Greetings!
BtcTurk has once again suffered a serious incident with this week’s hot wallet compromise resulting in the loss of $51.7M. This follows a $54M hack in June 2024 and an earlier 2018 incident where its user database was leaked on RaidForums. Two major $50M-plus losses in just over a year point to a troubling pattern and highlight a clear lack of fundamental security controls in their wallet infrastructure.
Speaking of unfortunate hacks, Coinbase inadvertently granted ERC-20 spending approvals to 0x project’s permissionless Settler contract, which is explicitly flagged in their documentation as off-limits. MEV bots immediately swooped in and drained some $550K in various tokens from the fee-collection wallet in mere hours. The news is concerning, as Coinbase is about to open up DEX trading to millions of its retail customers.
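The failure mode in the Coinbase incident is an approval granted from an operational wallet to a contract that anyone can drive. One routine control is to audit ERC-20 Approval events from treasury wallets against an allowlist of vetted spenders and alert on anything else, unlimited approvals first. The script below is an added example, not code from BlockThreat, Coinbase or 0x; the wallet, router and token addresses are hypothetical placeholders, the sample logs are constructed to match the shape of JSON-RPC `eth_getLogs` output, and the only real constant is the standard ERC-20 Approval topic hash.

```python
# Added example: audit ERC-20 Approval events against an allowlist of
# trusted spenders, flagging approvals that point anywhere else.
from dataclasses import dataclass

# keccak256("Approval(address,address,uint256)"), the standard ERC-20 topic0
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1


@dataclass(frozen=True)
class Finding:
    token: str
    owner: str
    spender: str
    amount: int
    reason: str


def topic_to_address(topic: str) -> str:
    """Indexed address topics are left-padded to 32 bytes; keep the low 20."""
    return "0x" + topic[-40:].lower()


def audit_approvals(logs, trusted_spenders, treasury_wallets):
    """Return a Finding for every non-zero approval from a treasury wallet
    to a spender that is not on the allowlist."""
    trusted = {a.lower() for a in trusted_spenders}
    treasury = {a.lower() for a in treasury_wallets}
    findings = []
    for log in logs:
        topics = log.get("topics") or []
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval event
        owner = topic_to_address(topics[1])
        spender = topic_to_address(topics[2])
        amount = int(log["data"], 16)
        if owner not in treasury or amount == 0:
            continue  # other people's wallets, or a revoke (approve(0))
        if spender in trusted:
            continue
        reason = "approval to spender not on allowlist"
        if amount == MAX_UINT256:
            reason = "unlimited approval to spender not on allowlist"
        findings.append(Finding(log["address"].lower(), owner, spender, amount, reason))
    return findings


# Hypothetical placeholder addresses (not real contracts or wallets)
TREASURY = "0x00000000000000000000000000000000000000aa"
TRUSTED_ROUTER = "0x00000000000000000000000000000000000000bb"
PERMISSIONLESS_CONTRACT = "0x00000000000000000000000000000000000000cc"
TOKEN = "0x00000000000000000000000000000000000000dd"
OTHER_USER = "0x00000000000000000000000000000000000000ee"


def make_log(token, owner, spender, amount):
    """Build a constructed log record shaped like eth_getLogs output."""
    def pad(addr):
        return "0x" + addr[2:].lower().rjust(64, "0")
    return {
        "address": token,
        "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
        "data": "0x" + format(amount, "064x"),
    }


# Constructed sample: one safe approval, one revoke, one from a stranger,
# and one unlimited approval from the treasury to a permissionless contract.
SAMPLE_LOGS = [
    make_log(TOKEN, TREASURY, TRUSTED_ROUTER, 1000 * 10**18),
    make_log(TOKEN, TREASURY, PERMISSIONLESS_CONTRACT, 0),
    make_log(TOKEN, OTHER_USER, PERMISSIONLESS_CONTRACT, MAX_UINT256),
    make_log(TOKEN, TREASURY, PERMISSIONLESS_CONTRACT, MAX_UINT256),
]


def run_sample():
    return audit_approvals(SAMPLE_LOGS, [TRUSTED_ROUTER], [TREASURY])


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.reason}: token={f.token} owner={f.owner} spender={f.spender} amount={f.amount}")
```

In production the logs would come from `eth_getLogs` filtered on the Approval topic and the treasury addresses as the indexed owner; the allowlist is the set of contracts the wallet is meant to interact with, and a finding should page someone so the approval can be revoked before a bot finds it.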
A special thanks to this week’s sponsor Coinspect.
Coinspect’s Wallet Security Ranking is an objective, transparent, and regularly updated evaluation of leading cryptocurrency wallets. It focuses on critical security features like anti-phishing defenses, transaction clarity, and protection against blind signing, helping users choose wallets that prioritize their safety.
Link: https://www.coinspect.com/wallets/
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.
Let’s dive into the news!
News
Hashrate Heist or Hype? by Rekt explores Qubit’s attack on the Monero chain.
Crime
A deep dive into a DPRK IT worker operation after a compromise of one of their machines, a thread by ZachXBT. 30+ identities including Upwork and LinkedIn accounts, extensive use of Google tools, wallets, Telegram channels and plenty of other indicators. A treasure trove of intelligence!
Meet Gerardo Salgado aka Tammy Hans (the old one), a DPRK IT worker who infected himself with Contagious Interview malware, a thread by Narcass3.
Someone just dropped a list of almost 1.4k email addresses used by North Korean IT workers, by StyyK.
Crypto crasher Do Kwon admits guilt over failed not-so-stablecoin that erased $41 billion.
Former Pump.fun Employee Pleads Guilty, Awaits Sentencing for $2 Million Solana Theft.
Treasury Sanctions Cryptocurrency Exchange and Network Enabling Sanctions Evasion and Cyber Criminals. The targeted exchange, Grinex, is a rebrand of the previously sanctioned Garantex exchange.
XSS.IS Silenced! Inside the investigation that shut down one of cybercrime's most feared bazaars by Luca Stivali (Red Hot Cyber).
U.S. seizes $2.8 million in crypto from Zeppelin ransomware operator.
Italian Carabinieri Leverage Chainalysis to Dismantle Illicit Crypto Exchange. The report has an interesting note about Chainalysis writing custom brute-forcing scripts to help recover private keys from fragmented seed phrases.
How Chainalysis Helped Uncover an NCA Officer’s Theft of Seized Bitcoin.
Crypto Investors Accused of Kidnapping in Soho Townhouse. A bizarre kidnapping scheme fueled by crypto excess.
Four people who ransomed Brazilian mother for Bitcoin arrested.
Phishing
A detailed breakdown of a successful phishing attack using a malicious Cursor extension by zak.eth. Interestingly, a similar Cursor extension bundled detailed notes on the malware campaign and its expected revenues.
$636k was lost to an address poisoning scam in which a user sent 140 $ETH to a lookalike address, a thread by Web3 Antivirus.
North Korean Hackers Try to Get Hired at Binance Every Day—Here’s How They're Spotted.
Scams
Malware
Media
bountyhunt3rz - Episode 23 - 0xjuann & 0xspearmint.
Core Memory - How North Korea Infiltrated American Companies With Fake Tech Workers.
Research
Crypto Asset Tracing Handbook by Slowmist.
The Complete Guide to Securing Web3 Projects by Optimum.
How to Hack a Web3 Wallet (Legally): A Full-Stack Pentesting Guide by 0xaudron (Valkyri).
ScamDetect: Towards a Robust, Agnostic Framework to Uncover Threats in Smart Contracts.
Beyond Zero Knowledge: How Fully Homomorphic Encryption Enables Private Shared State by Sam Wong (OpenZeppelin).
Hunting Crits: Aragon's LockToVote Plugin by Patrick Drotleff (Ventral Digital).
How AI-Powered Defense Stopped a $Millions Crypto Scam in Real-Time by Ninja_Dev.
The Invariant Testing Bootcamp was added to the Recon Book.
Top 15 Security Tips for BNB Chain Developers by Paul (Cantina).
Safer Safe Explainer by DeFi Wonderland.
Tools
Save 90% on Report Writing - Guaranteed or Your Money Back! Zero Cool is a new AI tool on the block for DeFi auditors.
AWS Security Scanner by punishell. A tool to scan for AWS security misconfigurations using the AWS CLI and report issues by severity.
Premium Content
The content presented below is intended for personal, non-commercial use only and is protected by copyright laws. Any unauthorized distribution, reproduction, or inclusion of this content in public or commercial products, databases, publications, and other mediums is strictly prohibited without the express written permission of the author.
Hacks
Bebop
Date: August 12, 2025
Attack Vector: Function Parameter Validation
Impact: $20,000
Chain: Arbitrum
Indicators:
Arbitrum: 0x59537353248d0b12c7fcca56a4e420ffec4abc91
References:
https://x.com/SuplabsYi/status/1955230173365961128
https://x.com/SuplabsYi/status/1955601118891057517
https://docs.bebop.xyz/bebop/bebop-api-jam/jam-api-endpoints/manage-approvals
Exploit:
https://arbiscan.io/tx/0xe5f8fe69b38613a855dbcb499a2c4ecffe318c620a4c4117bd0e298213b7619d