
Extropy Security Bytes: W36 2025

5 min read · Sep 8, 2025

Welcome to week 36 of our security roundup.

From multimillion-dollar protocol exploits to North Korean recruiter scams, this week in crypto security proved that attackers are as creative as ever. Exploits, social engineering, and novel malware delivery techniques all converged, leaving developers, investors, and projects scrambling to respond.

Venus Protocol Exploit: $12M Drained, Attacker Returns Funds

Venus Protocol on BNB Chain faced a major scare when an attacker siphoned off $12 million in assets through a smart contract exploit. The incident triggered immediate panic across DeFi circles, with many fearing another high-profile lending collapse as stablecoin liquidity drained from the platform in minutes.

In a surprising twist, the attacker later began communicating with the Venus team through on-chain messages.

After initial silence, they agreed to return the stolen funds in exchange for a “negotiated resolution.”

The dialogue led to the safe return of assets, leaving the community divided: was this a white-hat stress test, a soft form of ransom, or simply an opportunist backing down once they had leverage? The unusual resolution highlighted how DeFi exploits often blur the line between attack and bounty.

While Venus ultimately recovered, the exploit reignited debate over DeFi’s reliance on bug bounties and audits. Critics argue that insufficient incentives push researchers toward public exploits instead of responsible disclosures.

For Venus, the return of funds was a lucky break, but it underscored how vulnerable liquidity providers remain — and how much protocol trust still hinges on attacker goodwill.

SuperRare Loses $730K in Private Key Hack, Bug Bounty Debate Rekindled

NFT marketplace SuperRare confirmed it lost $730,000 after attackers compromised private keys tied to its infrastructure. Though user wallets were spared, the breach raised sharp concerns about lingering weaknesses in key management practices across the industry.

The hack also revived the long-running dispute over bug bounty programs. Security researchers argue that underfunded or unclear bounty setups discourage white-hat disclosures, leaving vulnerabilities unpatched until bad actors strike. The SuperRare case was seen by many as another failure of incentives.

Beyond the dollar value, the reputational cost was steep. For platforms built on trust, incidents like this show that security must be continuous and proactive, from key custody to monitoring — rather than reactive when losses are already confirmed.

Nemo Protocol Exploited for $2.4M, Developer Floats AI-Based Safeguards

Decentralized lending platform Nemo Protocol lost $2.4 million in a sophisticated exploit that manipulated collateral pricing. In the aftermath, the protocol’s developer suggested AI-driven monitoring as a future safeguard, envisioning automated systems that could detect abnormal patterns in real time.

The proposal sparked mixed reactions. Some praised the forward-looking idea, while others warned that AI can introduce new risks, from adversarial manipulation to opaque decision-making.

Regardless, the exploit revealed how thinly stretched current monitoring frameworks are in protecting DeFi liquidity pools.

North Korean Hackers Lure Crypto Workers With Fake Job Offers, Steal Millions

Reuters revealed a large-scale campaign dubbed Contagious Interview, where North Korean hackers posed as recruiters on LinkedIn and Telegram to infiltrate crypto firms. Victims were tricked into downloading malicious “skills test” software or recording video assessments, which compromised their systems and wallets.

Targets ranged from coders to executives, with more than 230 individuals approached between January and March.

Losses included drained Ethereum and Solana wallets, with some victims reporting thousands stolen. Experts warn that these campaigns are both persistent and systemic, tied to Pyongyang’s effort to fund its weapons program through cryptocurrency theft.

Ethereum Smart Contracts Weaponized in NPM Supply Chain Attack

Researchers at ReversingLabs uncovered two malicious NPM packages — colortoolsv2 and mimelib2 — that disguised their activity by querying Ethereum smart contracts.

Instead of embedding malicious code directly, the packages used blockchain calls to retrieve hidden URLs that downloaded second-stage malware.

By embedding malware instructions inside smart contracts, attackers managed to bypass traditional security tools, which rarely flag blockchain interactions as suspicious. The operation was further masked by fake GitHub repositories that looked legitimate, complete with fabricated commits, inflated stars, and convincing documentation.

The discovery highlights how attackers are expanding beyond conventional methods, combining social engineering with blockchain’s inherent trust signals to target developers.

Ethereum Smart Contracts Used Again to Mask Malware Payloads

In a related incident, security researchers reported a fresh round of malicious packages on NPM that tapped Ethereum smart contracts to fetch concealed malware payloads.

This technique builds on past supply chain attacks that used trusted platforms like GitHub Gists or Google Drive to host malicious links. By shifting to Ethereum smart contracts, adversaries added a crypto-specific twist that further obscures detection. The incident underscores the dangers of assuming that open-source activity — commits, stars, or active repos — guarantees legitimacy.
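The two NPM incidents above share one tell: a package whose code reads from an Ethereum contract and also carries a way to fetch or execute something it did not ship with, often wired to an install-time hook. As an added illustration (not code from the article or from ReversingLabs), the script below triages a package for that combination; the input shape and the fixtures are constructed for the example.

```javascript
// Added example (not from the article or ReversingLabs): heuristic triage of an
// npm package for the pattern described above, i.e. a lifecycle install hook
// combined with an Ethereum client/RPC lookup and a remote-fetch or
// dynamic-execution primitive. Assumed input shape:
// { manifest: <parsed package.json>, files: { "<path>": "<source text>" } }.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Coarse indicator regexes; tune them against your own package corpus.
const INDICATORS = {
  chainLookup: /require\(['"](ethers|web3)['"]\)|from ['"](ethers|web3)['"]|\beth_call\b/,
  remoteFetch: /\b(fetch|axios\.get|https?\.get)\s*\(/,
  dynamicExec: /\beval\s*\(|new Function\s*\(|child_process|vm\.runIn/,
};

function scanPackage(pkg) {
  const scripts = (pkg.manifest && pkg.manifest.scripts) || {};
  const hooks = LIFECYCLE_HOOKS.filter((h) => Object.prototype.hasOwnProperty.call(scripts, h));
  const found = new Set();
  for (const src of Object.values(pkg.files || {})) {
    for (const [name, re] of Object.entries(INDICATORS)) {
      if (re.test(src)) found.add(name);
    }
  }
  // A chain lookup alone is normal for a web3 library; it is the combination
  // with a loader primitive, and especially with an install hook, that matters.
  const chain = found.has('chainLookup');
  const loader = found.has('remoteFetch') || found.has('dynamicExec');
  let verdict = 'low';
  if (chain && loader) verdict = hooks.length ? 'high' : 'medium';
  else if (hooks.length && loader) verdict = 'medium';
  return { hooks, indicators: [...found].sort(), verdict };
}

// Constructed fixtures, not real packages. The lookalike only carries the
// tokens the scanner keys on; it is not a working loader.
const BENIGN_PKG = {
  manifest: { name: 'color-helpers', scripts: { test: 'node test.js' } },
  files: { 'index.js': "module.exports = { toHex: (n) => n.toString(16).padStart(2, '0') };" },
};
const LOOKALIKE_PKG = {
  manifest: { name: 'colortools-lookalike', scripts: { postinstall: 'node setup.js' } },
  files: { 'setup.js': "const { ethers } = require('ethers');\n// ...contract read elided...\nnew Function(payload)();" },
};

console.log(scanPackage(BENIGN_PKG).verdict, scanPackage(LOOKALIKE_PKG).verdict); // low high
```

A 'high' verdict is a reason to read the package by hand before it reaches CI, not a conviction on its own; legitimate tooling can trip a single indicator.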

Lessons Learned

Week 36 exposed the full spectrum of crypto’s security challenges:

  • DeFi exploits remain inevitable: From Venus to Nemo, protocol vulnerabilities continue to result in multimillion-dollar losses, whether or not attackers return the funds.
  • Private key management is still a weak link: SuperRare’s compromise proves that without advanced key custody solutions, even established platforms remain exposed.
  • State actors weaponize social engineering: North Korea’s fake recruiter scams reveal that not all threats are technical; sometimes the weakest link is the human one.
  • Supply chain attacks are evolving fast: The dual NPM incidents show how attackers exploit both developer trust and blockchain infrastructure itself to hide malware.

The common thread is trust: in code, in platforms, in recruiters, and even in blockchain interactions. Each of these incidents shows how quickly that trust can be subverted. The challenge for the crypto industry in the coming months is to rethink verification and defense mechanisms across every layer of the ecosystem.

Since 2017, Extropy has been at the forefront of blockchain security, auditing smart contracts across Ethereum and Zero-Knowledge (ZK) protocols. We have collaborated with leading ecosystems, including Base, Starknet, and MINA, ensuring their smart contracts are resilient, efficient, and secure.

We specialise in DeFi, on-chain games, and ZK applications, leveraging formal verification, static analysis, and deep manual reviews to uncover vulnerabilities before they become exploits. Whether you’re working with Solidity, Rust, Cairo, or zkVMs, our collaborative approach ensures your project meets the highest security standards.

- Website: https://security.extropy.io

- Email: info@extropy.io

Written by Extropy.IO

Oxford-based blockchain and zero knowledge consultancy and auditing firm
