Greetings!
Over $3M was stolen across three incidents this week, a relative breather compared to last week’s ecosystem pillaging. Let’s take the moment to shore up our defenses, dive into a strong set of research articles, and highlight some positive news.
A stage four cancer patient was drained of $32K after downloading a malicious Steam game. Fortunately, a group of security researchers noticed an absolutely appalling crime and got together to track down the malware operator, enabling a prompt arrest with likely deportation. Interestingly, Valentin Lopez, aka “The Pope”, has been linked to the same cryptocurrency theft ring behind the $230M crypto heist last year. Every single person who played a role in uncovering the crime, coordinating the investigation, and bringing the operator to justice deserves enormous respect and admiration. You are true heroes!
The big lesson here is to separate your banking/crypto machine from a daily driver where you play games and interact on social media.
Amid all these stories of hacks, it’s worth highlighting the unsung heroes and sponsors of this week’s edition - ChainPatrol. The good folks at ChainPatrol are doing simply amazing work protecting protocols’ brands, fighting the barrage of X phishing attacks, and quickly taking down scammers before they can do real damage.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.
An important update about the newsletter. I will be adjusting the paid subscription rates to better support the ongoing research and time that goes into every issue. Starting next month, the premium tier will be increased to $99 per month or $999 per year. I’m deeply grateful to the sponsors and paid subscribers who have made it possible to keep this newsletter running for so many years.
In other news, happy 30th anniversary of the movie Hackers!
Let’s dive into the news!
News
‘I Was a Weird Kid’: Jailhouse Confessions of a Teen Hacker article on Bloomberg covers Noah Urban, Scattered Spider, and a previously undisclosed Crypto.com hack.
Self-Replicating Worm Hits 180+ Software Packages. Shai-Hulud malware continues its mass infection of developers and their NPM packages, including Crowdstrike, tinycolor, and others.
One Token to rule them all - obtaining Global Admin in every Entra ID tenant via Actor tokens by Dirk-jan Mollema. Unrestricted access to all Azure accounts. What controls do you have to protect and monitor your cloud account?
Lazarus Group project by the Security Alliance offers a massive collection of DPRK IT worker personas and a fun presentation.
Crime
Crypto scammer reported to ICE after stealing cancer patient’s treatment fund.
United Kingdom National Charged in Connection with Multiple Cyber Attacks, Including on Critical Infrastructure and USA vs Thalha Jubair aka EarthtoStar document some of the wildest exploits of a Scattered Spider actor who stole $36M, including buying Uber Eats and Steam using ill-gotten funds and social engineering the US DoJ into looking up his sealed indictment. Interestingly, the bad actor was also involved in a video-recorded robbery just a few months ago.
RCMP Busted TradeOgre: Canada’s Biggest Crypto Enforcement Yet. Interestingly, the RCMP chose to deliver the notice of fund seizure using an OP_RETURN message while seizing $40M. The enforcement action raised concerns over legitimate customers losing funds.
Suspect in Coinbase hack kept data for more than 10,000 customers on her phone, court filing alleges.
Crypto scammers allegedly tried to bribe X employees for account reinstatement.
Bitcoin, beatings, and a billionaire’s vendetta: Georgia’s Bachiashvili case.
FBI Asks SafeMoon Victims for Info Amid Restitution Efforts.
Project Brazen links KuCoin to billions in pig butchering scams.
Reported Physical Attacks On Bitcoin Holders Surge 169% This Semester.
Policy
Phishing
Scam/Phishing Alert: Fake GitHub Notification Email Impersonating Gitcoin Fund.
48% of Ethereum EIP-7702 uses linked to crime, says Wintermute.
Crypto whale loses $6M to sneaky phishing scheme targeting staked Ethereum.
DPRK Hackers Use ClickFix to Deliver BeaverTail Malware in Crypto Job Scams.
A rare recording of a live scammer call and an impromptu interview by zak.eth.
Someone lost $6.28M in stETH and aEthWBTC after signing multiple phishing “permit” signatures by Scam Sniffer.
Report of a crypto phishing campaign using Booking by matta.
