zeroShadow

Most teams are defending their protocols with yesterday's news. That’s because today’s available data forces a choice you shouldn’t have to make. The data is either "fast" but lacks real depth, or is "deep" but arrives far too late to matter. In reality, most of what’s available today isn't fast enough to stop a nation-state actor at the moment of impact, and it’s not as deep as the marketing claims. In this space, if your intelligence doesn’t move at block-speed and isn’t defensible under scrutiny, you’ve already lost. We aren't just pointing out the gap; we’re closing it. Starting today, we are offering access to our real-time Threat Intelligence Platform — free for one year. (sign up by March 15th with the link in the comments) For the first time, you can plug directly into a secure, live stream of zeroShadow intelligence. It is the same human-vetted data our investigators use to track illicit activity and persistent threats, delivered through an architecture that actually moves as fast as the attackers do. Here is the value we’re bringing to your stack: • True Block-Speed Intel: Real-time attribution delivered while it’s still actionable, not hours after the bridge is crossed. • Regulator-Aligned Screening: OFAC+ and OFSI+ extend official lists by tracing sanctioned assets beyond common obfuscation, aligning your screening with investigative methods used by regulators and law enforcement. • Active Investigative Depth: Direct output from our investigations into nation-state actors (DPRK), drainer networks, and laundering infrastructure. • Uncompromised Privacy: A secure way to query threat intel without ever exposing your raw data or your strategy. • Compliance Precision: Dedicated tools that allow CCOs to manage Web3 risk with the rigor of traditional finance. We are proud to go to market with @lifiprotocol, @1inch, and @megaeth, who are already using this intel to secure their ecosystems. Register with the link in the comments before March 15th to receive our “Core Data Cars"—including our proprietary zS Investigation leads and OFAC+/OFSI+ tracking—free for one full year.

Learning brings the world onchain We want to see more education about blockchain and DeFi within universities, and are proud to support @1inch , @fund_defi and the other companies that are bringing attention to this need.

"How do you respond when millions disappear in seconds?" Join us in the warroom this Thursday as @zeroshadow_io answers this, and other security related questions in our final partner-security series. Wen: Thursday, 4pm CET Wat: Into the Warroom Wer: x.com/i/spaces/1nxeL…

This is a must read from 1inch It shows how easy it is for even a security-focused person to fall victim to fake videocall DPRK thefts and highlights how our investigators were able to help. Thank you, 1inch, for giving this story the spotlight it deserves.

Most teams are defending their protocols with yesterday's news. That’s because today’s available data forces a choice you shouldn’t have to make. The data is either "fast" but lacks real depth, or is "deep" but arrives far too late to matter. In reality, most of what’s available today isn't fast enough to stop a nation-state actor at the moment of impact, and it’s not as deep as the marketing claims. In this space, if your intelligence doesn’t move at block-speed and isn’t defensible under scrutiny, you’ve already lost. We aren't just pointing out the gap; we’re closing it. Starting today, we are offering access to our real-time Threat Intelligence Platform — free for one year. (sign up by March 15th with the link in the comments) For the first time, you can plug directly into a secure, live stream of zeroShadow intelligence. It is the same human-vetted data our investigators use to track illicit activity and persistent threats, delivered through an architecture that actually moves as fast as the attackers do. Here is the value we’re bringing to your stack: • True Block-Speed Intel: Real-time attribution delivered while it’s still actionable, not hours after the bridge is crossed. • Regulator-Aligned Screening: OFAC+ and OFSI+ extend official lists by tracing sanctioned assets beyond common obfuscation, aligning your screening with investigative methods used by regulators and law enforcement. • Active Investigative Depth: Direct output from our investigations into nation-state actors (DPRK), drainer networks, and laundering infrastructure. • Uncompromised Privacy: A secure way to query threat intel without ever exposing your raw data or your strategy. • Compliance Precision: Dedicated tools that allow CCOs to manage Web3 risk with the rigor of traditional finance. We are proud to go to market with @lifiprotocol, @1inch, and @megaeth, who are already using this intel to secure their ecosystems. Register with the link in the comments before March 15th to receive our “Core Data Cars"—including our proprietary zS Investigation leads and OFAC+/OFSI+ tracking—free for one full year.

