hackers

According to on-chain analyst Yu Jin's monitoring, the KelpDAO hacker exchanged all 75,700 ETH for BTC through THORChain yesterday. The hacker who stole $98 million in assets from Balancer last November also exchanged ETH for BTC through THORChain today.Today, the Balancer hacker has already exchanged 7,000 ETH for 204.7 BTC ($15.88 million) and is still continuing. Currently, the Balancer hacker holds 15,000 ETH ($34.65 million) on the ETH chain and 204.7 BTC ($15.88 million) on the BTC chain.

According to official news, KelpDAO stated that over the past few days, the team has been continuously advancing the handling of related events with the support of partners, allies, and the community. Discussions are progressing in a positive direction, and efforts are being accelerated to reach a suitable solution. The project party emphasized that it always adheres to the core principle of "user first," and subsequent measures will be gradually implemented with the aim of safeguarding the overall interests of users.In the past four days, the Kelp team has been working around the clock in collaboration with multiple parties, maintaining close communication with all relevant parties, and making substantial progress on several potential solutions. This includes measures taken by the Arbitrum Security Council to freeze the stolen funds, as well as SEAL 911 participating in the preliminary investigation to provide objective and clear analytical support for the incident.Kelp stated that the current focus of work remains on protecting user asset security and strengthening the protocol itself. This incident is not only of critical significance to the project but also has enlightening value for the entire industry. The team will continue to disclose subsequent progress through official channels and thanks the ecological partners and community for their ongoing support.Previous reports indicated that the KelpDAO hacker has essentially laundered $175 million in ETH into BTC.

The Ethereum Foundation recently released a summary report on the ETH Rangers security project, revealing that during a 6-month security funding program, researchers identified approximately 100 suspected state-sponsored cyber operatives, including infiltrators from North Korea, who have been active in multiple Web3 projects.The report indicates that relevant investigations were advanced through projects like the "Ketman Project," where researchers issued warnings to about 53 blockchain projects, revealing that these individuals infiltrated development teams under false identities and participated in fund flows and technical positions. Meanwhile, some related funds have been frozen, amounting to hundreds of thousands of dollars. The security team also incorporated relevant intelligence into the threat analysis system for the Lazarus Group and disclosed it at security conferences such as DEF CON, showing that state-level cyber attacks are continuously infiltrating the infrastructure of the cryptocurrency industry.In terms of overall results, the program has frozen or recovered over $5.8 million in funds, reported or documented over 785 vulnerabilities, and handled 36 security incidents, indicating that the security threats currently faced by the Ethereum ecosystem have escalated from simple vulnerability attacks to systemic risks involving state-level actors. Additionally, the report points out that North Korean hackers have also infiltrated projects through methods such as "remote IT workers," involving various attack paths such as account takeovers, freelancing platform infiltrations, and fund transfers, making them a key target for industry prevention.The Ethereum Foundation emphasizes that the security of decentralized networks requires "decentralized defense" and will continue to support security research, threat intelligence, and talent development to address the escalating state-level cyber threats.

In response to the recent attack on the "ListaDAOLiquidStakingVault" contract, ListaDAO officially released a statement clarifying that the attacked contract was not deployed by the official team, but rather was a counterfeit contract created by an unverified third party using a similar name. All official contracts of ListaDAO were not affected by this incident.According to an in-depth analysis by the GoPlus security team, the attack occurred on April 16, 2026, and the root cause was a business logic flaw in the third-party contract. When a token transfer was made, it triggered the Dividend.setShares() function and altered the share accounting within the contract, which in turn affected the reward calculation in the claimReward() function. The attacker exploited this vulnerability to deplete the assets within the contract.GoPlus reminds that since this logical flaw exists in both segments of the contract code mentioned above, any development projects that fork or reuse this code face a high risk of being exploited. It is recommended that relevant developers promptly conduct code inspections and fixes, and implement continuous auditing mechanisms to ensure the security of smart contracts.

