Author: Changan I Biteye Content Team

In April 2026, Kelp DAO was hacked for $292 million, with attackers borrowing real assets on Aave using unsecured tokens, resulting in over $200 million in bad debt within 46 minutes.

This is just one of many theft incidents this year, with Drift being hacked for $285 million, Step Finance for about $30 million, and Resolv Labs for about $23 million. News of thefts keeps coming, and the industry hasn't had time to react before the next project is compromised.

Are there any patterns behind these incidents? How do hackers attack protocols?

This article reviews 20 of the most representative theft cases in history and recent times, attempting to find answers.

From the 20 cases we compiled, three clear patterns emerge:

• Technical vulnerability cases are the majority, but individual losses are relatively limited; while cases of permission and social engineering attacks are fewer, they contribute the vast majority of total losses.

• The scale of permission-based attacks is continuously escalating. In the 20 cases, the four incidents with the largest losses all involved North Korean hackers.

• The battlefield for technical vulnerabilities is shifting; cross-chain bridges have never been secure.

I. The 10 Projects with the Largest Theft Amounts

1. Project Name: Bybit (Amount Stolen: $1.5B | Time: February 2025)

Reason for Theft:

The North Korean hacker organization Lazarus Group (high confidence attribution by FBI and ZachXBT, code-named "TraderTraitor" operation) compromised the multi-signature mechanism of Safe Wallet through front-end UI hijacking and multi-signature fraud.

Attackers injected malicious JavaScript code into the Safe wallet front end. When multi-signature holders (6 signers) executed a routine cold wallet transfer, the UI displayed the normal receiving address and amount, but the underlying Call Data was tampered with, redirecting 401,000 ETH to the attacker's address. Under the "seeing is not believing" deception, 3 out of 6 signers approved the transaction, and the funds were instantly lost.

The fundamental issue: multi-signature relies on human-computer interaction, and the front end's failure to independently verify led to a breakdown in mathematical security; Tether froze the related USDT within hours, while Circle delayed freezing USDC for 24 hours, exacerbating the losses. This incident exposed the deadly threat of social engineering and UI attacks to centralized exchanges, prompting the emergence of trading verification networks like Safenet.

This incident is highly similar to the Drift Protocol model (April 2026, $285M): targeted social engineering to establish trust, followed by UI/signature fraud, marking a shift in hacker tactics from contract vulnerabilities to "human-computer weaknesses."

In subsequent handling, Bybit quickly used its own funds to fully compensate for all losses, ensuring zero loss for users, and the platform is currently operating stably.

2. Project Name: Ronin Network (Amount Stolen: $624M | Time: March 2022)

Reason for Theft:
The North Korean hacker organization Lazarus Group successfully gained full control of the private keys of the validation nodes through social engineering and backdoor methods.

Attackers infiltrated the internal systems of Sky Mavis and exploited a backdoor in the gas-free RPC node to control 5 out of 9 validation nodes (including 4 Sky Mavis nodes and 1 Axie DAO node). They then constructed two forged withdrawal transactions, illegally extracting 173,600 ETH and 25.5M USDC.

The root cause of this incident lies in the highly centralized verification authority in the design of the cross-chain bridge. The threshold for completing operations with 5 out of 9 nodes is almost meaningless in the face of targeted social engineering attacks.

3. Project Name: Poly Network (Amount Stolen: $611M | Time: August 2021)

Reason for Theft:
The core reason for the theft of Poly Network is a serious vulnerability in the permission management design of cross-chain contracts.

Attackers exploited the relationship between two high-permission contracts, EthCrossChainManager and EthCrossChainData, to forge an executable function call. Since EthCrossChainManager itself had the authority to modify the Keeper public key, and the _method parameter used during the call could be customized by the user, attackers successfully called the putCurEpochConPubKeyBytes function, which was originally executable only by high permissions, by constructing a hash collision.

As a result, the attackers replaced their public key with that of the legitimate administrator, gaining control over cross-chain assets and ultimately transferring funds from multiple chains.

