Greetings!
More than $26M was stolen this week across six incidents, with the majority of losses coming from the Bunni exploit ($8.4M) and the Venus user compromise ($13.5M).
Let’s start with a more positive story this time. A user fell into DPRK’s trap after joining a compromised Zoom call, where a malicious client handed over control of their wallets. Normally this would have been yet another grim statistic, but not this time. The attacker’s greed and the swift response of Venus Protocol turned the tide. Within minutes, Venus hit the pause button, freezing the attacker in place while they were still holding the compromised collateral. A new governance proposal was initiated and approved, and the stolen funds were force-liquidated in under 12 hours. The result was a full recovery and a rare happy ending to what is usually a disastrous story.
It’s rare to see novel exploit vectors in DeFi, but the Bunni V2 incident is unfortunately one such example. On September 2, 2025 the protocol lost $8.4M across Ethereum and Unichain due to a subtle flaw in its Liquidity Distribution Function (LDF) rebalancing logic. The mechanism was designed to round conservatively in favor of the protocol, but attackers discovered that by repeatedly forcing pool balances to extreme states (as little as 26 wei) they could accumulate tiny rounding advantages. Iterated over many cycles, those small discrepancies compounded into millions.
Amid all these stories of hacks, it’s worth highlighting the unsung heroes and sponsors of this week’s edition - ChainPatrol. The good folks at ChainPatrol are doing simply amazing work protecting protocols’ brands, fighting the barrage of X phishing attacks, and quickly taking down scammers before they can do real damage.
In other news, Justin Sun was caught red-handed moving massive amounts of WLFI tokens to exchanges and was promptly blacklisted for market manipulation by World Liberty Financial ($100 million total). Despite Sun’s pleas for leniency, mounting a case is tricky when you’re dealing with the U.S. president’s family.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.
An important update about the newsletter. I will be adjusting the paid subscription rates to better support the ongoing research and time that goes into every issue. Starting next month, the premium tier will be increased to $99 per month or $999 per year. I’m deeply grateful to the sponsors and paid subscribers who have made it possible to keep this newsletter running for so many years.
Let’s dive into the news!
News
Widespread Data Theft Targets Salesforce Instances via Salesloft Drift. Bad actors were able to access emails and other sensitive data from Google, Palo Alto, Cloudflare, Tenable, Qualys, Bugcrowd, PagerDuty, and many others.
Eth.limo - Legal Update & Full Summary. Another victim of the Tornado Cash saga with costly legal proceedings, subpoenas, and courts.
Paradigm’s Reth Client Bug Briefly Freezes Ethereum Mainnet Nodes.
Ethereum Layer 2 Kinto shuts down in wake of $1.6 million July exploit.
Coinbase thinks vibe-coding 50% of its platform is a good idea.
Threat Intelligence Report: August 2025 by Anthropic. Includes details on the use of AI by DPRK IT workers and next generation of malware.
Crime
How North Korean hackers are using fake job offers to steal cryptocurrency.
Arkham Finds $5B in Bitcoin Tied to Movie2K Still Unmoved Since 2019.
French Police Detain Seven Following Latest Crypto Kidnap Attempt.
Phishing
Phished Founder, Liquidated Thief by Rekt. A rollercoaster of a $13M theft and recovery through a swift governance action by Venus Protocol.
Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms by Aleksandar Milenkoski (SentinelOne), Sreekar Madabushi (Validin) & Kenneth Kinion (Validin).
Inside the Kimsuky Leak: How the “Kim” Dump Exposed North Korea’s Credential Theft Playbook by DomainTools.
ScamSniffer August 2025 Phishing Report. $12M+ stolen.
Reports of a virulent DPRK fake interview campaign using Willo by Tay.
Hackers are using the ‘classic EIP-7702’ exploit to snatch WLFI.
Dark Web Offers Exploits, AT&T Access, Ledger Scam Kit, and 100K Stolen Cards by SOC Radar.
