company logo

Product

Our Product

We are Reshaping the way Developers find and fix vulnerabilities before they get exploited.

Bulk IP/Domain Lookup

Threatspy

Solutions

By Industry

BFSI

Healthcare

Education

IT & Telecom

Government

By Role

CISO

Application Security Engineer

DevsecOps Engineer

IT Manager

Resources

Resource Library

Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.

Subscribe to Our Weekly Threat Digest

Company

Contact Us

Have queries, feedback or prospects? Get in touch and we shall be with you shortly.

loading..
loading..
loading..
Loading...

Clickbait

Infostealer

loading..
loading..
loading..

183 Million Gmail Passwords Exposed in Massive Leak

A massive leak of 183 million email credentials is causing panic online, but Google says your Gmail account wasn't hacked.

27-Oct-2025
4 min read

No content available.

Related Articles

loading..

DeFi

A technical breakdown of the $128M Balancer DeFi exploit, detailing the precisio...

**Balancer Protocol** suffered a **catastrophic security breach** resulting in approximately **$128 million** in losses across multiple blockchain networks. The exploit targeted Balancer's V2 Composable Stable Pools through a sophisticated manipulation of a **precision rounding vulnerability** in the protocol's swap calculation mechanisms. This incident represents one of the **largest DeFi exploits** of 2025 and has profound implications for decentralized finance security paradigms, particularly given that Balancer's V2 implementation had undergone **eleven security audits** prior to this attack. The breach triggered **systemic risk concerns** throughout the DeFi ecosystem, necessitating emergency network halts and hard forks on affected chains like Berachain to mitigate further damage and recover user funds. ## Background Overview Balancer operates as a **decentralized exchange (DEX)** and **automated market maker (AMM)** on the Ethereum blockchain, functioning as critical **liquidity infrastructure** within the DeFi ecosystem. Unlike traditional AMMs with fixed token ratios, Balancer introduced **flexible liquidity pools** allowing custom token compositions with customizable weights. The protocol's **composable vault architecture** enables complex interactions between interconnected pools, a design feature that would ultimately amplify the impact of this exploit. The platform is governed by the **BAL token**, which had a market capitalization of approximately **$65 million** immediately preceding the incident. At the time of the exploit, Balancer held approximately **$770 million in total value locked (TVL)** across its various pools and integrated protocols, representing one of the substantial liquidity sources in the DeFi landscape . ### Historical Security This November 2025 incident represents the **latest in a series of security breaches** affecting the Balancer protocol: - **June 2020**: Exploitation of deflationary token handling mechanisms resulted in **$500,000** in losses through a flash loan attack - **August 2023**: A critical vulnerability in "boosted pools" led to nearly **$1 million** in losses despite prior warnings - **September 2023**: DNS hijacking attack compromised the protocol's frontend, stealing approximately **$238,000** from users The 2025 exploit **dwarfs all previous incidents** combined, highlighting both the increasing value locked in DeFi protocols and the escalating sophistication of attack vectors targeting complex financial smart contracts . ## Root Cause Analysis The fundamental vulnerability exploited in this attack resided in Balancer's handling of **small-number precision** during swap operations. Specifically, the protocol's `_upscaleArray` function utilized **downward rounding (mulDown)** when scaling token balances for internal calculations. While this approach typically maintains mathematical consistency in standard operating conditions, it created a critical attack vector when processing transactions with specific boundary values . When token balances and input amounts fell within a precise numerical range (approximately **8-9 wei**), the rounding operation introduced **significant relative precision errors**. These microscopic discrepancies, while seemingly insignificant in isolation, could be systematically amplified to create substantial financial impacts through carefully engineered transaction sequences . ### Invariant Value Manipulation In Balancer's stable pool implementation, the **invariant value D** serves as the mathematical foundation determining pool equilibrium and **Balancer Pool Token (BPT)** pricing. The calculation of D depends directly on properly scaled balance arrays, making it exceptionally sensitive to precision inconsistencies . The attacker discovered that by inducing precision loss through specific swap patterns, they could artificially **suppress the computed D value**, consequently distorting the internal BPT price. This manipulated price no longer reflected the true underlying asset ratios, creating temporary but exploitable arbitrage opportunities within the same transaction batch . ### Access Control Considerations While precision rounding served as the primary attack vector, preliminary analyses from on-chain investigators also identified potential **authorization flaws** in Balancer's V2 vault implementation. Specifically, the `manageUserBalance` function may have contained insufficient access control checks, potentially allowing callers to bypass ownership verification when manipulating internal balances . This secondary vector potentially complemented the primary precision attack by enabling more sophisticated manipulation of pool states during the exploitation process, though the precise interaction between these vulnerabilities remains under investigation by security researchers . ## Attack Methodology ### Strategic Reconnaissance The attacker demonstrated methodical preparation and a deep understanding of Balancer's core mechanics. According to Coinbase's Conor Grogan, the exploit was initiated from an address funded with **100 ETH originating from Tornado Cash**, indicating deliberate operational security measures. This funding pattern suggests that the attacker potentially had prior experience with sophisticated exploits, possibly recycling funds from previous attacks. The attacker specifically targeted **Balancer V2 Composable Stable Pools** across multiple blockchain networks, suggesting a comprehensive reconnaissance effort to identify the precise vulnerability conditions and optimal exploitation parameters before executing the main attack sequence. ### Exploitation Sequence The attack unfolded through a meticulously orchestrated sequence of transactions designed to extract value while minimizing detection risk systematically: *Table: Attack Transaction Pattern* | **Transaction Phase** | **Function Called** | **Purpose** | **Vulnerability Exploited** | |-----------------|---------------------|-------------|-----------------------------| | Initialization | `batchSwap` | Entry point via Vault contract | Access control potential issues | | Balance Adjustment | `onSwap` | Modify pool balances to boundary conditions | Precision boundaries | | Precision Trigger | `_upscaleArray` | Induce rounding errors | Downward rounding at 8-9 wei | | BPT Manipulation | Internal D calculation | Artificially suppress BPT price | Invariant sensitivity | | Arbitrage Execution | Multiple swaps | Extract value from price discrepancies | Compounded precision loss | 1. **Boundary Conditioning**: The attacker first executed swaps to adjust pool balances to the precise numerical boundary (8-9 wei) where the rounding vulnerability became exploitable . 2. **Precision Loss Trigger**: Through specifically crafted small-amount swaps, the attacker triggered the precision rounding error in the `_upscaleArray` function, systematically introducing calculated discrepancies into the pool's balance accounting . 3. **Invariant Manipulation**: The precision errors propagated into the calculation of the invariant value D, causing artificial contraction that distorted BPT pricing mechanisms. The attacker repeatedly exploited this mechanism to compound the pricing discrepancy . 4. **Arbitrage Execution**: With BPT prices artificially suppressed, the attacker executed precisely sequenced swaps within the same batch transaction to extract value from the manipulated pools before the system could correct the price distortion . ### Funds Extraction The attacker employed sophisticated **cross-chain fund movement** to obfuscate the trail of stolen assets. Initial fund consolidation occurred through rapid transfers to newly created wallets controlled by the attacker, followed by systematic laundering through privacy tools like **Tornado Cash** and decentralized exchanges for asset conversion . The scale and sophistication of the extraction process suggest the involvement of **experienced threat actors** with established cryptocurrency money laundering capabilities, with some analysts speculating potential connection to North Korean hacking groups who have historically targeted DeFi protocols . ## Cross-Chain Impact Analysis The Balancer exploit manifested across multiple blockchain networks, reflecting the protocol's established presence throughout the decentralized finance ecosystem: *Table: Loss Distribution Across Blockchain Networks* | **Blockchain** | **Approximate Losses** | **Significance** | |----------------|------------------------|------------------| | Ethereum | $99-100 million | Primary exploitation target | | Berachain | $12.8-12.9 million | 2nd most impacted chain | | Arbitrum | $6.8 million | Significant sidechain impact | | Base | $3.9 million | Growing ecosystem affected | | Sonic | $3.4 million | ~2% of network's total TVL | | Optimism | $1.58 million | Moderate losses | | Polygon | $232,000 | Relatively minor impact | The **disproportionate impact** on smaller blockchain ecosystems like Sonic, where losses represented approximately **2% of the network's total value locked (TVL)**, highlights the systemic risks posed by cross-chain protocol vulnerabilities. For emerging ecosystems with smaller total liquidity, such exploits can potentially destabilize the entire network's financial infrastructure . ## Emergency Response Action ### Protocol-Level Countermeasures The Balancer team initiated **crisis management procedures** within hours of detecting the exploit, though communication delays reportedly fueled community uncertainty . Their response included: - **Selective Pool Pausing**: The engineering team paused all identifiable vulnerable pools that could be safely suspended without triggering additional losses . - **White-Hat Bounty Offer**: