Recently, we’ve shipped a small but solid update to the Crypto Asset Tracing Handbook! 📘✨
📖Updated version on GitHub:
https://t.co/yizPo1auUU
🚀These additions expand the handbook’s coverage of cross-chain and laundering patterns — topics that many readers have been asking for:
1️⃣More bridge explorer links🔗:
• Squid
• Orbiter
• TeleSwap
2️⃣Two new case studies🔍:
• BTC Laundering Loops via Hyperunit
• Cross-Chain Source Analysis via Stargate Finance
If you’ve already read the handbook, this update makes it even more actionable. If you haven’t yet — now’s a great time to dive in.
🛡️We’ll keep refining the handbook over time to make on-chain tracing knowledge accessible to everyone in the crypto ecosystem.
🚨SlowMist TI Alert🚨
💸 @Ostium Loss: ~11,862,445 USDC
🔍 Root Cause: An authorized oracle signer was used to submit malicious price reports through a registered forwarder. The attacker provided validly signed but manipulated oracle data, which was accepted by the oracle verification mechanism. By repeatedly opening and closing trades with artificially favorable prices, the attacker generated artificial profits and drained funds from the OstiumVault.
📌 Attacker Address: 0xd1794196f0fc99c7f27970e661597d77d9a85869
📌 Victim Address: 0x20d419a8e12c45f88fda7c5760bb6923cee27f98 (vault)
📌 Vulnerable Contract: 0x0aebc4094b60ea4e21e937e80dafdd58c07c5ebb (OstiumPrivatePriceUpKeep impl) & 0xd456939e54f68ef9b0be62abb2ec4a37397cb814 (OstiumVerifier)
Impact: The attacker exploited compromised oracle privileges to submit manipulated price reports and execute repeated profitable trades, draining ~11.86M USDC from the vault.
Powered by https://t.co/Mz5jOnx997
Tx: https://t.co/aaJhZye5b1
✍️ Technical Analysis Published: Telegram Account Compromised, Wallet Swapped: How Does macOS Malware Break Through Your Defenses?
Our latest investigation reconstructs how a single malware sample chains together Telegram session theft, wallet database exfiltration, offline decryption and fake wallet applications into a complete account takeover workflow.
Our analysis shows:
1️⃣Stolen Telegram Desktop and Telegram for macOS session files can be restored on another Mac without re-entering a phone number, verification code or 2FA password
2️⃣For Telegram for macOS, even after server-side security mechanisms respond, cached chat history may remain accessible instead of being cleared by a forced logout
3️⃣Wallet databases can be paired with passwords collected from Keychain, browsers and Apple Notes for offline decryption, without interacting with the victim's device
4️⃣Fake Ledger and Trezor desktop apps are actually WKWebView-based loaders that replace trusted wallet interfaces with attacker-controlled phishing pages
The malware doesn't rely on a single technique—it combines authenticated sessions, encrypted wallet data and credential material into one attack chain.
💡 Defense tip: Protect your local Telegram session by enabling a Telegram Passcode and using a strong, unique password.
Full analysis and practical mitigation guidance👇
https://t.co/TCLrelsGd3
🚨SlowMist TI Alert🚨
💸 @dripsnetwork Loss: 24,882.99 DAI
🔍 Root Cause: Integer type conversion flaw in `DaiDripsHub`'s `give(address,uint128)` function. The function converts `uint128 amt` to `int128` without validating `amt <= type(int128).max`. Attackers pass `2^128 - reserveBalance` (exceeding int128 max), causing `int128(amt)` to become a negative value. `-int128(amt)` then becomes positive, flipping the transfer direction from "user pays" to "reserve withdraws to user," draining DAI.
📌 Attacker: 0x84da7a5e2315eb798f04b75554aeb15047269cce
📌 Victim Contract (DaiReserve): 0xf9bbb2df44cfe46e501cf91c99b2f8fef9d9d44a
📌 Vulnerable Contract (Hub Proxy): 0x73043143e0a6418cc45d82d4505b096b802fd365
📌 Attack Contract: 0x00c64b5a926ba1fcec30efad88c344c619f54f12
Summary: Missing input validation allows a crafted `give()` call to reverse fund flow, draining the reserve.
