stolen

According to Cointelegraph, stablecoin issuer Circle is facing a class-action lawsuit in the U.S. District Court for the District of Massachusetts for failing to freeze the stolen funds from the Drift Protocol during the attack incident.The plaintiffs claim that the attacker transferred approximately $230 million USDC from Solana to Ethereum within hours using Circle's Cross-Chain Transfer Protocol (CCTP), and Circle did not intervene. The lawsuit accuses Circle of complicity and incitement to misappropriation and negligence. Crypto analytics firm Elliptic previously suspected that the attack may be related to North Korean-backed hackers, and the related funds were subsequently exchanged for ETH and transferred via Tornado Cash.

According to on-chain analysis platform Arkham (@arkham), attackers exploiting the Bridged Polkadot vulnerability have transferred all stolen funds into Tornado Cash, involving an amount of approximately $269,000.

According to Decrypt, Bitcoin ATM operator Bitcoin Depot Inc. suffered a security breach on March 23, with hackers stealing approximately 50.9 bitcoins from the company's controlled wallet, valued at $3.665 million.It is reported that the attackers infiltrated the company's IT system and obtained credentials for the digital asset settlement account, allowing them to transfer cryptocurrency without authorization. This is at least the second known security incident for the company, which previously experienced a hack in 2023 that resulted in the personal data of 58,000 users being compromised.

Drift posted on platform X that it has confirmed key information related to the vulnerability attack. Drift is currently sending on-chain messages from address (0x093...C105) to four ETH wallets holding the stolen funds, indicating that it is ready to engage in dialogue and requesting the other party to contact them via Blockscan chat.Drift will share further updates with the community after third-party attribution is completed. Previously, it was reported that the Solana ecosystem Drift Protocol was attacked, resulting in losses of at least $200 million.

The attacker stole the npm access token of the chief maintainer of Axios, the most popular HTTP client library for JavaScript, and used that token to publish two malicious versions containing cross-platform remote access trojans (RATs) (axios@1.14.1 and axios@0.3.4), targeting macOS, Windows, and Linux systems. The malicious packages were removed from the npm registry about 3 hours after being published.According to data from security company Wiz, Axios is downloaded over 100 million times weekly and exists in about 80% of cloud and code environments. Security company Huntress detected the first infections just 89 seconds after the malicious packages went live and confirmed that at least 135 systems were compromised during the exposure window. Notably, the Axios project had previously deployed modern security measures such as OIDC trusted publishing mechanisms and SLSA provenance proofs, but the attacker completely bypassed these defenses. Investigations revealed that while configuring OIDC, the project retained the traditional long-lived NPM_TOKEN, and npm defaults to using the traditional token when both coexist, allowing the attacker to publish without breaching OIDC.

Drift Protocol tweeted that a malicious actor gained unauthorized access through a new type of attack involving durable nonce, quickly taking over the management rights of the Drift security committee. The attack was highly sophisticated, prepared over several weeks, and included the use of durable nonce accounts to pre-sign transactions to delay execution. Current investigations show that the cause of this incident is not due to vulnerabilities in the Drift program or smart contracts; there is no evidence that the mnemonic phrases were stolen; the attacker gained access through unauthorized or forged transaction approvals (possibly involving social engineering).The final result led to approximately $280 million in funds being withdrawn from the protocol. All lending, vault deposits, and trading funds were affected. DSOL (the portion not deposited in Drift, including assets staked to Drift validators) and insurance fund assets were not affected, and the latter is being withdrawn for protection. As a precaution, all remaining protocol functions have been frozen, and the multi-signature has been updated to remove the compromised wallet.

The analysis of the Drift theft incident by Slow Fog pointed out that a week before the attack, Drift adjusted its multi-signature mechanism to "2/5" (1 old signer + 4 new signers) and did not set a timelock. The attacker then gained administrator privileges, forged CVT tokens, manipulated the oracle, disabled security mechanisms, and transferred high-value assets from the liquidity pool.Currently, the stolen funds have mainly been aggregated to an Ethereum address, totaling approximately 105,969 ETH (about 226 million USD). Slow Fog stated that the flow of related funds is still being tracked.

