On February 19, the office announced they had recovered the stolen assets and identified the thief.
South Korean prosecutors lose $22 million of seized crypto to the wallet inspector, later recover it
Staff members working for South Korean prosecutors, for some reason, decided to use a "wallet checking tool" during an August 2025 audit of seized crypto assets. The tool they selected turned out to be a phishing tool, and five wallets were drained of 320 BTC.
Moonwell lending protocol suffers $1.78 million loss after second oracle misconfiguration in four months
After an oracle misconfiguration, the Moonwell defi lending protocol accumulated $1.78 million in bad debt. When the protocol showed that cbETH was priced at just over a dollar, rather than its actual market price of around $2,200, bots and humans alike rushed to take advantage of the mispricing. The error cascaded into liquidations across the platform.
This is the second time Moonwell has suffered a loss thanks to an oracle misconfiguration. In November 2025, the platform was left with almost $3.7 million in bad debt after a different asset was mispriced.
Although the vulnerable pull requests were at least partially developed by an AI tool, the security auditor who initially attributed the vulnerability to Claude Opus 4.6 later softened his criticism, noting that even senior developers could have made the same mistake. He did, however, criticize the project for a lack of sufficiently rigorous testing that should have caught the issue.
BlockFills crypto lender halts withdrawals
The Chicago-based institutional crypto lending firm BlockFills has halted deposits and withdrawals, citing "recent market and financial conditions" and a desire to "further the protection of clients and the firm". They've also noted the need to "restore liquidity to the platform".
Platforms limiting or halting withdrawals — particularly lending platforms — is reminiscient of the 2022 crypto crash, when falling crypto prices exposed crypto firms that had been engaging in highly risky or sometimes illegal behavior. As crypto prices fell, firms were unable to meet their loan obligations or faced margin calls, and the tightly interconnected web of lending within the crypto ecosystem often meant that one company failure cascaded into multiple more. It remains to be seen whether this is an isolated incident or the beginning of a trend as crypto prices hit revisit price lows not seen in over a year.
BlockFills claims to have more than 2,000 institutional clients globally, and boasted of facilitating more than $61 billion in transactions in 2025. The company's backers include Susquehanna Capital and CME Ventures.
Bithumb accidentally gives away $44 billion to customers
The South Korean cryptocurrency exchange Bithumb disclosed that it had accidentally given its customers more than 620,000 BTC (~$44 billion) in a promotional event gone wrong. Intending to reward each customer with at least ₩2,000 (~$1.40), the exchange accidentally rewarded each customer at least 2,000 BTC (almost $140 million).
The exchange announced that they had recovered 99.7% of the erroneously awarded tokens, leaving around 1,860 BTC (~$130 million) unaccounted for.
The incident has drawn further scrutiny from Korean regulators, who said that the error "has exposed the vulnerabilities and risks of virtual assets." Regulatory agencies in the country had already been cracking down on crypto firms following a $30 million hack of the Upbit crypto exchange in November 2025.
Gemini crypto exchange fires 25% of staff, blames AI
Gemini, the cryptocurrency exchange founded and run by Cameron and Tyler Winklevoss, will lay off as many as 200 employees globally. The news came amid an announcement that the company would be withdrawing from the UK, EU, and Australia. "These foreign markets have proven hard to win in for various reasons," they said. They also announced that they would be "parting ways" with their CFO, CLO, and COO.
As many companies do these days, the Winklevosses tried to pin the layoffs on AI, claiming that the engineers using AI are ten times more productive. "A smaller organization, leveraging the right tools, isn't just more efficient, it's actually faster," they wrote — in a blog post that itself reeks of AI.
CrossCurve users exploited for around $3 million
Hackers exploited a bug in smart contracts deployed by the defi protocol CrossCurve to steal an estimated $3 million across multiple blockchains. The thief was able to spoof cross-chain messages, causing the CrossCurve bridge to release assets not belonging to them.
CrossCurve took a conciliatory tone in on-chain messages sent to the thief, writing, "These tokens were wrongfully taken from users due to a smart contract exploit. We do not believe this was intentional on your part, and there is no indication of malicious intent." (Who among us hasn't accidentally stolen millions of dollars?) However, they warned, they planned to escalate to working with law enforcement and blockchain security firms to investigate and prosecute the theft if the funds were not returned within 72 hours.
$29 million stolen from from Step Finance treasury wallets
The Solana-based defi portfolio tracker Step Finance lost 261,854 SOL (~$28.7 million) when a thief gained access to treasury and fee wallets. It's not yet clear how the attacker was able to steal the funds, although Step Finance posted to Twitter that the theft occurred via a "well known attack vector". Step wrote that they were working with cybersecurity firms and law enforcement to address the incident.
Aperture Finance users lose at least $3.4 million
An attacker exploited a bug in an Aperture Finance smart contract to steal at least $3.4 million from users who had enabled "instant liquidity management" features. Aperture Finance is a defi platform that aims to allow users to trade by telling large language models their "intents".
Aperture has said they disabled portions of their web app impacted by the bug, and are working to try to trace and recover stolen funds.
$13.43 million stolen from Matcha Meta users in SwapNet exploit
Some users of Matcha Meta, a decentralized exchange aggregator on the Base blockchain, suffered losses after a thief exploited a vulnerability in its SwapNet integration. SwapNet is another DEX aggregator that integrates with Matcha Meta, and Matcha blamed a vulnerability in their smart contracts that enabled a thief to steal assets transferred via the integration.
Most of the lost funds came from a single user, who lost $13.34 million in assets. Other users lost a combined $90,000.
- "SwapNet Incident Post Mortem", Matcha Meta
Thief of millions in seized U.S.-controlled crypto alleged to be government crypto contractor's son
Two crypto thieves decided to settle an argument over who was wealthier by screensharing as they transferred crypto between wallets to prove ownership. In doing so, one of them — known online as "Lick" — revealed a wallet address that crypto sleuth zachxbt quickly tied to the theft of around $40 million from US government wallets containing seized crypto assets, including a $20 million theft zachxbt reported in October 2024. Lick's wallets contained around $90 million in total, including the stolen government assets and those stolen from other victims.
zachxbt has alleged that "Lick" is a man named John Daghita. After reporting Daghita's identity, "Lick" appeared to try to scrub his Telegram account, then dusted zachxbt's public crypto wallet from one of the theft addresses.
Daghitia is reportedly the son of Dean Daghita, the owner of Command Services & Support (CMDSS). In October 2024, CMDSS landed a contract with the US Marshals to manage seized crypto assets, which is still active. After zachxbt linked the younger Daghita to his father and CMDSS, CMDSS also scrubbed its online presence. Around that time, Lick began trolling zachxbt again, and later sent 0.6767 ETH (~$1,900) of the stolen funds to zachxbt.
CMDSS' website boasts that they are "a proven provider of mission-critical services to the Department of Defense and Department of Justice".