4. Project Name: Wormhole (Amount Stolen: $326M | Time: February 2022)

Reason for Theft:
Normally, when users want to transfer assets from one chain to another, the system must first confirm that the assets have indeed been deposited and that the relevant signatures are real and valid; only then will the corresponding assets be generated on the other chain.

The problem with Wormhole lies in the "verification of signatures" step. Wormhole's code used an outdated and insecure function to check the validity of transactions. This function was originally meant to confirm whether the system had indeed completed the signature verification. However, its checks were not rigorous, providing an opportunity for attackers.

Attackers exploited this vulnerability to forge a set of seemingly "verified" information, leading the system to mistakenly believe that the cross-chain operation was real and valid. In other words, the system should have first confirmed "whether the money was really locked in," but because the verification step was bypassed, the system directly trusted the false proof submitted by the attackers.

Thus, the attackers were able to mint a large amount of wETH without actually depositing sufficient assets. After these assets were generated, they were further transferred and exchanged, ultimately leading to a loss of approximately $326 million for Wormhole.

5. Project Name: Drift Protocol (Amount Stolen: $285M | Time: April 2026)

Reason for Theft:
DPRK hackers conducted a six-month targeted infiltration, completing the attack in conjunction with the Solana Durable Nonce pre-signing scam.

Starting in the fall of 2025, attackers disguised themselves as a quantitative trading company, establishing offline trust relationships with Drift contributors at multiple international crypto conferences and injecting over a million dollars into the Ecosystem Vault to build credibility. After gaining trust, the attackers induced members of the Security Council to pre-sign multiple seemingly harmless transactions: using Solana's Durable Nonce mechanism to hide management transfer instructions within. Meanwhile, Drift had just completed its migration to zero-delay multi-signature, eliminating the window for post-event detection and intervention.

After gaining control of the protocol, the attackers registered a fake token CVT with only a few hundred dollars in real liquidity, creating a price illusion through self-buying and selling, and then deposited 500 million CVT as collateral into the protocol, borrowing $285 million in USDC, SOL, and ETH. The entire execution phase lasted only 12 minutes.

Drift officials and the SEAL 911 security team attributed this attack with "medium to high confidence" to the DPRK-associated organization (a state-sponsored hacking group from North Korea), stating that the executor was not a North Korean national but a third-party intermediary controlled by them who completed the offline contact.

6. Project Name: WazirX (Amount Stolen: $235M | Time: July 2024)

Reason for Theft:
The core of this attack lies in the gradual compromise of the multi-signature wallet, ultimately being replaced by a malicious contract.

Attackers first obtained permissions from some signers through phishing and other means (including direct breaches and induced signatures). Based on this, they misled other signers through a forged interface, causing them to unknowingly approve malicious transactions.

After collecting enough signatures, the attackers did not directly transfer assets but instead utilized the upgradable mechanism of the multi-signature wallet to execute a contract upgrade operation, replacing the original implementation contract with their deployed malicious contract.

Once the malicious contract was set as the new execution logic, all subsequent transactions would be redirected, and funds would continuously flow to the attacker's address. Ultimately, control of the multi-signature wallet was completely taken over, and on-chain assets were gradually transferred out.

7. Project Name: Cetus (Amount Stolen: $223M | Time: May 2025)

Reason for Theft:
This attack stemmed from an arithmetic overflow vulnerability in the protocol's liquidity calculation.

Specifically, Cetus had a boundary check error in the mathematical functions used for handling large number calculations. When a certain value reached the critical threshold, the system failed to correctly identify the impending overflow and continued executing the calculation, leading to an anomalously amplified result.

Attackers constructed a set of operational processes around this point:
First, they created extreme price conditions through large transactions, then created liquidity positions in a specific range while only investing a minimal amount of assets (dust level). Under these conditions, the overflow issue in the contract was triggered, causing the system to believe that the attacker should receive far more liquidity shares than their actual input.

Subsequently, the attackers utilized these inflated shares to execute liquidity removal operations, extracting far more assets from the liquidity pool than they had invested. The entire process could be repeated, continuously siphoning funds from the pool, ultimately causing massive losses.

