stolen

According to the "Procuratorial Daily," Lin, Zeng, and Dai conspired to use virtual currency trading as a pretext. During the trading process, they secretly filmed the victim's digital wallet private key and, after the virtual currency was credited, secretly logged into the victim's wallet to reverse the transaction, transferring the related virtual currency back to their controlled accounts. The three committed the crime three times, causing the victim a total economic loss of 660,000 yuan.The first-instance court held that in the absence of a clear judicial interpretation regarding the valuation method of virtual currency and sentencing standards, it was inappropriate to directly determine the amount involved as particularly huge based on the victim's purchase amount of 660,000 yuan. Therefore, they sentenced the three based on "other serious circumstances," imposing prison terms ranging from eight years to five years and six months, along with fines. The Hanyang District Procuratorate of Wuhan City in Hubei Province subsequently filed an appeal, which was supported by the Wuhan City Procuratorate.The prosecution argued that the first-instance court applied the law incorrectly and imposed an excessively light sentence. Prosecutor Dai Wentao of the Wuhan City Procuratorate stated that in the case where the victim had a clear loss amount to refer to, it was contradictory and legally erroneous to claim that the value of virtual currency could not be determined. In judicial practice, using the resale price and transaction price as the basis for determining the amount of theft has become mainstream, and determining the value of virtual currency based on the actual cost paid by the victim has factual, legal, and practical basis.The Intermediate Court of Wuhan accepted the prosecution's opinion in the second instance, revoked the corresponding content of the original judgment, and changed the determination of the theft amount to particularly huge. It sentenced the principal offender Lin to ten years and six months in prison for theft, and sentenced the accomplices Zeng and Dai to eight years in prison each, along with fines.

SlowMist has issued a security alert, detecting an active npm supply chain attack targeting @redhat-cloud-services related packages. Currently, over 31 packages have been confirmed affected, with a weekly download volume of approximately 116,000 times, and stolen credentials exist in more than 300 GitHub repositories. This attack method is highly similar to the previous "Shai-Hulud" npm attack, including credential theft, creation of malicious repositories, and automated secret leakage. New suspicious repositories continue to emerge, indicating that the attack is still ongoing, and developers are still being continuously infected.Potential harms include: theft of GitHub/npm tokens, leakage of AWS/GCP/Azure cloud credentials, collection of SSH keys and Kubernetes secrets, leakage of local environment and wallet data, creation of malicious repositories and persistence operations, and even potentially destructive actions after tokens are revoked. It is recommended to immediately remove or downgrade affected @redhat-cloud-services package versions, conduct a comprehensive audit of CI/CD workflows and dependency installations, rotate all GitHub, npm, cloud service, SSH, and wallet-related keys, retain logs, and rebuild exposed developer machines or Runners from clean images while maintaining a high level of vigilance.

According to The Defiant, approximately $220 million of unfrozen funds from the Kelp DAO cross-chain bridge attack has been almost entirely laundered by hackers. On-chain analyst Arkham Intelligence tracking shows that only about $1.7 million remains in the original attacker's wallet. This hacker is linked to North Korea and previously launched a $292 million cross-chain bridge attack on LayerZero in April.Funds were transferred using privacy tools such as THORChain, Wasabi, Tornado Cash, and Umbra. The approximately $71 million in Ethereum frozen by the Arbitrum security council on April 20 is currently the only recoverable portion. A report released by LayerZero on May 18 attributed the attack to the North Korean group TraderTraitor. Kelp has recovered approximately 116,000 rsETH by migrating to Chainlink CCIP and the DeFi United program, while the Aave security module absorbed about $190 million in bad debt.

According to a post by Specter, it has jointly frozen $91,000 of the stolen funds from Gravity Bridge with ChangeNOW. The attacker still holds most of the funds and has not transferred them.Previously, it was reported that the key to the Gravity Bridge bridging contract was leaked, resulting in $5.4 million in assets being stolen. The assets extracted by the attacker include: $4.3 million USDC, 274 WETH (worth approximately $553,000), $434,000 USDT, and $64,000 PAYG. The addresses involved are 0x7B58...1F9 and 0x4d3c...A47.

Blockaid disclosed on platform X that the Alephium TokenBridge Ethereum cross-chain bridge was attacked. The attacker controlled 3 out of 4 Guardian keys to forge a VAA (Verification Authorization Message) and completed the attack in about 7 minutes, stealing approximately $815,000 in assets.During the attack, the attacker minted 13.76 million Wrapped ALPH out of thin air, exceeding the circulating supply before the attack by over 100%, while also unlocking and transferring assets such as USDT, USDC, WBTC, and WETH from the custody pool.Currently, the attacker's address still holds approximately $815,000 in stolen assets and 13.76 million uncollateralized Wrapped ALPH, with the largest abnormal transaction being the minting of 13.76 million Wrapped ALPH out of thin air.

