BlockThreat - Week 4, 2025
Phemex | NoOnes | AdsPower | Paribus | Thetanuts | Odos | AST | BPL | Bebop
Greetings!
We’ve been dreading weeks like this for a while. Nearly $100 million stolen across 10 attacks—a brutal reminder of the relentless pace of crypto exploits. Multiple hot wallet compromises, wallet supply chain attacks, and an exhausting number of price oracle exploits. Let’s start with the worst hack of the year.
The Phemex Heist: A Masterclass in Coordination
Alarm bells rang on January 23rd at 11:55 AM UTC when PeckShield detected large outflows—one token after another—on Ethereum, all within seconds. As the Ethereum drains unfolded, Solana, Bitcoin, Sui, Ripple, and others were hit just minutes later. In total, 16 blockchains were drained in parallel, a staggering display of coordination that pointed to a well-prepared, professional actor.
Then came the laundering—executed with the same speed and precision as the exploit itself. The attacker rapidly hopped between chains, swapping and obfuscating assets, prioritizing the liquidation of freezable tokens first.
Kudos to Phemex for maintaining transparency throughout the incident—an approach that will help elevate industry security standards. Two key timestamps from the preliminary report stand out:
• Phemex detected the attack at 11:30 AM UTC, 25 minutes before the draining began at 11:55 AM UTC.
• Deposits and withdrawals were halted at 3:13 PM UTC, more than three hours after detection.
That's 25 minutes to assemble a war room, triage the incident, assess severity, and begin containment before the first funds left, and then more than three hours before withdrawals were actually halted. Twenty-five minutes is longer than the average 15-minute response time most DeFi projects get, yet it still wasn't enough to keep the hot wallets intact. It's frustrating, but I hope Phemex rebuilds and fortifies its security program to better protect its hot wallets in the future.
As for threat actor attribution, only North Korean-linked groups have executed attacks of this coordination and scale in the past, but we'll need more data points to confirm.
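The detection that started the clock above was a burst of outflows, one token after another, across several chains within seconds. The following is an added illustration of what a minimal burst alert on hot-wallet outflows can look like; it is not code from Phemex, PeckShield, or BlockThreat. The transfer records, wallet names, and thresholds (a two-minute window, three distinct tokens or two distinct chains) are constructed for the example, and a real deployment would feed it from chain indexers or exchange ledgers rather than an inline list.

```python
"""Added example (not from BlockThreat, Phemex or PeckShield): a toy burst
detector for hot-wallet outflows.

A wallet is flagged when, inside a sliding window of `window_s` seconds, its
outgoing transfers touch at least `min_tokens` distinct tokens or at least
`min_chains` distinct chains. All sample data and thresholds are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    ts: int          # unix seconds
    chain: str
    token: str
    wallet: str      # monitored hot wallet that sent the funds
    usd_value: int   # rough USD value at time of transfer


# Constructed sample: "hot-1" drains many tokens across chains within seconds,
# while "hot-2" shows ordinary, spaced-out activity.
SAMPLE = [
    Transfer(1737633300, "ethereum", "USDT", "hot-1", 3_000_000),
    Transfer(1737633302, "ethereum", "USDC", "hot-1", 2_500_000),
    Transfer(1737633305, "ethereum", "WETH", "hot-1", 4_100_000),
    Transfer(1737633330, "solana",   "SOL",  "hot-1", 1_200_000),
    Transfer(1737633360, "bitcoin",  "BTC",  "hot-1", 5_000_000),
    Transfer(1737633000, "ethereum", "USDT", "hot-2", 50_000),
    Transfer(1737636600, "ethereum", "USDT", "hot-2", 40_000),
]


def detect_bursts(transfers, window_s=120, min_tokens=3, min_chains=2):
    """Return {wallet: (window_start_ts, tokens, chains, usd_total)} for each
    wallet whose outflows in some sliding window meet either threshold.

    The alert records the first qualifying window, which is the earliest point
    at which this rule could have paged an on-call responder.
    """
    by_wallet = defaultdict(list)
    for t in transfers:
        by_wallet[t.wallet].append(t)

    alerts = {}
    for wallet, txs in by_wallet.items():
        txs.sort(key=lambda t: t.ts)
        left = 0
        for right in range(len(txs)):
            # Shrink the window from the left until it spans <= window_s.
            while txs[right].ts - txs[left].ts > window_s:
                left += 1
            window = txs[left:right + 1]
            tokens = {t.token for t in window}
            chains = {t.chain for t in window}
            if len(tokens) >= min_tokens or len(chains) >= min_chains:
                alerts[wallet] = (
                    window[0].ts,
                    tokens,
                    chains,
                    sum(t.usd_value for t in window),
                )
                break  # first qualifying window is the alert
    return alerts


if __name__ == "__main__":
    for wallet, (start, tokens, chains, usd) in detect_bursts(SAMPLE).items():
        print(f"ALERT {wallet}: window starting {start}, "
              f"{len(tokens)} tokens on {sorted(chains)}, ~${usd:,}")
```

The rule is deliberately simple: the token-count and chain-count thresholds are ORed so that a drain that starts on a single chain (as the Ethereum outflows did here) still fires before the attacker moves to the next chain. Tuning the window and thresholds against a wallet's normal sweep cadence is what keeps it from paging on routine treasury operations.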
More Hacks & A Glimmer of Hope
There were many more incidents this week—details of which you’ll find in the premium section—including:
• $8M NoOnes hot wallet hack
• $4.7M AdsPower wallet supply chain attack
• A clever Odos exploit
• …and many others.
But I want to leave you on a more positive note.
Deep inside the dark forest of blockchain security, it’s not just the predators who lurk. The good guys are there too—turning the same techniques against careless attackers.
On January 18th, Bitfinding, a group specializing in intercepting hacks in progress, noticed storm clouds forming over Paribus on Arbitrum. Without hesitation, they deployed an exploit in just 3.2 seconds—executing a white-hat attack to safeguard funds until their rightful owners could reclaim them.
A rare win in the battle for blockchain security. Hats off to the heroes! Maybe there’s still hope for the future of intrusion prevention after all.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Let’s dive into the news!
News
Kidnapped co-founder of Ledger released as French police hunt for the perpetrators. Interestingly, the kidnappers accepted the ransom in USDT, which was quickly frozen with the help of SEAL 911.
Trump Frees Silk Road Creator Ross Ulbricht After 11 Years in Prison. Ross may still have access to $47M worth of BTC not seized from the Silk Road.
ThorChain paused lending and Savers withdrawals, citing a failed design.
Web3 Hack Postmortem 2024 by ChainLight. A detailed look at major security incidents in the past year, post-incident responses, money laundering, and other critical lessons.
Remedy CTF 2025 is over. Congratulations to ChainLight, A-Team, and Kimchi Premium!
Crime
Understanding the Use of Cryptocurrencies By Cartels by TRM.
Crypto market maker CLS Global admits to wash trading on Uniswap after FBI investigation.
US Sentences Indian Man For Laundering Cryptocurrency Worth $20 Million.
Policy
OFAC ‘overstepped’ on Tornado Cash sanctions, court orders reversal.
Unpacking Trump's Executive Order on Digital Financial Technology by TRM.
Phishing
Analysis of Web3 Phishing Techniques by SlowMist.
Blockchain Sleuth ZachXBT Uncovers $29 Million SUI Token Exploit.
Nasdaq’s official X account was seemingly hacked to promote a fake memecoin.
Scams
Trump Casino by Rekt.
The pastor who gave the benediction at Trump’s inauguration just launched his own memecoin.
Malware
Media
Solidity Development with Foundry: Cast, Anvil, Chisel, and Forge by Ethereum Engineering Group.
Research
DeFi Liquidation Vulnerabilities by Dacian.
What is a Smart Contract Audit: Lessons from OpenZeppelin’s 1000+ Audits.
Unique 0-click deanonymization attack targeting Signal, Discord and hundreds of platforms by hackermondev.
Solana: Signature Verification Flow (Part-1) by BountyHunt3r.
Learn Yul by andreitoma8.
Yul Puzzles by RareSkills.
Reduce The Risk of Cyber Attacks: Isolated Dev Environments by Patrick Collins (Cyfrin).
Blockchain Security Risk Assessment in Quantum Era, Migration Strategies and Proactive Defense.
Mapping the DeFi crime landscape: an evidence-based picture.
Bug bounty hunter mindset by Daniel Von Fange. Focus on the “impact”.
Ethereum Validator Lifecycle: A Deep Dive by Sergey Boogerwooger, Dmitry Zakharov.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.