Bitcoin core developer Jameson Lopp stated that, compared to the potential quantum computing attacks that may arise in the future, he prefers to "freeze" about 5.6 million long-dormant BTC from the network rather than let them be acquired by attackers. These Bitcoins have not moved for over 10 years and may be permanently lost, valued at approximately $42 billion at current prices. If future breakthroughs in quantum computing lead to the decryption of old address private keys, this portion of assets could be re-transferred, triggering severe market fluctuations or even a crisis of confidence.Although the community recently proposed BIP-361, the proposal is still in its early stages and is not an officially promoted plan, but rather more like a contingency plan to address "extreme risks."

The security research organization Elastic Security Labs has disclosed a new social engineering attack targeting personnel in the finance and cryptocurrency industries. The attackers impersonate venture capital firms on LinkedIn and Telegram, tricking targets into opening an Obsidian note repository that contains a built-in malicious payload, thereby deploying a previously unrecorded Windows remote access Trojan called PHANTOMPULSE.This attack does not exploit any software vulnerabilities but instead abuses the Shell Commands plugin of Obsidian to automatically execute malicious code when the note repository is opened. On the macOS side, it uses an obfuscated AppleScript launcher in conjunction with a Telegram channel as a backup command and control server, while on the Windows side, it leverages Ethereum transaction data to achieve blockchain-based C2 address resolution.

The crypto wallet Zerion disclosed that North Korean hackers are using AI for long-term social engineering attacks, stealing approximately $100,000 from the company's hot wallet.Zerion confirmed that user funds, applications, and infrastructure were not affected, and has proactively disabled the web application as a precaution. Zerion also stated that the attackers obtained some session and credential information from team members who were logged in, as well as the private keys of the company's hot wallet, and pointed out that AI is changing the way cyber threats operate.

According to market news, a report released by the blockchain security company Hacken shows that Web3 projects lost a total of $464.5 million this quarter due to hacker attacks and scams, with phishing and social engineering attacks accounting for $306 million, becoming the main source of losses.A hardware wallet scam that occurred in January caused a loss of $282 million, accounting for 81% of the total quarterly losses. Smart contract vulnerabilities led to losses of $86.2 million, while access control failures (including breaches of keys and cloud services) caused losses of $71.9 million. The report points out that the largest security incidents often occur in off-chain operations and infrastructure layers, which traditional audits find difficult to cover. The European regulatory frameworks MiCA and DORA are increasing requirements for security monitoring and incident response, and global regulatory agencies are also raising standards for real-time monitoring and emergency response.

According to on-chain analyst Yu Jin's monitoring, about 1 hour ago, Resolv Labs destroyed 36.73 million USR held by the hacker through a contract upgrade.The hacker minted 80 million USR through a minting vulnerability without collateral, of which approximately 34 million USR were sold off by the hacker for 11,409 ETH (24.48 million USD) stored at the address 0x8ED...81C. Additionally, about 46 million USR were destroyed from the hacker's address by the Resolv project team through a contract upgrade. The actual loss from this vulnerability exploitation incident for Resolv is 34 million USD.

According to data from DefiLlama, in the first quarter of 2026, hackers stole over $168.6 million in crypto assets from 34 decentralized finance (DeFi) protocols, a significant decrease from $1.58 billion during the same period in 2025, when the high losses were mainly due to the $1.4 billion theft incident from Bybit.The largest single attack this quarter was the private key leak incident at Step Finance in January, resulting in a loss of approximately $40 million; followed by the attack on Truebit due to a smart contract vulnerability on January 8, resulting in a loss of $26.4 million in Ethereum; and third was the private key theft incident at stablecoin issuer Resolv Labs on March 21.

According to monitoring by @ai_9684xtpa, the Drift hacker has exchanged 2.45 million USDC for 1,195 ETH in the past 5 minutes. Currently, four addresses have accumulated a total of 130,293 ETH, worth approximately 266 million dollars.

