The project didn't disclose who the fund manager was, or the circumstances in which the "loss" occurred.
The Staked Stream USD token depegged on November 3, and crashed further following the announcement.

Created by Molly White.
manageUserBalance function of Balancer's v2 smart contract, enabling unauthorized internal withdrawals. The stolen tokens included 6,850 osETH, 6,590 wETH, and 4,260 wstETH, later consolidated into new wallets likely for laundering. The exploit also impacted forked protocols like Beets Finance, which lost around $3 million. Balancer's BAL token dropped over 10% following the theft.
This was Balancer's third major security incident since 2020, despite prior audits by OpenZeppelin and Trail of Bits.
There wasn't much sympathy to be had for Garden after this exploit. The protocol had recently announced hitting a milestone of bridging more than $2 billion in assets, but the celebration was criticized after zachxbt pointed out that a substantial portion of the bridged funds were proceeds of crimes being laundered to evade detection and recovery.
Cryptomus was temporarily banned from trading in British Columbia in May. The CA$177 million fine smashes Canada's previous record for the largest penalty they've ever imposed. That honor previously went to KuCoin, another crypto exchange fined CA$20 million (US$14.3 million) in September.
In 2023, Fortress experienced a $15 million theft. Though the company originally announced it would be acquired by Ripple, which had agreed to cover the shortfall, the deal eventually fell through. It's not clear how — or if — the funds were ever restored.
Fortress's insolvency has strong parallels to that of Prime Trust, another trust company that shares a founder in Scott Purcell. NFID issued a cease and desist to Prime Trust in June 2023 after finding the company was insolvent; in bankruptcy proceedings, that company later blamed much of the insolvency on losing access to a hardware wallet that held customer assets.
Paxos later announced that the mint was an "internal technical error", and that they had burned the excess tokens.
While PayPal promises its customers that "Reserves are held 100% in US dollar deposits, US treasuries and cash equivalents – meaning that customer funds are available for 1:1 redemption with Paxos," there clearly isn't much in the way of safeguards to ensure that is always the case. As with most stablecoin issuers, Paxos merely issues self-reported and unreviewed portfolio reports, and monthly third-party attestations (not audits) of reserves.
Some originally feared that the theft was enabled by an exploit on Hyperliquid itself, shortly after another Hyperliquid-based project was compromised, but the theft appears to have been a key leak rather than an exploit on the protocol.
The project disclosed the theft, describing the exploit as affecting "some deprecated contracts". They downplayed the theft, saying they'd bought back the stolen assets using treasury funds.
Abracadabra previously suffered a $13 million theft in March 2025, and a $6.5 million theft in January 2024.
As recently as this year, Futureverse was earning spots on "most innovative company" lists. In April, they announced they'd be acquiring Candy Digital, an NFT company created by Mike Novogratz, Gary Vaynerchuk, and others (which itself had raised a $100 million series A in 2021, and another funding round in 2023). "NFTs will be back in a big way one of these days", wrote Axios, covering the sale in April 2025.
But now, Futureverse has announced they've "made the difficult decision to begin a restructuring of the business". Focusing only on the AI portion of their business, and conspicuously omitting any mention of blockchains, NFTs, or metaverses, the company says they "recognize that adjustments are needed to ensure the long-term sustainability of our vision."
Futureverse locked comments on the post, likely to try to dodge angry community members who accused the company of stealing from them or rug-pulling.
Hyperdrive paused all markets while investigating the vulnerability, and patched the bug. They also compensated those who had lost money in the exploit.
The project had attracted customers by advertising yields of 76–95%.
SBI Crypto has not made any public statements addressing the apparent theft.
Griffin AI promises to allow customers to "build, deploy, and scale autonomous AI agents for crypto finance". These are essentially AI-powered bots that perform various functions — some of Griffin's advertised examples include a "robo-adviser" to provide "tailored investment strategies", and bots to do arbitrage trading or manage staked assets.
Seedify has been a launchpad for blockchain games, NFT projects, and other web3 products. The team has recently embraced "vibe coding" — a practice in which people rely heavily on AI to generate code.
Shortly after the hack, the attacker apparently approved a phishing contract, perhaps in their rush to swap tokens before the price crashed further or before exchanges could freeze the tokens. Around 542 million of the UXLINK tokens were sent to a phishing address as a result, though it doesn't appear the phishing wallet has been able to sell the tokens.
Despite the project's attempted reassurances, the YU stablecoin lost its $1 peg, plummeting as low as around $0.20. As of writing, about a day later, the stablecoin is still well below its peg, at around $0.94.
The project has paused staking on the network, freezing the BONE tokens borrowed by the attacker, which may limit the attacker's profits.
Later that week, Thorbjornsen apparently suffered another loss — this one confirmed on-chain to be around $1.35 million.
According to crypto sleuth zachxbt, the attackers appeared to be a part of North Korean crypto hacking operations. "JP is one of the people who has greatly benefited financially from the laundering of DPRK hacks/exploits. So it’s a bit poetic he got rekt here by DPRK," he wrote.
