Monday, December 29, 2025

The holidays are for shipping gifts, not shipping keys. The calendar flips, the standards drop, and attackers price that risk in.

The Web2 Weak Link In Web3 Security (11 min read)
Most “Web3 hacks” don’t break contracts - they rot the web layer and let users sign their own losses. Attackers go after DNS, dashboards, SaaS logins, and admin consoles because they’re soft, familiar, and barely watched. Inside real products, access control drifts, legacy routes linger, and trusted integrations become ladders to sensitive actions. A serious Web2 review doesn’t produce advice, it produces attack stories engineers can’t ignore. If your security strategy stops at Solidity, you’re guarding the vault while the lobby burns.

Christmas Heist | Analysis of Trust Wallet Browser Extension Hack (5 min read)
This wasn’t a smart-contract failure - it was a poisoned browser extension quietly vacuuming seed phrases while pretending to do analytics. A malicious commit slipped into Trust Wallet v2.68, iterated every wallet, decrypted mnemonics at unlock, and exfiltrated them via a fake metrics domain dressed up as PostHog traffic.

Don't underestimate TON: how incorrect gas estimations lead to critical issues (10 min read)
TON doesn’t fail loudly - it fails asynchronously and leaves you holding the bag. Its granular fee model and message bouncing mean state consistency depends on having enough balance to fail correctly, not just succeed optimistically. When contracts can’t afford to send a bounce, reverts turn into silent amputations and balances evaporate without a trace. In TON, underestimating fees isn’t inefficiency - it’s protocol-level self-harm.

The Biggest Lessons 10 Security Leaders Taught Us on Season 1 of The Web3 Security Podcast (8 min read)
Ten senior security operators said the same quiet thing in different ways: the code is rarely the problem by itself. Real losses start off-chain, in humans, infra, deployments, front ends, and incentives nobody wants to own. Audits matter, but they don’t save systems that can’t absorb mistakes or respond under pressure. AI just accelerates both sides of the arms race, spraying noise while sharpening phishing at scale.

Essential Security Tactics to Implement After the Bybit Hack (3 min read)
Bybit didn’t get hacked by some exotic exploit. It was socially engineered through a multisig that looked secure until humans touched it. Signers approved transactions they didn’t truly understand, trusting interfaces and routine instead of verifying intent. That’s not a tooling problem, it’s operational rot.

Stealka Malware Turns Game Mods Into Wallet Vacuums. A new Windows infostealer masquerading as cheats and cracks is harvesting browser data and draining over 80 crypto wallets by riding in through GitHub repos and fake Roblox sites.

Address Poisoning Still Works at Scale. A user vaporized nearly $50M in USDT by copying a lookalike address, after which the funds were swapped and laundered via Tornado Cash, with SlowMist calling it one of the most painful self-inflicted losses seen on-chain.

Fake Coinbase Rep Gambles Stolen Crypto Into Oblivion. A New York scammer posing as a Coinbase employee stole millions from users by redirecting them to “safe” wallets, then promptly incinerated the funds on online betting platforms, proving that social engineering plus impulse addiction is still a lethal combo.

AI Trading Clubs Were Just WhatsApp Exit Scams. U.S. Securities and Exchange Commission charged a web of fake funds and trading platforms that dangled “AI-generated signals,” funneled victims into imaginary exchanges, then double-dipped with bogus withdrawal fees before disappearing with $14M.

Fake Grubhub Emails Push a Holiday Crypto Rug. Messages sent from a legitimate Grubhub subdomain promised a 10x Bitcoin return, showing how compromised email infrastructure turns brand trust into instant exit liquidity.

Principal Security Engineer, Detection and Response, Circle, Dublin, Ireland

Security Engineer, LayerZero Labs, Vancouver, Canada

Lead Security Engineer, SecOps, Coinhako, Vietnam

Protocol Security Engineer, Monad Foundation, Remote

Senior Security Engineer - Security Technology Delivery, Cloudflare, Lisbon, Portugal

Security Operations Engineer, FalconX, Bangalore, India (Remote)

Two years ago, Levana Protocol didn’t get drained in a blaze of glory - it bled out slowly while everyone mistook the losses for “organic trader PnL”. An oracle manipulation ran for nearly two weeks, exploiting stale prices, network congestion on Osmosis, and a conveniently timed DDoS that kept updates from landing when they mattered. The real damage only surfaced when gas spiked and the exploit suddenly got loud, ripping another 5% out of LPs before the plug was finally pulled. Audited, monitored, and still helpless, Levana learned the hard way that when your oracle, network, and off-chain bots fall out of sync, attackers don’t rush - they wait.

Scam compounds, Chinese triads, and AI-powered fraud rigs have turned cybercrime into a $15T global machine. Tools once reserved for intelligence agencies are now rentable on Telegram by the hour.

Skip the bots, hit the brains.

Get your message in front of the sharpest, most battle-tested crowd in crypto.

If they notice you, the whole space will. [Partner with us]

We provide an anonymous platform for whistleblowers and DeFi detectives to present their information to the community. All authors remain anonymous. 
We are all rekt.