Greetings!
This week saw a handful of hacks totaling just under $700K in losses. A notable trend is emerging in on-chain exploitation: the BSC chain has essentially become a hunting ground for bad actors targeting small TVL projects. These attackers even send messages congratulating one another for being the first to discover and exploit vulnerabilities.
Despite this trend, the majority of losses still originate from the Ethereum mainnet, which continues to attract serial exploiters. For example, the $200K UniLend hack not only caused significant damage but also inspired several copycat attacks.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
In other news, Sony experienced a hard lesson in decentralization. Their attempt to censor tokens and transactions on their sequencer backfired when it became evident that transactions could still be submitted directly through L1.
Oh and be sure to check out a great new podcast for bug hunters in the Media section below. Let’s dive into the news!
News
Sony's Soneium blockchain faces backlash over alleged blacklisting of memecoins on launch day. Interestingly, folks were still able to get transactions included in the L2 thanks to OP Stack’s censorship resistance feature.
US, Japan and S. Korea urge crypto industry to take action against North Korean hackers.
Crime
Illicit Volumes Portend Record Year as On-Chain Crime Becomes Increasingly Diverse and Professionalized by Chainalysis.
Chat Log Investigation: Actor Wang Xing’s Kidnapping Incident by SlowMist.
Marko Polo Traffer Team Blockchain Analysis by Zero Shadow.
$1.1M Penalty Slammed on Mosaic Exchange in Crypto Fraud Scandal.
FBI Foils 'Goons' Who Plotted to Kidnap Jeweler and Steal $2 Million in Crypto.
‘A thief and a crooked cop’: L.A. deputy committed crimes for crypto mogul, feds say.
Policy
Helium founder says company will defend itself 'vigorously' against SEC lawsuit. The last SEC lawsuit of the outgoing administration.
SEC Imposes $38 Million Penalty on Digital Currency Group for Negligence.
South Korea’s Upbit exchange hit with business suspension penalty.
Phishing
Crypto industry alarmed as 7 million OpenSea email users’ leak resurfaces.
Malware
Reports of malware in Google sponsored links when searching for Homebrew packages.
Research
Logic Meets Magic: LLMs Cracking Smart Contract Vulnerabilities.
SoK: Design, Vulnerabilities, and Security Measures of Cryptocurrency Wallets.
Cybersecurity Best Practices for Hedge Funds Dealing with Crypto Assets.
How To Define Invariants by Nican0r (Recon).
Sampled Public Audit Reports by OtterSec. Unlike other repos this one has coverage for Cosmos, Solana, and other chains.
How to: Get to Know iPhone Privacy and Security Settings by EFF.
The Fuzzing Book by Andreas Zeller, Rahul Gopinath, Marcel Böhme, Gordon Fraser, and Christian Holler. The book addresses the cost of software testing by automating it, specifically by generating tests automatically.
Media
Bountyhunt3rz Podcast - Episode 2 - 100proof. riptide & 100proof discuss bounty negotiation tactics, human behavior, incentives, acting in good faith, and why bounty hunters must be paid. 100proof treats listeners to a detailed walkthrough of a juicy bug he found in Morpho.
Bountyhunt3rz Podcast - Episode 1 - deadrosesxyz. riptide & deadrosesxyz discuss hunting for bugs on the blockchain, including techniques, secrets and tools of the trade, integrating LLMs into your workflow, getting paid, traits of a bounty hunter, and how Bulgarian teenagers are taking over the space.
Tools
Weird ERC721 Tokens by abarbatei.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.