hacker

According to on-chain analyst Yu Jin's monitoring, the Balancer hacker has started exchanging ETH for BTC through THORChain, having already converted 14,300 ETH into 419.3 BTC (worth $32.51 million).He currently holds 7,700 ETH on the ETH chain and 419.3 BTC on the BTC chain, valued at $50.4 million. The assets he stole last November were worth $98 million, which has significantly decreased since the ETH price was around $3,600 at that time.

According to on-chain analyst Yu Jin's monitoring, the KelpDAO hacker exchanged all 75,700 ETH for BTC through THORChain yesterday. The hacker who stole $98 million in assets from Balancer last November also exchanged ETH for BTC through THORChain today.Today, the Balancer hacker has already exchanged 7,000 ETH for 204.7 BTC ($15.88 million) and is still continuing. Currently, the Balancer hacker holds 15,000 ETH ($34.65 million) on the ETH chain and 204.7 BTC ($15.88 million) on the BTC chain.

According to monitoring by Lookonchain, the Balancer attacker has become active again after a 5-month silence, having previously stolen nearly $120 million. They are currently laundering money by exchanging ETH for BTC through THORChain.In the past hour, the attacker has transferred 1,100 ETH (approximately $2.55 million) and is in the process of converting it to BTC.

According to a research report by cybersecurity company Expel, it is tracking a highly assessed APT organization supported by North Korea (DPRK) called "HexagonalRodent," which primarily targets Web3 developers and specializes in stealing high-value digital assets such as cryptocurrencies and NFTs.The organization mainly conducts attacks by forging job postings—posting high-paying positions on LinkedIn and Web3 recruitment platforms to lure job seekers into completing "skills tests" embedded with malicious code, using the tasks.json feature of VSCode to automatically execute malicious programs when victims open project folders. The malware used includes BeaverTail, OtterCookie, and InvisibleFerret, which have capabilities for password theft, remote control, and reverse shell.It is noteworthy that the organization heavily utilizes generative AI tools such as ChatGPT and Cursor to develop malware, build fake company websites, and create AI-generated executive teams, even registering shell companies in Mexico to enhance the credibility of their attacks

According to on-chain analyst Yu Jin's monitoring, within a day and a half, the KelpDAO hacker has exchanged nearly all of the 75,700 ETH (175 million USD) for BTC.The hacker mainly used the THORChain protocol for cross-chain exchanges, contributing 800 million USD in trading volume and 910,000 USD in platform fee revenue to THORChain.

DefiLlama founder 0xngmi posted on platform X, stating that after verifying the data, if the funds seized by Arbitrum are prioritized for use in the AAVE market on Arbitrum, Aave will have no bad debt on Arbitrum under the condition that all rsETH share the depreciation.In a scenario where only the value of the mainnet rsETH is guaranteed (ignoring the value of the mapped version of rsETH on Layer 2), Aave will reduce bad debt on Arbitrum by 80%, from $88 million to $17 million.

The Arbitrum Security Committee announcement has taken emergency action to rescue 30,766 ETH stored at the Arbitrum One address, which is related to the KelpDAO vulnerability. With the assistance of law enforcement, the Security Committee identified the attacker and has always ensured that the safety and integrity of the Arbitrum community are maintained without affecting any Arbitrum users or applications.After extensive technical investigation and review, the Security Committee identified and executed a technical solution to transfer the funds to a secure location without impacting the state of any other chains or Arbitrum users. As of 11:26 PM Eastern Time on April 20, the funds have been successfully transferred to an intermediate frozen wallet. The address that originally held the funds can no longer access them, and only the Arbitrum governance body can take further action to transfer these funds, which will be coordinated with the relevant parties.

Curve founder Michael Egorov stated that the recent large number of avoidable security incidents in DeFi stem from centralized single points of failure, which are harming the entire industry. He cited the Aave and rsETH incidents as examples, indicating that related issues should be prevented before accidents occur, rather than remedied afterward.He called for the industry to collaboratively establish DeFi security standards to reduce single points of failure and to share best practices among project teams, auditing agencies, and risk assessment teams; he also suggested that the Ethereum Foundation and Solana Foundation could coordinate ecological participants to develop security principles and rules.