8. Project Name: Gala Games (Amount Stolen: $216M | Time: May 2024)

Reason for Theft:

The core of this attack lies in the private key of the high-permission minting account being compromised, leading to a failure in access control.

Gala's contract itself has permission restrictions on the mint function, but one account with minting permissions (minter account) had its private key obtained by the attackers. This account had not been used for a long time but still retained full high permissions.

After gaining control of this account, the attackers directly called the mint function of the contract, minting approximately 5 billion GALA tokens and transferring them to their personal address. Subsequently, the attackers exchanged these tokens in batches on the market for ETH, realizing cash out.

The entire process did not exploit smart contract vulnerabilities but instead executed malicious operations directly through legitimate permissions.

9. Project Name: Mixin Network (Amount Stolen: $200M | Time: September 2023)

Reason for Theft:
The core of this attack lies in Mixin storing private keys in a centrally managed cloud database.

Mixin Network claims to be maintained by 35 mainnet nodes, supporting cross-chain transfers across 48 public chains, but the private keys for its hot wallets and numerous deposit addresses were stored in a "recoverable manner" in a third-party cloud service provider's database. In the early hours of September 23, 2023, attackers breached this database and extracted these private keys in bulk.

With the private keys in hand, attackers did not need to crack any contract logic; they could directly initiate transfers with legitimate signatures. On-chain records show that attackers sequentially emptied addresses in order of balance, involving over 10,000 transactions over several hours, with major assets including approximately $95.3 million in ETH, $23.7 million in BTC, and $23.6 million in USDT, with USDT quickly exchanged for DAI to avoid freezing.

10. Project Name: Euler Finance (Amount Stolen: $197M | Time: March 2023)

Reason for Theft:
The core of this attack lies in inconsistencies in the internal asset and liability calculation logic of the protocol, which were amplified and exploited by flash loans.

Specifically, Euler's DonateToReserve function only destroyed the eToken representing collateral assets during execution but did not synchronize the destruction of the dToken representing liabilities, leading to a breakdown in the correspondence between "collateral" and "liabilities" in the system.
In this situation, the protocol mistakenly believed that collateral assets had decreased and that the debt structure had changed, resulting in an abnormal asset state.

Attackers constructed a complete operational process around this point:
First, they borrowed a large amount of funds through flash loans, performed deposit and borrowing operations within the protocol, and repeatedly adjusted the relationship between eToken and dToken quantities. By exploiting the aforementioned logical flaw, the system continuously generated erroneous asset/liability states, allowing them to obtain borrowing limits exceeding their actual collateral capacity.

After gaining an abnormally amplified borrowing capacity, attackers then withdrew funds in batches and completed transfers using various assets (DAI, USDC, stETH, wBTC). The entire process was completed in a single transaction and amplified profits through multiple operations, ultimately resulting in a loss of approximately $197 million.

II. Recent Theft of 10 Projects

1. Project Name: Hyperbridge (Amount Stolen: Approximately $2.5M, April 2026)

Reason for Theft:
The core of this incident lies in the flawed proof verification logic of the Token Gateway.

Attackers exploited a lack of input validation in the MMR (Merkle Mountain Range) proof check to forge a cross-chain proof that should not have passed. Due to the system mistakenly treating this invalid proof as valid, the attackers further gained management rights over the Ethereum bridging DOT contract, subsequently minting approximately 1 billion forged bridged DOT and dumping it on Dex.

At the same time, the attack also affected DOT pools on Ethereum, Base, BNB Chain, and Arbitrum, with officials later revising the initial estimated loss of approximately $237,000 to about $2.5 million.

2. Project Name: Venus Protocol (Amount Stolen: Approximately $3.7M to $5M, March 2026)

Reason for Theft:
The core of this attack lies in the ability to bypass supply cap checks, compounded by the exploitation of exchange rate calculation logic.

Specifically, Venus directly uses balanceOf() to read the real balance in the contract when calculating market funds; however, the supply cap restriction is only checked during the mint() process.
Attackers bypassed the mint() by directly transferring underlying assets to the vToken contract (ERC-20 transfer), thus avoiding the supply cap check.

