hacker

The Ethereum Foundation recently released a summary report on the ETH Rangers security project, revealing that during a 6-month security funding program, researchers identified approximately 100 suspected state-sponsored cyber operatives, including infiltrators from North Korea, who have been active in multiple Web3 projects.The report indicates that relevant investigations were advanced through projects like the "Ketman Project," where researchers issued warnings to about 53 blockchain projects, revealing that these individuals infiltrated development teams under false identities and participated in fund flows and technical positions. Meanwhile, some related funds have been frozen, amounting to hundreds of thousands of dollars. The security team also incorporated relevant intelligence into the threat analysis system for the Lazarus Group and disclosed it at security conferences such as DEF CON, showing that state-level cyber attacks are continuously infiltrating the infrastructure of the cryptocurrency industry.In terms of overall results, the program has frozen or recovered over $5.8 million in funds, reported or documented over 785 vulnerabilities, and handled 36 security incidents, indicating that the security threats currently faced by the Ethereum ecosystem have escalated from simple vulnerability attacks to systemic risks involving state-level actors. Additionally, the report points out that North Korean hackers have also infiltrated projects through methods such as "remote IT workers," involving various attack paths such as account takeovers, freelancing platform infiltrations, and fund transfers, making them a key target for industry prevention.The Ethereum Foundation emphasizes that the security of decentralized networks requires "decentralized defense" and will continue to support security research, threat intelligence, and talent development to address the escalating state-level cyber threats.

In response to the recent attack on the "ListaDAOLiquidStakingVault" contract, ListaDAO officially released a statement clarifying that the attacked contract was not deployed by the official team, but rather was a counterfeit contract created by an unverified third party using a similar name. All official contracts of ListaDAO were not affected by this incident.According to an in-depth analysis by the GoPlus security team, the attack occurred on April 16, 2026, and the root cause was a business logic flaw in the third-party contract. When a token transfer was made, it triggered the Dividend.setShares() function and altered the share accounting within the contract, which in turn affected the reward calculation in the claimReward() function. The attacker exploited this vulnerability to deplete the assets within the contract.GoPlus reminds that since this logical flaw exists in both segments of the contract code mentioned above, any development projects that fork or reuse this code face a high risk of being exploited. It is recommended that relevant developers promptly conduct code inspections and fixes, and implement continuous auditing mechanisms to ensure the security of smart contracts.

Tether CEO Paolo Ardoino posted on X that Tether has frozen 3.29 million USDT in the hacker address of Rhea Finance.Paolo Ardoino specifically mentioned, "Tether takes this matter seriously," seemingly implying that Circle has not restricted the actions of hackers using USDC to transfer stolen funds in recent incidents such as Drift.

Bitcoin core developer Jameson Lopp stated that, compared to the potential quantum computing attacks that may arise in the future, he prefers to "freeze" about 5.6 million long-dormant BTC from the network rather than let them be acquired by attackers. These Bitcoins have not moved for over 10 years and may be permanently lost, valued at approximately $42 billion at current prices. If future breakthroughs in quantum computing lead to the decryption of old address private keys, this portion of assets could be re-transferred, triggering severe market fluctuations or even a crisis of confidence.Although the community recently proposed BIP-361, the proposal is still in its early stages and is not an officially promoted plan, but rather more like a contingency plan to address "extreme risks."

The security research organization Elastic Security Labs has disclosed a new social engineering attack targeting personnel in the finance and cryptocurrency industries. The attackers impersonate venture capital firms on LinkedIn and Telegram, tricking targets into opening an Obsidian note repository that contains a built-in malicious payload, thereby deploying a previously unrecorded Windows remote access Trojan called PHANTOMPULSE.This attack does not exploit any software vulnerabilities but instead abuses the Shell Commands plugin of Obsidian to automatically execute malicious code when the note repository is opened. On the macOS side, it uses an obfuscated AppleScript launcher in conjunction with a Telegram channel as a backup command and control server, while on the Windows side, it leverages Ethereum transaction data to achieve blockchain-based C2 address resolution.

The crypto wallet Zerion disclosed that North Korean hackers are using AI for long-term social engineering attacks, stealing approximately $100,000 from the company's hot wallet.Zerion confirmed that user funds, applications, and infrastructure were not affected, and has proactively disabled the web application as a precaution. Zerion also stated that the attackers obtained some session and credential information from team members who were logged in, as well as the private keys of the company's hot wallet, and pointed out that AI is changing the way cyber threats operate.

According to market news, a report released by the blockchain security company Hacken shows that Web3 projects lost a total of $464.5 million this quarter due to hacker attacks and scams, with phishing and social engineering attacks accounting for $306 million, becoming the main source of losses.A hardware wallet scam that occurred in January caused a loss of $282 million, accounting for 81% of the total quarterly losses. Smart contract vulnerabilities led to losses of $86.2 million, while access control failures (including breaches of keys and cloud services) caused losses of $71.9 million. The report points out that the largest security incidents often occur in off-chain operations and infrastructure layers, which traditional audits find difficult to cover. The European regulatory frameworks MiCA and DORA are increasing requirements for security monitoring and incident response, and global regulatory agencies are also raising standards for real-time monitoring and emergency response.

A 27-year-old German hacker, Noah Christopher, was arrested in Bangkok, Thailand, facing up to 74 arrest warrants for cyber crimes in Europe.Investigations show that this individual is suspected of developing and operating a ransomware platform and a "cybercrime-as-a-service" (CaaS) system between 2021 and 2025, including providing distributed denial-of-service (DDoS) attack tools (such as Fluxstress and Neldowner), assisting global clients in launching cyber attacks and charging fees, with related ransom payments involving cryptocurrencies and other digital assets, constituting transnational cybercrime activities. His visa has been revoked, and he is currently detained awaiting extradition to Germany.

