theft

According to on-chain analyst ZachXBT, a counterfeit Ledger Live application was launched on the Apple App Store, resulting in over 50 users' assets being stolen, with total losses amounting to approximately $9.5 million, involving various assets such as Bitcoin, EVM chain assets, TRON, Solana, and XRP.The stolen funds were subsequently transferred through more than 150 KuCoin deposit addresses and laundered using a centralized mixing service called AudiA6. Data shows that the largest single loss reached $3.23 million. The application has recently been removed by Apple.

According to CoinDesk, researchers from the University of California, Santa Barbara, the University of California, San Diego, blockchain security company Fuzzland, and World Liberty Financial have jointly published a paper warning that "LLM routers"—intermediary services located between users and AI models—have become a significant security risk for crypto assets.The researchers found that 26 LLM routers are secretly injecting malicious tool calls and stealing user credentials, with one incident leading to the emptying of a customer's crypto wallet worth $500,000.Additionally, the researchers were able to control about 400 downstream hosts within hours by "polluting" the router ecosystem. Since sensitive data such as private keys and API credentials are often transmitted in plaintext through these routers, users are effectively exposing their assets to risk without their knowledge.The researchers pointed out that as McKinsey predicts AI agents will mediate $30 trillion to $50 trillion in global consumer spending by 2030, Binance founder Changpeng Zhao also predicts that the payment volume of AI agents will be a million times that of humans. The current infrastructure security is severely lagging behind the pace of industry development, and the risk of the "weakest link" could trigger a systemic chain crisis.

According to market news, researchers from the University of California recently disclosed that some third-party AI large language model (LLM) routers have security risks that could lead to the theft of cryptocurrency assets. The research shows that LLM routers, acting as API intermediaries, can read plaintext information, and some routers have been found to inject malicious code and steal credentials.The team tested 28 paid and 400 free routers, finding that 9 routers actively injected malicious code, 2 deployed evasion triggers, and 17 accessed Amazon Web Services credentials. Some routers even transferred ETH using the researchers' Ethereum private keys.The study pointed out that the malicious behavior of the routers is difficult to detect, and some AI agent frameworks' "YOLO mode" can automatically execute commands, increasing security risks. The research recommends that developers should not allow private keys or mnemonic phrases to be transmitted through AI agents and calls on AI companies to encrypt signatures in responses to enhance security.

As the infiltration and attacks targeting the cryptocurrency industry continue to escalate, security experts point out that the core difference from hackers with backgrounds in other countries is that cryptocurrency assets have become an important direct source of financing for military expenses in that country. Reports indicate that during a recent months-long infiltration operation against Drift Protocol, North Korean hackers once again caused a stir in the industry.Experts state that this model is not merely a "fund transfer tool," but rather a direct "predatory profit" mechanism used to bypass international sanctions and obtain immediately usable hard currency. Security researchers note that, unlike countries such as Russia and Iran, North Korea almost entirely lacks sustainable foreign economic and commodity export capabilities, making it more reliant on cryptocurrency theft as a core source of income to support its nuclear weapons and ballistic missile programs.Experts also emphasize that North Korean hacker attack targets have expanded from simple phishing to exchanges, wallet services, and key holders of DeFi protocols, commonly employing long-term social engineering and identity disguise infiltration methods. Due to the characteristic of blockchain transactions being "irreversible once confirmed," the cryptocurrency industry is far weaker than the traditional financial system in terms of freezing and recovering funds, making such attacks more destructive in speed and scale. Security personnel warn that this type of "long-term infiltration + precise power seizure" attack model has yet to be effectively addressed by the industry.

X product head and Solana advisor Nikita Bier stated that during this round of creator revenue sharing, the revenue share for all aggregated accounts has been reduced to 60%. In the next cycle, it will be further reduced by 20%. Nikita Bier pointed out that the large amount of plagiarized reposts and clickbait content published daily on the timeline not only squeezes the living space of real creators but also hinders the growth of new authors. The next step will be to permanently deduct earnings from users who habitually post clickbait content and use the "BREAKING" label in every post. X will not restrict speech or the scope of dissemination but will not provide revenue compensation for manipulating distribution mechanisms or misleading user behavior.

Circle Chief Strategy Officer Dante Disparte published a response regarding the over $270 million theft incident involving Drift Protocol. Disparte stated that Circle only freezes USDC when legally mandated to do so, and this is not a unilateral decision, nor is it a backdoor or algorithmic monitoring. This reflects the rule of law in internet-native financial activities.He pointed out that the core issue facing open systems is that the legal framework's response speed lags behind technological development. Protocols, wallets, exchanges, and stablecoin issuers should regard security and accountability as a shared obligation, and DeFi protocols can develop on-chain technical protection measures by referencing the circuit breaker mechanisms of traditional markets.He also called for the legislative processes of the U.S. GENIUS Act and CLARITY Act to incorporate due process, property rights, and financial privacy protection standards into law before the next major security incident occurs.

