386 hack event(s)
Description of the event: dTRINITY disclosed on X that yesterday, the dLEND deployment on Ethereum suffered its first deposit inflation attack. This incident drained the dUSD liquidity in the lending pool, resulting in approximately $257,000 in bad debt. The protocol has been temporarily paused, and the team is actively working on remediation measures. They have committed to covering 100% of the losses using internal funds. Repayment of the bad debt will begin within 24 hours of the announcement, after which dLEND is expected to resume operations. Deployments of dTRINITY on Fraxtal and Katana were not affected, and user funds remain safe. Each deployment maintains isolated reserves, collateral, and lending pools across different chains.
Amount of loss: $ 257,000 Attack method: Deposit Inflation Attack
Description of the event: The Bitcoin staking protocol Solv Protocol stated on X that its BRO Vault experienced a limited exploit. Fewer than 10 users were affected, with a loss of 38.0474 SolvBTC (approximately $2.7 million). Other vaults and user funds were not impacted, and mitigation measures have already been implemented to prevent similar incidents. The team has committed to fully covering the losses of the affected users. They also told the attacker that a 10% white-hat bounty will be offered if the funds are returned promptly. The attacker can contact the team via direct message or by sending an on-chain message to a designated address.
Amount of loss: $ 2,700,000 Attack method: Contract Vulnerability
Description of the event: Bitcoin payment service provider Bitrefill disclosed on X that it suffered a cyberattack on March 1, 2026, resulting in a customer data breach. The attack originated from a compromised employee laptop, which allowed the attacker to access parts of the company’s databases and cryptocurrency wallets. The investigation indicates that the attack methods closely resemble those previously used by the North Korean DPRK Lazarus Group / Bluenoroff hacking organization in targeting crypto companies. Approximately 18,500 purchase records were affected, involving limited customer information such as email addresses, crypto payment addresses, and IP metadata. Among these, around 1,000 records contained customer names stored in encrypted form, which may also have been accessed. Bitrefill stated that customers do not need to take specific action but are advised to remain vigilant for any suspicious communications. The company added that the affected systems have been shut down and isolated, and it is working with security experts, on-chain analysts, and law enforcement agencies. Operations have now largely returned to normal. Bitrefill emphasized that it remains financially strong and profitable, capable of absorbing the losses from this incident, and will continue strengthening its cybersecurity measures, including internal access controls, monitoring, and incident response mechanisms.
Amount of loss: - Attack method: Endpoint Compromise via Social Engineering
Description of the event: Scroll alerted on X that the X account of co-founder @shenhaichen has been compromised. They are actively working to recover the account and advise users not to interact with any links or direct messages.
Amount of loss: - Attack method: Account Compromise
Description of the event: According to an announcement from Paradex, the internal systems of the Mithril trading bot were compromised by an attacker, resulting in the exposure of approximately 57 user subkeys. While these subkeys do not allow withdrawals, they grant trading permissions and are commonly used to connect third-party applications and trading bots. Paradex has suspended all XP transfers and revoked all subkeys associated with Mithril. The affected users are limited to accounts that had previously authorized the Mithril bot. The team also reminded users to exercise caution when authorizing third-party services and to independently assess the associated risks.
Amount of loss: - Attack method: Unknown
Description of the event: According to a BlockSec alert, the SynapLogic contract lacked critical parameter validation in the swapExactTokensForETHSupportingFeeOnTransferTokens function, allowing attackers to manipulate the whitelist logic and designate arbitrary recipient addresses. In addition, the contract failed to verify whether the total amount of native tokens distributed exceeded the actual payment made, enabling attackers to withdraw excess native tokens while simultaneously receiving newly minted SYP, resulting in losses of approximately $186,000.
Amount of loss: $ 186,000 Attack method: Smart Contract Vulnerability
Description of the event: The blockchain verification protocol Truebit was suspected to have been hacked, losing 8,535 ETH, valued at approximately $26.44 million.
Amount of loss: $ 26,440,000 Attack method: Unknown
Description of the event: CertiK Alert tweeted that the X account of Darren Lau, founder of The Daily Ape, has been compromised by hackers. The CertiK security team warns users not to click any links or approve any transactions before control of the account is restored, and to remain vigilant.
Amount of loss: - Attack method: The X account was hacked
Description of the event: The X (formerly Twitter) account of Bitlight Labs, a Bitcoin RGB protocol and Lightning Network stablecoin payment infrastructure provider, was suspected of being compromised and posted content related to a meme token.
Amount of loss: - Attack method: Account Compromise
Description of the event: The Unleash Protocol project deployed on Story Protocol suffered an unauthorized contract upgrade, followed by the malicious transfer of user assets. The attacker manipulated the project’s multisig governance privileges to perform the upgrade, resulting in the theft and cross-chain transfer of assets including WIP, USDC, WETH, stIP, and vIP to external addresses. The currently confirmed loss is approximately USD 3.9 million. Unleash has suspended all operations and initiated a full investigation and audit process, urging users to refrain from interacting with its contracts. Story Protocol itself remains unaffected.
Amount of loss: $ 3,900,000 Attack method: Privilege compromise
Description of the event: SlowMist founder Cos stated on the X platform that the team is currently following up on the DeBot incident and monitoring on-chain activity. According to him, users’ private keys associated with DeBot have been compromised, and the hacker has so far profited approximately $255,000, with theft still ongoing. Previously, in response to community claims that the DeBot wallet may have been hacked and user funds stolen, the DeBot official team said that the secure wallet addresses are operating normally and have not been affected. They added that they have noticed the issue concerning certain addresses and are actively following up and handling the matter. On December 30, all compensation applications for Debot were fully processed and issued. The team stated that if any security issues occur in the future, they will continue to uphold a 100% compensation commitment.
