162 hack event(s)
Description of the event: SUNRAY FINANCE experienced a private key compromise, allowing the exploiter to gain control of the SUN and ARC tokens and sell them off, draining the funds from DEX pairs. So far, the attacker has stolen approximately $2.855 million.
Amount of loss: $ 2,855,000 Attack method: Private Key Leakage
Description of the event: According to on-chain detective ZachXBT on his personal channel, cryptocurrency exchange M2 was hacked, resulting in the theft of approximately $13 million from several on-chain hot wallets.
Amount of loss: $ 13,700,000 Attack method: Unknown
Description of the event: During a routine GM token burn, Aark Digital encountered a callback error due to a third-party contract modification. To resolve this, Aark Digital initiated a contract upgrade and GM delisting to adjust affected user balances. Users holding GM were required to convert GM to USDC. Aark Digital ran a script to process these conversions, receiving inputs like target user, amount, token address, and decimals from event data. While executing, a single user’s USD Value shifted erroneously from 0.498942 to 498,942 * (10 ^ 12), due to an incorrect balance update (not from a deployed contract error). Exploiting this security vulnerability, the attacker caused Aark Digital a loss of 1,499,841 USDC and 159.09 ETH.
Amount of loss: $ 1,900,000 Attack method: Incorrect Balance Update
Description of the event: Scroll-based DEX protocol Ambient Finance announced on the X platform that its domain had been hijacked. Until further notice, please do not interact with the Ambient Finance frontend.
Amount of loss: - Attack method: DNS Hijacking Attack
Description of the event: According to the announcement from BingX, at around 4 AM Singapore time on September 20, BingX's security systems detected an unauthorized intrusion targeting one of their hot wallets.
Amount of loss: $ 45,000,000 Attack method: Unknown
Description of the event: Indonesian crypto exchange Indodax suffered an attack a few hours ago, with the hacker stealing various tokens from hot wallets. The total loss is approximately $22 million. According to the analysis by the SlowMist security team, the possibility that the hot wallet has been compromised can be ruled out. It is possible that the withdrawal system has been hacked.
Amount of loss: $ 22,000,000 Attack method: Unknown
Description of the event: Blast ecosystem DEX MonoSwap disclosed on Twitter that the platform has been hacked. Users are advised not to add liquidity or stake. If you have any staking positions, please withdraw them immediately to avoid financial loss.
Amount of loss: $ 1,300,000 Attack method: Malicious Software
Description of the event: On July 23, the dydx.exchange domain was discovered to have been compromised. The attacker changed the DNS Nameservers from Cloudflare to DDoS-Guard. The attacker also successfully removed the DNSSEC settings on the domain. The attacker hosted a malicious site which requested that any connected wallets transfer ETH and other ERC20 tokens to the attacker’s Ethereum address. Two users were affected, resulting in a loss of approximately $31,000.
Amount of loss: $ 31,000 Attack method: DNS Hijacking Attack
Description of the event: The cryptocurrency exchange WazirX posted preliminary investigation results of the cyber attack on Twitter, stating that one of its multisig wallets was compromised, resulting in a loss of over $230 million.
Amount of loss: $ 230,000,000 Attack method: Wallet Stolen
Description of the event: The Turkish cryptocurrency exchange BtcTurk has acknowledged that they suffered a hack that impacted ten hot wallets containing multiple cryptocurrencies. The exchange halted deposits and withdrawals while investigating, and said they are working with law enforcement. Furthermore, the exploiter sold substantial amounts of some cryptocurrencies, including Luna Classic, causing major price movements in those tokens.
Amount of loss: $ 90,000,000 Attack method: Network Attack
Description of the event: On June 14, NFT perpetual contract trading platform nftperp announced on Twitter that a critical bug had been found in the clearingHouse contract. All vulnerable contracts have been suspended until further notice. On June 15, nftperp stated that all funds lost due to the vulnerability had been successfully recovered. The developers are currently prioritizing the resumption of the contracts so trading and withdrawal can go live.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: Lykke, the zero-fee crypto exchange, was suspected to have been exploited, resulting in a loss of assets worth over $22.4 million. The root cause of the exploit is unknown at the moment, and the team has yet to acknowledge the occurrence of the exploit. The stolen assets include roughly 158 BTC from the Bitcoin network and over 2161 ETH from the Ethereum Mainnet, among other assets.