On-chain monitoring shows that the cross-chain bridge Gravity Bridge may have encountered a security incident due to a contract key leak, involving assets such as USDC, WETH, and USDT, with total losses of approximately 5.4 million dollars.

According to crypto KOL Yusuf's monitoring, yesterday the EURR and USDR contracts under the European stablecoin issuer StabIR were attacked, resulting in losses exceeding 10 million dollars.After the incident, over 100,000 dollars of stolen funds have been frozen, and the USDR and EURR have depegged by more than 20%.

The TON Network expansion project TAC has disclosed that a security incident occurred with the TON-TAC asset bridge on May 11. Four days later, approximately 80% of the affected assets have been returned. TAC today released a post-incident analysis report detailing the events. The root cause of the vulnerability was a lack of a single verification in the sorter software: the attacker deployed a counterfeit Jetton wallet on TON, and the sorter accepted the counterfeit tokens because it did not verify the code hash of the sender's wallet. The total loss was approximately $2.86 million, involving USDT, BLUM, and tsTON. Following a public appeal, about 90% of the assets were returned to the multi-signature address controlled by TAC on May 14, with the remaining 10% retained by the attacker.The cross-chain bridge remains paused, awaiting independent review of the repaired sorter software by the auditing party and TON partners. Cross-chain operations will resume once the verification of the repaired software is completed and the gap is filled with recovered assets and TAC Foundation token reserves. Due to the need for multi-party coordination, a precise timeline cannot be provided. The remaining funding gap will be filled by the TAC Foundation treasury, ensuring that users and protocols incur no financial losses. TAC reminds users that official updates are only published through this account and Telegram, and any unsolicited "recovery" or "support" private messages are scams.

According to Slow Fog's Yu Xian monitoring, multiple user wallets of Bankr have been stolen. @bankrbot replied that the incident was a social engineering attack targeting the trust layer between automated agents, specifically involving the interaction between Grok and Bankrbot, which led to unauthorized transaction signatures.

According to monitoring by Paitun, the Adshares cross-chain bridge attacker has returned 256 ETH to the project deployer's address, worth approximately $540,700, accounting for about 86% of the previously stolen funds.Previously, the Adshares cross-chain bridge was attacked on May 17, 2026, resulting in a loss of approximately $628,000.

According to monitoring by PeckShield, Verus's Verus-Ethereum Bridge has been hacked, with lost assets including 103.6 tBTC, 1625 ETH, and 147,000 USDC. The hacker subsequently exchanged the stolen assets for approximately 5402.4 ETH. The attacker's address obtained an initial fund of 1 ETH about 14 hours ago through the mixing protocol Tornado Cash.

U.S. Judge Margaret M. Garnett in New York postponed the ruling on Aave's emergency application on Wednesday, which aims to unfreeze $71 million in ETH related to the Kelp DAO hacking incident, and requested both parties to submit supplemental briefs before the hearing on June 5. Aave is attempting to reclaim the $71 million in ETH frozen on Arbitrum to assist in the asset recovery efforts from this hacking incident—Kelp DAO suffered losses of up to $293 million from the hack, making it one of the most severe security incidents in the DeFi space this year.However, the U.S. law firm Gerstein Harrow LLP submitted a restraining order to the court in early May, claiming that its client has rights to the aforementioned funds. Aave then filed an emergency motion to lift the freeze, warning that if the funds are not released in a timely manner, it could lead to user liquidations and potentially impact the entire DeFi market. Judge Garnett noted in her ruling that Aave failed to adequately explain how user funds would incur "compound losses" if the restraining order remained in place. She also acknowledged the complexity of the case, the risks faced by the victims, and requested both parties to provide supplemental statements on six key issues, including: whether the hacking transaction is subject to New York state sanctuary principles, the legal distinctions between fraud and theft and what rights the hacker has over the stolen assets, which laws apply to determine the priority of claims for frozen assets, whether constructive trusts are an appropriate remedy, and whether Aave or Arbitrum can identify individual victims and proportionally return assets. Both parties must submit supplemental briefs by May 22.Meanwhile, the overall compensation work for Kelp DAO is progressing. Kelp and Aave announced on Tuesday that the rsETH held by the hacker has been destroyed on Arbitrum, and approximately $278 million in loss tokens will be restored within the next two weeks through the funds of the Aave Recovery Guardian multi-signature wallet. Once the relevant smart contracts are reactivated, all functions of rsETH will return to normal.