DefiLlama founder 0xngmi has outlined three possible courses of action that KelpDAO may take following the rsETH hacking incident. Each of the three paths has significant flaws, and the final decision will test KelpDAO's credibility and Aave's risk tolerance.Path One: All users share the losses. KelpDAO will uniformly deduct 18.5% of the losses from all rsETH holders proportionally. Currently, there are about 666,000 rsETH collateralized across the Aave network, primarily highly leveraged on the mainnet and L2 (assuming all are at a 95% liquidation LTV). Once socialized losses occur, the equity of all positions on the mainnet will be completely wiped out, resulting in approximately $216 million in bad debt. The Umbrella protocol can cover $55 million in bad debt, and the Aave treasury will additionally bear $85 million, leaving a gap of about $76 million. KelpDAO may fill this gap by borrowing or selling Aave tokens (currently valued at about $51 million), but this would still put significant pressure on Aave, and all users would need to share the losses.Path Two: Directly rug the rsETH holders on L2. KelpDAO will only guarantee the mainnet rsETH and consider the rsETH on L2 as worthless. Currently, Aave L2 has about $359 million in rsETH collateral (calculated at current oracle prices), and if all are calculated at maximum leverage, it would result in approximately $341 million in bad debt, which cannot be covered by the Umbrella protocol at all. Aave can only use the treasury or borrowing to save part of the market, most likely abandoning chains like Arbitrum, Mantle, and Base, which have the largest losses, leading to a collapse of these L2 markets. This option has a minor impact on the Aave mainnet but would severely damage the credibility of the L2 ecosystem and could trigger a chain reaction.Path Three: Attempt to refund only the holders based on a snapshot taken before the hack, which is extremely difficult to execute. KelpDAO tries to fully refund only the rsETH holders based on the snapshot taken before the hack, while subsequent buyers or transfer holders would bear the losses themselves. However, since funds have significantly flowed after the attack, and the nature of DeFi protocols is liquidity pools, it is impossible to truly distinguish between different batches of depositors, making technical execution very challenging. The hacker borrowed $124 million on the Aave mainnet and $18 million on Arbitrum, and after deducting the coverage from the Umbrella protocol, there remains about $91 million in losses. Although this plan theoretically minimizes the spread of impact, its practical implementation is nearly impossible and could easily lead to legal and community disputes.

The Ethereum Foundation recently released a summary report on the ETH Rangers security project, revealing that during a 6-month security funding program, researchers identified approximately 100 suspected state-sponsored cyber operatives, including infiltrators from North Korea, who have been active in multiple Web3 projects.The report indicates that relevant investigations were advanced through projects like the "Ketman Project," where researchers issued warnings to about 53 blockchain projects, revealing that these individuals infiltrated development teams under false identities and participated in fund flows and technical positions. Meanwhile, some related funds have been frozen, amounting to hundreds of thousands of dollars. The security team also incorporated relevant intelligence into the threat analysis system for the Lazarus Group and disclosed it at security conferences such as DEF CON, showing that state-level cyber attacks are continuously infiltrating the infrastructure of the cryptocurrency industry.In terms of overall results, the program has frozen or recovered over $5.8 million in funds, reported or documented over 785 vulnerabilities, and handled 36 security incidents, indicating that the security threats currently faced by the Ethereum ecosystem have escalated from simple vulnerability attacks to systemic risks involving state-level actors. Additionally, the report points out that North Korean hackers have also infiltrated projects through methods such as "remote IT workers," involving various attack paths such as account takeovers, freelancing platform infiltrations, and fund transfers, making them a key target for industry prevention.The Ethereum Foundation emphasizes that the security of decentralized networks requires "decentralized defense" and will continue to support security research, threat intelligence, and talent development to address the escalating state-level cyber threats.

In response to the recent attack on the "ListaDAOLiquidStakingVault" contract, ListaDAO officially released a statement clarifying that the attacked contract was not deployed by the official team, but rather was a counterfeit contract created by an unverified third party using a similar name. All official contracts of ListaDAO were not affected by this incident.According to an in-depth analysis by the GoPlus security team, the attack occurred on April 16, 2026, and the root cause was a business logic flaw in the third-party contract. When a token transfer was made, it triggered the Dividend.setShares() function and altered the share accounting within the contract, which in turn affected the reward calculation in the claimReward() function. The attacker exploited this vulnerability to deplete the assets within the contract.GoPlus reminds that since this logical flaw exists in both segments of the contract code mentioned above, any development projects that fork or reuse this code face a high risk of being exploited. It is recommended that relevant developers promptly conduct code inspections and fixes, and implement continuous auditing mechanisms to ensure the security of smart contracts.

