
Extropy Security Bytes: w34 2025

5 min read · Aug 23, 2025

Welcome to our weekly security roundup, where we track the latest threats shaping the Web3 landscape. This week’s incidents range from ransomware abusing cloud storage and MEV bot misconfigurations to large-scale fund manipulation, network-level exploits, and address poisoning scams.

Together, they highlight how attackers continue to target weaknesses across infrastructure, protocols, and users, underscoring the need for stronger security awareness at every layer of the ecosystem.

Kraken Suspends Monero Deposits After Qubic Pool Hashrate Surge

The Monero network experienced instability after the Qubic mining pool briefly claimed a majority of the hashrate (peaking near 2.6 GH/s). This caused a six-block reorganisation and about 60 orphaned blocks, raising fears of a potential 51% attack. While debate continues over whether it strictly qualifies as one, Kraken temporarily suspended Monero deposits to reduce reorg risk, though trading and withdrawals remained unaffected. The event highlighted how hashrate concentration in proof-of-work systems creates both technical risks and public confidence issues.

Impact

Kraken halted deposits, and Monero faced higher reorg/censorship risks, short-term volatility, and reputational damage over its decentralisation.

Lessons Learned

Exchanges should use dynamic confirmation windows tied to reorg/orphan rates, while PoW communities need policies to prevent pool concentration, more real-time hashrate transparency, and clear crisis communication.
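One way an exchange could implement the dynamic confirmation window suggested above, as an added example that is not from the post or from Kraken: the policy scales required confirmations with the deepest reorg and the orphan rate seen in a recent window, and pauses crediting outright when a reorg exceeds a fixed depth. The window values, base depth and thresholds are constructed.

```python
# Added example: dynamic deposit-confirmation policy for a PoW chain,
# driven by observed reorg depth and orphan rate. All thresholds are
# constructed policy values, not anything from the post or from Kraken.
from dataclasses import dataclass, field


@dataclass
class ChainWindow:
    """Observations over a recent window of one PoW chain (e.g. Monero)."""
    blocks_seen: int                          # canonical + orphaned blocks seen
    orphaned: int                             # blocks later orphaned in the window
    reorg_depths: list = field(default_factory=list)  # depth of each reorg seen


def orphan_rate(w: ChainWindow) -> float:
    return 0.0 if w.blocks_seen == 0 else w.orphaned / w.blocks_seen


def required_confirmations(w: ChainWindow, base: int = 10,
                           orphan_rate_ceiling: float = 0.05) -> int:
    """Confirmations to require before crediting a deposit.

    - never below `base`
    - at least twice the deepest reorg seen (a depth-d reorg proves that
      d confirmations were not final)
    - scaled up further while the orphan rate is above the ceiling
    """
    deepest = max(w.reorg_depths, default=0)
    confs = max(base, 2 * deepest)
    rate = orphan_rate(w)
    if rate > orphan_rate_ceiling:
        confs = round(confs * (1 + rate / orphan_rate_ceiling))
    return confs


def should_pause_deposits(w: ChainWindow, max_reorg: int = 5) -> bool:
    """Stop crediting entirely once a reorg deeper than `max_reorg` is seen."""
    return max(w.reorg_depths, default=0) > max_reorg


# Constructed windows: a calm day and a hashrate-surge day (600 blocks each).
CALM = ChainWindow(blocks_seen=600, orphaned=3, reorg_depths=[1])
SURGE = ChainWindow(blocks_seen=600, orphaned=60, reorg_depths=[1, 2, 6])

if __name__ == "__main__":
    for name, w in (("calm", CALM), ("surge", SURGE)):
        print(name, required_confirmations(w), should_pause_deposits(w))
```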

Crypto24 Ransomware Uses Google Drive for Data Theft

The Crypto24 ransomware group has been targeting large enterprises in finance, manufacturing, entertainment, and tech across the US, EU, and Asia. Their attack chain involves enabling hidden admin accounts, using “living off the land” commands for reconnaissance, and installing two malicious Windows services: WinMainSvc (a keylogger disguised as a Microsoft tool) and MSRuntime (the ransomware loader). What makes this campaign stand out is its use of advanced EDR (Endpoint Detection and Response) evasion techniques, including tampering with kernel callbacks and driver hooks to blind popular security tools. In some cases, they even used legitimate software uninstallers to quietly remove defenses. Stolen data was exfiltrated through Google Drive via normal web traffic, making detection more difficult, before encryption began and backups were deleted.

Impact

Multiple confirmed enterprise intrusions, with attackers achieving persistence, disabling defences, moving laterally, exfiltrating data via cloud services, and encrypting systems with minimal detection.

Lessons Learned

Strengthen EDR with kernel-level protections, monitor for tampering and suspicious services, restrict unmanaged OAuth access to cloud storage, baseline traffic to services like Google Drive, and prepare playbooks for rapid isolation in case of ransomware spread.
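The "monitor for tampering and suspicious services" advice can be turned into a concrete detection. The following added example (not from the post and not a vendor's rule) scans Windows service-installation records (Event ID 7045, "A service was installed in the system") rendered in a simplified key=value layout, and flags the service names reported above, Microsoft-sounding names backed by binaries outside trusted directories, and auto-start LocalSystem persistence. The log lines are constructed.

```python
# Added example: triage of Windows service-install events (Event ID 7045).
# Indicator names come from the Crypto24 write-up; the log lines and the
# key=value rendering are constructed for this example.
import re

KNOWN_BAD_SERVICES = {"WinMainSvc", "MSRuntime"}   # from the write-up above
# Where a legitimate Windows service binary is normally expected to live.
TRUSTED_PATH = re.compile(
    r"^[A-Z]:\\(Windows\\System32|Program Files( \(x86\))?)\\", re.I)
MS_LOOKALIKE = re.compile(r"^(win|ms|microsoft)", re.I)
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> dict:
    """Parse one constructed key="value" log line into a dict."""
    return dict(FIELD_RE.findall(line))


def assess_service_install(ev: dict) -> list:
    """Return the reasons this install looks suspicious (empty if benign)."""
    name, path = ev.get("ServiceName", ""), ev.get("ImagePath", "")
    reasons = []
    if name in KNOWN_BAD_SERVICES:
        reasons.append(f"known indicator: {name}")
    if not TRUSTED_PATH.match(path):
        reasons.append(f"binary outside trusted directories: {path}")
        if MS_LOOKALIKE.match(name):
            reasons.append("Microsoft-sounding name with untrusted binary path")
    if reasons and ev.get("StartType", "").lower() == "auto start" \
            and ev.get("AccountName") == "LocalSystem":
        reasons.append("persistence: auto start as LocalSystem")
    return reasons


def scan(lines) -> list:
    """Return [(service_name, reasons)] for every suspicious 7045 event."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "7045":
            continue   # only service-installation events are assessed
        reasons = assess_service_install(ev)
        if reasons:
            alerts.append((ev.get("ServiceName", ""), reasons))
    return alerts


SAMPLE_LOG = [   # constructed
    r'EventID="7045" ServiceName="Spooler" ImagePath="C:\Windows\System32\spoolsv.exe" StartType="auto start" AccountName="LocalSystem"',
    r'EventID="7045" ServiceName="WinMainSvc" ImagePath="C:\ProgramData\WinMainSvc.exe" StartType="auto start" AccountName="LocalSystem"',
    r'EventID="7036" ServiceName="WinMainSvc" ImagePath="C:\ProgramData\WinMainSvc.exe"',
    r'EventID="7045" ServiceName="MSRuntime" ImagePath="C:\Users\Public\msrt.exe" StartType="demand start" AccountName="LocalSystem"',
]
```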

Coinbase MEV Bot Exploited in $300K Drain

A wallet configuration change at Coinbase mistakenly approved ERC-20 token transfers to 0xProject’s Settler contract, which isn’t designed to hold allowances. MEV bots quickly detected this misstep and exploited it by draining approvals across hundreds of tokens, swapping them through AMMs, and consolidating the proceeds into ETH. Coinbase confirmed that only a corporate fee wallet was affected (not customer funds) and immediately revoked the allowances while migrating funds to a new wallet.

Impact

Roughly $300K drained from Coinbase’s corporate fee wallet, along with reputational damage from a basic operational mistake despite no customer losses.

Lessons Learned

Approvals should be treated as high-risk and tightly controlled. Teams should adopt least-privilege approval practices, auto-revoke stale allowances, deploy bots to front-run their own errors with emergency revocations, and add automated checks to prevent deployments that mistakenly grant approvals to public executors.
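An added example of the "automated checks" point above (not Coinbase's or 0x's code): a pre-flight gate that decodes ERC-20 `approve(address,uint256)` calls in a transaction batch and rejects any that target a spender outside an explicit allowlist or that grant more than a policy cap. The token, vault and executor addresses are constructed placeholders.

```python
# Added example: refuse to ship a batch containing ERC-20 approvals to
# non-allowlisted spenders or with excessive allowances. Addresses are
# constructed placeholders, not real contracts.
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")  # keccak256("approve(address,uint256)")[:4]
UINT256_MAX = 2**256 - 1


def encode_approve(spender: str, amount: int) -> bytes:
    """ABI-encode approve(spender, amount); used to build the sample batch."""
    addr = bytes.fromhex(spender[2:]).rjust(32, b"\0")   # left-pad to one word
    return APPROVE_SELECTOR + addr + amount.to_bytes(32, "big")


def decode_approve(calldata: bytes):
    """Return (spender, amount) if calldata is an approve() call, else None."""
    if len(calldata) != 68 or calldata[:4] != APPROVE_SELECTOR:
        return None
    spender = "0x" + calldata[16:36].hex()          # last 20 bytes of word 1
    amount = int.from_bytes(calldata[36:68], "big")  # word 2
    return spender, amount


def check_batch(batch, allowed_spenders, max_amount: int) -> list:
    """Return [(index, problem)] for every approval that violates policy."""
    allowed = {a.lower() for a in allowed_spenders}
    problems = []
    for i, (_to, data) in enumerate(batch):
        decoded = decode_approve(data)
        if decoded is None:
            continue   # not an approve(); other selectors are out of scope here
        spender, amount = decoded
        if spender not in allowed:
            problems.append((i, f"approve to non-allowlisted spender {spender}"))
        if amount > max_amount:
            tag = " (unlimited)" if amount == UINT256_MAX else ""
            problems.append((i, f"allowance exceeds policy cap{tag}"))
    return problems


# Constructed addresses (placeholders).
TOKEN = "0x" + "11" * 20
VAULT = "0x" + "22" * 20             # allowlisted internal spender
PUBLIC_EXECUTOR = "0x" + "33" * 20   # stands in for a public settlement contract
BATCH = [
    (TOKEN, encode_approve(VAULT, 10**18)),               # fine
    (TOKEN, encode_approve(PUBLIC_EXECUTOR, UINT256_MAX)),  # must be blocked
]
```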

Radiant Capital Hacker Grows $53M Theft into $95M

The attacker who stole $53M from Radiant Capital in October 2024 (via compromised developer wallets) is now actively trading their stolen assets. On August 20, the hacker sold nearly 9,631 ETH for about $44M in DAI, then repurchased ETH on price dips, effectively increasing their holdings. As a result, their stash grew to around 17,000 ETH plus $25M in DAI, totaling almost $95M. By timing sales and buybacks, the attacker turned the initial theft into an even larger fortune.

Impact

The stolen funds ballooned from $53M to about $95M, widening victim losses and complicating recovery efforts, while showcasing how attackers exploit market opportunities.

Lessons Learned

Treat hackers as active portfolio managers after thefts, monitor their wallets in real time, coordinate with exchanges for freezes or blacklists, and consider sanctions or legal actions. Projects should also enforce strong key management with HSM/MPC and require multi-sig + timelocks for any treasury movements.

Address-Poisoning Scams Cost Users $2.2M in a Week

Attackers launched a large-scale address-poisoning campaign by sending small “dust” transactions from lookalike addresses, tricking victims into copy-pasting the wrong recipient. One victim lost 140 ETH (~$636K), another nearly $880K, and several others smaller amounts, pushing weekly losses above $1.6M. Alongside this, attackers deployed malicious signature traps (e.g., approve/permit requests), which drained an additional $600K, including a $165K loss from a phishing approval targeting BLOCK/DOLO.

Impact

Over $2.2M stolen in just one week, proving address poisoning and malicious signatures are highly effective, repeatable attack vectors.

Lessons Learned

Wallets and dapps should implement stronger safeguards such as address books, whitelists, warnings for new or lookalike recipients, and signature previews. Users should avoid copy-paste habits, enable phishing protection, and regularly revoke unused token approvals.
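The address-book and lookalike-warning safeguards above, as an added example that is not from the post or from any wallet: incoming dust transfers whose sender shares the displayed leading and trailing characters of a saved contact are recorded as poison, and an outgoing payment to such an address, or to anything merely resembling a contact, is blocked with a warning. The addresses, dust threshold and history are constructed.

```python
# Added example: wallet-side defence against address poisoning. Addresses,
# threshold and transfer history are constructed for this example.
from dataclasses import dataclass


@dataclass
class Transfer:
    sender: str
    recipient: str
    value_wei: int


DUST_THRESHOLD_WEI = 10**14   # constructed policy: <= 0.0001 ETH counts as dust


def normalize(addr: str) -> str:
    return addr.lower()


def is_lookalike(candidate: str, trusted: str, prefix: int = 6, suffix: int = 4) -> bool:
    """Same displayed head/tail as `trusted` (wallet UIs truncate the middle) but not it."""
    c, t = normalize(candidate), normalize(trusted)
    return c != t and c[:prefix] == t[:prefix] and c[-suffix:] == t[-suffix:]


def poisoned_senders(history, address_book) -> dict:
    """Map each dust sender imitating a saved contact to the contact it imitates."""
    found = {}
    for tx in history:
        if tx.value_wei > DUST_THRESHOLD_WEI:
            continue
        for trusted in address_book.values():
            if is_lookalike(tx.sender, trusted):
                found[normalize(tx.sender)] = normalize(trusted)
    return found


def check_recipient(recipient: str, address_book, history):
    """Return a warning if the payment should be held for review, else None."""
    r = normalize(recipient)
    trusted = {normalize(a) for a in address_book.values()}
    if r in trusted:
        return None
    suspects = poisoned_senders(history, address_book)
    if r in suspects:
        return f"recipient {r} is a dust-sender lookalike of saved contact {suspects[r]}"
    for t in trusted:
        if is_lookalike(r, t):
            return f"recipient {r} resembles saved contact {t}"
    return "recipient not in address book"


# Constructed data: one saved contact, one poisoned lookalike, my own wallet.
CONTACT = "0xabcdef" + "0" * 30 + "1234"
LOOKALIKE = "0xabcdef" + "f" * 30 + "1234"
ME = "0x" + "9" * 40
BOOK = {"exchange": CONTACT}
HISTORY = [Transfer(LOOKALIKE, ME, 10**12), Transfer(CONTACT, ME, 5 * 10**18)]
```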

This week’s incidents underscore how diverse and persistent Web3 threats have become, from ransomware using cloud services for exfiltration, to misconfigured MEV bots, opportunistic trading of stolen funds, network-level attacks, and ongoing address poisoning scams. Staying ahead requires constant vigilance, stronger operational security, and smarter contract design. As the ecosystem evolves, collective resilience and proactive defence will be critical to protecting users and sustaining innovation.

Since 2017, Extropy has been at the forefront of blockchain security, auditing smart contracts across Ethereum and Zero-Knowledge (ZK) protocols. We have collaborated with leading ecosystems, including Base, Starknet, and MINA, ensuring their smart contracts are resilient, efficient, and secure.

We specialise in DeFi, on-chain games, and ZK applications, leveraging formal verification, static analysis, and deep manual reviews to uncover vulnerabilities before they become exploits. Whether you’re working with Solidity, Rust, Cairo, or zkVMs, our collaborative approach ensures your project meets the highest security standards.

- Website: security.extropy.io

- Email: info@extropy.io


Written by Extropy.IO

Oxford-based blockchain and zero knowledge consultancy and auditing firm