Profile of 0xAstroBee (@AzurbalaMutant, 1148423802), a serial scammer, by NFT_Dreww.eth.
I just got drained for $996,000 by Alexander Choi. The attack involved a series of fake founder calls related to the Spark ecosystem.
Scams
Billionaire Justin Sun begs Trump-backed World Liberty Financial to unfreeze $100 million crypto stash. More details on what happened.
ZachXBT says over 100 crypto influencers accepted promo deals without disclosing paid ads.
Malware
From PowerShell to Payload: Darktrace’s Detection of a Novel Cryptomining Malware by Darktrace.
Malicious npm Packages Impersonate Flashbots SDKs, Targeting Ethereum Wallet Credentials by Kush Pandya (Socket).
Ethereum smart contracts used to push malicious code on npm by Lucija Valentić (Reversing Labs).
Media
Web3 Security Podcast - How to secure $70 billion in DeFi: Aave's approach to Web3 security with Ernesto Boado (BGD Labs)
CBER Forum - A Structural Model of Automated Market Making with David Cao, Brett H. Falk, Leonid Kogan, Gerry Tsoukalas.
CBER Forum - A Structural Analysis of MEV Boost Auctions with Mallesh Pai.
bountyhunt3rz - Episode 25 - adrian hetman.
Rekt - Episode 1 with Benjamin Samuels
Contests
Wintermute Alpha Challenge write up by Drun.
Research
Launching the Learn EVM Attacks Explorer by Lior Abadi (Coinspect). A curated collection of Foundry attack scripts from real world exploits, bug bounty reports, and theoretical vulnerabilities on EVM chains.
Position Spoofing Post Mortem by Panoptic.
The Dark Side of Upgrades: Uncovering Security Risks in Smart Contract Upgrades.
Blockchain Forensics: Attribution Techniques and the Role of OSINT.
Safer cold storage on Ethereum by Trail of Bits.
“Vibe Hacking”: Abusing Developer Trust in Cursor and VS Code Remote Development by Calif.
DevSecOops handbook by The Red Guild.
Subverting code integrity checks to locally backdoor Signal, 1Password, Slack, and more by Darius Houle (Trail of Bits).
Large Language Models for Cryptocurrency Transaction Analysis: A Bitcoin Case Study.
Time Tells All: Deanonymization of Blockchain RPC Users with Zero Transaction Fee (Extended Version).
Performance analysis of common browser extensions for cryptojacking detection.
Interaction-Aware Vulnerability Detection in Smart Contract Bytecodes.
TraceLLM: Security Diagnosis Through Traces and Smart Contracts in Ethereum.
Token Risk Scanning for Traders: Glider Flags 20+ on-chain risks others miss by Hexens.
DNS Security in Web3: Attacks & Monitoring Setup Explained by Chirag Agrawal.
Tools
A step closer to isolation - devcontainer-wizard by The Red Guild.
dApp Observatory by Coinspect. Track supply chain risks for popular web3 apps.
Bridge WTF - cross-chain analytics dashboard.
Premium Content
The content presented below is intended for personal, non-commercial use only and is protected by copyright laws. Any unauthorized distribution, reproduction, or inclusion of this content in public or commercial products, databases, publications, and other mediums is strictly prohibited without the express written permission of the author.
Hacks
OlaXBT
Date: September 01, 2025
Attack Vector: Key/Signer Compromise
Impact: $2,000,000
Chain: Ethereum
Indicators:
Ethereum: 0x0738c5bf93f5ac20bc01637e4a094df1e4cbd9ef
Ethereum: 0xec75a0bb45a07f6e23760c7fe8fcb2408a74348c
References:
https://x.com/olaxbt_terminal/status/1962494096578420981
https://x.com/olaxbt_terminal/status/1962858131605835800
https://x.com/CertiKAlert/status/1962439772280094975
https://x.com/zeroshadow_io/status/1962565116576096605