Amount of loss: $ 255,000 Attack method: Private Key Leakage
Description of the event: The 0G Foundation posted on X that a targeted attack on December 11 resulted in a breach of their reward contract. The attacker exploited the emergency withdrawal function of the 0G reward contract, which is used for distributing alliance rewards, stealing 520,010 $0G tokens, 9.93 ETH, and $4,200 worth of USDT. These tokens were subsequently bridged and dispersed through Tornado Cash. Due to a critical vulnerability in Next.js (CVE-2025-66478) exploited on December 5, the attacker moved laterally via internal IP addresses, affecting services including the Alignment service, Validator nodes, Gravity NFT service, Node Sales service, Compute, Aiverse, Perpdex, Ascend, and others. However, the core chain infrastructure and user funds remained unaffected.
Amount of loss: $ 520,000 Attack method: Private Key Leakage
Description of the event: According to an announcement by Almanak, during today’s airdrop, operational errors and a DDoS attack caused delays in claims and failures in wallet deployment. The claim function was originally scheduled to open at 12:15 UTC, but was actually delayed until 12:35 UTC. About 1,100 users encountered a “PENDING” status issue while creating wallets. The team has restored the system, cleared the backlog, and confirmed that users’ tokens remain safe and intact.
Amount of loss: - Attack method: DDoS Attack
Description of the event: According to cybersecurity firm Blockaid, the official website of the meme coin PEPE was compromised by attackers, who modified the website’s front-end code, causing users visiting the site to be redirected to a malicious page.
Amount of loss: - Attack method: Supply Chain Attack
Description of the event: According to Finance Feeds, hackers exploited a vulnerability in the React JavaScript library to inject code into websites that steals funds from cryptocurrency wallets, primarily targeting cryptocurrency platforms. On December 3, the React team released a patch for CVE-2025-55182, a vulnerability that allowed unauthenticated code to execute on remote computers. The React team strongly advised all affected modules to upgrade immediately to prevent further exploitation.
Amount of loss: - Attack method: Remote Code Execution Vulnerability
Description of the event: The decentralized AI data network Port3 Network disclosed on X that its token PORT3 was maliciously minted by a hacker exploiting a cross-chain bridge vulnerability. According to on-chain analyst Yujin, the attacker used a contract flaw in the BridgeIn cross-chain bridge to mint 1 billion PORT3 tokens. The hacker then sold 162.75 million of these tokens on-chain, receiving 199.5 BNB (approximately USD 166,000) and causing the PORT3 price to plunge by 76%. Port3 Network later released an incident report explaining that the root cause stemmed from its use of NEXA Network’s CATERC20 cross-chain token solution. CATERC20 contains a boundary-condition validation vulnerability: after token ownership is renounced, a key function returns a value of 0, which unintentionally satisfies the ownership check condition. This results in permission verification failure, allowing attackers to perform privileged operations—including unauthorized token minting—without proper authorization. Notably, this issue was not identified in the CATERC20 audit report. Since Port3 had previously renounced ownership of the token to achieve greater decentralization, it remained vulnerable to this flaw. Following the incident, the Port3 team urgently removed the remaining on-chain liquidity, and several centralized exchanges suspended PORT3 deposits. Unable to continue selling, the attacker burned the remaining 837.25 million unsold PORT3 tokens approximately 40 minutes earlier.
Amount of loss: $ 830,000 Attack method: Contract Vulnerability
Description of the event: According to a WLFI announcement, prior to the platform’s official launch, some user wallets were compromised due to phishing attacks or mnemonic phrase leaks. WLFI emphasized that the incident was not caused by any platform or smart contract vulnerability, but originated from third-party security issues. The team has developed new smart contract logic that allows assets to be reassigned to secure new wallets after completing KYC verification. Wallets that have not submitted a request or failed verification will remain frozen, though users can initiate the recovery process through customer support. According to Emmett Gallic, World Liberty Fi burned a total of 166.67 million WLFI tokens (worth approximately $22.14 million) from a suspected compromised wallet and reallocated an equal amount of tokens to a new secure address.
Amount of loss: - Attack method: Phishing Attack & Private Key Leakage
Description of the event: SlowMist founder Cos reminded users of the NOFX AI open-source automated trading system to be aware of potential security risks. Although the NOFX AI open-source work has shown good intentions, real theft incidents have already occurred, and some users’ wallet private keys as well as CEX/DEX API keys have been leaked as a result. Cos confirmed that this vulnerability also affects the wallet private key security of Aster users. He stated that SlowMist has collaborated with relevant security teams to notify affected users as much as possible to help reduce risks, and advised users to stay vigilant and take timely security measures.
Amount of loss: - Attack method: Private Key Leakage
Description of the event: Sui’s official X account issued a reminder stating that the X account of Aftermath, a liquid staking protocol in the Sui ecosystem, has been compromised. Users are advised not to interact with the account until the team regains control.
Amount of loss: - Attack method: Account Compromise
Description of the event: GMGN co-founder Haze posted on X (Twitter): "We have noticed a deliberate external phishing attack targeting GMGN. The attacker induced users to click by forging a third-party token website, triggering unauthorized transactions not initiated by the users themselves. Currently, this issue has been completely resolved, affected accounts have been restored to safety, and similar phishing attacks have been fully blocked. This incident affected approximately 107 users. For losses caused by unauthorized control of accounts, we will provide 100% full compensation and distribute it to GMGN accounts within today."
Amount of loss: $10,300 Attack method: Phishing Attack