1936 hack event(s)
Description of the event: Nemo Protocol, a DeFi protocol on Sui, was attacked, resulting in a loss of approximately $2.4 million.
Amount of loss: $ 2,400,000 Attack method: Unknown
Description of the event: Swiss crypto platform SwissBorg suffered a security incident in which approximately 192,600 SOL (~$41.5M) was stolen on Solana. According to SwissBorg’s official statement, the incident was caused by a compromised partner API, impacting its SOL Earn program.
Amount of loss: $ 41,500,000 Attack method: Third-party Vulnerability
Description of the event: On-chain investigator ZachXBT reported that the Solana project Aqua has likely executed a rug pull involving approximately 21,770 SOL (~$4.65M). A few hours ago, the funds were split into four parts, moved through multiple intermediary addresses, and then sent to various instant exchanges.
Amount of loss: $ 4,650,000 Attack method: Rug Pull
Description of the event: Bunni, a DEX built on Uniswap v4, was exploited on Ethereum and UniChain, with total losses of approximately $8.4 million.
Amount of loss: $ 8,400,000 Attack method: Flash Loan Attack
Description of the event: The PulseChain-based defi project BetterBank was exploited by an attacker who took advantage of a vulnerability that allowed them to mint arbitrary tokens, some of which they then swapped for ETH. The attacker later returned around $2.7 million of the stolen assets, having cashed out around $1.4 million.
Amount of loss: $ 5,000,000 Attack method: Contract Vulnerability
Description of the event: According to an announcement from Equilibria Finance, a vulnerability was discovered in the ePENDLE auto-compounder contract on Ethereum, resulting in a loss of approximately 13.36 ETH. The issue stemmed from the stk-ePENDLE contract on Ethereum mainnet not being configured as non-transferable. The attacker used flash loans via Balancer to acquire ePENDLE, staked it into stk-ePENDLE, and then repeatedly transferred stk-ePENDLE across multiple addresses. Each transfer triggered a reward claim, enabling the attacker to drain the unclaimed rewards from the contract.
Amount of loss: $ 62,500 Attack method: Contract Vulnerability
Description of the event: ABCCApp on BSC was reportedly attacked, resulting in a loss of approximately $10.1K. The root cause was that the contract’s addFixedDay() function lacked access control, and fixedDay was used in calculating claimable USDT.
Amount of loss: $ 10,100 Attack method: Contract Vulnerability
Description of the event: According to SlowMist Threat Intelligence, puffer[.]fi and @puffer_finance have been compromised.
Amount of loss: - Attack method: Account Compromise
Description of the event: D3X AI (@D3X_AI) was attacked on BSC, resulting in a loss of approximately $158.9K. The root cause was that the exchange() function of contract 0xb8ad relied on the spot price of the d3xat token from a UniswapV2 pair, which the attacker exploited through a price manipulation attack.
Amount of loss: $ 158,900 Attack method: Price Manipulation
Description of the event: The official X account of the stablecoin protocol Level was reportedly compromised, and a fraudulent airdrop link was posted.
Amount of loss: - Attack method: Account Compromise
Description of the event: The Turkish cryptocurrency exchange BtcTurk has reportedly suffered another hack. BtcTurk acknowledged “unusual activity” in its hot wallets and has suspended deposits and withdrawals. However, the exchange did not disclose further details regarding the scale of the attack.
Amount of loss: $ 54,000,000 Attack method: Unknown
Description of the event: The Bitcoin-based memecoin launchpad ODIN.FUN suffered an exploit, losing approximately 58.2 BTC (around $7 million). The attacker allegedly manipulated the prices of several tokens and then withdrew bitcoin based on the inflated values. On August 17, ODIN.FUN co-founder Bob Bodily stated: “Made great progress on funds today (as many of you already saw). 30+ BTC back into Odin. More funds in progress too.”
Amount of loss: $ 7,000,000 Attack method: Price Manipulation
Description of the event: The decentralized lending protocol Credix suffered an exploit, losing approximately $4.5 million. The attacker gained control of an admin wallet, minted tokens, and drained liquidity pools. After the incident, Credix claimed it had reached a settlement with the attacker, who agreed to return the funds on the condition that “a certain amount would be fully paid by the Credix treasury.” However, Credix did not disclose how much was actually paid. Shortly after this announcement, Credix deleted its social media accounts and the team disappeared, sparking speculation that the so-called “hack” may in fact have been a rug pull orchestrated by insiders. To date, the promised reimbursements have not been fulfilled.
Amount of loss: $ 4,500,000 Attack method: Rug Pull
Description of the event: According to monitoring by SlowMist's MistEye security system, the NFT platform SuperRare was exploited. The root cause of the vulnerability was an incorrect permission check in the updateMerkleRoot function, which allowed anyone to modify the Merkle Root and claim tokens.
Amount of loss: $ 730,000 Attack method: Contract Vulnerability
Description of the event: Crypto trading platform WOO X suffered an attack resulting in a loss of approximately $14 million. According to the official disclosure, the incident stemmed from a targeted phishing attack that compromised a team member’s device, allowing the attacker to gain access to the development environment.
Amount of loss: $ 14,000,000 Attack method: Phishing Attack
Description of the event: The AI agent protocol Swarms disclosed on the X platform that its community Discord account had been compromised. Earlier today, a team member’s Discord account was breached after receiving a malicious direct message from a user. As a result, the attacker deleted several channels and removed over 300 community members.
Amount of loss: - Attack method: Account Compromise
Description of the event: On July 19, on-chain investigator ZachXBT posted on his personal channel: “Looks like the India centralized exchange 'CoinDCX' was likely drained for ~$44.2M almost 17 hours ago and has yet to disclose the incident to the community.” Shortly afterward, the company confirmed the breach on X, describing it as a “sophisticated server breach” and stating that only corporate funds were affected.
Amount of loss: $ 44,200,000 Attack method: Security Vulnerability
Description of the event: According to monitoring by SlowMist's MistEye security system, VDS on the BSC appears to have been attacked, with an estimated loss of around $13,000.
Amount of loss: $ 13,000 Attack method: Business Logic Flaw
Description of the event: According to monitoring by the SlowMist security team, cryptocurrency exchange BigONE has suffered a supply chain attack, with losses exceeding $27 million. The attacker breached the production network and altered the operating logic of servers related to account management and risk control, enabling unauthorized fund withdrawals. Notably, no private keys were leaked in this incident.
Amount of loss: $ 27,000,000 Attack method: Supply Chain Attack
Description of the event: According to the incident analysis report released by Arcadia Finance, at 04:05 AM UTC on July 15, 2025, an active exploit targeting a series of peripheral contracts occurred. The attacker abused the delegated powers of Arcadia account owners on the rebalancer and compounder asset manager contracts, resulting in a loss of approximately $3.6 million. This exploit was limited to the asset manager contracts; lending and token contracts were not affected.
Amount of loss: $ 3,600,000 Attack method: Contract Vulnerability