Extropy Security Bytes: weeks 32–33, 2025
Welcome to our weekly security roundup, where we explore the latest developments and incidents affecting the Web3 landscape, offering insights into challenges that range from sophisticated social engineering to smart contract vulnerabilities and broader cybersecurity concerns. Our aim is to give the community a comprehensive, informative overview and to highlight the key lessons that can improve the Web3 security landscape.
The past two weeks have offered no shortage of high-profile hacks, breaches, and eyebrow-raising security lapses. These incidents, while damaging for those involved, provide valuable lessons for developers, investors, and users who want to avoid becoming the next cautionary tale.
Abra’s $55 Million Lawsuit and Data Leak
Abra, once a respected crypto investment platform, now finds itself embroiled in a $55 million lawsuit from the Texas State Securities Board. Allegations include misleading investors about account safety and the company’s financial health. While regulators dig deeper, leaked internal communications suggest potential mismanagement and a disregard for basic security practices. Even before the lawsuit, Abra had faced service disruptions and client withdrawals, but the latest revelations point to a more systemic failure, one in which transparency was sacrificed for short-term stability.
BtcTurk’s $55 Million Security Breach
Turkey’s largest crypto exchange, BtcTurk, confirmed a major security incident that compromised hot wallet balances across ten cryptocurrencies, resulting in losses exceeding $55 million. The attack, traced to unauthorized access to its hot wallet infrastructure, raises uncomfortable questions about why such a large share of operational funds was held in online wallets at all. Although the exchange has promised to cover user losses and states that cold wallet reserves remain untouched, the breach underscores the industry’s ongoing struggle to balance liquidity against robust key management.
The Qubic–Monero Mystery
In an unusual twist, Qubic, a relatively little-known blockchain project, found itself indirectly implicated in a bizarre Monero (XMR) theft case. Investigators believe an attacker funneled stolen Monero into Qubic’s ecosystem, converting it into Qubic tokens before moving the funds off-chain. While Qubic insists it was merely an unwitting conduit and not complicit in the laundering, the episode has drawn attention to how smaller, lightly monitored projects can become attractive waypoints for illicit fund flows. Whether Qubic hardens its compliance and monitoring systems remains to be seen, but the case is another reminder that in on-chain finance, reputations can be damaged by proximity alone.
Evolve Bank & Trust’s Data Breach
Outside the crypto-native sphere but still relevant to Web3’s intersection with traditional finance, Evolve Bank & Trust disclosed a data breach stemming from the global Snowflake cloud security incident. Customer personal information, including account details, was exposed. While no crypto assets were stolen, the breach underscores the vulnerability of hybrid Web2–Web3 service providers that rely on centralized infrastructure. For projects that integrate with traditional banking partners, this incident is a clear signal to vet not only your own code but also the full supply chain of vendors and partners.
The Growing Sophistication of Social Engineering
Not all recent attacks relied on advanced code exploits; some relied on old-fashioned human manipulation. Several DeFi teams reported incidents in which core contributors were tricked into signing malicious transactions, often through convincingly spoofed communications on Discord and Telegram.
In one case, attackers even deepfaked a project founder’s voice to request an urgent fund transfer. These attacks highlight the growing sophistication of social engineering in the Web3 space, where multi-sig wallets and hardware keys are only as secure as the humans operating them.
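The practical defence against "please sign this quickly" requests is to decode the calldata and compare it with what you actually intend to authorise before the hardware key ever sees it. The following is an added example written for this roundup, not code from Extropy or from any of the projects above. It decodes four standard ERC-20/ERC-721 function selectors (these are the real, well-known selectors) and refuses to approve calldata whose function, counterparty or amount differs from a stated intent, or that grants an unlimited allowance. The sample calldata, the intent structure and the addresses are constructed for illustration.

```python
# Added example: pre-signing calldata check for an operator who has been
# handed a transaction over chat. Not part of the original post.

# Real ERC-20 / ERC-721 selectors: first 4 bytes of keccak256(signature).
SELECTORS = {
    "a9059cbb": "transfer(address,uint256)",
    "095ea7b3": "approve(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}
# Which argument is the address a human cares about, and which is the amount.
COUNTERPARTY_ARG = {
    "transfer(address,uint256)": 0,
    "approve(address,uint256)": 0,          # spender
    "transferFrom(address,address,uint256)": 1,  # recipient
    "setApprovalForAll(address,bool)": 0,   # operator
}
AMOUNT_ARG = {
    "transfer(address,uint256)": 1,
    "approve(address,uint256)": 1,
    "transferFrom(address,address,uint256)": 2,
}
UINT256_MAX = 2**256 - 1


def decode_calldata(calldata_hex):
    """Decode selector + static 32-byte words; raise on malformed input."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if len(data) < 4:
        raise ValueError("calldata too short for a selector")
    selector = data[:4].hex()
    sig = SELECTORS.get(selector)
    if sig is None:
        return {"selector": selector, "function": None, "args": []}
    body = data[4:]
    types = sig[sig.index("(") + 1:-1].split(",")
    if len(body) != 32 * len(types):
        raise ValueError(f"{sig} expects {len(types)} words, got {len(body)} bytes")
    args = []
    for i, t in enumerate(types):
        word = body[i * 32:(i + 1) * 32]
        if t == "address":
            if any(word[:12]):  # upper 12 bytes must be zero padding
                raise ValueError("non-zero padding in address word")
            args.append("0x" + word[12:].hex())
        elif t == "uint256":
            args.append(int.from_bytes(word, "big"))
        elif t == "bool":
            args.append(int.from_bytes(word, "big") != 0)
    return {"selector": selector, "function": sig, "args": args}


def check_against_intent(calldata_hex, intent):
    """Return reasons NOT to sign, given intent = {function, counterparty,
    max_amount}. An empty list means the calldata matches the intent."""
    try:
        decoded = decode_calldata(calldata_hex)
    except ValueError as exc:
        return [f"malformed calldata: {exc}"]
    fn = decoded["function"]
    if fn is None:
        return [f"unknown selector 0x{decoded['selector']}: refuse to sign blind"]
    if fn != intent["function"]:
        return [f"function mismatch: calldata calls {fn}, intent was {intent['function']}"]
    problems = []
    args = decoded["args"]
    actual_cp = args[COUNTERPARTY_ARG[fn]]
    if actual_cp.lower() != intent["counterparty"].lower():
        problems.append(f"counterparty mismatch: {actual_cp} != {intent['counterparty']}")
    if fn in AMOUNT_ARG:
        amount = args[AMOUNT_ARG[fn]]
        if amount == UINT256_MAX:
            problems.append("unlimited amount (2**256-1): a drain-all approval")
        if amount > intent["max_amount"]:
            problems.append(f"amount {amount} exceeds intended maximum {intent['max_amount']}")
    elif args[1]:  # setApprovalForAll(operator, true)
        problems.append("setApprovalForAll(true) hands the operator every token in the collection")
    return problems


# Constructed samples (hypothetical addresses): a legitimate 1000-token
# transfer, and an unlimited approve to a different address.
TREASURY_PARTNER = "0x" + "aa" * 20
SAMPLE_TRANSFER = ("0xa9059cbb" + "00" * 12 + "aa" * 20
                   + (10**21).to_bytes(32, "big").hex())
SAMPLE_APPROVE_UNLIMITED = "0x095ea7b3" + "00" * 12 + "bb" * 20 + "ff" * 32

if __name__ == "__main__":
    intent = {"function": "transfer(address,uint256)",
              "counterparty": TREASURY_PARTNER, "max_amount": 10**21}
    print(check_against_intent(SAMPLE_TRANSFER, intent))           # []
    intent["function"] = "approve(address,uint256)"
    print(check_against_intent(SAMPLE_APPROVE_UNLIMITED, intent))  # two problems
```

The check is deliberately static: dynamic ABI types (bytes, arrays) and unknown selectors are refused rather than guessed at, because the attacker's whole aim is to make an unfamiliar payload look routine. A multi-sig does not help if every signer skips this step.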
Recommendations
- Harden Off-Chain Infrastructure: Implement strict security controls for cloud services, admin dashboards, and APIs to mitigate external compromises. Many breaches originated from weak access control or misconfigured off-chain systems.
- Mandate Multi-Signature Controls for Key Operations: For fund withdrawals, contract upgrades, or oracle updates, require multi-sig approval to prevent single-point failures from phishing or credential theft.
- Adopt Continuous Smart Contract Monitoring: Post-deployment contract surveillance could have detected unusual transactions earlier in several incidents, reducing impact.
- Enforce Secure Development Practices in ZK and DeFi Projects: Formal verification and extensive test coverage should be non-negotiable for high-value protocols.
- Run Periodic Social Engineering Drills: Human operators remain a prime attack vector; simulated phishing campaigns can build stronger resistance.
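What "continuous smart contract monitoring" looks like in practice, for the hot-wallet drains described above, is a small rule engine replayed over the wallet's outgoing transfers. The block below is an added example written for this post, not Extropy's or any exchange's tooling; the transfers are constructed to mimic a few routine withdrawals followed by a drain, and the caps, window length and the list of previously seen destinations are hypothetical policy values. It flags three signals a BtcTurk-style incident would have produced: a single transfer above the per-transaction cap, cumulative outflow over a rolling window above a cap, and a large first-time transfer to an address the wallet has never paid before.

```python
# Added example: rule-based outflow monitor for a hot wallet. Not code from
# the original post; policy numbers and events are constructed.
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    ts: int      # block timestamp, unix seconds
    tx: str      # transaction id (hypothetical short labels below)
    to: str
    amount: int  # token base units (wei-style, 18 decimals)


@dataclass(frozen=True)
class Policy:
    per_tx_cap: int
    window_seconds: int
    window_cap: int
    new_destination_threshold: int


def detect(transfers, policy, known_destinations):
    """Replay transfers in time order and return (tx, kind, detail) alerts."""
    alerts = []
    seen = {d.lower() for d in known_destinations}
    window = deque()   # (ts, amount) pairs inside the rolling window
    total = 0
    breached = False   # emit the window alert once per breach, not per tx
    for t in sorted(transfers, key=lambda x: x.ts):
        if t.amount > policy.per_tx_cap:
            alerts.append((t.tx, "per_tx_cap",
                           f"{t.amount} exceeds per-tx cap {policy.per_tx_cap}"))
        dest = t.to.lower()
        if dest not in seen:
            if t.amount > policy.new_destination_threshold:
                alerts.append((t.tx, "new_destination",
                               f"first transfer to {t.to} is {t.amount}"))
            seen.add(dest)
        window.append((t.ts, t.amount))
        total += t.amount
        while window and window[0][0] < t.ts - policy.window_seconds:
            _, old = window.popleft()
            total -= old
        if total > policy.window_cap:
            if not breached:
                alerts.append((t.tx, "window_outflow",
                               f"{total} out in {policy.window_seconds}s exceeds {policy.window_cap}"))
            breached = True
        else:
            breached = False
    return alerts


E = 10**18
USER1, USER2, DRAIN = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "de" * 20
# Constructed history: two ordinary withdrawals, then four transfers in
# 90 seconds to an address the wallet has never paid.
SAMPLE_TRANSFERS = [
    Transfer(1000, "tx1", USER1, 5 * E),
    Transfer(1300, "tx2", USER2, 8 * E),
    Transfer(2000, "tx3", DRAIN, 45 * E),
    Transfer(2030, "tx4", DRAIN, 45 * E),
    Transfer(2060, "tx5", DRAIN, 45 * E),
    Transfer(2090, "tx6", DRAIN, 60 * E),
]
SAMPLE_POLICY = Policy(per_tx_cap=50 * E, window_seconds=600,
                       window_cap=100 * E, new_destination_threshold=10 * E)


def run_sample():
    return detect(SAMPLE_TRANSFERS, SAMPLE_POLICY, known_destinations={USER1, USER2})


if __name__ == "__main__":
    for tx, kind, detail in run_sample():
        print(tx, kind, detail)
```

In production the same rules would be fed from an event stream (Transfer logs filtered on the hot wallet as sender) and the window alert would page an on-call engineer and pause withdrawals; the value of the example is that the drain is visible at tx3 and certain by tx5, before the per-transaction cap is ever exceeded.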
Conclusion
This overview of recent security incidents highlights the continuous evolution of threats in the Web3 space. From external compromises and social engineering tactics to vulnerabilities in smart contract deployments and broader cybersecurity concerns, staying informed and adopting a proactive security posture remains crucial for all participants. As the ecosystem matures, the collective commitment to robust security measures will be key to fostering greater trust and enabling sustained innovation.
Since 2017, Extropy has been at the forefront of blockchain security, auditing smart contracts across Ethereum and Zero-Knowledge (ZK) protocols. We have collaborated with leading ecosystems, including Base, Starknet, and MINA, ensuring their smart contracts are resilient, efficient, and secure.
We specialize in DeFi, on-chain games, and ZK applications, leveraging formal verification, static analysis, and deep manual reviews to uncover vulnerabilities before they become exploits. Whether you’re working with Solidity, Rust, Cairo, or zkVMs, our collaborative approach ensures your project meets the highest security standards.
- Website: security.extropy.io
- Email: info@extropy.io
Get in touch today — let’s build safer smart contracts together!
