hacker

On-chain investigator Specter issued a security warning that a certain old liquidity pool of the Solana DeFi protocol Raydium is suspected to have been attacked, with the attacker stealing approximately $1.34 million in assets, mainly including USDC, RAY, and wSOL. The hacker has transferred the stolen funds to Ethereum via a bridge and subsequently deposited them into Tornado Cash for mixing.

According to Cointelegraph, Anthropic has released the first public version of the Claude Mythos model, Fable 5. Despite built-in safety barriers, cryptocurrency users are concerned that it may be used for malicious purposes. The model had previously been found to have over 10,000 high-risk vulnerabilities in "systemically important software." Anthropic stated that Fable 5 is now secure for general use, and the barriers will redirect topics like cybersecurity to other models.Simon Dedic, founder of Moonrock Capital, warned that the cost and skill requirements for using Fable 5 to find smart contract vulnerabilities will "drop to virtually zero," making unaudited protocols targets, and known vulnerabilities will be continuously exploited. He advised users to revoke wallet authorizations, move assets out of protocols, and transfer to new hardware wallets.Michael Egorov, co-founder of Curve, believes the threat is exaggerated, as the amount of smart contract code is only a few thousand lines. Humans and conventional AI can already reason sufficiently, and the real risks lie in operational security and supply chain attacks.

According to the official announcement, Humanity has shared the real-time tracking page of the stolen funds with all CEXs, DEXs, and trading aggregators, and will continue to update the relevant data. The project team has also set up a reward of 1 million USDT for any information that helps recover the stolen funds, and all recovered funds will be used to repurchase H tokens.In addition, while formulating a recovery plan for affected users, the team has launched a real-time tracker for the attacker's address and downstream fund flows, publicly displaying the attacker's wallet, fund movements, and asset disposal status to allow users to monitor the progress of the event in real-time.

According to on-chain analyst Yu Jin's monitoring, the Humanity attackers have issued an additional 1 billion H tokens 20 minutes ago.Yu Jin stated that previously the attackers had repeatedly issued H tokens in increments of 100 million, but this time they directly issued 1 billion. However, as market liquidity continues to dry up, the attackers' cash-out ability has significantly decreased. Currently, selling 10 million H tokens at once can only be exchanged for about 6 BNB, worth approximately 3,600 USD. The price of H has now fallen to about 0.0003 USD.

According to on-chain analyst Yu Jin's monitoring, "private key leakage" has allowed the issuance and selling of H to last for 13 hours, with the so-called "hacker" still able to issue H and sell it on the BSC chain, squeezing the last penny from the pool. The "hacker" has issued 300 million H and has sold approximately 450 million, cashing out 34 million dollars (ETH + BNB).The liquidity in the H pool on BSC has been reduced to only 13 dollars, and the price of H has dropped by 99.9% to 0.0009 dollars. Meanwhile, the perpetual contract price in CEX is 0.09 dollars, a price difference of 100 times. Essentially, it has become two unrelated coins.

According to Lookonchain monitoring, 6 hours ago, the Pando Rings hacker (0x303...3d9F) spent 10 million DAI to buy 6,243 ETH at an average price of $1,602.

According to on-chain analyst PeckShield (@PeckShieldAlert), approximately 19 hours ago, TesseraDao (@TesseraDao) on the BNB Chain was attacked, with hackers maliciously minting 99 million TSR and immediately selling it off, causing the TSR price to plummet by 99%.The attackers then exchanged the obtained TSR for approximately 2.5 million USDT and transferred the funds across chains to Ethereum, where they have completed money laundering operations of 1,285.5 ETH through TornadoCash.

According to The Defiant, approximately $220 million of unfrozen funds from the Kelp DAO cross-chain bridge attack has been almost entirely laundered by hackers. On-chain analyst Arkham Intelligence tracking shows that only about $1.7 million remains in the original attacker's wallet. This hacker is linked to North Korea and previously launched a $292 million cross-chain bridge attack on LayerZero in April.Funds were transferred using privacy tools such as THORChain, Wasabi, Tornado Cash, and Umbra. The approximately $71 million in Ethereum frozen by the Arbitrum security council on April 20 is currently the only recoverable portion. A report released by LayerZero on May 18 attributed the attack to the North Korean group TraderTraitor. Kelp has recovered approximately 116,000 rsETH by migrating to Chainlink CCIP and the DeFi United program, while the Aave security module absorbed about $190 million in bad debt.

The DeFi protocol Radiant announced that after experiencing a hacker attack in October 2024, and after 18 months of continuous efforts, the DAO no longer has a viable path to continue operations and will gradually enter the "sunsetting" phase.Currently, the project has no progress in recovering funds, no new capital injection, and lacks the funds and development space to maintain normal operations, thus it cannot continue responsible long-term operations.

A white hat hacker using the alias "0xflorent" stated on X on Sunday that he has helped recover approximately 1,003 ETH (worth about $2 million) from a faulty smart contract of the Hong Coin (HONG) token sale in 2016, involving 48 investors.Hong Coin was originally designed as a community-operated decentralized venture capital fund, with the token sale starting on August 29, 2016, and ending on October 28 of the same year, but it failed to launch due to not reaching its funding goal. The contract was supposed to automatically refund investors, but a vulnerability in the refund function caused the funds to be locked for nearly a decade.0xflorent collaborated with the HONG creator to exploit an administrator function with an integer overflow vulnerability, resetting the token holders' balances and triggering the refund mechanism through specific inputs, successfully extracting the locked funds. According to Etherscan data, one investor has already received a refund of 96 ETH (approximately $192,500). Previously, on May 24, 0xflorent also recovered 19.33 ETH from another failed token sale project from 2018.