Tether CEO Paolo Ardoino posted on X that Tether has frozen 3.29 million USDT in the hacker address of Rhea Finance.Paolo Ardoino specifically mentioned, "Tether takes this matter seriously," seemingly implying that Circle has not restricted the actions of hackers using USDC to transfer stolen funds in recent incidents such as Drift.

Bitcoin core developer Jameson Lopp stated that, compared to the potential quantum computing attacks that may arise in the future, he prefers to "freeze" about 5.6 million long-dormant BTC from the network rather than let them be acquired by attackers. These Bitcoins have not moved for over 10 years and may be permanently lost, valued at approximately $42 billion at current prices. If future breakthroughs in quantum computing lead to the decryption of old address private keys, this portion of assets could be re-transferred, triggering severe market fluctuations or even a crisis of confidence.Although the community recently proposed BIP-361, the proposal is still in its early stages and is not an officially promoted plan, but rather more like a contingency plan to address "extreme risks."

The security research organization Elastic Security Labs has disclosed a new social engineering attack targeting personnel in the finance and cryptocurrency industries. The attackers impersonate venture capital firms on LinkedIn and Telegram, tricking targets into opening an Obsidian note repository that contains a built-in malicious payload, thereby deploying a previously unrecorded Windows remote access Trojan called PHANTOMPULSE.This attack does not exploit any software vulnerabilities but instead abuses the Shell Commands plugin of Obsidian to automatically execute malicious code when the note repository is opened. On the macOS side, it uses an obfuscated AppleScript launcher in conjunction with a Telegram channel as a backup command and control server, while on the Windows side, it leverages Ethereum transaction data to achieve blockchain-based C2 address resolution.

The crypto wallet Zerion disclosed that North Korean hackers are using AI for long-term social engineering attacks, stealing approximately $100,000 from the company's hot wallet.Zerion confirmed that user funds, applications, and infrastructure were not affected, and has proactively disabled the web application as a precaution. Zerion also stated that the attackers obtained some session and credential information from team members who were logged in, as well as the private keys of the company's hot wallet, and pointed out that AI is changing the way cyber threats operate.

According to market news, a report released by the blockchain security company Hacken shows that Web3 projects lost a total of $464.5 million this quarter due to hacker attacks and scams, with phishing and social engineering attacks accounting for $306 million, becoming the main source of losses.A hardware wallet scam that occurred in January caused a loss of $282 million, accounting for 81% of the total quarterly losses. Smart contract vulnerabilities led to losses of $86.2 million, while access control failures (including breaches of keys and cloud services) caused losses of $71.9 million. The report points out that the largest security incidents often occur in off-chain operations and infrastructure layers, which traditional audits find difficult to cover. The European regulatory frameworks MiCA and DORA are increasing requirements for security monitoring and incident response, and global regulatory agencies are also raising standards for real-time monitoring and emergency response.

A 27-year-old German hacker, Noah Christopher, was arrested in Bangkok, Thailand, facing up to 74 arrest warrants for cyber crimes in Europe.Investigations show that this individual is suspected of developing and operating a ransomware platform and a "cybercrime-as-a-service" (CaaS) system between 2021 and 2025, including providing distributed denial-of-service (DDoS) attack tools (such as Fluxstress and Neldowner), assisting global clients in launching cyber attacks and charging fees, with related ransom payments involving cryptocurrencies and other digital assets, constituting transnational cybercrime activities. His visa has been revoked, and he is currently detained awaiting extradition to Germany.

Cryptocurrency ATM operator Bitcoin Depot disclosed that it lost approximately 50.9 bitcoins in a cybersecurity incident, equivalent to about $3.7 million at current prices. According to documents submitted to the U.S. Securities and Exchange Commission (SEC), the attack occurred on March 23, with hackers obtaining credentials related to the company's enterprise-level bitcoin wallet, allowing them to breach some internal systems. Bitcoin Depot stated that customer accounts, the platform, and personal data were not affected.