tac

The DeFi protocol Radiant announced that after experiencing a hacker attack in October 2024, and after 18 months of continuous efforts, the DAO no longer has a viable path to continue operations and will gradually enter the "sunsetting" phase.Currently, the project has no progress in recovering funds, no new capital injection, and lacks the funds and development space to maintain normal operations, thus it cannot continue responsible long-term operations.

The blockchain security agency PeckShield has issued an alert stating that Gnosis Pay is currently undergoing a security attack. Meanwhile, Gnosis co-founder Martin Köppelmann has publicly urged users to immediately withdraw their GNO and EURe assets to mitigate potential risks.Market analysis indicates that Gnosis Pay, as an important infrastructure connecting payment scenarios with on-chain assets, may face short-term selling pressure on Gnosis GNO and the euro stablecoin EURe if it is confirmed that funds have been stolen or protocol vulnerabilities exploited, further affecting market sentiment for Gnosis ecosystem-related projects.Currently, the official has not disclosed the scale of the attack, the amount of losses, or specific technical details, and the situation is still developing. Users holding related assets or using Gnosis Pay services should closely monitor official follow-up announcements and assess their risk exposure in a timely manner.

According to TenArmorAlert monitoring, the AROS token on the BSC chain was attacked, resulting in a loss of approximately $295,300.

According to Cointelegraph, CertiK data shows that losses from attacks on crypto platforms in May dropped to $68.3 million, a nearly 90% decrease from $650 million in April. May became the third month in 2026 with losses below $100 million. Of this, approximately $2.6 million came from phishing attacks, and about $9.4 million of stolen funds have been recovered or returned. The largest single loss in May came from the Verus Protocol cross-chain bridge attack, with $11.5 million stolen; THORChain ranked second, with $10.1 million stolen. Code vulnerabilities were the highest loss type, accounting for about $45 million, or 66%; wallet or private key leaks resulted in $13.7 million in losses. Cross-chain bridges were the primary target of attacks, with losses of $28.6 million, accounting for 42%. DeFiLlama data shows that there were a total of 29 incidents in May, of which 7 involved private key leaks.

The Cosmos ecosystem cross-chain bridge Gravity Bridge is suspected to have been attacked due to the leakage of its signing keys, resulting in approximately $5.4 million in assets being stolen. The official team has confirmed that a security incident has occurred and has urgently suspended bridge services for investigation, while also requesting validators to suspend the operation of validation nodes and coordinators. It is reported that its contract keys may have been compromised.

AML / KYT provider Shard disclosed that the number of cyber attacks in the cryptocurrency industry doubled year-on-year in the first quarter of 2026, exceeding 80 incidents, but total losses decreased by 69% year-on-year to $496 million, compared to $1.6 billion in the same period last year. Shard stated that the losses in the same period of 2025 were mainly impacted by a significant theft incident of approximately $1.4 billion involving Bybit; while the attacks in 2026 were more dispersed, targeting DeFi protocols, infrastructure services, and individual users.Looking at the months, there were a total of 29 attacks in January, with losses exceeding $392 million; 26 attacks in February, with losses exceeding $22 million; and 27 attacks in March, with losses exceeding $81 million.

Regarding the attack on the Kelp rsETH LayerZero V2 bridge that occurred on April 18, Aave released a post-incident investigation on the X platform, emphasizing that the exposure was primarily due to third-party bridge infrastructure rather than the protocol itself. The attacker executed an RPC poisoning attack targeting a single validator of LayerZero, forging a cross-chain message. This led to the release of 116,500 rsETH on the Ethereum side without actual destruction on Unichain. The attacker subsequently deposited the stolen rsETH into Aave V3 (Ethereum Core and Arbitrum), borrowing approximately 82,650 WETH and 821 wstETH.The Aave Protocol Guardian and Risk Steward immediately implemented protective measures for the rsETH and WETH reserves. Currently, the WETH and rsETH markets in the affected V3 deployments are operating normally. The rsETH held by the attacker on Arbitrum has been destroyed, the LayerZero OFT adapter has been fully recharged in five batches, rsETH support has been fully restored, and Kelp has reopened the withdrawal, bridging, and claims functions for rsETH. The WETH LTV in the affected markets has been reset to pre-attack values, and Aave V3 is fully operational across all markets except for rsETH.The Arbitrum DAO has voted to authorize the transfer of frozen ETH to Aave LLC, and it is currently awaiting on-chain execution. The court is still reviewing the substantive content of the injunction, and Aave LLC will continue to comply with the injunction during the court's deliberation. Ongoing projects include: the Aave risk framework from Llama Risk, the bridging assessment framework, the release of evaluation reports for currently live assets, on-chain execution of Arbitrum DAO votes, and the court's review of the injunction.

