Blockchain Security Brief
The weekly record of web3's darkest hours

Monday, January 5, 2026

Welcome to 2026.

After $4B in losses in 2025, the first week of January opens with a familiar pattern: broken governance, off-chain trust failures, and money laundering that still moves faster than accountability.

This week:

• A multisig governance failure that unlocked $3.9M in minutes
• Post-mortems from Hacken and SlowMist on where 2025 actually went wrong
• Malware, AI scams, and human error doing most of the damage again

The year changed. The threat model didn’t.

Top Exploits

Governance isn’t boring plumbing - it’s the master key. When it breaks, everything downstream opens at once.

Unleash Protocol’s multisig turned into a master-admin backdoor. An attacker seized governance control, pushed an unauthorized contract upgrade, and quietly drained $3.9M across WIP, USDC, WETH, stIP, and vIP without touching the underlying protocol stack. Funds were bridged to Ethereum and laundered in neat 100 ETH chunks through Tornado Cash, with PeckShield and CertiK tracing the flow.
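The Unleash sequence (owner change, then an unreviewed upgrade, then the drain) is exactly the kind of admin activity a protocol should be alerting on before the funds move. The block below is an added example written for this brief, not code from Rekt, Unleash Protocol, PeckShield or CertiK: it audits a chronological list of decoded admin events against an explicit policy (expected signers, minimum threshold, reviewed implementation addresses, minimum timelock delay). Event names follow the public Safe (AddedOwner, RemovedOwner, ChangedThreshold) and ERC-1967 (Upgraded) conventions; `UpgradeScheduled` is a hypothetical timelock announcement event, and every address and event in the sample is constructed.

```python
"""Flag multisig / proxy admin events that fall outside an explicit policy."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AdminPolicy:
    expected_owners: frozenset          # signers the multisig is supposed to have
    min_threshold: int                  # never accept a lower M-of-N than this
    allowed_implementations: frozenset  # implementations that went through review
    min_upgrade_delay: int              # blocks required between announcement and upgrade


def audit_admin_events(events, policy):
    """Return (block, kind, detail) alerts for every policy violation.

    `events` is a chronological iterable of dicts {block, name, args} whose
    args are already ABI-decoded. Addresses are compared case-insensitively.
    """
    alerts = []
    scheduled = {}  # implementation -> block at which the upgrade was announced
    for ev in events:
        name, args, block = ev["name"], ev["args"], ev["block"]
        if name == "AddedOwner":
            owner = args["owner"].lower()
            if owner not in policy.expected_owners:
                alerts.append((block, "unexpected_owner", owner))
        elif name == "RemovedOwner":
            owner = args["owner"].lower()
            if owner in policy.expected_owners:
                alerts.append((block, "expected_owner_removed", owner))
        elif name == "ChangedThreshold":
            if args["threshold"] < policy.min_threshold:
                alerts.append((block, "threshold_lowered", args["threshold"]))
        elif name == "UpgradeScheduled":  # hypothetical timelock announcement
            scheduled[args["implementation"].lower()] = block
        elif name == "Upgraded":
            impl = args["implementation"].lower()
            if impl not in policy.allowed_implementations:
                alerts.append((block, "unreviewed_implementation", impl))
            announced = scheduled.get(impl)
            if announced is None or block - announced < policy.min_upgrade_delay:
                alerts.append((block, "upgrade_without_delay", impl))
    return alerts


# Constructed placeholders: not real signers or contracts.
SIGNER_A = "0x" + "a" * 40
SIGNER_B = "0x" + "b" * 40
SIGNER_C = "0x" + "c" * 40
ROGUE_SIGNER = "0x" + "d" * 40
REVIEWED_IMPL = "0x" + "1" * 40
ROGUE_IMPL = "0x" + "2" * 40

POLICY = AdminPolicy(
    expected_owners=frozenset({SIGNER_A, SIGNER_B, SIGNER_C}),
    min_threshold=2,
    allowed_implementations=frozenset({REVIEWED_IMPL}),
    min_upgrade_delay=100,
)

# Constructed event stream: a hostile takeover followed by a legitimate upgrade.
SAMPLE_EVENTS = [
    {"block": 100, "name": "AddedOwner", "args": {"owner": ROGUE_SIGNER}},
    {"block": 101, "name": "ChangedThreshold", "args": {"threshold": 1}},
    {"block": 102, "name": "Upgraded", "args": {"implementation": ROGUE_IMPL}},
    {"block": 200, "name": "UpgradeScheduled", "args": {"implementation": REVIEWED_IMPL}},
    {"block": 400, "name": "Upgraded", "args": {"implementation": REVIEWED_IMPL}},
]


def demo():
    """Run the audit over the constructed stream; the first three events
    produce four alerts, the announced-and-delayed upgrade produces none."""
    return audit_admin_events(SAMPLE_EVENTS, POLICY)


if __name__ == "__main__":
    for block, kind, detail in demo():
        print(f"block {block}: {kind} ({detail})")
```

The point of the policy object is that "unexpected" is defined up front and checked mechanically; an owner addition or a threshold drop that nobody scheduled is the alert, not the drain transaction that follows it.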

Rekt Audit Broker

The big city sleeps, but the code never does. Neither do the crooks.

Rekt Audit Broker connects protocols with top-tier security firms. One request, multiple bids. Faster audits, fairer pricing, trusted partners.

Audits are cheaper than funerals.

Deep Dives

The Hacken 2025 Yearly Security Report (50 min read)
Hacken’s Security Report 2025 cuts through the excuses: over $4B lost in one year, with most damage coming from operational failures, not exotic exploits. More than half the losses trace back to North Korean actors, while leaked keys, bad access control, and human error did the rest. The takeaway is brutal and simple - Web3 didn’t lose money because it was complex, it lost money because it wasn’t grown up.

SlowMist: 2025 Q4 MistTrack Stolen Funds Analysis (30 min read)
SlowMist’s Q4 MistTrack data shows theft is still overwhelmingly human-driven: 300 victim reports, phishing as the top vector, and nearly $50M lost in a single address-poisoning mistake. Social engineering, fake interviews, browser autocomplete hijacks, and quiet permission changes did most of the damage, not zero-days. MistTrack helped freeze or recover ~$1M, but the takeaway is blunt: attackers win by blending into “normal” workflows, and security fails the moment trust replaces verification.

2025 Blockchain Security and AML Annual Report (21 min read)
SlowMist’s annual report paints a grim picture: fewer hacks, far bigger losses, and attackers operating like mature businesses. Phishing, key theft, supply-chain poisoning, and social engineering did most of the damage, while DPRK-linked groups and Southeast Asian scam factories industrialized laundering through mixers and service platforms. Regulation finally caught up with freezes, seizures, and cross-border crackdowns, but the verdict is clear - security and compliance are no longer features, they’re survival requirements.

Explained: The Trust Wallet Hack (December 2025) (3 min read)
This wasn’t a wallet bug but a supply-chain breach: attackers leveraged the Shai-Hulud npm worm to steal Trust Wallet’s source access and Chrome Web Store API key, then shipped a malicious extension update that exfiltrated private keys. The poisoned v2.68 build was live for ~48 hours over Christmas, draining ~$8.5M from ~2,520 users. No on-chain logic failed - the damage came entirely from compromised build and release infrastructure.

A Developer’s Guide to FHEVM Security (25 min read)
FHEVM hides data but shifts risk to integrity: unchecked encrypted math can under-charge, loose ACLs can leak data, and async decryption callbacks can be replayed. Silent failures, transient permissions, and premature disclosure mean contracts can “work” while breaking core assumptions. Confidentiality survives only if permissions are minimal, arithmetic is guarded, and async flows are strictly one-time.

Other Security Stories

Love, Lies, and One Lost Bitcoin. AI deepfakes simulate real relationships long enough to drain wallets without ever touching a private key.

GlassWorm Malware Is Back - Now Hunting Mac Devs. Trojanized VSCode/OpenVSX extensions quietly replace crypto wallets, steal keychains and credentials, and turn developer machines into long-lived access points.

Crypto exchange employee jailed for BTC-backed espionage. A South Korean staffer took roughly $487K in Bitcoin from North Korea to recruit an army captain to steal military secrets, using a hidden camera and a USB attack that was ultimately intercepted and traced on-chain.

Losses Fell, Scams Didn’t. PeckShield counted ~$76M stolen across 26 December incidents, with the biggest damage coming from address poisoning and a multisig private-key leak.
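Address poisoning, which shows up both in the SlowMist Q4 numbers above and in PeckShield's December tally, works because wallet UIs truncate addresses to the first and last few characters. The block below is an added example, not code from SlowMist, PeckShield or MistTrack: it scans a wallet's transfer history for incoming transfers from addresses that match a trusted counterparty on those visible characters but differ in the middle, and gates outgoing sends against the same lookalike test. All addresses and transfers are constructed.

```python
"""Detect address-poisoning lookalikes in a wallet's transfer history."""


def _norm(addr):
    return addr.lower()


def is_lookalike(candidate, trusted, prefix=4, suffix=4):
    """True when `candidate` matches `trusted` on the leading `prefix` and
    trailing `suffix` hex characters (after 0x) but is a different address.
    Those are the characters a truncated UI shows, which is what poisoning
    relies on."""
    c, t = _norm(candidate), _norm(trusted)
    if c == t:
        return False
    return c[2:2 + prefix] == t[2:2 + prefix] and c[-suffix:] == t[-suffix:]


def find_poisoning_candidates(history, trusted_book):
    """Return (sender, impersonated, value) for every incoming transfer from a
    lookalike of a trusted address. Poisoning transfers are typically zero
    value or dust, so `value` is returned for triage but not filtered on.
    `history` is a list of dicts {direction, counterparty, value}."""
    hits = []
    for tx in history:
        if tx["direction"] != "in":
            continue
        for trusted in trusted_book:
            if is_lookalike(tx["counterparty"], trusted):
                hits.append((_norm(tx["counterparty"]), _norm(trusted), tx["value"]))
    return hits


def check_before_send(destination, trusted_book):
    """Return 'trusted', 'lookalike' or 'unknown' so a sender can refuse or
    re-confirm a destination that merely looks familiar."""
    d = _norm(destination)
    if d in {_norm(t) for t in trusted_book}:
        return "trusted"
    if any(is_lookalike(d, t) for t in trusted_book):
        return "lookalike"
    return "unknown"


# Constructed addresses: same first/last four hex characters, different middle.
TRUSTED_EXCHANGE = "0x1a2b" + "c" * 32 + "9f8e"
POISON = "0x1a2b" + "d" * 32 + "9f8e"
UNRELATED = "0x" + "5" * 40

# Constructed history: a real deposit out, a zero-value poison in, an unrelated transfer in.
HISTORY = [
    {"direction": "out", "counterparty": TRUSTED_EXCHANGE, "value": 5 * 10**18},
    {"direction": "in", "counterparty": POISON, "value": 0},
    {"direction": "in", "counterparty": UNRELATED, "value": 10**18},
]

if __name__ == "__main__":
    for sender, impersonated, value in find_poisoning_candidates(HISTORY, [TRUSTED_EXCHANGE]):
        print(f"lookalike {sender} impersonating {impersonated} (value {value})")
    print(check_before_send(POISON, [TRUSTED_EXCHANGE]))
```

The pre-send check is the part that actually stops the loss: copying a destination from transaction history is the mistake, and an address that is a lookalike of a saved contact rather than the contact itself should never pass silently.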

Flow enters recovery phase two after $3.9M exploit. The foundation advanced validator-approved on-chain remediation while flagging that a centralized exchange allowed a single account to dump ~150M FLOW and exit with over $5M before the network halt, raising AML and market-integrity concerns.

Audited Last Month

Hacken audited Bybit’s Proof of Reserves, verifying on-chain reserves across multiple chains and reviewing loan-liability accounting and completeness. The assessment confirmed collateral ratios exceeding 100% across all in-scope assets, validated wallet ownership and reserve coverage, and concluded that Bybit remained fully solvent.

Quantstamp audited Kiln’s Minitel transaction-verification tool, a client-side TypeScript application for validating blockchain transaction hashes. The review reported 11 findings, including 5 high-severity issues, with the majority fixed and the remainder acknowledged, and focused on hardening input validation, mitigating XSS and URL-tampering risks, improving dependency hygiene, and addressing the absence of unit tests.

Hacken audited BasePerpToken, completing a smart contract security assessment with zero vulnerabilities found. The review confirmed fixed supply with no additional minting, no privileged roles embedded in the contract, and adherence to Solidity best practices, while flagging non-blocking risks around centralized initial minting, missing architectural documentation, and absent test coverage (0%), alongside recommendations for multisig custody and automated emergency safeguards.

Halborn audited Mutuum Finance’s EVM staking contracts. The assessment identified one high-severity issue and several low and informational findings, all of which were either fixed or consciously accepted, including a critical first-depositor share-manipulation risk that was fully remediated before deployment. The final report confirmed improved safeguards around staking math, cooldown parameters, reward distribution logic, and oracle price handling, with no unresolved high-risk issues remaining in scope.

Cantina audited Byzantine Finance’s Atlas.sol delegation and batch-call contracts, reviewing the EIP-7702 execution model and uncovering five total issues across severity levels. All findings - spanning signature replay risks, missing token receiver hooks, EIP-1271 compatibility gaps, EIP-712 UX issues, and gas inefficiencies - were fully fixed.

Rekt Flashback

Two years ago, Radiant Capital didn’t get ambushed - it got front-run by time itself. A newly launched USDC market on Arbitrum was exploited for roughly 1,900 ETH, hitting a known weakness that exists in freshly opened, low-liquidity markets. The attacker had been waiting for the governance proposal to pass and struck seconds after activation, before normal safeguards had time to take effect. Audited and live, Radiant was reminded that forks don’t inherit fixes, and new markets are where attackers always show up first.
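The "freshly opened, low-liquidity market" weakness in the Radiant flashback and the "first-depositor share-manipulation risk" in the Mutuum Finance audit above are the same share-math problem. The block below is an added example, not code from Radiant, Mutuum Finance or Halborn: a minimal vault whose share conversion can run either as naive ERC-4626 math or with the public OpenZeppelin-style virtual-shares (decimals offset) mitigation, and a scenario that measures what an empty market costs the first honest depositor under each. Amounts are constructed; the scenario runs the same steps against both variants so the numbers can be compared directly.

```python
"""Naive vs. virtual-offset ERC-4626 share math on an empty market."""
from dataclasses import dataclass, field
from typing import Optional

WEI = 10**18
VICTIM_DEPOSIT = 10_000 * WEI  # constructed amounts
DONATION = 10_000 * WEI


@dataclass
class Vault:
    # None = naive share math; n = 10**n virtual shares backed by 1 virtual asset
    virtual_offset: Optional[int] = None
    total_assets: int = 0
    total_shares: int = 0
    balances: dict = field(default_factory=dict)

    def to_shares(self, assets):
        if self.virtual_offset is None:
            if self.total_shares == 0:
                return assets
            return assets * self.total_shares // self.total_assets
        return assets * (self.total_shares + 10**self.virtual_offset) // (self.total_assets + 1)

    def to_assets(self, shares):
        if self.virtual_offset is None:
            if self.total_shares == 0:
                return 0
            return shares * self.total_assets // self.total_shares
        return shares * (self.total_assets + 1) // (self.total_shares + 10**self.virtual_offset)

    def deposit(self, who, assets):
        shares = self.to_shares(assets)
        self.total_assets += assets
        self.total_shares += shares
        self.balances[who] = self.balances.get(who, 0) + shares
        return shares

    def donate(self, assets):
        # A direct token transfer to the vault: raises total_assets without minting shares.
        self.total_assets += assets

    def redeem(self, who):
        shares = self.balances.pop(who, 0)
        assets = self.to_assets(shares)
        self.total_shares -= shares
        self.total_assets -= assets
        return assets


def run_inflation_scenario(vault):
    """Empty market: a 1-wei deposit, a donation that inflates the share
    price, then the first honest deposit. Returns what each side ends with."""
    attacker_in = 1 + DONATION
    vault.deposit("attacker", 1)
    vault.donate(DONATION)
    victim_shares = vault.deposit("victim", VICTIM_DEPOSIT)
    attacker_out = vault.redeem("attacker")
    victim_out = vault.redeem("victim")
    return {
        "victim_shares": victim_shares,
        "victim_assets_out": victim_out,
        "attacker_net": attacker_out - attacker_in,
    }


if __name__ == "__main__":
    print("naive:  ", run_inflation_scenario(Vault()))
    print("offset 6:", run_inflation_scenario(Vault(virtual_offset=6)))
```

With naive math the honest deposit rounds to zero shares and the whole amount is redeemable by the 1-wei depositor. With a virtual offset the donation is mostly absorbed by the virtual shares, so the honest depositor gets back all but a few thousand gwei and the donation is a net loss for whoever made it. Seeding a new market with a real deposit at launch, as part of the same transaction that activates it, closes the remaining window that the Radiant attacker waited for.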

Memes and Videos

How North Korea Hid an IT Workforce Inside US Companies

A suburban house, 40 laptops, and a fake remote workforce quietly funding a weapons program. North Korean operators didn’t hack companies - they clocked in, collected paychecks, and routed millions home through an American middleman.

Source: Bloomberg Originals

Source: pashov

Want to partner with us?

Skip the bots, hit the brains.

Get your message in front of the sharpest, most battle-tested crowd in crypto.

If they notice you, the whole space will. [Partner with us]

We provide an anonymous platform for whistleblowers and DeFi detectives to present their information to the community. All authors remain anonymous. 
We are all rekt.
