Web3 is Going Just Great

Polish authorities have launched investigations into the apparent collapse. Losses have been estimated at 350 million zł (~$96 million).

Poland's Prime Minister Donald Tusk has also recently accused Zondacrypto of sponsoring conservative and right-wing politicians, including Polish President Karol Nawrocki. Nawrocki has repeatedly vetoed legislation aiming to regulate the crypto sector, describing it as overly burdensome to crypto businesses. Tusk has also alleged that Zondacrypto was funded by the Russian mafia and Russian intelligence services. These allegations are also being investigated by Polish authorities, and one report citing the country's Internal Security Agency claims that the Kremlin-linked Tambovskaya Bratva Russian mafia group took over the exchange as far back as 2018.

Volo says they have frozen or recovered all but around $60,000. They have also said they are "prepared to absorb this loss", rather than passing losses along to their users.

Aave maintains a $50 million insurance fund to absorb bad debt. However, this can't cover such a huge shortfall.

RaveDAO describes itself as a "community-driven global rave powerhouse", and sells NFT tickets to rave events.

RaveDAO has denied any responsibility for the recent price movements, but did not address allegations of enormous token concentration with the project's team or large transfers to exchanges around the time of the price jump.

When tokens are bridged from one chain to another, the tokens on the original chain are locked in the bridge smart contract while the token is used on the other chain, preventing its owner from double-spending the asset. With 116,500 locked rsETH now stolen, those using the token on other blockchains are now holding possibly unbacked tokens.

The rush for holders to offload their dubiously backed tokens is likely to worsen contagion throughout defi protocols, where those platforms could be left holding the bag. Some platforms, including Aave, Lido Finance, and Ethena, have paused markets involving rsETH to try to protect themselves.

This hack has set the new record for the largest defi hack in 2026, following the $285 million Drift exploit on April 1.

Some of the stolen tokens were returned by the attacker to the protocol, and around $4.35 million USDT were frozen by its issuer, Tether. Altogether, around $10 million was recovered, leaving $8.4 million outstanding.

According to blockchain intelligence firms TRM Labs and Chainalysis, Grinex is a rebranded version of the Garantex cryptocurrency exchange that was shut down and sanctioned in March 2025. Two of its operators were subsequently criminally charged in the US.

One victim, a musician who goes by G. Love, wrote: "I lost my retirement fund in a hack/Scam when I switched my Ledger over to my new computer and by accident downloaded a malicious ledger app from the Apple store. All my BTC gone in an instant." According to him, he lost 5.9 BTC (~$445,000).

Crypto sleuth zachxbt traced some of the stolen funds through Kucoin, a Chinese cryptocurrency exchange that was recently fined and forced to exit US markets over licensing and anti-money laundering failures. "The three largest victims lost seven figures each," he wrote.

Apple removed the malicious app from their App Store on April 13, six days after it had been added.

The following day, a Hyperbridge developer posted a screenshot of a blockchain transaction, writing "Lmao the uniBTC exploiter is testing Hyperbridge. I hope you have a quantum computer bro". Another commenter replied, "Rule #1 dont actively provoke attackers".

About two weeks later, an attacker was able to forge a transaction to change the admin rights for the Polkadot/Ethereum bridge contract, allowing them to mint 1 billion DOT tokens. They were able to cash out about $2,500,000 due to limited liquidity.

The April Fools' posts have since been deleted.

Bitcoin Depot is the largest operator of crypto ATMs globally and in the United States, with approximately 8,700 kiosks in the US and 9,200 worldwide.

The project later described the exploit as "a novel attack involving durable nonces, resulting in a rapid takeover of Drift's Security Council administrative powers." Once the attacker had access to admin capabilities, they quickly eliminated risk management limits on the protocol and drained huge quantities of tokens, which they swapped to USDC and then ETH. The attack was attributed to extremely sophisticated social engineering, likely by North Korean hackers.

Some have criticized USDC's issuer, Circle, for not freezing the stolen funds during the six hours they were held in USDC. Unlike ETH, USDC is controlled by a centralized company that can, and regularly does, freeze assets determined to have been stolen or connected to illicit activity.

The theft is among the largest in defi history.

Ultimately, facing being outvoted, the attacker dumped their MFAM holdings and the proposal was canceled as their balance had fallen below the proposal threshold.

