Web3 Wavefronts - Digestible News on Crypto, DeFi and AI
Extremist Groups Move Funds via Crypto, ADL and Chainalysis Report
The Anti-Defamation League analyzed 15 extremist actors and identified roughly $142,000 moving across 22 services from 2023 into 2024, with Kraken-linked flows accounting for nearly $80,000 and Counter-Currents processing more than $61,800 in 2023; Chainalysis reports that overall extremist donations have dipped in some regions while white nationalist fundraising remained active in North America and Europe. Operators pivot to on-chain addresses and QR codes when banks and payment processors cut off accounts, post public donation addresses on websites and messaging channels, and rely on many small, dispersed transfers to multiple wallets; clustered addresses and intermediaries provide liquidity and occasional cash-out routes that sometimes touch mainstream exchanges, and use of privacy coins and obfuscation tools complicates attribution. Risk teams observe that these flows can appear as low-value retail-like transfers on the surface while underlying clusters, shared intermediaries, and occasional custodial accounts enable coordinated fundraising and liquidation. Recommended operational measures include shifting from address-only alerts to cluster and graph-based scoring, monitoring hops into privacy coins and back into liquid pairs, enriching on-chain alerts with civil-society datasets and open-source reporting, adding extremism-specific red flags to screening rules and case workflows, tightening onboarding and re-verification for high-risk entities, continuously monitoring publicized addresses, maintaining partnerships with analytics firms and NGOs for curated watchlists, and escalating to law enforcement and documenting the rationale for suspicious activity reports when graph analysis indicates coordinated fundraising or legal defense for violent actors. 
Regulators are expected to increase pressure around address intelligence, standardized reporting, and cross-platform coordination, and known challenges for detection include noisy low-value transfers, limited visibility into privacy coins and decentralized services, and sparse typologies for extremist financing that require sustained investment in tooling and partnerships.
Source: https://web3businessnews.com/crypto/neo-nazi-crypto-funding/

Illicit Crypto Flows Estimated at $154–$158 Billion in 2025
06:51|Illicit cryptocurrency addresses received an estimated $154 to $158 billion in 2025, a near 162% year-over-year increase, with stablecoins accounting for about 84% of that volume. Sanctions-related flows rose and nation-state-aligned actors, notably DPRK-linked groups, stole roughly $2 billion including a single exploit that cost an exchange about $1.5 billion. Criminal operations combined credential theft and compromised infrastructure with transaction signing and withdrawal authorization, then used mixers, cross-chain swaps, OTC desks, money brokers, and weak-control jurisdictions to launder proceeds while repeatedly reusing the same liquidity hubs, stablecoin pairs, and counterparties. Physical coercion and in-person intimidation of traders and executives increased and incidents were sometimes timed to price movements. Investigators and analytics providers pooled signals, improved attribution and tracing, and law enforcement reported record seizures in 2025 through faster tracing and legal actions to freeze assets. Entity risk scores became dynamic as addresses flipped to high risk when new attribution data appeared. Guidance for exchanges and custodians includes hardening key and withdrawal controls with multi-party signing, staged approvals, velocity limits, emergency rotation plans, continuous monitoring of stablecoin corridors, stress testing of hot wallet scenarios, and rehearsed playbooks with prearranged law enforcement contacts. Guidance for funds and enterprise treasuries includes segmenting wallets by function and risk, using hardware-backed signing, granting just-in-time access, screening counterparties and flows against sanctions lists with real-time alerts, prearranging emergency contacts, and practicing on-chain incident response playbooks. 