Balancer extended a **20% bounty offer** for the return of stolen funds within a 48-hour window, attempting to negotiate with the attacker under "white-hat" principles . - **Forensic Investigation**: The team engaged multiple blockchain security firms including PeckShield and Nansen to conduct comprehensive technical analysis of the exploit mechanism . ### Ecosystem-Wide Containment The exploit triggered **emergency responses** across affected blockchain ecosystems: - **Berachain Network Halt**: Validators on the Berachain blockchain coordinated a deliberate **network halt** to execute an emergency hard fork aimed at recovering approximately **$12 million** in user funds affected by the same Balancer vulnerability . - **Protocol Integrations**: Multiple DeFi protocols built atop Balancer's infrastructure, including **Beets Finance**, reported consequent losses exceeding **$3 million**, triggering temporary suspensions of lending and bridging functions across the ecosystem . - **User Protection Measures**: Blockchain analysts universally recommended users immediately withdraw liquidity from Balancer V2 pools and revoke token approvals through tools like **Revoke.cash** to prevent potential secondary exploitation . ## Broader Implications for DeFi Security ### Audit Effectiveness Reassessment A particularly alarming aspect of this exploit was Balancer V2's extensive audit history, having undergone **eleven security audits** since 2021 by various reputable firms . This reality highlights fundamental limitations in current smart contract auditing methodologies: - **Scope Limitations**: Audits typically examine code under expected operating conditions, potentially missing edge-case behaviors at numerical boundaries like the 8-9 wei range exploited in this attack . - **Composability Complexities**: The interconnected nature of Balancer's composable vault architecture created emergent vulnerabilities that might not manifest in isolated component testing . - **Growing Protocol Complexity**: As DeFi protocols evolve toward increasing sophistication, the attack surface expands exponentially, making comprehensive security assessment progressively challenging . ### Systemic Risk Considerations The Balancer exploit underscores several critical systemic risks within the decentralized finance landscape: - **Composability Amplification**: The very **composability** that enables DeFi's innovative potential—protocols seamlessly integrating with one another—also serves as an **attack vector multiplier** when fundamental infrastructure components fail . - **Cross-Chain Contagion**: Vulnerabilities in widely deployed cross-chain protocols can trigger **simultaneous liquidity crises** across multiple blockchain ecosystems, as demonstrated by the nearly simultaneous exploitation across seven different networks . - **Market Confidence Erosion**: The incident triggered an immediate **11-15% price collapse** in Balancer's native BAL token and contributed to broader market unease, highlighting the fragile confidence underpinning DeFi economic structures . ### Regulatory and Institutional Implications The scale and frequency of major DeFi exploits increasingly attract regulatory scrutiny. Authorities in the United States and other major economies are actively developing regulatory frameworks for decentralized finance, with incidents like the Balancer breach likely accelerating these efforts . For institutional participants considering DeFi exposure, such repeated security failures reinforce perceptions that decentralized financial systems remain fundamentally **experimental and high-risk**, potentially limiting mainstream adoption until more robust security paradigms emerge . The November 2025 Balancer exploit represents a watershed moment for decentralized finance security, demonstrating that even extensively audited, time-tested protocols remain vulnerable to sophisticated attack vectors. The precision rounding vulnerability exploited in this attack highlights the mathematical complexities inherent in DeFi infrastructure and the challenges of anticipating all potential edge cases in smart contract design. Moving forward, the DeFi ecosystem must prioritize several key security enhancements: 1. **Advanced Testing Methodologies**: Development of more sophisticated testing frameworks capable of identifying numerical edge cases and precision vulnerabilities across complex mathematical operations. 2. **Runtime Monitoring**: Implementation of real-time monitoring systems capable of detecting anomalous invariant behaviors and automatically pausing suspicious operations. 3. **Decentralized Crisis Response**: Establishment of formalized emergency response protocols across major DeFi protocols to enable quicker reaction to active exploits. 4. **Risk Management Infrastructure**: Development of better risk management tools and insurance mechanisms to protect users from inevitable smart contract failures. As DeFi continues its maturation trajectory, the lessons from the Balancer exploit will undoubtedly influence the design of next-generation protocols, audit methodologies, and risk management practices. While the financial losses are substantial, the technical insights gained from thoroughly analyzing this incident will ultimately contribute to building more robust and secure decentralized financial infrastructure.

