2026 hack event(s)
Description of the event: The Bilaxy exchange tweeted that the hot wallet was hacked and lost approximately 296 tokens (including ETH).
Amount of loss: $ 21,709,378 Attack method: Wallet Stolen
Description of the event: The DeFi pledge and liquidity strategy platform xToken, which suffered a lightning loan attack, released an analysis report on the vulnerability of the xSNX contract. At 4:43 UTC on August 29th, a vulnerability in the xSNX contract was exploited, and the holder's loss was estimated to be 4.5 million U.S. dollars. xToken believes that it is best to stop providing xSNX products at this time. xToken stated that it will no longer use the xSNX contract for SNX pledge.
Amount of loss: $ 4,500,000 Attack method: Flash loan attack
Description of the event: Polkadot Eco DeFi revenue aggregator Dot.Finance suffered a lightning loan attack. Dot.Finance's token PINK plummeted 35% in a short time, from 0.77 USD to approximately 0.5 USD. The attacker made a profit of 900.89 BNB (approximately $429,724 in total).
Amount of loss: $429,724 Attack method: Flash loan attack
Description of the event: In May of this year, the SEC filed a lawsuit against five people suspected of promoting BitConnect. The SEC believes that BitConnect is an unregistered digital asset securities product, and the program has raised more than $2 billion from retail investors through the promoter network. BitConnect is a cryptocurrency investment plan with the characteristics of a Ponzi scheme launched in 2017. Its token BCC was one of the 20 most valuable cryptocurrencies at the time, with a market value of more than 2.6 billion U.S. dollars. In September, the founder of BitConnect, Glenn Arcaro, admitted to participating in a fraud scheme, which was allegedly amounting to US$2 billion.
Amount of loss: $ 2,000,000,000 Attack method: Scam
Description of the event: Sentinel, a Cosmos ecological dVPN project, stated on Twitter that the $40 million DVPN tokens were stolen due to the leak of the mnemonic phrase on the HitBTC exchange. Sentinel stated that the user's own DVPN was safe, and HitBTC had the problem. They reported the hacking incident to Sentinel one hour after the incident. So Sentinel hopes that HitBTC will take action to return DVPN to users. HitBTC responded that Sentinel was trying to shirk responsibility for its technical defects and deceive everyone. HitBTC believes that Sentinel’s technology has vulnerabilities that can easily cause user mnemonics to be publicly disclosed. Such vulnerabilities are common in the Sentinel network, and the blockchain and software have not been thoroughly tested, and the company has not invested enough Time and resources to protect users. Therefore, HitBTC recommended that Sentinel fix the security vulnerabilities in the software, conduct more tests, and restart the current centralized system.
Amount of loss: $ 40,000,000 Attack method: Affected by the HitBTC event
Description of the event: The founder of one of Russia's largest cryptocurrency scams has been in jail for allegedly defrauding US$100 million from its investors. Finiko was established in Kazan in 2019 and pretended to be a legitimate BTC investment company. In December 2020, Finiko released its native digital currency FNK. According to local reports, the founders will take BTC from investors and reward them with FNK tokens.
Amount of loss: $ 100,000,000 Attack method: Scam
Description of the event: Liquid, a Japanese-based cryptocurrency exchange, said its hot wallet was attacked and it was transferring assets to cold wallets. It is currently investigating and has suspended its deposit and withdrawal services.
Amount of loss: $ 91,350,000 Attack method: Wallet Stolen
Description of the event: Pinecone launched the pledge pool of protocol token PCT at 09:00 UTC on August 18, 2021, and was attacked at 11:41:19 AM UTC. When the Pinecone PCT pledge pool went online, the front-end was processed to limit illegal operations, but the hacker bypassed the front-end page during the attack and directly called the smart contract through the ordinary account, depositing PCT tokens greater than the amount of the account balance, and the PCT pool was wrong. Records the number of user deposits. When withdrawing, you can extract more PCT tokens. After discovering that the currency price had plunged, the project party immediately terminated the call of the smart contract. The current loss of the number of PCTs: about 3.53 million.
Amount of loss: 3,530,000 PCT Attack method: Compatibility Issue
Description of the event: Solana Ecological Lending Agreement Solend tweeted that the agreement was hacked at 20:40 on August 19th, Beijing time. The attacker cracked the insecure identity check in the UpdateReserveConfig function, allowing it to liquidate all accounts. In addition, the hacker also set the APY of borrowed funds to 250%. During this period, the funds of 5 users were mistakenly liquidated, and the liquidator is currently refunding the losses of these 5 users totaling USD 16,000. Solend said that this attack did not result in the theft of funds, and that the scale of the bug bounty will be increased and a better monitoring and alarm system will be established.
Amount of loss: $ 16,000 Attack method: Contract Vulnerability
Description of the event: The Solana chain has experienced its first carpet pull. Luna Yield ($LUNY) is a revenue aggregator launched through the Solana launchpad "SolPad", which has disappeared and is a variety of digital currencies worth about 6.7 million U.S. dollars. Luna Yield advertises itself as a legal project that can aggregate and optimize yield agriculture for its users; it is even supported by the famous Solana-based project launchpad "SolPad", which enables projects that submit "qualified documents" Raise funds through its initial DEX product (IDO) on the Solana-based decentralized platform. Although Luna Yield submitted "qualified documents", its attitude towards investors was indifferent. Before the August 16 fundraising, Luna Yield appeared to be legitimate. Three days after its IDO, Luna Yield sent the funds it raised to the hybrid service Tornado Cash to make it untraceable, and then it closed its website and all social media accounts-no one was able to contact the Luna Yield team.
