Blockchain Threat Intelligence

BlockThreat - Week 32, 2025

Tornado Cash | CrediX | Numa | DPRK

Peter Kacherginsky
Aug 28, 2025

Greetings!

Tornado Cash remains at the center of regulatory battles, with developers and researchers facing mounting legal risks across borders. Roman Storm was convicted of unlicensed money transmission, a charge in direct conflict with recent federal precedent affirming that noncustodial DeFi developers should not be treated as money transmitters. At the same time, Turkey nearly repeated the Tigran Gambaryan playbook by detaining Federico Carrone, an incident defused only after swift international pressure. Together, these cases highlight the escalating legal dangers facing anyone working in the crypto privacy space.

Google just released a detailed report on the tactics used by a DPRK threat actor to breach the backend infrastructure of cryptocurrency projects, including the Safe Wallet compromise. Some high-level TTPs:

  • Initial vector is social engineering that leads the target to execute a malicious Docker container.

  • Social engineering occurred over Telegram and LinkedIn (job offer).

  • Installed credential-stealing malware.

  • Bypassed cloud MFA through admin access and stolen session cookies.

  • Injected malicious JS to subvert key signing by the quorum.

Key technical controls that failed in the two case studies:

  • Failed endpoint detection.

  • Insecure cloud credentials.

  • Insecure processes for code review and CI/CD pipelines.

It’s time to train up personnel to recognize the latest social engineering tactics and harden infrastructure before these gaps are exploited.

Speaking of user security, be sure to check out this week’s sponsor Coinspect.


Coinspect’s Wallet Security Ranking is an objective, transparent, and regularly updated evaluation of leading cryptocurrency wallets. It focuses on critical security features like anti-phishing defenses, transaction clarity, and protection against blind signing, helping users choose wallets that prioritize their safety.

Link: https://www.coinspect.com/wallets/


Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.


Let’s dive into the news!

Contests

  • Wintermute Alpha Challenge 2025. Challenge your abilities to analyze DeFi exploits, onchain execution, and markets.

News

  • Roman Storm Found Guilty of Unlicensed Money Transmission Conspiracy.

  • Developer Arrested Over Tornado Cash Research. Federico Carrone was released after 24 hours following an overwhelming international intervention from the UAE, UK, US, countries across the European Union, Argentina and the Catholic Church. A good ending to what could have been a Tigran Gambaryan-style incident.

  • AIxCC finals: Tale of the tape. Discusses various approaches to AI automatic bug finding and patching for DARPA’s AI Cyber Challenge competition.

  • Coinbase Base network halts for 44 minutes due to ‘unsafe head delay’.

  • Cracking the Vault: how we found zero-day flaws in authentication, identity, and authorization in HashiCorp Vault by Yarden Porat (Cyata).

  • Cloud Threat Horizons Report by Google Cloud Security has an interesting section, North Korea’s Social Engineering Leading to Cloud Compromises and Cryptocurrency Thefts, with detailed TTPs used by a DPRK threat actor tracked as UNC4899 (TraderTraitor) to social engineer their way into crypto projects’ infrastructure, including Safe/Bybit, DMM Bitcoin and many others.

  • Cursor Remote Code Execution Vulnerability (CVE-2025-54135).

  • Coinbase's Base network resumes normal block production after temporary halt.

Crime

  • FT3: Fraud Tools, Tactics, and Techniques Framework by Stripe. An ATT&CK-style security framework, specifically designed to enhance understanding of the tactics, techniques, and procedures (TTPs) used by actors in fraudulent activities.

  • How North Korean IT workers leverage AI and vulnerable Americans to infiltrate US companies.

  • Leak Reveals the Workaday Lives of North Korean IT Scammers by Matt Burgess (Wired).

  • This man used a Coinbase-like URL — Now he’s facing a major lawsuit.

  • Meta Removes 6.8 Million WhatsApp Accounts Linked to Pig Butchering Scam Rings.

  • WNBA sex toy incidents started by Crypto meme coin group.

Policy

  • Six months of crypto policy: The good, the bad, and the lingering questions by Peter Van Valkenburgh (Coin Center).

  • SEC-Ripple enforcement case to end after motion to drop appeals.

Phishing

  • MetaMask Security Report: July 2025 by Luker (Metamask).

  • Reports of a malicious VSCode extension from juan-blanco designed to load additional payloads from a C2 server.

  • Threat Intelligence: Uncovering a Web3 Interview Scam by Joker & Ccj (SlowMist).

  • North Korean Hackers Are Using Fake Job Offers to Breach Cloud Systems, Steal Billions in Crypto.

  • The address 0x2d98...6695 has fallen victim to a phishing attack, resulting in a loss of 3.05M $USDT by Peckshield.

  • An EIP-7702 upgraded address lost $66k to phishing using batch transfers disguised as Uniswap swaps by Scam Sniffer.

  • Aave Users Targeted by Google Ads Phishing Scam After $60B Milestone.

  • 15,000 Fake TikTok Shop Domains Deliver Malware, Steal Crypto via AI-Driven Scam Campaign.

Scams

  • Abracadabra by Rekt. Follows the story of Abra Global and its many locked-out international customers.

