attacks

Etherlink posted on platform X that the Etherlink EVM Bridge has become a target of a security attack. As a precaution, all transfers have been suspended to protect user funds while the issue is being investigated. No funds have been lost.The team is working closely with LayerZero, Asymmetric Research, and Zeeve to investigate the issue and ensure that the attack attempts are fully mitigated. A timeline for restoring services has not yet been determined.

On-chain security analyst Specter stated that a phishing attack suspected to target Polymarket users is currently occurring, with total losses amounting to approximately $2.94 million.According to its monitoring, attackers have transferred funds from more than 11 victim wallets holding PUSD, converting the stolen assets into ETH, while reminding users to be cautious of phishing risks and stating that the incident is still under ongoing investigation.

According to "On-Chain Detective" ZachXBT's post on his personal channel, Polish social engineering attacker Wojtek Kulisz (online name "Merry") was recently suspected of being raided by Polish law enforcement, along with three others being taken away.Although the official press release did not disclose his name or photo, several designer clothing and jewelry items displayed on his public Instagram account "wojtekk" are highly consistent with the items seized during the police operation. The related case is led by the Polish Central Cyber Crime Fighting Department (CBZC) and has received assistance from agencies such as the FBI and HSI.

Slow Fog stated that over 140 Mastra-related npm packages were subjected to a supply chain attack, with the affected versions introducing the malicious dependency [email protected], triggering code execution controlled by the attacker during the installation phase.

According to Slow Fog's disclosure, a new variant of Shai-Hulud Hades has been found attacking PyPI. The malicious package drops a .pth file that executes automatically when Python starts, and checks if Bun is installed locally; if not installed, it downloads the official Bun binary from GitHub Releases, and then executes a multi-layer obfuscated JavaScript payload to steal credentials from GitHub, npm, AWS, and cloud services.Slow Fog stated that this variant uses the same RSA public key and infrastructure as previous Shai-Hulud attacks, and has capabilities such as encrypted exfiltration, persistence, CI/CD injection, and GitHub Actions injection.

The founder of Slow Fog, Yu Xian, stated that the attack Asterix encountered is similar to that of Flooring Protocol and BMP yesterday (the underlying protocols are DN404 and BT404), with high-level NFT ID displacement operations overflowing and being reused. It seems the attackers are looking for common vulnerabilities.It is reported that Asterix disclosed an attack incident affecting the ASTX token contract yesterday, stating that its Uniswap v4 liquidity pool was attacked on June 8, with attackers stealing approximately 30 ETH through 242 transactions. The vulnerability originated from a lack of token ID restriction checks on approval operations in an early version of DN404. Attackers exploited the outdated token approval to repeatedly sell tokens in the pool to obtain ETH, and then extracted equivalent tokens through forged IDs, leading to a cycle that drained the funds.Smart contracts are immutable and cannot be patched. The team advises users to stop interacting with the current pool and tokens and is planning to migrate to deploy secure tokens. The team suspects that the attackers used a jailbroken AI tool for fuzz testing to discover unconventional logic paths.

SlowMist has issued a security alert, detecting an active npm supply chain attack targeting @redhat-cloud-services related packages. Currently, over 31 packages have been confirmed affected, with a weekly download volume of approximately 116,000 times, and stolen credentials exist in more than 300 GitHub repositories. This attack method is highly similar to the previous "Shai-Hulud" npm attack, including credential theft, creation of malicious repositories, and automated secret leakage. New suspicious repositories continue to emerge, indicating that the attack is still ongoing, and developers are still being continuously infected.Potential harms include: theft of GitHub/npm tokens, leakage of AWS/GCP/Azure cloud credentials, collection of SSH keys and Kubernetes secrets, leakage of local environment and wallet data, creation of malicious repositories and persistence operations, and even potentially destructive actions after tokens are revoked. It is recommended to immediately remove or downgrade affected @redhat-cloud-services package versions, conduct a comprehensive audit of CI/CD workflows and dependency installations, rotate all GitHub, npm, cloud service, SSH, and wallet-related keys, retain logs, and rebuild exposed developer machines or Runners from clean images while maintaining a high level of vigilance.

