News linked to this event type.
According to PeckShield monitoring, the Verus-Ethereum Bridge has been hacked, resulting in the loss of assets including 103.6 tBTC, 1,625 ETH, and 147,000 USDC. The hacker subsequently swapped the stolen assets for approximately 5,402.4 ETH. The attacker's address received an initial 1 ETH approximately 14 hours ago via the mixing protocol Tornado Cash.
: On-chain analyst Tom Wan stated on platform X that the current ETH utilization rate has dropped below 90%, and the lending APY has fallen to 1.9%. Since the rsETH LayerZero cross-chain bridge was attacked, the deposits of wstETH and weETH have decreased by approximately $1.2 billion and $1.76 billion, respectively. As the strategy of leveraged looping wstETH/weETH against ETH becomes profitable again, market attention is turning to whether demand for ETH leveraged loops will return, or if capital will continue to wait on the sidelines or flow into protocols like Spark and Morpho.
Odaily News: Blockaid posted on platform X, stating that its vulnerability detection system has discovered an attack on the Verus Ethereum cross-chain bridge, which has so far caused losses of approximately $11.58 million.
on-chain analyst Specter stated that the hijacking incidents of investor Keith Gill, Matt Furie, and WinRAR accounts on the X platform are all linked to the same hacker organization. This organization has accumulated over $14 million in profits by hijacking accounts to promote tokens and conducting cross-chain money laundering, with funds flowing through five chains: Solana, BNB Chain, Ethereum, Tron, and Hyperliquid.Specter claims the organization may also be connected to a $2.45 million wstETH phishing attack in 2024. The investigation found that hackers used compromised accounts to issue Pepe imitation tokens, incorporating a built-in 2% automatic fee mechanism to generate profits; related fund flows are associated with the bnbshare.fun platform and multiple Solana, Tron, and Ethereum addresses. Analysis also showed that several tokens (including USOR, VDOR, DROID, WCOR, UGOR) were used to inflate market caps before being dumped to zero.
Open-source data visualization tool Grafana announced on X that it recently discovered an unauthorized attacker had obtained a token granting access to Grafana Labs’ GitHub environment and used it to download code repositories. An investigation confirmed that no customer data or personal information was compromised, and no impact was found on customer systems or business operations. Forensic analysis was initiated immediately following the incident, and the source of the credential leak has been identified. Additional security measures have also been deployed to strengthen environmental protections. Additionally, Grafana disclosed that the attacker attempted to extort payment via ransomware to prevent public disclosure of the code repositories; however, the company ultimately decided not to pay the ransom. More details from the post-incident review will be shared after the investigation concludes.
Odaily News: THORChain officially stated that a large number of fake accounts and false information have been spotted on the market, involving activities such as "refunds," "airdrops," and "compensation." Preliminary investigations indicate that user funds were not compromised in the previous security incident. No refund, airdrop, or compensation plan has been initiated. Any accounts claiming otherwise are imposters or are disseminating false information. Further investigation progress and additional details will be announced subsequently.
Odaily Odaily, THORChain posted on platform X that its developers have released an incident update on Discord. Current evidence points to a node thor16uc...cn84q, which recently joined the network, as being associated with the attack. This node is operated by a single malicious actor. The primary hypothesis is that the attacker exploited a vulnerability in the GG20 TSS implementation, causing sensitive key material of vault participants to leak over time. This ultimately enabled the reconstruction of the vault's private key and the execution of unauthorized outgoing transactions.Regarding network status, the network has been paused after multiple node operators executed `make pause`. RUNE transfers and on-chain observation may resume within approximately 12 hours, but transactions, LP operations, signing, and other sensitive operations remain paused.Discussed recovery plans include slashing the affected node's bond, covering losses with protocol-owned liquidity (POL), or other community-driven solutions. THORSec and Outrider Analytics are continuing their investigation. The Treasury is gathering forensic data and coordinating with relevant law enforcement agencies. Full functional recovery is expected to take several days or longer.
According to a research report released by Binance Research, approximately 11% of illicit cryptocurrency transaction volume was seized in 2025—55 times the global fiat recovery rate (less than 1%). Even after excluding the single Prince Group case involving roughly $15 billion worth of BTC, the remaining seized amount still stands at about 10 times the fiat baseline. Data from on-chain security firms SlowMist and PeckShield shows that between 8.3% and 13.2% of stolen funds were recovered or frozen in 2025, reflecting continuously improving collaboration efficiency among exchanges, stablecoin issuers, and law enforcement agencies. Binance Research notes that blockchain’s inherent transparency is being fully leveraged by regulators and investigators, and the notion that “cryptocurrency is a breeding ground for illicit activity” is gradually becoming an outdated misconception.