Malware
WhiteCobra's Playbook Exposed: Critical Mistake Reveals 24-Extension Campaign Targeting VS Code and Cursor by Yuval Ronen (Koi Security).
BlockBlasters: Infected Steam game downloads malware disguised as patch by Arvin Lauren Tan (G Data). This is the same malware used to steal $32K from the cancer patient discussed above. Additional indicators and victims.
Media
Mixers, Bridges, and Dusting Attacks: An On-Chain Detective on Crypto Criminals’ Key Mistakes and video recording (Russian).
Arbitrage Profits at Decentralized Exchanges by CBER Forum.
Contests
Research
The Notorious Bug Digest #5: Post EIP-7702 Pitfalls, JIT Penalty Rebates, and Manipulation of Recursive Functions by OpenZeppelin.
The Vulnerability Exposing Tangem Cards to Brute-Force Attacks by Donjon (Ledger).
Threat Contained: marginfi Flash Loan Vulnerability by Felix Wilhelm (Asymmetric Research).
How a Single Logic Slip in a Perp DEX Earned us a $50,000 Bounty by VulSight.
Vulnerabilities in Liquity forks Part 1 and Part 2 by VulSight.
Yo Protocol's Unseen Dangers: Why Code Audits Aren't Enough by Barış Parlan.
Red Flags and Green Flags of Yield Bearing Stablecoins by Paweł Kuryłowicz (Composable Security).
How the U.S. Traced $110M Crypto Money Laundering Cases by BlockSec.
How to Manage Crypto Keys Without Losing Sleep by Oak Security.
Building Our Own Post-Quantum FIDO Token by Ruben (Neodyme).
Use mutation testing to find the bugs your tests don't catch by Guillermo Larregay (Trail of Bits).
Kocher's Timing Attack: A Journey from Theory to Practice by Martín Ochoa (ZKSecurity).
SlowMist Founder Cos Shares at HKU: Blockchain Security — Offense, Defense, and Practices.
Finding Ways To Break Smart Contracts (Auditing: Part 2) by phil.
Fellowship of Ethereum Magicians - A simple L2 security and finalization roadmap.
Travel eSIMs secretly route traffic over Chinese and undisclosed networks: study.
AP2 Transaction Security Model and Potential Risk Analysis by GoPlus Security.
Sui Transaction Lifecycle by Wang Security.
Evolving Supply Chain Attacks: Why dApps Avoided a Major Breach by Franco Riccobaldi (Coinspect).
Who Got Rugged? by Rekt is a valuable lesson on the dangers of misconfigurations during deployments.
EVM – Cosmos Convergence Research From Security Base Part 1, Part 2, and Part 3 by CertiK.
ExDoS: Expert-Guided Dual-Focus Cross-Modal Distillation for Smart Contract Vulnerability Detection.
From Paradigm Shift to Audit Rift: Exploring Vulnerabilities and Audit Tips for TON Smart Contracts.
Commit-Reveal²: Securing Randomness Beacons with Randomized Reveal Order in Smart Contracts.
Timestamp Manipulation: Timestamp-based Nakamoto-style Blockchains are Vulnerable.
Automated Attack Synthesis for Constant Product Market Makers.
Tools
Meet EDB - The first source-level smart contract debugger by William Cheung. Repo here. Additional demos.
Premium Content
The content presented below is intended for personal, non-commercial use only and is protected by copyright laws. Any unauthorized distribution, reproduction, or inclusion of this content in public or commercial products, databases, publications, and other mediums is strictly prohibited without the express written permission of the author.
Hacks
LyraDepositWrapper
Date: September 16, 2025
Attack Vector: Function Parameter Validation
Impact: $1,000,000
Chain: Ethereum
Indicators:
Ethereum: 0x62005500af4cfb0077ac0090002f630055ba001d
References:
https://x.com/TenArmorAlert/status/1968138774551969874
Exploit:
https://etherscan.io/tx/0xc2bab117b6cb95e12c14eb57deb2cdd592370e2eb614e6d37502dea1480db0ba