According to Cointelegraph, CertiK data shows that losses from attacks on crypto platforms in May dropped to $68.3 million, a nearly 90% decrease from $650 million in April. May became the third month in 2026 with losses below $100 million. Of this, approximately $2.6 million came from phishing attacks, and about $9.4 million of stolen funds have been recovered or returned. The largest single loss in May came from the Verus Protocol cross-chain bridge attack, with $11.5 million stolen; THORChain ranked second, with $10.1 million stolen. Code vulnerabilities were the highest loss type, accounting for about $45 million, or 66%; wallet or private key leaks resulted in $13.7 million in losses. Cross-chain bridges were the primary target of attacks, with losses of $28.6 million, accounting for 42%. DeFiLlama data shows that there were a total of 29 incidents in May, of which 7 involved private key leaks.

AML / KYT provider Shard disclosed that the number of cyber attacks in the cryptocurrency industry doubled year-on-year in the first quarter of 2026, exceeding 80 incidents, but total losses decreased by 69% year-on-year to $496 million, compared to $1.6 billion in the same period last year. Shard stated that the losses in the same period of 2025 were mainly impacted by a significant theft incident of approximately $1.4 billion involving Bybit; while the attacks in 2026 were more dispersed, targeting DeFi protocols, infrastructure services, and individual users.Looking at the months, there were a total of 29 attacks in January, with losses exceeding $392 million; 26 attacks in February, with losses exceeding $22 million; and 27 attacks in March, with losses exceeding $81 million.

According to a video shared by DEGEN NEWS, Nic Carter, a partner at Castle Island Ventures, stated that Solana needs a complete rebuild to defend against quantum attacks. He pointed out, "This will be tricky for Solana because they have highly optimized around a certain variant of elliptic curve and have also made targeted optimizations at the hardware level.The entire core idea of Solana is high throughput. Ultimately, they may adopt lattice-based cryptography, but the speed will slow down, and the throughput may decrease, which is precisely what Solana is all about."

According to Slow Fog's disclosure, the security agency MistEye detected a cross-registry supply chain attack incident, where attackers targeted developers in the fields of cryptocurrency, DeFi, Solana, Sui/Move, and AI by publishing malicious packages on npm, PyPI, and crates.io. This attack activity includes more than 34 malicious packages and over 384 related versions. The attackers may steal cryptocurrency wallets, SSH keys, cloud credentials, GitHub/AWS tokens, browser data, environment variables, and developers' confidential information.Some of the malicious payloads also attempted to achieve persistence through .cursorrules, CLAUDE.md, Git hooks, shell hooks, cron, systemd, and SSH. Developers are advised to immediately remove the affected packages, isolate the affected systems, retain logs, rotate exposed credentials, rebuild CI environments and developer machines from clean images, and review GitHub, cloud services, SSH, and wallet activity logs.

The British police announced that five people have been sentenced in a "Wrench Attack" case targeting cryptocurrency holders. The suspects met the victims at a bar in Shoreditch, London, in July 2025, forcibly took them back to their homes, and through violent threats and facial recognition verification, coerced them into accessing their bank and cryptocurrency accounts, stealing over £10,000 in cash, cryptocurrency, and other valuables such as watches.During the investigation, the cryptocurrency exchange platform Coinbase reported to the police after discovering unusual activity in the victims' accounts. The police subsequently identified and arrested the individuals involved. The court ultimately sentenced four main offenders to prison terms ranging from 3.5 to 6.5 years, while another individual involved was sentenced to community service for money laundering. The police stated that this case has caused long-term psychological trauma to the victims and their families, highlighting the rising risk of offline violent crimes against cryptocurrency asset holders.

Bitcoin mining company MARA Holdings allocated approximately $4.3 million for CEO Fred Thiel's personal security expenses in fiscal year 2025, which includes $430,780 for vehicle bulletproof modifications, as well as expenses for bodyguards and residential security facilities. According to documents submitted to the U.S. SEC, MARA also provided approximately $3.9 million in security expenses for CFO Salman Khan, including $438,380 for vehicle bulletproof costs.Reports indicate that as incidents of "ransom attacks" targeting executives and investors in the crypto industry increase, crypto companies are significantly ramping up their investment in executive physical security. The so-called "ransom attack" typically refers to forcing victims to hand over private keys or account access through kidnapping, violence, or coercion. Data shows that in 2025, there were 72 confirmed incidents of crypto-related entity coercion globally, a year-on-year increase of 75%. Among these, France recorded 19 incidents, the highest in the world.