Powered by https://t.co/Mz5jOnx997
Tx:
https://t.co/Ea31eupMUX
https://t.co/uJEuuVr6PP
🚨SlowMist TI Alert🚨
💸 @Lumi_Finance Loss: ~ $264k
🔍 Root Cause: A vulnerability in Lumi smart accounts allowed token approvals to be performed as a side effect during UserOperation validation. Due to improper validation logic, an attacker-controlled paymaster could trigger approval operations during the validation phase and obtain ERC20 allowances from multiple smart accounts without explicit user intent.
📌 Attacker: 0xce1a3bb0b98d0d90c7dd0620ab86c9a771888d88
📌 Victim: Multiple Lumi smart accounts affected by unintended token approvals during UserOp validation
📌 Malicious contract: 0x56362412ae17cac443aafbab4289946ad958e8a1
The attacker abused a flaw in Lumi smart account UserOperation validation logic to obtain token allowances from multiple wallets through validation-time side effects. The attacker then used the malicious sweeping contract to batch drain approved ERC20 tokens, swapped the stolen assets into ETH, and transferred the proceeds to the attacker-controlled address.
Powered by #SlowMist.AI
Tx:
https://t.co/hTWqj4KerO
https://t.co/0ZOGhMtWIq
Every stolen asset leaves an on-chain trail—but reconstructing that trail across multiple wallets, blockchains, bridges, and mixers isn't easy.
That's why we built TrackAgent — an AI-powered On-Chain Intelligence Agent purpose-built to trace stolen crypto assets. It is now integrated into our Free Stolen Asset Assessment Service.🚀
Instead of simply retrieving blockchain data, TrackAgent continuously traces stolen funds, reconstructs complex fund flows, correlates attacker addresses, and combines on-chain intelligence with security threat intelligence to support real-world investigations.
🔍 Key capabilities:
🌐 Supports 31 blockchains
🌉 Cross-chain & laundering path analysis
🔗 Multi-address correlation
🛡️ Threat intelligence-powered investigation
📊 Over 12,000+ stolen asset cases have been submitted to SlowMist over the past four years. By bringing AI into our investigation workflow, we're making preliminary analysis faster while enabling our analysts to focus on the cases that need deeper investigation.
🤝 We're excited to bring AI-powered on-chain investigation to more victims and the broader Web3 community.
❓Need help after a crypto theft?
Submit your case through our Free Stolen Asset Assessment Service to receive a TrackAgent-powered on-chain assessment and support from the SlowMist security team.
👉 https://t.co/8RC3kEZv3J
📖 Read more:https://t.co/zJtz0Ygj76
5/ 🔐 2026 Mid-year Blockchain Security & AML – Key Takeaways
In H1 2026, blockchain security & AML saw three major trends:
1️⃣ Attacks shifted from code vulnerabilities to trust exploitation
2️⃣ Threats became more intelligent and persistent
3️⃣ Security evolved from incident response toward proactive risk governance
The ecosystem faced growing risks across developer supply chains, endpoint devices, browser extensions, and AI Agents. Attackers increasingly leveraged social engineering, supply chain poisoning, AI-driven techniques, and sophisticated laundering strategies, while regulators continued strengthening AML, stablecoin, and VASP frameworks.
The future of Web3 security depends not only on innovation, but also on stronger threat intelligence, risk identification, compliance frameworks, and proactive defense capabilities.
SlowMist continues to advance AI-driven security and compliance solutions:
✅ Pre-incident: Security audits, training, and risk prevention
✅ During incidents: Threat intelligence, monitoring, and real-time detection
✅ Post-incident: On-chain tracing, forensics, and emergency response
Through AI-powered capabilities including SlowMist Agent Security Skill, @MistTrack_io Skills, and MistEye Security Gate, SlowMist helps developers and enterprises strengthen AI Agent security, detect emerging risks such as prompt injection and supply chain poisoning, and build more resilient blockchain ecosystems.
