⬢ GM Security — 2026-06-19: $45.0M across 30 incidents

Daily crypto security briefing

2026-06-19 13:25 UTC · last 72h · 30 items · $45.0M reported losses · 47 sources

Last 24 hours

• [SCAM · NEW] @zachxbt: A short story about Indian scammers who called the cops on themselves: — ~$475K (@zachxbt)
• [ADVISORY · NEW] @GoPlusSecurity: 🚨GoPlus Security Alert: (@GoPlusSecurity)
• [ADVISORY · NEW] @CertiK: "Auditing the code is necessary, but no longer sufficient." (CertiK)
• [EXPLOIT · NEW] @PeckShieldAlert: #PeckShieldAlert The @Humanityprot exploiter-labeled address has bridged 130 $ETH ($220.6K) from #Ethereum to #BNBChain… — ~$221K (@PeckShieldAlert)
• [EXPLOIT · NEW] Microsoft found malware that hijacks crypto wallets and spreads through USB sticks (CoinDesk)
• [ADVISORY · NEW] North Korea’s crypto hack spree draws fresh G7 warning (crypto.news)
• [ENFORCEMENT · NEW] Ireland flags crypto as major threat in anti-money laundering push (crypto.news)
• [ENFORCEMENT · NEW] Ex-Celsius CEO Mashinsky gets U.S. CFTC ban in final resolution with regulator (CoinDesk)
• [ADVISORY · NEW] @HalbornSecurity: Securing blockchain infrastructure for institutional adoption means auditing at every layer, not just the smart contrac… (@HalbornSecurity)
• [ADVISORY · NEW] @HalbornSecurity: Quantum computing is an approaching threat to blockchain security. 🔐 (@HalbornSecurity)
• [NEWS · DEVELOPING · day 3] @spreekaway: https://t.co/MzmtARehtY (@spreekaway)
• [ADVISORY · DEVELOPING · day 3] @spreekaway: That's right: ZERO. https://t.co/yex0V1k3wi (@spreekaway)

Earlier · 24–72h

• [EXPLOIT · NEW] @Phalcon_xyz: .@aztecnetwork was attacked again. Like the Sunday, June 14, 2026 exploit, this attack appears related in nature, but t… — ~$2.3M (@Phalcon_xyz)
  also: @MistTrack_io · @PeckShieldAlert
• [ADVISORY · NEW] Rockwell Automation FactoryTalk Historian Site Edition (CISA Cybersecurity Advisories)
• [EXPLOIT · DEVELOPING · day 5] @Phalcon_xyz: Correct: this is not the same bug as the previous one, though both are circuit public input binding issues and the exec… (@Phalcon_xyz)
• [NEWS · DEVELOPING · day 4] Live markets: price action turns panicky in Saylor's STRC as bitcoin drops below $63,000 (CoinDesk)
• [EXPLOIT · NEW] @CertiKAlert: #CertiKInsight 🚨 — ~$42.0M (@CertiKAlert)
  also: @CertiKAlert · @CertiKAlert
• [EXPLOIT · NEW] @PeckShieldAlert: #PeckShieldAlert The @UXLINKofficial exploiter-labeled address has swapped ~14.6M $DAI for 8,298.6 $ETH. — ~$5K (@PeckShieldAlert)
• [EXPLOIT · NEW] @HalbornSecurity: Multisig doesn't protect you if your keys share the same machine. 🔑 (@HalbornSecurity)
• [ENFORCEMENT · NEW] Florida Man 'Bitcoin Rodney' Pleads Guilty Over $1.8 Billion HyperFund Crypto Fraud — ~$1.80B (Decrypt)
• [ADVISORY · NEW] @Beosin_com: ⚡ A single integer truncation bug nearly cost Thetanuts Finance over $2M. — ~$2.0M (@Beosin_com)
• [SCAM · DEVELOPING · day 6] Steam Workshop wallpapers found spreading crypto malware (Protos)
• [NEAR-MISS] LittleBoyPlus BNB Chain exploit (~$377K) (web search (coverage))
  ~$377K (610 BNB) drained via zero-value transferFrom minting bug in LBPHashrate._update per SlowMist
• [NEAR-MISS] DIP token / Etherisc pool exploit (~$111K) (web search (coverage))
  ~111K USDC drained from a missing return statement in _transfer() enabling AMM reserve manipulation
• [NEAR-MISS] StakeDAO Arbitrum deployer-key compromise (web search (coverage))
  Compromised deployer key minted 5.4T unbacked vsdCRV (~$91K cashed out), forcing Beefy/Curve vault pauses to avoid contagion
• [NEAR-MISS] ORE Solana staking program bug (web search (coverage))
  Bug let attacker improperly claim ~25.5 SOL ($2.1K); small loss but forced contract migration
• [ADVISORY · DEVELOPING · day 2] @CertiK: Passkeys remove seed phrases, but not security risks. (CertiK)
• [NEWS · DEVELOPING · day 5] @pcaversaccio: ok guys, talk is cheap as you all know. let's move forward here; some very preliminary thoughts on how such a browser c… (pcaversaccio)
• [NEWS · DEVELOPING · day 5] @tayvano_: > beautiful simple clean (@tayvano_)
• [NEWS · DEVELOPING · day 6] @tayvano_: Boeing never told the USG that they cannot prevent their airplanes from falling out of the sky. (@tayvano_)
• [ADVISORY · DEVELOPING · day 6] @tayvano_: The Fed, Iran Trade, and Why BTC Looks Cheap Right Now https://t.co/sAVrcjp96K (@tayvano_)
• [NEWS · DEVELOPING · day 6] @tayvano_: unc1069 / sapphire sleet / whatever you want to call them (@tayvano_)
• [ADVISORY · DEVELOPING · day 5] @pcaversaccio: you can fully destroy perfect onchain privacy by leaking metadata (IP, user-agent, timezone, language settings, etc.).… (pcaversaccio)

🧠 Deep reads

• Seeing the Full Picture: Why Pre- and Post-Designation Exposure Changes Everything in Sanctions Screening (Chainalysis)

💡 Security thought-spark

Bug-bounty math: a $50k Immunefi bounty is cheap insurance against a $5M exploit. Is yours live, well-scoped, and actually paid out on time?

Full data: https://gmsecurity.net/briefing.json. Feedback or a source to add? [email protected]. George Donnelly offers Web3 development & security consulting.