Greetings!

This week was a bloodbath. More than $57.5M was stolen across nine incidents with breached custodial staking providers, hacked frontends, backdoored supply chains, phished of individuals, chain reorged, bridges exploited, and plenty of DeFi protocol drained. All elements of our ecosystem were hit in one of the worst weeks this year.

But one exploit in particular could have caused losses in the billions were it not for an early discovery by the community. An NPM supply chain attack that compromised several extremely popular packages (billions of downloads per week) allowed attackers to inject a backdoor designed to drain users’ wallets. By sheer luck and plenty of onchain mockery the attack was detected early enough and community mobilized which left attackers with under $1k in profit from what could easily have been a Safe/Bybit-scale exploit. The biggest takeaway is that they will be back. So please implement proper package freezing and review into your dev pipelines.

Speaking of near catastrophes, the massive $41.5M Kiln/SwissBorg compromise is a stark reminder of the risks of trusting a third-party managed treasury or staking provider. In general, it’s sensible to let professional teams manage assets; however, it does not absolve one of prudent monitoring and in depth discussions about what security controls can be added to minimize risk. Since the incident, Kiln initiated an exit of all of its Ethereum validators.

Another interesting exploit this week was the Yala LayerZero OFT bridge hijack, which took advantage of a temporary deployment that used a known “local key.” Attackers raced to configure a recently deployed bridge on Solana to a malicious OFT contract on Polygon and started minting legitimate $YU tokens.

The last but not least, mass bridge compromises are back with the $3M Shibarium Bridge hack. One positive outcome was that a large portion of the attackers’ funds were blacklisted or locked out. However, how do you compromise 10(!) of 12 signer keys unless they’re stored and managed in the same place defeating the whole point?

Amid all these stories of hacks, it’s worth highlighting the unsung heroes and sponsors of this week’s edition - ChainPatrol. The good folks at ChainPatrol are doing simply amazing work protecting protocols’ brands, fighting the barrage of X phishing attacks, and quickly taking down scammers before they can do real damage.

Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerability, indicators, special reports, and searchable newsletter archives.

An important update about the newsletter. I will be adjusting the paid subscription rates to better support the ongoing research and time that goes into every issue. Starting next month, the premium tier will be increased to $99 per month or $999 per year. I’m deeply grateful to the sponsors and paid subscribers who have made it possible to keep this newsletter running for so many years.

Let’s dive into the news!

News

• The Great npm Heist That Wasn't by Rekt. A deep dive into a massive supply chain attack which luckily yielded almost no losses and plenty of mockery.

• DuckDB npm Account Compromised in Continuing Supply Chain Attack by Peter van der Zee Sarah Gooding (Socket).

• XMR experienced an 18 block reorg.

Crime

• Indian Call Center Scammers partner with Chinese Money Launderers by Gary Warner.

• California man sentenced to over four years for laundering $37 million in stolen crypto.

• US Treasury Sanctions 19 Southeast Asian Entities in $10B Cyber Scam Crackdown.

• After posting their goodbye note on BreachForums, Scattered Lapsus$ Hunters provided proof of access to FBI NICS (background check) and Google LERS (Law Enforcement Request System)

Policy

• US Government To Bring PATRIOT Act to Digital Assets.

• Burwick Law can now serve Pump Fun lawsuits via X. This was in response to Solana’s Yakovenko apparently dodging 9 attempts of serving him with the lawsuit targeting Pump Fun and those who enabled it.

Phishing

• THORSwap issues bounty offer tied to more than $1M exploit of THORChain founder's wallet. As was pointed out by ZachXBT, it is ironic that DPRK is attacking the very organization they are using for laundering funds.

• Lazarus Group Attacks in 2025: Here’s Everything SOC Teams Need to Know by Any.Run.

• Someone lost ~$1.54M due to signing EIP-7702 phishing batch transactions by Scam Sniffer.

• A report by Nick Bax on bad actors using Microsoft Teams in a fake meeting/podcast phishing campaign.

• You Didn't Get Phished — You Onboarded the Attacker.

Scams

• Intern Polymarket decided to make money on memecoins using the official Polymarket account.

