Blockchain Security Brief
The weekly record of web3's darkest hours

Monday, September 22, 2025

Top Exploits

Mid-September brought validator captures, rookie launch disasters, and phishing’s undead persistence - proving once again that DeFi innovation moves fast, and security moves never:

  • New Gold Protocol bled ~$2M on BNB Chain after flash loans, oracle manipulation, and laughably broken transfer logic turned its “non-negotiable security” into a speedrun tutorial on how not to build DeFi. Token cratered 88%, team went radio silent. (Read more)

  • Shibarium lost ~$3M when attackers seized 10 of 12 validator keys, pulling a Ronin-style consensus rewrite. Half the haul got blacklisted into oblivion, turning the perfect exploit into an expensive self-own. (Read more)

  • POL Presale locked ~$20M after a sleep-deprived dev botched a proxy upgrade, freezing 77M tokens forever. The “Bruce Lee” behind it blamed a “tired previous dev,” but the result was the same: funds fossilized on-chain, investors left holding nothing but memes. (Read more)

Rekt Club

The good news: Rekt isn’t slowing down.

The bad news (depending on how much you liked our merch drops and secret channels): we’re hitting pause on Rekt Club.

Why? Because the battlefield changed. Blockchain security is where the real war is, and we’re throwing every resource into making Rekt not just a tabloid of your favorite disasters, but a structural player in the industry. Less autopsy, more architecture. Less hack-chasers, more agenda-setters.

If you’ve backed us already: respect.

We’ll keep delivering value for at least the next six months. Expect more than words on a screen—printed editions, merch, private events, and collabs with Stake Capital, Stable Summit, and friends like Nansen.

New subscriptions? Closed. Existing ones? Honored.

The Club may be on ice, but the mission is heating up.

Rekt doesn't die, it evolves...

Deep Dives

Silent Sabotage: How Address Poisoning Puts Wallet Users at Risk (6 min read)
When your entire wallet security boils down to copy-paste muscle memory, one poisoned address in your history is all it takes to reroute your future straight into an attacker’s pocket.
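The copy-paste trap described above is detectable on the wallet side: a poisoned entry only works because it matches the few leading and trailing characters a UI shows, while differing everywhere else. The script below is an added illustration, not code from this newsletter or from the linked article. It flags lookalike counterparties (same visible prefix and suffix as a trusted address, different full address), flags the zero- or dust-value transfers that plant them in a history, and refuses a recipient that mimics a trusted address. Every address, the four-character prefix/suffix window and the dust threshold are constructed assumptions, not values from the page.

```python
"""Defender-side checks against address poisoning (added example, constructed data)."""
from dataclasses import dataclass
from typing import Iterable

PREFIX_CHARS = 4          # assumption: hex chars after "0x" that a typical UI shows
SUFFIX_CHARS = 4          # assumption: trailing hex chars a typical UI shows
DUST_THRESHOLD_WEI = 10**12   # assumption: transfers at/below this are "dust"


def normalize(addr: str) -> str:
    """Lowercase, 0x-prefixed 20-byte hex address; raises on malformed input."""
    a = addr.strip().lower()
    if a.startswith("0x"):
        a = a[2:]
    if len(a) != 40 or any(c not in "0123456789abcdef" for c in a):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return "0x" + a


def is_lookalike(candidate: str, trusted: str) -> bool:
    """True when candidate shows the same visible prefix/suffix as trusted but is a different address."""
    c, t = normalize(candidate), normalize(trusted)
    if c == t:
        return False
    same_prefix = c[2:2 + PREFIX_CHARS] == t[2:2 + PREFIX_CHARS]
    same_suffix = c[-SUFFIX_CHARS:] == t[-SUFFIX_CHARS:]
    return same_prefix and same_suffix


@dataclass(frozen=True)
class Transfer:
    sender: str
    recipient: str
    value_wei: int


def poisoning_attempts(history: Iterable[Transfer], wallet: str,
                       trusted: Iterable[str]) -> list:
    """Transfers that look like poisoning: dust value, touching our wallet,
    with a counterparty that mimics one of our trusted addresses.
    The counterparty may sit on either side (attackers can also push a
    zero-value transfer that appears to come *from* the victim)."""
    w = normalize(wallet)
    trusted = [normalize(t) for t in trusted]
    flagged = []
    for tx in history:
        s, r = normalize(tx.sender), normalize(tx.recipient)
        if w not in (s, r):
            continue
        counterparty = r if s == w else s
        if tx.value_wei <= DUST_THRESHOLD_WEI and any(is_lookalike(counterparty, t) for t in trusted):
            flagged.append(tx)
    return flagged


def check_recipient(recipient: str, trusted: Iterable[str]) -> str:
    """'trusted', 'lookalike:<trusted address>' or 'unknown' for a send target."""
    r = normalize(recipient)
    for t in trusted:
        t = normalize(t)
        if r == t:
            return "trusted"
        if is_lookalike(r, t):
            return f"lookalike:{t}"
    return "unknown"


# Constructed sample data: the lookalike shares "ab12" and "cd34" with the trusted address.
WALLET = "0x1234567890abcdef1234567890abcdef12345678"
TRUSTED = "0xab129f3e7c1b2a4d6e8f0a1b2c3d4e5f6a7bcd34"
LOOKALIKE = "0xab12d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0cd34"
UNRELATED = "0x" + "e" * 40

HISTORY = [
    Transfer(WALLET, TRUSTED, 10**18),      # genuine payment to the real counterparty
    Transfer(LOOKALIKE, WALLET, 0),         # zero-value dust planted by the lookalike
    Transfer(UNRELATED, WALLET, 5 * 10**17),  # ordinary unrelated deposit
]

if __name__ == "__main__":
    for tx in poisoning_attempts(HISTORY, WALLET, [TRUSTED]):
        print("poisoning attempt from", tx.sender)
    print(check_recipient(LOOKALIKE, [TRUSTED]))
```

In practice the "trusted" list is an explicit address book the user confirmed out of band; the point of the check is that the send path consults that list, not the transaction history the attacker can write into.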

Smart Contract Vulnerabilities in Upgradable Contracts (23 min read)
When “code is law” comes with an edit button, the law gets rewritten by whoever forgets to lock the door.

Yo Protocol's Unseen Dangers: Why Code Audits Aren't Enough (28 min read)
Centralization Risks, MEV Vulnerabilities, and Critical Bug Bounty Gaps in DeFi's Yield Optimizer.

Bug Analysis: Penalty Bypass - When the Donation Receiver Is the Attacker (4 min read)
JIT is DeFi’s dirtiest hustle: slide in liquidity right before a fat swap, skim the fees, and vanish in the same block, leaving the pool and its honest LPs holding nothing but the aftertaste of mempool manipulation.

How the U.S. Traced $110M Crypto Money Laundering Cases (9 min read)
Pig-butchering sweatshops, shell companies, and a Bahamian bank that couldn’t spell AML - the feds just pieced together $110M worth of digital blood money.

Other Security Stories

Fantom flirts with death spiral. A $50M whale loan teeters on liquidation, gas fees explode, and cascading sells nearly choke the network into oblivion.

Insider leaks 10,000 Coinbase accounts in $400M breach. Names, addresses, bank data, and IDs were siphoned by a rogue TaskUs employee in one of the largest breaches.

Browser attacks are the new frontline for enterprise hacks. From MFA-busting phishing kits to ClickFix clipboard traps, OAuth scams, and hijacked extensions, attackers now hit business apps where employees live: inside the browser.

New ModStealer malware drains crypto wallets across Mac, Windows, and Linux. Distributed through fake job ads, it hides as a background agent, stealing private keys, seed phrases, and browser wallet data.

‘The Lord told us to’: Denver pastor and wife found liable for $3.3 million crypto fraud scheme. The Regalados pitched low-risk, high-profit crypto to their flock, then spent investor funds on luxury trips, jewelry, and a Range Rover.

New Tools and Projects

MetaMask’s Kipuka: a tool that transparently runs npm installs (or other package manager commands) in containers/VMs to block malicious npm packages from harming dev machines.

ScamDetect: a platform-agnostic framework for detecting smart contract malware & phishing via static bytecode + opcode + (future) GNN + WASM support.

TraceLLM: joint trace-and-contract-code analysis using LLMs to map out attack paths inside transactions for Ethereum smart contracts.

DeriW: On-chain derivatives protocol with zero gas fees, built as a Layer-3 on Arbitrum’s Orbit, boasting ~80,000 TPS, millisecond matching, UBPK + zk-proof privacy, and Pendulum AMM zero-slippage LP yields up to ~80%.

Rekt Flashback

One year ago, Shezmu learned that “code is law” sometimes comes with fine print in disappearing ink. A September vault upgrade left the doors wide open, letting an attacker mint ShezUSD like it was Monopoly money and walk off with $4.9M. But instead of a clean getaway, the exploit turned into a standoff - Shezmu threatening lawsuits, the hacker demanding a bigger bounty. In the end, the attacker returned the loot for a 20% cut, proving that in DeFi, sometimes negotiation saves your bags faster than audits ever will.

Memes and Videos

The Hacker Who Scammed the FBI

When the FBI’s biggest informant was also its biggest problem: Popoff ran stings, stole millions, and sold the Bureau its own fix. What started as a cybercrime takedown ended as an inside job scandal. Justice blurred, trust shattered, and a federal agent’s career burned in the fallout.

Source: Blackfiles

Source: alancarroII


We provide an anonymous platform for whistleblowers and DeFi detectives to present their information to the community. All authors remain anonymous. 
We are all rekt.
