incident

According to the Korea Herald, the five major virtual asset trading platforms in South Korea (Upbit, Bithumb, Coinone, Korbit, Gopax) have experienced a total of 57 hacking and system failure incidents over the past six years (from 2020 to April 2026), with a total compensation amount of approximately 7 billion Korean won (about 5.1 million USD). By exchange, the number of incidents is as follows: Upbit 26 incidents, Bithumb 14 incidents, Gopax 8 incidents, Coinone 6 incidents, Korbit 3 incidents.Among them, Bithumb compensated approximately 2.5 billion Korean won (about 1.8 million USD) for the BTC misissue incident in February this year, Upbit compensated approximately 790 million Korean won (about 570,000 USD) for a hacking incident in November 2025, and compensated approximately 3.2 billion Korean won (about 2.3 million USD) for a system incident on December 3, 2024. It is worth noting that the standards for compiling incident reports by exchanges and the scale and form of compensation vary. For example, Gopax counts errors that occur when viewing the asset list as system failures, while Bithumb only counts situations where all customers encounter difficulties using core services for more than 10 minutes as system failures.In addition, Bithumb also provided some applicants who suffered losses due to system failures with free fee vouchers instead of cash compensation. The compensation amounts for system failures are as follows: Upbit approximately 3.21 billion Korean won, Bithumb approximately 3.2 billion Korean won, Coinone approximately 49 million Korean won. Korbit and Gopax did not provide any compensation.

Dragonfly Managing Partner Haseeb published a statement regarding the recently patched Zcash vulnerability, indicating that there are many misunderstandings in the market about this event. He pointed out that even if the vulnerability had been exploited before it was fixed, attackers could only profit by faking ZEC in the privacy pool, and these tokens must first be converted from a privacy address to a transparent address to enter mainstream trading platforms.Since the supply of ZEC in transparent addresses can be publicly verified, any abnormal transfers exceeding the maximum supply will be detected and blocked, so the vast majority of investors holding transparent ZEC and exchange users will not be affected.Haseeb stated that the Zcash team plans to introduce a new "Turnstile" mechanism and a brand new privacy pool in future upgrades to verify that there is no inflation issue in the current privacy pool. He also mentioned that formally verified cryptographic systems can reduce implementation errors from a design perspective. Haseeb finally disclosed that Dragonfly still holds ZEC, and he is also a ZODL investor.

Slow Fog's Yuxian stated on platform X that incidents of search engine poisoning involving fake Codex, Claude Code, and others have recently surged. It mentioned that it has previously warned multiple times about Google search results and its own services like Google Sites being exploited by black and gray market poisoning, but Google has not taken action against such obvious poisoning methods.

The prediction market platform Polymarket believes that its competitor Kalshi may be engaging in corporate espionage against its New York office and employees. Polymarket's marketing director confirmed that the company is conducting an internal investigation and stated that "there are too many coincidences," suspecting that Kalshi has malicious intentions.Reports indicate that Polymarket has compiled an internal dossier titled "Imitators," documenting about a dozen suspicious incidents. These include Polymarket's original plan to launch a free grocery flash event on February 12, while Kalshi launched a similar event about 9 days earlier; additionally, Polymarket was set to announce its perpetual contract product plan on April 21, but about 1 hour before the announcement, the tech media The Information reported that Kalshi was also preparing to launch a similar product.Polymarket employees are also concerned that the venture capital firm Paradigm, which supports Kalshi, has an office directly across from theirs, posing a risk of employees' computer screens being spied on. It is reported that Polymarket installed privacy film on some office windows this spring.In response, a Kalshi spokesperson denied all allegations, stating that Polymarket's suspicions are "sad and almost delusional."

