Extropy Security Bytes: w6 2025

Extropy.IO
Feb 10, 2025


Welcome to this week’s Web3 security roundup, covering the latest hacks, exploits, and social engineering scams from 1st-8th Feb 2025. This week saw major security breaches across multiple platforms, from centralized exchanges to Web3 infrastructure tools and high-profile social media accounts. Key incidents include the $73M Phemex hack, the Ionic Money fake collateral exploit, a supply chain attack on DogWifTools, and social engineering scams draining millions from Coinbase users. We also saw another surge in meme coin-related fraud, with scammers hijacking social media accounts — including those of UFC, Jupiter DEX, and even former Malaysian Prime Minister Mahathir Mohamad — to promote fraudulent tokens. Let’s break down the details.

Ionic Money:

The attack resulted in the loss of approximately 8.5 million USD. The fundamental vulnerability was Ionic Money’s failure to properly verify the authenticity of the collateral token contract before establishing the lending pool. This allowed the attacker to mint counterfeit tokens and use them to drain the platform of its funds.

This is not the first time the project has been compromised: Ionic Money is the rebranded version of Midas, which had previously been hacked twice.

Here’s a technical summary:

  • Fake Collateral: The attack centred on the use of a counterfeit LBTC token as collateral on the Ionic Money platform. The attackers, impersonating members of Lombard Finance, persuaded Ionic Money to list this fraudulent token.
  • Lack of Verification: Ionic Money failed to verify whether the LBTC token was an officially deployed contract when setting up the lending pool. This lack of proper verification was a key factor in the exploitation.
  • Minting of Fake Tokens: The attackers exploited the absence of a legitimate Bascule contract for the LBTC token, allowing them to mint an unlimited supply of the fake token at will.
  • Borrowing Against Fake Collateral: Using the fraudulently minted LBTC tokens, the attackers then deposited these tokens as collateral on the Ionic Money platform. This allowed them to borrow real assets from various liquidity pools.
  • Withdrawal of Funds: By borrowing against the fake collateral, the attackers were able to withdraw funds from all liquidity pools, effectively draining the platform’s assets.
  • Exploitation of _confirmDeposit: The attack exploited a flaw in the _confirmDeposit function, which failed to verify the authenticity of the token contract, thus enabling the fake LBTC to be used as collateral.
  • Rapid Execution: The exploit was carried out quickly, with the attackers rapidly minting the fake tokens, depositing them, borrowing against them, and then withdrawing the funds.
  • Funds Laundering: The stolen funds were then transferred through Tornado Cash, a cryptocurrency mixer, to conceal the trail.
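The missing control in this incident was a check that the collateral address is the exact deployment governance reviewed, not merely a contract carrying the right symbol. The following Solidity registry is an added, hypothetical example (not Ionic Money’s or Lombard’s code): governance pins the reviewed token address together with its runtime code hash behind a timelock, and a pool’s deposit path (the role the write-up attributes to `_confirmDeposit`) asks the registry before accepting the token.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical collateral registry (illustrative, not a real project's code).
/// A token may be used as collateral only after governance has recorded the
/// exact deployment it verified out-of-band against the issuer's official
/// address. The pinned code hash additionally detects the code at that
/// address changing later (for example via a redeploy), and the delay gives
/// time to catch an impersonation before the listing goes live.
contract CollateralRegistry {
    address public immutable governance;

    struct Listing {
        bytes32 codeHash;   // extcodehash observed when governance approved the token
        uint64  activeFrom; // listing is usable only from this timestamp
    }

    mapping(address => Listing) private listings;
    uint64 public constant LISTING_DELAY = 2 days;

    event CollateralProposed(address indexed token, bytes32 codeHash, uint64 activeFrom);

    modifier onlyGovernance() {
        require(msg.sender == governance, "not governance");
        _;
    }

    constructor(address _governance) {
        governance = _governance;
    }

    /// Governance pins the reviewed deployment. An EOA or an address with no
    /// code is rejected outright (EXTCODEHASH is 0 or keccak256("") there).
    function proposeCollateral(address token) external onlyGovernance {
        bytes32 h = token.codehash;
        require(h != bytes32(0) && h != keccak256(""), "no code at address");
        uint64 activeFrom = uint64(block.timestamp) + LISTING_DELAY;
        listings[token] = Listing(h, activeFrom);
        emit CollateralProposed(token, h, activeFrom);
    }

    /// The check a lending pool runs before crediting a deposit: the token
    /// must be a pinned deployment, the timelock must have elapsed, and the
    /// code at the address must still match what governance reviewed.
    function isApprovedCollateral(address token) public view returns (bool) {
        Listing memory l = listings[token];
        if (l.codeHash == bytes32(0)) return false;
        if (block.timestamp < l.activeFrom) return false;
        return token.codehash == l.codeHash;
    }
}
```

Note that the code-hash pin alone does not distinguish a byte-identical copy deployed at a different address; the protection comes from governance recording the issuer’s official address, which is exactly the verification step the write-up says was skipped.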

DogWifTools:

DogWifTools is a tool for launching and promoting memecoins on the Solana blockchain. It automates token bundling and simulates high trading activity. The tool is often used to disguise supply control in memecoin scams. Ironically, the attack’s victims were themselves hackers; it is estimated that approximately $10 million was drained.

The DogWifTools hack was a supply chain attack in which the attacker compromised the project’s GitHub repository. This allowed the attacker to inject a Remote Access Trojan (RAT) into legitimate builds of the software.

The RAT specifically targeted Windows users, while macOS users were not affected. Here’s a more detailed breakdown:

  • Compromised GitHub: The attacker gained access to the DogWifTools private GitHub repository, likely by extracting a GitHub token through reverse engineering of the software.
  • Malware Injection: Instead of immediately releasing malicious updates, the attacker waited for the DogWifTools developers to release new versions. The attacker then downloaded the legitimate updates, reverse-engineered them, and injected the RAT.
  • Targeted Users: This malicious activity affected Windows users of DogWifTools versions 1.6.3 through 1.6.62.
  • Data Theft: The trojanised application downloaded a file (updater.exe) which targeted users’ cryptocurrency wallet private keys.
  • Intrusive Permissions: DogWifTools requested “very intrusive permissions” on users’ computers, allowing the hacker to access sensitive data, including ID photos, which could be used to compromise accounts on cryptocurrency exchanges.
  • Financial Losses: Users reported that the trojanised application drained their wallets, both hot and cold, and that they lost access to their cryptocurrency exchange accounts. Blockchain investigators estimated that over $10 million was drained from users’ wallets.

Update on AdsPower hack:

AdsPower is a Singapore-based developer of an anti-detect browser. The browser is designed to allow users to manage multiple online profiles and associated crypto wallets, while creating unique browser fingerprints for each profile to avoid detection.

The AdsPower hack was an off-chain attack that exploited a vulnerability in the company’s IT infrastructure, resulting in the theft of approximately $4.7 million in cryptocurrency from five users. Here’s a technical summary of the attack:

  • Attack Vector: The attackers compromised the legitimate distribution channels for AdsPower’s software. Specifically, they replaced the download for the cryptocurrency wallet browser plugin with a malicious version. This occurred on January 21st, 2025.
  • Malware: The malicious plugin was designed to steal sensitive data, specifically mnemonic phrases and private keys associated with the users’ crypto wallets.
  • Compromised Distribution: The attackers didn’t directly modify the application code, instead they compromised the channel through which users download the software. This meant that even if users were careful about where they obtained the plugin from, they were still at risk if the legitimate source was compromised.

More social engineering scams:

Coinbase:

Coinbase users have been complaining about being locked out of their accounts and having their funds locked. It has been reported that users are losing $300M+ per year to social engineering scams.

The scammer’s addresses (coinbase-hold.eth) are 0xc8234dda2bc3758eb90224d0025871001e8ee7b9 and bc1q4ks5gus8uv88vk8yage4r89kv8uxlgwhemz545, and are linked to 25 drained accounts.

The scammer calls the user from a spoofed phone number and uses personal information obtained from a private database to gain their trust. The scammer informs the victim that their account has had multiple unauthorised login attempts, then sends a spoofed email that appears to be from Coinbase with a fake Case ID, further gaining trust. The victim is instructed to transfer funds to a Coinbase Wallet and whitelist an address while “support” verifies their account security. The Coinbase site was cloned nearly 1:1, and the scammers sent different prompts to the target via spoofed emails using panels.

More scam memecoins:

Jupiter Mobile:

Jupiter, a leading DEX aggregator on Solana, suffered a hack that involved the compromise of their official X account. Here’s a technical explanation of the incident:

  • Account Compromise: The attacker gained control of Jupiter’s official X account, which indicates a security vulnerability related to the platform’s social media account management, rather than on-chain vulnerabilities.
  • Malicious Promotion: The compromised X account was then used to promote a scam meme coin called MEOW. The posts contained links and information designed to entice users to purchase the fraudulent token. This is a common social engineering tactic where a compromised account is used to promote a fraudulent scheme.
  • Pump and Dump: The MEOW token experienced a rapid price surge, reaching a market cap of $30 million within seconds. This price inflation was driven by the fraudulent promotion on the Jupiter X account, and the impression of legitimacy provided by the compromised account. However, the token was then rug-pulled, with its market cap plummeting by over 98% shortly after. This indicates that the attackers were able to quickly drain liquidity from the token, thereby defrauding users.
  • Multisig Security: Crucially, Jupiter’s exchange funds and programs were protected by multisignature protections. This security measure requires multiple approvals for access to the funds, which prevented the attacker from directly stealing assets from the exchange itself.
  • Account Recovery: Jupiter was able to regain control of their official X account. They confirmed that no customer or treasury funds were ever at risk, and that no other communication channels were affected.

Former Malaysian PM on X:

A scam meme coin was promoted via the compromised X account of former Malaysian Prime Minister, Mahathir Mohamad. Hackers gained control of Mahathir Mohamad’s X account, which was then used to promote a fraudulent meme coin with the ticker symbol MALAYSIA. By using the former PM’s account, the scammers aimed to give the token an air of legitimacy and attract potential investors.

The promotion of the meme coin caused its price to surge rapidly. Data from GeckoTerminal showed the token’s market cap reached a peak of $3.4 million before sharply dropping. After the initial spike, the value of the MALAYSIA token quickly collapsed, with its market cap plummeting to $153,000.

Trump scam coin:

In a recent scam, fake nude images of Donald Trump were added to his old posts on X using a vulnerability in the link-shortening service Bitly. Here’s how the scam unfolded:

  • Bitly Exploit: Crypto scammers discovered a vulnerability on Bitly, a platform used to shorten URLs. They exploited this vulnerability to hijack old Bitly links associated with Donald Trump’s X account.
  • Hijacked Links: The attackers took over Trump’s old Bitly links that were originally directed to legitimate content, such as his Instagram profile, or mentions of his appearances on the Sean Hannity show on Fox.
  • Fake Nude Images: The hijacked Bitly links were redirected to new links that included fake nude images of Donald Trump, often accompanied by text such as “YUGE ASF”. These images were embedded in the new links to grab attention.
  • Meme Coin Promotion: These newly created links redirected users to the scammers’ websites that promoted newly created meme coins, most notably one with the ticker symbol DJT. The goal of this was to pump the value of the meme coin.
  • Pump and Dump: By attaching the meme coin to a celebrity figure, even in a fabricated and negative context, the scammers aimed to create hype and artificially inflate the coin’s price, so they could then sell their coins for a quick profit, leaving other investors with losses.

LinkedIn Jobs scams:

Lazarus Group, the North Korean-linked organisation, has been targeting job seekers in the crypto industry to steal sensitive data and siphon funds.

Here’s how the Lazarus Group and other malicious actors may be tricking job seekers:

  • Malware Distribution: Fake job listings are used to distribute malware. Job seekers are enticed by seemingly legitimate job offers to click on malicious links or download infected files attached to the job posting. This can lead to their systems being compromised, allowing hackers to steal sensitive data and cryptocurrency assets.
  • Targeted Attacks: Job listings are used to identify and target individuals within the cryptocurrency industry. Attackers create realistic job descriptions and post them on professional platforms to attract candidates with valuable skills and access to crypto assets.
  • Compromised Systems: When a job seeker interacts with a malicious job listing, the attacker gains access to their computer or workplace systems. This allows the hacker to steal crypto assets or use the compromised system for further attacks.

This week’s attacks highlight the growing sophistication of social engineering scams, the vulnerabilities in multi-chain infrastructure, and the persistent risks associated with centralized exchanges and Web3 tools. The rise in meme coin scams underscores how attackers are leveraging celebrity accounts and trending narratives to exploit unsuspecting investors. As always, security best practices — such as multi-signature wallets, strong access controls, and continuous monitoring of contracts and repositories — remain critical in mitigating these threats. Stay vigilant, and we’ll be back next week with the latest security updates in Web3.

Written by Extropy.IO

Oxford-based blockchain and zero knowledge consultancy and auditing firm