357 hack event(s)
Description of the event: The Blast ecosystem project Bloom was attacked, resulting in a loss of approximately $540,000. On May 10th, Bloom announced that they had successfully recovered most of the stolen funds. The Bloom team stated that after paying a 10% bug bounty, they had retrieved $486,000 of the stolen funds, which accounts for 90% of the total amount ($540,000). All recovered funds will be redistributed to liquidity providers.
Amount of loss: $ 540,000 Attack method: Contract Vulnerability
Description of the event: The blockchain data analysis platform Dune tweeted that its account was compromised earlier today and a fake post about a Dune Airdrop was live for about 15 minutes. The Dune team now has control over the account again.
Amount of loss: - Attack method: Account Compromise
Description of the event: According to on-chain analyst ZachXBT's monitoring, the group of scammers who stole 8 figs with Magnate, Kokomo, Lendora, Solfire, etc is back with a new project on Blast @Leaperfinance. Last week they funded an address on Blast with ~$1M of laundered funds from the previous rugs and have begun adding liquidity to bait people in. Over time, the fraudulent team increased their TVL to over a million dollars, then stole all user funds deposited into the protocol, and forged KYC documents using low-level auditing companies. Currently, this fraudulent group has initiated scams on platforms such as Base, Solana, Scroll, Optimism, Arbitrum, Ethereum, and Avalanche.
Amount of loss: - Attack method: Scam
Description of the event: The Bitcoin-native lending protocol, Zest Protocol twitted that it experienced an attack. The attacker lent out an amount exceeding the value of their collateral by artificially inflating its value. The attack has been mitigated, and all unauthorized access has been disabled. The attacker removed 324,000 STX from the protocol, and this loss will be compensated from the Zest Protocol's treasury, ensuring full reimbursement of user assets.
Amount of loss: $ 1,000,000 Attack method: Price Manipulation
Description of the event: The full-chain Web3 ecosystem xBlast, built inside Telegram, disclosed on Twitter that it had been hacked. The attacker transferred XBL tokens from its project's main wallet address and sold them for approximately 22 ETH. xBlast's proposed solution is to deploy a new XBL token and restore liquidity, promising fair compensation for all losses.
Amount of loss: $ 84,500 Attack method: Unknown
Description of the event: The Twitter account of Wormhole co-founder Robinson Burkey was hacked, and a suspicious link was posted.
Amount of loss: - Attack method: Account Compromise
Description of the event: In the Blast ecosystem, the project Avolend Finance is suspected to be a rug pull. Currently, its official website and Twitter account cannot be accessed.
Amount of loss: $ 253,000 Attack method: Rug Pull
Description of the event: The Blast ecosystem project Munchables was attacked, resulting in a loss of approximately $62.5 million. On the same day, Blast founder Pacman tweeted: "$97m has been secured in a multisig by Blast core contributors. Took an incredible lift in the background but I’m grateful the ex munchables dev opted to return all funds in the end without any ransom required.."
Amount of loss: $ 62,500,000 Attack method: Insider Manipulation
Description of the event: The email newsletter account of Web3 media company Decrypt has been compromised, and a phishing scam email has been sent to all of our subscribers. Please do not click on any links. Currently, the attacker has profited $3,000 through phishing.
Amount of loss: $ 3,000 Attack method: Account Compromised
Description of the event: The new blockchain game Super Sushi Samurai, based on the Blast layer-2, was attacked due to a vulnerability in its token contract, resulting in a loss of approximately $4.6 million. Shortly after the theft, the attacker contacted the project, claiming to be a whitehat. Later, Super Sushi Samurai confirmed that the funds had been returned, minus a 5% bounty.
Amount of loss: $ 4,600,000 Attack method: Contract Vulnerability
Description of the event: According to on-chain investigator ZachXBT, the X account of TON Blockchain has been compromised.
Amount of loss: - Attack method: Account Compromise
Description of the event: According to blockchain investigator ZachXBT, an account impersonating Solana ecosystem KOL Ansem (@blknoiz06) capitalized on the recent meme coin craze to profit over $2.6 million through phishing.
Amount of loss: $ 2,600,000 Attack method: Social Engineering
Description of the event: The Blast ecosystem's LaunchPad and yield aggregator BLASTOFF announced that its Future Yield Minter Vault has been hacked, resulting in the theft of approximately 150 ETH (approximately $600,000). The official team has disabled staking in the affected pool and is currently conducting a thorough investigation.
Amount of loss: $ 600,000 Attack method: Unknown
Description of the event: The Twitter account of the security company @sherlockdefi was hacked, with the attackers using the account to post a tweet containing phishing links.
Amount of loss: - Attack method: Account Compromise
Description of the event: Capital Killer, an anti-capitalist hacker group, revealed on twitter that they have attacked the Grayscale official website, claiming it as a gift to the AVAV community in support of fairness and anti-capitalism. Currently, the Grayscale official website is inaccessible, but the page for Grayscale's Bitcoin ETF GBTC remains accessible.
Amount of loss: - Attack method: Unknown
Description of the event: The Twitter account of MicroStrategy, the largest public holder of BTC, appears to have been compromised, with phishing airdrop links being posted. According to on-chain detective ZachXBT, the incident has resulted in the theft of assets worth $440,000.
Amount of loss: $ 440,000 Attack method: Account Compromise
Description of the event: Aleo, a blockchain project that advertises it's a place for "fully private applications" with "built-in privacy" has just emailed private identification documents — including selfies and photographs of government identification cards — to the wrong users. Aleo acknowledged their screw-up on social media, claiming that only ten individuals were impacted, and that it had happened thanks to a "copy/paste error in email metadata".
Amount of loss: - Attack method: Information Leakage
Description of the event: SlowMist founder Cos tweeted that there is a backdoor code in the Tornado Cash IPFS version frontend that hijacks deposit certificates. A governance attack led to malicious proposals being passed, and the malicious code has been present for about two months.
Amount of loss: - Attack method: Governance Attack
Description of the event: Axie Infinity co-founder Jihoz tweeted that his personal two addresses have been compromised. The attack is limited to his personal accounts and is unrelated to the validation or operation of the Ronin chain. Additionally, the leaked keys are unrelated to the operations of Sky Mavis. He reassured everyone that strict security measures have been taken for all related activities.
Amount of loss: $ 10,000,000 Attack method: Private Key Leakage
Description of the event: Keith Grossman, the president of MoonPay, currently has a compromised X account distributing wallet drainer links.
Amount of loss: - Attack method: Account Compromise