Raydium has said it will compensate users who lost funds in the exploit.
Raydium users lose $1.34 million after legacy smart contract exploited
An attacker exploited a legacy smart contract that had been used by the Raydium Solana DEX before it was deprecated in 2021. Though the contract was unused, there were still funds in the liquidity pools affected by the vulnerable contract. Using fake LP tokens, the exploiter was able to trick an old smart contract with insufficient validation into allowing them to withdraw assets.
Humanity Protocol loses $36 million to employee laptop compromise
Humanity Protocol, a decentralized identity project that uses palm scans to try to prove that users are human, has suffered a $36 million loss after attackers compromised a laptop belonging to an employee. After the laptop was infected with malware, the malicious code gained root access, then stole seven private keys that were reportedly accidentally stored in a backup. Several of the keys were sufficient to satisfy multisignature requirements, which are intended to prevent private key leaks from allowing attackers to gain control over sensitive infrastructure like bridges. With multisignature wallets, keys are supposed to be stored separately across multiple individuals and devices; however, in this case, attackers only needed to compromise one laptop to gain control over multisig-protected contracts.
With the keys, the attacker stole more than 6 million of Humanity's H token, then used other keys to upgrade a bridge and drain 141 million more tokens. With the bridge access, they also minted 300 million new H tokens. The attacker then quickly swapped the ill-gotten tokens for ETH, causing the H price to plummet by 80–90%.
Humanity Protocol markets itself as a competitor to Sam Altman's World (formerly Worldcoin), a decentralized identity project that aims to use iris scans to prove that users are unique humans. Humanity raised $20 million in 2025 from Pantera Capital and Jump Crypto.
Gravity Bridge drained of $5.4 million
Gravity Bridge, a bridge between the Cosmos and Ethereum blockchains, suffered $5.4 million in losses likely due compromised private keys. The developers of the protocol urged validators to halt while the theft was investigated, and the bridge was indeed halted shortly after. Two weeks after the hack, the Gravity Bridge interface remained unavailable.
DxSale exploited for $7.3 million
DxSale, a project that was popular in 2021 for launching new tokens and creating liquidity pools, suffered a $7.3 million exploit after ownership of a locker contract was transferred to a new address. Nine months later, the contract ownership was repeatedly moved between many new wallets — likely in an attempt to cover tracks — before $7.3 million was taken from old liquidity pools. The stolen assets were then swapped to BNB and routed through bridges and mixers to obscure the trail.
SquidRouterModule, unrelated to Squid Router, exploited for $3.2 million
A third-party Gnosis Safe smart contract called SquidRouterModule was exploited for $3.2 million. The smart contract included a set string that could be passed to identify a "safe" message; however, the string was visible in the public smart contract code and used by an attacker to impersonate Gnosis Safe users and then drain their wallets. 86 wallets had used the module, and lost a combined $3.2 million.
The name led to some confusion due to the similarly named Squid Router, which is not related. It's not clear if the users who installed the module were aware that the two projects were separate.
Largest North American bitcoin ATM operator, Bitcoin Depot, files for bankruptcy
Bitcoin Depot has filed for Chapter 11 bankruptcy. The company operates a fleet of kiosks at retail locations that allow customers to purchase bitcoin with cash. Bitcoin Depot announced in a press release that its 9,700 kiosks – primarily located at gas stations and convenience stores – had already been taken offline.
The company's bankruptcy filing reports between $10 million and $50 million in both assets and liabilities. In a recent financial disclosure, the company had reported a 49% year-over-year reduction in revenue and a net loss of $9.5 million for the year. The company had also suffered a $3.67 million hack in April.
Bitcoin Depot has blamed a challenging state-level regulatory environment for its bankruptcy, pointing to a series of regulatory restrictions and outright bans on crypto ATMs, which are a major conduit for crypto scams. An FBI report on Internet crime in 2024 showed 11,000 reports of fraud involving crypto ATMs – a 99% increase from the prior year. Almost $250 million was reported lost due to such scams, with a majority of it coming from victims over 60 years old. Several states have responded by introducing laws imposing strict compliance requirements or transaction limits on ATM operators, and Indiana and Tennessee have both recently banned the kiosks entirely. Additionally, the company is defending against lawsuits from both Massachusetts and Iowa, which argue that the company uses a misleading pricing structure, knowingly enables crypto scames, and maintains a predatory refund policy.
- "Bitcoin Depot Initiates Voluntary Chapter 11 Process to Facilitate an Orderly Wind-Down and Sale of the Company’s Assets", Bitcoin Depot press release [archive]
- Issue 92, Citation Needed [archive]
- Issue 105, Citation Needed [archive]
- Chapter 11 Voluntary Petition
Verus bridge hacked for $11.6 million
An attacker stole $11.6 million in various crypto assets from the Verus–Ethereum bridge, which allows users to use tokens from the Verus network on the Ethereum chain and vice versa. The attacker then swapped the tokens for ETH, limiting the ability for issuers of more centralized tokens to freeze the stolen assets.
Verus halted the entire Verus network after the exploit was detected in hopes of limiting further damage.
The exploiter later accepted a bounty offer by Verus, returning 4,052 ETH (~$8.5 million) while keeping the remaining ~25% as a "bounty".
THORchain exploited for $10.8 million
The THORchain cross-chain liquidity protocol was exploited for around $10.8 million across several blockchains: Bitcoin, Ethereum, BNB Chain, and Base. The protocol paused trading after observing the suspicious transactions. News of the hack caused the protocol's RUNE token to drop in price by more than 10%.
Transit Finance hacked for $1.88 million
Transit Finance was exploited for $1.88 million after an attacker exploited a "legacy contract" on the TRON blockchain that the project said was deprecated in 2022. "Historical vulnerabilities within it" were exploited, the project explained, allowing the attacker to steal $1.88 million.
Transit was previously exploited in 2022 for $21 million, although around 70% of the stolen assets were later returned.
TAC bridge exploited for $2.8 million
The TAC bridge, which bridges assets from the Ethereum blockchain to the Telegram-linked TON chain, was exploited for $2.8 million. The project paused the bridge and announced they were investigating.
The project has announced they intend to "restor[e] bridge liquidity through a legally structured sale of Foundation's TAC token treasury reserves."