0x21 Web3 Security Bulletin
Crypto and web3 security insights, including tools, hacks, and regulations.
🍿 Code Is Law
Peak interest: we have movies about web3 security now. “Documentary exposing a historic crime spree in crypto, where hackers steal hundreds of millions and claim they've broken no laws.” It kicks off with the DAO hack. (Amazon Prime)
👇🏽 Paxos $300 Trillion Oopsie
The biggest fat finger in financial history: Paxos accidentally minted $300 trillion of PYUSD, an amount exceeding 2.5 times global GDP. The error was rectified within 22 minutes, costing only $2.66 in gas. (Rekt)
Quantum Computing Threatens Bitcoin’s Core Security
A write-up from Nic Carter outlines how quantum computing poses an existential risk to Bitcoin by undermining the elliptic curve discrete log problem, which is foundational to its cryptographic security. The article explains Bitcoin’s key creation and signature protocols, building mathematical and real-world intuition for why these are hard to reverse today, and why quantum advances could make brute-forcing feasible and trigger an urgent protocol reassessment. (Murmurations II)
Iran’s Shadow Banking Network Leverages Crypto to Evade Sanctions
Nominis reveals how Iran’s regime operates a sophisticated shadow-banking network, combining shell companies, offshore banks, trade-based money laundering, and stablecoins—primarily Tether on TRON—to move billions globally, bypassing sanctions. Detection is difficult due to complex jurisdictions and adaptive tactics, challenging regulators to deploy real-time behavioral analytics and coordinated global intelligence. (Nominis)
DPRK Deploys EtherHiding to Evade Detection
Google Threat Intelligence reports that North Korea’s UNC5342 cyber group has adopted “EtherHiding,” a malware delivery method that leverages public blockchains to store and retrieve malicious payloads. This tactic offers unprecedented resilience to takedown efforts, enabling covert attacks that target cryptocurrency and tech sectors via sophisticated social engineering campaigns. (Google)
↑ Cool, but the techniques described were already documented from the ClearFake campaign
The ClearFake campaign embedded malicious JavaScript (often fake browser-update overlays) and payloads inside smart contracts and blockchain transactions (BNB Smart Chain, Ethereum). Loader scripts running in victims’ browsers made read-only blockchain calls (eth_call) to smart contracts that stored, or pointed to, Base64-encoded second-stage payloads. (Bridewell)
ERC 7518 for Secure & Interoperable RWA Tokenization
QuillAudits explores ERC 7518, a standard designed to enhance the security and interoperability of Real-World Asset (RWA) tokenization. The article details how this standard facilitates seamless integration of physical assets onto the blockchain, addressing challenges in the evolving RWA landscape. (QuillAudits)
ERC-7518: Dynamic Compliant Interop Security Token
For those looking to go deeper, the draft standard from [Ethereum.org](https://eips.ethereum.org/EIPS/eip-7518).
Almanax AI Outperforms Traditional Code Auditors
A new benchmark from Almanax compares its AI Security Engineer—using GPT-5 and Claude 4.5—with standard static analysis tools across EVM, Solana, Aptos, and Web2 codebases. (Almanax)
Sherlock AI Embeds Smart Security in Development Workflow
Sherlock AI is a new auditing assistant that integrates with GitHub to provide real-time vulnerability detection and remediation feedback for smart contract developers. By leveraging expert-informed heuristics and machine learning, the system enables teams to identify and address critical bugs before audits, reducing costs and improving launch timelines. (Sherlock)
A few notable hacks from Rekt and other sources…
A potential ongoing situation at Hyperliquid?…
First, PeckShield flags a $21 million exploit due to a private key leak.
But…that was followed up with an issue opened on Hyperliquid’s GitHub by CaNCaNCode:
Hyperliquid SDK Faces EIP-712 Cross-Chain Replay Risk
If valid, this would allow signatures to be maliciously reused on other chains when relayers do not enforce strict domain separation (binding each signature to a chain ID and verifying contract). The report urges server-side validation, chain-specific nonces, and enhanced runtime checks to prevent unauthorized transactions and protocol breaches. (GitHub)
The issue has been closed, so we’ll wait and see if anything reemerges here.
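To show what the reported replay risk looks like on the verifier side, here is an added Python model (not Hyperliquid's SDK code) of EIP-712 domain binding plus nonce tracking: a "weak" domain that omits chainId lets a relayer on another chain accept the same signature, while the proper domain separator and a used-nonce set reject cross-chain and same-chain replays. Assumptions: hashlib.sha3_256 stands in for keccak256 (not in the standard library) and an HMAC with a constructed key stands in for secp256k1 ECDSA; the Order type, contract name and addresses are constructed for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass

SECRET = b"constructed-demo-key"  # stands in for the signer's private key (symmetric stand-in)

def h(data: bytes) -> bytes:
    # keccak256 stand-in: hashlib.sha3_256 (assumption; use a real keccak256 in production)
    return hashlib.sha3_256(data).digest()

DOMAIN_TYPE = h(b"EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)")
WEAK_DOMAIN_TYPE = h(b"EIP712Domain(string name,string version)")  # omits chainId: replayable across chains
ORDER_TYPE = h(b"Order(address account,uint256 amount,uint256 nonce)")

@dataclass(frozen=True)
class Order:
    account: bytes  # 20-byte address
    amount: int
    nonce: int

def struct_hash(o: Order) -> bytes:
    return h(ORDER_TYPE + o.account.rjust(32, b"\0") + o.amount.to_bytes(32, "big")
             + o.nonce.to_bytes(32, "big"))

def domain_separator(chain_id: int, contract: bytes, bind_chain: bool) -> bytes:
    name_and_version = h(b"DemoExchange") + h(b"1")
    if not bind_chain:  # weak domain: the signature says nothing about which chain it is for
        return h(WEAK_DOMAIN_TYPE + name_and_version)
    return h(DOMAIN_TYPE + name_and_version + chain_id.to_bytes(32, "big") + contract.rjust(32, b"\0"))

def sign(order: Order, chain_id: int, contract: bytes, bind_chain: bool = True) -> bytes:
    """Signer side: HMAC over the EIP-712 digest stands in for secp256k1 ECDSA."""
    digest = h(b"\x19\x01" + domain_separator(chain_id, contract, bind_chain) + struct_hash(order))
    return hmac.new(SECRET, digest, hashlib.sha256).digest()

class Relayer:
    """Verifier for one chain: recomputes the digest with its own chainId and tracks used nonces."""
    def __init__(self, chain_id: int, contract: bytes, bind_chain: bool = True):
        self.chain_id, self.contract, self.bind_chain = chain_id, contract, bind_chain
        self.used_nonces = set()

    def accept(self, order: Order, sig: bytes) -> bool:
        expected = sign(order, self.chain_id, self.contract, self.bind_chain)
        if not hmac.compare_digest(expected, sig):
            return False  # signed for another chain/contract, or the order was tampered with
        if (order.account, order.nonce) in self.used_nonces:
            return False  # same-chain replay of an already-executed order
        self.used_nonces.add((order.account, order.nonce))
        return True
```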
Sharwa Finance Attack Post-Mortem Reveals Key Flaws
Sharwa Finance’s post-mortem details a $146,000 hack exploiting its swap function, which lacked slippage protection and Chainlink oracle checks. Attackers manipulated WBTC prices and bypassed lending limits, highlighting the need for post-swap validation and robust price feeds. Through collaboration with Binance and auditors, 80% of the initial losses were recovered, prompting major security upgrades and a continued commitment to the platform. (Sharwa Finance via X)
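The two missing controls named in the post-mortem, as an added Python model (not Sharwa Finance's code): a post-swap check that enforces the caller's minAmountOut, validates the Chainlink round (positive answer, complete round, heartbeat not missed) and rejects executions whose price deviates from the feed by more than a tolerance in basis points. Assumptions: amount_in and amount_out share the feed's 8 decimals, and the OracleRound fields mirror latestRoundData() with constructed values.

```python
from dataclasses import dataclass

BPS = 10_000          # basis points denominator
FEED_DECIMALS = 8     # Chainlink USD feeds report 8 decimals

@dataclass(frozen=True)
class OracleRound:
    """Fields as returned by a Chainlink latestRoundData() call (constructed values in the demo)."""
    round_id: int
    answer: int
    updated_at: int
    answered_in_round: int

class SwapRejected(Exception):
    pass

def check_feed(r: OracleRound, now: int, max_age: int) -> int:
    """Reject non-positive, incomplete or stale oracle rounds; return the validated price."""
    if r.answer <= 0:
        raise SwapRejected("oracle answer is not positive")
    if r.answered_in_round < r.round_id:
        raise SwapRejected("oracle round is incomplete")
    if now - r.updated_at > max_age:
        raise SwapRejected("oracle price is stale")
    return r.answer

def validate_swap(amount_in: int, amount_out: int, min_amount_out: int, feed: OracleRound,
                  now: int, max_age: int = 3600, max_deviation_bps: int = 100) -> int:
    """Post-swap validation: the caller's slippage bound plus a deviation check against the feed.
    Assumes amount_in and amount_out use the same decimals as the feed."""
    price = check_feed(feed, now, max_age)
    if amount_out < min_amount_out:  # slippage protection the swap path must enforce
        raise SwapRejected("received less than minAmountOut")
    expected_out = amount_in * price // 10**FEED_DECIMALS
    deviation_bps = abs(amount_out - expected_out) * BPS // expected_out
    if deviation_bps > max_deviation_bps:  # pool price drifted too far from the reference feed
        raise SwapRejected(f"execution price deviates {deviation_bps} bps from oracle")
    return amount_out
```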
Typus Finance Hacked for $3.44 Million
Typus Finance suffered a $3.44 million loss due to critical oracle vulnerabilities in its TLP contract. The attacker drained SUI, USDC, xBTC, and suiETH, highlighting the severe risks associated with oracle module exploits in DeFi protocols. (Typus Finance)
Total 2025 hack events: 162
The total amount of money lost to blockchain hackers is about: $2,685,069,362
Singapore Crypto License: 2025 Founder’s Playbook
Hacken's guide outlines the 2025 regulatory landscape for crypto businesses seeking a Singapore license. It details compliance requirements, application processes, and strategic considerations for founders navigating the city-state's evolving digital asset framework, emphasizing Singapore's role as a key Web3 hub. (Hacken)
GENIUS Act 2025: Stablecoin Compliance Checklist
Hacken provides a compliance checklist for stablecoin projects in response to the GENIUS Act 2025. The article details key regulatory requirements and best practices for stablecoin issuers to ensure adherence to the new legislation, focusing on security, transparency, and market stability. (Hacken)
TransCrypts Tackles Digital Identity with Blockchain
Pantera Capital highlights its investment in TransCrypts, a platform that uses zero-knowledge proofs and IPFS storage to automate and secure recurring digital verifications. By integrating directly with HR and payroll providers, TransCrypts addresses inefficiencies and risks in legacy identity systems, empowering individuals with verifiable, user-owned digital records across multiple industries. (Pantera Capital)
Adding All Flavors: A Hybrid Random Number Generator for dApps and Web3
A paper introduces a hybrid random number generation solution for dApps and Web3, addressing limitations of existing on-chain and off-chain methods. It leverages IoT devices with trusted execution environments as randomness sources and cryptographic tools for aggregation, requiring only one honest source for unbiased results. The approach aims to reduce on-chain computation costs, enhancing practical effectiveness. (ArXiv)
💾 Throwback —> Ransomware as a Service using Smart Contracts and IPFS
This study from 2020 demonstrates how blockchain (Ethereum) and IPFS can enable “Ransomware as a Service,” automating affiliate payouts, victim payments, and encrypted file delivery with minimal online presence and strong anonymity. The paper shows how decentralized architecture, resilient storage, and smart contracts make takedown efforts difficult, urging security researchers to prioritize countermeasures as criminal abuse accelerates. (ArXiv)