Cryptocurrency ATM operator Bitcoin Depot disclosed that it lost approximately 50.9 bitcoins in a cybersecurity incident, equivalent to about $3.7 million at current prices. According to documents submitted to the U.S. Securities and Exchange Commission (SEC), the attack occurred on March 23, with hackers obtaining credentials related to the company's enterprise-level bitcoin wallet, allowing them to breach some internal systems. Bitcoin Depot stated that customer accounts, the platform, and personal data were not affected.

According to Decrypt, Bitcoin ATM operator Bitcoin Depot Inc. suffered a security breach on March 23, with hackers stealing approximately 50.9 bitcoins from the company's controlled wallet, valued at $3.665 million.It is reported that the attackers infiltrated the company's IT system and obtained credentials for the digital asset settlement account, allowing them to transfer cryptocurrency without authorization. This is at least the second known security incident for the company, which previously experienced a hack in 2023 that resulted in the personal data of 58,000 users being compromised.

According to the monitoring by PieShield, the hacker of Drift Protocol, who stole $285 million in cryptocurrency, transferred 185 SOL, worth $15,000, to ChangeNow on the Solana network.

According to on-chain analyst Yu Jin's monitoring, about 1 hour ago, Resolv Labs destroyed 36.73 million USR held by the hacker through a contract upgrade.The hacker minted 80 million USR through a minting vulnerability without collateral, of which approximately 34 million USR were sold off by the hacker for 11,409 ETH (24.48 million USD) stored at the address 0x8ED...81C. Additionally, about 46 million USR were destroyed from the hacker's address by the Resolv project team through a contract upgrade. The actual loss from this vulnerability exploitation incident for Resolv is 34 million USD.

Drift Protocol posted on platform X that the preliminary investigation into the attack on April 1, 2026, shows that the operation was orchestrated by the North Korean government-supported hacker group UNC4736 (also known as AppleJeus or Citrine Sleet). This organization has been interacting face-to-face with Drift contributors for six months since the fall of 2025, by sending intermediaries to attend cryptocurrency conferences and establishing fake quantitative trading companies, and inducing them to download malicious code repositories or applications. Currently, Drift has frozen all protocol functions and removed the compromised wallets from multi-signature. Mandiant has been invited to participate in a deep forensic investigation. The investigation confirms that the on-chain fund flows used to test the operation can be traced back to the Radiant Capital attackers in October 2024.

According to data from DefiLlama, in the first quarter of 2026, hackers stole over $168.6 million in crypto assets from 34 decentralized finance (DeFi) protocols, a significant decrease from $1.58 billion during the same period in 2025, when the high losses were mainly due to the $1.4 billion theft incident from Bybit.The largest single attack this quarter was the private key leak incident at Step Finance in January, resulting in a loss of approximately $40 million; followed by the attack on Truebit due to a smart contract vulnerability on January 8, resulting in a loss of $26.4 million in Ethereum; and third was the private key theft incident at stablecoin issuer Resolv Labs on March 21.

According to CoinDesk, blockchain analytics firm Elliptic stated that the Drift Protocol attack resulted in a loss of $285 million, with "multiple signs" pointing to the North Korean-supported DPRK hacker organization. Elliptic focused on analyzing on-chain behavior, money laundering techniques, and signals at the network level, all of which align with previous state-affiliated attacks.The Elliptic report noted: "If confirmed, this would be the 18th DPRK attack tracked by Elliptic this year, with over $300 million stolen to date." On a technical level, Elliptic described this attack as "premeditated and meticulously planned," with early test transactions and pre-positioned wallets prior to the main attack. After the execution of the attack, the funds were quickly consolidated and transferred across chains, converted into more liquid assets, forming an organized and repeatable money laundering process aimed at obscuring the source of funds while maintaining control.This incident involved over ten types of assets, with funds being transferred across chains from Solana to Ethereum and other chains, further highlighting the importance of cross-chain tracing capabilities. Drift Protocol is the largest decentralized perpetual contract trading platform on the Solana blockchain, and its token has dropped over 40% to approximately $0.06 since the hack.

Ledger's Chief Technology Officer Charles Guillemet stated that the attack method used in the Drift Protocol exploit is similar to the 2025 Bybit hacking incident, which is widely believed to be linked to North Korean hackers.Guillemet pointed out that this attack did not target any smart contracts; instead, the attackers infiltrated the devices of multi-signature signers over a long period, tricking them into approving malicious transactions. The signers may have always thought they were authorizing legitimate operations. He emphasized that the root of the problem lies in the lack of security at the personnel and operational levels, rather than in the code itself.

According to monitoring by @ai_9684xtpa, the Drift hacker has exchanged 2.45 million USDC for 1,195 ETH in the past 5 minutes. Currently, four addresses have accumulated a total of 130,293 ETH, worth approximately 266 million dollars.

The attacker stole the npm access token of the chief maintainer of Axios, the most popular HTTP client library for JavaScript, and used that token to publish two malicious versions containing cross-platform remote access trojans (RATs) ([email protected] and [email protected]), targeting macOS, Windows, and Linux systems. The malicious packages were removed from the npm registry about 3 hours after being published.According to data from security company Wiz, Axios is downloaded over 100 million times weekly and exists in about 80% of cloud and code environments. Security company Huntress detected the first infections just 89 seconds after the malicious packages went live and confirmed that at least 135 systems were compromised during the exposure window. Notably, the Axios project had previously deployed modern security measures such as OIDC trusted publishing mechanisms and SLSA provenance proofs, but the attacker completely bypassed these defenses. Investigations revealed that while configuring OIDC, the project retained the traditional long-lived NPM_TOKEN, and npm defaults to using the traditional token when both coexist, allowing the attacker to publish without breaching OIDC.