Blockchain Security Brief
The weekly record of web3's darkest hours
Monday, September 29, 2025

Top Exploits
Late September brought airdrop Sybils, admin coups, and counterfeit bridges - proving once again that DeFi doesn’t need enemies when insiders, keys, and cross-chain trust keep doing the heavy lifting:
Mathematics doesn’t lie, but MYX sure did. One entity gamed the airdrop with 100 wallets, pocketing $170M, while bots pumped $6-9B in phantom daily volume to lure in retail. A perfectly timed unlock let insiders dump into the frenzy, and $73M in shorts got liquidated in the squeeze. Token hit $19 before crashing 52% to $9, leaving retail rekt and MYX proudly defending the scam as “legitimate participation.” (Read more)
One delegateCall was all it took to hijack UXLINK’s treasury: admin keys swapped, vault emptied, and trillions of tokens minted like confetti. Roughly $41M walked across chains before poetic justice struck — the exploiter got phished, losing 542M tokens to Inferno Drainer. (Read more)
Less than a day after its Binance Alpha debut, Griffin AI’s tokenomics imploded when an attacker tricked LayerZero into trusting a fake contract. Five billion $GAIN minted, 2.8% dumped for $3M, and 97% still hanging like a guillotine over the market. The founder took rare full responsibility, but apologies don’t fix bridges that double as counterfeit presses. (Read more)
Seedify’s SFUND bridge collapsed in a textbook cross-chain hijack, as attackers exploited a transfer mismatch to siphon $1.7M straight through the cracks. Another week, another bridge casualty, joining Yala’s $7.6M bleedout in proving that bridges remain DeFi’s weakest arteries. Audit your ramps, or watch them rerouted by thieves.
Rekt Audit Broker
The big city sleeps, but the code never does. Neither do the crooks.
Rekt Audit Broker connects protocols with top-tier security firms. One request, multiple bids. Faster audits, fairer pricing, trusted partners.
Audits are cheaper than funerals.
Deep Dives
Explained: The Yala Hack (3 min read)
An attacker used temporary deployment keys to plant a backdoor, spun up a fake bridge 40 days later, and over-minted 30M $YU - returning most but cashing out $7.6M through Tornado, leaving Yala scrambling to burn the counterfeit tokens.
Signature Verification Risks in Solana (6 min read)
By relying on offset-based instructions for Ed25519 checks, Solana lets signatures validate the wrong data with the right key - a structural flaw that keeps resurfacing unless developers enforce strict offset validation and message integrity checks.
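As an added illustration of that offset problem (example code written for this brief, not taken from the linked article or from Solana's own code): the Ed25519 native program's instruction data starts with a signature count and then a table of little-endian u16 offsets naming where the signature, public key and message live. A program that reads the key and message from the fixed positions the SDK builder happens to use, instead of the positions the offsets name, can be satisfied by an instruction whose verified bytes sit somewhere else entirely. The struct layout below follows the SDK's published Ed25519SignatureOffsets; the vault message, key bytes and signature bytes are constructed placeholders, and the cryptographic check itself (done on-chain by the native program) is not reproduced, only the layout validation a consuming program must add on top.

```python
import struct

# Layout of the Ed25519 native program's instruction data (solana-sdk ed25519_instruction.rs).
HEADER_FMT = "<BB"             # num_signatures, padding
OFFSETS_FMT = "<7H"            # Ed25519SignatureOffsets: seven little-endian u16 fields
HEADER_SIZE = struct.calcsize(HEADER_FMT)     # 2
OFFSETS_SIZE = struct.calcsize(OFFSETS_FMT)   # 14
DATA_START = HEADER_SIZE + OFFSETS_SIZE       # 16: where the SDK builder places the pubkey
PUBKEY_LEN, SIG_LEN = 32, 64
CURRENT_IX = 0xFFFF  # u16::MAX means "resolve the offset inside this same instruction"


def build_ed25519_ix_data(pubkey, signature, message):
    """Single-signature layout as the SDK builder emits it: [hdr][offsets][pubkey][sig][msg]."""
    pk_off = DATA_START
    sig_off = pk_off + PUBKEY_LEN
    msg_off = sig_off + SIG_LEN
    offsets = struct.pack(OFFSETS_FMT, sig_off, CURRENT_IX, pk_off, CURRENT_IX,
                          msg_off, len(message), CURRENT_IX)
    return struct.pack(HEADER_FMT, 1, 0) + offsets + pubkey + signature + message


def parse_offsets(data):
    """Return one (sig_off, sig_ix, pk_off, pk_ix, msg_off, msg_len, msg_ix) tuple per signature."""
    num_sigs, _pad = struct.unpack_from(HEADER_FMT, data, 0)
    return [struct.unpack_from(OFFSETS_FMT, data, HEADER_SIZE + i * OFFSETS_SIZE)
            for i in range(num_sigs)]


def naive_check(data, expected_pubkey, expected_message):
    """Fragile pattern: trust the fixed SDK layout and never read the offset table."""
    pk = data[DATA_START:DATA_START + PUBKEY_LEN]
    msg_start = DATA_START + PUBKEY_LEN + SIG_LEN
    msg = data[msg_start:msg_start + len(expected_message)]
    return pk == expected_pubkey and msg == expected_message


def strict_check(data, expected_pubkey, expected_message, this_ix_index):
    """Offset-aware pattern: accept only if the bytes the precompile actually verified are ours."""
    entries = parse_offsets(data)
    if len(entries) != 1:
        return False
    sig_off, sig_ix, pk_off, pk_ix, msg_off, msg_len, msg_ix = entries[0]
    # Every reference must resolve inside this very instruction, not some sibling.
    if any(ix not in (CURRENT_IX, this_ix_index) for ix in (sig_ix, pk_ix, msg_ix)):
        return False
    # Bounds: the precompile would reject out-of-range offsets, but re-check before slicing.
    if (sig_off + SIG_LEN > len(data) or pk_off + PUBKEY_LEN > len(data)
            or msg_off + msg_len > len(data)):
        return False
    if msg_len != len(expected_message):
        return False
    return (data[pk_off:pk_off + PUBKEY_LEN] == expected_pubkey
            and data[msg_off:msg_off + msg_len] == expected_message)


def mismatched_layout_ix(expected_pubkey, expected_message, other_pubkey, other_signature, other_message):
    """Test vector for the check: fixed positions hold the expected key and message,
    but the offset table (the part the precompile honours) points at a different region."""
    honest = build_ed25519_ix_data(expected_pubkey, b"\x00" * SIG_LEN, expected_message)
    pk_off = len(honest)
    sig_off = pk_off + PUBKEY_LEN
    msg_off = sig_off + SIG_LEN
    body = honest + other_pubkey + other_signature + other_message
    offsets = struct.pack(OFFSETS_FMT, sig_off, CURRENT_IX, pk_off, CURRENT_IX,
                          msg_off, len(other_message), CURRENT_IX)
    return body[:HEADER_SIZE] + offsets + body[DATA_START:]


if __name__ == "__main__":
    # Constructed placeholder values; real keys and signatures come from the signer.
    victim_pk, other_pk, sig = bytes([1]) * 32, bytes([2]) * 32, bytes([3]) * 64
    msg = b"withdraw 100 to vault"
    good = build_ed25519_ix_data(victim_pk, sig, msg)
    bad = mismatched_layout_ix(victim_pk, msg, other_pk, sig, b"anything")
    print("honest ix:", naive_check(good, victim_pk, msg), strict_check(good, victim_pk, msg, 0))
    print("mismatched ix:", naive_check(bad, victim_pk, msg), strict_check(bad, victim_pk, msg, 0))
```

The naive check passes both instructions because it never looks at the offset table; the strict check follows the offsets, pins every instruction index to the instruction being inspected, and compares the exact bytes the native program verified against what the program expected.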
Supply-Chain Guardrails for npm, pnpm, and Yarn (10 min read)
Three back-to-back npm compromises proved just how brittle open-source dependencies remain - from phished maintainers to worms in the registry - and this guide lays out concrete guardrails to stop poisoned packages before they hit production.
A Beginner’s Guide to Manually Guided Fuzzing (13 min read)
Unlike blind fuzzing that throws random inputs at contracts, MGF uses defined flows and invariants, letting developers systematically test state changes, catch edge cases, and expose critical vulnerabilities before attackers do.
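To make the contrast concrete, here is a small guided-fuzzing harness added for this brief (not code from the linked guide or any fuzzing tool): a toy share vault model, a fixed set of flows (deposit, partial withdraw, full exit) and two invariants, with the harness enumerating bounded sequences of flows and checking the invariants after every step instead of throwing random bytes at the model. The vault, its deliberately planted bookkeeping slip on the full-exit path, and the amount set are constructed for the example.

```python
import itertools


class Vault:
    """Toy share-based vault. buggy=True keeps a bookkeeping slip in the full-exit path on purpose."""

    def __init__(self, buggy):
        self.buggy = buggy
        self.assets = 0
        self.total_shares = 0
        self.shares = {}  # user -> shares held

    def deposit(self, user, amount):
        if amount <= 0:
            raise ValueError("zero deposit")
        # 1:1 minting keeps the arithmetic trivial; the flaw is bookkeeping, not pricing.
        self.assets += amount
        self.total_shares += amount
        self.shares[user] = self.shares.get(user, 0) + amount

    def withdraw(self, user, amount):
        held = self.shares.get(user, 0)
        if amount <= 0 or amount > held:
            raise ValueError("insufficient shares")
        self.assets -= amount
        if amount == held:
            del self.shares[user]  # "full exit" fast path
            if not self.buggy:
                self.total_shares -= amount  # the line the buggy variant forgets
        else:
            self.shares[user] -= amount
            self.total_shares -= amount


# Invariants: properties that must hold after every state change, whatever the flow.
INVARIANTS = {
    "shares_conserved": lambda v: v.total_shares == sum(v.shares.values()),
    "solvent": lambda v: v.assets >= v.total_shares,
}

# Defined flows with a small, hand-picked amount set (constructed for the example).
OPS = ([("deposit", a) for a in (1, 5, 10)]
       + [("withdraw", a) for a in (1, 5, 10)]
       + [("withdraw_all", None)])


def run_trace(vault, trace, user="alice"):
    """Apply one sequence of flows; return the first violated invariant name, or None."""
    for op, amt in trace:
        try:
            if op == "deposit":
                vault.deposit(user, amt)
            elif op == "withdraw":
                vault.withdraw(user, amt)
            else:
                vault.withdraw(user, vault.shares.get(user, 0))
        except ValueError:
            continue  # an expected revert is not a finding
        for name, check in INVARIANTS.items():
            if not check(vault):
                return name
    return None


def guided_fuzz(buggy, max_depth=3):
    """Bounded enumeration of flow sequences, shortest first, so the first hit is a minimal trace."""
    for depth in range(1, max_depth + 1):
        for trace in itertools.product(OPS, repeat=depth):
            broken = run_trace(Vault(buggy), list(trace))
            if broken:
                return broken, list(trace)
    return None


if __name__ == "__main__":
    print("buggy vault:", guided_fuzz(True))
    print("fixed vault:", guided_fuzz(False))
```

Because the flows are enumerated shortest-first, the harness reports the two-step trace deposit(1) then withdraw(1) as the minimal counterexample for the buggy vault, with no shrinking pass needed; the fixed vault survives every sequence up to the configured depth. Swapping the toy model for a forked contract and the op list for a protocol's real entry points is the step the linked guide walks through.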
Secure Protocol Upgrades with Governance Alignment (6 min read)
Every upgrade is both a feature and a failure mode. Without strict governance, proxy validation, and rollback readiness, one misstep in protocol evolution can brick systems or hand control to a single actor.
Other Security Stories
DPRK hackers weaponize ClickFix. A tailored campaign lured crypto job candidates with fake interview “mic fixes,” deploying BeaverTail and InvisibleFerret binaries across Windows, macOS and Linux to steal keys and exfiltrate data.
Phishing breaks out of the inbox. Attackers now sling lures over LinkedIn, WhatsApp, SMS, and Google ads, bypassing email security and dropping AiTM kits that steal sessions, sync creds, and turn one compromised account into a company-wide breach.
Thai police dismantle $15M crypto scam ring. The “Lungo Company” duped 870 Koreans with romance scams, fake lotteries, and worthless tokens, then laundered the loot through chain-hopping, parasite exchanges, and OTC brokers across Pattaya’s shadow economy.
Elliptic flags industrial-scale pig butchering. Romance fraud rings now launder billions through self-hosted wallets, mule accounts, and cross-chain bridges, running scams with the polish of real finance while blockchain forensics exposes the blood trail.
Lazarus levels up in 2025. North Korea’s APT kingpin infiltrates firms with fake IT hires, booby-trapped job interviews, and poisoned open-source code, stealing millions and hijacking supply chains while PyLangGhost, OtterCookie, and InvisibleFerret do the dirty work.
Security Events
ETSI Security Conference 2025
October 6-9, 2025 | Sophia Antipolis, France
Europe’s flagship on cyber standards. Quantum-proofing, AI defenses, and global threat talks for the policymakers and protocol wonks.
Global Cyber Conference (GCC) 2025
October 22-23, 2025 | Zurich, Switzerland
CISOs, academics, and regulators trade notes on cross-border threats, privacy wars, and ethical AI in security ops.
InfoSec World 2025
October 27-29, 2025 | Lake Buena Vista, Florida, USA
The “business of security” summit. 2,500 pros deep on zero-trust, insider threats, and AI-driven defenses, with hands-on labs and CISO-led panels.
DeFi Security Summit 2025
November 20-21, 2025 | La Rural, Buenos Aires, Argentina
Premier DeFi and smart-contract security conference (audits, bounties, fuzzing, incident post-mortems).
WEB3SEC 2025
December 8, 2025 | Honolulu, Hawaii, USA
Academic/industry workshop dedicated to blockchain security research and practices.
Black Hat Europe 2025
December 8-11, 2025 | London, UK
Deep-dive trainings and talks, smart-contract and cross-chain exploit research.
Rekt Flashback
One year ago, Bedrock proved that skipping audits is like skydiving without a parachute. An upgrade turned Ethereum into a uniBTC money printer, draining $2M across eight chains before the team even rolled out of bed. Dedaub spotted the flaw, 125 exploiters piled in, and Bedrock took four hours to pause contracts - an eternity in DeFi time. What should have been a foundation turned into quicksand, leaving everyone asking whether Bedrock was ever solid to begin with.
Memes and Videos
How the NSA Hacked Huawei: Operation Shotgiant
The NSA’s crown jewel op turned into a Huawei heist. Operation Shotgiant cracked routers, stole source code, and wired the world for surveillance. What started as protecting America blurred into backdooring the backbone of global telecom, with espionage scaled, trust eroded, and the Cold War rebooted in code.
Want to partner with us?
Skip the bots, hit the brains.
Get your message in front of the sharpest, most battle-tested crowd in crypto.
If they notice you, the whole space will. [Partner with us]
We provide an anonymous platform for whistleblowers and DeFi detectives to present their information to the community. All authors remain anonymous.
We are all rekt.