Web3 Security News – Telegram
Web3 Security News
2.44K subscribers
Stay ahead with web3’s largest news aggregator in security, blockchain, DeFi, jobs, hacks, vulnerabilities, security tools, podcasts, and events.

Weekly Newsletter
👉 web3secnews.substack.com

Discord Community
👉 https://discord.gg/7ZrPsdunQb
Last week we published a newsletter on DNS security in Web3. Wish I didn't have to write a follow-up so soon.

We're obsessing over smart contract security while leaving our front doors wide open.

Attackers don't need to find re-entrancy bugs when they can just call GoDaddy support and say "I forgot my password."

The pattern is always the same - bulletproof contracts, trash domain security.

https://x.com/web3sec_news/status/1965411113929245061
Smart contracts run billions in value.

Master reading them to find the bugs others miss as an SR, and monitor them to catch suspicious activity onchain as a project.

We need to onboard more people & security is beyond the source code your dev writes.

Thoughts?
https://x.com/__Raiders/status/1979102530039640322?t=4A4w0mMA5Q3VRvXqZTNMoQ&s=19
Web3 Security Weekly

- One fake Zoom meeting = $27M gone
- One phishing email = 2.6B npm downloads compromised
- NuGet packages cloned with Cyrillic look-alikes
- CoinDCX halts Web3 trading after cyberattack in India
- North Korean hackers hiding malware on-chain (EtherHiding)

https://x.com/web3sec_news/status/1984271626880614909
Security has a half-life; many projects & SRs are not fully aware of this.

Just like radioactive decay, your protocol's security coverage can deteriorate every single day.

> Day 1 post-audit: 100% coverage

> Month 6: New attack vectors discovered globally

> Year 1: Dependencies updated 47 times, new exploit classes emerge

> Year 2: That audit is now blind to entire vulnerability categories

Read more!
https://x.com/__Raiders/status/1986436098277712142
Today, we build AI auditors.

Tomorrow, we'll build tools to outsmart them.

Money is flooding into automated security, AI that catches bugs faster than humans. Soon, it'll flow into exploits that evade those same AI watchers.

It's the eternal cycle: every defense creates its own attack vector.

The plumbing arc is coming for Web3 auditors.

https://x.com/__Raiders/status/1987797970629365869
Domain & DNS Security Guide for Web3

What's inside for you?
1. Complete DNSSEC implementation playbook
2. Registry lock procedures (your nuclear option)
3. Email security via MX hardening (one compromised MX = total org takeover)
4. Web3-specific incident response

https://x.com/__Raiders/status/1988977682135343422
Your security team sees what they built. Hackers see what they'll break.

Microsoft paid $1.6M in bug bounties last quarter. Amazon dropped $55k in a single private event. Meanwhile, Web3 protocols lose $128M because they relied solely on audits and internal reviews.

The difference?

https://x.com/__Raiders/status/1992825454479491426
‼️ Is your inbox actually private? If you use Gmail, probably not anymore.

A recent "update" to Gmail's smart features means many users were automatically opted in to data analysis. Google is now scanning your private messages and attachments to fuel features across Meet, Chat, and Drive.

https://x.com/__Raiders/status/1994308356711043485
Excited to share that digibastion.com has received a grant from Ethereum Foundation Support in Q3.

Operational security remains critical for users holding funds in hot wallets.

We're building advanced scanners, like a DNS hijacking scanner, a supply chain malware scanner, quick source code security scanners and phishing checkers, to significantly improve the security experience for the Ethereum ecosystem.

https://x.com/__Raiders/status/1996300329454043560
I'm coming to Abu Dhabi next week for Solana Breakpoint - would love to catch up! We could grab coffee, talk security and even play some badminton. Let me know what you're up to and who's coming in below.

https://x.com/__Raiders/status/1997720726221234305
Hot take I keep hearing: "Never rely on AI for security, it's 100% hackable."

100% is a bold claim. But here's the thing: human-only audits don't guarantee 100% security either. Every audit report comes with a "no liability, no responsibility" disclaimer for a reason.

The uncomfortable truth? Security isn't a checkbox. It's not something you "complete" before launch and move on.

https://x.com/i/status/2002008774438264982
The XZ Utils backdoor was caught because a Microsoft engineer noticed a 500ms latency increase in SSH connections. That's it. A half-second delay exposed an attacker who spent three years building maintainer trust - weeks away from compromising virtually every Linux server globally.

Most supply chain attacks aren't caught by security tools. They're caught by someone noticing something feels off.

Full breakdown of 7 years of attacks + defenses 👇

https://web3secnews.substack.com/p/npm-supply-chain-attacks-how-hackers