The edgeX official report on the abnormal price fluctuations of the EDGE token states that the EDGE price once dropped from approximately $1.12 to about $0.32 within about 1 hour, during a period of weak liquidity, due to concentrated sell-offs from multiple addresses combined with high-leverage long liquidations and flash crashes triggered by CEX interactions. There were no changes to the team address during this period.edgeX stated that it will strengthen market making and liquidity, and set up a reward of 200,000 USDC on-chain to trace the addresses associated with the attack. At the same time, for users who incurred actual realized losses due to long positions in EDGE being liquidated or triggering stop-losses on edgeX Perp V1/V2 within a specified time window, the platform will provide goodwill compensation based on the actual loss amount, with a limit of 100,000 USDC per person, of which 50% will be distributed in USDC within 7 days after review, and 50% will be distributed in EDGE based on the 7-day TWAP in the first week of April 2027.

Coinbase released a retrospective report on the large-scale service interruption event on May 7, 2026.The outage lasted approximately 8 hours, with full recovery taking about 12 hours. During this time, trading, deposits, withdrawals, and most core services were unavailable or severely degraded. Coinbase stated that the outage was caused by multiple cooling units failing simultaneously in the cooling system of a data center in one availability zone (use1-az4) in the AWS us-east-1 region, triggering cabinet thermal protection shutdowns, which led to EC2 instances and EBS volumes going offline, affecting multiple internet services.During the recovery process, the Coinbase trading matching engine lost quorum due to the cluster architecture deployed in a single AWS data center losing most nodes. It required urgent code adjustments and the reconstruction of a new node group to restore operation, gradually restarting market trading during the recovery.Additionally, the AWS-managed Kafka (MSK) service experienced control plane failures, preventing the automatic re-election of partition leaders, further blocking quotes, fees, and some settlement and data flow systems, which expanded the overall impact.After manual partition migration in collaboration with the AWS engineering team, the system gradually returned to normal. Coinbase stated that this incident exposed its shortcomings in cross-availability zone automatic switching capabilities and disaster recovery for managed middleware. The company will upgrade its cross-region hot backup architecture, strengthen regular failure drills, and migrate the Kafka system from dual availability zones to a three availability zone deployment, while also working with AWS to advance root cause fixes and improvements.

Zama protocol founder Rand posted on the X platform that, with the assistance of on-chain detective ZachXBT, the root cause of the cUSDC contract freeze has been identified. This freeze was caused by a court-issued injunction against addresses related to the Overnight Finance hacker, which had deposited approximately $12.5 million USDC into the cUSDC contract, accounting for over 99% of the funds within the contract, leading to the entire contract being frozen.Rand emphasized that this freeze is unrelated to the protocol itself or privacy technology, and it is not a sanction against Zama, but rather a typical DeFi judicial restriction scenario. The project adheres to compliance and privacy principles, not confusing the parties involved in transactions, only hiding balances and amounts. Currently, Zama is communicating with multiple parties to advance a resolution, has suspended the cUSDC, cUSDT, and cWETH contracts, and will restore them after completing the investigation and handling of the involved addresses, and will release a detailed review report as soon as possible.

Regarding the incident "DxSale accused of using a backdoor to withdraw $7.3 million in liquidity funds," the security company GoPlus stated that the attack may have been an inside job, and there is still $15.5 million in funds and LP urgently needing rescue. GoPlus recommends that the project team immediately check whether their project LP is locked in the contracts 0xEb3a9C56, 0x81E0eF68, 0x2D045410, 0x5b5e9448, and if so, take immediate measures to withdraw. Since the initial funding source was Bybit, KYC tracing is recommended; the final withdrawal channels are multiple Binance addresses, and it is suggested that the relevant security teams submit on-chain evidence to apply for freezing the attacker's address.GoPlus calls on the project to strengthen security mechanisms, stating that critical admin functions must have a time lock, and Owner permissions must use multi-signature. GoPlus emphasizes that as of now, DxSale has not issued any public incident response statement, and its silence is also worth noting.

