hacker

Cryptocurrency ATM operator Bitcoin Depot disclosed that it lost approximately 50.9 bitcoins in a cybersecurity incident, equivalent to about $3.7 million at current prices. According to documents submitted to the U.S. Securities and Exchange Commission (SEC), the attack occurred on March 23, with hackers obtaining credentials related to the company's enterprise-level bitcoin wallet, allowing them to breach some internal systems. Bitcoin Depot stated that customer accounts, the platform, and personal data were not affected.

According to Decrypt, Bitcoin ATM operator Bitcoin Depot Inc. suffered a security breach on March 23, with hackers stealing approximately 50.9 bitcoins from the company's controlled wallet, valued at $3.665 million.It is reported that the attackers infiltrated the company's IT system and obtained credentials for the digital asset settlement account, allowing them to transfer cryptocurrency without authorization. This is at least the second known security incident for the company, which previously experienced a hack in 2023 that resulted in the personal data of 58,000 users being compromised.

According to the monitoring by PieShield, the hacker of Drift Protocol, who stole $285 million in cryptocurrency, transferred 185 SOL, worth $15,000, to ChangeNow on the Solana network.

According to on-chain analyst Yu Jin's monitoring, about 1 hour ago, Resolv Labs destroyed 36.73 million USR held by the hacker through a contract upgrade.The hacker minted 80 million USR through a minting vulnerability without collateral, of which approximately 34 million USR were sold off by the hacker for 11,409 ETH (24.48 million USD) stored at the address 0x8ED...81C. Additionally, about 46 million USR were destroyed from the hacker's address by the Resolv project team through a contract upgrade. The actual loss from this vulnerability exploitation incident for Resolv is 34 million USD.

Drift Protocol posted on platform X that the preliminary investigation into the attack on April 1, 2026, shows that the operation was orchestrated by the North Korean government-supported hacker group UNC4736 (also known as AppleJeus or Citrine Sleet). This organization has been interacting face-to-face with Drift contributors for six months since the fall of 2025, by sending intermediaries to attend cryptocurrency conferences and establishing fake quantitative trading companies, and inducing them to download malicious code repositories or applications. Currently, Drift has frozen all protocol functions and removed the compromised wallets from multi-signature. Mandiant has been invited to participate in a deep forensic investigation. The investigation confirms that the on-chain fund flows used to test the operation can be traced back to the Radiant Capital attackers in October 2024.

According to data from DefiLlama, in the first quarter of 2026, hackers stole over $168.6 million in crypto assets from 34 decentralized finance (DeFi) protocols, a significant decrease from $1.58 billion during the same period in 2025, when the high losses were mainly due to the $1.4 billion theft incident from Bybit.The largest single attack this quarter was the private key leak incident at Step Finance in January, resulting in a loss of approximately $40 million; followed by the attack on Truebit due to a smart contract vulnerability on January 8, resulting in a loss of $26.4 million in Ethereum; and third was the private key theft incident at stablecoin issuer Resolv Labs on March 21.

According to CoinDesk, blockchain analytics firm Elliptic stated that the Drift Protocol attack resulted in a loss of $285 million, with "multiple signs" pointing to the North Korean-supported DPRK hacker organization. Elliptic focused on analyzing on-chain behavior, money laundering techniques, and signals at the network level, all of which align with previous state-affiliated attacks.The Elliptic report noted: "If confirmed, this would be the 18th DPRK attack tracked by Elliptic this year, with over $300 million stolen to date." On a technical level, Elliptic described this attack as "premeditated and meticulously planned," with early test transactions and pre-positioned wallets prior to the main attack. After the execution of the attack, the funds were quickly consolidated and transferred across chains, converted into more liquid assets, forming an organized and repeatable money laundering process aimed at obscuring the source of funds while maintaining control.This incident involved over ten types of assets, with funds being transferred across chains from Solana to Ethereum and other chains, further highlighting the importance of cross-chain tracing capabilities. Drift Protocol is the largest decentralized perpetual contract trading platform on the Solana blockchain, and its token has dropped over 40% to approximately $0.06 since the hack.

Ledger's Chief Technology Officer Charles Guillemet stated that the attack method used in the Drift Protocol exploit is similar to the 2025 Bybit hacking incident, which is widely believed to be linked to North Korean hackers.Guillemet pointed out that this attack did not target any smart contracts; instead, the attackers infiltrated the devices of multi-signature signers over a long period, tricking them into approving malicious transactions. The signers may have always thought they were authorizing legitimate operations. He emphasized that the root of the problem lies in the lack of security at the personnel and operational levels, rather than in the code itself.

According to monitoring by @ai_9684xtpa, the Drift hacker has exchanged 2.45 million USDC for 1,195 ETH in the past 5 minutes. Currently, four addresses have accumulated a total of 130,293 ETH, worth approximately 266 million dollars.

The attacker stole the npm access token of the chief maintainer of Axios, the most popular HTTP client library for JavaScript, and used that token to publish two malicious versions containing cross-platform remote access trojans (RATs) (axios@1.14.1 and axios@0.3.4), targeting macOS, Windows, and Linux systems. The malicious packages were removed from the npm registry about 3 hours after being published.According to data from security company Wiz, Axios is downloaded over 100 million times weekly and exists in about 80% of cloud and code environments. Security company Huntress detected the first infections just 89 seconds after the malicious packages went live and confirmed that at least 135 systems were compromised during the exposure window. Notably, the Axios project had previously deployed modern security measures such as OIDC trusted publishing mechanisms and SLSA provenance proofs, but the attacker completely bypassed these defenses. Investigations revealed that while configuring OIDC, the project retained the traditional long-lived NPM_TOKEN, and npm defaults to using the traditional token when both coexist, allowing the attacker to publish without breaching OIDC.