Blockaid disclosed on platform X that the Alephium TokenBridge Ethereum cross-chain bridge was attacked. The attacker controlled 3 out of 4 Guardian keys to forge a VAA (Verification Authorization Message) and completed the attack in about 7 minutes, stealing approximately $815,000 in assets.During the attack, the attacker minted 13.76 million Wrapped ALPH out of thin air, exceeding the circulating supply before the attack by over 100%, while also unlocking and transferring assets such as USDT, USDC, WBTC, and WETH from the custody pool.Currently, the attacker's address still holds approximately $815,000 in stolen assets and 13.76 million uncollateralized Wrapped ALPH, with the largest abnormal transaction being the minting of 13.76 million Wrapped ALPH out of thin air.

On-chain monitoring shows that the cross-chain bridge Gravity Bridge may have encountered a security incident due to a contract key leak, involving assets such as USDC, WETH, and USDT, with total losses of approximately 5.4 million dollars.

Superfortune, incubated by Manta, recently released an update on the X platform regarding a security incident, stating that the attack was not carried out by internal personnel and that no team members were involved. The claim about the team secretly selling tokens is incorrect. The team has also not had any contact with Web3Port.The investigation confirmed that the attack was not due to address poisoning, but rather a leak of the signer's private key. The attacker independently held the private key and submitted a transaction with a forged address 43 minutes after the correct transaction. The forged address shares the first and last four characters with the correct address (starting with 0x70AE and ending with 5C15) to disguise itself in the Safe interface preview. The stolen funds are fully traceable and are currently stored in three cold wallets on Ethereum, containing approximately 2784 ETH, along with about 170,000 USDT that were cross-chain transferred out.The attacker also created a large number of counterfeit addresses and sent false transfer events to these addresses using Unicode-forged token symbols in an attempt to confuse tracking. This counterfeit address construction technique is the same as the method used when attacking this project. The attacker had pre-built a large-scale infrastructure, indicating that this was an industrialized operation rather than an opportunistic attack.

According to a video shared by DEGEN NEWS, Nic Carter, a partner at Castle Island Ventures, stated that Solana needs a complete rebuild to defend against quantum attacks. He pointed out, "This will be tricky for Solana because they have highly optimized around a certain variant of elliptic curve and have also made targeted optimizations at the hardware level.The entire core idea of Solana is high throughput. Ultimately, they may adopt lattice-based cryptography, but the speed will slow down, and the throughput may decrease, which is precisely what Solana is all about."

According to on-chain data, the private key of the StakeDAO deployer was leaked on Arbitrum, and the attacker minted approximately 54.5 trillion vsdCRV, partially exchanging it for 43.7 ETH.

The cross-chain liquidity aggregation protocol LI.FI announced the launch of LI.FI Intents, a modular full-stack execution engine that competes for order execution through a network of specialized solvers, built on the reference contract of the Open Intents Framework.The Open Intents Framework is a public goods initiative led by the Ethereum Foundation, with contributions from over 30 teams including LI.FI, OpenZeppelin, Wonderland, Uniswap Labs, Hyperlane, and others. LI.FI Intents is a large-scale implementation of OIF in a production environment, providing stablecoin payments, access to real-world assets, and compliant on-chain liquidity for enterprises.LI.FI stated that historically, the intent stack has been too rigid, forcing all applications to adopt a single execution model. Teams had to build from scratch to solve multiple issues such as order expression, solver networks, cross-chain settlement, and fill validation. OIF empowers teams with the freedom to choose and customize through modular components, reducing the time to build intent applications from months to days.The Ethereum Foundation commented, "The Open Intents Framework is designed as a shared infrastructure for intents, a modular and open framework for the ecosystem to collaboratively build intent applications. This framework takes the next step: achieving large-scale adoption."

According to The Block, since the KelpDAO cross-chain bridge attack in mid-April, the total value locked (TVL) in DeFi has decreased by about 14%, from approximately $172 billion to $148 billion. The attackers exploited vulnerabilities in off-chain infrastructure rather than smart contract vulnerabilities, stealing about $292 million and exposing new infrastructure risks.The outflow of funds has continued for more than five weeks, indicating that investors are broadly withdrawing marginal capital rather than just targeting specific protocols that were attacked. Lending, as the largest DeFi category, saw its locked amount decrease from about $53 billion to $40 billion, marking the largest decline. Liquidity re-staking protocols also experienced significant drops. The KelpDAO attack indicates that as the security of smart contracts improves, off-chain infrastructure is becoming a more easily exploitable attack surface.