Odaily Chainalysis posted on X platform, stating that prior to the THORChain theft, wallets suspected to be linked to the attacker had been transferring funds through Monero, Hyperliquid, and THORChain for several consecutive weeks. As early as late April, the attacker-associated wallets deposited funds into Hyperliquid positions via Hyperliquid and the Monero privacy bridge. These funds were subsequently converted to USDC and transferred to Arbitrum, then bridged to Ethereum. Some of the ETH was then moved to THORChain to stake as RUNE for a newly joined node, which is believed to be the source of the attack.Subsequently, the attacker bridged a portion of the RUNE back to Ethereum and split it into four chains. One chain went directly to the attacker, passing through intermediate wallets before transferring 8 ETH to the wallet that would ultimately receive the stolen funds, just 43 minutes before the attack. The funds from the other three chains flowed in reverse. Between May 14 and 15, these wallets bridged the ETH back to Arbitrum again, deposited it into Hyperliquid, and transferred it into Monero via the same privacy bridge, with the final transaction occurring less than 5 hours before the attack commenced. As of Friday afternoon, the stolen funds remain untouched, but the attacker has demonstrated sophisticated cross-chain money laundering capabilities. The Hyperliquid to Monero path may be the next move.
following the $292 million exploit of Kelp DAO's LayerZero bridge, the security of cross-chain infrastructure has once again come under scrutiny. DeFi protocols Kelp DAO, Solv Protocol, Re, and crypto exchange Kraken have all taken similar migration measures, with the total value of this outflow reaching approximately $4 billion.Decentralized finance protocol Lombard has become the latest project to join the migration wave, announcing a gradual phase-out of LayerZero and the migration of over $1 billion in Bitcoin collateral assets to Chainlink's Cross-Chain Interoperability Protocol (CCIP). Bitcoin-related tokens issued by Lombard include LBTC and BTC.b. It is reported that Lombard's initial migration assets cover the Solana, Etherlink, Berachain, Corn, and TAC chains, while the use of LayerZero on Morph and Swell will also be terminated. As of now, LayerZero has not responded to requests for comment. (CoinDesk)
Euler Finance announced it will take over the maintenance and operation of the Euler contract stack known as Mewler under HypurrFi on the Hyperliquid EVM. The relevant infrastructure is undergoing a smooth transition, with Clearstar Labs continuing to serve as the risk manager for the Prime, Yield, and Earn vaults. HypurrFi Scale and Pooled Markets are scheduled to gradually wind down and undergo orderly liquidation over the coming weeks. However, all existing markets remain solvent and fully operational, with no security vulnerabilities or emergency parameter adjustments.During the migration process, new borrowing functionality for some Pooled assets has been frozen, but HYPE, USDC, and USDT0 can still be used for liquidity provision to allow borrowers to gradually unwind their positions. Euler emphasized that its isolated lending architecture on HyperEVM will continue to serve as core infrastructure, jointly maintained by Euler and Clearstar Labs.The HypurrFi team stated that user deposits, positions, and collateral assets remain fully secure. This adjustment is an active strategic migration, not a security incident or protocol failure. According to the plan, Euler Prime and Yield markets will become the primary entry points for lending and yield markets on HyperEVM moving forward. The HypurrFi brand will be gradually phased out, with related support services closing after May 28. Full market liquidation is expected to be completed by July 15, 2026.HypurrFi also reminded users to be aware of risks and fraudulent links during the migration process, to operate only through official channels, and to use the built-in migration tools to transfer Pooled positions to Euler Prime or Yield markets.
