Web3 is Going Just Great

October 15, 2025

Paxos accidentally mints more than twice the global GDP in PayPal stablecoins

Paxos, the issuer of PayPal's PYUSD stablecoin, accidentally minted 300 trillion of the supposedly dollar-pegged token. For context, this is approximately 2.5x the global GDP, and around 125x the total number of US dollars actually in circulation.

Paxos later announced that the mint was an "internal technical error", and that they had burned the excess tokens.

While PayPal promises its customers that "Reserves are held 100% in US dollar deposits, US treasuries and cash equivalents – meaning that customer funds are available for 1:1 redemption with Paxos," there clearly isn't much in the way of safeguards to ensure that is always the case. As with most stablecoin issuers, Paxos merely issues self-reported and unreviewed portfolio reports, and monthly third-party attestations (not audits) of reserves.

October 10, 2025

Hyperliquid user loses $21 million to private key leak

An attacker apparently obtained access to a victim's private key, enabling them to drain $21 million in various crypto assets. The attacker quickly bridged the stolen funds to ETH, then bounced through various addresses in hopes of disguising their origin and making the funds more challenging to recover.

Some originally feared that the theft was enabled by an exploit on Hyperliquid itself, shortly after another Hyperliquid-based project was compromised, but the theft appears to have been a key leak rather than an exploit on the protocol.

"Hyperliquid User Loses $21 Million Due to Private Key Compromise, Experts Say", Decrypt [archive]

October 4, 2025

Abracadabra loses more "Magic Internet Money" to third hack in two years

(attribution)

In their third major hack in two years, the Abracadabra defi lending project lost $1.8 million of their Magic Internet Money stablecoin. An attacker took advantage of a bug in the project smart contracts to borrow more than their provided collateral would normally allow. The attack was funded via Tornado Cash, and the exploiter then swapped the stolen tokens for ETH and laundered them back through Tornado.

The project disclosed the theft, describing the exploit as affecting "some deprecated contracts". They downplayed the theft, saying they'd bought back the stolen assets using treasury funds.

Abracadabra previously suffered a $13 million theft in March 2025, and a $6.5 million theft in January 2024.

"Abracadabra loses $1.8 million in protocol's third major DeFi hack since 2024", The Block

September 27, 2025

Hyperdrive lending protocol exploited for $782,000

(attribution)

Exploiters drained $782,000 in crypto assets from two markets on the Hyperdrive lending protocol, which is built on the Hyperliquid layer-1 blockchain. The attacker apparently took advantage of a security flaw in one of the project's smart contracts to drain the funds.

Hyperdrive paused all markets while investigating the vulnerability, and patched the bug. They also compensated those who had lost money in the exploit.

September 24, 2025

SBI Crypto likely suffers $21 million theft

(attribution)

Crypto sleuth zachxbt observed $21 million in "suspicious outflows" from SBI Crypto, a crypto mining subsidiary of the Japanese SBI Group. The money was quickly laundered through instant exchanges and Tornado Cash, in ways zachxbt observed were similar to tactics of North Korean crypto thieves.

SBI Crypto has not made any public statements addressing the apparent theft.

Telegram message by zachxbt [archive]

September 24, 2025

Griffin AI exploited for $3 million one day after launch

(attribution)

One day after Griffin AI launched its GAIN token on Binance Alpha, an attacker minted 5 billion fake GAIN tokens on the Ethereum blockchain, then exploited a cross-chain endpoint to trick the bridge to the Binance chain into recognizing them as the real thing. The attacker was only able to sell a small fraction of their tokens, but they made off with approximately $3 million as the token plunged in price. According to CEO Oliver Feldmeier, the exploit was enabled by "a misconfigured layer Zero (cross-chain messaging) set-up and compromised key".

Griffin AI promises to allow customers to "build, deploy, and scale autonomous AI agents for crypto finance". These are essentially AI-powered bots that perform various functions — some of Griffin's advertised examples include a "robo-adviser" to provide "tailored investment strategies", and bots to do arbitrage trading or manage staked assets.

September 23, 2025

Seedify launchpad project suffers bridge exploit

(attribution)

An attacker exploited bridges for SFUND, the token issued by the Seedify launchpad and incubator. It appears the exploiter has profited around $1.7 million from the theft. Seedify issued a statement announcing the theft, and said the bridge contracts that were exploited had been deployed for three years. The SFUND token crashed in price by around 80% before recovering somewhat.

Seedify has been a launchpad for blockchain games, NFT projects, and other web3 products. The team recently has embraced "vibe coding" — a practice in which people rely heavily on AI to generate code.

September 22, 2025

UXLINK exploited for around $28 million, then hacker gets phished

(attribution)

The "AI-powered web3 social platform" UXLINK was exploited by an attacker that gained control of the project's multisignature wallet, then minted billions of the project's UXLINK token. Though the tokens were worth hundreds of millions of dollars on paper, low liquidity and a crashing token price means the attacker cashed out around $28 million.

Shortly after the hack, the attacker apparently approved a phishing contract, perhaps in their rush to swap tokens before the price crashed further or before exchanges could freeze the tokens. Around 542 million of the UXLINK tokens were sent to a phishing address as a result, though it doesn't appear the phishing wallet has been able to sell the tokens.

September 12, 2025

Shibarium bridge hit with $2.4 million flash loan attack

(attribution)

A bridge for Shibarium, the layer-2 network for the Shiba Inu project, was exploited for approximately $2.4 million in funds. The attacker bought 4.6 million BONE tokens (the governance token for Shibarium) using a flash loan, then used compromised validator signing keys to take control of the majority of validator power. Then, they used that control to drain around 225 ETH and 92.6 billion SHIB, together priced at around $2.4 million at the time of the theft.

The project has paused staking on the network, freezing the BONE tokens borrowed by the attacker, which may limit the attacker's profits.

September 9, 2025

Thorchain founder exploited for $1.35 million

(attribution)

John-Paul Thorbjornsen, the founder of Thorchain and Vultisig, suffered a wallet drain, reportedly after experiencing a video meeting scam from an attacker who had exploited the Telegram account belonging to one of his friends. According to JP, the scammer used a malicious video call link to place malware on his computer, which then exfiltrated private keys for one of his crypto wallets. Some questioned whether he had made up the story, as he immediately began using the story to promote his Vultisig product.

Later that week, Thorbjornsen apparently suffered another loss — this one confirmed on-chain to be around $1.35 million.

According to crypto sleuth zachxbt, the attackers appeared to be a part of North Korean crypto hacking operations. "JP is one of the people whose has greatly benefited financially from the laundering of DPRK hacks/exploits. So it’s a bit poetic he got rekt here by DPRK," he wrote.

"THORSwap issues bounty offer tied to more than $1M exploit of THORChain founder's wallet", The Block