2055 hack event(s)
Description of the event: Vercel CEO Guillermo Rauch stated on X that the company is currently conducting a full investigation into a security incident. The incident originated from a compromise of Context.ai, an AI platform used by a Vercel employee. This breach led to the attacker gaining access to the employee’s Google Workspace account associated with Vercel. From there, the attacker carried out a series of actions that further escalated access within the environment. Vercel clarified that all customer environment variables are fully encrypted at rest. However, the platform allows some variables to be explicitly marked as “non-sensitive.” The attacker was able to enumerate these and leverage them to gain additional access. The company noted that the speed of the attacker’s actions and their understanding of Vercel’s architecture were beyond expectations.
Amount of loss: -
Attack method: Supply Chain Attack
Description of the event: LayerZero issued a statement saying that on April 18, KelpDAO suffered an attack resulting in approximately $290 million in losses. The incident is initially assessed to have been carried out by a highly sophisticated nation-state actor, suspected to be the TraderTraitor subgroup of North Korea’s Lazarus Group. The attack was completely isolated to KelpDAO’s rsETH configuration and was caused by its use of a single DVN (Decentralized Verifier Network) setup. The LayerZero protocol itself was not exploited, and no other cross-chain assets or applications were affected. The core of the attack involved the hacker compromising downstream RPC infrastructure used by LayerZero’s DVN. The attacker obtained the RPC node list used by the DVN, then infiltrated two independent RPC nodes. They replaced the op-geth binary and used a custom payload to forge messages. This setup allowed the attacker to display false data only to the DVN, while showing correct data to other observers, including LayerZero Scan. The attacker then launched a DDoS attack against the uncompromised RPC nodes, forcing a failover to the poisoned RPC nodes. As a result, the DVN accepted the falsified messages, enabling the attack to succeed. After the attack was completed, the attacker removed the malicious binaries, logs, and configuration files. LayerZero has since decommissioned all affected RPC nodes, replaced them, and confirmed that the DVN has returned to normal operation.
Amount of loss: $292,000,000
Attack method: RPC Poisoning Attack combined with DDoS-induced Failover
Description of the event: Vitalik Buterin stated on X that the DNS registrar for eth.limo has been attacked. He advised users to temporarily avoid accessing vitalik.eth.limo or any other eth.limo-related pages until official confirmation is given that the issue has been resolved and services are back to normal.
Amount of loss: -
Attack method: DNS hijacking
Description of the event: According to CertiK, a security incident occurred in the NEAR ecosystem DeFi protocol Rhea Finance. The attacker created multiple fake token contracts and added liquidity to newly created pools, allegedly misleading the protocol’s oracle and validation layers, thereby extracting at least approximately $7.6 million in assets from the related pools.
Amount of loss: $7,600,000
Attack method: Oracle Manipulation Attack
Description of the event: According to The Block, Grinex, an exchange registered in Kyrgyzstan with ties to the Russian crypto market, has suspended withdrawals and trading following a large-scale cyberattack. A statement on the exchange’s website said that more than 1 billion rubles (approximately $13.1 million) were stolen, describing the attack as a “coordinated operation aimed at undermining Russia’s financial sovereignty,” requiring resources and capabilities exclusive to “hostile states” to carry out.
Amount of loss: $13,100,000
Attack method: Infrastructure Compromise
Description of the event: Blockchain security firm Blockaid reported that its system has detected a front-end attack on the decentralized exchange CoW Swap, and that cow.fi has been flagged as a malicious site. Blockaid warned that users who have previously connected their wallets to CoW Swap should immediately revoke any related contract approvals via their wallets or security tools, and refrain from interacting with cow.fi until the issue is resolved to prevent potential asset loss. Subsequently, CoW DAO issued a statement confirming that the CoW Swap front end (swap.cow.fi) is currently experiencing issues. The team is actively investigating and advised users to temporarily avoid using the platform for trading. On April 16, it was reported that CoW Swap announced on X (formerly Twitter) that it has regained control of the cow.fi domain and has been operating normally on cow.finance for some time. The platform is now gradually transitioning back to its original domain.
