Last updated: July 5, 2026 at 9:01 AM UTC
Tag: defi (3 articles)

Attacker drains Ethereum MEV bot JaredFromSubway using fake-token honeypot

An attacker drained the well-known Ethereum trading bot JaredFromSubway by patiently baiting it into a trap rather than exploiting a software bug. Over several weeks, the attacker deployed 66 fake token contracts and sham liquidity pools mimicking WETH, USDC, and USDT, structured so the bot's automated logic treated them as profitable opportunities and granted token-spending approvals to attacker-controlled contracts. Later trades left those approvals active, and a single transaction then swept the bot's real funds. Security firms estimate the loss near $7.5 million, while the operator claims around $15 million. It is a reminder that standing token approvals in automated systems are dangerous even when the underlying contracts are sound.

Check
If you run automated trading or other systems that grant token or spending permissions, review where standing approvals exist, whether they are scoped, and whether they are revoked after each use.
Affected
Operators of automated on-chain trading bots and similar systems that grant token-spending approvals based on automated logic; attackers can manipulate that logic with fake but convincing opportunities to win lasting permissions.
Fix
Scope and time-limit token approvals, revoke them immediately after use, validate counterparties beyond surface-level profitability signals, and monitor for unusual approval grants so automated systems cannot be tricked into arming attackers.
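One way to carry out the review the Check and Fix items describe, as an added example that is not code from the original article or from the bot's operator: it replays decoded ERC-20 Approval event logs (a constructed sample), reports which standing and unlimited allowances a wallet still has outstanding, and ABI-encodes the `approve(spender, 0)` call that revokes one. Addresses and the spender allowlist are hypothetical.

```python
"""Audit standing ERC-20 approvals granted by a bot wallet (added example, not the
article's or any bot operator's code; addresses and allowlist are hypothetical)."""
from collections import namedtuple
MAX_UINT256 = 2**256 - 1
APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")
# One decoded Approval(owner, spender, value) log; block orders the events.
Approval = namedtuple("Approval", "block token owner spender value")
# Constructed sample addresses, not real contracts.
BOT = "0x" + "b0" * 20
WETH, USDC, USDT = "0x" + "01" * 20, "0x" + "02" * 20, "0x" + "03" * 20
KNOWN_ROUTER = "0x" + "aa" * 20
FAKE_ROUTER = "0x" + "bb" * 20  # attacker-controlled contract posing as a pool
ALLOWLIST = {KNOWN_ROUTER}

SAMPLE_EVENTS = [
    Approval(100, WETH, BOT, FAKE_ROUTER, MAX_UINT256),   # bait trade left this standing
    Approval(101, USDC, BOT, KNOWN_ROUTER, 1_000_000_000),
    Approval(102, USDC, BOT, KNOWN_ROUTER, 0),            # revoked after use: fine
    Approval(103, USDT, BOT, KNOWN_ROUTER, MAX_UINT256),  # unlimited, even to a known spender
]

def current_allowances(events, owner):
    """Latest Approval per (token, spender) bounds what that spender can still
    pull with transferFrom; returns only the non-zero ones."""
    latest = {}
    for ev in sorted(events, key=lambda e: e.block):
        if ev.owner.lower() == owner.lower():
            latest[(ev.token.lower(), ev.spender.lower())] = ev.value
    return {k: v for k, v in latest.items() if v > 0}

def audit(events, owner, allowlist):
    """Flag standing approvals to unknown spenders and unlimited approvals."""
    allow = {a.lower() for a in allowlist}
    findings = []
    for (token, spender), value in current_allowances(events, owner).items():
        if spender not in allow:
            findings.append((token, spender, "non-allowlisted spender"))
        elif value == MAX_UINT256:
            findings.append((token, spender, "unlimited approval"))
    return findings

def revoke_calldata(spender):
    """ABI-encode approve(spender, 0): the transaction that revokes an allowance."""
    addr = spender.lower().removeprefix("0x").rjust(64, "0")
    return "0x" + APPROVE_SELECTOR + addr + "0" * 64

if __name__ == "__main__":
    for token, spender, why in audit(SAMPLE_EVENTS, BOT, ALLOWLIST):
        print(f"{why}: {token} -> {spender}; revoke via {revoke_calldata(spender)}")
```

In production the events come from the node's `eth_getLogs` for the Approval topic filtered on the bot's address as owner; the same audit should run on a schedule so a bait trade cannot leave an approval standing for weeks unnoticed.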

Lazarus RemotePE memory-only RAT targets DeFi and crypto firms - DPAPILoader + RemotePELoader chain, Hell's Gate, ETW patching

NCC Group's Fox-IT has documented RemotePE, a previously private cross-platform RAT used by the North Korea-linked Lazarus Group against DeFi, financial, and cryptocurrency organizations. The chain starts with social engineering on Telegram (impersonating a trading-firm employee with fake Calendly and Picktime meeting links), then drops DPAPILoader (Iassvc.dll) which uses Windows DPAPI to decrypt RemotePELoader. That loader fetches RemotePE entirely in memory from aes-secure[.]net, evading EDR via Hell's Gate and ETW patching. RemotePE itself is a C++ RAT supporting six command categories. Fox-IT believes the toolset is reserved for high-value, long-dwell access leading to large-scale financial theft. Activity dates from mid-2023.

Check
Hunt for Iassvc.dll on Windows endpoints (especially DeFi-adjacent developer machines). Search EDR for outbound traffic to aes-secure[.]net. Review Telegram and Calendly social-engineering reports from your finance and crypto teams.
Affected
Financial-services, DeFi, and crypto firms - Lazarus' primary targets. Initial access via Telegram impersonation of trading-firm employees and fake Calendly / Picktime meeting links.
Fix
Block aes-secure[.]net at egress. Train finance and developer teams against Telegram-initiated meeting requests with crypto/trading themes. Deploy EDR rules detecting Hell's Gate syscall patterns and ETW patching.

THORChain drained for ~$10.8M in coordinated multi-chain exploit across BTC, ETH, BNB Chain, and Base

On-chain investigator ZachXBT flagged a coordinated exploit against THORChain's cross-chain liquidity pools on May 15, 2026, with PeckShield confirming losses of approximately $10.8 million across four blockchains - around 36.85 BTC plus $7 million in assets from Ethereum, BNB Chain, and Base. The attacker funneled funds into two main addresses (BTC bc1ql4u94klk265lnfur2ujk9p6uh52f2a8jhf6f37 and ETH 0xd477b69551f49C0519F9B18c55030676138890Bd). THORChain responded with a global emergency halt of trading and signing - a controversial move given the protocol's permissionless positioning. No official post-mortem has been released. The RUNE token dropped 12-14% on the news; the same protocol was previously used by North Korean operators to launder $175 million.

Check
If your organization custodies or trades THORChain liquidity, RUNE, or assets bridged through THORChain in the May 14-15 window, reconcile on-chain balances against the two known exploiter addresses and check for any user funds in affected pools.
Affected
THORChain liquidity providers, aggregators routing through THORChain, custodians holding RUNE, and wallets that bridged BTC, ETH, BNB Chain, or Base assets through the protocol on May 14-15. DeFi exposure is highest for cross-chain aggregator front-ends.
Fix
Block transfers to the two attacker-controlled addresses (BTC bc1ql4u94klk265lnfur2ujk9p6uh52f2a8jhf6f37 and ETH 0xd477b69551f49C0519F9B18c55030676138890Bd), monitor RUNE deposits to centralized exchanges for laundering attempts, and pause front-end integrations with THORChain until a post-mortem and patched release are published.