BlockThreat - Week 52, 2025
Trust Wallet, Flow, Polymarket, MSCST, JFIN Bridge, Debot,
Greetings!
We are closing out the year with nearly $13M stolen across five incidents. The most severe was the complete compromise of the Trust Wallet browser extension.
According to the recently published post mortem, Trust Wallet’s GitHub repository had been compromised since November(!) by the infamous Shai Hulud worm. After sitting on stolen GitHub secrets and a Chrome Web Store API key, the attackers finally struck, uploading a malicious extension that exfiltrated users’ private keys. More than $8.5M has already been stolen from thousands of victims. Supply chain attacks of this nature are likely to become a recurring theme in 2026. As I have warned before, it is long past time to lock down repositories and, critically, to rotate compromised credentials immediately rather than weeks later.
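The rotation point above is the one most teams get wrong: a secret is only clean once it has been rotated after the attacker's access was revoked, not merely after the compromise was noticed. The audit below is an added example, not code from Trust Wallet or the newsletter. It assumes the JSON shape of GitHub's `GET /repos/{owner}/{repo}/actions/secrets` response (`name`, `created_at`, `updated_at`); the secret names, dates and the compromise and containment timestamps are constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of GitHub's actions/secrets listing
# (names and timestamps are invented, not from any real repository).
SAMPLE_LISTING = json.dumps({
    "total_count": 4,
    "secrets": [
        {"name": "NPM_TOKEN",     "created_at": "2024-03-01T10:00:00Z", "updated_at": "2024-03-01T10:00:00Z"},
        {"name": "CWS_API_KEY",   "created_at": "2023-06-12T08:30:00Z", "updated_at": "2025-11-21T00:00:00Z"},
        {"name": "SIGNING_KEY",   "created_at": "2025-09-05T12:00:00Z", "updated_at": "2025-09-05T12:00:00Z"},
        {"name": "RELEASE_TOKEN", "created_at": "2025-01-10T09:00:00Z", "updated_at": "2025-12-26T08:00:00Z"},
    ],
})

# Hypothetical incident timeline: when the attacker first had repository
# access, when that access was actually cut off, and when the audit runs.
COMPROMISE_AT = datetime(2025, 11, 20, tzinfo=timezone.utc)
ACCESS_REVOKED_AT = datetime(2025, 12, 24, tzinfo=timezone.utc)
AS_OF = datetime(2025, 12, 28, tzinfo=timezone.utc)


def parse_ts(value: str) -> datetime:
    """Parse GitHub's RFC 3339 timestamps; a trailing 'Z' means UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def secrets_needing_rotation(listing_json: str, access_revoked_at: datetime) -> list[str]:
    """Secrets whose current value was set while the attacker still had access.

    Rotating a secret before access is revoked does not help: the new value
    is just as readable as the old one. Only a rotation strictly after
    containment counts as clean.
    """
    data = json.loads(listing_json)
    return [s["name"] for s in data["secrets"]
            if parse_ts(s["updated_at"]) <= access_revoked_at]


def exposure_days(listing_json: str, compromise_at: datetime,
                  access_revoked_at: datetime, as_of: datetime) -> dict[str, int]:
    """Days each still-unrotated secret's current value has been exposed.

    A value set before the compromise has been exposed since the compromise;
    a value set during the compromise window has been exposed since it was set.
    """
    data = json.loads(listing_json)
    report = {}
    for s in data["secrets"]:
        updated = parse_ts(s["updated_at"])
        if updated > access_revoked_at:
            continue  # rotated after containment: clean
        exposed_since = max(updated, compromise_at)
        report[s["name"]] = (as_of - exposed_since).days
    return report


if __name__ == "__main__":
    for name, days in exposure_days(SAMPLE_LISTING, COMPROMISE_AT, ACCESS_REVOKED_AT, AS_OF).items():
        print(f"{name}: exposed for {days} days, rotate now")
```

In the constructed data `CWS_API_KEY` was rotated the day after the compromise began but a month before access was revoked, so it still shows up as needing rotation; only `RELEASE_TOKEN`, rotated after containment, is clean. The same check applies to any credential store that records a last-updated time, not only GitHub Actions secrets.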
Another particularly rare exploit happened this week involving the Flow blockchain. An attacker waited until the very end of the year to exploit an infinite mint vulnerability in the chain’s execution layer, draining $3.9M. Flow operators later chose to roll the chain back to a pre-hack checkpoint. This is a blunt and largely ineffective mitigation, as it negatively impacts every legitimate user who transacted after the attack, while the attacker had already bridged the stolen funds out of the ecosystem. A far more effective response would have been to isolate or filter the attacker’s transactions, as demonstrated in the recent Balancer incident, where chains such as Polygon, Gnosis, Berachain, and others assisted in recovery without disrupting normal network activity. This incident highlights the need for Flow to develop a comprehensive and well-rehearsed incident response plan.
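To make the rollback-versus-filtering argument concrete, here is an added toy model that is not Flow's execution layer or any chain's recovery tooling. It replays a constructed block history two ways: discarding everything after a checkpoint, and keeping the chain but dropping only transactions that touch tagged attacker addresses. The addresses, amounts and block contents are all made up.

```python
from collections import defaultdict

# Constructed block history. Each tx is (sender, recipient, amount); the sender
# "mint" means newly issued supply. Block 2 is the exploit: an unauthorized mint
# of 1,000,000 tokens to the attacker, who bridges them out in block 3 while
# ordinary users keep transacting in blocks 3 and 4.
CHECKPOINT = 1            # last block height before the exploit
ATTACKER = {"attacker"}   # addresses tagged during incident response
BLOCKS = [
    [("mint", "alice", 100), ("mint", "bob", 50)],               # 0: genesis
    [("alice", "bob", 10)],                                      # 1: checkpoint
    [("mint", "attacker", 1_000_000)],                           # 2: infinite-mint exploit
    [("bob", "carol", 20), ("attacker", "bridge", 1_000_000)],   # 3: legit tx + exfiltration
    [("carol", "alice", 5)],                                     # 4: legit tx
]


def involves(tx, addrs) -> bool:
    """True if the tx sends to or from any of the given addresses."""
    sender, recipient, _ = tx
    return sender in addrs or recipient in addrs


def apply_tx(state, tx) -> bool:
    """Apply a transfer to the balance map; reject it if the sender is short."""
    sender, recipient, amount = tx
    if sender != "mint":
        if state[sender] < amount:
            return False
        state[sender] -= amount
    state[recipient] += amount
    return True


def replay(blocks, skip=frozenset()):
    """Rebuild balances from genesis.

    Txs touching a `skip` address are dropped outright; any later tx that is
    left unfunded as a result fails on its own. Returns (balances, dropped).
    """
    state = defaultdict(int)
    dropped = []
    for height, block in enumerate(blocks):
        for tx in block:
            if involves(tx, skip) or not apply_tx(state, tx):
                dropped.append((height, tx))
    return dict(state), dropped


def rollback(blocks, checkpoint):
    """Blunt recovery: throw away every block after the checkpoint."""
    return replay(blocks[: checkpoint + 1])


def filter_attacker(blocks, attacker):
    """Targeted recovery: keep the chain, drop only the attacker's txs."""
    return replay(blocks, skip=frozenset(attacker))


def legit_txs_lost_by_rollback(blocks, checkpoint, attacker) -> int:
    """Legitimate transactions a rollback discards along with the exploit."""
    return sum(1 for block in blocks[checkpoint + 1:]
               for tx in block if not involves(tx, attacker))


if __name__ == "__main__":
    print("rollback :", rollback(BLOCKS, CHECKPOINT)[0])
    print("filtered :", filter_attacker(BLOCKS, ATTACKER)[0])
    print("legit txs lost by rollback:", legit_txs_lost_by_rollback(BLOCKS, CHECKPOINT, ATTACKER))
```

Both approaches leave the attacker with nothing, but the rollback also erases Bob's and Carol's later transfers, while the filtered replay preserves them and drops exactly two transactions: the bogus mint and the bridge-out. On a real network the filtered state still has to be agreed by validators and honoured by bridges, which is the coordination the author credits Polygon, Gnosis and others with in the Balancer case.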
In the premium section of the newsletter, you will find detailed coverage of the Polymarket compromise, Trust Wallet post mortems and backdoor analysis, the Flow blockchain infinite mint vulnerability, and more.
As we quickly approach the end of the year, with about $2.8B stolen across 363 incidents from various DeFi protocols, blockchains, and centralized exchanges, it’s easy to call 2025 one of the more challenging years that I’ve seen in about 8 years of following this industry. And yet, we must continue fighting the good fight and make this industry succeed for every family out there that can’t afford basic needs because their savings were devalued by failed economies or their assets were stolen by corrupt institutions, with no chance of lifting themselves out of poverty without access to global financial markets. Crypto has a chance of solving this and many more hardships by enveloping the world in an unstoppable global financial network where people can safely transact with anyone, anywhere. As a blockchain security industry, we can pave the road for this future to arrive sooner by creating a safe and trustworthy environment for the billions of users that will be coming onchain soon.
Have a safe new year and many more adventures together. Let’s dive into the news!
News
Trust Wallet confirms extension hack led to $7 million crypto theft.
Gnosis executed hard fork to recover the funds lost in Balancer hack.
T-Mobile USA has leaked all its customers' phone numbers. Google support calls here they come.
Critical n8n Flaw (CVSS 9.9) Enables Arbitrary Code Execution Across Thousands of Instances.
MongoBleed (CVE-2025-14847) exploited in the wild: everything you need to know by Wiz.
2025 Blockchain Security and AML Annual Report by SlowMist.
Cyfrin 2025 Wrap-Up: Web3 Security Audits & Developer Education.
Hack3d: The Web3 Security Report 2025 by CertiK.
Crime
Coinbase CEO announces first arrest in India over insider data breach: ‘More still to come’.
Brooklyn Man Charged with Stealing nearly $16 Million by Presenting Himself as Cryptocurrency Exchange Rep and Scamming Users. It took just a few months after ZachXBT’s investigation.
Former Pump.fun Dev Sentenced to Six Years in Prison for $2 Million Solana Fraud.
Phishing
The OpSec Wakeup Call by Pablo Sabbatella (Opsek).
Another victim of address poisoning attack lost $450K in tBTC.
Media
Unchained - How Crypto Users Get Rekt and How You Can Stay Safe with Pablo Sabbatella and Isaac Patka.
Research
The Death of the Audit Contest? by alix40.
USCSA: Evolution-Aware Security Analysis for Proxy-Based Upgradeable Smart Contracts.
Blockchain Interoperability Part 2: All About Atomic Swaps by TheMj0ln1r.
King Of Bug Bounty Tips. A curated collection of tips from well known (web2) bug hunters.
Awesome Move Security by Monethic.
Radiant: Concolic Execution for Solana Programs by Inversive Labs.
Tools
heimdall-eval by Jon Becker. A structured approach to evaluating and benchmarking Heimdall's decompilation accuracy and CFG generation quality.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.
Premium Content
The content presented below is intended for personal, non-commercial use only and is protected by copyright laws. Any unauthorized distribution, reproduction, or inclusion of this content in public or commercial products, databases, publications, and other mediums is strictly prohibited without the express written permission of the author.
Hacks
Polymarket
Date: December 24, 2025
Attack Vector: Authentication Bypass
Chain: Polygon


