2048 hack event(s)
Description of the event: Based on monitoring by CertiK Alert, the Hyperbridge gateway contract fell victim to an exploit. The attacker utilized forged messages to manipulate administrative permissions of the Polkadot token contract on the Ethereum network. By minting 1 billion tokens without authorization and liquidating them, the attacker realized a profit of roughly $237,000.
Amount of loss: $ 237,000 Attack method: Message Forgery & Admin Privilege Tampering
Description of the event: The DeFi project Dango released an update three hours after disclosing a security incident last night, stating that the white-hat hacker has fully returned the stolen funds and received a bug bounty. User funds were not affected. The founder of Dango said that fixes will be deployed, additional security measures will be implemented, and preparations are underway to restart the blockchain. According to the earlier announcement, the attacker exploited a logic flaw in the insurance fund to steal USDC collateral. The vulnerability arose because the insurance fund allowed anyone to make donations but failed to verify that the donation amount was positive. Thanks to rate limits on the cross-chain bridge, the attacker was only able to bridge $410,000 worth of USDC to Ethereum, while the remaining $1.49 million stayed on Dango and was successfully recovered. The vulnerability has now been fixed and does not affect other trading system functions such as order matching, PnL settlement, or liquidation.
Amount of loss: $ 1,900,000 Attack method: Smart contract business logic vulnerability
Description of the event: Decentralized perpetual futures trading platform Denaria announced on X that it suffered a smart contract attack yesterday, resulting in a loss of approximately $165,000. The team is currently working with Linea and auditing partners to investigate the incident and will release a full post-mortem report as soon as possible.
Amount of loss: $165,000 Attack method: smart contract attack
Description of the event: According to ExVul monitoring, a TMM/USDT reserve manipulation attack occurred on the BSC (BNB Chain), resulting in a loss of approximately 1.665 million USDT. The attacker utilized flash loans from Lista DAO Moolah, Venus, Aave V3, PancakeSwap Vault, and Uniswap PoolManager to manipulate the TMM/USDT trading pair. By burning TMM to a dead address, the attacker reduced the pair's reserve to just 1 TMM, subsequently swapping 850 million TMM for approximately 272 million USDT. After repaying all flash loans, the attacker transferred a net profit of roughly 1.665 million USDT to associated addresses.
Amount of loss: $ 1,665,000 Attack method: Reserve Manipulation Attack
Description of the event: DeFi lending protocol HypurrFi tweeted that the hypurr.fi domain has been hijacked. The team has migrated its infrastructure to hypurrfi .com. The protocol itself, user funds, and team infrastructure remain unaffected.
Amount of loss: 0 Attack method: Domain Hijacking
Description of the event: GoPlus has issued a security alert regarding a suspected cyberattack on Adobe, involving the potential leak of approximately 13 million users' data. Affected users may face heightened risks, including phishing emails or calls impersonating Adobe customer support, precision social engineering scams leveraging leaked ticket information, and credential stuffing attacks.
Amount of loss: - Attack method: Supply Chain Attack
Description of the event: According to ZachXBT, the Trust Wallet Discord vanity URL (discord[.]gg/trustwallet) has been hijacked and currently directs users to a phishing server. Users are advised to avoid using links from official channels—including the official website, Telegram, and blogs—to join the Discord at this time.
Amount of loss: 0 Attack method: Infrastructure Hijacking
Description of the event: According to The Block, the Solana-based decentralized exchange Drift Protocol has been hit by a major exploit, with losses totaling at least $200 million. Some estimates suggest the figure is closer to $270 million, making it the second-largest DeFi security breach in the Solana ecosystem, trailing only the Wormhole bridge hack. The attack targeted multiple Drift vaults, including JLP Delta Neutral, SOL Super Staking, and BTC Super Staking. On-chain data reveals that the attacker swapped the stolen assets for USDC via Jupiter, then bridged them to Ethereum to purchase ETH. As of 17:45 UTC, the attacker held approximately 19,913 ETH (worth roughly $42 million). Drift stated they are currently investigating the "abnormal activity" and have advised users to suspend all deposits. Subsequently, according to PeckShield's statistics, Drift Protocol suffered losses exceeding $285 million in the attack.
Amount of loss: $ 285,000,000 Attack method: Unknown
Description of the event: A spokesperson for Galaxy Digital disclosed that the company recently contained a cybersecurity incident. Unauthorized access was strictly limited to an isolated development and testing environment; production systems, trading platforms, and customer accounts remained unaffected. The company quickly detected and contained the intrusion. The affected area was a standalone R&D environment unrelated to core infrastructure, resulting in a loss of less than $10,000 in corporate testing funds. Following a review, it was confirmed that no customer funds or account information were accessed or at risk, and all platforms and services remain fully operational. Galaxy stated they will continue to review the incident and provide updates as appropriate.
Amount of loss: $ 10,000 Attack method: Unknown
Description of the event: According to BlockSec monitoring, an unknown contract on the BSC (BNB Smart Chain)—suspected to be the LML/USDT staking protocol—has been exploited for approximately $950,000. Analysis indicates the vulnerability stems from a pricing design flaw: claimable rewards are calculated based on TWAP (Time-Weighted Average Price) or snapshot prices, allowing the attacker to sell reward tokens at manipulated spot prices. The attacker first pushed up the price of LML by executing trades through a path that included a zero-address recipient. Subsequently, they invoked the claim function via an address where tokens had been previously deposited, directly capturing the rewards during the exploit.