On March 28, the cybersecurity platform VECERT disclosed that hackers, under the name PexRat, are selling a database containing personal information of 1.5 million Binance users on the dark web. The content includes sensitive information such as names, emails, phone numbers, KYC verification status, login IP addresses, and two-factor authentication methods.Analysis indicates that this incident was not a direct intrusion into Binance's internal servers, but rather that the attackers bypassed the CAPTCHA mechanism and obtained data through credential stuffing and automated scraping methods. Affected users face a high risk of SIM card hijacking and phishing attacks. At the time of this incident, Binance's institutional OTC trading business is experiencing rapid growth, with trading volume reaching 25% of the total for the entire year of 2025 in just January and February of this year. This is another data security crisis for Binance following the leak of 420,000 sets of account credentials in January.

According to Reuters: Hackers linked to Iran claim to have hacked the email of the FBI director.

Hackers have launched Android malware attacks in Brazil by spoofing a phishing page that mimics the Google Play Store. Currently, all known victims are located in Brazil.The attackers set up a phishing website that closely resembles Google Play, enticing users to download a fake application called "INSS Reembolso." Once installed, the application releases hidden malicious code in stages and loads it directly into memory, leaving no visible files on the device, which makes it highly stealthy. One of the core functions of the malware is cryptocurrency mining, with an embedded XMRig mining program compiled for ARM devices that silently connects to the attacker's controlled mining server in the background. The program monitors battery level, temperature, and device usage status, dynamically adjusting mining behavior to evade detection, and bypasses Android's background process management mechanism by looping silent audio files.Some variants also include banking trojans that can overlay fake pages on the USDT transfer interface of Binance and Trust Wallet, silently replacing the recipient address. Additionally, the malware supports various remote control commands such as recording, screenshotting, keylogging, and remote locking of the device.

Bitcoin payment service provider Bitrefill disclosed on platform X that it suffered a cyberattack on March 1, 2026, resulting in a customer data breach. The attack originated from a compromised employee's laptop and allowed the attackers to access certain databases and cryptocurrency wallets.Investigations revealed that the attack method was highly similar to past attacks on cryptocurrency companies by the North Korean DPRK Lazarus/Bluenoroff hacker group. Approximately 18,500 purchase records involved limited customer information (email, cryptocurrency payment addresses, and IP metadata), with about 1,000 records having customer name information stored in an encrypted format, but potentially accessible. Bitrefill stated that customers do not need to take special actions but are advised to be vigilant for unusual information.Bitrefill further added that it has currently shut down related systems for isolation and is collaborating with security experts, on-chain analysts, and law enforcement. Operations have nearly returned to normal. The company emphasized that it is long-term profitable and financially robust enough to absorb this loss and will continue to strengthen cybersecurity measures, including internal access controls, monitoring, and emergency response mechanisms.

Slow Fog's Yu Xian posted on platform X: "A group hacking incident is occurring, hacker address: 0x913efc2062984288a0a083cd42b3a3422c07fcef, the hacker has currently profited $85,000, and this amount is still increasing. According to community feedback, this group mainly consists of yield farmers, and private keys/mnemonic phrases have been collected in advance by the hacker. The hacker is consolidating related funds. If you are using the MoreLogin fingerprint browser, please be cautious, but there is currently no evidence that MoreLogin or related plugins are the issue."

According to market news, a hacker group in China has experienced internal strife due to disputes over the distribution of stolen goods. Members publicly revealed that they had stolen approximately $7 million in cryptocurrency assets through supply chain attacks, targeting platforms such as the cryptocurrency wallet Trust Wallet.According to the leaked information, the group operated under the name of the cybersecurity company Wuhan Anshun Technology, publicly engaging in activities such as vulnerability discovery, network offense and defense, and security services, while internally actually involved in activities related to the theft of cryptocurrency assets and other gray market operations. Team members claimed they obtained mnemonic phrases in bulk and scanned multi-chain assets, including Ethereum, BNB Chain, Arbitrum, etc., through supply chain vulnerabilities in the Electron client, plugin reverse engineering, and automation tools.The whistleblower stated that the team had developed automated tools to scan mnemonic phrase assets in bulk and used remote control programs to steal wallet data, subsequently transferring and splitting the funds. The related attacks reportedly involved 37 types of tokens across multiple blockchain networks. The trigger for the exposure of this incident was an internal dispute over the distribution of stolen goods.The whistleblower claimed to have had conflicts with the team leader over unfair profit distribution and publicly presented relevant evidence after the promised severance compensation was not fulfilled, planning to turn themselves in to law enforcement. Currently, the related accusations have not been officially confirmed, and the details of the incident are still under further investigation. Industry insiders pointed out that this incident once again highlights the security risks of cryptocurrency wallet supply chains and plugins, as well as the trend of targeted attacks against high-value users.

According to market news, a wallet that received 7,447 ETH (16.29 million USD) from Tornado Cash, "0x7a7," is suspected to be the mastermind behind the CAKE/THE liquidation cascade event on Venus Protocol.The attacker deposited this ETH as collateral into Aave, borrowing 9.92 million USD in stablecoins; subsequently, they hoarded THE tokens and allegedly inflated their price on centralized exchanges; then deposited 36.1 million THE into Venus and borrowed assets such as BTC, BNB, and CAKE; about 40 minutes later, the price of THE plummeted, triggering a chain liquidation. Ultimately, Venus Protocol incurred 2.15 million USD in bad debt (with 1.18 million CAKE and 1.84 million THE still outstanding); the attacker extracted approximately 5.07 million USD in assets from this. Their actual profit may have come from short positions opened on centralized exchanges during the price crash.