0x21 Web3 Security Bulletin
Crypto and web3 security insights, including tools, hacks, and regulations.
Comprehensive Decentralized Perpetual Contracts Security Audit Guide
SlowMist published a deep-dive security audit guide for decentralized perpetual contracts designed to help auditors adopt an adversarial mindset beyond code correctness. The guide covers system architecture (order/position management, keeper-execution, oracle design), key mechanisms (funding fees, liquidation, ADL), attack surfaces (price manipulation, PnL miscalculation, rounding precision), and an audit checklist spanning oracle pricing, margin controls, LP solvency, and governance. Minor logical deviations in perp DEX infrastructure can cascade into insolvency, liquidation failure, or catastrophic economic exploits. (SlowMist)
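Two of the audit-checklist items above, rounding precision and liquidation against a maintenance-margin floor, are easiest to reason about with numbers in hand. The following is an added example written for this bulletin, not code from the SlowMist guide or any particular perp DEX: a minimal fixed-point margin model in Python. The scales (1e18 position size, 8-decimal oracle price, 6-decimal quote collateral), the 5% maintenance margin and the sample positions are all constructed assumptions. It contrasts truncating division (how Solidity's `/` behaves) with floor division to show that a dust-sized loss can round to zero when rounding is not deliberately chosen against the trader.

```python
# Added example (not from the SlowMist guide): fixed-point margin model
# demonstrating rounding direction and a maintenance-margin liquidation check.
SIZE_SCALE = 10**18       # position size, 1e18 = 1 unit of base asset (assumption)
PRICE_SCALE = 10**8       # oracle price, 8-decimal fixed point (assumption)
QUOTE_SCALE = 10**6       # collateral and PnL in a 6-decimal stablecoin (assumption)
BPS = 10_000
MAINT_MARGIN_BPS = 500    # 5% maintenance margin, a constructed parameter


def div_trunc(a: int, b: int) -> int:
    """Integer division truncating toward zero, the way Solidity's `/` behaves.
    For a negative numerator this rounds *up*, i.e. in the trader's favour."""
    q = abs(a) // abs(b)
    return q if (a < 0) == (b < 0) else -q


def div_floor(a: int, b: int) -> int:
    """Division toward negative infinity (Python's `//`): losses round away from
    zero and gains toward zero, so the rounding error always lands on the trader."""
    return a // b


def div_ceil(a: int, b: int) -> int:
    """Round up; used for amounts the protocol must never under-state."""
    return -((-a) // b)


def notional(size: int, price: int) -> int:
    """Absolute position value in quote units at `price`."""
    return div_floor(abs(size) * price * QUOTE_SCALE, SIZE_SCALE * PRICE_SCALE)


def pnl(size: int, entry: int, mark: int, rounding=div_floor) -> int:
    """Unrealised PnL in quote units; positive size is long, negative is short."""
    return rounding(size * (mark - entry) * QUOTE_SCALE, SIZE_SCALE * PRICE_SCALE)


def required_margin(size: int, mark: int) -> int:
    """Maintenance margin, rounded up so dust never makes a position look safer."""
    return div_ceil(notional(size, mark) * MAINT_MARGIN_BPS, BPS)


def is_liquidatable(margin: int, size: int, entry: int, mark: int,
                    rounding=div_floor) -> bool:
    """Liquidate when equity (collateral + unrealised PnL) drops below maintenance."""
    equity = margin + pnl(size, entry, mark, rounding)
    return equity < required_margin(size, mark)


def dust_loss_recorded(n_positions: int, rounding) -> int:
    """Total loss the protocol books for `n_positions` 1-wei longs that each lost 10%.
    With truncation every loss rounds to 0; with floor each is booked as -1."""
    return sum(pnl(1, 100 * PRICE_SCALE, 90 * PRICE_SCALE, rounding)
               for _ in range(n_positions))


if __name__ == "__main__":
    one_unit, entry = SIZE_SCALE, 100 * PRICE_SCALE
    for mark in (95, 94):
        print(f"mark {mark}: liquidatable="
              f"{is_liquidatable(10 * QUOTE_SCALE, one_unit, entry, mark * PRICE_SCALE)}")
    print("dust loss, truncating:", dust_loss_recorded(1000, div_trunc))
    print("dust loss, floor:     ", dust_loss_recorded(1000, div_floor))
```

The 10x long at entry 100 survives a mark of 95 (equity 5.00 against 4.75 required) and becomes liquidatable at 94 (equity 4.00 against 4.70). The dust check is the rounding-precision point: a 1-wei position that lost 10% books a loss of -1 under floor division and 0 under truncation, and an auditor should expect the contract to state, per arithmetic site, which direction it rounds and why.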
SEAL Launches Comprehensive Web3 Security Frameworks Initiative
Security Alliance (SEAL), a not-for-profit collective of security specialists, unveiled "Frameworks"—a vendor-neutral, community-driven security standards hub consolidating battle-tested infosec practices with cutting-edge Web3 research. The open-source resource addresses critical gaps in blockchain security education by providing comprehensive guidelines spanning fundamentals, governance, risk management, and security controls for development teams across project lifecycles. SEAL's mission distills existing resources and original content into an accessible, one-stop shop designed for contributors from both Web2 and Web3 backgrounds. The initiative includes specialized frameworks on security awareness (threat recognition and risk signals), certifications with standardized evaluation criteria, and operational best practices. SEAL invites community contributions via published contribution guidelines. (Security Alliance)
AWS GuardDuty Uncovers Advanced Cryptomining Campaign
Kyle Koeller at AWS identified an ongoing cryptocurrency mining campaign since November 2, 2025, targeting Amazon EC2 and ECS using compromised IAM credentials. Threat actors deployed crypto miners within 10 minutes of initial access, utilizing novel persistence techniques including ModifyInstanceAttribute to disable API termination, complicating incident response. The campaign employed the malicious Docker Hub image yenik65958/secret (100,000+ pulls) containing SBRMiner-MULTI, deployed across 50+ ECS clusters and 14 auto scaling groups scaling up to 999 instances each. (AWS)
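The behaviours in that write-up (compute launched minutes after first use of a key, ModifyInstanceAttribute enabling termination protection, a task definition pulling the named image, and auto scaling groups with a very large maxSize) all leave CloudTrail records, so they can be triaged with plain rules. The block below is an added example for this bulletin, not AWS, GuardDuty or the original report's code. It runs four such rules over constructed, simplified CloudTrail-shaped records; the access key ids, instance ids, timestamps, the 500-instance ASG threshold and the rule names are all invented here, while the image name `yenik65958/secret` is the one the report cites.

```python
from datetime import datetime, timedelta

# Added example, not AWS/GuardDuty code: rule-based triage of CloudTrail records
# for the behaviours described in the AWS cryptomining write-up.
KNOWN_MINER_IMAGES = {"yenik65958/secret"}   # image named in the report
ASG_MAX_SIZE_THRESHOLD = 500                  # constructed threshold
LAUNCH_EVENTS = {"RunInstances", "RunTask"}
RAPID_WINDOW = timedelta(minutes=10)          # "miners within 10 minutes of access"

SAMPLE_EVENTS = [  # constructed records in a simplified CloudTrail layout
    {"eventTime": "2025-11-02T03:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity",
     "userIdentity": {"accessKeyId": "AKIA00000000COMPROMISED"}},
    {"eventTime": "2025-11-02T03:04:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances",
     "userIdentity": {"accessKeyId": "AKIA00000000COMPROMISED"},
     "requestParameters": {"instanceType": "c5.24xlarge"}},
    {"eventTime": "2025-11-02T03:05:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifyInstanceAttribute",
     "userIdentity": {"accessKeyId": "AKIA00000000COMPROMISED"},
     "requestParameters": {"instanceId": "i-0000000000example1",
                           "disableApiTermination": {"value": True}}},
    {"eventTime": "2025-11-02T03:06:00Z", "eventSource": "ecs.amazonaws.com",
     "eventName": "RegisterTaskDefinition",
     "userIdentity": {"accessKeyId": "AKIA00000000COMPROMISED"},
     "requestParameters": {"containerDefinitions": [{"image": "yenik65958/secret:latest"}]}},
    {"eventTime": "2025-11-02T03:07:45Z", "eventSource": "autoscaling.amazonaws.com",
     "eventName": "CreateAutoScalingGroup",
     "userIdentity": {"accessKeyId": "AKIA00000000COMPROMISED"},
     "requestParameters": {"autoScalingGroupName": "asg-example", "maxSize": 999}},
    # A routine admin session (constructed) that should trigger nothing.
    {"eventTime": "2025-11-02T08:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"accessKeyId": "AKIA00000000ADMINKEY"}},
    {"eventTime": "2025-11-02T09:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances",
     "userIdentity": {"accessKeyId": "AKIA00000000ADMINKEY"},
     "requestParameters": {"instanceType": "t3.micro"}},
    {"eventTime": "2025-11-02T09:20:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifyInstanceAttribute",
     "userIdentity": {"accessKeyId": "AKIA00000000ADMINKEY"},
     "requestParameters": {"instanceId": "i-0000000000example2",
                           "instanceType": {"value": "t3.small"}}},
]


def _ts(ev: dict) -> datetime:
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _principal(ev: dict) -> str:
    ident = ev.get("userIdentity") or {}
    return ident.get("accessKeyId") or ident.get("arn") or "unknown"


def _image_repo(image: str) -> str:
    """Normalise 'repo/name:tag@sha256:...' to 'repo/name' for block-list matching."""
    image = image.split("@", 1)[0]                  # drop a digest, if any
    head, _, last = image.rpartition("/")
    if ":" in last:                                 # tag lives in the last path component
        last = last.split(":", 1)[0]
    return f"{head}/{last}" if head else last


def check_event(ev: dict) -> list:
    """Stateless rules; each hit is a (kind, detail) pair for one record."""
    name, rp, hits = ev.get("eventName"), ev.get("requestParameters") or {}, []
    attr = rp.get("disableApiTermination")
    if name == "ModifyInstanceAttribute" and (
            attr is True or (isinstance(attr, dict) and attr.get("value") is True)):
        hits.append(("termination_protection_enabled", rp.get("instanceId")))
    if name == "RegisterTaskDefinition":
        for c in rp.get("containerDefinitions") or []:
            repo = _image_repo(c.get("image", ""))
            if repo in KNOWN_MINER_IMAGES:
                hits.append(("known_miner_image", repo))
    if name in {"CreateAutoScalingGroup", "UpdateAutoScalingGroup"} and \
            (rp.get("maxSize") or 0) >= ASG_MAX_SIZE_THRESHOLD:
        hits.append(("oversized_asg", rp.get("autoScalingGroupName")))
    return hits


def analyze(events: list) -> list:
    """Stateless rules plus one timing rule: compute launched within RAPID_WINDOW of a
    principal's first activity in this log window (note: window-relative, so feed it
    enough history that 'first seen' is meaningful)."""
    findings, first_seen = [], {}
    for ev in sorted(events, key=_ts):
        who, when = _principal(ev), _ts(ev)
        first_seen.setdefault(who, when)
        hits = check_event(ev)
        if ev.get("eventName") in LAUNCH_EVENTS and when - first_seen[who] <= RAPID_WINDOW:
            hits.append(("rapid_launch_after_first_seen", str(when - first_seen[who])))
        findings += [{"principal": who, "time": ev["eventTime"], "kind": k, "detail": d}
                     for k, d in hits]
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['time']} {f['principal']} {f['kind']} {f['detail']}")
```

On the sample window every finding belongs to the compromised key and the admin session stays quiet; the termination-protection rule is the one worth wiring to an alert on its own, because an instance with `disableApiTermination` set has to be un-flagged before responders can terminate it, which is exactly the delay the report describes.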
Fireblocks Addresses Sha1-Hulud 2.0 Supply Chain Threat
Fireblocks identified and responded to suspicious activity from the Sha1-Hulud 2.0 npm worm supply chain attack affecting hundreds of packages. An unauthorized party accessed support ticket data from a third-party provider. Fireblocks contained the issue through credential rotation and infrastructure hardening, confirming no customer funds were compromised. (Fireblocks)
Forta Network Advances ML-Powered Threat Detection
Forta revealed machine learning models detecting phishing scams across Ethereum with 88% precision on known scams from May-June 2023. The ML-powered detection bot uses EasyEnsembleClassifier with LGBM integration, monitoring transaction patterns and address behavior in real-time. The system integrates into wallet providers and blockchain explorers for transaction screening. (Forta)
A few notable hacks from Rekt and other sources…
GlassWorm Malware Expands to macOS With Trojanized Crypto Wallet Replacements
Koi Security researchers discovered a fourth wave of GlassWorm targeting macOS developers through malicious VSCode extensions on OpenVSX, departing from previous Windows-only campaigns. The AES-256-CBC-encrypted payloads execute after 15-minute delays via AppleScript and LaunchAgents for persistence. GlassWorm now targets 50+ browser crypto extensions, developer credentials (GitHub, NPM), keychain passwords, and hardware wallet apps like Ledger Live and Trezor Suite, replacing them with trojanized versions. The mechanism currently fails due to empty file returns, suggesting wallet trojans remain under development. Three malicious extensions accumulated 33,000+ downloads despite publisher verification warnings. The campaign maintains Solana-based command-and-control infrastructure with overlapping attack infrastructure across waves. (Bleepingcomputer)
Unleash Protocol Suffers $3.9M Exploit
Unleash Protocol, an IP asset finance platform built on Story Protocol, disclosed unauthorized activity on December 30, 2025 resulting in approximately $3.9 million in user fund losses. An externally owned address gained administrative control of Unleash Protocol smart contracts, enabling unauthorized withdrawals and transfers of user assets. The exploiter bridged stolen funds to Ethereum mainnet and deposited 1,337.1 ETH (~$3.9M at time of writing) into Tornado Cash for obfuscation. The protocol initiated a comprehensive investigation into the root cause and access vector while notifying affected users and implementing containment measures. Security researchers flagged the incident as a critical infrastructure compromise affecting the IP money market ecosystem. (Unleash Protocol on X)
Trust Wallet Browser Extension v2.68 Security Incident: $7M User Loss
The Trust Wallet CEO provided a transparent update on the December 25, 2025 browser extension v2.68 security incident affecting ~2,596 compromised addresses. Approximately $7 million in user losses occurred within 24 hours. Trust Wallet confirmed internal investigations are underway and identified measures to prevent further losses. The firm addressed a surge of 5,000 reimbursement claims against confirmed compromised addresses, implementing strict wallet ownership verification to filter fraudulent or duplicate claims and accurately compensate affected users. (Eowyn Chen on X)
Foreign Hacker Extradited to South Korea After $170M Bitcoin Theft Via Malware
A 29-year-old foreign hacker was extradited to South Korea after deploying the MSAuto malware to steal over 1.7 billion won (~$170 million USD) in cryptocurrency from Korean residents. From 2014 to January 2023, the attacker distributed counterfeit Windows activation software 2.8 million times, exploiting users without legitimate antivirus protection. The malware employed address-hijacking techniques to automatically redirect cryptocurrency transfers to hacker-controlled wallet addresses, compromising approximately 3,100 addresses. Eight South Korean victims lost 16 million won collectively. South Korean police traced the stolen assets across domestic exchanges and six foreign jurisdictions, identifying seven additional accomplices. The suspect was apprehended in a third country, and through international police cooperation, was extradited after four years and four months of investigation. He currently faces custody proceedings in South Korean court. (Joongang)
Total 2025 hack events: 202. Total amount lost to blockchain hackers: about $2,940,996,855.
How Crypto Regulation Changed in 2025: A Global Review
Elliptic released its Global Crypto Regulation 2025 report documenting major regulatory movements including MiCA implementation, the GENIUS Act, and framework shifts from enforcement toward structured guidance. The analysis explores regulatory convergence and divergence across jurisdictions, providing strategic insights for companies navigating 2026. (Elliptic)
FBI Takes Down E-Note Crypto Laundering Platform; Russian Operator Indicted
The U.S. Department of Justice dismantled E-Note, an unlicensed cryptocurrency exchange allegedly operating since 2010 to launder illicit ransomware proceeds and account takeover funds. Federal prosecutors indicted Russian national Mykhalio Petrovich Chudnovets on conspiracy to launder monetary instruments, carrying a 20-year maximum sentence. The FBI traced over $70 million in criminal proceeds flowing through E-Note and associated money-mule networks since 2017, primarily targeting U.S. healthcare and critical infrastructure organizations. Law enforcement seized servers, mobile applications, and domains including e-note.com and e-note-ws, recovering customer databases and transaction records spanning a decade. The coordinated operation involved German, Finnish, and Michigan State Police authorities, effectively disrupting the financial infrastructure that cybercriminal groups depended upon for converting cryptocurrency into usable cash. (Justice Dept.)