atta

The lending protocol Purrlend was attacked on the MegaETH and HyperEVM networks, resulting in a loss of approximately $1.52 million.The attacker extracted approximately $1.2 million in assets from the HyperEVM network, including 449,683 USDC, 214,125 USDT, 194,745 USDH, as well as some UBTC, wstHYPE, UETH, kHYPE, and WHYPE. The attacker also extracted approximately $324,000 in assets from the MegaETH network, including USDT, WETH, and USDm. Currently, Purrlend has suspended the protocol and launched an investigation, and the attacker's address has been identified on the block explorers of both networks.

According to on-chain analysts, the Balancer attacker-associated address transferred 5,609 ETH to THORChain in the past, worth 13 million dollars.In November 2025, Balancer was stolen over 116 million dollars, with the same suspects as the Aave attack incident, both pointing to the North Korean hacker organization Lazarus Group, and both have recently been frequently using Tornado Cash for money laundering.

Arkham posted on the X platform that Avi Eisenberg, the attacker who profited approximately $110 million in 2022 by manipulating the price oracle of Mango Markets, has recently signed a transaction with his on-chain address, drawing widespread attention from the community.Avi Eisenberg previously exploited a vulnerability in Mango Finance to conduct "high-profit trades," and later threatened to attack Aave. He was also liquidated on Curve while attempting to liquidate others' positions, and was arrested and imprisoned after the incident. Now, his address has reappeared with on-chain activity, leading the market to speculate whether he has returned to the crypto market, although no further details have been disclosed yet.

According to Onchain Lens monitoring, the Balancer attacker (0xa6d6...BDaA) has exchanged 13,191 ETH for 386.52 BTC in the past 15 hours, worth 30.54 million dollars. The attacker currently still holds 8,000 ETH, worth 18.52 million dollars.

According to a research report by cybersecurity company Expel, it is tracking a highly assessed APT organization supported by North Korea (DPRK) called "HexagonalRodent," which primarily targets Web3 developers and specializes in stealing high-value digital assets such as cryptocurrencies and NFTs.The organization mainly conducts attacks by forging job postings—posting high-paying positions on LinkedIn and Web3 recruitment platforms to lure job seekers into completing "skills tests" embedded with malicious code, using the tasks.json feature of VSCode to automatically execute malicious programs when victims open project folders. The malware used includes BeaverTail, OtterCookie, and InvisibleFerret, which have capabilities for password theft, remote control, and reverse shell.It is noteworthy that the organization heavily utilizes generative AI tools such as ChatGPT and Cursor to develop malware, build fake company websites, and create AI-generated executive teams, even registering shell companies in Mexico to enhance the credibility of their attacks

The Chief Information Security Officer of Slow Fog, 23pds, tweeted that HexagonalRodent, a subsidiary of the Lazarus Group, is targeting Web3 developers through social engineering tactics such as "high-paying remote positions" and "recruitment for well-known projects" to induce the execution of malicious code, ultimately stealing users' cryptocurrency assets.On March 9, 2026, a user with the same name as a fast-draft extension developer was infected with the OtterCookie malware, which was used to distribute malicious programs. Attackers extensively used ChatGPT and Cursor to assist in executing the attacks, further enhancing the disguise and deception.

SlowMist CISO 23pds disclosed that the password management tool Bitwarden CLI version 2026.4.0 suffered a Checkmarx supply chain attack between 17:57 and 19:30 Eastern Time. The attacker briefly distributed a malicious package via npm by abusing the GitHub Action in the Bitwarden CI/CD pipeline.The official confirmation states that Vault data was not leaked, and production systems were not affected; only users who installed this version via npm during that time window were impacted. The official recommendation for affected users is to immediately uninstall 2026.4.0, clean the npm cache, rotate sensitive credentials such as API Tokens and SSH Keys, investigate any abnormal activities on GitHub and CI, and upgrade to the fixed version 2026.4.1.

According to Onchain Lens monitoring, the Balancer attacker, who has been silent for 5 months, has transferred 100 ETH (approximately $233,000) to a new address and has begun transferring ETH through Tornado Cash. Currently, the attacker still holds 21,900 ETH, worth approximately $51.13 million.

According to CertiK senior blockchain investigator Natalie Newson, real-time deepfakes, phishing, supply chain attacks, and cross-chain vulnerabilities will be the main sources of crypto hacking attacks.To date, the industry has lost over $600 million due to hacking attacks, including the $293 million vulnerability incident at Kelp DAO and the $280 million theft incident at Drift Protocol, both of which are related to North Korean hacker groups. Newson warned that the accelerated development of AI will make attack methods more complex, including more realistic deepfakes, autonomous attack agents, and "agent AI" that can automatically scan for vulnerabilities in smart contracts, but AI can also serve as a defense tool. CertiK advises investors to verify the authenticity of URLs and use cold wallets to store assets to reduce risk.