Amount of loss: $ 6,700,000 Attack method: Rug Pull
Description of the event: On August 17, the DeFi project XSURGE on BSC suffered a lightning loan attack. On August 16, local time, XSURGE officially issued a statement about the SurgeBNB vulnerability before the attack. Since the SurgeBNB contract cannot be changed and has been abandoned, the vulnerability cannot be patched. XSURGE said that it did not disclose any specific details about the nature of this vulnerability, but strongly recommends that users migrate out of SurgereBnb as soon as possible. The vulnerability may be triggered by an attacker at any time. After the announcement, XSURGE was subsequently attacked, and the attacker stole $5 million from SurgeBNB.
Amount of loss: $ 5,000,000 Attack method: Flash loan attack
Description of the event: The NEAR ecological decentralized exchange Ref.Finance team tweeted that at around 2 pm UTC on August 14th, the Ref team noticed the abnormal behavior of the REF-NEAR trading pair, and then discovered that the patch of the recently deployed contract An error, which has been exploited by multiple users, affected approximately 1 million REFs and 580,000 NEARs.
Amount of loss: $ 3,202,539 Attack method: Fix bug
Description of the event: According to Reuters, a High Court judge in London granted artificial intelligence firm Fetch.ai’s request, ordering Binance to track down the hackers who stole $2.6 million in assets from Fetch.ai’s Binance account and freeze the stolen assets. Fetch.ai, founded in the U.K. and Singapore to develop artificial intelligence projects for blockchain databases, claims fraudsters hacked into their cryptocurrency accounts on the Binance exchange on June 6. A Binance spokesperson said that to protect users’ property, Binance regularly freezes accounts identified as having suspicious activity.
Amount of loss: $ 2,600,000 Attack method: Hacked account
Description of the event: The Neko Network, a lending protocol on the Binance Smart Chain (BSC), was attacked. The attacker used vulnerabilities in the protocol to mortgage assets in the name of the user and sent the borrowed funds directly to the attacker’s own address. All asset pools on the Neko Network have been frozen to avoid changes. Multiple attacks occur. Due to the setting of the time lock, it takes 24 hours to develop the fund pool and allow users to raise funds in the pool. Neko Network is a product developed by the Zero Coupon Money Market Protocol Maze Protocol team.
Amount of loss: $ 2,200,000 Attack method: Contract Vulnerability
Description of the event: DAO Maker issued an announcement stating that at around 1:00 UTC on August 12th, hackers maliciously used a DAO Maker wallet and obtained administrator rights. After initially testing this vulnerability and successfully stealing 10,000 USDC, the cybercriminal made another 15 transactions quietly. In this way, hackers embezzled approximately $7 million before the security team was able to track, control, and prevent the outflow of funds. A total of 5,251 users were affected, and each user lost an average of $1250. Fortunately, users who hold up to $900 in funds are not affected at all.
Amount of loss: $ 7,000,000 Attack method: Private Key Leaked
Description of the event: Punk Protocol, the decentralized annuity protocol, stated that it encountered an attack during the fair launch process, causing a loss of 8.9 million US dollars. Later, the team recovered another 4.95 million US dollars and transferred it to a secure wallet. The Punk Protocol team stated that the attacker found a critical loophole in the investment strategy and extracted more than 8.9 million U.S. dollars of three stable currency assets (USDC, USDT, DAI) from the Forge-CompoundModel module, but a white hat hacker noticed The attacker's intent was reached, so a transaction was executed, which was able to recover $4.95 million. The lost funds have been transferred to the Ethereum currency mixing platform Tornado.cash, so it is difficult to keep track of them.
Amount of loss: $ 3,950,000 Attack method: Contract Vulnerability
Description of the event: Poly Network, a cross-chain interoperability protocol, said it was attacked, and a total of more than 610 million US dollars were transferred to 3 addresses. Among them, the funds transferred to Binance smart chain addresses starting with 0x0D6e2 exceeded 250 million US dollars, and they were transferred to the ether starting with 0xC8a65. There are over 270 million U.S. dollars in workshop addresses, and over 85 million U.S. dollars in transfers to Polygon addresses. Affected by this, the large amount of assets in the O3 Swap cross-chain pool was transferred out, and the official is investigating.With the efforts of many parties, the hackers have now returned tokens worth 342 million U.S. dollars.
Amount of loss: $ 613,062,100.7 Attack method: Permission Stolen
Description of the event: BachOnChain, a core member of Duet Protocol, a multi-chain synthetic asset protocol, tweeted that the Duet Protocol pioneer network Zerogoki experienced an oracle attack a few hours ago, and the wrong price led to unrecognized transactions. BachOnChain said that the oracle has been suspended, zUSD has experienced certain fluctuations, and it is expected that the price will resume in market trading and arbitrage after a period of time.
Amount of loss: $ 670,000 Attack method: Oracle attack
Description of the event: Wault Finance on the BSC chain was attacked, and the attacker made a profit of 930,000 US dollars. Attackers due to design flaws in the economic model can carry out arbitrage attacks on the pool of WaultSwapPair (BSC_USDT-WEX).
Amount of loss: $ 930,000 Attack method: Flash loan attack
Description of the event: Some Twitter users reported receiving a token airdrop named VERA (The Vera) project, but the tokens in the wallet were stolen after the official website was authorized. After inquiry, it was found that the project was suspected to be an airdrop trap. The specific method was to airdrop 80,000 tokens (worth approximately US$9,600) through a single address to attract user attention, and set up a mechanism to allow users to fail transactions on Pancakeswap, which in turn led users to the official website to cheat. Authorize the implementation of theft.
Amount of loss: - Attack method: Scam