The theft is only the latest in a string of attacks targeting vulnerable legacy smart contracts, many of which cannot be deleted, paused, or changed due to blockchains' immutable nature. Raydium and DxSale are two other platforms that have recently suffered losses due to old, insecure code.
Deprecated project Aztec Connect exploited for $2.1 million
Aztec Connect, an abandoned defi privacy bridge from Aztec Labs, was drained of $2.1 million after an attacker exploited a bug in the project's smart contracts. Although the project was deprecated three years ago, funds remained in the legacy system. "Aztec Labs holds no admin keys or control over the system; it cannot be paused or upgraded by us," the project posted on social media.
Raydium users lose $1.34 million after legacy smart contract exploited
An attacker exploited a legacy smart contract that had been used by the Raydium Solana DEX before it was deprecated in 2021. Though the contract was unused, there were still funds in the liquidity pools affected by the vulnerable contract. Using fake LP tokens, the exploiter was able to trick an old smart contract with insufficient validation into allowing them to withdraw assets.
Raydium has said it will compensate users who lost funds in the exploit.
Humanity Protocol loses $36 million to employee laptop compromise
Humanity Protocol, a decentralized identity project that uses palm scans to try to prove that users are human, has suffered a $36 million loss after attackers compromised a laptop belonging to an employee. After the laptop was infected with malware, the malicious code gained root access, then stole seven private keys that were reportedly accidentally stored in a backup. Several of the keys were sufficient to satisfy multisignature requirements, which are intended to prevent private key leaks from allowing attackers to gain control over sensitive infrastructure like bridges. With multisignature wallets, keys are supposed to be stored separately across multiple individuals and devices; however, in this case, attackers only needed to compromise one laptop to gain control over multisig-protected contracts.
With the keys, the attacker stole more than 6 million of Humanity's H token, then used other keys to upgrade a bridge and drain 141 million more tokens. With the bridge access, they also minted 300 million new H tokens. The attacker then quickly swapped the ill-gotten tokens for ETH, causing the H price to plummet by 80–90%.
Humanity Protocol markets itself as a competitor to Sam Altman's World (formerly Worldcoin), a decentralized identity project that aims to use iris scans to prove that users are unique humans. Humanity raised $20 million in 2025 from Pantera Capital and Jump Crypto.
DxSale exploited for $7.3 million
DxSale, a project that was popular in 2021 for launching new tokens and creating liquidity pools, suffered a $7.3 million exploit after ownership of a locker contract was transferred to a new address. Nine months later, the contract ownership was repeatedly moved between many new wallets — likely in an attempt to cover tracks — before $7.3 million was taken from old liquidity pools. The stolen assets were then swapped to BNB and routed through bridges and mixers to obscure the trail.
Largest North American bitcoin ATM operator, Bitcoin Depot, files for bankruptcy
Bitcoin Depot has filed for Chapter 11 bankruptcy. The company operates a fleet of kiosks at retail locations that allow customers to purchase bitcoin with cash. Bitcoin Depot announced in a press release that its 9,700 kiosks – primarily located at gas stations and convenience stores – had already been taken offline.
The company's bankruptcy filing reports between $10 million and $50 million in both assets and liabilities. In a recent financial disclosure, the company had reported a 49% year-over-year reduction in revenue and a net loss of $9.5 million for the year. The company had also suffered a $3.67 million hack in April.
Bitcoin Depot has blamed a challenging state-level regulatory environment for its bankruptcy, pointing to a series of regulatory restrictions and outright bans on crypto ATMs, which are a major conduit for crypto scams. An FBI report on Internet crime in 2024 showed 11,000 reports of fraud involving crypto ATMs – a 99% increase from the prior year. Almost $250 million was reported lost due to such scams, with a majority of it coming from victims over 60 years old. Several states have responded by introducing laws imposing strict compliance requirements or transaction limits on ATM operators, and Indiana and Tennessee have both recently banned the kiosks entirely. Additionally, the company is defending against lawsuits from both Massachusetts and Iowa, which argue that the company uses a misleading pricing structure, knowingly enables crypto scames, and maintains a predatory refund policy.
- "Bitcoin Depot Initiates Voluntary Chapter 11 Process to Facilitate an Orderly Wind-Down and Sale of the Company’s Assets", Bitcoin Depot press release [archive]
- Issue 92, Citation Needed [archive]
- Issue 105, Citation Needed [archive]
- Chapter 11 Voluntary Petition
Verus bridge hacked for $11.6 million
An attacker stole $11.6 million in various crypto assets from the Verus–Ethereum bridge, which allows users to use tokens from the Verus network on the Ethereum chain and vice versa. The attacker then swapped the tokens for ETH, limiting the ability for issuers of more centralized tokens to freeze the stolen assets.