The attacker stole the npm access token of the chief maintainer of Axios, the most popular HTTP client library for JavaScript, and used that token to publish two malicious versions containing cross-platform remote access trojans (RATs) (axios@1.14.1 and axios@0.3.4), targeting macOS, Windows, and Linux systems. The malicious packages were removed from the npm registry about 3 hours after being published.According to data from security company Wiz, Axios is downloaded over 100 million times weekly and exists in about 80% of cloud and code environments. Security company Huntress detected the first infections just 89 seconds after the malicious packages went live and confirmed that at least 135 systems were compromised during the exposure window. Notably, the Axios project had previously deployed modern security measures such as OIDC trusted publishing mechanisms and SLSA provenance proofs, but the attacker completely bypassed these defenses. Investigations revealed that while configuring OIDC, the project retained the traditional long-lived NPM_TOKEN, and npm defaults to using the traditional token when both coexist, allowing the attacker to publish without breaching OIDC.

On March 28, the cybersecurity platform VECERT disclosed that hackers, under the name PexRat, are selling a database containing personal information of 1.5 million Binance users on the dark web. The content includes sensitive information such as names, emails, phone numbers, KYC verification status, login IP addresses, and two-factor authentication methods.Analysis indicates that this incident was not a direct intrusion into Binance's internal servers, but rather that the attackers bypassed the CAPTCHA mechanism and obtained data through credential stuffing and automated scraping methods. Affected users face a high risk of SIM card hijacking and phishing attacks. At the time of this incident, Binance's institutional OTC trading business is experiencing rapid growth, with trading volume reaching 25% of the total for the entire year of 2025 in just January and February of this year. This is another data security crisis for Binance following the leak of 420,000 sets of account credentials in January.

According to Reuters: Hackers linked to Iran claim to have hacked the email of the FBI director.

Hackers have launched Android malware attacks in Brazil by spoofing a phishing page that mimics the Google Play Store. Currently, all known victims are located in Brazil.The attackers set up a phishing website that closely resembles Google Play, enticing users to download a fake application called "INSS Reembolso." Once installed, the application releases hidden malicious code in stages and loads it directly into memory, leaving no visible files on the device, which makes it highly stealthy. One of the core functions of the malware is cryptocurrency mining, with an embedded XMRig mining program compiled for ARM devices that silently connects to the attacker's controlled mining server in the background. The program monitors battery level, temperature, and device usage status, dynamically adjusting mining behavior to evade detection, and bypasses Android's background process management mechanism by looping silent audio files.Some variants also include banking trojans that can overlay fake pages on the USDT transfer interface of Binance and Trust Wallet, silently replacing the recipient address. Additionally, the malware supports various remote control commands such as recording, screenshotting, keylogging, and remote locking of the device.

Bitcoin payment service provider Bitrefill disclosed on platform X that it suffered a cyberattack on March 1, 2026, resulting in a customer data breach. The attack originated from a compromised employee's laptop and allowed the attackers to access certain databases and cryptocurrency wallets.Investigations revealed that the attack method was highly similar to past attacks on cryptocurrency companies by the North Korean DPRK Lazarus/Bluenoroff hacker group. Approximately 18,500 purchase records involved limited customer information (email, cryptocurrency payment addresses, and IP metadata), with about 1,000 records having customer name information stored in an encrypted format, but potentially accessible. Bitrefill stated that customers do not need to take special actions but are advised to be vigilant for unusual information.Bitrefill further added that it has currently shut down related systems for isolation and is collaborating with security experts, on-chain analysts, and law enforcement. Operations have nearly returned to normal. The company emphasized that it is long-term profitable and financially robust enough to absorb this loss and will continue to strengthen cybersecurity measures, including internal access controls, monitoring, and emergency response mechanisms.

Slow Fog's Yu Xian posted on platform X: "A group hacking incident is occurring, hacker address: 0x913efc2062984288a0a083cd42b3a3422c07fcef, the hacker has currently profited $85,000, and this amount is still increasing. According to community feedback, this group mainly consists of yield farmers, and private keys/mnemonic phrases have been collected in advance by the hacker. The hacker is consolidating related funds. If you are using the MoreLogin fingerprint browser, please be cautious, but there is currently no evidence that MoreLogin or related plugins are the issue."