Renowned on-chain detective ZachXBT has once again criticized Circle, stating that the Drift hacking incident occurred during U.S. trading hours, with millions of USDC transferred from Solana to Ethereum via CCTP (Circle's cross-chain protocol), while Circle remained inactive and took no action.A few days ago, Circle casually froze at least 16 corporate hot wallets, which are still slowly being unfrozen. ZachXBT concluded, "Circle is the bad actor in this industry."

According to on-chain analyst aryan's disclosure on the X platform, in the attack incident on the Drift protocol treasury, the attacker's address obtained funds through NEAR Intents 8 days ago but remained inactive until receiving a large amount of assets from the Drift treasury.The attacker transferred the funds to multiple money laundering addresses. Notably, these money laundering addresses received funds through Backpack yesterday, and Backpack should have conducted KYC verification on these accounts. Subsequently, the money laundering addresses transferred the funds to an Ethereum address via Wormhole, which had previously received funds through Tornado Cash.

According to Ember Monitoring, the $285 million in assets stolen from Drift has been exchanged for 129,000 ETH (approximately $278 million).

According to on-chain analyst Yu Jin (@EmberCN), a Kraken user is suspected of falling victim to a social engineering attack, resulting in the theft of 8,662 ETH, worth approximately $18.19 million. The attacker then exchanged 878 ETH for 26.5 BTC using the cross-chain tool THORChain, and six hours later transferred all stolen assets (7,784 ETH + 26.5 BTC) to the HitBTC exchange.

The U.S. Attorney's Office for the Southern District of New York has filed charges against Maryland man Jonathan Spalletta (36 years old), accusing him of hacking the decentralized exchange Uranium Finance twice in 2021. Prosecutors claim that Spalletta first stole approximately $1.4 million through deceptive smart contract transactions, and weeks later exploited a contract vulnerability to take $53.3 million, causing the exchange to shut down due to depleted funds.The stolen funds were subsequently used for money laundering and purchasing millions of dollars worth of rare Pokémon and Magic: The Gathering cards, as well as collectibles including a piece of original fabric from the Wright brothers' airplane that had reached the lunar surface during the Apollo moon landing mission. Spalletta faces two charges: computer fraud (up to 10 years) and money laundering (up to 20 years), with a maximum combined sentence of 30 years. U.S. authorities had previously recovered $31 million in cryptocurrency assets in February 2025.

Bo Shen, the founder of Distributed Capital, posted on social media to publicly solicit clues related to the theft of his personal wallet and established a bounty mechanism.Bo Shen stated that his personal wallet was hacked in 2022, resulting in a loss of approximately $42 million. In the three years since the incident, his team has continued tracking efforts and has now gathered more key clues and evidence, with the on-chain flow path of the stolen assets gradually becoming clearer. This bounty program is open to all individuals and institutions, with no restrictions on identity, background, or form. Anyone who makes a substantial contribution to the recovery of the assets will receive a reward of 10% to 20% of the final recovered amount, with the specific percentage determined based on the actual contribution level.

The Chief Information Security Officer of Slow Fog, 23pds (Shan Ge), posted on the X platform stating that there are reports that the LiteLLM vulnerability attackers have stolen approximately 300GB of data and compromised about 500,000 credentials. He advises all cryptocurrency developers to immediately verify and quickly rotate relevant keys and credentials, check logs, access records, and the exposure of sensitive data to avoid losses similar to the Trust Wallet incident.Previously, it was reported that LiteLLM, which has a monthly download volume of 97 million, suffered a supply chain attack, allowing the simple installation to steal all sensitive credentials, including SSH keys.

Resolv Labs disclosed on platform X that the Resolv team has sent an on-chain message to the attacker's address, proposing to return 90% of the stolen funds (approximately 25 million USD in ETH) in exchange for keeping the remaining 10% as a settlement incentive, with a deadline of 72 hours. If the attacker does not respond within the specified time, Resolv will take escalated measures such as coordinating with centralized exchanges, cross-chain bridges, and infrastructure providers to freeze assets, publicly disclose relevant addresses and transaction traces, collaborate with blockchain analysis companies and law enforcement agencies, and take legal action.Previously, Resolv Labs updated on the security incident, stating that a malicious attacker illegally accessed Resolv's infrastructure through a stolen private key and minted approximately 80 million USD in uncollateralized USR, of which 9 million illegally minted USR have been destroyed.