This was only the most recent of Moonwell's troubles after the protocol suffered a $1.78 million loss in February due to an oracle misconfiguration and a $3.7 million loss in November 2025.

Balancer co-founder Fernando Martinelli has said he strongly considered shutting down the protocol entirely, but ultimately decided to continue the project as it generates a relatively small amount of revenue. Instead, the project will move to being operated by a DAO and operating company, which Martinelli hopes will allow them to dodge "real and ongoing legal exposure" and "the liability of past security incidents".

Although another Balancer co-founder has optimistically presented this as "the start of a better chapter" for Balancer, it remains to be seen whether a skeleton crew will be able to revive the project.

An exploiter took advantage of a flaw in USR's minting code to create tens of millions of USR tokens without depositing any assets to back them. The attacker then sold the unbacked USR, crashing the stablecoin's price to as low as $0.14. The attacker has profited at least 11,400 ETH (~$24 million), though they are still selling.

Some defi protocols paused USR-exposed strategies to avoid downstream impacts. Resolv issued a statement that the token's collateral pool was unaffected, though this is likely little comfort for those who purchased the unbacked USR.

While the exploit left the Venus Protocol with over $2 million in bad debt, it's not clear if the attacker even made money from the exploit. The exploiter's position was ultimately liquidated, collapsing the increase in THE price. However, it's possible the exploiter took advantage of the price discrepancy elsewhere to profit.

The Venus Protocol has had a number of issues in the past — notably in June 2023, when the team developing the BNB Chain had to intervene when the a thief borrowed $150 million on Venus against stolen tokens and then faced liquidation.

BlockFills was backed by investors including Susquehanna and CME Ventures.

The Aave founder offered to refund the user the $600,000 in fees collected from the transaction, and acknowledged "there are additional guardrails the industry can build to better protect users".

Chaos Labs, presumably embarrassed to have lived up to its name, promised to reimburse users whose positions were improperly liquidated.

According to Gondi, the exploiter took advantage of functionality that allowed users to sell their NFTs to automatically repay loans.

Gondi has said it has reimbursed customers by buying them "comparable items" from the same collections as their stolen NFTs, although it seems questionable that this will satisfy customers who purchased products whose whole selling point is that they aren't interchangeable.

The blunder was likely due to the authorities' lack of knowledge about cryptocurrency. The move was somewhat akin to authorities publicly posting a username and password for a criminal's bank account — though that would likely be an easier mistake to unwind.

According to Step Finance, "we explored every possible path forward, including financing and acquisition opportunities. Unfortunately, we were unable to secure a viable outcome and have made the difficult decision to end all operations effective immediately."

In reply to Step Finance's announcement, crypto investor Mike Dudas claimed that the project had contacted him about bridge financing, but that Step had never responded to his request for more information about the hack. "i responded: 'would need to see the security post mortem before i could consider investing here' <crickets>"

The attacker was able to manipulate the oracle price to show that USTRY was priced at $100 (rather than its actual trading price of around $1.05). Then, they borrowed against the overvalued asset, withdrawing XLM and USDC priced at $10.2 million. However, around 48 million of the stolen XLM (~$7.2 million) were frozen.

Blockchain security researcher Specter has suggested there may be links between this attack and a $50 million theft from the Infini "stablecoin neobank" a year ago.

On February 19, the office announced they had recovered the stolen assets and identified the thief.

This is the second time Moonwell has suffered a loss thanks to an oracle misconfiguration. In November 2025, the platform was left with almost $3.7 million in bad debt after a different asset was mispriced.

Although the vulnerable pull requests were at least partially developed by an AI tool, the security auditor who initially attributed the vulnerability to Claude Opus 4.6 later softened his criticism, noting that even senior developers could have made the same mistake. He did, however, criticize the project for a lack of sufficiently rigorous testing that should have caught the issue.

Platforms limiting or halting withdrawals — particularly lending platforms — is reminiscient of the 2022 crypto crash, when falling crypto prices exposed crypto firms that had been engaging in highly risky or sometimes illegal behavior. As crypto prices fell, firms were unable to meet their loan obligations or faced margin calls, and the tightly interconnected web of lending within the crypto ecosystem often meant that one company failure cascaded into multiple more. It remains to be seen whether this is an isolated incident or the beginning of a trend as crypto prices hit revisit price lows not seen in over a year.