According to Decrypt, research published by Glassnode shows that nearly one-third of circulating Bitcoin has exposed public keys, theoretically making it vulnerable to future quantum computer attacks. Specifically, about 6.04 million Bitcoins worth over $46.9 billion are at quantum risk. Among these, approximately 1.92 million are structurally exposed, originating from early "pay-to-public-key" addresses, multi-signature structures, and Taproot outputs, which are script formats that default to exposing public keys.About 4.12 million are operationally exposed, stemming from address reuse behavior. Among the Bitcoins with operational exposure, approximately 1.66 million are related to exchanges, accounting for 8.3% of the total supply and about 40% of all operationally exposed Bitcoins. From the holdings of major exchanges, only 5% of Coinbase's Bitcoins are exposed to quantum risk, while Binance and Bitfinex have exposure rates of 85% and 100%, respectively. Glassnode states that this result should not be interpreted as a risk ranking of specific companies or a signal of solvency.

The Echo Protocol encountered a vulnerability attack on the Monad network, where the attacker minted 1,000 eBTC (worth approximately $76.64 million). According to PeckShield's tracking, the attacker deposited 45 eBTC (about $3.45 million) into Curvance, borrowed 11.29 WBTC, and then bridged it to Ethereum to exchange for ETH, of which 384 ETH were transferred to Tornado Cash. Curvance has suspended the affected market, stating that the smart contract was not compromised and other markets were unaffected.The Echo Protocol has suspended all cross-chain transactions. Monad CEO Keone Hon clarified that the vulnerability did not affect the Monad network, and security researchers assessed that approximately $816,000 was actually stolen.This incident raises the total number of crypto hacking events in May to 14, with three significant DeFi attacks occurring in just the past five days: THORChain suffered a treasury vulnerability loss of over $10 million on May 15, and the Verus Ethereum cross-chain bridge was attacked three days later, resulting in a loss of about $11.58 million. The series of security incidents highlights the systemic security risks that the DeFi sector continues to face.

PeckShield posted on platform X that from February to mid-May 2026, there have been at least 8 significant security incidents related to cross-chain bridges in the crypto industry, with attackers stealing approximately $328.6 million in assets from cross-chain protocols. PeckShield pointed out that cross-chain infrastructure remains a high-frequency target for hackers, and the associated risks continue to be highlighted in the context of the expansion of the multi-chain ecosystem.

According to a report by The Block, the crypto security firm CertiK released a report today indicating that in the first four months of 2026, there have been 34 confirmed cases of crypto "ransom attacks" globally (i.e., offline physical assaults and extortion targeting crypto asset holders), an increase of 41% compared to the same period in 2025, with total losses for victims amounting to approximately $101 million. If the trend continues, the total number of incidents for the year is expected to reach around 130, with losses potentially soaring to hundreds of millions of dollars.In terms of geographical distribution, out of the 34 incidents, 28 (82%) occurred in Europe, with France being particularly notable, having recorded 24 incidents in just the first four months of 2026, surpassing the total of 20 incidents for the entire year of 2025. CertiK attributes this to France's hosting of flagship crypto companies like Ledger and Binance, frequent data breaches, and a prevalent culture of "showing off wealth and doxxing" within the community. In contrast, the number of reported incidents in the United States dropped from 9 in 2025 to 3 in the first quarter, while Asia saw a decrease from 25 to 2.Regarding attack patterns, CertiK pointed out that criminal groups have shifted to a "data-driven targeting" model, reducing the need for on-site reconnaissance by purchasing victims' names, addresses, and asset information from data intermediaries. This year, over half of the incidents involved threats or direct harm to victims' family members (spouses, children, elderly parents) as a means of exerting pressure. In terms of execution, small groups of 3 to 5 individuals typically operate through

According to CoinDesk, Angus Fletcher, head of digital assets at State Street Bank, stated at the Consensus Miami conference that in light of the recent surge in DeFi attack incidents, institutional investors are looking for improvements in blockchain security. He pointed out that the young crypto industry needs to find solutions now before trillions of dollars in real-world assets are put on-chain.Fletcher believes that the interoperability between blockchains needs to be clearly defined and understood, and institutional clients need to understand the legal ownership and rights of cross-chain tokens. Dennis Bree, head of Morpho, stated that April could be the month with the most hacker attacks in DeFi history, and regulators are conducting more due diligence on the security of collateralized assets.

According to CoinDesk, Ripple announced on Monday that it will share its internal intelligence on North Korean hackers with the cryptocurrency industry threat intelligence sharing organization Crypto ISAC to help businesses identify coordinated infiltration actions.This move comes against the backdrop of a recent shift in attack patterns faced by the cryptocurrency industry. Ripple stated, "The strongest crypto security posture is a shared posture. A threat actor who has not passed a background check at one company may submit resumes to three other companies in the same week. Without shared intelligence, each company starts from scratch."