado Cash Trial Begins with Discussions around Motions In Limine and Data Custodians and Tornado Cash Trial Day 2: Prosecution and Defense Tell Different Stories about Roman Storm. One witness, Andre Marcus Quiddaoen Llacuna, testified that he used Tornado Cash to launder proceeds from an NFT rug pull, a move that ultimately proved futile, as he still faces up to 20 years in prison.

  • ‘Existential Threat’: Bitcoin Proposal Would Freeze Satoshi’s Quantum-Vulnerable Coins.

  • Mid-Year Crypto Crime Report - H1 2025 by Blockscope.

  • 2025 Crypto Crime Mid-year Update: Stolen Funds Surge as DPRK Sets New Records by Chainalysis.

  • The state of cross-chain crime 2025 by Elliptic.

  • 2025 H1 Report: Crypto Exploits and Security Breaches by QuillAudits.

  • State of Code Security in 2025 by Wiz. Exposed secrets and keys, broken CI/CD, permissions, and other familiar flaws from tradsec.

Crime

  • North Korea Laundered $1 Billion of Crypto in 4 Months. How Industry Leaders Can Change Crypto Freezes and Recovery by ZeroShadow.

  • Former National Crime Agency officer jailed for over 5 years for stealing bitcoin now worth $5.9 million. Paul Chowles stole bitcoin from the Silk Road 2.0 operator, Defcon. It’s an odd repeat of two corrupt agents stealing funds from the original Silk Road just a few years earlier.

  • Following the Frozen: An On-Chain Analysis of USDT Blacklisting and Its Links to Terrorist Financing by BlockSec.

  • How Crypto Money Launderers Unfreeze Flagged Funds on Exchanges by Nefture Security.

  • FBI Tracks 1,610 BTC to Armenian Hacker in Explosive Ransomware Case.

  • Seven crypto ATMs seized and two arrested on suspicion of running illegal cryptoasset exchange by British FCA and the Metropolitan Police Service.

  • Abacus Dark Web Market Possible Exit Scam with the Bitcoin Payments They Hold.

  • DEA, FBI seize $10 million in cryptocurrency 'directly linked to the Sinaloa cartel'.

Policy

  • Trump administration ends Polymarket investigations without charges.

  • GENIUS Act Passes: Who Are the Winners, Losers, and What Comes Next?

Phishing

  • Report of a Trezor phishing campaign by Pablo Sabbatella (OpSek).

  • New North Korean malware targets crypto startups via fake Zoom invites by Ray Fernandez (Moonlock).

  • Dark Partners: Multi-Platform Crypto Theft via Fake AI, VPN, and Software Sites by Wes (Alphahunt).

  • Multiple reports of wallet drains on Solana. Nova issued a statement that their project does not have any apparent vulnerabilities.

Scams

  • 13 Billion RMB Vanished: The Collapse of the Xinkangjia DGCX Scam by Lisa and Keywolf (SlowMist).

Malware

  • Old Miner, New Tricks - H2miner Resurfaces with Lcrypt0rx Ransomware by Akshat Pradhan (Fortinet).

  • CryptoJacking is dead: long live CryptoJacking by Himanshu Anand (C/Side).

  • Contagious Interview Campaign Escalates With 67 Malicious npm Packages and New Malware Loader by Kirill Boychenko (Socket).

Media

  • bountyhunt3rz - Episode 21 - danielvonfange.

  • Electi Security - Block 7 Guest speaker: DevDacian - Smart Contract Heuristics & Auditor Branding.

  • Wallet Security with Patrick Collins and Xavier Hendrickx. A good discussion on present and future wallet security trends.

  • Summercon 2025 - Cracking DePIN: Decentralized Devices, Centralized Disasters.

  • How Echidna inflated 100s of Millions in Voting Power: Writing and Breaking Properties by Alex (Recon).

Research

  • Tokens missent to the 1inch Aggregation Router? Forget about them by Carnontec. About $520K worth of missent funds were quietly drained.

  • The Reentrancy Riddle — Dissecting The Legendary Bug That Changed Ethereum Forever by Shashank Mudgal.

  • Decoding Solidity Metadata by jmcph4.

  • Safe: Ownership Infra Layer For Onchain Applications by c4lvin and JW (Four Pillars).

  • LLAMA: Multi-Feedback Smart Contract Fuzzing Framework with LLM-Guided Seed Generation.

  • Evasion Under Blockchain Sanctions.

  • Measuring CEX-DEX Extracted Value and Searcher Profitability: The Darkest of the MEV Dark Forest.

  • Inside ZKStack's Crosschain Architecture — Part I: A Deep Dive into Merkle Tree Hierarchies by Andrianna Polydouri & Yuguang Ipsen (OpenZeppelin).

Tools

  • Halmos v0.3.0 released. Additions include stateful invariant fuzzing (!), coverage reports, more solver support, and more.

Premium Content

This post is for paid subscribers

© 2025 Peter Kacherginsky