EthSecurity
5 251 subscribers
HongCoin was a 2016 ICO project. It didn’t reach its funding goal, but the contract held all the investors' ETH and was supposed to auto-refund them.
A bug in the refund function quietly broke that, and the funds got stuck.
The way out was an admin function with an integer overflow vulnerability; calling it with a specific input resets a holder's balance and unblocks the refund check.
tested it end-to-end and shared the path with the team that successfully executed the 41 unlock transactions earlier this week.
HongCoin: https://etherscan.io/address/0x9fa8fa61a10ff892e4ebceb7f4e0fc684c2ce0a9#code
@EthSecurity
BullX is officially dead.
They just announced on Discord that the app will go on "Pause" starting June 1st.
(We all know what that means)
If you’re still one of the last 0.2% still using BullX, withdraw everything immediately.
This project ran aggressive airdrop campaigns, farmed massive volume, and generated over $200 million in lifetime fees, only to deliver absolutely nothing in return.
An absolute robbery.
@EthSecurity1
Breaking: 31 npm packages from @RedHat have been compromised.
100,000+ weekly downloads affected. The upstream CI/CD pipeline was compromised, with all packages published via GitHub Actions OIDC.
The payload:
⚠️ Reads GitHub Actions runner process memory to extract masked secrets
⚠️ Sweeps credentials across AWS, GCP, Azure, K8s, Vault, and npm
⚠️ Self-propagating worm that republishes backdoored packages using stolen npm tokens, bypassing 2FA
⚠️ Persists on dev machines via Claude Code settings hijack and VS Code task injection
⚠️ Exfiltrates data through GitHub API commits, blending in with normal git operations
@EthSecurity1
Fluid lost 125k FLUID and 51.9k GHO due to a key compromise.
A wallet was able to claim rewards from multiple Fluid Merkle distributors using empty-proof Merkle claims, then swap funds and route ETH into Tornado Cash.
Exploiter: https://debank.com/profile/0x4925120CbE5A78Bf08F26f6E8cdF820f4c1D3dfB/…
@EthSecurity1
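An added example, not part of the original post and not Fluid's code: why a Merkle claim with an empty proof can pass verification, and how a distributor or monitor can refuse or flag it. It assumes the common sorted-pair proof scheme and uses SHA3-256 as a stand-in for keccak256; all names, the leaf encoding and the sample data are constructed.

```python
import hashlib

def h(data):
    # Stand-in hash (assumption): SHA3-256 from the standard library; on-chain
    # distributors use keccak256, but the proof logic is identical.
    return hashlib.sha3_256(data).digest()

def hash_pair(a, b):
    # Sorted-pair hashing, the usual convention for on-chain Merkle proofs.
    return h(a + b) if a <= b else h(b + a)

def leaf_for(account, amount):
    # Constructed leaf encoding: account label followed by a 32-byte amount.
    return h(account.encode() + amount.to_bytes(32, "big"))

def verify(root, leaf, proof):
    # Fold the siblings into the leaf; with an empty proof the loop never
    # runs, so the check collapses to "leaf == root".
    node = leaf
    for sibling in proof:
        node = hash_pair(node, sibling)
    return node == root

def verify_strict(root, leaf, proof, min_depth=1):
    # Hardened variant: refuse proofs shorter than the tree's known depth.
    return len(proof) >= min_depth and verify(root, leaf, proof)

def flag_empty_proof_claims(claims):
    # Monitoring rule: an empty proof that still verifies means the published
    # root is itself a single leaf, so the root (or its signer) is suspect.
    return [c["account"] for c in claims
            if not c["proof"]
            and verify(c["root"], leaf_for(c["account"], c["amount"]), c["proof"])]

# Constructed sample data (not taken from the incident).
ALICE, BOB = leaf_for("acct-alice", 100), leaf_for("acct-bob", 250)
HONEST_ROOT = hash_pair(ALICE, BOB)
SINGLE_LEAF_ROOT = leaf_for("acct-unknown", 10**6)  # root set to one leaf
CLAIMS = [
    {"account": "acct-alice", "amount": 100, "proof": [BOB], "root": HONEST_ROOT},
    {"account": "acct-unknown", "amount": 10**6, "proof": [], "root": SINGLE_LEAF_ROOT},
]

if __name__ == "__main__":
    print(flag_empty_proof_claims(CLAIMS))
```

The same rule works at root-update time: a new root that matches the leaf hash of any single (account, amount) pair is worth an alert before the first claim arrives.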
- Why Maintaining Privacy on Chain Matters in Bug Bounty Hunting - link
- Attackers using EIP-7702 smart wallets to obfuscate exploits from block explorers - link
- DePIN Security Best Practices - link
@EthSecurity1
- US woman helping DPRK infiltration nets 8.5 years in prison. - link
- Zombie dApps: Abandoned Web3 Sites Revived as Wallet Drainers - link
- Stop using Google search for crypto sites unless you enjoy playing Russian roulette with your wallet - link
@EthSecurity1
There is an ongoing incident involving Gravity Bridge on Ethereum.
Over ~$5.4M affected so far.
Root cause: Suspected bridge contract key may have been compromised; the attacker submitted fraudulent batch withdrawals with valid signatures.
Vulnerable contract: https://etherscan.io/address/0xa4108aa1ec4967f8b52220a4f7e94a8201f2d906
@EthSecurity1
Repost from N/a
Bitcoin Depot breach exposes data of nearly 27,000 crypto users - link
Following the Frozen: An On-Chain Analysis of USDT Blacklisting and Its Links to Terrorist Financing - link
@web3privacyy
Sui Mainnet Halt of May 28, 2026: An Address Balance Gas Underflow Post-Mortem
https://exvul.com/blog/sui-mainnet-halt-may-2026-gas-underflow
@EthSecurity1
- Solodit Checklist Explained (9): Replay Attack - link
- Deep Mental Models for Solidity ABI Encoding: Part 0 and Part 1
@EthSecurity1
DxSale legacy liquidity lockers on BNB Chain suffered a loss of ~$7.3M+.
• Affected legacy locker:
0xeb3a9c56d963b971d320f889be2fb8b59853e449
• Exploiter / final handoff wallet:
0xC4574DDEF299e7E563971e200433e592EeaaFA69
• Drainer / EIP-7702 delegate:
0xc2efbd94aedff1555b97ddcb216646dfc01e4718
• Attack txs:
bscscan.com/tx/0x16a932b7e…
bscscan.com/tx/0x23e331a81…
@EthSecurity1
A few hours ago, at least 297 wallets were drained across EVM chains. The funds were consolidated at the following address: 0x43D49AeF7aAf0Dcf015b20057C5364E092D66615 and were later distributed via @FixedFloat. Nearly $500k was stolen. I suspect a massive private key leak associated with a wallet provider.
https://intel.arkm.com/visualizer/entity/0x43D49AeF7aAf0Dcf015b20057C5364E092D66615?flow=all&positions=%7B%7D&sortDir=desc&sortKey=time&usdGte=0.1
@EthSecurity1
HOW DO YOU HACK THE PENTAGON AND GET CAUGHT BY A $250 TRANSACTION.
– Kai West was 25, British, and running the dark web's biggest stolen data marketplace under the name IntelBroker
– His victim list reads like a who's who. Apple. AMD. Cisco. Nokia. General Electric. Europol. The US Pentagon.
– And a database containing the personal information of every member of the US Congress.
– He sold everything in Monero only. Untraceable by design. For 2 years nobody could touch him.
– Then in January 2023 an FBI agent reached out to buy $250 worth of stolen data and talked him into accepting Bitcoin just this once
– That $250 went into a wallet tied to his real Coinbase account. Registered with his actual UK driver's license. His real name and his real face.
– The FBI spent the next 2 years quietly building the case. Matching his YouTube watch history to posts on his hacker forum. Piecing everything together.
– He even had a fake LinkedIn saying he worked at the UK equivalent of the FBI. They publicly said they had never heard of him.
– In January 2025 he stepped down from running the forum. Said he was "too busy."
– He was arrested in France 3 weeks later.
– $25 million in damage. 40+ companies. 2 years of running the biggest stolen data operation on the dark web.
Brought down by $250 and one moment of trusting the wrong coin.
The most untraceable hacker on the internet forgot that Coinbase needs your ID.
@EthSecurity1
StakeDAO deployer appears compromised on Arbitrum.
The attacker first executed an unauthorized LZ setPeer, then minted 5,446,744,073,709 vsdCRV and is now swapping to ETH via MetaMask Router.
Attacker: arbiscan.io/address/0xef3c…
Mint tx: arbiscan.io/tx/0x7489ec5f5…
LZ setPeer tx: arbiscan.io/tx/0xf97ddff0d…
@EthSecurity1
#SKP / SKP-USDT on #BNB Chain was exploited for ~$212,195 after SKP's transfer-side market hook called sync() on the Pancake pair mid-swap and let the attacker drain nearly all pool USDT.
Root cause: SKP's _transfer(address,address,uint256) could enter _runSpecialPairFlow(...), which conditionally called IPairLike(PANCAKE_PAIR).sync() during the token transfer path. That reserve refresh locked the pair at 205,184,395.144168 USDT versus 0.000000004 SKP immediately before the router's follow-up swap.
Attacker EOA: 0x83b9e7edc5b3127e4853a4f4945b92aa88eef0c8
funded executor: 0xe924853dcdfcb89292335042ab10d68c7315d7c1 with SKP and entered the callback-driven attack path.
@EthSecurity1
How to Run a War Room: A Playbook for Crypto Protocols - link
Cosmos Security: An Otter's Guide - link
Under the Hood of Solana Program Execution From Rust Code to SBF Bytecode - link
@EthSecurity1
Ekubo Hacked for 17 WBTC
Target: 0xe0e0e08a6a4b9dc7bd67bcb7aade5cf48157d444
TX: https://etherscan.io/tx/0x770bc9a1f7c32cb63a5002b9ceb5c7994cd3af0fc6b2309cb32d3c46f629daa0
Root cause: Ekubo Core lock/pay accounting was abused through repeated withdraw-then-pay callbacks. The attacker withdrew 0.2 WBTC per iteration
@EthSecurity1
TrustedVolumes hacked for ~$5.87M.
Root cause: A distinct vulnerability was exploited in a TrustedVolumes-controlled custom RFQ swap proxy, 0xeEeEEe53033F7227d488ae83a27Bc9A9D5051756. Public attribution indicates this is a different vulnerability from the March-2025 1inch Fusion V1 incident.
@EthSecurity1
Wasabi wallet $5M,
KelpDAO $280M,
Polkadot bridge exploited and dumped 1 $B $DOT
and so on
@EthSecurity1