📄 Full report:
https://t.co/3uApOBHS47
🚨 SlowMist presents the 2026 Mid-year Blockchain Security & AML Report!
1/ In H1 2026, blockchain security entered a new phase. AI-driven scams, supply chain attacks, and cross-chain infrastructure exploits expanded the attack surface beyond smart contracts, while global regulation around stablecoins, #AML, and VASPs continued to mature.
📊 Stats:
🔺 182 security incidents, ~$956M in losses (vs. 121 incidents / ~$2.373B in H1 2025)
🔹 By ecosystem: #Ethereum $134M > #BSC $36.35M > #Arbitrum $4.93M
🔹 By project type: #DeFi 116 incidents / ~$490M > Cross-chain bridges 20 incidents / ~$346M (Kelp DAO: ~$292M single loss)
🔹 By attack vector: 85 contract & logic vulnerabilities > 17 private key/credential compromises > 12 supply chain attacks
⚠️Note: Data is calculated using token prices at the time of each incident. Due to price fluctuations, undisclosed incidents, and the exclusion of individual user losses, actual losses are likely higher.
Full report 👇
https://t.co/3uApOBHS47
4/ 🕵️♂️ Cybercrime Organizations & Privacy Trends in H1 2026
🔺 Lazarus Group: Continued to dominate crypto-related cybercrime activities, adopting increasingly sophisticated laundering strategies combining privacy protocols, cross-chain bridges, DeFi, BTC UTXO fragmentation, mixers, and OTC networks. Supply chain attacks and social engineering remained key attack methods.
🔺 Drainer-as-a-Service (DaaS): Wallet theft operations became more industrialized. Emerging services such as Lucifer Drainer, Rublevka Team, and StepDrainer provided automated phishing infrastructure, affiliate models, multi-chain support, and AI-themed lures, lowering barriers for attackers.
🔺 Privacy Protocols: Major privacy protocols recorded nearly $974M in cumulative inflows in H1 2026. Tornado Cash remained dominant (~$691M), while Railgun, Hinkal, and Privacy Pools explored broader privacy use cases, including DeFi interactions, asset management, and compliance-oriented privacy.
📊 Cybercrime operations are becoming more specialized, while privacy technologies continue to evolve. The future of blockchain security will require stronger tracing capabilities, behavioral analysis, and a balanced approach between privacy protection and regulatory compliance.
4/
These three Security Skills mark an important milestone in SlowMist’s AI Agent security suite.
Deeply integrated with OKX Onchain OS, they make it easy for developers to embed security into AI Agent workflows.
Huge thanks to @OKX for the support 🙌
Try all three Skills now on
https://t.co/y1htEXoSt7 , and join us in building a safer, more trustworthy on-chain AI ecosystem.
🚀 SlowMist has officially launched three security Agent Skills on @OKX AI !
🔹 SlowMist Agent Security Skill — Comprehensive protection for Agent interactions and execution
🔹 MistTrack Skill — On-chain address risk analysis and AML tracing
🔹 MistEye Skill — AI Agent security detection and dependency risk identification
All Skills can be accessed through the OKX Onchain OS standardized interface, enabling on-chain automated settlement with near-instant execution.
Ready to try them? 🧵👇
We're closely monitoring the Ill Bloom wallet weak randomness risk alert from @coinspect .
Please check whether any of your historical wallet addresses are affected👉 https://t.co/cTRltZCfyB
Thanks to @coinspect for the responsible disclosure. Stay safe!
Today we are publishing the first Ill Bloom findings: affected-address checker + on-chain analysis to help users identify exposed addresses and protect their assets.
🔗 https://t.co/NLod0LR3cd
⚠️ We will never ask for seed phrases, private keys, signatures, or approvals, or ask users to send funds to "recover" or protect a wallet.
Our founder @evilcos will share practical insights on AI and Web3 security during Keynote 2. We look forward to seeing everyone interested in AI + Web3 at the forum! 👋