Blockchain Threat Intelligence

BlockThreat - Week 39, 2025

UXLINK | Griffin AI | Hyperdrive | Linea | Seedify | Ideal Protocol | dTrinity | Cool

Peter Kacherginsky
Sep 29, 2025

Greetings!

This week felt like a bucket of cold water after last week’s relative calm. More than $51M was stolen across 10 incidents, many of them entirely preventable had projects paid closer attention to the well-known attack vectors that threat actors continue to exploit time and time again.

The most severe incident this week was the multisig hijacking of UXLINK, where attackers stole a massive $44.4M after taking control of the project’s contracts across multiple chains. The multisig had been configured with a 2/x threshold but lacked basic safeguards such as guardians, timelocks, or any kind of governance review process. On September 22, the attackers exploited this weak setup to reassign themselves as owners with a threshold of 1 and proceeded to pillage the protocol.

In an ironic twist, the attackers themselves later fell victim to an Inferno Drainer attack, losing 542M freshly stolen UXLINK. No honor among thieves, indeed.

Some critical lessons from the compromise:

  • Avoid weak thresholds. A 2/x setup is far too low. For anything beyond a few hundred thousand dollars, raise the threshold to at least 5/x.

  • Add timelocks. There’s no reason to allow immediate upgrades or parameter changes on multisigs. A multi-day timelock provides a critical buffer to detect and stop malicious activity.

  • Use guardians. Guardians serve as the last line of defense, even if all core developers are compromised and a malicious transaction is about to be executed.
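One defensive detection for the ownership-change pattern described above, added here as an example and not code from the newsletter: it replays Safe-style AddedOwner/RemovedOwner/ChangedThreshold events (the event line format, timestamps and addresses are constructed) and alerts when the threshold drops below a policy floor, when keys outside the original signer set can clear the threshold on their own, or when the entire original owner set is displaced within a short window. The policy constants are assumptions.

```python
MIN_THRESHOLD = 2      # assumed policy floor; the newsletter argues for 5/x on large treasuries
WINDOW_SECONDS = 3600  # assumed: full owner turnover within one hour is treated as a takeover

class SafeState:
    def __init__(self, owners, threshold):
        self.owners, self.threshold = set(owners), threshold
        self.original_owners = set(owners)  # known-good signers at deployment
        self.first_change = -1              # timestamp of the first ownership change seen

    def foreign_controlled(self):
        # True when keys outside the original signer set can clear the threshold alone
        foreign = self.owners - self.original_owners
        return bool(foreign) and len(foreign) >= self.threshold

def apply_event(state, line):
    """Apply one 'timestamp|EventName|argument' event (constructed format); return alerts."""
    ts_str, name, arg = line.split("|")
    ts, alerts = int(ts_str), []
    was_controlled = state.foreign_controlled()
    if name in ("AddedOwner", "RemovedOwner"):
        if state.first_change < 0:
            state.first_change = ts
        if name == "AddedOwner":
            state.owners.add(arg)
        else:
            state.owners.discard(arg)
        if not (state.owners & state.original_owners) and ts - state.first_change <= WINDOW_SECONDS:
            alerts.append(f"{ts}: all original owners replaced within {WINDOW_SECONDS}s")
    elif name == "ChangedThreshold":
        state.threshold = int(arg)
        if state.threshold < MIN_THRESHOLD:
            alerts.append(f"{ts}: threshold lowered to {state.threshold}")
    if state.foreign_controlled() and not was_controlled:  # alert once, on the transition
        alerts.append(f"{ts}: unknown owners can now clear threshold {state.threshold}")
    return alerts

def scan(events, owners, threshold):
    # Replay an event sequence against a known-good owner set and collect alerts
    state, alerts = SafeState(owners, threshold), []
    for line in events:
        alerts.extend(apply_event(state, line))
    return alerts

# Constructed sample: attacker adds a key to a 2-of-3 Safe, drops the threshold to 1,
# then removes the legitimate signers, all within a few minutes.
ORIGINAL_OWNERS = ["0xALICE", "0xBOB", "0xCAROL"]
SAMPLE_EVENTS = [
    "1758500000|AddedOwner|0xATTACKER",
    "1758500060|ChangedThreshold|1",
    "1758500120|RemovedOwner|0xALICE",
    "1758500180|RemovedOwner|0xBOB",
    "1758500240|RemovedOwner|0xCAROL",
]
```

A timelock on owner and threshold changes would turn the first of these alerts into a window in which a guardian can still veto the transaction.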

Speaking of preventable hacks, Griffin AI fell victim to yet another LayerZero OFT hijack. If that sounds familiar, it’s because just two weeks ago Yala suffered the exact same fate where a temporary bridge deployment was configured with a malicious token.

Just because you aren’t paying attention to active attack vectors doesn’t mean attackers aren’t. They absolutely are, and they will reuse the same techniques until projects finally close the door. So pretty please with sugar on top, lock down your OFTs and don’t give attackers the keys to print money.

The premium portion of the newsletter contains detailed write-ups and indicators for the remaining hacks of the 10 this week, including UXLINK, Griffin AI, Hyperdrive, Linea, Seedify, Ideal Protocol, dTrinity, Cool, and others.

Amid all these stories of hacks, it’s worth highlighting the unsung heroes and sponsors of this week’s edition - ChainPatrol. The good folks at ChainPatrol are doing simply amazing work protecting protocols’ brands, fighting the barrage of X phishing attacks, and quickly taking down scammers before they can do real damage.



Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.


An important update about the newsletter. I will be adjusting the paid subscription rates to better support the ongoing research and time that goes into every issue. Starting next month, the premium tier will be increased to $99 per month or $999 per year. I’m deeply grateful to the sponsors and paid subscribers who have made it possible to keep this newsletter running for so many years.

Let’s dive into the news!

News

  • Circle rarely freezes stolen funds but wants reversible transactions.

Crime

  • Thai Police Bust $15M Crypto Scam Ring Targeting Hundreds of Koreans - Decrypt.

  • Eurojust coordinates action to halt cryptocurrency fraud of over 100 million euros across Europe.

  • $8M in Crypto Stolen in Armed Kidnapping; Suspects Arrested in Texas.

Policy

  • Crypto Exchange KuCoin Hit With Record Anti-Money Laundering Penalty in Canada.

Phishing

  • The UXLINK exploiter address appears to have signed a malicious `increaseAllowance` approval to a phishing contract by Scam Sniffer.

  • X/Twitter seems to have been compromised at some point in the last 24 hours by Dark Web Informer.

  • Report of a phishing campaign stealing X accounts through fake a16z DMs and Google Calendar spoofing by Zak.eth.

  • DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception by ESET. One of the more interesting revelations is a close collaboration between fake recruiters and DPRK IT workers, who share intelligence gathered through the interviews of legitimate developers.

  • GitHub notifications abused to impersonate Y Combinator for crypto theft.

  • New advanced X account takeover attack targets crypto community.

Scams

  • Parabolic Mirage by Rekt. Sybil and market manipulation of MYX Finance.

  • DeFi protocol Hypervault vanishes after $3.6 million suspected rugpull.

Malware

  • Two Malicious Rust Crates Impersonate Popular Logger to Steal Wallet Keys by Kirill Boychenko (Socket). Mass supply chain attacks continue. Did you pin your dependencies yet?

Media

  • DSS Webinar - Trillion Dollar Security with Rajeev, Uri, Fredrik and Mehdi.

  • Web3 Security Podcast - Validator sniping: How to harvest IP addresses to redirect MEV | Sebastian Bürgel (Gnosis).

  • Scamurai - Ep. #5 Social engineering, AI and security in crypto with Stefan Beyer.

  • SEC-T 0x11: Simon Gerst - Attacking and defending GitHub Actions.

  • Thinker - Hunting the $477,000,000 FTX Hacker.

  • Decrypt - Catching Criminals On-chain with Elliptic’s Matt Price.

  • Network Chuck - You need to learn MCP Right Now! A detailed walkthrough on teaching LLMs to interface with security tools using custom MCP servers.

Research

  • Blockchain Forensics series by SomaXBT:

    • The Crypto Threat Landscape: Threats and Exploits Targeting Crypto Users.

    • Blockchain Forensics: A Practical Guide to Tracing Stolen Funds.

    • Blockchain Forensics: Attribution Techniques and the Role of OSINT.

    • Blockchain Forensics: Advanced Blockchain Forensics Techniques and Additional Resources.

  • Inside Ethereum’s Engine: How the Execution Layer Actually Works by Ezequiel Perez (OpenZeppelin).

  • SP1 and zkVMs: A Security Auditor’s Guide by Kirk Baird (Sigma Prime).

  • Supply Chain Attacks: Prepare for Next Week by Franco Riccobaldi (Coinspect).

  • Supply-Chain Guardrails for npm, pnpm, and Yarn by Franco Riccobaldi (Coinspect).

  • Supply chain attacks are targeting Web3: What the September npm hack reveals by Chirag Agrawal (Guardrail).

  • Supply chain attacks are exploiting our assumptions by Brad Swain (Trail of Bits).

  • Device hardening & factory reset guides by OpSek.

  • How to Setup an Ethereum Node Part 1 and Part 2 by Trash Pirate.

  • How we trained LLM to find reentrancy vulnerabilities in smart contracts by seth (Unvariant).

  • MCP Security: TOP 25 MCP Vulnerabilities by Adversa AI.

  • First Malicious MCP in the Wild: The Postmark Backdoor That’s Stealing Your Emails by Idan Dardikman (Koi Security).

  • Moving from EVM to Move Part 1 by VulSight.

  • Commit-Reveal2: Securing Randomness Beacons with Randomized Reveal Order in Smart Contracts.

  • When Priority Fails: Revert-Based MEV on Fast-Finality Rollups.

  • BlockScan: Detecting Anomalies in Blockchain Transactions.

  • Bribers, Bribers on The Chain, Is Resisting All in Vain? Trustless Consensus Manipulation Through Bribing Contracts.

  • Unaligned Incentives: Pricing Attacks Against Blockchain Rollups.

  • Decoding TRON: A Comprehensive Framework for Large-Scale Blockchain Data Extraction and Exploration.

  • Generic Adversarial Smart Contract Detection with Semantics and Uncertainty-Aware LLM.

Tools

  • Introducing V12 by Zellic. An autonomous Solidity auditor designed to find critical bugs consistently and automatically.


Premium Content

The content presented below is intended for personal, non-commercial use only and is protected by copyright laws. Any unauthorized distribution, reproduction, or inclusion of this content in public or commercial products, databases, publications, and other mediums is strictly prohibited without the express written permission of the author.

Hacks

UXLINK

Date: September 22, 2025
Attack Vector: Multisig Hijacking
Impact: $44,400,000
Chain: Arbitrum, Ethereum, BSC

Indicators:


References:

https://x.com/lookonchain/status/1970330298568319083
https://x.com/CyversAlerts/status/1970167036002132425
https://x.com/exvulsec/status/1970187483498553732
https://x.com/UXLINKofficial/status/1970181382107476362
https://x.com/UXLINKofficial/status/1970318681931669825
https://x.com/UXLINKofficial/status/1970323705856495980
https://x.com/P3b7_/status/1970209897129353546
https://x.com/tayvano_/status/1971296769167515992
https://research.blockscope.co/uxlink-exploit-analysis
https://rekt.news/uxlink-rekt

Phished:

https://x.com/realScamSniffer/status/1970322013597450609
https://x.com/evilcos/status/1970332831890248173
https://arbiscan.io/tx/0xa70674ccc9caa17d6efaf3f6fcbd5dec40011744c18a1057f391a822f11986ee
https://protos.com/uxlink-goes-from-bad-to-worse-to-weird-after-hacker-loses-stolen-tokens/

Exploit:

https://arbiscan.io/tx/0x35edac40767f65d4d1382f0f55cda2f4db321313e16fe059079f0113f9cb5696
https://etherscan.io/tx/0x618e914f8c0afccaaf9be2d502730aa9c89f6cb0cc63aa6e700ef7e1d659b093

© 2025 Peter Kacherginsky