SUPERFORTUNE AI posted on platform X that the team is investigating the GUA security incident that occurred on May 27. This incident caused severe fluctuations in token prices, and preliminary investigations indicate that the incident may involve address tampering in a multi-signature transaction.The announcement stated that the plan was to send additional unlocked tokens to the airdrop claim contract address, but during the execution of the transaction, the funds were mistakenly sent to another hacker address. The team noted that this hacker address had never interacted with any addresses related to SUPERFORTUNE before, so the likelihood of an "address poisoning attack" as a method of attack is low. Additionally, SUPERFORTUNE stated that its internal processes already include a multi-address verification mechanism, and the team is still continuing to investigate the incident and will update the community on the latest developments.

Stake DAO posted on platform X in response to the security incident, stating that its team is aware of the current security event and advises against interacting with vsdCRV.Previously, an anomaly occurred with contracts related to Stake DAO on Arbitrum, resulting in the minting of 54 trillion vsdCRV. The security team has classified this as a suspected infinite minting exploit.

According to The Block, since the KelpDAO cross-chain bridge attack in mid-April, the total value locked (TVL) in DeFi has decreased by about 14%, from approximately $172 billion to $148 billion. The attackers exploited vulnerabilities in off-chain infrastructure rather than smart contract vulnerabilities, stealing about $292 million and exposing new infrastructure risks.The outflow of funds has continued for more than five weeks, indicating that investors are broadly withdrawing marginal capital rather than just targeting specific protocols that were attacked. Lending, as the largest DeFi category, saw its locked amount decrease from about $53 billion to $40 billion, marking the largest decline. Liquidity re-staking protocols also experienced significant drops. The KelpDAO attack indicates that as the security of smart contracts improves, off-chain infrastructure is becoming a more easily exploitable attack surface.

Tether-supported mobile wallet Oobit clarified in a post on platform X that previously, after "on-chain detective" ZachXBT disclosed that the stablecoin issuer StablR's two smart contracts (EURR and USDR) suffered a vulnerability attack of approximately $13.5 million, related funds attempted to exit through Oobit. However, its compliance team identified the abnormal behavior and successfully froze EURR funds worth six figures, while also closing the exit channel. This incident did not affect any user funds, and Oobit's own system was not breached. They are currently cooperating with StablR and investigators to advance subsequent handling.Earlier reports indicated that StablR suffered a loss of approximately $28 million due to a hacker attack, with both EURR and USDR losing their peg.

The founder of Slow Fog, Yu Xian, posted on the X platform to interpret the Squid security incident. He stated that sampling found that the related Safe wallets were all single-signature, and the owners were all different, but the issue was not with the private keys; the problem lay in the modules (SquidRouterModule) used by these Safe addresses, which had vulnerabilities. Attackers could forge messages, easily bypass relevant validations, and initiate subsequent exchange operations to transfer funds from the target Safe wallet. In addition, Yu Xian also disclosed information about the address where the attackers' profits were deposited.Previously, it was reported that a third-party Gnosis Safe module was exploited on Base and Ethereum, resulting in a loss of approximately $3.2 million, with the victims being 86 Gnosis Safes that had added this contract as a trusted Safe Module. The contract was named "SquidRouterModule" on Basescan, and subsequently, Squid clarified that it was not affected by the Gnosis Safe-related vulnerability incident.

According to Cointelegraph, Bitcoin journalist Joe Nakamoto stated that approximately 70% of violent kidnapping incidents (wrench attacks) targeting cryptocurrency holders and their families occur in France. Since 2026, there have been 41 cryptocurrency-related kidnappings in France, averaging one every two and a half days.Nakamoto attributes this to the centralized storage of KYC (Know Your Customer) data. In the 2020 data breach incident involving hardware wallet manufacturer Ledger, the personal information, home addresses, and emails of over 270,000 users were exposed, providing criminals with precise attack targets. Casa CEO Jameson Lopp stated, "France is the canary in the coal mine, revealing how the surveillance system built by financial regulation can directly harm Bitcoin holders."In response to such threats, industry experts recommend that holders use custodial services with security features that can trigger asset freezes and notify law enforcement in the event of an attack; they also suggest preparing a "decoy" wallet with a small amount of funds and maintaining a low profile in public to avoid exposing holding information.