Guidance for individuals and developers includes training for phishing and social engineering, preferring hardware wallets and multisig, minimizing hot wallet balances, using allow lists, spend limits, time locks, session isolation, and independent verification of transfer requests. Entity-aware analytics, graph enrichment, dynamic watchlists, fast preplanned holds, legal orders, and participation in shared intelligence programs were associated with improved recovery and seizure outcomes. Three measurable signals to track through 2026 are the velocity of sanction-related flows across stablecoin corridors, the operational tempo of DPRK-linked intrusion campaigns, and the ratio of value recovered through seizures versus value stolen. Source: https://web3businessnews.com/crypto/secure-digital-assets-crypto-crime/
Tether Freezes $182M USDT on Tron via Contract-Level Blacklist
06:18|Tether froze about 182 million USDT across five TRC-20 addresses on the Tron network on January 11, 2026, using contract-level blacklist admin calls that took effect upon on-chain confirmation. Analytics services and block monitors flagged the addresses and immobilized balances within minutes, and exchanges and Tron infrastructure continued processing blocks and trades without visible disruption. Each affected wallet held between about 12 million and 50 million USDT, and the blacklist entries are visible in Tron event logs and indexers that parse contract events. Tether reported having frozen about 3.3 billion USDT across more than 7,200 wallets since 2023 and cooperating with more than 310 agencies across 62 countries; Tron currently hosts roughly 82.5 billion USDT and USDT's market capitalization remained near 187 billion. The freeze produced no peg stress, liquidity remained stable across major venues, there was no observed spillover into large DeFi pools on Tron or Ethereum, settlement and exchange connectivity operated normally, and Tron gas costs did not spike. The public record does not cite a specific trigger for the action and there is no confirmed attribution for the five addresses; historically, similar issuer-led freezes have followed risk alerts tied to sanctions, fraud investigations, or suspected laundering. Recommended operational measures included integrating blacklist detection at deposit, withdrawal, and liquidation points, aligning KYC/AML/sanctions screening with issuer processes, maintaining failover settlement paths and alternative assets, instrumenting real-time address risk scoring, and adding routing checks to flag counterparties linked to newly frozen clusters. The event demonstrated that large issuer-led freezes can occur without immediate market disruption while creating operational requirements for builders, operators, and institutional users to handle sudden immobility at the contract layer. 
Source: https://web3businessnews.com/crypto/tether-freezes-182m-tron-wallets/
GoBruteforcer botnet brute-forces exposed services targeting crypto infrastructure
05:47|Show description: Researchers name a Go-based botnet GoBruteforcer and report it brute forces FTP, MySQL, PostgreSQL and phpMyAdmin instances to compromise Linux hosts that support blockchain and crypto infrastructure. Researchers estimate more than 50,000 publicly reachable servers are vulnerable and report that a number of servers have been incorporated into the botnet. Operators run automated scans using a small, stable pool of usernames and passwords and exploit default credentials, copy-pasted example usernames, and AI-generated configuration snippets that recommend predictable names. Operators target legacy stacks such as XAMPP and open FTP services with out-of-the-box settings for initial access. After successful access, compromised hosts download a Go payload, register with a command server, and begin parallel scanning of other IP ranges. Post-compromise actions include adding backdoor accounts, exfiltrating databases, and fetching additional modules for spam, proxying, or targeted cryptocurrency theft. Researchers found tooling that queries TRON and Binance Smart Chain balances, a dataset of roughly 23,000 TRON addresses, and on-chain activity consistent with repeated small thefts. Targets include exchanges, custodial backends, analytics platforms, token dashboards and other blockchain applications, and attack runs rotate among blockchain databases, phpMyAdmin and WordPress stacks to evade static blocklists. Potential impacts include theft of user records, disclosure of private keys or seed phrases stored insecurely, wallet draining, infrastructure loss, hosting sanctions and regulatory scrutiny. 
Recommended defensive actions include removing unnecessary internet-facing databases and admin panels; replacing default and weak credentials with strong, unique passwords managed by a password manager; auditing AI-generated and template configurations and rotating secrets; disabling unused services and updating or retiring legacy stacks; binding database services to private interfaces and restricting access behind VPNs or allow-listed IPs; enforcing host and network firewall rules, rate limiting and account lockout policies; and enabling multi-factor authentication. Monitoring and response recommendations include logging and telemetry for failed logins, unexpected user creation, new outbound connections and internal scanning behavior; automated alerting for suspicious patterns; regular patching; removal of unneeded plugins and modules; credentials and secrets reviews; an incident response runbook for brute-force and wallet probing scenarios; and verification of backups and recovery plans. Researchers expect operators to rotate credential lists and targets while reusing the same automated playbook, and defenders can reduce risk by eliminating defaults, restricting access and hardening admin panels. Source: https://web3businessnews.com/crypto/gobruteforcer-crypto-server-attacks/