• Aqua Scam Alert: "Rug Pull" is Becoming More Sophisticated.

• The problem in RWA Metrics by 0xngmi.

Malware

• Off Your Docker: Exposed APIs Are Targeted in New Malware Strain by Yonatan Gilvarg (Akamai). The latest iteration of the cryptominer malware.

• AsyncRAT in Action: Fileless Malware Techniques and Analysis of a Remote Access Trojan by Sean Shirley (LevelBlue). A deep dive into a nasty crypto and credential stealer.

• New ModStealer malware hunts crypto wallets with fake recruiter ads, evades antivirus detection.

Media

• Web3 Security Podcast with Anto Joseph hosted by Jack Sanford (Sherlock).

• How North Korea pulled off the world's biggest robbery by 7 News Spotlight.

Research

• How to Survive Supply-Chain Attacks by Caue Obici (OtterSec).

• How Sui Move rethinks flash loan security by Nicolas Donboly (Trail of Bits).

• Safe StableSwap-NG Deployment: How to Avoid Risks from Volatile Oracles by Viktor Yurov, Dmitry Zakharov (MixBytes).

• Securing Cosmos Appchains: A Trust-Aligned Guide to ABCI, Determinism, and IBC Integrity by Paul (Cantina).

• Auditing Step By Step: Part 1 by phil.

• Incident Post-Mortem: Reth Mainnet State Root Mismatch.

• How to drain an entire lending protocol when a new asset is accepted as collateral by Kankodu.

• Network-level Censorship Attacks in the InterPlanetary File System.

• Insecurity Through Obscurity: Veiled Vulnerabilities in Closed-Source Contracts.

• XChainWatcher: Monitoring and Identifying Attacks in Cross-Chain Bridges.

• SEASONED: Semantic-Enhanced Self-Counterfactual Explainable Detection of Adversarial Exploiter Contracts.

• Permission denied - The story of an EIP that sinned.

• SoK: Root Cause of $1 Billion Loss in Smart Contract Real-World Attacks via a Systematic Literature Review of Vulnerabilities.

• A Secure Sequencer and Data Availability Committee for Rollups (Extended Version).

• I Know Who Clones Your Code: Interpretable Smart Contract Similarity Detection.

Tools

• safe-tx-hashes-util by pcaversaccio now supports transaction simulation when reviewing Safe multisig transactions.

• SuiSource MCP Server by Alexey Posikera. A Model Context Protocol (MCP) server that can be used to fetch information about Sui projects and its packages, as well as download a package bytecode and decompile it using the Revela decompiler.

Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerability, indicators, special reports, and searchable newsletter archives.

Premium Content

The content presented below is intended for personal, non-commercial use only and is protected by copyright laws. Any unauthorized distribution, reproduction, or inclusion of this content in public or commercial products, databases, publications, and other mediums is strictly prohibited without the express written permission of the author.

Hacks

Kiln, SwissBorg

Date: September 08, 2025
Attack Vector: API Key Theft
Impact: $41,500,000
Chain: Solana

Indicators:

Solana: tyfwg3hvvxwms2kxek8cdujcsxeyks65eeqpd9p4mk1

References:

https://x.com/SolanaFloor/status/1965116689907089782
https://x.com/swissborg/status/1965123506477359471
https://x.com/CertiKAlert/status/1965122507687755803
https://x.com/shoucccc/status/1965126091334713838
https://swissborg.com/blog/joint-statement-kiln-x-swissborg-regarding-sol-incident
https://www.kiln.fi/post/kiln-responds-to-infrastructure-issue-with-validator-exit-funds-remain-protected
https://protos.com/swissborg-ceo-blames-41m-loss-on-staking-partner-kiln/
https://www.theblock.co/post/370141/kiln-exits-ethereum-validators
https://rekt.news/swissborg-rekt

Exploit:

https://solscan.io/tx/5DCPDEVrnVdM4jHgxYGtuuzvSubg15sSpkBCxexfuApRAfXEmNfokiTyj6bxE52QNGVbPnwm9L3YzcEoMHHEpLV