Amount of loss: $1,200,000
Attack method: Supply-chain attack
Description of the event: Based on monitoring by CertiK Alert, the Hyperbridge gateway contract fell victim to an exploit. The attacker used forged messages to manipulate the administrative permissions of the Polkadot token contract on the Ethereum network. By minting 1 billion tokens without authorization and liquidating them, the attacker realized a profit of roughly $237,000. On April 16, it was reported that, according to an official announcement from Hyperbridge, its token gateway was attacked on April 13. The estimated losses have been revised from approximately $237,000 to about $2.5 million, mainly affecting incentive liquidity pools on Ethereum, Base, BNB Chain, and Arbitrum.
Amount of loss: $2,500,000
Attack method: Message Forgery & Admin Privilege Tampering
Description of the event: The DeFi project Dango released an update three hours after disclosing a security incident last night, stating that the white-hat hacker has fully returned the stolen funds and received a bug bounty. User funds were not affected. The founder of Dango said that fixes will be deployed, additional security measures will be implemented, and preparations are underway to restart the blockchain. According to the earlier announcement, the attacker exploited a logic flaw in the insurance fund to steal USDC collateral. The vulnerability arose because the insurance fund allowed anyone to make donations but failed to verify that the donation amount was positive. Thanks to rate limits on the cross-chain bridge, the attacker was only able to bridge $410,000 worth of USDC to Ethereum, while the remaining $1.49 million stayed on Dango and was successfully recovered. The vulnerability has now been fixed and does not affect other trading system functions such as order matching, PnL settlement, or liquidation.
Amount of loss: $1,900,000
Attack method: Smart contract business logic vulnerability
Description of the event: An employee device at Zerion was compromised through an AI-driven social engineering attack, allegedly linked to a DPRK-associated advanced persistent threat (APT) group. The attacker successfully obtained the employee’s logged-in sessions, account credentials, and private keys to company hot wallets used for internal testing and operations, and subsequently transferred approximately $100,000 from multiple internal hot wallets. No user funds were affected in this incident, and Zerion’s products, mobile applications, and backend infrastructure were not compromised. The attack was limited to an employee device and internal company hot wallet systems. Following the incident, the team proactively took down the web application and carried out full credential rotation, device security reviews, and infrastructure hardening measures to prevent further risk exposure.
Amount of loss: $100,000
Attack method: AI-enabled Social Engineering Attack
Description of the event: Decentralized perpetual futures trading platform Denaria announced on X that it suffered a smart contract attack yesterday, resulting in a loss of approximately $165,000. The team is currently working with Linea and auditing partners to investigate the incident and will release a full post-mortem report as soon as possible.
Amount of loss: $165,000
Attack method: Smart contract attack
Description of the event: According to ExVul monitoring, a TMM/USDT reserve manipulation attack occurred on the BSC (BNB Chain), resulting in a loss of approximately 1.665 million USDT. The attacker utilized flash loans from Lista DAO Moolah, Venus, Aave V3, PancakeSwap Vault, and Uniswap PoolManager to manipulate the TMM/USDT trading pair. By burning TMM to a dead address, the attacker reduced the pair's reserve to just 1 TMM, subsequently swapping 850 million TMM for approximately 272 million USDT. After repaying all flash loans, the attacker transferred a net profit of roughly 1.665 million USDT to associated addresses.
Amount of loss: $1,665,000
Attack method: Reserve Manipulation Attack
Description of the event: DeFi lending protocol HypurrFi tweeted that the hypurr.fi domain has been hijacked. The team has migrated its infrastructure to hypurrfi.com. The protocol itself, user funds, and team infrastructure remain unaffected.
Amount of loss: 0
Attack method: Domain Hijacking
Description of the event: GoPlus has issued a security alert regarding a suspected cyberattack on Adobe, involving the potential leak of approximately 13 million users' data. Affected users may face heightened risks, including phishing emails or calls impersonating Adobe customer support, precision social engineering scams leveraging leaked ticket information, and credential stuffing attacks.
