Rekt Security Weekly
The weekly record of web3's darkest hours

Monday, September 15, 2025

Top Exploits

Last week had supply chain scares, DeFi math fails, good old-fashioned phishing and plenty of panic:

  • Hackers pwned a dev's NPM account and laced popular libs with address-swapping malware. Targets? Your MetaMask, Phantom, even Ledger if you're sloppy with dApps. Epic scale, zero drains. Call it Web3's "trust no one" wake-up: the frontend is the new backend.

  • Nemo Protocol on Sui lost ~$2.4M when unaudited overflow code was pushed onchain without multisig, making it the chain’s third major exploit in a month.

  • SwissBorg watched ~$41.5M in SOL vanish after staking partner Kiln's API was compromised, handing hackers withdrawal keys like hotel towels. SwissBorg promised full reimbursement, but the incident exposed just how brittle "institutional-grade custody" looks when your partner gets owned.

  • WLFI wallets faced a phishing spree, with 272 addresses blacklisted and $10M+ saved, but the token still tanked 22% after the scare.

Deep Dives

Multi-chain Stablecoins: Security, Risks and Best Practices (7 min read)
Bridges mint dreams and drain treasuries. Multi-chain stablecoins promise reach, but every wrapped token carries the ghost of the next $100M exploit.

How Sui Move rethinks flash loan security (13 min read)
In Ethereum, flash loans trust you until they don’t, leaving exploits to clean up the mess. On Sui, Move kills the trust game. Repayment isn’t optional, it’s baked into the type system.

Top DEX Risks & How Uniswap Addresses Them (14 min read)
Billions bled from DeFi prove one thing: the AMM isn’t broken, the defenses are. From DAO-era reentrancy to oracle warzones and MEV ambushes, Uniswap keeps rewriting the rulebook to stay alive.

NPM Supply Chain Incident: When the Transaction Layer Becomes the Last Defense (5 min read)
A single tainted dependency turns every swap, stake, or send into a rigged game. When the stack itself can’t be trusted, the transaction layer becomes the only firewall that matters.
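What "the transaction layer as the last firewall" means in practice, as an added example (not code from rekt.news, from the deep dive, or from the tampered npm packages): a tainted frontend dependency swaps the recipient for a lookalike, and a pre-sign check that compares the full address the user intended with the `to` field of the transaction actually being signed catches it. The addresses, the attacker pool, the Levenshtein-based lookalike selection and the function names are all constructed for illustration; they are assumptions about how such a clipper might behave, not details taken from the incident.

```javascript
// Added example: lookalike address swap by a tainted frontend dependency,
// and a transaction-layer check that refuses to sign a swapped recipient.
// All addresses below are constructed sample values, not real accounts.

// The recipient the user actually typed / copied from a trusted source.
const INTENDED = "0xAb5801a7D398351b8bE11C439e05C5B3259aeC9B";

// Constructed attacker-controlled pool. The first entry keeps the same
// prefix and suffix as INTENDED and differs only in 4 middle characters,
// which is exactly what a glance at "first/last few chars" will miss.
const ATTACKER_POOL = [
  "0xab5801a7d398351b00001c439e05c5b3259aec9b",
  "0xab580000000000000000000000000000000aec9b",
  "0x1111111111111111111111111111111111111111",
];

// Plain Levenshtein edit distance between two strings.
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Assumed clipper tactic (illustrative): choose the pool address that is
// closest to the original so the visible ends of the string still match.
function pickLookalike(target, pool) {
  const t = target.toLowerCase();
  let best = null;
  let bestDist = Infinity;
  for (const candidate of pool) {
    const d = levenshtein(t, candidate.toLowerCase());
    if (d < bestDist) {
      best = candidate;
      bestDist = d;
    }
  }
  return best;
}

// Models the compromised frontend: the user asked for `intendedTo`, the
// tainted dependency builds the transaction with a lookalike instead.
function taintedFrontendBuildTx(intendedTo, pool) {
  return { to: pickLookalike(intendedTo, pool), value: "1000000000000000000" };
}

// Transaction-layer check: compare the FULL address, case-insensitively
// (EIP-55 checksumming only changes letter case), never just the ends.
function verifyRecipient(intendedTo, tx) {
  const a = String(intendedTo).toLowerCase();
  const b = String(tx.to).toLowerCase();
  const hex40 = /^0x[0-9a-f]{40}$/;
  if (!hex40.test(a) || !hex40.test(b)) {
    return { ok: false, reason: "malformed address" };
  }
  if (a === b) {
    return { ok: true };
  }
  // Same first 4 and last 4 hex chars but different address: the classic
  // lookalike swap that survives a visual check on a wallet popup.
  const endsMatch = a.slice(0, 6) === b.slice(0, 6) && a.slice(-4) === b.slice(-4);
  return {
    ok: false,
    reason: endsMatch ? "lookalike swap" : "recipient mismatch",
    distance: levenshtein(a, b),
  };
}

// Stand-alone demo: the swapped transaction is refused before signing.
const swapped = taintedFrontendBuildTx(INTENDED, ATTACKER_POOL);
console.log("frontend wants to send to:", swapped.to);
console.log("pre-sign check:", verifyRecipient(INTENDED, swapped));
```

The point of the demo is where the check lives: it runs on the exact `to` field about to be signed, using a recipient obtained outside the compromised frontend (a hardware wallet screen, an address book, a pasted value you verify in full). Any check that trusts the frontend's own rendering of the address is inside the blast radius of the tainted dependency.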

EVM – Cosmos Convergence Research From Security Base: Part 3 (13 min read)
Layered design promises flexibility, but every new consensus engine is a potential backdoor. BeaconKit and CometBFT show what’s possible - and how a single logic slip could stall an entire chain.

Other Security Stories

ModStealer slithers past antivirus. Fake recruiter ads spread cross-platform malware draining browser wallets and siphoning seed phrases straight to C2 servers.

SEC forms Cross-Border Pump-and-Dump Task Force. Promises to drag offshore manipulators into U.S. jurisdiction while pushing Trump’s ‘Golden Age’ crypto agenda.

Auditors warned Nemo. The team ignored it. $2.59M vanished.

Bubblemaps calls out $170M MYX Sybil attack. 100 wallets, one playbook, and airdrop ‘rewards’ that smell more like industrial farming than decentralization.

GPUGate malware slips through Google Ads and fake GitHub commits. A hardware-gated heist aimed at IT firms across Europe.

Audited Last Month

Auditors continued their crucial work, sharing August insights to guide September’s defenses:

  • QuillAudits completed 17 smart contract audits, uncovering 110 vulnerabilities (7 critical, 18 high-severity), securing protocols like Prep DEX and cross-chain RWAs.

  • SlowMist reported 9 hacks in August, totaling ~$70.73M in losses, with $6.3M recovered or frozen. Phishing hit 15,230 victims for ~$12.16M.

  • Third straight PoR audit for KuCoin – Hacken verifies reserves are real, no smoke and mirrors. On-chain proofs show collateralization's legit, keeping the exchange's rep intact amid CeFi jitters.

  • Decentralized RWA trading hub MyStonks gets CertiK's nod on smart contracts and architecture.

  • OpenZeppelin: Decentralized ZK-proving network ZEROBASE's utility token audit wraps up. 13 low-severity issues fixed, no crits. Cross-chain OFT integration via LayerZero holds strong.

Rekt Flashback

One year ago, DeltaPrime on Arbitrum learned the oldest lesson in DeFi the hardest way: private keys don’t just open doors, they blow vaults wide open. A compromised admin wallet let an attacker rewrite proxy contracts like a crooked accountant cooking the books, draining $5.98M in USDC, WBTC, and ETH before breakfast. The whispers of Lazarus Group involvement gave the whole thing a Cold War aftertaste, but state actor or not, the exploit proved the same brutal point - one leaked key, and your protocol becomes a crime scene.

Memes and Videos

The Russian Spy Who Hacked Wall Street and Stole $93,000,000

Klyushin hacked Wall Street with stolen earnings and a GRU sidekick, raking in $93M before the FBI closed in. His empire ended not in profits, but in a prisoner swap - proof that in cybercrime, greed always writes the last line.


We provide an anonymous platform for whistleblowers and DeFi detectives to present their information to the community. All authors remain anonymous. 
We are all rekt.