According to The Block, a developer using the pseudonym Florent helped rescue approximately 1003 ETH (worth about $2 million) that had been trapped in the 2016 HongCoin ICO contract for nine years through white hat hacking techniques. The ICO was supposed to automatically refund due to not meeting the funding target, but a coding error caused the funds to be locked. The contract used an old version of the Solidity language, lacking overflow protection mechanisms.Florent discovered that by calling the team's admin function and inputting a specific value, he could reset the holder's balance to 1, thereby releasing the ETH through a refund check. This admin function was restricted to HongCoin's multi-signature address. Florent contacted the team and, after verifying the process on the test network, the team signed the unlock transaction themselves. The entire process took about a week, during which the team signed 41 transactions covering approximately 1000 ETH. So far, two investors have claimed 96.5 ETH and voluntarily paid Florent a white hat reward. Florent stated that his motivation was curiosity and understanding how the old contract worked.

According to monitoring by PeckShieldAlert, the Gravity Bridge hacker has stolen approximately $5.4 million and has laundered part of the stolen assets through ChangeNow and Binance, currently still holding 2,102 ETH (approximately $4.23 million).Previously, according to on-chain analyst Specter, the cross-chain bridge Gravity Bridge was suspected to have been attacked, with its contract keys seemingly leaked, resulting in approximately $5.4 million in assets being stolen. The stolen assets mainly include about $4.3 million in USDC, 274 WETH (approximately $553,000), $434,000 in USDT, and $64,000 in PAYG. Currently, Gravity Bridge officials have not responded.

On-chain monitoring shows that a batch of funds suspected to be related to hacking or phishing activities has recently continued to buy Monero (XMR), with a total purchase scale of approximately 23 million dollars, significantly impacting market prices.

The court in Qujiang District, Quzhou City, Zhejiang Province, China recently ruled on a hacker case that used government and enterprise websites as a platform for pornography. The defendant, Zhou, illegally controlled over 150 servers (involving 157 government and enterprise units and well-known apps) through website vulnerabilities, batch-injecting malicious files, forcing redirection to overseas pornographic websites, and selling control permissions for profit. To evade tracking, Zhou rented a house and opened accounts using the identities of friends and relatives, arranged for accomplices to operate

Kelp DAO announced on Monday that after losing $293 million due to an attack by North Korea's Lazarus Group on April 18, rsETH has been fully restored after five weeks of repairs. Kelp DAO stated that the final batch of 20,373.7 rsETH has been sent to the LayerZero smart contract responsible for cross-chain transfers, officially concluding the operational phase of the rsETH recovery plan.Multiple crypto protocols contributed funds through the DeFi United initiative to assist in restoring the support for rsETH. The first batch of 25,000 rsETH was transferred on May 13, and withdrawals were reopened the next day. Currently, minting, redemption, and reward operations are all functioning normally. This attack caused a chain reaction in the DeFi lending market, with the attacker borrowing WETH using a large amount of stolen rsETH as collateral on Aave, resulting in Aave incurring $190 million in bad debt. The TVL dropped from $26.4 billion to below $14 billion and has since remained in the range of $13.9 billion to $15.1 billion without showing signs of recovery. In April, there were 25 crypto hacking incidents, resulting in total losses of $630 million.

According to Cryptopolitan, cybersecurity analysts have discovered a new type of fileless remote access trojan (RAT) named RemotePE. It is believed that the cybercrime organization Lazarus Group, associated with North Korea, is using this trojan to attack banks and cryptocurrency companies. The trojan operates entirely in memory, making it difficult for traditional antivirus and forensic tools to detect. Attackers impersonate trading company employees via Telegram, using forged Calendly and Picktime links for social engineering attacks. The malware is loaded in a three-stage chain through DPAPILoader, RemotePELoader, and RemotePE, with the entire process avoiding contact with the file system, utilizing process hollowing, anti-analysis checks, and encrypted C2 communication to evade detection.This malware was first discovered in September 2025. In the first four months of 2026, the Lazarus organization has stolen approximately $577 million in cryptocurrency assets, accounting for 76% of the total global cryptocurrency theft. Since 2017, the organization has accumulated a total theft amount of $6 billion.

According to GoPlus monitoring, the hacker group TeamPCP claims to have obtained the source code from about 4,000 private repositories within GitHub and is selling it for $50,000 on underground forums, offering sample verification. If no one buys it, this batch of data may be publicly released for free later.Previously, GitHub officials confirmed that they are investigating the issue of "unauthorized access to internal repositories," suspecting that malicious VS Code/AI Coding plugins were installed on GitHub employee devices.

According to Onchain Lens monitoring, Echo Protocol was attacked on the Monad chain. The attacker minted 1,000 eBTC ($76.7 million) and withdrew funds from Curvance through a previously tested attack path.Currently, the attacker has deposited 45 eBTC ($34.5 million) into Curvance as collateral, borrowed about 11.29 WBTC ($867,700), and cross-chained to Ethereum, sending 385 ETH (approximately $818,000) to TornadoCash after exchanging for ETH. The attacker still controls a large amount of minted eBTC.

According to monitoring by PeckShield, Verus's Verus-Ethereum Bridge has been hacked, with lost assets including 103.6 tBTC, 1625 ETH, and 147,000 USDC. The hacker subsequently exchanged the stolen assets for approximately 5402.4 ETH. The attacker's address obtained an initial fund of 1 ETH about 14 hours ago through the mixing protocol Tornado Cash.