According to Polymarket's Vice President of Engineering Josh Stevens, with the assistance of ZachXBT, BitcoinVN, and ChangeNOW, $164,000 in funds have been frozen in the Polymarket private key leak incident, accounting for approximately 28.6% of the total amount transferred, which is $573,200. Josh stated that this incident did not affect Polymarket or the UMA smart contract, user funds are safe, and the platform is operating normally. Investigations show that the incident originated from a private key that had existed for about 6 years, which was used for internal recharge configuration, leading to funds being continuously sent to the affected address. The relevant team is continuing to track the flow of the remaining stolen funds.

Bitcoin mining company MARA Holdings allocated approximately $4.3 million for CEO Fred Thiel's personal security expenses in fiscal year 2025, which includes $430,780 for vehicle bulletproof modifications, as well as expenses for bodyguards and residential security facilities. According to documents submitted to the U.S. SEC, MARA also provided approximately $3.9 million in security expenses for CFO Salman Khan, including $438,380 for vehicle bulletproof costs.Reports indicate that as incidents of "ransom attacks" targeting executives and investors in the crypto industry increase, crypto companies are significantly ramping up their investment in executive physical security. The so-called "ransom attack" typically refers to forcing victims to hand over private keys or account access through kidnapping, violence, or coercion. Data shows that in 2025, there were 72 confirmed incidents of crypto-related entity coercion globally, a year-on-year increase of 75%. Among these, France recorded 19 incidents, the highest in the world.

Polymarket staff Shantikiran Chanal posted on platform X that they have noted a security report related to reward distribution, and user funds and market settlements are in a secure state. The investigation points to a wallet used for internal operations experiencing a private key leak, rather than an issue with the contract or core infrastructure. More updates will be released later.Previously, ZachXBT stated that the Polymarket UMA CTF Adapter contract was suspected to have been attacked on Polygon, with over $520,000 currently leaked.

THORChain has released its fourth update regarding the attack incident on May 15, and the proposal ADR028 has been announced, with voting for node operators now open.According to the recovery plan, the protocol will first absorb losses through its own liquidity, with the remaining portion to be shared by synthetic asset holders; the specific distribution ratio of the two is still under evaluation. The protocol's own liquidity will be reduced to zero, and will be gradually replenished through system revenue. This plan will not issue or sell RUNE, nor will it dilute any holders.On the technical side, GG20 will be temporarily retained and has completed patch upgrades. Trading will resume after the vulnerabilities are fixed and node rotation is successfully conducted, with a future release pace that is slower and more security-conscious. Innocent nodes located in the same vault as the attacker will be protected, while the attacker nodes will be fully confiscated. The recovered RUNE will be paired with the recovered assets, and any excess will be destroyed.The protocol also offers a white hat bounty to the attacker to recover funds; if some are returned, the recovery plan will be adjusted proportionally. THORChain remains neutral and permissionless, and there will be no review of the attacker's Swap transactions after trading resumes. Node operators are currently voting on the proposal direction, and the numbers in the ADR are only indicative, with adjustments to be made through Mimir later.

LayerZero Labs released a report on the KelpDAO attack incident, confirming that the KelpDAO rsETH cross-chain bridge built on its cross-chain communication protocol was attacked, resulting in the theft of approximately 116,500 rsETH (about $292 million). Several security agencies, including Mandiant, CrowdStrike, and independent researchers, attributed the attack to the North Korean-related hacker group TraderTraitor (UNC4899).The report indicates that the attack began on March 6, 2026, when the attackers used social engineering techniques to compromise a LayerZero developer account, obtain session keys, and infiltrate the RPC cloud environment, further contaminating internal RPC node data and manipulating return results to deceive monitoring systems and the decentralized verification network (DVN).LayerZero Labs officially announced that it will adjust its security strategy, including no longer allowing its DVN to act as the sole signer in a single validation configuration, while also rebuilding the affected cloud infrastructure and introducing short-term credentials, instant permission upgrades, and multi-party approval mechanisms to enhance security.