Amount of loss: -
Attack method: Supply Chain Attack
Description of the event: According to ZachXBT, the Trust Wallet Discord vanity URL (discord[.]gg/trustwallet) has been hijacked and currently directs users to a phishing server. Users are advised to avoid using links from official channels—including the official website, Telegram, and blogs—to join the Discord at this time.
Amount of loss: 0
Attack method: Infrastructure Hijacking
Description of the event: According to The Block, the Solana-based decentralized exchange Drift Protocol has been hit by a major exploit, with losses totaling at least $200 million. Some estimates suggest the figure is closer to $270 million, making it the second-largest DeFi security breach in the Solana ecosystem, trailing only the Wormhole bridge hack. The attack targeted multiple Drift vaults, including JLP Delta Neutral, SOL Super Staking, and BTC Super Staking. On-chain data reveals that the attacker swapped the stolen assets for USDC via Jupiter, then bridged them to Ethereum to purchase ETH. As of 17:45 UTC, the attacker held approximately 19,913 ETH (worth roughly $42 million). Drift stated they are currently investigating the "abnormal activity" and have advised users to suspend all deposits. Subsequently, according to PeckShield's statistics, Drift Protocol suffered losses exceeding $285 million in the attack.
Amount of loss: $285,000,000
Attack method: Unknown
Description of the event: A spokesperson for Galaxy Digital disclosed that the company recently contained a cybersecurity incident. Unauthorized access was strictly limited to an isolated development and testing environment; production systems, trading platforms, and customer accounts remained unaffected. The company quickly detected and contained the intrusion. The affected area was a standalone R&D environment unrelated to core infrastructure, resulting in a loss of less than $10,000 in corporate testing funds. Following a review, it was confirmed that no customer funds or account information were accessed or at risk, and all platforms and services remain fully operational. Galaxy stated they will continue to review the incident and provide updates as appropriate.
Amount of loss: $10,000
Attack method: Unknown
Description of the event: According to BlockSec monitoring, an unknown contract on the BSC (BNB Smart Chain)—suspected to be the LML/USDT staking protocol—has been exploited for approximately $950,000. Analysis indicates the vulnerability stems from a pricing design flaw: claimable rewards are calculated based on TWAP (Time-Weighted Average Price) or snapshot prices, allowing the attacker to sell reward tokens at manipulated spot prices. The attacker first pushed up the price of LML by executing trades through a path that included a zero-address recipient. Subsequently, they invoked the claim function via an address where tokens had been previously deposited, directly capturing the rewards during the exploit.
Amount of loss: $950,000
Attack method: Price Manipulation & Oracle Arbitrage Exploit
Description of the event: Steakhouse Financial disclosed yesterday that it was targeted by a phone-based social engineering attack against its provider, OVH Cloud. The attacker modified the DNS A records of the main website and app subdomains to point to a malicious IP address and attempted to initiate a 5-day domain transfer. These changes have now been reverted, and the DNS records have been cleared. The team is currently working with OVH Cloud to fully resolve the issue. No vaults or smart contracts were affected, and depositor funds remain safe. No other service accounts were compromised. Users are advised not to interact with the official website or emails until the issue is fully resolved. A detailed post-incident report will be released as soon as possible. Earlier today, Steakhouse Financial further stated that during the period when the website’s DNS records were cleared, vaults remained accessible directly via Morpho, with all functions, including deposits and withdrawals, operating normally. A confirmation will be provided once the frontend is fully restored.
Amount of loss: -
Attack method: Social Engineering
Description of the event: Huma Finance issued a warning on X stating that the official X account of its partner Arf, @arf_one, has been compromised. Please refrain from interacting with any posts from that account until it has been fully secured.
Amount of loss: 0
Attack method: Account Compromised
Description of the event: Socket has detected an active supply chain attack targeting version 1.14.1 of the core npm package, axios. The attacker injected malicious code into axios by introducing a malicious dependency that first appeared today. Developers using axios are advised to pin their versions immediately and review their project lockfiles.
Amount of loss: 0
Attack method: Supply Chain Attack