Vercel's CEO Guillermo Rauch tweeted that the team has completed an in-depth security investigation, analyzing nearly 1 PB of complete Vercel network and API logs, far exceeding the initial Context.ai account breach incident.The investigation revealed that the attackers' activities extended beyond Context.ai and have distributed malware on a broader scale, targeting account keys from platforms like Vercel. Once the keys are obtained, the attackers quickly and comprehensively enumerate non-sensitive environment variables. Current measures include deepening collaboration with industry partners such as Microsoft, AWS, and Wiz to jointly protect the broader internet ecosystem; other suspected victims have been notified and advised to immediately rotate credentials and strengthen security best practices.

According to CoinDesk, monitoring by CertiK reveals that the Lazarus Group is conducting an attack operation named Mach-O Man targeting executives in the fintech and cryptocurrency industries. This operation utilizes ClickFix social engineering techniques, sending fake online meeting invitations to lure victims into pasting repair commands on their Mac terminals, thereby gaining access to company and financial systems.CertiK researcher Natalie Newson stated that the Lazarus Group has stolen over $500 million through attacks on Drift and KelpDAO in the past two weeks. Mach-O Man is a modular macOS malware toolkit developed by the Chollima division of the Lazarus Group, capable of automatically deleting itself after use to evade detection.Additionally, attackers have implemented this attack by hijacking DeFi project domain names and replacing them with fake Cloudflare messages.

According to monitoring by Shield, the KelpDAO attackers have begun to transfer the stolen assets: they transferred some of the stolen ETH from the Ethereum mainnet across to Arbitrum via the Across Protocol, then exchanged it for USDT, and routed it to the TRON DAO ecosystem through LayerZero.This path shows that the attackers are diversifying and laundering funds through multi-chain bridges and stablecoin conversion methods, and the subsequent flow of funds still needs to be continuously tracked.

The privacy protocol Umbra has shut down its hosted frontend website to prevent attackers from using the protocol to transfer stolen funds from recent security incidents.Umbra stated that approximately $800,000 had been transferred through its protocol, but the protocol is only used to hide the identity of the recipient, and the related transactions can still be tracked on-chain. This measure comes after the Kelp protocol was attacked, resulting in losses exceeding $280 million. Umbra stated that it will restore frontend services once it is confirmed that asset recovery efforts are not affected, but it cannot prevent users from continuing to use the protocol through smart contracts or self-hosted frontends.

According to Cointelegraph, Admiral Samuel Paparo of the U.S. Navy stated at a Senate Armed Services Committee hearing that Bitcoin is a "valuable computer science tool," and its proof-of-work technology has significant applications in cybersecurity, increasing the cost of attacks for adversaries and can be used to protect data, information, and command signals, helping to support U.S. national security interests.Paparo noted, "Beyond the economic aspect, it has very important computer science application value in cybersecurity." Previously, Jason Lowery, a member of the U.S. Space Force, also made similar points in 2023.

According to on-chain analyst Ai Yi's monitoring, the Venus attacker transferred 2,301 ETH (approximately 5.32 million USD) to address 0xa21...23A7f, and then gradually transferred it into Tornado Cash for laundering. Currently, there is still 17.45 million USD worth of ETH on-chain.

Bybit's Security Operations Center has discovered a multi-stage malware attack targeting macOS users of the search AI development tool Claude Code.Attackers used search engine optimization poisoning to push malicious domains to the top of Google search results, luring users into a counterfeit installation page, thereby stealing browser credentials, macOS keychain, Telegram sessions, VPN configurations, and cryptocurrency wallet information. Bybit stated that the malware can also establish persistent access through backdoor programs and attempts to target over 250 browser wallet extensions and multiple desktop wallet applications. This malicious infrastructure was identified on March 12, and relevant analysis, mitigation, and detection measures were completed on the same day.

According to on-chain analyst Ai Yi (@ai_9684xtpa), the Kelp DAO attacker transferred 50,700 ETH to 2 new addresses, worth $118 million.

On-chain investigator ZachXBT updated that the funds related to the KelpDAO attack have begun to be transferred, with approximately $1.5 million being cross-chain transferred from the Ethereum mainnet to the Bitcoin network via Thorchain, and another approximately $78,000 being transferred through Umbra.The initial source of funds for the related attack addresses came from Tornado Cash, and the money laundering and cross-chain transfers are still ongoing.

According to monitoring by PeckShield, the KelpDAO attackers have transferred 75,700 ETH to 2 new addresses.

According to monitoring by PeckShield, the Kelp DAO attackers transferred 30,765 ETH (approximately 7.09 million USD) to a special address starting with 0x00000, suspected to be for destruction.