1987 hack event(s)
Description of the event: According to monitoring by SlowMist’s MistEye security monitoring system, potential suspicious activities related to @futureswapx have been detected. Further analysis indicates that the root cause lies in an attacker creating a malicious proposal and leveraging flash loans to vote, ultimately granting privileges to the attack contract and enabling it to transfer tokens from other users.
Amount of loss: - Attack method: Governance Attack
Description of the event: SlowMist has issued a security alert to the cryptocurrency exchange ICRYPEX Global, stating that a potentially critical vulnerability has been identified.
Amount of loss: - Attack method: Security Vulnerability
Description of the event: According to monitoring by Paidun, Yearn Finance V1 suffered a hacker attack, resulting in a total loss of approximately USD 300,000. The attacker has converted the stolen funds into 103 ETH, which are currently held at the address: 0x0F21...4066.
Amount of loss: $ 300,000 Attack method: Unknown
Description of the event: SlowMist sent a security alert to the cryptocurrency exchange Azbitm, stating that a potential vulnerability has been detected.
Amount of loss: - Attack method: Unknown
Description of the event: On December 14, Aevo announced that a vulnerability introduced during a smart contract upgrade led to an attack on the legacy Ribbon DOV vault on December 12, resulting in losses of approximately $2.7 million.
Amount of loss: $ 2,700,000 Attack method: contract vulnerability
Description of the event: According to SlowMist founder Yu Cos and ZEROBASE officials, a malicious contract on the BSC chain, “Vault” (0x0dd2…2396), impersonated the ZEROBASE frontend to trick users into authorizing USDT. The incident is suspected to have occurred due to a compromise of the ZEROBASE frontend and was not an issue with the Binance Web3 wallet itself. So far, hundreds of addresses have been affected, with the largest single loss reaching $123,000. The stolen funds have been transferred to the Ethereum address 0x4a57…fc84. ZEROBASE has enabled an authorization monitoring mechanism, and the community is urging users to quickly revoke risky authorizations via revoke.cash.
Amount of loss: $ 123,000 Attack method: Frontend Attack
Description of the event: The 0G Foundation posted on X that a targeted attack on December 11 resulted in a breach of their reward contract. The attacker exploited the emergency withdrawal function of the 0G reward contract, which is used for distributing alliance rewards, stealing 520,010 $0G tokens, 9.93 ETH, and $4,200 worth of USDT. These tokens were subsequently bridged and dispersed through Tornado Cash. Due to a critical vulnerability in Next.js (CVE-2025-66478) exploited on December 5, the attacker moved laterally via internal IP addresses, affecting services including the Alignment service, Validator nodes, Gravity NFT service, Node Sales service, Compute, Aiverse, Perpdex, Ascend, and others. However, the core chain infrastructure and user funds remained unaffected.
Amount of loss: $ 520,000 Attack method: Private Key Leakage
Description of the event: According to an announcement by Almanak, during today’s airdrop, operational errors and a DDoS attack caused delays in claims and failures in wallet deployment. The claim function was originally scheduled to open at 12:15 UTC, but was actually delayed until 12:35 UTC. About 1,100 users encountered a “PENDING” status issue while creating wallets. The team has restored the system, cleared the backlog, and confirmed that users’ tokens remain safe and intact.
Amount of loss: - Attack method: DDoS Attack
Description of the event: According to cybersecurity firm Blockaid, the official website of the meme coin PEPE was compromised by attackers, who modified the website’s front-end code, causing users visiting the site to be redirected to a malicious page.