Verus halted the entire Verus network after the exploit was detected in hopes of limiting further damage.
The exploiter later accepted a bounty offer by Verus, returning 4,052 ETH (~$8.5 million) while keeping the remaining ~25% as a "bounty".
THORchain exploited for $10.8 million
The THORchain cross-chain liquidity protocol was exploited for around $10.8 million across several blockchains: Bitcoin, Ethereum, BNB Chain, and Base. The protocol paused trading after observing the suspicious transactions. News of the hack caused the protocol's RUNE token to drop in price by more than 10%.
Transit Finance hacked for $1.88 million
Transit Finance was exploited for $1.88 million after an attacker exploited a "legacy contract" on the TRON blockchain that the project said was deprecated in 2022. "Historical vulnerabilities within it" were exploited, the project explained, allowing the attacker to steal $1.88 million.
Transit was previously exploited in 2022 for $21 million, although around 70% of the stolen assets were later returned.
TAC bridge exploited for $2.8 million
The TAC bridge, which bridges assets from the Ethereum blockchain to the Telegram-linked TON chain, was exploited for $2.8 million. The project paused the bridge and announced they were investigating.
The project has announced they intend to "restor[e] bridge liquidity through a legally structured sale of Foundation's TAC token treasury reserves."
TrustedVolumes suffers $6.7 million exploit
TrustedVolumes, a resolver and market maker used by 1inch and other defi platforms, suffered a $6.7 million exploit after an attacker was able to steal funds without proper validation. The thief then swapped the stolen wETH, USDT, wBTC, and USDC through ChangeNow and converted them to ETH to evade freezes.
Blockchain research firm Blockaid has linked the attacker to a similar exploit in March 2025 that saw $5 million drained from 1inch. This time, 1inch has asserted that although they use TrustedVolumes as a resolver, the exploit did not involve any of their systems.
Ekubo exploited for $1.4 million
The Ekubo automated market maker infrastructure project experienced a $1.4 million theft after attackers were able to take advantage of a smart contract that improperly verified permissions. They stole 17 wBTC ($1.4 million), which they swapped for ETH and laundered via Tornado Cash.
Wasabi Protocol exploited for more than $5 million
The Wasabi Protocol defi derivatives platform has been exploited for more than $5 million across multiple blockchains. The attack has been attributed by blockchain security firms to a compromised admin key, which allowed the attacker to upgrade contracts to steal assets.
Polish Zondacrypto exchange stops processing withdrawals amid possible insolvency
The Polish cryptocurrency exchange Zondacrypto faced complaints that withdrawals were not being processed as far back as December 2025, but the crisis seems to have escalated. CEO Przemysław Kral attempted to assuage insolvency fears by pointing to a cryptocurrency wallet containing around 4,500 BTC (~$330 million) as proof of assets, but he also admitted that the keys to the wallet were known only to the exchange's previous CEO and not transferred during the company's 2021 sale. The former CEO has been missing for four years.
Polish authorities have launched investigations into the apparent collapse. Losses have been estimated at 350 million zł (~$96 million).
Poland's Prime Minister Donald Tusk has also recently accused Zondacrypto of sponsoring conservative and right-wing politicians, including Polish President Karol Nawrocki. Nawrocki has repeatedly vetoed legislation aiming to regulate the crypto sector, describing it as overly burdensome to crypto businesses. Tusk has also alleged that Zondacrypto was funded by the Russian mafia and Russian intelligence services. These allegations are also being investigated by Polish authorities, and one report citing the country's Internal Security Agency claims that the Kremlin-linked Tambovskaya Bratva Russian mafia group took over the exchange as far back as 2018.
- "UOKiK zbada sprawę Zondacrypto. 'Znacznie poważniejsze nieprawidłowości'", Money.pl (in Polish) [archive]
- Polish leader Tusk claims Russia-linked crypto firm backed Nawrocki’s presidential bid", AP News [archive]
- "Powerful Russian mafia 'took control' of crisis-hit Polish firm Zondacrypto", TVP World [archive]
Volo Protocol exploited for $3.5 million, most recovered
The Sui-based Volo Protocol defi yield platform was exploited for around $3.5 million after an attacker targeted three vaults holding wBTC, XAUm (a tokenized gold asset), and the USDC stablecoin.
Volo says they have frozen or recovered all but around $60,000. They have also said they are "prepared to absorb this loss", rather than passing losses along to their users.
