Blockchain Security Brief
The weekly record of web3's darkest hours

Monday, November 17, 2025

Top Exploits

DeFi got hit by its own assumptions this week. Arithmetic drift tore through Balancer, while Hyperliquid proved that market structure can be just as fatal as bad math. Two different failures, one shared lesson: the most expensive exploits now come from the places protocols never thought to look.

  • Balancer loses $128M to a single-direction rounding flaw. A one-way mulDown buried in Balancer’s scaling math - dismissed in the code as having “minimal impact” - detonated across nine chains as an attacker turned precision loss into a multi-pool invariant collapse. Five years of audits, formal verification, and battle-testing couldn’t save Balancer from the smallest bug in the system: math that rounded in only one direction.

  • Hyperliquid eats $4.9M after a user-paid price manipulation wipeout. An attacker split $3M across 19 wallets, built $20M of leveraged POPCAT longs, then yanked the price upward with a single massive buy wall before pulling the liquidity and collapsing the market. The resulting liquidation cascade nuked Hyperliquid’s community-owned vault, leaving $4.9M in bad debt - all without exploiting a bug.
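The one-way rounding point in the Balancer item above, as an added example that is not Balancer's or any auditor's code: 18-decimal fixed-point helpers in the style of Solidity FixedPoint libraries, plus a constructed quote that shows how using the "down" variant where the pool is the receiver leaks value one wei per trade, which is exactly what a rounding-direction review is meant to catch. The price value and the trade loop are constructed for illustration.

```python
from fractions import Fraction

ONE = 10**18  # 1.0 in 18-decimal fixed point, as in Solidity FixedPoint libraries


def mul_down(a: int, b: int) -> int:
    """a*b in fixed point, rounded toward zero: never above the exact product."""
    return (a * b) // ONE


def mul_up(a: int, b: int) -> int:
    """a*b in fixed point, rounded up: never below the exact product."""
    p = a * b
    return 0 if p == 0 else (p - 1) // ONE + 1


def div_down(a: int, b: int) -> int:
    """a/b in fixed point, rounded toward zero."""
    return (a * ONE) // b


def div_up(a: int, b: int) -> int:
    """a/b in fixed point, rounded up."""
    return 0 if a == 0 else (a * ONE - 1) // b + 1


# Constructed price: the pool pays out 3/7 of an 'out' token per 'in' token.
# 3/7 is not exactly representable, so every quote has to round somewhere.
RATE = 3 * ONE // 7


def quote_amount_in(amount_out: int, rate: int, round_up: bool) -> int:
    """'in' tokens a trader must pay to receive amount_out at `rate` (out per in).
    The pool is the receiver here, so the safe direction is UP; rounding down
    is the one-way-rounding mistake the text describes."""
    return div_up(amount_out, rate) if round_up else div_down(amount_out, rate)


def pool_value_drift(n_trades: int, rate: int, round_up: bool) -> Fraction:
    """Exact change in pool value (in 'in'-token wei) after n_trades trades that
    each withdraw 1 wei of the 'out' token. Negative means the pool is leaking."""
    fair_cost = Fraction(ONE, rate)  # exact price of 1 wei out, in 'in' wei
    drift = Fraction(0)
    for _ in range(n_trades):
        drift += quote_amount_in(1, rate, round_up) - fair_cost
    return drift
```

With `round_up=False` the drift after 1000 one-wei trades is roughly -333 wei of the 'in' token; with `round_up=True` the pool never pays out more than exact value, which is the invariant each call site should be checked against.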

Rekt Audit Broker

The big city sleeps, but the code never does. Neither do the crooks.

Rekt Audit Broker connects protocols with top-tier security firms. One request, multiple bids. Faster audits, fairer pricing, trusted partners.

Audits are cheaper than funerals.

Deep Dives

Explained: The Hyperliquid Hack (3 min)
A trader turned Hyperliquid’s own market mechanics against it, using $3 million in sacrificial capital to blow POPCAT’s price upward, bait liquidity, then pull the floor out and let 10x leverage do the killing. Nineteen wallets, a $20 million buy wall, and one violent unwind later, the attacker walked away liquidated - but Hyperliquid’s community vault ate $4.9 million in bad debt. No bug, no exploit, just a protocol designed to assume rational traders in a market built for predators.

Understanding the "Insecure Randomness" Vulnerability (6 min)
Randomness is the closest thing blockchains have to luck, and when it’s fake, everything built on it collapses. This breakdown shows how predictable entropy lets attackers rig lotteries, mint rare NFTs on command, and tilt validator elections, turning “fair chance” into a deterministic exploit path. When protocols use blockhashes and timestamps as dice, adversaries stop playing the game and start controlling it - a reminder that on-chain randomness isn’t random unless it’s cryptographically provable.

The Hacken 2025 TRUST Report: Web3 Security and Compliance (65 min)
Hacken’s latest TRUST Report makes one thing painfully clear: Web3 isn’t losing billions to bad code — it’s losing billions to bad opsec. With $3.6B stolen in 2025 and over half traced to North Korean crews, the report shows how poisoned dependencies, sloppy multisigs, and compromised developer environments now dwarf smart-contract bugs as the industry’s real failure points.

NFT Security Guide for Builders and Operators (7 min)
Spearbit’s latest guide tears into the messy underbelly of NFT security, showing how modern collections aren’t failing from memes or metadata drama - they’re failing from weak mint logic, upgrade traps, blind-signing phish kits, and sloppy off-chain pipelines masquerading as “Web3 infrastructure.” As NFTs evolve into access keys, revenue rights, and game economies, Spearbit maps the real threat surface: replayable signatures, mutable URIs without guardrails, overpowered admin keys, and reveal systems held together by Google Sheets and prayer.

Stablecoin Risks: How Poor Redeemability and Liquidity Erode Quality (8 min)
Stablecoins only work when users believe they can get a real dollar back for every synthetic one - and the moment that faith cracks, the peg follows. This piece breaks down how thin reserves, opaque backing, and shallow secondary-market liquidity turn “stable” assets into slow-motion bank runs waiting for a bad day. From redemption queues to manipulated prices on illiquid books, it shows why most stablecoins don’t collapse from volatility - they collapse from math, market depth, and the brutal physics of liquidity itself.

Other Security Stories

U.S. Launches New Strike Force to Combat $10 Billion Southeast Asian Scam Industry. A new federal task force and fresh OFAC sanctions are targeting Burma-based scam compounds and Chinese crime networks behind America’s fastest-growing fraud economy, as U.S. agencies claw back hundreds of millions in crypto from pig-butchering empires built on forced labor and industrialized deception.

Chrome Wallet Trojan Slips Into Top Search Results on Google. A fake “Safery” extension climbed to the No. 4 Ethereum wallet slot on the Chrome Web Store while quietly exfiltrating seed phrases through encoded Sui microtransactions. A supply-chain ambush disguised as a browser wallet, draining users the moment they typed their first word of recovery.

Australian Police Impersonation Scam Exploits Government Systems to Steal Crypto. Fraudsters filed fake reports through Australia’s official ReportCyber portal, then called victims posing as AFP officers to “verify” the case - a double-layer con that weaponized government infrastructure to pressure targets into handing over wallet access before the script finally broke under suspicion.

Kraken Ransomware Benchmarks Victim Machines Before Detonating Encryption. The reborn HelloKitty crew now stress-tests every system it hits - using throwaway files as makeshift bench rigs - to decide whether to fully lock a target or slice it apart with partial encryption, a calculated performance hack that lets the gang move fast, stay quiet, and maximize carnage across Windows, Linux, and ESXi environments before wiping their footprints clean.

EU Arrests Nine Linked to $689M Crypto Laundering Empire. A coordinated sweep across Cyprus, Spain, and Germany gutted a fraud ring that pushed victims into fake trading sites, washed hundreds of millions through cross-chain mixers, and left Europol warning that crypto crime is evolving faster than the agencies trying to contain it.

New Tools and Projects

SEAL Anti-Phishing Network: A new collaborative tool for wallet providers and security researchers, enabling real-time phishing report verification and shared threat intelligence across major wallets like WalletConnect, Backpack, and Phantom.

Certora × Cork Protocol × Hypernative Alliance: A newly announced security standard partnership combining formal verification, audit-automation and active on-chain monitoring tools - signalling a shift toward integrated vendor stacks for Web3 protocol assurance.

BitsLab Safe: BitsLab acquired Japan-based KEKKAI’s browser-extension plugin and relaunched it as “BitsLab Safe,” integrating AI-driven transaction risk analytics and real-time Web3 user protection at wallet level.

DeepTx: The project presents a system that uses multimodal features and LLM reasoning to flag malicious pending Web3 transactions before execution - hinting at future day-0 user protection tools.

PoCo – Proof-of-Concept Exploit Generator: An agentic framework announced in academic work that auto-generates executable exploit PoCs from vulnerability descriptions in smart-contract audits, speeding up audit cycles and increasing reproducibility of findings.

Rekt Flashback

One year ago, Polter Finance’s unaudited fork of Geist turned into an $8.7 million oracle manipulation meltdown after a flash-loan drain warped BOO’s SpookySwap price, letting an attacker mint inflated collateral and vacuum the protocol while the team filed a suspiciously puffed-up $12 million police report, paused everything in panic, traced wallets to nowhere, and begged the exploiter on-chain. Another textbook reminder that in DeFi, copying code isn’t security, skipping audits isn’t speed, and “fork and pray” always ends the same way.

Memes and Videos

The Hacker Who Betrayed the FBI

He patched the government, then hacked it. Max Butler went from FBI informant to the most wanted cybercriminal on the internet - a man who built a criminal empire out of code and control. This is the story of “Iceman,” the hacker who tried to own the underground and lost everything to it.

Source: Blackfiles

Source: alancarroII

Want to partner with us?

Skip the bots, hit the brains.

Get your message in front of the sharpest, most battle-tested crowd in crypto.

If they notice you, the whole space will. [Partner with us]

We provide an anonymous platform for whistleblowers and DeFi detectives to present their information to the community. All authors remain anonymous.
We are all rekt.