According to Huma Finance's official disclosure, its old V1 contract on Polygon was exploited, resulting in approximately 101,400 USDC being transferred out. The project team stated that this incident did not affect user fund security, and Huma Finance PST was not impacted. Its V2 system on Solana is a completely restructured version and is not affected by the vulnerability.Huma stated that the team had previously been working on gradually phasing out the V1 liquidity pool, and has now fully suspended all V1 related contracts, and will continue to handle the subsequent wrap-up work.

TrustedVolumes confirmed on platform X that it has been attacked, disclosing that the stolen funds are currently stored in three addresses, totaling approximately 6.7 million USD. Two of the addresses hold about 3 million USD in assets each, while the other address holds about 700,000 USD in assets. At the same time, TrustedVolumes expressed its willingness to engage in constructive communication with the attacker regarding a bounty for the vulnerability and a mutually acceptable solution.

According to market news, an anonymous crypto whale residing in Puerto Rico has sued Coinbase, accusing the exchange of refusing to return funds stolen in a 2024 hacking incident.The lawsuit is highly similar to a security breach in August 2024, when a crypto user lost over $55 million in DAI stablecoins after falling victim to a phishing attack. The plaintiff claims to have hired several on-chain investigation firms to trace the stolen funds, which were tracked to a Coinbase account. Coinbase confirmed in early December 2024 that it had locked the relevant funds but froze them pending investigation. However, a year and a half later, Coinbase has still not returned the funds, claiming that a court order is needed to release them.The attack was initially identified by on-chain detective ZachXBT, who reported that the hacker created a fake DeFi Saver login page using the "Inferno Drainer" platform, leading the victim to mistakenly hand over control of their wallet to the attacker.

According to on-chain analyst Specter, the attacker of the Wasabi protocol has transferred all stolen funds into Tornado Cash, completing a centralized mixing operation of approximately $5.9 million in assets.On-chain analysis shows that this attacker and a suspected North Korean-related hacker organization (DPRK) have recently continued to use Tornado Cash to launder stolen funds, including those from KelpDAO and LayerZero, exhibiting a multi-stage complex flow of funds.A typical money laundering path includes: funds first entering the Wasabi Mixer for initial mixing and withdrawal, then cross-chain flowing back to Ethereum, re-entering Tornado Cash for deep mixing, withdrawing to a new wallet, and dispersing to multiple addresses. New tokens are deployed in the new wallets, liquidity is guided to buy and extract liquidity assets, and then cross-chain to the Tron (USDT) system, where funds briefly stay before flowing to OTC-related wallets. On-chain security analysis indicates that this model has become a high-frequency attack money laundering template recently, presenting a combination structure of "mixing + cross-chain + tokenization + OTC exit."Industry security personnel remind that such attacks have shifted from simple theft to systematic engineered money laundering paths, significantly increasing the difficulty of tracking.

According to official news, a recent agreement was attacked due to a lack of verification mechanisms, resulting in approximately 11 BTC being stolen, mainly involving altcoin trading. The attackers exploited a negative miner fee vulnerability to transfer funds to their own accounts through multi-signature transactions.Currently, Bisq is discussing compensation plans, and victims can choose compensation in Bitcoin or BSQ tokens, but it must be implemented after a DAO vote, which is expected to be determined after the DAO cycle ends on May 25.Bisq stated that the vulnerability has been fixed and plans to release a patch update while strengthening the security review of the codebase, focusing on preventing vulnerabilities that may affect wallets. In addition, Bisq reminds users to temporarily reduce the amount of BTC stored in their wallets. The officials believe that although this incident is serious, it is controllable, and they hope to provide a security warning for other projects.

In less than three weeks, 12 agreements were stolen for over $606 million. Among them, the Drift incident resulted in a loss of $285 million, and Kelp DAO suffered a loss of $292 million, with the two attacks accounting for approximately 95% of the total losses.

According to the latest report from TRM Labs, North Korean hackers stole nearly $600 million worth of cryptocurrency in the attacks on Drift Protocol and Kelp DAO, accounting for 76% of the total losses. TRM Labs estimates that since 2017, hackers associated with North Korea have stolen over $6 billion from cryptocurrency protocols and projects.The report shows that the share of losses caused by North Korean hackers in global cryptocurrency hacking attack losses has increased from less than 10% in 2020 and 2021 to 22% in 2022, 37% in 2023, 39% in 2024, and 64% in 2025.

According to monitoring by blockchain security firm CertiK, the Wasabi Protocol has experienced a security breach, with approximately $2.9 million in funds stolen. Preliminary investigations indicate that the attacker gained privileged roles after compromising the wallet deployed by Wasabi, subsequently carrying out the attack.The stolen funds are currently dispersed across the following addresses: 0xb8Bb...70dB (approximately $677,000) and 0x6244...f906 (approximately $1.1 million), and the incident is still under investigation.