The American law firm Gibbs Mura has officially announced a collective lawsuit investigation regarding the Drift Protocol theft incident, involving a fund scale of approximately $280 million to $285 million. It is reported that over $230 million USDC was transferred to Ethereum via Circle's Cross-Chain Transfer Protocol (CCTP).Gibbs Mura believes that although Circle has the technical capability to freeze funds, it did not take freezing action during this attack. The law firm is currently assessing whether investors can file claims against Circle for "failure to intervene in a timely manner," "insufficient monitoring," and "failure to fulfill stablecoin responsibilities," and is calling on affected users to participate in the lawsuit to advance fund recovery.

The People's Court of Honggang District, Daqing City, Heilongjiang Province recently announced a first-instance judgment. Two men were sentenced for stealing electricity from high-voltage lines in an oil field to mine Bitcoin. The main offender, Zhang, was sentenced to 10 years in prison and fined 50,000 yuan, while the accomplice, Zhao, was sentenced to 4 years and 10 months in prison and fined 20,000 yuan.According to the judgment, Zhang illegally connected to the high-voltage line of an oil field from a certain oil extraction plant in Daqing and set up 24 Bitcoin mining machines in an abandoned pigsty he rented. In December of the same year, Zhao joined in knowing that Zhang was stealing electricity and purchased an additional 12 mining machines, bringing the total to 36 machines running. In August 2025, the two were arrested by the public security authorities. It was calculated that Zhang stole 565,375.2 kilowatt-hours of electricity, valued at 438,580.52 yuan; Zhao stole 468,060 kilowatt-hours, valued at 363,750.78 yuan. The court found both men guilty of theft, with Zhang being the principal offender and Zhao the accomplice. The court also ordered Zhang to compensate 438,580.52 yuan, while Zhao was jointly liable for 363,750.78 yuan of that amount. The mining machines and related equipment involved in the case will be handled by the public security authorities in accordance with the law.

In the DeFi protocol Drift theft incident, the loss of JLP positions is approximately $155.6 million. In response, Jupiter officials stated that the platform was not affected by this incident, its lending product Jupiter Lend was not involved in the Drift market, and that JLP assets are "fully backed by underlying assets."Jupiter also stated that this incident is a "difficult day" for the Solana DeFi ecosystem and expressed concern for the Drift team and affected users.According to previous news from ChainCatcher, the Solana ecosystem Drift Protocol was attacked, resulting in losses of at least $200 million.

Distributed Capital partner Shen Bo posted on X detailing the complete list and addresses of his stolen assets in 2022. He revealed that the theft occurred on November 10, 2022, Eastern Time, between 00:46 and 01:02. The Trust Wallet hot wallet installed on his iPhone 12 Pro Max was stolen, with assets valued at approximately 42 million dollars.The address details are: ETH: 0x6be85603322df6DC66163eF5f82A9c6ffBC5e894 BTC: 1ECNeZyiHgqJmv42i3pkWY48xiXy7KukTG / bc1qg3mnvn8saea50js7nzkhm8k054mpwqmcuq3de5 TRON: TJLBmmUb5TcFFXTLzuuaKU96uTg5Sjn1yD26. On that day, Shen Bo set a bounty to recover approximately 42 million dollars worth of cryptocurrency stolen three years ago.

Andrej Karpathy posted on the X platform that litellm has encountered a PyPI supply chain attack, where executing pip install litellm can steal SSH keys, AWS/GCP/Azure credentials, Kubernetes configurations, git credentials, environment variables, encrypted wallets, SSL private keys, CI/CD keys, and database passwords.litellm has a monthly download volume of 97 million, and the risk can spread to all projects that depend on litellm, such as dspy. The version with the malicious code was online for less than about 1 hour, and it was discovered due to a flaw in the attack code that caused Callum McMahon's machine to run out of memory and crash. Andrej Karpathy stated that supply chain attacks are the most threatening issue in modern software, as each installation of dependencies can introduce tampered packages deep within the dependency tree, leading him to increasingly prefer reducing dependencies and using LLM to directly implement simple functions.

According to Decrypt, Chinese citizen Zhang Xinghua was sentenced to two years in prison by a Singapore court for conspiring to abuse computer systems and handling criminal proceeds in connection with a theft of approximately $6.9 million at the SafeX cryptocurrency exchange.Prosecutors stated that he conspired with two other accomplices, one of whom, Chen Chong Xin, who is still at large, accessed the SafeX crypto vault without authorization three times between June and August 2025, transferring over $6.9 million to multiple wallets. He then laundered part of the funds through Tornado Cash, depositing over $1.6 million in two transactions, which could have yielded over $886,000 in profits, but police intervened to stop it.The case came to light after the SafeX system triggered a low balance alert. Singapore has frozen or seized approximately $2.1 million in related crypto assets, while about $4.8 million remains unrecoverable in offshore private wallets or with virtual asset service providers. Court hearings revealed that Zhang Xinghua returned approximately $95,000 in Bitcoin through his wife. Another accomplice in the case is still under investigation.