Amount of loss: $ 950,000 Attack method: Price Manipulation & Oracle Arbitrage Exploit
Description of the event: Steakhouse Financial disclosed yesterday that it was targeted by a phone-based social engineering attack against its provider, OVH Cloud. The attacker modified the DNS A records of the main website and app subdomains to point to a malicious IP address and attempted to initiate a 5-day domain transfer. These changes have now been reverted, and the DNS records have been cleared. The team is currently working with OVH Cloud to fully resolve the issue. No vaults or smart contracts were affected, and depositor funds remain safe. No other service accounts were compromised. Users are advised not to interact with the official website or emails until the issue is fully resolved. A detailed post-incident report will be released as soon as possible. Earlier today, Steakhouse Financial further stated that during the period when the website’s DNS records were cleared, vaults remained accessible directly via Morpho, with all functions, including deposits and withdrawals, operating normally. A confirmation will be provided once the frontend is fully restored.
Amount of loss: - Attack method: Social Engineering
Description of the event: Huma Finance issued a warning on X stating that the official X account of its partner Arf, @arf_one, has been compromised. Please refrain from interacting with any posts from that account until it has been fully secured.
Amount of loss: 0 Attack method: Account Compromised
Description of the event: Socket has detected an active supply chain attack targeting version 1.14.1 of the core npm package, axios. The attacker injected malicious code into axios by introducing a malicious dependency that first appeared today. Developers using axios are advised to pin their versions immediately and review their project lockfiles.
Amount of loss: 0 Attack method: Supply Chain Attack
Description of the event: According to monitoring by BlockSec Phalcon, a suspicious transaction targeting an unknown contract (Stake) on the BSC chain has been detected, resulting in a loss of approximately $133,000. The attacker exploited a spot price dependency vulnerability within the Stake contract. By manipulating the price of TUR in the TUR-NOBEL pool and subsequently staking TUR, the attacker triggered reward calculations based on the artificially inflated price. They then claimed the amplified rewards through a referral account and ultimately profited by swapping the stolen TUR for USDT.
Amount of loss: $ 133,000 Attack method: Oracle Manipulation
Description of the event: According to The Block, DeFi lending protocol Moonwell is facing a governance attack on its Moonriver deployment, where an unknown attacker spent approximately $1,800 to acquire 40 million MFAM tokens and managed to buy, propose, and pass an initial vote within just 11 minutes. The attacker is seeking to transfer administrative control of seven lending markets, the comptroller, and the oracle to a malicious contract, which would enable the extraction of roughly $1.08 million in user funds. Although the proposal reached a quorum early on, "No" votes have since taken the lead, and while the voting is set to continue until March 27, the final outcome remains dependent on the remaining votes and community coordination.
Amount of loss: 0 Attack method: Governance Attack
Description of the event: SlowMist's CISO 23pds warned on X: "A major supply chain attack has hit LiteLLM (97M monthly downloads) via PyPI. Simply executing pip install litellm allows attackers to steal sensitive data: SSH keys, cloud logins (AWS/GCP/Azure), K8s configs, Git credentials, API keys, shell history, crypto wallets, and DB passwords."
Amount of loss: - Attack method: PyPI Supply Chain Attack
Description of the event: According to BlockSec Phalcon's monitoring, the BCE-USDT pool on PancakeSwap (BSC chain) was exploited a few hours ago, resulting in a loss of approximately $679,000. The root cause lies in a vulnerability within the BCE token's burn mechanism. The attacker deployed two malicious contracts to bypass buy/sell restrictions and trigger the token burn, ultimately extracting about $679,000 from the pool by manipulating its reserves.
Amount of loss: $ 679,000 Attack method: AMM Reserve Manipulation
Description of the event: According to Decrypt, Bitcoin ATM operator Bitcoin Depot disclosed in a filing with the U.S. Securities and Exchange Commission that it experienced a security breach on March 23. Approximately 50.9 BTC, valued at around $3.665 million, was stolen by attackers. The hackers infiltrated the company’s IT systems and obtained credentials for its digital asset settlement accounts, enabling unauthorized fund transfers. Bitcoin Depot stated that it has activated its incident response procedures, engaged external cybersecurity experts to investigate the attack vector and secure remaining assets, and notified law enforcement authorities. The company also noted that its customer platform and user data were not affected by the breach.
Amount of loss: $ 3,665,000 Attack method: Credential Compromise
Description of the event: PeckShield alerted on X that Resolv Labs’ stablecoin, $USR, has seen multiple suspicious large-scale minting events. A total of $80 billion worth of USR has been minted so far.
Amount of loss: $ 25,000,000 Attack method: Contract Vulnerability
Description of the event: The DeFi protocol Neutrl announced on platform X that its frontend appears to have been compromised and that the team is conducting an urgent investigation. Out of an abundance of caution, the official advisory recommends that users refrain from interacting with the website until further updates are released. Additionally, Neutrl urged users to immediately revoke Permit2 approvals for relevant addresses via Revoke.cash. Users were also reminded to check and revoke approvals granted to other suspicious addresses to mitigate potential asset risks. Subsequently, Neutrl's preliminary investigation revealed that the DNS provider hosting the application's domain was subjected to a social engineering attack, resulting in the redirection of the domain by the attackers.
Amount of loss: - Attack method: DNS Hijacking