loading..   04-Nov-2025
loading..   10 min read
loading..

Ivy League

Massive Penn data breach exposes 1.2 million donors' wealth secrets as hackers d...

The University of Pennsylvania’s email systems were weaponized against its own community, sparking panic and raising alarming questions about campus cybersecurity. ### "We Got Hacked" In the early hours of October 31, 2025, a wave of offensive and fraudulent emails flooded the inboxes of University of Pennsylvania students, alumni, and staff. The messages, bearing ominous subject lines like “We got hacked (Action Required),"** were sent from what appeared to be legitimate university accounts, including the Graduate School of Education (GSE) and other senior staff addresses. The emails contained vulgar language, brutally criticizing the university’s admissions policies and security practices. One section read, **"We love breaking federal rules like FERPA (all your data will be leaked)"** . The closing plea was stark: **"Please stop giving us money"** , making the attack’s apparent aim to disrupt alumni donations unmistakably clear. ### 1.2 Million Victims and a Treasure Trove of Data The initial email spam was just the tip of the iceberg. Within days, a hacker claiming responsibility alleged the theft of a massive database containing information on 1.2 million students, alumni, and donors. The stolen data is reported to be a goldmine for identity thieves and a nightmare for the university, potentially including : * Donation history to Penn * Estimated donor net worth * Personal demographic details, including names and race The hackers bragged to cybersecurity outlet BleepingComputer that they had gained access to Penn’s **VPN, Salesforce data, Qlik analytics, and SAP business intelligence systems**. They claimed the attack wasn’t politically motivated but was a direct assault on Penn’s **"vast, wonderfully wealthy donor database. ### Containment and Contradiction The university’s response has been a mix of urgent damage control and seemingly conflicting statements. * **Official Statements:** Penn spokespersons have consistently labeled the emails **"fraudulent"** and **"highly offensive,"** apologizing for the harm caused and assuring the community that their incident response team is actively addressing the situation . * **Internal Confusion:** An internal communication from Elizabeth Cooper, an IT help desk manager at Penn’s Annenberg School for Communication, revealed that **"ASC has not been hacked,"** suggesting the breach was limited to a mailing list "beyond our control" . * **Public Contradiction:** Meanwhile, **CBS News Philadelphia** reported that the university told them **"it was not hacked,"** creating confusion about the true nature of the security incident. The attack vector was identified as `connect.upenn.edu`, a Penn mailing list platform hosted on **Salesforce Marketing Cloud**. The hackers claimed that after losing access to a compromised employee account, they still had access to this marketing system, which they used to send emails to approximately **700,000 recipients**. ### A Rejected White House Compact This cyberattack did not occur in a vacuum. It comes just weeks after the University of Pennsylvania was among seven schools that **publicly rejected** the Trump administration’s **"Compact for Academic Excellence in Higher Education. This compact would have required universities to : * Abolish affirmative action in hiring and admissions. * Discipline departments that punish conservative ideas. * Marginalize transgender and gender non-conforming students. * Cap international undergraduate enrollment. Penn President J. Larry Jameson rejected the compact, writing that its **"one-sided conditions conflict with the viewpoint diversity and freedom of expression"** central to universities. While the hackers claim their motive was financial, the timing has fueled speculation about a potentially politically charged backdrop to the breach. ### Are You at Risk? The university has advised recipients of the fraudulent emails to : - **Mark them as phishing/spam.** - **Avoid clicking on any links or attachments.** - **Simply delete the message.** As of now, the hackers have stated that the stolen database **"has not yet been leaked"** but threatened they **"may release it in a month or two."** The University continues to investigate, leaving 1.2 million individuals awaiting answers about the safety of their personal information. ***This story is still developing.***