According to on-chain analyst Ai Yi (@ai_9684xtpa), the Resolve attacker minted 50 million USR using 100,000 USDC, then converted 35 million USR into wstUSR, and continuously exchanged wstUSR for USDC and USDT. Currently, the attacker has used the obtained USDT to purchase approximately 4.55 million USD worth of ETH.

According to market news, a hacker group in China has experienced internal strife due to disputes over the distribution of stolen goods. Members publicly revealed that they had stolen approximately $7 million in cryptocurrency assets through supply chain attacks, targeting platforms such as the cryptocurrency wallet Trust Wallet.According to the leaked information, the group operated under the name of the cybersecurity company Wuhan Anshun Technology, publicly engaging in activities such as vulnerability discovery, network offense and defense, and security services, while internally actually involved in activities related to the theft of cryptocurrency assets and other gray market operations. Team members claimed they obtained mnemonic phrases in bulk and scanned multi-chain assets, including Ethereum, BNB Chain, Arbitrum, etc., through supply chain vulnerabilities in the Electron client, plugin reverse engineering, and automation tools.The whistleblower stated that the team had developed automated tools to scan mnemonic phrase assets in bulk and used remote control programs to steal wallet data, subsequently transferring and splitting the funds. The related attacks reportedly involved 37 types of tokens across multiple blockchain networks. The trigger for the exposure of this incident was an internal dispute over the distribution of stolen goods.The whistleblower claimed to have had conflicts with the team leader over unfair profit distribution and publicly presented relevant evidence after the promised severance compensation was not fulfilled, planning to turn themselves in to law enforcement. Currently, the related accusations have not been officially confirmed, and the details of the incident are still under further investigation. Industry insiders pointed out that this incident once again highlights the security risks of cryptocurrency wallet supply chains and plugins, as well as the trend of targeted attacks against high-value users.

According to The Block, the Gwangju District Prosecutor's Office in South Korea sold 320.8 bitcoins, with the proceeds of 31.6 billion won (approximately 21.5 million USD) submitted to the national treasury.This batch of bitcoins was originally confiscated after a crackdown on an illegal gambling platform, but was stolen due to a phishing attack on officials, until the hacker voluntarily returned it in February of this year. The prosecution then sold it in batches over 11 days (from February 24 to March 6). The hacker is still at large, and the investigation is ongoing.

According to Cointelegraph, the decentralized anonymous lottery protocol Foom Cash lost approximately $2.26 million in funds due to a security vulnerability exploit, but white hat hackers intervened in time to help recover $1.84 million (about 81% of the stolen funds).This security incident stemmed from a critical error during the deployment of Foom Cash, specifically involving a Groth16 verifier configuration issue that allowed attackers to submit forged proofs to the protocol.A white hat hacker known as Duha identified the vulnerability and quickly protected the funds on the Base chain, while the security company Decurity was responsible for the rescue of funds on Ethereum. In return, Foom Cash paid the white hat hacker a bounty of $320,000 and paid Decurity a security fee of $100,000.

The former CEO of the collapsed exchange Mt. Gox, Mark Karpelès, recently proposed a Bitcoin hard fork plan, suggesting to modify the consensus rules to recover approximately 79,956 BTC stolen in the 2011 hacking incident, which is valued at about 5.2 billion dollars at current prices.The proposal targets a wallet address associated with the 2011 Mt. Gox system breach, which received nearly 80,000 bitcoins after the hack and has remained unused for over 15 years. Currently, under existing Bitcoin rules, these funds can only be transferred if the corresponding private key is held. According to the proposal, the new rules would allow the unspent outputs in that address to be controlled through signatures from the Mt. Gox recovery address, thereby incorporating the funds into the existing judicial oversight compensation process for repaying Mt. Gox creditors.Karpelès stated that the plan is merely a starting point for discussion, intending to limit the rule modification to a single address and activate it at a specific block height in the future. However, the proposal also acknowledges that this plan requires coordinated upgrades across the entire network, and if some community members refuse to support it, it could lead to the risk of a blockchain split. It is important to note that these approximately 80,000 BTC are currently not part of the assets allocated to Mt. Gox creditors and are not under the control of the bankruptcy trustee.