Greetings!
About $91.4M was stolen across 12 incidents this week, with the majority of losses stemming from a single phishing attack against a user who fell victim to an impersonated exchange and wallet support. Hopefully these bad actors meet the same fate as their predecessors who tried similar tactics exactly a year ago.
Meanwhile, it looks like someone has taken notes from the recent EIP-1967 proxy hijacking spree and is now actively hijacking contracts on Base. A reminder to always initialize contracts atomically, in the same transaction as the contract creation.
Woo X published a detailed post-mortem on the July 24 incident, detailing how Lazarus compromised a developer machine and moved laterally through the environment before draining $14M from nine user accounts. It’s a useful case study for building stronger threat models and defenses.
And speaking of threat models, a new iOS 0day is being actively exploited against select users. Combined with the recently posted $20M bounty for zero-click mobile exploits, this should be on your radar, especially if you rely on managed wallet infrastructure. What additional defensive layers can you add to ensure you sleep well at night, even if a signer or two is compromised?
A special thanks to this week’s sponsor Coinspect.
Coinspect’s Wallet Security Ranking is an objective, transparent, and regularly updated evaluation of leading cryptocurrency wallets. It focuses on critical security features like anti-phishing defenses, transaction clarity, and protection against blind signing, helping users choose wallets that prioritize their safety.
Link: https://www.coinspect.com/wallets/
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.
Let’s dive into the news!
News
Secret Backdoor: SEAL Issues Advisory on Domain Hijackings. Please don’t expose your users by using easy-to-hijack “discount” registrars.
New zero-day startup offers $20 million for tools that can hack any smartphone. Consider the listed price in your threat model. Would an attacker spend $20M to gain access to a few of your multisig signers’ phones or laptops?
Apple Patches CVE-2025-43300 Zero-Day in iOS, iPadOS, and macOS Exploited in Targeted Attacks. The exploit requires no user interaction, triggered simply by sending a specially crafted image to a vulnerable device.
DOM-Based Extension Clickjacking Exposes Popular Password Managers to Credential and Data Theft.
Mid-Year 2025 Crypto Crime Report by Blockscope Research.
U.S. Government Wallet Adds $332,000 Ether From Coinbase After DeFi Hack Seizure. Funds are tied to the massive $57M compromise of Uranium Finance back in 2021.
Qubic community, Monero’s 51% attacker, votes to target Dogecoin next. That one is going to be tricky, since Dogecoin benefits from Litecoin’s merge mining, so the latter would become a target as well.
Trillion Dollar Security - Phase 2. The next phase of the Ethereum Foundation’s effort to secure the ecosystem, starting with UX and wallet-related threats. One such effort is Walletbeat, a wallet security ranking directory.
Crime
APT Down - The North Korea Files by Saber and cyb0rg featured in Phrack 72. Yet another leak and a deep dive into a toolbox of a North Korean threat actor including analysis of backdoors, rootkits, access, etc.
Scattered Spider Hacker Gets 10 Years, $13M Restitution for SIM Swapping Crypto Theft.
African authorities dismantle massive cybercrime and fraud networks, recover millions. Operation Serengeti 2.0 targeted illegal crypto mining centers among other criminal enterprises.
US bill proposes 21st-century privateers to take on cybercrime.
Kroll faces class-action suit as FTX creditors allege daily scam emails.
Justice Department Announces Seizure of Over $2.8 Million in Cryptocurrency, Cash, and other Assets. The seizure comes from the operator of Zeppelin ransomware who was trying to launder funds through the recently seized ChipMixer.
Legislated Sanctions Evasion: How the Garantex Rebrand, Grinex, and the Ruble-Backed Token, A7A5 Have Shaped Russia’s Shadow Crypto Economy by Chainalysis.
Scammer Poses as UK Police, Steals $2.8M in Bitcoin From Hardware Wallet.
Policy
Phishing
Someone lost ~$1.54M due to signing EIP-7702 phishing batch transactions by Scam Sniffer.
$582K Stolen from Two Wallets Over the Weekend using silent approvals by Web3 Antivirus.
Invisible Prompts by Rekt. Fake extensions, prompt injections, supply chain compromises and other perils of the brave new AI world.
Reports of a malicious VSCode Cursor AI extension campaign targeting cryptocurrency holders by vx-underground.
Threat Intelligence: Clickfix Phishing Attack by SlowMist.
Scams
At least 94% of the new Kanye token is insider-owned - 87% of the new Kanye token was owned by a single multisig (now dispersed to multiple wallets) by Conor (Coinbase).
As he builds US power, Justin Sun fights to control his story by Molly White (Citation Needed).
Malware
The Ghost in the Machine: The Complete Dossier on TA-NATALSTATUS and the Cryptojacking Turf War by Abhishek Mathew (CloudSEK).
DNSFilter Research Finds Bad Actors Using Fake CAPTCHAs for Malware Attempts by DNSFilter.
Infostealer targets Russian crypto developers by Paul McCarty (Safety).
Media
The Web3 Security Podcast - Security lessons from the oldest bug bounty program w/ Fredrik Svantes (Ethereum Foundation).
Research
Why does Safe (Gnosis Safe) initialization emit two Upgraded() events with different implementation addresses when initializing a proxy token contract. The story of yet another proxy hijacking campaign now on Base.
How does the EVM dispatch smart contract functions? by Trash Pirate.
Pectra's Impact On Smart Contract Security by Toon Van Hove (Sigma Prime).
Weaponizing image scaling against production AI systems by Kikimora Morozova, Suha Sabi Hussain (Trail of Bits). Not strictly web3 but interesting nonetheless.
The solution to crypto’s Lazarus problem could be simpler than expected. Guardian nodes with a timelock allow good actors to cancel a malicious proposal before it is executed.
You’re Probably Using WebViews Wrong: Common Security Pitfalls for Mobile Developers by Bryce and Philip (Zellic).
Move for Solidity Developers IV: Cross-Contract Call by CertiK.
Emergency EIP-7702 Wallet Recovery by Bahador Gh.
Ethereum Crypto Wallets under Address Poisoning: How Usable and Secure Are They?
Tools
Echidna Enters a New Era of Symbolic Execution by Gustavo Grieco.
Open-sourcing Wake AI: the first structured framework for AI-driven security analysis by Wake Framework (Ackee).
Walletbus: Connect a shell terminal to your browser for web3 wallets like MetaMask.
VSDeer - Extension Security Scanner for VS Code, Cursor & Windsurf.
Premium Content
The content presented below is intended for personal, non-commercial use only and is protected by copyright laws. Any unauthorized distribution, reproduction, or inclusion of this content in public or commercial products, databases, publications, and other mediums is strictly prohibited without the express written permission of the author.
Hacks
Unkn_664201
Date: August 18, 2025
Attack Vector: Reward Manipulation
Impact: $3,000
Chain: BSC
Indicators:
Ethereum: 0x48234fb95d4d3e5a09f3ec4dd57f68281b78c825
References:
https://x.com/TikkalaResearch/status/1957500585965678828
Exploit:
https://bscscan.com/tx/0x81fd00eab3434eac93bfdf919400ae5ca280acd891f95f47691bbe3cbf6f05a5