Since these funds were counted in the contract balance, the system mistakenly believed that the pool's assets had increased when calculating the exchange rate, but the corresponding vToken quantity did not increase, leading to an abnormal increase in the exchange rate.
In this situation, the value of the collateral assets held by the attackers was amplified, allowing them to obtain borrowing capacity far exceeding their actual collateral.

Subsequently, attackers repeatedly executed borrowing → raising prices → re-borrowing cycles, extracting multiple assets from the protocol, ultimately causing approximately $5 million in losses.

3. Project Name: Resolv Labs (Amount Stolen: Approximately $23M to $25M, March 2026)

Reason for Theft:
The core of this attack lies in the compromise of the key signing private key and the lack of upper limit checks on minting in the on-chain contract.

Resolv's USR minting process relies on an off-chain service: users first submit requests, which are then signed by a system holding a privileged private key (SERVICE_ROLE), and finally executed by the contract for minting.
However, the contract only checks "whether the signature is valid" and does not verify "whether the minted quantity is reasonable," nor does it have collateral ratios, price oracles, or maximum minting limits.

Attackers infiltrated the project's cloud infrastructure and obtained this signing private key, allowing them to generate valid signatures independently.
With signing authority, attackers used a small amount of USDC (approximately $100,000 to $200,000) as input, forged parameters, and directly minted approximately 80 million USR without collateral support.

Subsequently, these uncollateralized USR were quickly exchanged for other stablecoins and ultimately converted to ETH, with funds gradually being transferred out, while a large increase in supply caused the USR price to rapidly decouple.

4. Project Name: Saga (Amount Stolen: Approximately $7M, January 2026)

Reason for Theft:
The core of this attack lies in the flawed verification logic of the EVM precompile bridge.

SagaEVM used an EVM implementation based on Ethermint, which contained undiscovered vulnerabilities affecting the transaction verification logic of the cross-chain bridge.
Attackers constructed specific transactions to bypass checks on "whether collateral assets had been deposited" and "stablecoin supply limits" during the bridging process.

With the verification bypassed, the system treated these forged messages as legitimate cross-chain operations and minted the corresponding amount of stablecoins according to the process. Since there was no real collateral support, attackers could mint large amounts of stablecoins at no cost and exchange them for real assets within the protocol.

Ultimately, protocol funds were continuously siphoned off, stablecoins decoupled, and approximately $7 million in assets were transferred out.

5. Project Name: Solv (Amount Stolen: Approximately $2.5M, March 2026)

Reason for Theft:
The core of this attack lies in the dual minting vulnerability in the BRO Vault contract (triggered by reentrancy).

Specifically, when the contract receives ERC-3525 assets, it calls doSafeTransferIn, and since ERC-3525 is based on ERC-721, the safe transfer process triggers the onERC721Received callback.

In this process, the contract executes a minting operation in the main process while triggering another minting operation in the callback function.

Since the callback occurs before the first minting is fully completed, attackers can trigger two minting operations in a single deposit operation, forming a typical reentrancy path. By repeatedly exploiting this vulnerability, attackers amplified a small amount of assets into a large amount of BRO, which they then exchanged for SolvBTC and transferred out.

6. Project Name: Aave (Indirectly Affected, Bad Debt Risk Approximately $177M to $236M, April 2026)

Reason for Theft:
The direct vulnerability in this incident does not lie with Aave but rather stems from the failure of Kelp DAO's cross-chain bridge verification mechanism.

Attackers sent a forged message to the LayerZero-based cross-chain bridge, causing the system to mistakenly release and mint approximately 116,500 rsETH without actual ETH being deposited. These rsETH had no real asset backing but were treated as normal collateral assets within the system.

Subsequently, the attackers deposited these uncollateralized rsETH into Aave as collateral and borrowed a large amount of real assets (WETH). Due to Aave's parameter settings allowing large-scale collateralization and borrowing, the attackers completed the borrowing and transferred the funds in a short time.

The final result is:
Attackers transferred the risk to Aave through the method of "forged collateral assets → borrowing real assets," resulting in large-scale bad debt.

7. Project Name: YieldBlox (Amount Stolen: Approximately $10.2M, February 2026)

Reason for Theft:
The core of this attack lies in the oracle price being manipulable by a single transaction (low liquidity + VWAP mechanism).

