
Blockchain Security Brief
The weekly record of web3's darkest hours
Monday, December 8, 2025

Top Exploits
If last cycle was about hackers outsmarting protocols, this one is about protocols outsmarting themselves - straight into the morgue.
Yearn’s ghost pool mints infinity, vaporizes $9M, and reminds everyone that forgotten math is still executable code. A relic yETH stableswap pool - an orphaned product running exotic invariant math nobody had reviewed in years - imploded when an attacker broke its internal reality, deposited a handful of wei, and minted 235,443,031,407,908,519,912,635,443,025,109,143,978,181,362,622,575,235,916 tokens in a single blow. One transaction drained the pool, laundered 1,000 ETH through Tornado, and exposed a catastrophic Newton-solver underflow hiding in plain sight. V2 and V3 vaults stayed intact, but three exploits in four years prove the real danger wasn’t the math - it was the culture that forgot this contract still existed.
Wall Street’s $30B tokenization engine shows its real face: a programmable control system disguised as financial innovation. While DeFi chases yield loops, governments and institutions quietly finished assembling a global cage: biometric authentication for access, programmable assets for enforcement, and tokenized property that can freeze, expire, or lock you out with no human override. From Vietnam’s 86M frozen bank accounts to UK mandatory digital ID to China’s programmable yuan, the “future of finance” looks less like democratization and more like a system where ownership becomes conditional permission - and the machine decides when you’re allowed to exist.
Rekt Audit Broker
The big city sleeps, but the code never does. Neither do the crooks.
Rekt Audit Broker connects protocols with top-tier security firms. One request, multiple bids. Faster audits, fairer pricing, trusted partners.
Audits are cheaper than funerals.
Deep Dives
Explained: The Upbit Hack (November 2025) (3 min read)
Upbit’s November 2025 hack exposed a fatal flaw in its digital-signature infrastructure: signing data so weak and predictable that attackers could allegedly reconstruct private keys from past transactions. The result was total compromise of a Solana hot wallet and a $36M drain timed suspiciously to the day of the exchange’s acquisition - and the anniversary of its last major hack. Investigators point to Lazarus-style operators leveraging off-chain weaknesses rather than on-chain bugs.
Beware of Solana Phishing Attacks: Wallet Owner Permissions May Be Altered (14 min read)
A single deceptive signature was all it took for a victim to unknowingly hand over full ownership of their Solana wallet - freezing their $3M+ in assets on the spot. No approvals to revoke, no buttons to click, no way to move funds: the attacker simply became the new “owner” in the eyes of the chain. From there, the thief scattered funds through dozens of wallets, CEX deposits, swaps, and cross-chain loops before vanishing into mixers. The remaining $2M in DeFi positions was recovered only thanks to emergency coordination across protocols.
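The ownership takeover described above happens through a System Program Assign instruction that the victim's own signature authorizes. As an added example (not code from the article or from any wallet it mentions), here is a wallet-side pre-signing guard that walks a transaction's decoded instructions and refuses to sign if any of them reassigns the signer's account; pubkeys are plain strings, instruction decoding via @solana/web3.js is assumed to have happened upstream, and all sample values are constructed placeholders.

```javascript
// Added example, not the article's or any wallet's code. Pubkeys are plain
// strings and instructions are pre-decoded plain objects (decoding with
// @solana/web3.js is assumed upstream); sample values are constructed.
const SYSTEM_PROGRAM = "11111111111111111111111111111111";
const SYS_ASSIGN = 1; // System Program instruction index for Assign

// Instruction data starts with a u32 little-endian instruction index.
function sysInstructionIndex(data) {
  if (data.length < 4) return null;
  return (data[0] | (data[1] << 8) | (data[2] << 16) | (data[3] << 24)) >>> 0;
}

const toHex = (bytes) => Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");

// One finding per instruction that hands `wallet` to a new owner program.
// Assign layout: [u32 index = 1][32-byte new owner]; account[0] is the account
// being reassigned and must sign, which is exactly what the victim's single
// signature over the whole transaction provided.
function findOwnerReassignments(instructions, wallet) {
  const findings = [];
  instructions.forEach((ix, i) => {
    if (ix.programId !== SYSTEM_PROGRAM) return;
    if (sysInstructionIndex(ix.data) !== SYS_ASSIGN || ix.data.length < 36) return;
    if (ix.accounts[0] !== wallet) return;
    findings.push({ index: i, newOwner: toHex(ix.data.slice(4, 36)) });
  });
  return findings;
}

// Wallet policy: never sign a transaction that reassigns the signer's own account.
function shouldBlockSigning(instructions, wallet) {
  return findOwnerReassignments(instructions, wallet).length > 0;
}

// Constructed sample: a normal 0.1 SOL transfer followed by a hidden Assign.
function assignData(ownerBytes) {
  const d = new Uint8Array(36);
  d[0] = SYS_ASSIGN; // low byte of the u32 LE index
  d.set(ownerBytes, 4);
  return d;
}
const WALLET = "VictimWalletPubkey_PLACEHOLDER";
const SAMPLE_TX = [
  { programId: SYSTEM_PROGRAM, accounts: [WALLET, "RecipientPubkey_PLACEHOLDER"],
    data: new Uint8Array([2, 0, 0, 0, 0x00, 0xe1, 0xf5, 0x05, 0, 0, 0, 0]) },
  { programId: SYSTEM_PROGRAM, accounts: [WALLET],
    data: assignData(new Uint8Array(32).fill(0xaa)) },
];
console.log(shouldBlockSigning(SAMPLE_TX, WALLET), findOwnerReassignments(SAMPLE_TX, WALLET));
```

The guard flags the second instruction and leaves the plain transfer alone; a real wallet would surface the new owner pubkey to the user instead of a bare hex string.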
Fraud vs. Phishing: Why Institutions Need Different Defenses for Different Threats (5 min read)
Phishing hits fast - one rushed signature or fake UI and the attacker is inside. Fraud moves slowly, hiding in normal-looking transactions, mule networks, and cross-chain laundering paths. Phishing is a human-interface attack; fraud is a financial-system attack. Stopping one requires protecting users at the moment of interaction, while stopping the other means screening counterparties and flows before funds move. Mix them up, and you leave holes big enough for both to walk through.
ERC-4337 Paymasters: Better UX, Hidden Risks (28 min read)
ERC-4337 gives smart wallets flexible ways to handle gas, but paymasters are where most teams slip. Underpriced gas, missing penalty math, and ERC-20 payments processed after execution all open doors for bundlers to siphon deposits or users to trigger griefing attacks. Many developers misunderstand EntryPoint’s validation and settlement model, leading to underfunded operations and unsafe token conversions.
Scam Telegram: Uncovering a network of groups spreading crypto drainers (42 min read)
A random search for a project’s support channel uncovered a sprawling network of botted Telegram groups impersonating every major DeFi protocol. Shared admins, cloned bots, recycled phishing scripts, and rotating domains tied these “support chats” into a single ecosystem funneling users into wallet-drainer sites - many running modern Inferno Drainer variants. Months of scraping and graph analysis exposed the cross-chat links, the social engineering patterns, and the laundering machinery behind them.
Other Security Stories
Lazarus Is Back to Spear-Phishing Everyone. North Korea’s Lazarus Group is leading a year-long surge in highly targeted spear-phishing attacks - fake invites, interviews, and near-perfect AI-generated emails - used to breach crypto firms and drain millions, with analysts warning that AI-powered deepfakes will make these attacks even harder to detect.
Fake MEV Bot Tutorials Are Back. Scammers use polished “how-to” videos and booby-trapped contracts that reconstruct hidden wallet addresses and drain every ETH the victim deposits.
Malicious Rust Package Targets Web3 Developers. A fake “EVM helper” crate on crates.io quietly shipped OS-specific malware to over 7,000 developer machines - masking itself as a harmless utility while executing hidden payloads across Windows, macOS, and Linux, with a second-stage loader triggered automatically through a popular Uniswap-related dependency.
Cybercrime-as-a-Service Goes Mainstream. The underground economy now runs on subscriptions - phishing kits, OTP bots, stolen log feeds, network access, and full-featured RATs all rentable on weekly or monthly plans - turning complex attacks into cheap, on-demand services for low-skill criminals.
Malicious npm Package Tries to Trick AI Security Scanners. A rogue npm module hid standard credential-stealing malware behind a prompt engineered to mislead AI-based scanners - a sign that attackers are now targeting the tools meant to detect them and pairing old-school exfiltration tricks with a new wave of malicious, subscription LLMs built to streamline cybercrime.
Audited Last Month
• Hacken audited Digital Oro International’s ERC-721 real-estate staking ecosystem, reporting 16 findings - including 1 critical and 2 high - with 14 resolved and 2 accepted. The review strengthened payout timing, transfer validation, and supply-limit enforcement, improved treasury accounting and admin-role controls, and highlighted key centralization risks across staking, raffle, and payout flows. The final report confirmed 78% test coverage and upgraded access-control consistency, CEI (checks-effects-interactions) adherence, and documentation across DOI’s token, staking, treasury, and VRF-based raffle contracts.
• OpenZeppelin audited Linea’s burn-mechanism contracts, reporting 8 issues - including 2 medium-severity bugs fully fixed - and confirming bytecode parity for deployed vault, swap adapter, and L1 burner implementations.
• Quantstamp audited Strata’s Tranches update (ERC-4626 vault logic), completing the review on Nov 21, 2025. The assessment focused on new withdrawal-fee mechanics across JRT and SRT vaults, refinements to Accounting.sol and StrataCDO.sol, and added UX-facing sUSDe rate helpers. Only one informational issue was found - a recommended time delay for fee changes - and was fully fixed through a 24-hour activation delay, with all updated logic thoroughly tested and validated.
• Cantina audited Multiliquid V2, covering the uniformlabs/Multiliquid repo and reporting 15 total findings - 3 medium, 3 low, and 9 informational - with every medium and low issue fully fixed and only one informational item acknowledged. The audit resolved fee-calculation errors across RWA↔RWA and stablecoin flows, corrected protocol-fee logic, standardized USD conversions, tightened rounding behavior, removed deprecated/unused code paths, and improved slippage checks and delegate consistency.
• Halborn audited Blueprint Finance’s Glow Margin Vaults (Solana), identifying 10 issues - including 1 critical and 1 high - all of which were fully addressed. Fixes corrected fee-accounting logic, ensured performance fees apply only to real profit, tightened operator-permission checks, and resolved multiple Token2022, withdrawal-flow, and instruction-validation gaps, with all findings remediated or scheduled for upcoming releases.
Rekt Flashback
One year ago, Clober DEX learned that DeFi doesn’t need a master hacker to wreck you - just one unreviewed callback in freshly shipped code. Half a million dollars drained through a reentrancy hole older than most protocols, all because someone pushed a post-audit change straight to production and prayed the audits would magically cover it. Trust Security and Kupia had already blessed the original contracts, but Clober’s last-minute edits turned those audits into fossils, leaving their Liquidity Vault wide open while the attacker waltzed out with 133 ETH. In the aftermath came the usual ritual: a Twitter panic, a bounty offer, finger-pointing between audit firms, and a protocol insisting its “core contracts” were totally fine as the money vanished across chains.
Memes and Videos
The Hacker Who Tried to Free the Internet
Aaron Swartz didn’t hack the future - he tried to free it, and the system crushed him for it. A 14-year-old prodigy who built the web we use, hunted like a criminal for downloading knowledge we already paid for. His fight against censorship, paywalls, and government overreach lit the fuse - and his death exposed the cost of defying the machine.
Want to partner with us?
Skip the bots, hit the brains.
Get your message in front of the sharpest, most battle-tested crowd in crypto.
If they notice you, the whole space will. [Partner with us]
We provide an anonymous platform for whistleblowers and DeFi detectives to present their information to the community. All authors remain anonymous.
We are all rekt.