  • CrediX Finance Faces 4.5M Exploit (Exit Scam Analysis) by QuillAudits.

  • Solana Labs and Jito Labs served Pump Fun lawsuit.

Malware

  • GreedyBear: 650 Attack Tools, One Coordinated Campaign by Koi Security. The report reveals a massive campaign of 150 weaponized Firefox extensions that stole $1M in cryptocurrency assets.

  • Smart Contract Scams - Ethereum Drainers Pose as Trading Bots to Steal Crypto by Sentinel One. More than $900K stolen according to the report.

  • Scammers mass-mailing the Efimer Trojan to steal crypto by Artem Ushkov (Kaspersky).

  • Threat actor uses AI to create a better crypto wallet drainer by Paul McCarty (Safety). A deep dive into a malicious npm package downloaded 1,500 times.

  • GitLab uncovers Bittensor theft campaign via PyPI by GitLab.

  • 60 Malicious Ruby Gems Used in Targeted Credential Theft Campaign by Kirill Boychenko (Socket).

Media

  • Roman Storm Found Guilty: What Does the Money Transmission Conviction Mean? by Rage.

  • Live on X with QuillAudits: Decoding 2025's biggest web3 hacks - lessons & trends by Guardrail.

  • bountyhunt3rz - Episode 22 - mackenzie.

  • Rektoff - Symbolic Execution for Software Security: Practical Guide with publicqi.

  • Rektoff - Advanced Solana Vulnerabilities with r0bre.

  • Rektoff - Fuzzing Solana Programs with Trident (by Ackee).

  • Rektoff - Solana security audits: what to do & what not to do with David (Oshield).

  • Zokyo - Differential Testing Workshop with Mahmoud Fathy.

  • Zokyo - Oracle Security Workshop with Jose Zokyo.

  • The Network Podcast - Using AI as you're learning to audit with Josselin Feist.

  • Secure Your ZK Code: Best Practices for Devs & Auditors by rxyz.

  • ERC-4626 Vaults & the Inflation Attack Vector by Akshay (QuillAudits).

  • COSCUP 2025 Slide Decks hosted by DeFiHackLabs with coverage of Unphishable, use of AI in smart contract audits, and various ERC standards.

Research

  • The Ultimate Web3 Security Checklist by Digibastion. A comprehensive checklist including personal, devops, mobile, browser, and other security topics.

  • The Notorious Bug Digest #4: Deflationary Token Risks, ERC4626 Override Gaps, and Rust Shift Overflows by Ionut-Viorel Gingu & Jainil Vora (OpenZeppelin).

  • AI Auditing Benchmark: A Primer by Antonio Viggiano.

  • Secure Contract Development in TON: Top 9 Pitfalls in Tact & FunC by Paul (Cantina).

  • Writing Verification-friendly Smart Contracts in Rust by Chandrakana Nandi (Certora).

  • ERC721's _safeMint can be exploited to bypass supply limits and drain NFT collections by Wake Framework.

  • The Real Minimal Proxy - Powered by EIP-7702 by ChainSecurity.

  • Understanding Auto Market Makers for bug bounty by Thomas EDET.

  • ZK Math 101: Rings and Fields by Ciara Nightingale (Cyfrin).

  • Prompt to Pwn: Automated Exploit Generation for Smart Contracts.

  • NATLM: Detecting Defects in NFT Smart Contracts Leveraging LLM.

  • MultiCFV: Detecting Control Flow Vulnerabilities in Smart Contracts Leveraging Multimodal Deep Learning.

  • UEChecker: Detecting Unchecked External Call Vulnerabilities in DApps via Graph Analysis.

  • Measuring CEX-DEX Extracted Value and Searcher Profitability: The Darkest of the MEV Dark Forest.

  • Slow is Fast! Dissecting Ethereum's Slow Liquidity Drain Scams.

  • 4-Swap: Achieving Grief-Free and Bribery-Safe Atomic Swaps Using Four Transactions.

  • AI Agent Smart Contract Exploit Generation.

  • Phantom Events: Demystifying the Issues of Log Forgery in Blockchain.

  • Prompt injection engineering for attackers: Exploiting GitHub Copilot by Kevin Higgs (Trail of Bits).

Tools

  • Introducing sol-azy: A CLI Toolkit for Solana Program Static Analysis & Reverse Engineering by Fuzzing Labs.

  • Solana Analyzer by Scab24. A powerful static analysis tool for Solana smart contracts written in Rust. Detect vulnerabilities, security issues, and code quality problems in your Solana/Anchor projects.

  • Buttercup is now open-source! by Trail of Bits.

  • pbctf23-move-vm by publicqi. Move Bytecode Symbolic Execution Engine.

  • Token Risks API by Hexens. Automatically identifies concerning properties such as external calls in transfer functions, balance manipulation, etc., using Glider.

  • FACADE: High-Precision Insider Threat Detection Using Contrastive Learning.

  • ChromeAlone - A Browser C2 Framework by Praetorian.

  • BonkFun Migration Sniper by FuzzLand.


Premium Content

This post is for paid subscribers