We're talking security with Pharos now, tune in!

Last week, Step Finance suffered a hack in its treasury wallets, putting over $30M at risk. Beyond the collaboration among teams such as @zeroshadow_io, @multisig, and @range_org, one key factor enabled the recovery of a portion of the funds: Kamino's withdrawal rate limit caps. There will always be another program bug, but with a secure-by-design system that can contain the damage, we can hopefully soon stop seeing millions of dollars wiped out in every hack. As a long-time proponent of rate limits, I was amazed to see them working in production on @solana, saving the team millions. Shout-out to @kamino and its security-first technical leadership here. More teams should use their example, and we would be one step closer to the ultimate goal: safe internet capital markets!

Thank you to Olympix for including us as a recommended Incident Response firm. Learn more about smart contract security with their 2025 analysis.

When funds get stolen, every second counts. @zeroshadow_io provides 24/7 support for recovering stolen assets for L1s, DeFi protocols, dapps & Web2 financial institutions. Learn how they cut incident response times while building client trust 🧵 blog.tenderly.co/case-studies/z…

Pharos is proud to announce key security partners ahead of the Mainnet launch! 🔐 @alibaba_cloud and @awscloud provide enterprise-grade cloud security with zero-trust networking and multi-cloud DDoS protection 🛡️ @exvulsec, @OpenZeppelin, and @zellic_io lead blockchain audits with comprehensive security assessments 🔍 Ant Skyward Security Lab led by @ppdonow conducts penetration testing for the Pharos platform. 👁️‍🗨️ @HypernativeLabs powers real-time on-chain monitoring for rapid incident response, alongside @zeroshadow_io for Web3 intelligence and leads incident response Together, these partnerships build institution-grade, finance-ready security from infrastructure to ecosystem

Change is coming, but crypto freezes and recovery are still complex. We're hosting another meeting at the end of February to discuss important updates. Please contact coalition@zeroshadow.io if you'd like to get involved. If you missed the first meeting, please check out our blog from last summer for some background information zeroshadow.io/blog/north-kor…

What’s Next? This week, we are finalizing integrations with @hypernativelabs and @zeroShadow_io to add an institutional-grade security layer to our architecture. With these pieces in place, we are shifting gears and adding pace. ⚙️

We have seen an increase in the number of hacks linked to this threat actor over the past couple of months. Please be extra vigilant, even for meetings with people you believe you know. If you feel like you have fallen victim to this threat actor in the past, or if something happens in the future, please let as many people as possible know to help prevent further hacks. zeroShadow are here to help. You can reach us through our website zeroshadow.io/contact Safer Together

Today @BitcoinVN flagged a high-volume wallet linked to THORChain. We traced it back to a BTC victim who’d been socially engineered by fake @Trezor support ➡️~$300M stolen. Within 20 minutes, zeroShadow tracked the outbound flows and froze over $1M before it could be swapped into XMR. The activity that could get through is likely increasing XMR's price. zeroShadow will continue to patrol the blockchain. Safe Together (2/2)

XMR has been spiking, but is it all for the privacy narrative? We don't think so (1/2)

Thanks to a tip from @Bitcoin_Vietnam about suspicious activity and a rapid response from the @zeroshadow_io team, over $1M+ of proceeds of this theft have been frozen today. If data sharing in crypto was normalised, substantially more than this could have been caught.

• 6 months • 73 separate protocol incidents • $934M+ in assets compromised The largest heists in the last 6 months were split between operational (UXLink) and smart contract (Balancer) incidents. The absence of a single dominant attack vector is the point. Operational losses are spread across supply chain compromise, key management failures, insider risk, malware, and human error. This is not a tooling problem. It is a control and governance problem. On the other hand, the data shows that contract-level exploits are less frequent, but when a vulnerability is present, the impact can be immediate and substantial. Our research team has compiled the following breakdown of the incidents from the second half of 2025 in crypto: *images taken with stats as of 5th December 2025