According to Odaily, THORChain has issued an emergency announcement stating that after discovering a suspected breach of an Asgard vault, the network has suspended trading operations to respond to the security incident. Preliminary information indicates that user funds remain unaffected, with losses primarily concentrated on the protocol's own capital.The official statement noted that the system automatically detected anomalous behavior and halted signing operations, thereby alerting the community and preventing further asset outflow. The investigation is currently ongoing to determine the root cause of the vulnerability and the full scope of the impact.Known information indicates that this incident involves one of the six Asgard vaults, with estimated losses of approximately $10.7 million. Meanwhile, staked RUNE on the affected nodes has been slashed due to a penalty mechanism triggered by unauthorized outgoing transactions. The network has paused churn operations and delayed the launch of new chains and related features until system stability is restored.THORChain stated that no user cross-chain transactions have been affected so far and has requested node operators to thoroughly inspect their infrastructure, secure key management, and anomalous behavior, and to submit relevant logs to assist the investigation.
on-chain detective ZachXBT stated that the hacker "Dritan Kapplani Jr" transferred approximately $2.59 million in assets today, including 1.99 million DAI and 259 ETH. The funds were moved from address 0x4487...bba6 to address 0x67ec...125d. The stolen funds currently remain dormant.ZachXBT stated that on May 12, they published an investigation detailing the connection between Dritan Kapplani Jr and Trenton (Trent) Johnson in a social engineering theft involving 185 Bitcoin (approximately $13 million).
in April 2026, two major DeFi attacks on Drift Protocol and Kelp DAO resulted in losses of nearly $600 million, triggering approximately $9 billion in capital outflows from protocols like Aave. TRM Labs investigator Nick Carlsen stated that a hacker group suspected to be linked to North Korea has allegedly used AI to assist in target selection and attack path design. Failsafe CEO Aneirin Flynn said that AI has compressed the time for discovering blockchain vulnerabilities from months to days or even hours. The report noted that Anthropic has not fully opened its AI model Mythos due to cybersecurity risks, claiming the model has the capability to discover large-scale zero-day vulnerabilities. Its research indicates that over half of blockchain attacks in 2025 could theoretically be completed autonomously by AI. (Bloomberg)
According to on-chain analyst PeckShield (@PeckShieldAlert), THORChain has been hacked, resulting in losses of approximately $10 million in crypto assets, including 36.75 BTC (around $3 million) and roughly $7 million in assets from BNB Chain, Ethereum, and Base.
On-chain investigator ZachXBT stated that THORChain appears to have been attacked on the Bitcoin, Ethereum, BSC, and Base networks, resulting in losses exceeding $7.4 million.
According to on-chain detective ZachXBT, THORChain has suffered an attack across multiple chains, resulting in losses exceeding $7.4 million.
According to Cointelegraph, privacy-focused messaging app Signal stated it may exit the Canadian market if required to comply with Canada’s proposed lawful access bill, Bill C-22. Udbhav Tiwari, Signal’s Vice President of Strategy and Global Affairs, said the bill could compel service providers to build technical surveillance capabilities and retain certain user metadata for up to one year—potentially undermining end-to-end encryption and increasing the risk of cyberattacks. The report notes that Bill C-22 has not yet entered into force and still requires parliamentary review and royal assent. In addition to Signal, VPN provider Windscribe has also indicated it may follow suit and withdraw from Canada if the bill is passed.
OpenAI has confirmed a supply chain attack targeting a malicious TanStack NPM package in its internal environment, infecting two employees' devices. While user data and core code were not affected, the attackers stole access credentials for some internal code repositories, including code signing certificates used for iOS, macOS, and Windows products.To prevent hackers from exploiting the stolen certificates to distribute counterfeit applications, OpenAI has initiated defensive certificate rotation and announced that all macOS users of ChatGPT desktop, Codex, and Atlas browsers must upgrade to the latest version by June 12, 2026. After this deadline, old certificates will be revoked, and system-level blocks will prevent the launch of older versions and new installations.OpenAI stated that the company had previously deployed stricter code package blocking policies, but the infected devices had not yet synchronized the latest configuration, allowing the malicious component to successfully infiltrate. Currently, the iOS and Windows clients are unaffected, and core data such as user account passwords and API keys have been confirmed secure.
SlowMist’s Yu Xian stated that some in-the-wild attack samples have been obtained. It is currently confirmed that the attacks primarily target iPhones running older versions of iOS, Safari browsers, and users holding cryptocurrency wallets. He noted that malicious JavaScript exploit code may be embedded in fake websites—such as those impersonating adult live-streaming platforms, TRON energy stations, refund procedures, or vulnerability alerts. If users of older iPhone models open such websites using Safari and leave them open, while simultaneously unlocking their wallet apps in preparation for use, their plaintext private keys could be stolen.