Aave faces approximately $200 million in bad debt after Kelp DAO bridge exploit
The Aave defi lending protocol is grappling with anywhere from $177 million to $236 million in bad debt after the Kelp DAO bridge exploiter used Aave to cash out their stolen rsETH. Rather than selling the tokens, the attacker used the rsETH as collateral to borrow wETH, leaving Aave stuck with the huge quantity of unbacked rsETH. Although Kelp and Aave both froze affected markets, the attacker had already cashed out. The attacker borrowed essentially all of the wETH available on the platform, leaving those who'd loaned those tokens unable to withdraw.
Aave maintains a $50 million insurance fund to absorb bad debt. However, this can't cover such a huge shortfall.
RaveDAO accused of pump-and-dump as token crashes 98%
Binance and BitGet have confirmed they are investigating allegations that RaveDAO orchestrate a pump-and-dump to push its RAVE token price from around $0.25 to more than $27 over the past few weeks, before the token price plummeted back down to $0.66. Concerns were first raised by blockchain investigator zachbxt, who called on the exchanges to investigate. He later wrote, "While it's good the exchanges responded, I find it unlikely this activity wasn't spotted internally before I raised it publicly."
RaveDAO describes itself as a "community-driven global rave powerhouse", and sells NFT tickets to rave events.
RaveDAO has denied any responsibility for the recent price movements, but did not address allegations of enormous token concentration with the project's team or large transfers to exchanges around the time of the price jump.
Kelp DAO bridge hacked for $292 million
An attacker stole 116,500 rsETH (restaked ether) from a blockchain bridge run by Kelp DAO. Based on prices at the time of the theft, the stolen tokens would be worth around $292 million — however, the attacker is likely to face challenges selling a quantity of tokens that amounts to 18% of rsETH's circulating supply.
When tokens are bridged from one chain to another, the tokens on the original chain are locked in the bridge smart contract while the token is used on the other chain, preventing its owner from double-spending the asset. With 116,500 locked rsETH now stolen, those using the token on other blockchains are now holding possibly unbacked tokens.
The rush for holders to offload their dubiously backed tokens is likely to worsen contagion throughout defi protocols, where those platforms could be left holding the bag. Some platforms, including Aave, Lido Finance, and Ethena, have paused markets involving rsETH to try to protect themselves.
This hack has set the new record for the largest defi hack in 2026, following the $285 million Drift exploit on April 1.
Rhea Finance exploited for $18.4 million, some recovered
Rhea Finance's lending product was exploited for around $18.4 million after an attacker took advantage of a bug in the platform's slippage protection feature. The stolen assets affected both platform and user funds.
Some of the stolen tokens were returned by the attacker to the protocol, and around $4.35 million USDT were frozen by its issuer, Tether. Altogether, around $10 million was recovered, leaving $8.4 million outstanding.
- RHEA Finance Protocol Incident, Rhea Finance
Russian Grinex exchange halts trading after $13 million+ exploit
The Russian cryptocurrency exchange Grinex has halted trading after disclosing a hack of more than 1 billion rubles (more than $13 million). The exchange has claimed on Telegram that the hack was perpetrated by "foreign special services" they allege were trying to harm Russian financial independence.
According to blockchain intelligence firms TRM Labs and Chainalysis, Grinex is a rebranded version of the Garantex cryptocurrency exchange that was shut down and sanctioned in March 2025. Two of its operators were subsequently criminally charged in the US.
CoW Swap users lose estimated $1.2 million after DNS hijacking
Users who visited the website for the CoW Swap DEX aggregator on April 14 were unknowingly redirected to a malicious website that drained their crypto wallets. An attacker was able to socially engineer CoW Swap's domain registrar, allowing them to redirect visitors to a malicious site for a period of several hours. CoW Swap has estimated that people who used the service during that time lost around $1.2 million.
- "POST MORTEM: Cow.fi Domain Hijack", CoW DAO
Users lose $9.5 million to fake Ledger wallet app on the Apple App Store
After a fake version of the Ledger cryptocurrency wallet app made it onto the normally highly curated Apple App store, customers lost $9.5 million dollars to the malicious product. Believing it was a genuine Ledger product, people entered their seed phrases into the app, then discovered their wallets were immediately drained.
One victim, a musician who goes by G. Love, wrote: "I lost my retirement fund in a hack/Scam when I switched my Ledger over to my new computer and by accident downloaded a malicious ledger app from the Apple store. All my BTC gone in an instant." According to him, he lost 5.9 BTC (~$445,000).
Crypto sleuth zachxbt traced some of the stolen funds through Kucoin, a Chinese cryptocurrency exchange that was recently fined and forced to exit US markets over licensing and anti-money laundering failures. "The three largest victims lost seven figures each," he wrote.
Apple removed the malicious app from their App Store on April 13, six days after it had been added.