loading..   03-Nov-2025
loading..   4 min read
loading..

RedTiger

Discord

RedTiger malware has compromised over 408,000 gamers by weaponizing Discord. Dis...

Security researchers have uncovered a dangerous new campaign in which cybercriminals are weaponizing **RedTiger**, an open-source red-teaming tool, into a sophisticated infostealer targeting gamers and Discord users. The malware represents a growing trend of attackers repurposing legitimate security tools for malicious operations, with evidence suggesting a particular focus on **French-speaking gaming communities**. ## Legitimate Tool Turned Threat RedTiger, developed initially as a **Python-based penetration testing** suite in 2024, bundles various security assessment tools including network scanners, OSINT utilities, and phishing toolkits. Like the notorious Cobalt Strike framework before it, RedTiger has now been adopted by malicious actors for unauthorized attacks. According to Netskope Threat Labs, whose October 2025 analysis serves as the basis for this report, the weaponized RedTiger infostealer is being distributed as **PyInstaller-compiled binaries** with filenames designed to appeal to gaming communities. Several samples include French warning messages, including one that reads "Attention, ton PC est infecté!" (Warning, your PC is infected!), indicating targeted campaigns against French-speaking users . *Table: RedTiger Infostealer at a Glance* | **Attribute** | **Description** | | :--- | :--- | | **Origin** | Open-source red-teaming tool (2024) | | **Primary Targets** | Discord users, gamers, cryptocurrency holders | | **Distribution** | PyInstaller binaries masquerading as game mods/cheats | | **Key Capabilities** | Discord token theft, browser data harvesting, cryptocurrency wallet theft | | **Data Exfiltration** | Two-stage process via GoFile cloud storage and Discord webhooks | ## Advanced Targeting & Data Harvesting ### Discord-Focused Attack Modules The RedTiger [infostealer](https://github.com/loxy0dev/RedTiger-Tools) demonstrates particularly advanced capabilities against Discord, employing multiple techniques to compromise accounts comprehensively: - **JavaScript Injection**: The malware injects custom JavaScript code into Discord's `index.js` file, allowing it to intercept API calls and capture events including login attempts, password changes, and payment transactions . - **Token Compromise**: It scans Discord's local storage files (`.ldb` and `.log`) using regex patterns to extract authentication tokens, which are then validated through API calls to harvest profile information, email addresses, multi-factor authentication status, and subscription details . - **Payment Data Theft**: By intercepting billing endpoints for services like Stripe and Braintree, the malware captures credit card information, PayPal details, and Discord Nitro purchase data . ### Comprehensive Data Harvesting Beyond Discord, RedTiger casts a wide net for valuable data through multiple vectors: - **Browser Data Theft**: The stealer targets popular browsers including Chrome, Firefox, Edge, and Opera GX to extract saved passwords, cookies, browsing history, and payment card information . - **Gaming & Financial Assets**: It actively hunts for game files related to Roblox, stealing account credentials through cookie extraction. Cryptocurrency wallets like MetaMask are also copied entirely, and the malware scans for `.TXT`, `.SQL`, and `.ZIP` files containing keywords like "passwords" . - **Surveillance Capabilities**: RedTiger can capture screenshots of the victim's desktop and take snapshots through the webcam using OpenCV and Pillow libraries, adding a disturbing privacy invasion dimension to the attacks . ### Data Exfiltration The malware employs a clever two-stage exfiltration process designed to maintain attacker anonymity: 1. **Compression and Upload**: All stolen data is compressed and uploaded to **GoFile**, a cloud storage service that allows anonymous uploads without requiring an account . 