Before the attack, the USTRY/USDC trading pair had almost no liquidity, and there were no normal trades within the oracle price window. The Reflector oracle used by YieldBlox is based on VWAP (volume-weighted average price), making it possible for a single transaction to determine the price.

Attackers first posted an extreme price (approximately 500 USDC / USTRY) and then completed a trade with another account at a very small transaction volume (only about 0.05 USTRY), successfully raising the oracle price to about $106.

After the price was inflated, the USTRY held by the attackers was treated by the system as high-value collateral, allowing them to obtain borrowing limits far exceeding the actual value. Subsequently, the attackers directly borrowed all assets in the pool (XLM and USDC), completing the fund extraction.

8. Project Name: Step Finance (Amount Stolen: Approximately $30M to $40M, January 2026)

Reason for Theft:
The core of this attack lies in the devices of core project members being compromised, leading to the loss of private keys or signing processes.

Attackers gained access to the project control wallet by infiltrating the devices of team executives. This access may include directly obtaining private keys or interfering with the transaction signing process through implanted malicious programs, causing managers to unknowingly approve malicious transactions.

After gaining control, attackers operated multiple Solana wallets controlled by the project, including unstaking assets and transferring funds out. The entire process did not involve smart contract vulnerabilities but directly utilized the wallet permissions obtained.

Ultimately, project funds were massively transferred out, resulting in approximately $30 million in losses and triggering a significant drop in token prices.

9. Project Name: Truebit (Amount Stolen: Approximately $26M, January 2026)

Reason for Theft:
The core of this attack lies in an integer overflow vulnerability in the TRU purchase pricing function.

In the price calculation process of buyTRU(), multiple large number multiplications and additions are involved, but the contract uses Solidity version 0.6.10, which does not have overflow checks by default.
When attackers input a specific large parameter, intermediate calculation values overflow, causing a wrap-around and leading to an abnormally low final calculated purchase price, even zero.

In this case, attackers could buy large amounts of TRU at extremely low or even zero cost.
Meanwhile, the protocol's selling logic (sellTRU()) still calculates according to normal rules, allowing them to proportionally exchange for ETH reserves in the contract.

Attackers then repeatedly executed:
👉 Low/zero-cost buying of TRU → Selling at normal prices → Extracting ETH

Through multiple rounds of operations, they continuously siphoned funds from the protocol, ultimately causing approximately $26 million in losses.

10. Project Name: Makina (Amount Stolen: Approximately $4.1M, January 2026)

Reason for Theft:
The core of this attack lies in the reliance on external Curve pool data for AUM / sharePrice calculations, lacking verification, and being manipulated by flash loans.

Attackers borrowed large amounts of funds through flash loans, temporarily injecting liquidity into multiple Curve pools and trading, artificially altering pool states and related calculation results (such as LP value, withdraw calculation results, etc.).
This manipulated data was directly used by the protocol for AUM (Assets Under Management) calculations, further affecting sharePrice.

Due to the lack of effective verification or time-weighted processing of external data, the system treated this abnormal data as real values, leading to:

• AUM being significantly inflated

• sharePrice being abnormally amplified

After sharePrice was inflated, attackers exploited the price difference to conduct arbitrage operations, exchanging assets from the DUSD/USDC pool to realize profits.

III. Common Patterns and Insights from 20 Theft Incidents

From these 20 incidents, we can see an increasingly clear trend: the paths hackers take to steal large amounts of assets ultimately boil down to two: technical vulnerabilities and social engineering.

1️⃣ Technical Vulnerabilities: The temporal distribution of technical vulnerability cases reveals a clear migration path.

Early technical vulnerabilities were highly concentrated in cross-chain bridges, which were the fastest-expanding, newest, and least audited infrastructure during that phase. They carried a large amount of assets but had not yet undergone sufficient adversarial testing.

Subsequently, the industry began to pay attention to the security of cross-chain bridges, with verification mechanisms generally strengthened, and large-scale technical vulnerabilities in cross-chain bridges significantly reduced. However, vulnerabilities did not disappear; they simply shifted to other areas—moving into the mathematical logic within DeFi protocols, oracle designs, and dependencies on third-party libraries.