Amount of loss: $ 22,400,000 Attack method: Unknown
Description of the event: DEX Velocore experienced a security breach on June 2nd, 2024, resulting in financial losses of approximately $6.8 million in ETH. The primary cause of the incident was faulty logic within the velocore__execute() function of the ConstantProductPool. When a user makes a swap on Velocore, the Vault contract makes an external call to this function to calculate the result of the swap.
Amount of loss: $ 6,800,000 Attack method: Contract Vulnerability
Description of the event: DMM Bitcoin, a Japanese cryptocurrency exchange, announced it lost 48 billion yen ($305 million) worth of bitcoin (BTC) due to a hack.
Amount of loss: $ 305,000,000 Attack method: Unknown
Description of the event: On May 14th, the decentralized trading protocol Equalizer Exchange within the Fantom ecosystem was suspected to have been attacked. The official team tweeted that they are investigating the incident and advised users not to interact with the Equalizer Exchange frontend. On May 15th, Equalizer Exchange announced that the domain has been restored.
Amount of loss: - Attack method: Unknown
Description of the event: Crypto detective ZachXBT stated on his Telegram channel that the Middle Eastern cryptocurrency exchange Rain appears to have been hacked, resulting in a loss of $14.8 million USD. The breach occurred on April 29, 2024, when Rain's BTC, ETH, SOL, and XRP wallets experienced suspicious outflows of funds, which were quickly transferred to instant exchanges and converted into BTC and ETH.
Amount of loss: $ 14,800,000 Attack method: Unknown
Description of the event: FixedFloat, a decentralized exchange, tweeted that they have encountered another attack, with hackers exploiting vulnerabilities in their third-party services. The company assured that both company and user funds remain unaffected.
Amount of loss: $ 3,000,000 Attack method: Third-party Vulnerability
Description of the event: Decentralized exchange (DEX) aggregator ParaSwap announced the discovery of a critical vulnerability affecting its approved aggregation smart contract Augustus V6. This vulnerability impacts users who have authorized the Augustus V6 contract. In response, ParaSwap has temporarily halted the V6 API and employed white-hat attack methods to ensure the safety of user funds. These funds have been transferred to a secure wallet starting with 0x66E90 and are slated to be returned to users promptly. Additionally, ParaSwap urges users to revoke authorization for the Augustus V6 contract to mitigate potential risks. Currently, 4 addresses are known to have been affected by this vulnerability, resulting in a total loss of approximately $24,000. ParaSwap is taking measures to address and fix this vulnerability while ensuring the safety of user funds.
Amount of loss: $ 24,000 Attack method: Contract Vulnerability
Description of the event: BitForex, a cryptocurrency exchange headquartered in Hong Kong, has closed access to its platform after approximately $56.5 million in suspicious funds outflow occurred across multiple blockchains. Blockchain detective ZachXBT was the first to notice the withdrawals, noting that the exchange has halted withdrawals and has not responded to customer support inquiries. These fund outflows appear to be an exit scam rather than an external attack, especially considering the lack of communication and the exchange's questionable status. The company faced regulatory scrutiny in Japan in mid-2023 for operating without a license and was accused of inflating trading volumes. Its CEO resigned in January, promising a transition to a new team.
Amount of loss: $ 56,500,000 Attack method: Rug Pull
Description of the event: According to on-chain data, the cryptocurrency exchange FixedFloat appears to have been exploited, resulting in the theft of approximately $26.1 million worth of Bitcoin and Ethereum. On February 18th, FixedFloat tweeted: "We confirm that there was indeed a hack and theft of funds. We are not yet ready to make public comments on this matter, as we are working to eliminate all possible vulnerabilities, improve security, and investigate. Our service will be available again soon. We will provide details on this case a little later."
Amount of loss: $ 26,100,000 Attack method: Third-party Vulnerability