Blockchain Threat Intelligence

BlockThreat - Week 49, 2025

React | Yearn | USDP | Goldfinch | WaveX | Kroll | Binance

Dec 12, 2025 ∙ Paid

Greetings!

Almost $11M was stolen this week across four incidents. The majority of losses came from the Yearn Finance compromise, where an attacker exploited an integer underflow to steal $9M. The key lesson is that this was yet another legacy codebase that had not been audited for years and contained a deep vulnerability in its math logic. As I mentioned in my recent talk, this is emerging as a real threat to many protocols and to the broader ecosystem that relies on them. Simply isolating or de-risking these codebases may not always be feasible, so the practical path forward may require re-auditing them with modern tools, improved techniques, and highly experienced auditors that simply did not exist when much of this code was written.

Another incident this week involved an exploit class I also highlighted in the same DSS talk. The USDP initialization hijacking allowed attackers to insert a malicious backdoor, resulting in a one-million-dollar theft. Attackers are becoming more sophisticated in how they place these backdoors, which is creating ideal conditions for a future watering-hole contract scenario.

And just as we were getting a break from two mass supply chain attacks, the web2 world delivered another reminder of its fragility. The mass React compromise is one of the most severe exploitation campaigns in recent memory. Please patch your instances immediately!


Enjoy reading BlockThreat? Each edition takes more than ten hours of careful research and preparation every week. Consider sponsoring an upcoming issue or becoming a paid subscriber to unlock the premium section with detailed analyses of hacks, vulnerabilities, special reports, and a fully searchable newsletter archive.


Let’s dive into the news!

News

  • Who Has Security? - A list of blockchain companies with in-house security. You can’t fully outsource security, and internal ownership is key to long-term success.

  • CVE-2025-55182: React2Shell Analysis, Proof-of-Concept Chaos, and In-the-Wild Exploitation. An easy-to-exploit vulnerability in React resulted in thousands of compromised hosts running cryptominers.

  • Cloudflare outage on December 5, 2025. Another week, another Cloudflare outage knocking out major wallets and exchanges.

  • Ledger researchers flag Android chip flaw enabling full device takeover, exposing smartphone-based web3 wallets to physical attack.

  • AI agents find $4.6M in blockchain smart contract exploits by Anthropic.

  • Hats Finance is shutting down.

Crime

  • How We Caught Lazarus’s IT Workers Scheme Live on Camera by Mauro Eldritch (BCA) and Heiner García (NorthScan).

  • Exclusive Look Inside a Compromised North Korean APT Machine Linked to The Biggest Heist in History.

  • Crypto sleuth ZachXBT claims British threat actor tied to $243 million Genesis creditor theft ‘likely arrested’. Danish Zulfiqar aka Danny was linked to the $243M Genesis theft and Kroll SIM swaps.

  • Operation Olympia. Europol and partners shut down ‘Cryptomixer’. The service was responsible for laundering €1.3B in BTC since 2016.

  • United States, United Kingdom, and Australia Jointly Target Russian Cybercrime Infrastructure: Media Land and Aeza Group by Slowmist.

  • Binance post confirming insider trading sends ‘year of the yellow fruit’ meme token even higher.

  • Tracing firms say Binance’s claims of improving financial crime left out key crime stats.

  • Police arrest two Ukrainian men after Vienna killing linked to crypto wallet theft.

  • Gunmen Steal $85,800 in Trinidad Crypto Ambush as Attacks on Holders Rise.

Policy

  • Operation Choke Point 2.0: Biden’s Debanking of Digital Assets by US House Committee on Financial Services. The report documents systematic discouragement and disruption of banking relationships with the crypto industry.

  • Connecticut issues cease-and-desist to Kalshi, Robinhood, and Crypto.com over ‘illegal sports wagering’.

  • UK Passes Bill Formally Recognizing Crypto as a New Category of Property.

Phishing

  • Beware of Solana Phishing Attacks: Wallet Owner Permissions May Be Altered by SlowMist.

  • Report of a massive $27M theft from a user Babur on Solana and Ethereum by Slowmist.

  • Pepe memecoin website exploited, redirecting users to malware.

Scams

  • Scam Telegram: Uncovering a network of groups spreading crypto drainers by Tim.

Media

  • Investigating DeFi hacks with ‘Code is Law’ co-director James Craig and Wildcat Finance co-founder Laurence Day.

Contests

Research

  • The state of off-chain security in Ethereum and a primer on how to improve it — 1TS Initiative by Matta (The Red Guild).

  • How Fuzzing the Aligned Layer Batcher Uncovered a Critical DoS Vulnerability in a Core Ethereum ZK Library by Fuzzing Labs.

  • How I found a critical vulnerability in @zora’s ERC20Z contract via a little known Uniswap v3/v4 property by 0xKaden.

  • Unbundling at the Relay Level for frontrunning protocol hacks by meridian.

  • Blockchain Interoperability Part 1: Interoperability Problem And Bridges by Charan Nomula.

  • Belobog: Move Language Fuzzing Framework For Real-World Smart Contracts.

  • Detection of Crowdsourcing Cryptocurrency Laundering via Multi-Task Collaboration.

  • AtomGraph: Tackling Atomicity Violation in Smart Contracts using Multimodal GCNs.

  • Large Language Model based Smart Contract Auditing with LLMBugScanner.

Tools

  • coq-of-solidity - a tool to automatically translate Solidity smart contracts to the Rocq proof system, which allows the correctness of the smart contracts to be formally verified.

  • Antidrain by Zun. Claim airdrops, recover staked tokens & rescue NFTs from compromised wallets. Powered by EIP-7702, execute atomic batch operations before sweeper bots can react.


Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and a searchable newsletter archive.


Premium Content

This post is for paid subscribers

© 2025 Peter Kacherginsky