BlockFills claims to have more than 2,000 institutional clients globally, and boasted of facilitating more than $61 billion in transactions in 2025. The company's backers include Susquehanna Capital and CME Ventures.

The exchange announced that they had recovered 99.7% of the erroneously awarded tokens, leaving around 1,860 BTC (~$130 million) unaccounted for.

The incident has drawn further scrutiny from Korean regulators, who said that the error "has exposed the vulnerabilities and risks of virtual assets." Regulatory agencies in the country had already been cracking down on crypto firms following a $30 million hack of the Upbit crypto exchange in November 2025.

As many companies do these days, the Winklevosses tried to pin the layoffs on AI, claiming that the engineers using AI are ten times more productive. "A smaller organization, leveraging the right tools, isn't just more efficient, it's actually faster," they wrote — in a blog post that itself reeks of AI.

CrossCurve took a conciliatory tone in on-chain messages sent to the thief, writing, "These tokens were wrongfully taken from users due to a smart contract exploit. We do not believe this was intentional on your part, and there is no indication of malicious intent." (Who among us hasn't accidentally stolen millions of dollars?) However, they warned, they planned to escalate to working with law enforcement and blockchain security firms to investigate and prosecute the theft if the funds were not returned within 72 hours.

Aperture has said they disabled portions of their web app impacted by the bug, and are working to try to trace and recover stolen funds.

Most of the lost funds came from a single user, who lost $13.34 million in assets. Other users lost a combined $90,000.

zachxbt has alleged that "Lick" is a man named John Daghita. After reporting Daghita's identity, "Lick" appeared to try to scrub his Telegram account, then dusted zachxbt's public crypto wallet from one of the theft addresses.

Daghitia is reportedly the son of Dean Daghita, the owner of Command Services & Support (CMDSS). In October 2024, CMDSS landed a contract with the US Marshals to manage seized crypto assets, which is still active. After zachxbt linked the younger Daghita to his father and CMDSS, CMDSS also scrubbed its online presence. Around that time, Lick began trolling zachxbt again, and later sent 0.6767 ETH (~$1,900) of the stolen funds to zachxbt.

CMDSS' website boasts that they are "a proven provider of mission-critical services to the Department of Defense and Department of Justice".

The Saga Dollar token lost its peg and fell to around $0.75 after the attack.

He launched the project on January 12, and buyers piled in in hopes of being early to a high-profile crypto token endorsed by a public figure. However, within hours, the team began pulling liquidity as the price peaked, extracting around $2.5 million. As the price began to fall, the team added back around $1.5 million, leaving around $1 million unaccounted for.

Additionally, on-chain researchers observed at least one wallet that spent almost $750,000 to purchase around 1.5 million $NYC around 10 minutes before the token was publicly announced, leading to speculation around insider trading. However, because of the token price crash after the team began pulling liquidity, the apparent insider ultimately lost around $500,000.

People were quick to accuse Adams, or his unidentified crypto team, of rug-pulling buyers. Adams and the project's social media account have claimed that the team was simply moving or "rebalanc[ing]" liquidity, though they have not yet offered any explanation as to where the missing $1 million went.

Around $700,000 of the stolen assets were frozen thanks to intervention by a security firm called ZeroShadow, although this represents only 0.2% of the total loss.

Truebit acknowledged the hack and urged users not to interact with the vulnerable smart contract.

Some crypto exchanges, such as Upbit and Bithumb, halted withdrawals and deposits for FLOW after the exploit was discovered. Flow later confirmed the exploit, and said that validators "executed a coordinated halt" of the network to shut down the attack.

Binance founder Changpeng Zhao — who supposedly has no managerial role at Binance after he and the company were criminally charged in the US — announced that Binance would reimburse users who lost funds.

After the theft, the victim sent an on-chain message to the scammer, offering a $1 million "bounty" for the return of the remaining funds. They threatened, "We have officially filed a criminal case. With the assistance of law enforcement, cybersecurity agencies, and multiple blockchain protocols, we have already gathered substantial and actionable intelligence regarding your activities." However, there's been no activity from the wallet since the message, and the thief had long since begun laundering the funds via Tornado Cash.

This is Yearn's fourth hack, following the $6.6 million theft in November, an $11 million exploit in 2023, and an $11 million exploit in 2021. Yearn also lost around $1.4 million in 2023 in connection to the Euler Finance attack.