Raj Kundra Summoned in GainBitcoin Money Laundering Probe
06:55|A PMLA court in Mumbai has summoned businessman Raj Kundra to appear on January 19, 2026, after the Enforcement Directorate filed a supplementary complaint in the GainBitcoin matter. The ED alleges Kundra received and retained 285 Bitcoins traced to addresses linked to GainBitcoin, promoted by Amit Bhardwaj, and valued the holdings at over 150 crore rupees in its complaint. The ED invoked Section 3 of the Prevention of Money Laundering Act alleging concealment, possession, acquisition, and use of proceeds of crime and described Kundra as a beneficial owner while challenging a claimed mediator role. Investigators named Rajesh Ram Satija, a businessman based in Dubai, as a co-accused and are examining five flats in Mumbai's Juhu area registered to actor Shilpa Shetty for potential links to laundering, including pricing, payment trails, and whether transactions were arranged below market or routed through intermediaries. The ED's complaint emphasizes wallet attribution, provenance of the coins, exchange touchpoints, conversion of crypto proceeds into real-world assets, and alleged non-disclosure of wallet addresses, and indicates reliance on on-chain analytics, exchange KYC outputs, device and server forensics, and banking or payments records to establish custody links. The court appearance on January 19 will set deadlines for further filings, potential bail or protection applications, and requests for attachment or freezing of assets while the matter proceeds. Source: https://web3businessnews.com/crypto/raj-kundra-gainbitcoin-pmla-case/
Fireblocks Agrees to Acquire TRES Finance for About $130 Million
05:10|Fireblocks agreed to acquire TRES Finance for roughly $130 million in a mix of cash and equity. The deal follows Fireblocks' October purchase of Dynamic for about $90 million. TRES provides accounting, reconciliation and audit-ready reporting for digital assets and connects to more than 280 blockchains, exchanges, banks and custodians. TRES serves over 200 organizations, including Alchemy, Bank Frick, Dune, Finoa, M2 and Wintermute. TRES was founded by Tal Zackon and Eilon Lotem, has raised about $18.6 million and employs roughly 58 people across Israel, Europe and the United States. Fireblocks will bring the TRES team into its organization. The purchase price represents a premium to TRES' last private valuation and is structured as a cash and equity split. Fireblocks raised a $550 million Series E at an $8 billion valuation in 2022 and processes trillions in annual digital asset transfers. Fireblocks' integration plan centers on connecting TRES' data models to existing policy controls and transaction routing so activity can be tagged, classified and reconciled as it happens. TRES' features include real-time treasury and position visibility across wallets and venues; automated reconciliation between on-chain activity and off-chain ledgers and bank accounts; cost basis and revenue recognition data; and audit trails and attestations for auditors and regulators. The combined stack aims to deliver custody through reporting in a single platform and to align records with ERPs and general ledgers. MiCA rules in Europe and evolving U.S. agency guidance increase expectations for record keeping and disclosures, and TRES standardizes records and ties transactions to wallets, venues and fiat rails to support auditor and controller validation. Adoption and competitive outcomes will depend on integration speed, depth of reconciliation and ERP connectors, customer migration from multi-vendor setups, and regulatory developments. 
Source: https://web3businessnews.com/crypto/fireblocks-tres-acquisition-130m/
Chen Zhi Indicted on Charges Alleging Forced‑Labor Crypto Fraud
05:52|Brooklyn prosecutors indicted Chen Zhi on charges that he led a forced‑labor crypto fraud network and charged him with conspiracy to commit wire fraud and conspiracy to commit money laundering; investigators say the operation stole millions from at least 250 U.S. victims and traced about $14 billion in bitcoin and other assets to the broader network, including a publicly cited loss of about $400,000 by a single victim. Cambodian authorities detained Chen, revoked a citizenship linked to his businesses, and extradited him to China, leaving the Brooklyn indictment active while U.S. officials seek custody or cooperation; investigators are preserving evidence, pursuing co‑conspirators, and pursuing asset measures and forfeiture. Public filings and law‑enforcement statements describe workers confined in compounds who were forced to run romance and investment scams, shepherd victims into fake trading dashboards that displayed fabricated gains, and obstruct withdrawals by demanding fees and rerouting deposits into wallets and bank accounts controlled by the network. Authorities report proceeds moved through controlled wallets, shell companies, OTC brokers, online gambling fronts, property purchases, and crypto mining operations using rapid wallet hops, cross‑platform transfers, high‑risk exchanges, mixers, and cross‑chain swaps to obscure provenance. U.S. and U.K. officials imposed sanctions on Chen and affiliated entities and reported at least $100 million in property freezes including London real estate and other accounts under court orders. Law enforcement combined indictments, cross‑border arrest and extradition efforts, asset restraints, sanctions, wallet tracing, financial records, travel data, and on‑site evidence to build the case and to preserve assets for potential forfeiture. Officials allege beatings, confinement, and payments to officials that enabled movement of people and funds inside the compounds. 