SwissBorg announced that they would be reimbursing impacted customers using treasury funds, and working with security firms and law enforcement to try to recover the stolen assets.
strip-ansi or determine if a variable is-arrayish. Altogether, the packages get around two billion downloads per week, and the compromise is being called the "largest supply chain attack in history". Once the malicious code is injected, it then intercepts network traffic and API calls, scanning for cryptocurrency transactions across numerous blockchains. When a network request is made to transfer crypto, the malicious code intercepts it and replaces the destination with wallets controlled by the attackers.
Various prominent people in crypto have warned about the attack, with Ledger CTO Charles Guillemet tweeting: "If you use a hardware wallet, pay attention to every transaction before signing and you're safe. If you don't use a hardware wallet, refrain from making any on-chain transactions for now."
Ultimately, the exploit was not very financially successful, with reports that less than $1,000 was stolen.
Venus paused the protocol as they investigated the theft. The project then proposed a vote to force liquidation of the attacker's wallet and recover the stolen funds.
Reddit has ended submissions for new avatars, and will shut down its avatar shop, collection display on profiles, and NFT wallet feature.
The feature is apparently so unused that the shutdown announcement garnered zero comments in the r/CollectibleAvatars subreddit. Besides posts relating to the shutdown, the most recent post in the subreddit was a year old.
This is the second blockchain-based feature Reddit has sunset, following the October 2023 decision to end their "Community Points" feature.
The vulnerable smart contract had been audited by cybersecurity firm Zokyo, which claimed they had flagged the issue during an audit. BetterBank responded by claiming that the auditors had either not identified or failed to communicate the true severity of the flaw.
This is the second BtcTurk exploit, following an approximately $55 million theft in June 2024.
A team member suggested they were unsure of the total amount stolen, "but as of right now, our company treasury isn't big enough to cover the losses".
A company called Qubic has been waging the 51% attack by offering economic rewards for miners who join the Qubic mining pool. They claim to be "stress testing" Monero, though many in the Monero community have condemned Qubic for what they see as a malicious attack on the network or a marketing stunt.
Though Qubic has claimed to have achieved 51% of the Monero hashrate, these claims have been disputed. However, they do appear to be very close if not there already, and there have been multiple chain reorganizations — including a 6-block reorganization — suggesting that Qubic has established significant control over Monero mining.
The incidents have been widely condemned as both dangerous and misogynistic by players, coaches, and the league, which has since implemented penalties including immediate ejection, a minimum one-year ban, and possible felony charges for offenders.
"It's super disrespectful," said Chicago Sky player Elizabeth Williams. "The sexualization of women is what's used to hold women down, and this is no different," stated coach Cheryl Reeve of the Minnesota Lynx. "The intent is to sexualize and demean the women players because they are women," wrote Glamour.
"This is empowering to every fucking crypto community to start thinking outside the box. Get creative and fucking do something that makes people actually laugh," said a member of the memecoin community, cheering the incidents for their virality and the subsequent impact on the coin price. The meme was even amplified by Donald Trump Jr., who posted to Instagram a photoshopped image of President Trump dropping one of the green sex toys off the roof of the White House and onto a group of women playing basketball below.
Researchers at Sentinel Labs have estimated that more than $1 million has been drained from various wallets via these malicious contracts.
Credix subsequently announced they had negotiated with the thief, who they said agreed to return the funds "in return for money fully paid by the credix treasury". They did not disclose how much they paid to the hacker.
However, shortly after this announcement, the company deleted its social media accounts and disappeared, leading some to wonder if the "hack" may have in fact been a rug pull by insiders. The promised reimbursements have not yet materialized.
This isn't the first sign of shakiness at Abra, which was alleged to be insolvent by the Texas state securities regulator in 2023. The company wound down its US operations in mid-2023 and refunded $82 million to US customers, after reaching a settlement with 25 state regulators. Abra also faced a lawsuit from the US federal securities regulator in 2024, which they settled in August of that year.
WOO X temporarily froze withdrawals, before reopening accounts after a security review. They offered a 10% "bounty" to the thief.
Blockchain security researcher zachxbt responded to the hack by saying, "I do not feel bad for the team as this CEX processed a good bit of volume from pig butchering, romance, investment scams." Elsewhere he suggested that hacks of "sketchy offshore exchanges" would be a positive for the crypto industry, serving as a "natural cleanse".
Arcadia is backed by Coinbase Ventures. The project acknowledged the hack, encouraging users to revoke permissions.
As it happens, "Ivan & Mouna" match the names of MoonPay CEO Ivan Soto-Wright and CFO Mouna Siala. The crypto address used to send the transaction also appears to be one of MoonPay's company crypto wallets.
MoonPay had told Fox Business shortly before the transaction that they intended to contribute an undisclosed amount to the Trump inaugural fund.
Only weeks after the botched donation, MoonPay was selected as a payment processor for Trump's $TRUMP memecoin.