Amount of loss: - Attack method: Supply Chain Attack
Description of the event: According to PeckShieldAlert, the stablecoin project USPD has suffered a major security breach, resulting in approximately $1 million in losses. The USPD team later confirmed that the protocol had been exploited, with the attacker minting tokens without authorization and draining liquidity. The official team has urgently advised users to revoke all token approvals granted to the USPD contract. According to the project’s confirmation, the incident was identified as a “CPIMP” attack. During the deployment phase, the attacker used Multicall3 to preemptively initialize the proxy and seize administrator privileges, while disguising the malicious implementation as an audited contract. The hidden logic remained dormant for several months before being activated, allowing the attacker to upgrade the proxy, mint approximately 98 million USPD tokens, and transfer around 232 stETH. The USPD team has disclosed the attacker addresses (Infector: 0x7C97…9d83, Drainer: 0x0833…215A) and stated that they are working with law enforcement and white-hat partners to trace the funds. The team has also offered a 10% bounty if the attacker returns the stolen assets.
Amount of loss: $ 1,000,000 Attack method: "CPIMP" (Clandestine Proxy In the Middle of Proxy) attack
Description of the event: According to Finance Feeds, hackers exploited a vulnerability in the React JavaScript library to inject code that steals funds from cryptocurrency wallets into websites, primarily targeting cryptocurrency platforms. On December 3, the React team released a patch for CVE-2025-55182, a vulnerability that allowed unauthenticated remote code execution. The React team strongly advised users of all affected modules to upgrade immediately to prevent further exploitation.
Amount of loss: - Attack method: Supply Chain Attack
Description of the event: The on-chain private fund Goldfinch’s old contract on Ethereum (0x0689) contained a vulnerability. Because the user deltatiger.eth did not revoke the authorization in time, they were exploited and lost approximately USD 330,000. The attacker has already sent 118 ETH (around USD 329,000) into the privacy mixer Tornado Cash.
Amount of loss: $ 330,000 Attack method: contract vulnerability
Description of the event: According to PeckShieldAlert on X, Yearn Finance suffered an attack in which the hacker drained the liquidity pool by infinitely minting yETH, causing losses of roughly $9 million. Approximately 1,000 ETH (about $3 million) was transferred to Tornado Cash, while the attacker’s address still holds around $6 million worth of crypto assets. On December 1, according to PeckShield’s monitoring, Yearn recovered 2.4 million USD by burning the pxETH held by the hacker. An equivalent amount of pxETH has been re-minted and returned to the Redacted Cartel multisig wallet.
Amount of loss: $ 9,000,000 Attack method: Contract Vulnerability
Description of the event: Upbit CEO Woo Kyung-sik issued a public statement regarding the recent security breach and apologized to users, noting that the incident resulted from shortcomings in Upbit’s internal security management. On the morning of the 27th, Upbit detected abnormal withdrawals from its Solana-based wallets, prompting an immediate full-scale inspection of related networks and wallet systems. During the investigation, the team identified a vulnerability that could potentially be exploited to infer private keys, which has since been patched. To safeguard user assets, Upbit suspended all cryptocurrency deposits and withdrawals and initiated on-chain tracking and asset-freezing procedures for funds transferred externally. On December 6, after completing the replacement of all virtual asset wallets and strengthening security controls, Upbit restored full deposit and withdrawal services. According to current estimates, the total value affected by the incident is approximately KRW 44.5 billion (about USD 30.3 million). Of this amount, approximately KRW 38.6 billion (about USD 26.33 million) belongs to users, and KRW 2.3 billion (about USD 1.57 million) has been successfully frozen. Upbit’s own funds affected total approximately KRW 5.9 billion (about USD 4.02 million). On December 8, Upbit’s operating company Dunamu provided an update, stating that an additional KRW 2.6 billion (approximately USD 1.77 million) in compromised assets has now been frozen. Recovery procedures are currently in progress to ensure the secured funds can be safely reclaimed.
Amount of loss: $ 30,300,000 Attack method: Unknown
Description of the event: BasisOS disclosed on X: “Due to a security breach, the Agentic FoF was compromised, resulting in approximately USD 531,000 in leaked funds. All vaults have now been suspended, and withdrawals from the Agentic FoF have also been paused pending the results of an internal investigation.”