• Cetus: Boundary condition errors in mathematical libraries,

• Truebit: Integer overflow in old compiler versions,

• YieldBlox: Overreliance on oracles in low liquidity markets.

The essence behind this is singular: the attack surface always follows the assets, follows the age of the code, and follows the blind spots in audit coverage. A certain type of infrastructure is concentratedly attacked, the industry begins to pay attention, defenses are strengthened, and then attackers shift to the next fastest-growing, least-defended area.

2️⃣ Social Engineering: In these 20 theft cases, 4 have been confirmed or highly attributed to North Korean state hacker organizations—Ronin, WazirX, Bybit, and Drift, with total losses exceeding $2.5 billion.

According to Chainalysis data, North Korea-associated hacker organizations stole over $2 billion in crypto assets in 2025 alone, accounting for nearly 60% of the total crypto theft that year. Compared to 2024, the number of North Korean hacker attacks decreased by 74%, but the average amount per attack significantly increased.

North Korean hackers' methods are also continuously upgrading, from direct infiltration of internal systems during the Ronin period to supply chain attacks on Bybit, and then to six months of offline infiltration in Drift, each time finding new ways beyond existing defenses.

More concerning is that North Korean hackers are also massively embedding undercover employees disguised as developers within the global crypto industry. Once they enter target companies, these individuals can understand the internal system structure, gain access to code repositories, and quietly implant backdoors in production code.

The scope of the impact from thefts is expanding: early theft incidents were largely limited to the protocols themselves, but as the composability of DeFi deepens, single-point impacts begin to transmit outward.

• Drift: After the theft, at least 20 protocols relying on its liquidity or strategies experienced interruptions, pauses, or direct losses, with Carrot Protocol seeing 50% of its TVL affected.

• Aave: The Aave contract itself had no issues; merely by accepting Kelp DAO's rsETH as collateral, the failure of external bridge verification directly translated into bad debt risk for Aave.

These patterns ultimately point to a reality: depositing assets into a protocol is not just about trusting the code of that protocol. You are also trusting every external asset it relies on, every third-party service, and the judgment and operational security of those few individuals holding management authority.

Recently, news of thefts has been coming in one after another. Polymarket just launched a market this month asking, "Will there be a crypto project stolen for over $100M this year?" and the market settled in less than a month. This is not coincidental; the scale of assets in DeFi is growing, the dependencies between protocols are deepening, but the ability to safeguard funds has not kept pace with this speed.

The pressure for security has not eased, but the dimensions of threats are increasing. In April 2026, Anthropic released the Claude Mythos Preview, which discovered thousands of high-risk vulnerabilities across every mainstream operating system and browser during testing, and could convert 72% of known vulnerabilities into usable attack paths.

If this capability is systematically applied to scan smart contracts, it means that vulnerabilities in the DeFi industry will be discovered and exploited at an unprecedented speed. Meanwhile, project parties can also proactively use this tool for self-checks, identifying and fixing potential risks in advance, further enhancing their security defenses.

⏰ For ordinary users, these cases provide several direct insights:

1. Do not concentrate assets in a single protocol. While diversifying storage cannot completely eliminate risks, it can control the upper limit of single losses.

2. Maintain distance from new protocols. Most technical vulnerabilities are discovered early after a protocol goes live. A protocol that has been running for two years, undergoing multiple rounds of audits and real stress tests, is much safer than one that just launched with high yields.

3. Check whether the protocol is genuinely profitable. Profitable protocols have actual compensation capabilities when losses occur. Protocols that rely on token incentives to maintain operations and have no real income often can only offer new tokens or vague promises as compensation when issues arise.

A truly mature financial infrastructure will not allow security to always be ranked behind growth metrics. Until that day arrives, news of thefts will not cease.

Risk Warning: All content in this article is for informational reference only and does not constitute any investment advice. The cryptocurrency asset market is highly volatile, and smart contracts carry inherent risks; please make independent judgments after fully understanding the risks.