BlockThreat - Week 44, 2025
Garden Finance | Peapods | 402 Bridge | 0xc0ffee | MEV | Thodex | LastPass
Greetings!
More than $11.2M was stolen this week across eleven incidents. Among the more notable exploits was the 0xc0ffee MEV bot hack, which lost $218K due to an exposed uniswapV3SwapCallback method. These have popped up a few times this year, so be sure to check out Giovanni Di Siena’s article on hook security in the Research section for how to lock down these callbacks.
Garden Finance lost almost $11M after one of its solvers was compromised and private keys stolen. The irony here is that Garden Finance was previously implicated as a laundering venue for multiple Lazarus-linked hacks like Bybit, SwissBorg, and others. In a classic moment of frontier justice, ZachXBT refused to offer any support and even discouraged attackers from returning any of the illicitly obtained funds.
Oh, and be on the lookout for phishing emails from LastPass!
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerability, indicators, special reports, and searchable newsletter archives.
Let’s dive into the news!
News
Our presence at the biggest security Latin American conference, Ekoparty by The Red Guild.
Introducing Aardvark: OpenAI’s agentic security researcher. AI audit space is getting hot.
Crime
A thread on US v Peraire-Bueno trial by Inner City Press.
An unlikely couple, a doomed affair and their €64mn ransomware scam. An inside view of the CryLock (Cryakl) ransomware operators Vadim Sirotin and Elena Timofeeva.
Interview with the Chollima III by Mauro Eldritch and Ulises (Bitso).
Crypto wasted: BlueNoroff’s ghost mirage of funding and jobs by Kaspersky. Details of a new GhostCall campaign targeting the crypto community over Telegram with macOS malware.
Indiana Police Recover Stolen Bitcoin Mining Rigs—And $75K Worth of Frozen Turkeys.
Royal Thai Police Arrest Fugitive Chinese National Behind Multi-Million Dollar Crypto Fraud Scheme by TRM.
Chinese Man Arrested in Bangkok Over Alleged $14M Crypto Ponzi Scheme.
CEO of collapsed Thodex exchange found dead in Turkish prison while serving 11,196-year sentence.
Phishing
Possible CryptoChameleon Social Engineering Campaign Targeting LastPass Customers, Crypto Exchange Customers, Passkeys, and More. A new phishing campaign using requests for victim’s death certificate as a lure.
Thread on malicious Merkl campaigns with high APRs and unverified Euler vaults by YAM. Attackers are using fake markets with high oracle prices to drain any supplied liquidity.
Scams
House Of Cards by Rekt. A story of two stablecoins caught in the mutual backing loop. What could go wrong?
Malware
Media
bountyhunt3rz - Episode 29 - j4x.
Contests
Research
Uniswap V4 Hooks Security Deep Dive by Giovanni Di Siena (Solodit).
Multisig Security Analysis by engn33r (Electisec).
Securing the Blockchain: AI and Staying Ahead of the Curve + Ethena Yield Theft by Bountyhunt3rz.
How you can be drained years after the protocol’s hack? thread by Ye in Web3 on the victims.
Bad Vibes by Rekt. An excellent analysis of the future of AI-augmented code development, its risks and pitfalls. As the article mentions: “When will we see our first crypto exploit where we found out the root cause was due to vibe coding?”.
New physical attacks are quickly diluting secure enclave defenses from Nvidia, AMD, and Intel by Dan Goodin (Ars Technica).
Oracle Infrastructure: The Backbone of Lending Protocols by Noveleader and Francesco (Castle Labs).
Core Architecture and Positioning of DeFi’s Top Money Markets by Noveleader and Atomist (Castle Labs).
Uniswap v1 explained: How it changed DeFi forever by M3D (Zealynx).
Vibe Fuzzing Guide for Wake’s Manually-Guided Fuzzing by Naoki Yoshida (Ackee).
Top 7 Findings in Off-Chain Components by Damian Rusinek (Composable Security).
Detecting Various DeFi Price Manipulations with LLM Reasoning.
FLAMES: Fine-tuning LLMs to Synthesize Invariants for Smart Contract Security.
DeepTx: Real-Time Transaction Risk Analysis via Multi-Modal Features and LLM Reasoning.
Tools
Multisig Security Checker by engn33r. Analyze your Safe multisig contract for security best practices.
Localsafe.eth is officially launched. Enjoy always available IPFS or local hosted multisig without relying on large cloud infrastructure.
Device hardening & factory reset guides by Opsek.
Orb Explorer now includes Solana program source code.
Premium Content
The content presented below is intended for personal, non-commercial use only and is protected by copyright laws. Any unauthorized distribution, reproduction, or inclusion of this content in public or commercial products, databases, publications, and other mediums is strictly prohibited without the express written permission of the author.
Hacks
VaultManager
Date: October 27, 2025
Attack Vector:
Impact: $3,710
Chain: Ethereum