According to on-chain security firm PeckShield, the attacker who previously stole $24 million worth of $aEthUSDC from DeFi user @sillytuna is still transferring the stolen assets, and the money laundering activities are ongoing.Tracking shows that the attacker has taken various measures to disperse the funds:• Exchanged approximately $2 million worth of $DAI and $ETH for 6,174.4 $XMR (Monero), currently stored in Hyperliquid• Deposited about $6.5 million worth of $USDC and $USDT into centralized exchanges such as OKX, MEXC, and Bitkan• Laundered 375 ETH through the privacy mixing protocol Tornado Cash.

Suspect John Daghita in the $40 million cryptocurrency theft case involving the U.S. government has been arrested by the FBI.On-chain detective ZachXBT previously revealed that John Daghita is the son of the CEO of CMDSS, a company that had contracts with the U.S. government to handle seized cryptocurrency.According to ZachXBT, he exposed in January 2026 that John used his father's company CMDSS (which holds the USMS contract) to access and transfer relevant assets from wallets managed by the U.S. Marshals Service (USMS). Subsequently, John mocked ZachXBT multiple times on a Telegram channel and initiated a "dust attack" by publicly sending part of the involved funds to his wallet address.

According to Cointelegraph, Google's Threat Analysis Group recently disclosed a new iOS exploit kit named "Coruna," which is being used for cryptocurrency theft targeting iPhone users. This kit primarily targets devices running iOS versions 13 to 17.2.1 and includes 23 exploit scripts and 5 complete attack chains, some of which are previously unknown vulnerabilities.It can carry out attacks through counterfeit cryptocurrency-related websites. Reportedly, when users access these malicious sites using vulnerable iOS devices, the attack code automatically runs, scanning for sensitive information on the device, particularly text containing keywords such as mnemonic phrases, backup phrases, and bank account details, and attempts to steal assets from cryptocurrency applications like Uniswap and MetaMask.Google researchers strongly recommend that iPhone users immediately update their devices to the latest iOS version. If updating is not possible, they should enable Apple's "Lockdown Mode" to enhance protection.

According to a report by South Korea's Asia Economy, the National Tax Service of South Korea released news materials regarding on-site searches of 124 high-profile, habitual tax evaders, revealing现场照片 that included the seized Ledger hardware wallet's mnemonic phrase, with no pixelation applied.Blockchain data expert Jaewoo Cho stated that shortly after the mnemonic phrase was leaked, all 4 million PRTG tokens stored in the wallet were transferred to an unidentified wallet early this morning, with estimated losses reaching approximately 6.4 billion won (about 4.8 million USD).Analysis shows that the thief first deposited a small amount of Ethereum to be used as transaction fees into the wallet, and then transferred all the tokens in three transactions.

The Hong Kong virtual currency trading platform AAX ceased operations in mid-November 2022 under the pretext of system maintenance and updates, leaving over 300 customers unable to retrieve nearly 100 million Hong Kong dollars in assets. After an investigation, Hong Kong law enforcement discovered that the platform's shutdown was allegedly caused by false information and illegal means, with the person in charge fleeing Hong Kong with a virtual currency wallet and private keys, and later being arrested upon returning.Hong Kong police stated that after a thorough investigation, 191 victims reported losses totaling approximately 81 million Hong Kong dollars, while the AAX person in charge withdrew virtual currency worth about 633 million Hong Kong dollars after the platform ceased operations. He has currently been charged with 3 counts of theft and 1 count of fraud.

The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) announced sanctions against the Russian cybersecurity company Operation Zero and its head, Sergey Sergeyevich Zelenyuk, due to allegations that the company funded activities aimed at stealing U.S. trade secrets through cryptocurrency.The sanctions also include five other related individuals, accused of using cyber attack tools to threaten U.S. national security. This action stems from an investigation by the U.S. Department of Justice last year. An Australian citizen, Peter Williams, has admitted to stealing proprietary software from the U.S. defense contractor he worked for and providing the secrets to Operation Zero in exchange for millions of dollars in cryptocurrency.Williams has pleaded guilty to two counts of trade secret theft. The U.S. Treasury stated that Operation Zero primarily engages in the trading of exploit tools, which can exploit software vulnerabilities to gain unauthorized access, steal data, or control devices. The company also pays individuals who carry out attacks through a bounty system. Treasury Secretary Scott Bessent stated that if anyone steals U.S. trade secrets, the U.S. government will hold them accountable and will continue to protect sensitive technology and national security.

Hong Kong police have arrested an employee of a cryptocurrency trading platform who is suspected of stealing approximately 2.67 million USDT from about 20 customers, worth around 20.87 million HKD. The arrested individual is a 34-year-old network engineer surnamed Choi, who has worked at the company for 4 years and is primarily responsible for managing the mobile application.The company began receiving reports from customers about lost funds in early January this year. Investigations revealed that the employee had logged into the company database and accessed relevant customer accounts. The incident took place at an investment company located in the South Tower of Hong Kong Science Museum Road, Tsim Sha Tsui, which provides a cryptocurrency settlement platform. The case has now been handed over to the Ninth Team of the Criminal Investigation Unit of the Yau Tsim Police District for further investigation.