According to official news, the Resolv Foundation has released a complete recovery framework following the protocol security incident. Previously, on March 22, 2026, the protocol was attacked due to a security vulnerability, resulting in the illegal minting of USR tokens entering the market. The protocol subsequently suspended operations and entered recovery mode. Resolv stated that USR was designed as a "premium layer" stable asset backed by collateral, while RLP served as an "insurance layer" to absorb losses. According to the recovery plan, USR/wstUSR held before the attack will be exchanged for USDC at a 1:1 ratio, while USR purchased after the attack will be processed at a 1:0.5 USDC ratio; RLP holders will recover approximately 60%+, with part of the compensation distributed in the form of RESOLV tokens. The official compensation application window is open for three months.At the same time, Resolv announced the launch of a new business line called "Vault Street," managed by the Resolv Foundation, focusing on the distribution and structured yield products of tokenized real-world assets (RWA). The first product, primeUSD, has entered the private testing phase, open to professional institutional investors, allowing users to participate in leveraged U.S. Treasury yield strategies through stablecoins. Resolv stated that this product combines structured financing experience from traditional finance with on-chain DeFi infrastructure, aiming to build an institutional-level RWA yield distribution platform. In addition, the functionality of the RESOLV token remains unchanged, with staking and unstaking functions restored, and reward distribution resumed on May 26. Resolv emphasized that it will continue to promote the expansion of Vault Street products, upgrade security architecture, and build on-chain infrastructure for institutional-level assets, stating that "the phase from protocol launch to security incident has ended, and Vault Street will open a new chapter for Resolv."

According to CoinDesk, European stablecoin issuer StablR has suspended the minting and redemption of USDR and EURR due to a hacker attack, and has requested exchanges to stop trading and deposits/withdrawals of the two currencies. The attacker exploited a vulnerability in its Ethereum 1-of-3 multi-signature wallet with a low threshold, compromised a single private key, added themselves as an administrator, and removed the original signers, resulting in the over-issuance of approximately 8.35 million USDR and 4.5 million EURR, valued at approximately $13.5 million at the pegged price, with actual cashing out around $2.8 million.The incident led to both stablecoins being under-collateralized, no longer meeting the MiCA requirement of a 1:1 full reserve. USDR briefly depegged but recovered to about $0.994, while EURR fell to about $0.548. StablR stated that it has initiated an investigation and will report to the Maltese regulators and relevant authorities.

Kelp DAO announced on Monday that after losing $293 million due to an attack by North Korea's Lazarus Group on April 18, rsETH has been fully restored after five weeks of repairs. Kelp DAO stated that the final batch of 20,373.7 rsETH has been sent to the LayerZero smart contract responsible for cross-chain transfers, officially concluding the operational phase of the rsETH recovery plan.Multiple crypto protocols contributed funds through the DeFi United initiative to assist in restoring the support for rsETH. The first batch of 25,000 rsETH was transferred on May 13, and withdrawals were reopened the next day. Currently, minting, redemption, and reward operations are all functioning normally. This attack caused a chain reaction in the DeFi lending market, with the attacker borrowing WETH using a large amount of stolen rsETH as collateral on Aave, resulting in Aave incurring $190 million in bad debt. The TVL dropped from $26.4 billion to below $14 billion and has since remained in the range of $13.9 billion to $15.1 billion without showing signs of recovery. In April, there were 25 crypto hacking incidents, resulting in total losses of $630 million.

According to Cryptopolitan, cybersecurity analysts have discovered a new type of fileless remote access trojan (RAT) named RemotePE. It is believed that the cybercrime organization Lazarus Group, associated with North Korea, is using this trojan to attack banks and cryptocurrency companies. The trojan operates entirely in memory, making it difficult for traditional antivirus and forensic tools to detect. Attackers impersonate trading company employees via Telegram, using forged Calendly and Picktime links for social engineering attacks. The malware is loaded in a three-stage chain through DPAPILoader, RemotePELoader, and RemotePE, with the entire process avoiding contact with the file system, utilizing process hollowing, anti-analysis checks, and encrypted C2 communication to evade detection.This malware was first discovered in September 2025. In the first four months of 2026, the Lazarus organization has stolen approximately $577 million in cryptocurrency assets, accounting for 76% of the total global cryptocurrency theft. Since 2017, the organization has accumulated a total theft amount of $6 billion.

The cross-chain routing protocol Squid stated on platform X that the SquidRouterModule involved in the attack disclosed by Blockaid was neither developed, deployed, nor operated by Squid, but rather a third-party Gnosis Safe module that chose to integrate with protocols like Squid, with no prior connection between the two parties.Squid indicated that this third-party module has a vulnerability that accepts a fixed string provided by the caller as message security verification. The attacker exploited this string, which is publicly visible in the verified code of the contract, to execute arbitrary call data and steal funds. Squid's own routing contract (0xce16F) is architecturally completely different from this module and is unaffected; user funds, authorizations, and integrations are all secure.