Authorities and industry officials advised Web3 operators to strengthen adaptive KYC and AML controls, implement adaptive risk scoring and cross‑chain wallet analytics, integrate rapid screening for sanctioned entities and politically exposed persons, prepare playbooks for rapid freezes and law enforcement requests, preserve chain evidence during incident response, monitor exposure to high‑risk regions and counterparties, and tighten oversight and AML controls for OTC flows and third‑party vendors. Prosecutors can continue to pursue co‑conspirators, seek additional forfeiture, and expand sanction designations, and any U.S. trial or custody transfer depends on whether Chinese authorities agree to transfer custody or cooperate on evidence sharing; exchanges and service providers are advised to update transaction monitoring and counterparty screening and to treat linked funds and counterparties as high risk. Source: https://web3businessnews.com/crypto/chen-zhi-global-crypto-fraud/
Philippines and Australian Federal Police Sign Crypto Investigation Training Agreement
06:13|On January 5, 2026, at PAOCC headquarters in Camp Crame, Quezon City, the Philippine Anti Organized Crime Commission, led by Undersecretary Benjamin Acorda Jr., and Detective Superintendent Brad Marden of the Australian Federal Police signed an agreement to deliver cryptocurrency investigation training to Philippine law enforcement. The training curriculum links blockchain analysis, transaction tracing, illicit finance detection, and evidence preservation to legal process and regional cooperation and includes classroom instruction, hands-on labs, live case clinics, device forensics, and a train-the-trainer track. A memorandum of understanding is under review to formalize joint operations, information sharing, and tasking across cybercrime, drug trafficking, and money laundering, and coordination points include the January 2026 National Anti Crime Coordinating meeting and the June 2026 ASEANAPOL gathering to refine tasking, legal templates, and early case selections. Modules will cover blockchain fundamentals, tracing across chains and services including bridges and custodial endpoints, detection of cross-chain laundering and privacy services, analysis of transaction traces and on-chain events for DeFi exploits and smart contract theft, AI-assisted fraud patterns, and device forensics to link signing events and preserve chain of custody. The program will produce a standardized investigation playbook with documented attribution steps, chain-of-custody procedures, reproducible documentation, and evidence continuity from analytics platforms to courtroom exhibits, and will incorporate partnerships with registered virtual asset service providers and legal templates for subpoenas, MLAT requests, and freezing orders. 
Agencies identified operational metrics under consideration, including time to first tracing report, percentage of illicit funds identified, and days from referral to charge, and plan to use shared tooling and playbooks to speed case building and asset recovery and to coordinate earlier preservation and freezing actions across jurisdictions. AFP support will extend to regional forums, including co-hosting the Pacific Organised Crime Summit in Fiji from May 17 to 22, 2026, and coordination with partners such as Five Eyes, INTERPOL, UNODC, and ASEANAPOL. The agreement signals that exchanges, custodians, and analytics vendors will receive standardized evidence packages and preservation requests, and firms are advised to update incident response and compliance playbooks, maintain current contact lists and escalation tiers, log activity in formats suitable for legal use, and rehearse cross-chain tracing handoffs. Immediate priorities are finalizing the MOU, delivering a repeatable investigation curriculum, and launching pilot cohorts across PAOCC and partner agencies to build sustained investigative capabilities. Source: https://web3businessnews.com/crypto/paocc-afp-crypto-training-ph/
Kontigo blocks vulnerability and reimburses roughly $341,000 after breach
04:42|Kontigo detected unauthorized access over the weekend and announced the incident on January 5 via X, reporting that attackers drained about $340,900–$341,000, primarily in USDC, from 1,005 customer wallets and that CEO Jesus A. Castillo had a personal account compromised. Engineers identified and isolated the vulnerability, disabled the affected access path, rotated credentials and keys, tightened access policies, added rate limits, withdrawal checks and session controls, and traced fund flows to support recovery efforts. Kontigo completed full reimbursement from corporate funds and reported that impacted wallets now reflect restored balances; the company said attackers have been identified and that services remained available while additional monitoring and customer support addressed residual tickets. Kontigo reported it is conducting a deeper internal review. The company is YC-backed, founded in 2023, reported more than one million monthly active users, reported processing over $1 billion, reported roughly $30 million in annualized revenue, and closed a $20 million seed round on December 22, 2025, led by FoundersX Ventures; it is expanding dollar accounts, remittances, and merchant payments across multiple Latin American markets, including Venezuela. Kontigo previously faced scrutiny tied to frozen intermediary accounts, and cross-border dollar flows in Latin America are subject to AML and sanctions oversight. Expected follow-ups include a detailed post-mortem, third-party security reviews, published upgrades to authentication, session security and key management, and verification of reimbursement and legal or recovery steps against the attackers. Source: https://web3businessnews.com/crypto/kontigo-stablecoin-hack-repay/