First major hack of 2026, as @Truebitprotocol was drained for $26.2 million through an overflow in unverified bytecode.
The same attacker hit Sparkle weeks prior. Old code keeps bleeding - the archives have clearly become a shopping list.
https://t.co/KD7zoVv7kL
1/ @Truebitprotocol appears to have been exploited for roughly $26M. As of now, the team hasn’t posted an incident update on their official socials, but we have seen large outflows from protocol-linked contracts plus on-chain communications consistent with a compromise.
Exploiter: 0x6c8ec8f14be7c01672d31cfa5f2cefeab2562b50
@Truebitprotocol 3/ The activity also suggests the attack was initiated/planned back in November, when the suspected exploiter was funded via https://t.co/cwHBV7pFyA (likely as part of the setup phase).
We are actively monitoring the situation and, so far, have identified dozens of theft-related addresses.
The tracer below maps EVM outflows from victim wallets, already totaling hundreds of transactions. Thanks to @zachxbt for early alerts.
We’ve also observed onward movement into centralized exchanges. For example, 0x463452c356322d463b84891ebda33daed274cb40 has made deposits to multiple CEX deposit addresses like ChangeNow, HTX, KuCoin.
Please refer to the images below. If you believe you’ve been affected, we can help with tracing, attribution, and preparing evidence for exchange escalation.
1/ Stablecoin Monitor just got a major upgrade: we now track not only dozens of stablecoins, but also the entities behind them: issuers, owners, bridges, protocols, DAOs, and more.
Visit: https://t.co/j5kZtdqSDm
A victim, attributed to the ENS name markpascall.eth, lost approximately $1.05M in assets in a suspected private key compromise.
The incident came to light after @zachxbt flagged the activity. The stolen funds were consolidated and swapped for ~330 ETH, which was then funneled into Tornado Cash.
Exploiter address: 0x4f8affe6cd269d1f8352d0542432de6975c3912d
2/ In mid-September, the exploiter front-ran the contract's initialization, inserting a malicious proxy to seize Admin privileges. The backdoor remained dormant and undetected for 78 days.
Using the Blockscope AI Investigator, we analyzed the root cause transaction to visualize exactly how the injection occurred.
1/ Just yesterday we were discussing CPIMP attacks, and now we have a live example: @USPD_io has been exploited for ~$1M via a malicious backdoor proxy planted over 2 months ago.
All the drained funds were swapped to ETH. The exploiter currently holds ~$1.05M at this address: 0x083379bdac3e138cb0c7210e0282fbc466a3215a
This wasn't a flash loan attack but a sophisticated "sleeper" job.
2/ On further analysis of counterparties, we identified a distinct obfuscation flow from last year:
• Funds were received from Mixers & Exchanges.
• Assets moved through intermediaries performing repeated $ETH ⇄ $WETH swaps.
• Swapped funds were sent to fresh addresses before final exchange deposits.
This layering was clearly designed to mask origins and sever exposure links.
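The three-step layering flow above (funds from a mixer or exchange, repeated $ETH ⇄ $WETH conversions at an intermediary, then a fresh address before the exchange deposit) can be screened for mechanically. The following is an added example, not Blockscope's tracer: it runs over a constructed transfer ledger in which `0xweth`, `0xmixer`, `0xcex_deposit_1` and the other addresses are placeholders, and the thresholds are illustrative.

```python
"""Flag the layering pattern over a constructed transfer ledger.
Added example; addresses, labels and amounts are placeholders, and the
heuristics are illustrative rather than any vendor's tracer logic."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed placeholder labels (not real addresses)
WETH = "0xweth"                                      # stands in for the WETH contract
LAUNDERING_SOURCES = {"0xmixer", "0xexchange_hot"}   # mixers and exchange hot wallets
CEX_DEPOSITS = {"0xcex_deposit_1"}                   # known exchange deposit addresses

@dataclass(frozen=True)
class Transfer:
    block: int
    src: str
    dst: str
    asset: str      # "ETH" or "WETH"
    amount: float

@dataclass
class Trace:
    path: list          # seed -> ... -> exchange deposit address
    conversions: dict   # intermediary -> number of ETH<->WETH conversions observed
    fresh: set          # intermediaries first seen in the block they received the funds
    flagged: bool

def count_conversions(transfers):
    """Each wrap (ETH sent to WETH) or unwrap (ETH paid out by WETH) counts once."""
    counts = defaultdict(int)
    for t in transfers:
        if t.asset != "ETH":
            continue
        if t.dst == WETH:
            counts[t.src] += 1
        elif t.src == WETH:
            counts[t.dst] += 1
    return counts

def first_seen(transfers):
    seen = {}
    for t in sorted(transfers, key=lambda t: t.block):
        seen.setdefault(t.src, t.block)
        seen.setdefault(t.dst, t.block)
    return seen

def _find_hops(out, start, targets):
    """Depth-first walk over value transfers until a target address is reached."""
    stack = [(start, [])]
    while stack:
        node, hops = stack.pop()
        if node in targets:
            return hops
        visited = {start, *(h.dst for h in hops)}
        for t in reversed(out.get(node, [])):
            if t.dst not in visited:
                stack.append((t.dst, hops + [t]))
    return None

def trace_layering(transfers, seed, min_conversions=4):
    out = defaultdict(list)
    for t in sorted(transfers, key=lambda t: t.block):
        if WETH not in (t.src, t.dst):   # wrap/unwrap hops are not value movement between parties
            out[t.src].append(t)
    hops = _find_hops(out, seed, CEX_DEPOSITS)
    if hops is None:
        return Trace([seed], {}, set(), False)
    conv = count_conversions(transfers)
    seen = first_seen(transfers)
    path = [seed] + [h.dst for h in hops]
    intermediaries = [h for h in hops if h.dst not in CEX_DEPOSITS]
    fresh = {h.dst for h in intermediaries if seen[h.dst] == h.block}
    conversions = {h.dst: conv.get(h.dst, 0) for h in intermediaries}
    flagged = (seed in LAUNDERING_SOURCES
               and any(c >= min_conversions for c in conversions.values())
               and bool(fresh))
    return Trace(path, conversions, fresh, flagged)

SAMPLE_TRANSFERS = [  # constructed ledger: mixer -> 0xa (3 wrap/unwrap cycles) -> fresh 0xf -> CEX
    Transfer(1, "0xsomeone", "0xa", "ETH", 0.5),
    Transfer(10, "0xmixer", "0xa", "ETH", 100.0),
    Transfer(11, "0xa", WETH, "ETH", 100.0), Transfer(12, WETH, "0xa", "ETH", 100.0),
    Transfer(13, "0xa", WETH, "ETH", 100.0), Transfer(14, WETH, "0xa", "ETH", 100.0),
    Transfer(15, "0xa", WETH, "ETH", 100.0), Transfer(16, WETH, "0xa", "ETH", 100.0),
    Transfer(20, "0xa", "0xf", "ETH", 99.5),
    Transfer(21, "0xf", "0xcex_deposit_1", "ETH", 99.5),
]

if __name__ == "__main__":
    print(trace_layering(SAMPLE_TRANSFERS, "0xmixer"))
```

The flag requires all three signals together; an address that merely wraps and unwraps ETH, or a fresh address that happens to deposit to an exchange, is not enough on its own, which keeps the screen from firing on ordinary DeFi activity.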
1/ Earlier today, @zachxbt reported the likely arrest of threat actor Danish Zulfiqar ("Danny"), linked to the $243M Genesis theft and Kroll SIM swaps.
Blockscope analyzed the suspected seizure address: 0xb37d617716e46511E56FE07b885fBdD70119f768
Current holdings sit at ~$18.58M (primarily $ETH & $DAI), showing specific consolidation patterns consistent with law enforcement seizures.
Great catch on the incident. To be precise, this fits the pattern of a CPIMP or Proxy vulnerability rather than a flaw specific to x402. This risk exists for any agentic layer communicating with uninitialized contracts.
Have you confirmed any loss of funds? Our initial check shows admin roles were indeed swapped, but no funds have moved yet.
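Both the @USPD_io thread above (a malicious proxy inserted by front-running the initializer) and this reply (admin roles swapped on an uninitialized contract) describe the same exposure: a deployed proxy whose initializer is callable by whoever reaches it first. The screen below is an added example, not Blockscope's tooling; it works over a constructed, simplified transaction schema with placeholder addresses, and assumes the initializer is identified by the real selectors for `initialize()` and `initialize(address)`.

```python
"""Screen deployed proxies for initializers run by a third party after
deployment (the uninitialized-proxy / CPIMP pattern). Added example with a
constructed, simplified transaction schema; the addresses are placeholders."""
from dataclasses import dataclass
from typing import Iterable, Optional

# Real 4-byte selectors: keccak256("initialize()") and keccak256("initialize(address)")
INIT_SELECTORS = {"0x8129fc1c", "0xc4d66de8"}

@dataclass(frozen=True)
class Tx:
    hash: str
    block: int
    index: int                       # position within the block
    sender: str
    to: Optional[str] = None         # None for a contract-creation tx
    created: Optional[str] = None    # address created by a creation tx
    selector: Optional[str] = None   # first 4 bytes of calldata; on a creation tx, the selector
                                     # of the init data the proxy constructor forwards

@dataclass(frozen=True)
class Finding:
    contract: str
    deployer: str
    initializer: str
    blocks_exposed: int
    severity: str   # "high": someone else ran the initializer; "medium": deployer did, but in a later tx

def screen_initializations(txs: Iterable[Tx]) -> list[Finding]:
    """One Finding per tracked deployment whose first initializer call was not atomic with deployment."""
    deployments: dict[str, tuple[str, int]] = {}
    initialized: set[str] = set()
    findings: list[Finding] = []
    for tx in sorted(txs, key=lambda t: (t.block, t.index)):
        if tx.created is not None:
            contract = tx.created.lower()
            deployments[contract] = (tx.sender.lower(), tx.block)
            if tx.selector in INIT_SELECTORS:
                initialized.add(contract)   # initialized in the same tx: no window for a front-run
            continue
        if tx.to is None or tx.selector not in INIT_SELECTORS:
            continue
        contract = tx.to.lower()
        if contract not in deployments or contract in initialized:
            continue   # not a tracked deployment, or a repeat call the initializer guard rejects
        initialized.add(contract)
        deployer, deploy_block = deployments[contract]
        caller = tx.sender.lower()
        severity = "high" if caller != deployer else "medium"
        findings.append(Finding(contract, deployer, caller, tx.block - deploy_block, severity))
    return findings

def never_initialized(txs: Iterable[Tx]) -> set[str]:
    """Deployments with no initializer call seen at all: still open to the same hijack."""
    txs = list(txs)
    deployed = {t.created.lower() for t in txs if t.created is not None}
    done = {t.created.lower() for t in txs
            if t.created is not None and t.selector in INIT_SELECTORS}
    done |= {t.to.lower() for t in txs if t.to is not None and t.selector in INIT_SELECTORS}
    return deployed - done

SAMPLE_TXS = [  # constructed; the "0x..." strings are placeholders, not real addresses
    Tx("0xt1", 100, 0, "0xdeployer", created="0xproxya"),
    Tx("0xt2", 101, 3, "0xstranger", to="0xproxya", selector="0x8129fc1c"),      # third party initialized
    Tx("0xt3", 200, 0, "0xdeployer", created="0xproxyb"),
    Tx("0xt4", 205, 1, "0xdeployer", to="0xproxyb", selector="0xc4d66de8"),      # deployer, but 5 blocks late
    Tx("0xt5", 300, 0, "0xdeployer", created="0xproxyc", selector="0x8129fc1c"),  # atomic: safe
    Tx("0xt6", 400, 0, "0xdeployer", created="0xproxyd"),                          # never initialized
]

if __name__ == "__main__":
    for f in screen_initializations(SAMPLE_TXS):
        print(f)
    print("still uninitialized:", never_initialized(SAMPLE_TXS))
```

A "medium" finding is worth reviewing even when the deployer eventually initialized: the window between deployment and that call is exactly what the USPD attacker used, and a "high" finding on a contract that later went live is the dormant-backdoor case. The mitigation on the contract side is to pass the init data in the proxy's constructor so the two steps are one transaction.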
In a major win for blockchain forensics, @Europol, working with German and Swiss authorities, has successfully shut down Cryptomixer, a service responsible for laundering over €1.3 billion in Bitcoin since 2016. The operation led to the seizure of €25 million in cryptocurrency and the dismantling of critical infrastructure in Zurich.
For those in crypto compliance and investigation, the most significant outcome is the seizure of 12 terabytes of operational data, along with the domain https://t.co/r1KvNLE6tl. This "treasure trove" of logs likely contains years of transaction history and user patterns, previously thought to be untraceable. This data will be instrumental in unmasking historical illicit activity related to ransomware groups and darknet markets for years to come.
Read the official announcement here: https://t.co/5rd6mhTOzB
@yearnfi 2/ Tracer visualizes the entire complex transaction, consisting of the yETH mint, flash loans, multiple swaps, and Tornado Cash deposits, with the remaining funds moving to a new holding wallet.
@yearnfi was exploited a few hours ago, resulting in an estimated total loss of ~$9M. The root cause appears to stem from a vulnerability that allowed the exploiter to mint an excessive supply of yETH tokens.
Tx: 0x53fe7ef190c34d810c50fb66f0fc65a1ceedc10309cf4b4013d64042a0331156
Approximately 1K ETH ($3.11M) has already been washed via Tornado Cash, while the majority of the remaining traced funds (~$6.1M) are currently sitting in the exploiter's wallet: 0xa80D3F2022F6Bfd0B260bF16D72CaD025440C822
Notably, although the exploiter minted a massive amount of tokens, they were only able to successfully sell and launder a portion of the supply. We are actively investigating the case and will provide updates shortly.
Image 1: Minting yETH
Image 2: Tornado Cash Deposits
Image 3: Funds holding
@GANA_PayFi @zachxbt 3/ The remaining balance of roughly $1.049M was transferred to a separate address: 0xd10Ed57534Dc63f2ea9dC0cB0096086F3CC8fA4d, which eventually deposited the totality of the funds into Tornado Cash as well.
1/ Yesterday, @GANA_PayFi (Gana Payments) was exploited for approximately $3.147M on BSC. The exploiter drained the project liquidity across multiple transactions.
Credit to @zachxbt for the initial alert.
Primary Exploiter: 0x2e8A8670B734E260ceDBC6d5a05532264aae5C38
2/ Approximately two-thirds of the stolen funds (~$2.1M) were bridged to the Ethereum Mainnet using deBridge and Stargate, and subsequently deposited into Tornado Cash.
Involved Addresses:
• 0x7a503e3ab9433ebf13afb4f7f1793c25733b3cca
• 0x98fc13632ff112e4667fc4f21ae980571f122b5a