2. **Link Delivery**: GoFile generates a download link that is automatically sent to the attacker via a **Discord webhook**, along with victim metadata including IP address, geographic location, and hostname . RedTiger establishes persistence mechanisms across multiple platforms. On Windows systems, it adds itself to the startup folder to execute at login. While persistence capabilities exist for Linux and macOS, implementations are reportedly incomplete in current variants . ## Evasion and Anti-Forensic Features ### Advanced Evasion Techniques RedTiger incorporates multiple defense evasion mechanisms designed to avoid detection and analysis: - **Anti-Sandbox Detection**: The malware automatically terminates if it detects usernames, hostnames, or hardware IDs associated with sandbox environments. The predefined detection lists include entries such as "WDAGUtilityAccount," "SANDBOX," and numerous specific hardware identifiers used by analysis tools . - **Network Protection Bypass**: Some variants modify the system's hosts file to block connections to security vendors' websites, further complicating detection and remediation efforts . ### Forensic Obstruction To hinder security analysis and forensic investigation, RedTiger employs resource-based obstruction techniques: - **Process Spamming**: The malware launches approximately **400 processes** simultaneously across the system, creating significant noise and log pollution . - **File Spamming**: It creates **100 files** with random extensions and fills them with random alphanumeric strings, unpredictably consuming disk space and complicating forensic timelines . ## Distribution, Protection, and Recommendations ### Infection Vectors and Campaign Links While Netskope's [report](https://www.netskope.com/blog/redtiger-new-red-teaming-tool-in-the-wild-targeting-gamers-and-discord-accounts) doesn't explicitly document distribution methods, other security sources indicate RedTiger primarily spreads through: - **Malicious game mods**, "trainers," or performance boosters distributed via Discord channels and gaming forums . - **Fake utility software** and cheats promoted through YouTube videos and malicious download sites. This campaign aligns with a broader trend of attackers targeting gaming communities. Notably, this represents the second gamer-focused infostealer Netskope has tracked in October 2025, following a Python RAT that masqueraded as a Minecraft client called "Nursultan Client". ### Remediation Recommendations For gamers and Discord users, security experts recommend implementing these protective measures: - **Download Vigilance**: Avoid downloading executables, game mods, or "cheats" from unverified sources, especially those promoted through Discord channels or unofficial forums . - **Discord-Specific Protections**: If compromise is suspected, immediately revoke all Discord tokens, change your password, and perform a fresh installation of the Discord client from the official website . - **General Security Hygiene**: Clear saved passwords and browsing data from browsers, enable multi-factor authentication on all accounts, and run comprehensive malware scans using updated security software . The weaponization of RedTiger underscores an ongoing concerning trend in cybersecurity: the rapid adoption of legitimate red-teaming tools by malicious actors. As these tools become more accessible and feature-rich, they provide attackers with sophisticated capabilities without requiring advanced technical development. The targeting of gamers represents a strategic shift toward communities that may prioritize convenience over security, often downloading third-party software to enhance their gaming experience. With RedTiger's open-source nature allowing for easy modification, security researchers anticipate more variants and enhanced capabilities to emerge in the coming months . As one researcher noted, "Gamers' shared files and Discord reliance make them prime targets" for these increasingly sophisticated attacks . This campaign serves as a stark reminder that maintaining vigilance and implementing basic security practices remains crucial, regardless of how one uses their computer. *This technical analysis is based on threat intelligence reports from Netskope Threat Labs with corroborating information from multiple cybersecurity sources. All organizations and malware names referenced are trademarks of their respective owners.*

loading..   27-Oct-2025
loading..   6 min read
Company Logo
logo

Secure Blink automates the web application and API security for developers and security teams, helping them to rapidly identify and mitigate vulnerabilities more effectively than they can today.

Find Us Online

LinkedIn Logo
Twitter Logo
Discord Logo
Telegram Logo
YouTube Logo

[email protected]

@ Copyright 2025 Secure Blink. All rights reserved.