Amount of loss: $ 531,000 Attack method: Unknown
Description of the event: The decentralized AI data network Port3 Network disclosed on X that its token PORT3 was maliciously minted by a hacker exploiting a cross-chain bridge vulnerability. According to on-chain analyst Yujin, the attacker used a contract flaw in the BridgeIn cross-chain bridge to mint 1 billion PORT3 tokens. The hacker then sold 162.75 million of these tokens on-chain, receiving 199.5 BNB (approximately USD 166,000) and causing the PORT3 price to plunge by 76%. Port3 Network later released an incident report explaining that the root cause stemmed from its use of NEXA Network’s CATERC20 cross-chain token solution. CATERC20 contains a boundary-condition validation vulnerability: after token ownership is renounced, a key function returns a value of 0, which unintentionally satisfies the ownership check condition. This results in permission verification failure, allowing attackers to perform privileged operations—including unauthorized token minting—without proper authorization. Notably, this issue was not identified in the CATERC20 audit report. Since Port3 had previously renounced ownership of the token to achieve greater decentralization, it remained vulnerable to this flaw. Following the incident, the Port3 team urgently removed the remaining on-chain liquidity, and several centralized exchanges suspended PORT3 deposits. Unable to continue selling, the attacker burned the remaining 837.25 million unsold PORT3 tokens approximately 40 minutes earlier.
Amount of loss: $ 166,000 Attack method: Contract Vulnerability
Description of the event: Aerodrome, a DEX built on Base, posted on X that the centralized domains of Velodrome and Aerodrome were hijacked on November 21 due to an internal security vulnerability at NameSilo, resulting in redirection to malicious content. With the rapid response from security partners including Blockaid, Groom Lake, Security Alliance, and FTI Consulting, MetaMask and Coinbase Wallet displayed warnings within two minutes, and the issue was fully mitigated within four hours. The incident resulted in approximately $700,000 in losses.
Amount of loss: $ 700,000 Attack method: Domain Hijacking
Description of the event: GoPlus has issued a security alert: Users who claimed the DMT airdrop from @dexmaxai are advised to revoke approvals immediately or transfer their assets to a secure wallet. Multiple victims reported today that they were tricked into granting approvals for other tokens during the DMT airdrop process, resulting in over a thousand users being compromised and more than USD 130,000 in assets stolen via cross-chain transfers. The official website and Twitter account of @dexmaxai are now offline, indicating a possible rug pull. Investigations show that attackers prompted users to sign additional transactions during the airdrop claim, thereby obtaining malicious token approvals and subsequently transferring the approved assets. After stealing funds, attackers bridged the assets to Ethereum, with most of the stolen funds flowing into HitBTC, while a smaller portion remains on-chain.
Amount of loss: $ 130,000 Attack method: Phishing Attack
Description of the event: According to on-chain security analyst ZachXBT, the payment project GANA Payment on the BSC chain was attacked a few hours ago, resulting in an estimated loss of $3.1 million. The attacker has deposited 1,140 BNB (around $1.04 million) into Tornado Cash on BSC, and transferred funds to Ethereum via a cross-chain bridge. Of these funds, 346.8 ETH (around $1.05 million) has also been deposited into Tornado Cash on Ethereum. Currently, another 346 ETH (about $1.046 million) remains idle in an Ethereum address starting with 0x7a.
Amount of loss: $ 3,100,000 Attack method: Unknown
Description of the event: According to a WLFI announcement, prior to the platform’s official launch, some user wallets were compromised due to phishing attacks or mnemonic phrase leaks. WLFI emphasized that the incident was not caused by any platform or smart contract vulnerability, but originated from third-party security issues. The team has developed new smart contract logic that allows assets to be reassigned to secure new wallets after completing KYC verification. Wallets that have not submitted a request or failed verification will remain frozen, though users can initiate the recovery process through customer support. According to Emmett Gallic, World Liberty Fi burned a total of 166.67 million WLFI tokens (worth approximately $22.14 million) from a suspected compromised wallet and reallocated an equal amount of tokens to a new secure address.
Amount of loss: - Attack method: Phishing Attack & Private Key Leakage