Greetings!
More than $12.5M was stolen this week across seven incidents. But before diving into a few intriguing case studies, we need to revisit a fascinating indictment by the U.S. Department of Justice. The case involves Andean Medjedovic, a Canadian hacker responsible for two massive DeFi exploits totaling $65M—Indexed Finance and KyberSwap.
The indictment reads like a spy thriller: brazen hacks, undercover agents, informants, extortion, and a near capture. If you need a refresher, Andy was behind the $16M Indexed Finance compromise in 2021. His identity was exposed due to a series of OPSEC mistakes, forcing him to spend the last three years as a fugitive from Canadian authorities. Now, we’ve learned he funded his life on the run through a years-long hacking spree that included KyberSwap, HXA Coin, QAN Platform, and more. If US DoJ’s ability to recover fugitives is even slightly better than their Canadian counterparts, then Andy may soon be joining Avi and SBF at MDC Brooklyn.
One of the week’s most interesting exploits was a $12.3M attack on Ionic (aka Midas) on Mode chain. Unlike purely technical hacks, this one involved a sophisticated month-long social engineering effort. The attacker convinced the team to add a fake LBTC token into the protocol, then quickly minted $24M worth of it and used it as collateral to drain the protocol. But here’s where it gets interesting—Mode chain intervened, freezing the attacker’s address. However, they were quickly reminded of the same L1 to L2 transaction backchannel that recently caught Soneium off guard.
Lastly, I’m tracking an attacker tearing through multiple no-source MEV contracts across various chains, all exploiting the same Insufficient Access Control vulnerability. Most individual hits are under $5K, but one already reached $188K. Just another reminder that vulnerabilities can be found—with or without source code.
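The access-control weakness referred to above is the classic shape of an MEV executor that lets any caller drive arbitrary calls from the contract's own balance. The following is an added, constructed illustration (not code from any of the affected contracts, and the contract and function names are hypothetical): the weak pattern is shown beside the hardened form, where execution and fund recovery are restricted to the deployer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed for the sweep function below.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address who) external view returns (uint256);
}

/// Constructed example of the weak pattern (hypothetical name).
/// The contract holds tokens for MEV execution, but `execute` has no
/// caller check, so anyone can make the contract call any target with
/// any calldata, including transferring out its own token balance.
contract VulnerableExecutor {
    address public owner;

    constructor() {
        owner = msg.sender;
    }

    // Missing access control: the `owner` field is stored but never enforced.
    function execute(address target, bytes calldata data) external returns (bytes memory) {
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}

/// Hardened variant (hypothetical name): the same execution capability,
/// gated to the deployer, plus an explicit owner-only withdrawal path.
contract HardenedExecutor {
    address public immutable owner;

    error NotOwner();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Only the owner may route calls through this contract.
    function execute(address target, bytes calldata data) external onlyOwner returns (bytes memory) {
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }

    // Explicit, owner-only recovery of any token held by the contract.
    function sweep(address token, address to) external onlyOwner {
        IERC20 t = IERC20(token);
        require(t.transfer(to, t.balanceOf(address(this))), "transfer failed");
    }
}
```

For contracts deployed without source, the same check can be made from the outside: simulate a call to the suspected execution entrypoint from an address other than the deployer and confirm it reverts. A no-source contract whose arbitrary-call function succeeds for an unprivileged caller is exactly the pattern being hit this week.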
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Let’s dive into the news!
News
Tornado Cash Developer Alexey Pertsev Released From Jail to Prepare for Appeal. Alexey was sentenced to more than 5 years in prison in 2024.
Canadian Man Charged in $65M Cryptocurrency Hacking Schemes. The indictment links Andean Medjedovic to at least two hacks involving KyberSwap and Indexed Finance. The connection was further confirmed through onchain tracking by TRM.
Critical zero-day exploit across entire Apple line. Update now!
Adversarial Misuse of Generative AI by Google Threat Intelligence Group. We are not the only ones exploring the use of LLMs for bug hunting.
XRP Ledger's hour-long halt sparks debate over consensus tradeoffs.
Crime
Lebanon man sentenced to 20 years for stealing $37 million in cryptocurrency.
Blood on the Blockchain by Rekt. A deep dive into the kidnapping of a Ledger co-founder, a $10M ransom, a severed finger, and a 48-hour manhunt.
Pakistan police officer remanded over USDT theft and kidnapping.
35% Year-over-Year Decrease in Ransomware Payments, Less than Half of Recorded Incidents Resulted in Victim Payments by Chainalysis.
Policy
Biden-appointed federal judge slams FDIC over Coinbase FOIA lawsuit: 'It’s almost laughable’.
US SEC scales down crypto enforcement unit while task force gears up: report with one of its top crypto litigators reassigned to IT likely downstairs into Storage B. Yeaaaahhh.
Coinbase demands action from US bank regulators in a move to clarify crypto banking rules.
Phishing
More than $300M was stolen from Coinbase users according to research by ZachXBT. Rekt’s report dives into many techniques used by scammers to target Coinbase users, the threat actors behind the attacks, and a few past hacks.
Preventing account takeover on centralized cryptocurrency exchanges in 2025 by Trail of Bits.
Reports of realtime face-altering AI used by DPRK IT workers for interviews.
The 23-year-old who infiltrated a North Korean laptop farm by HUMINT.
More than $10M was drained from 9K+ user wallets in January according to Scam Sniffer.
Crazy Evil Gang Targets Crypto with StealC, AMOS, and Angel Drainer Malware.
An approval phishing exploit of chickengenius.eth results in the theft of $394K worth of LINK tokens.
JuperDAO X account compromised. Just another high profile compromise in the never ending stream of hacks on X.
Phishing attackers target Phantom wallet users with fake update pop-ups.
Scams
An investigation into how @wheres29 used stories of real cancer-stricken babies to launch multiple crypto rug pulls by okHOTSHOT.
Reports of threat actors hijacking bitly links to push crypto scams by VX Underground.
De-Rugged? Space Warriors Club by Rug Pull Finder.
AlleyCat - The Gambling Deployer! by Rug Pull Finder.
FBI Warns: Valentine’s Day to Bring a Surge in Crypto Fraud—Don’t Get Trapped.
Report of an impending rug by Beraswap by pcaversaccio.
Solana Meme Coin Dogwifhat Has No Deal With Las Vegas Sphere, Venue Says.
I Almost Got Slaughtered in a Pig Butchering Crypto Scam by Nelson Wang (Unchained).
Malware
Lazarus Group Targets Organizations with Sophisticated LinkedIn Recruiting Scam by Bitdefender.
macOS FlexibleFerret | Further Variants of DPRK Malware Family Unearthed by Phil Stokes & Tom Hegel (SentinelOne).
Take my money: OCR crypto stealers in Google Play and App Store by Kaspersky. An analysis of the SparkCat crypto-stealing malware campaign.
Detecting malicious VSCode extensions - an exploration by matta (The Red Guild).
Media
DSS Monthly Webinar - Demystifying Smart Contract Security: Facts & Fallacies with Hari (Spearbit), Matthias (ChainSecurity), Michal (SigmaPrime), Josselin (Trail of Bits), Mooly (Certora) moderated by Rajeev (Secureum).
Runtime Verification x Cantina | Demo + Q&A. Learn about the latest features of Symbolik with Raoul Schaffranek.
Solana Tutorials by ZYJ Liu.
Cosmos SDK Security with Alpin Yukseloglu.
Research
Web3 Security Auditor's 2024 Rewind by Ionut-Viorel Gingu (OpenZeppelin).
DOS in DeFi Liquidity Pools: The Initialization Vulnerability by Patrick Ventuzelo and Mathieu Troullier (Fuzzing Labs). A case study of Raydium CLMM Pool vulnerability.
Starknet Security Update: potential full node vulnerability.
AAVE and Compound Forking: Empty Pool Attacks by Tim Savon (MixBytes).
PAT-tastrophe: How We Hacked Virtuals' $4.6B Agentic AI & Cryptocurrency Ecosystem by Shlomie Liberow. Git never forgets, including your cloud secrets.
Vyper and Python Smart Contracts on Blockchain – Full Course for Beginners by freeCodeCamp with Patrick Collins.
Implementing Your First Smart Contract Invariants: A Practical Guide by Nican0r (Recon).
Missing Encryption of Sensitive Data in Coinbase Wallet SDK version 4.0.0 - 4.3.0.
CertiK - Uniswap V4: Hooks Security Considerations by CertiK.
The Prague/Electra (Pectra) Hardfork Explained by Sergey Boogerwooger, Dmitry Zakharov (MixBytes).
The Hacker’s Mindset by Securr.
Interesting limit in LLMs’ ability to find transfer logic bugs by banteg.
The Ultimate Guide to Trusted Execution Environments (TEE) in Crypto by Olympix.
Paradigm CTF 2023 - Black Sheep - Solution by Herman Junge using Huff.
Following Devils' Footprint: Towards Real-time Detection of Price Manipulation Attacks.
Large Language Models for Cryptocurrency Transaction Analysis: A Bitcoin Case Study.
Deanonymizing Ethereum Validators: The P2P Network Has a Privacy Issue.
The Hitchhiker's Guide To Dark Pools In DeFi: Part Three by Emmanuel Awosika and Koray Akpinar (2077 Research). A great deep dive into Railgun.
Top 5 Mixers in 2024 by Zero Shadown.
Ethereum On-chain Privacy Projects Map by swayam.
The Problems with Solana Data Indexing by Astralane.
The Art of Writing Security Reports by Zokyo.
The Hitchhiker's Guide to DFIR: Experiences From Beginners and Experts.
Tools
sb-heists - a comprehensive framework for testing smart contract security patches against real-world exploits by Assert at KTH Royal Institute of Technology.
Arachne - a scaffolding framework built to streamline the development of large-scale fuzzing suites. It offers a range of helper functions and a solid structure to minimize setup time, allowing users to begin fuzzing quickly and efficiently, while keeping the codebase maintainable. A great addition to Echidna and Medusa. Developed by Perimeter Security.
Medusa v1.0.0. A major release that introduces on-chain fuzzing, Slither integration, and support for more EVM cheatcodes.
Slither 0.11.0 released. Includes more detectors and printers as well as a beautiful storage viewer.
Search CTF Writeups - Find and explore CTF solutions and writeups including many DeFi contests.
LLM4Decompile - Reverse Engineering: Decompiling Binary Code with Large Language Models.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.