News linked to this event type.
According to a research report released by cybersecurity firm Expel, the company is tracking an advanced persistent threat (APT) group dubbed “HexagonalRodent,” which it assesses with high confidence to be a North Korean (DPRK) state-sponsored actor. This group primarily targets Web3 developers and specializes in stealing high-value digital assets, including cryptocurrencies and NFTs. In the first quarter of 2026 alone, the group compromised 2,726 developer devices and stole access credentials for 26,584 cryptocurrency wallets, with the total value of stolen assets reaching as high as $12 million. The group primarily carries out its attacks via fake job postings: it publishes lucrative positions on LinkedIn and Web3 recruitment platforms to lure job seekers into completing “skills assessments” embedded with malicious code. These assessments exploit VSCode’s tasks.json functionality to automatically execute malware when victims open the project folder. The malware used includes BeaverTail, OtterCookie, and InvisibleFerret, all of which possess capabilities such as password theft, remote control, and reverse shell execution. Notably, the group extensively leverages generative AI tools, including ChatGPT and Cursor, to develop malware, build counterfeit corporate websites, and generate AI-forged executive teams. It even registered a shell company in Mexico to enhance the credibility of its operations. Additionally, the group recently carried out its first-ever supply-chain attack, successfully infiltrating a VSCode extension.
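A pre-open check for the tasks.json behaviour described above, as an added example that is not taken from the Expel report: it walks a downloaded project and lists every task configured to start when the folder is opened. The report summary does not name the setting; the `runOptions.runOn: "folderOpen"` key comes from VS Code's task schema, and the sample repository, labels and commands are constructed.

```python
import json
import re
import tempfile
from pathlib import Path

# A string literal, a // line comment, or a /* block comment */ (tasks.json is JSONC).
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)

def strip_jsonc(text):
    """Drop comments but keep string literals, then drop trailing commas."""
    text = _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", text)
    # Simplification: a ",}" sequence inside a string value would also be altered.
    return re.sub(r",(\s*[}\]])", r"\1", text)

def find_auto_tasks(root):
    """Return (file, label, command) for each task set to run on folder open."""
    hits = []
    for path in sorted(Path(root).rglob(".vscode/tasks.json")):
        try:
            doc = json.loads(strip_jsonc(path.read_text(encoding="utf-8")))
        except (OSError, ValueError):
            hits.append((str(path), "<unparseable>", ""))  # inspect by hand
            continue
        tasks = doc.get("tasks") if isinstance(doc, dict) else None
        for task in tasks if isinstance(tasks, list) else []:
            opts = task.get("runOptions") if isinstance(task, dict) else None
            if isinstance(opts, dict) and opts.get("runOn") == "folderOpen":
                hits.append((str(path), task.get("label", ""), str(task.get("command", ""))))
    return hits

# Constructed sample standing in for a downloaded "skills assessment" repository.
SAMPLE = '''{
  // project tasks
  "version": "2.0.0",
  "tasks": [
    {"label": "lint", "type": "shell", "command": "npm run lint"},
    {"label": "setup", "type": "shell", "command": "node ./scripts/setup.js",
     "runOptions": {"runOn": "folderOpen"},},
  ]
}'''

def demo():
    """Write SAMPLE into a temp tree and return the (label, command) pairs flagged."""
    with tempfile.TemporaryDirectory() as d:
        vscode_dir = Path(d, "assessment", ".vscode")
        vscode_dir.mkdir(parents=True)
        (vscode_dir / "tasks.json").write_text(SAMPLE, encoding="utf-8")
        return [(label, cmd) for _, label, cmd in find_auto_tasks(d)]
```

Run `find_auto_tasks()` on a cloned repository from a terminal before opening it in the editor; any hit, or an unparseable tasks.json, is a reason to read the task's command by hand first.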
Kelp DAO released a community update on X, noting that the recent rsETH security incident has remained tense over the past several days. However, with support from partners and the broader community, discussions are progressing in a positive direction, and efforts to identify an appropriate resolution are being accelerated. The guiding principles have already been reflected in initial actions, and subsequent updates will continue along this path, aiming for a win-win outcome for all stakeholders. Over the past four days, the Kelp team has engaged in in-depth communication with partners and other relevant parties. Specific progress includes: the Arbitrum Security Council has taken measures to freeze the stolen funds, and the SEAL 911 emergency response team has swiftly stepped in to conduct preliminary investigations, providing a clear and objective analytical perspective on the incident. While some developments have not yet been fully disclosed, related work continues to advance steadily. Kelp DAO stated that its current priority is safeguarding user assets and strengthening the protocol itself. This incident is also viewed as a critical test—not only for the project but for the broader DeFi ecosystem—and key follow-up developments will continue to be shared via official channels.
According to on-chain analyst Ai Aunt (@ai_9684xtpa), the address 0xb5E…Fc24e deposited a total of 1.397 million UNI tokens—worth approximately $4.6 million—into three exchanges two hours ago. Notably, the Bybit deposit address has had multiple interactions with the DeFi crypto fund DeFiance Capital, which is an investor in both Aave and LayerZero—two entities closely linked to the recent Kelp DAO hack incident.
SlowMist CISO 23pds (@im23pds) disclosed that the Bitwarden CLI version 2026.4.0 was subjected to a Checkmarx supply-chain attack between 17:57 and 19:30 ET on April 22. During this window, attackers abused a GitHub Action within Bitwarden’s CI/CD pipeline to briefly distribute a malicious package via npm. The official statement confirmed that Vault data was not compromised and production systems remained unaffected; only users who installed this specific version via npm during the aforementioned time window were impacted. Affected users are advised to immediately uninstall version 2026.4.0, clear their npm cache, rotate sensitive credentials—including API tokens and SSH keys—investigate anomalous activity in GitHub and CI environments, and upgrade to the patched version 2026.4.1.
According to on-chain analyst Onchain Lens (@OnchainLens), the Balancer hacker’s address has reactivated after five months of dormancy, transferring 100 ETH (approximately $233,000) to a new wallet and beginning fund transfers via ThorChain. The hacker currently still holds 21,900 ETH, valued at approximately $51.13 million.
According to information on the governance forum page, Mantle plans to provide Aave with a loan of 30,000 ETH to help it address the non-performing loan risk triggered by the recent attack. According to analyst Yujin’s statistics, confirmed rescue funds now cover a shortfall of approximately 43,500 ETH.
According to Onchain Lens monitoring, the Balancer attacker, dormant for five months, has transferred 100 ETH (approximately $233,000) to a new address and begun transferring funds through Tornado Cash. The attacker currently still holds 21,900 ETH, valued at approximately $51.13 million.
According to The Block, JPMorgan analysts noted in their latest report that ongoing DeFi security vulnerabilities and stagnant growth in total value locked (TVL) continue to constrain institutional enthusiasm for the DeFi sector. Recently, Kelp DAO’s cross-chain bridge suffered a major attack, during which the attacker minted $292 million worth of uncollateralized rsETH tokens and borrowed real ETH on Aave, resulting in approximately $230 million in bad debt. This caused DeFi TVL to evaporate by roughly $20 billion within several days. LayerZero and blockchain security researchers have attributed this attack to the North Korean hacker group Lazarus Group; some of the stolen funds have been frozen, while the rest remain in circulation. Analysts also pointed out that DeFi TVL denominated in ETH has remained range-bound for an extended period, raising market concerns about whether DeFi can achieve organic growth sufficient to support institutional adoption. Furthermore, following each security incident, users tend to shift funds into USDT as a safe-haven asset—yet this trend has not yet significantly driven USDT’s market capitalization growth.
According to information from the governance forum, Bybit’s public chain Mantle plans to lend 30,000 ETH to Aave to address the bad debt risks arising from recent security incidents. According to statistics from crypto analyst Ember (@EmberCN), the confirmed scale of bailout funds is estimated to cover a shortfall of approximately 43,500 ETH.
According to on-chain analyst Ember (@EmberCN), the rsETH incident on April 18 resulted in a funding shortfall of approximately 68,900 ETH (around $160 million): the hacker collateralized rsETH to borrow 99,600 ETH; after Arbitrum recovered 30,700 ETH, the remaining funds were fully converted by the hacker into BTC. The incident has now entered the remediation phase. Aave is coordinating the establishment of a “DeFi United” relief fund, which has so far received cumulative donations totaling 13,500 ETH (approximately $31.45 million). Donors include Lido Finance (2,500 stETH), ether.fi Foundation (5,000 ETH), Aave founder Stani Kulechov (5,000 ETH), Golem Foundation (1,000 ETH), as well as LayerZero and Ink Foundation (amounts undisclosed).
The Lido team has initiated a proposal, planning to allocate up to 2,500 stETH (approximately $5.8 million) from the DAO to cover the rsETH asset shortfall resulting from the recent attack on Kelp DAO. Lido noted that the LayerZero-based exploit has led to insufficient rsETH reserves, triggering a chain reaction across the DeFi ecosystem, including rising interest rate pressure, tightening lending markets, and certain leveraged strategies facing passive liquidation risks. The proposal emphasizes that these funds will only be used as part of a complete recovery solution, provided that the overall shortfall can be fully addressed. Previously, the approximately $292 million attack on Kelp DAO had already impacted Aave, leading to bad debt issues, and its total value locked (TVL) once declined by nearly $8 billion.
Aave released the latest update on the rsETH security incident on the X platform, announcing that it has paused rsETH reserve-related operations on the Ethereum mainnet as well as networks including Arbitrum, Base, Mantle, and Linea. This measure is intended to prevent excess aETHrsETH from being withdrawn, thereby pushing positions close to the 95% liquidation threshold. This action aims to preserve as much capital as possible and reduce systemic risk while the asset recovery plan is underway. Aave stated that further progress and resolution plans will be continuously disclosed to the community.
Aave announced the latest developments regarding the rsETH security incident on X, stating that rsETH-related reserve operations have been suspended on Ethereum Mainnet and on networks including Arbitrum, Base, Mantle, and Linea. This measure aims to preserve as much capital as possible and mitigate systemic risk while the asset recovery plan is underway. Aave stated that it will continue to disclose subsequent updates and resolution plans to the community.
Lido has released an update regarding the Kelp security incident, stating that its Earn-series vaults are working with the management team to address the issue, focusing on two key risk areas: rsETH exposure and tightening liquidity in lending markets. Lido emphasizes that its core staking protocol remains unaffected, and both stETH and wstETH remain secure and stable. Currently, only the EarnETH vault holds approximately 9% of its TVL in rsETH exposure; related deposits and withdrawals have been suspended by the management team pending resolution. Of the ~$70 million in ETH stolen in the earlier attack, roughly $70 million has already been recovered; asset recovery and loss allocation efforts are ongoing. To mitigate liquidity pressure, the management team has reduced leverage and optimized position structures, significantly decreasing wETH debt exposure. Should losses ultimately materialize, EarnETH will activate its $3 million “first-loss protection mechanism,” funded by the DAO. Other vaults remain unaffected: DVV and EarnUSD are operating normally. The GGV sub-vault is currently experiencing negative yields due to a combination of recursive staking strategies and rising borrowing rates, but active adjustments are underway. Users’ previously submitted withdrawal requests will be processed at pre-incident valuations.
According to Decrypt, U.S. Representatives Thomas Massie and Lauren Boebert jointly introduced the AI surveillance bill titled the “Surveillance Accountability Act,” which would require U.S. federal agencies to obtain a judicial warrant before using artificial intelligence for data analysis and surveillance. The bill aims to close a loophole in the “third-party doctrine”—a legal framework originating from 1970s court rulings that permits the U.S. government to access users’ data held by third-party platforms (e.g., banks and telecommunications providers) without a warrant. The bill’s sponsors argue that, in the internet and AI era, this doctrine has been excessively expanded, thereby weakening protections for citizens’ privacy.
Anthropic and OpenAI have experienced security incidents in succession, drawing market attention to the security of AI models themselves. Currently, Anthropic is investigating a possible case of unauthorized user access to its Claude Mythos model. Almost simultaneously, OpenAI was also reported to have accidentally opened access to several unreleased models within its Codex application. Analysts believe that such incidents highlight that even AI model providers focused on cybersecurity capabilities still face significant security challenges. While AI is increasingly used for cyber defense, platform security and access control are becoming critical risk points. Industry insiders point out that these vulnerability incidents have intensified scrutiny over the security governance capabilities of AI companies, and also reflect that the security systems of current AI technology still need improvement amid rapid development. (The Information)
According to Decrypt, OpenAI CEO Sam Altman stated that Anthropic is promoting its AI model Claude Mythos through “fear-based marketing,” using narratives about security risks to justify its limited-open strategy. Claude Mythos has recently drawn attention for its ability to autonomously discover software vulnerabilities and perform complex cybersecurity operations. The report notes that Mozilla previously disclosed that the model identified 271 vulnerabilities in the Firefox browser during testing. Meanwhile, discussions surrounding the model’s potential offensive cybersecurity risks continue to intensify. Altman also emphasized that OpenAI will not scale back its infrastructure investments and will continue expanding its computational capabilities.
Spark announced on X that the total staked native token SPK has just surpassed 500 million tokens, reaching 509,969,466 tokens according to its displayed data. Users staking SPK can now participate in Season 4 of the Spark Points Program and earn points rewards. Previously, due to the rsETH security incident, funds continuously flowed out of Aave, while Spark absorbed some of the capital withdrawn by large whales/institutions from Aave.
Ledger Chief Technology Officer Charles Guillemet pointed out that the development of post-quantum cryptography has entered a critical stage. Although the timeline for a practical quantum computer remains unclear, a full-scale migration of the encryption systems across the industry is an inevitable trend. Led by NIST, the traditional sector plans to phase out high-risk algorithms by 2030 and completely ban them by 2035, with government and enterprise institutions expected to complete their migration layouts by 2029. Encryption and key exchange will adopt ML-KEM to defend against quantum decryption attacks on harvested data, with digital signatures becoming the core of blockchain transformation. The traditional industry prefers ML-DSA hybrid schemes, while the blockchain sector favors the more secure and robust SLH-DSA hash-based signature. Both schemes have their respective advantages and disadvantages. The compatibility challenges of post-quantum algorithms with MPC and threshold signatures remain a key risk that the industry urgently needs to address.
According to Natalie Newson, Senior Blockchain Investigator at CertiK, real-time deepfakes, phishing attacks, supply-chain compromises, and cross-chain vulnerabilities will be the primary drivers of cryptocurrency hacks in 2026. So far this year, the industry has lost over $600 million to hacking incidents—including the $293 million Kelp DAO exploit and the $280 million theft from Drift Protocol in April—both linked to a North Korean hacker group. Newson warns that the accelerated advancement of AI will make attack methods increasingly sophisticated, including more realistic deepfakes, autonomous attack agents, and “agent AIs” capable of automatically scanning smart contracts for vulnerabilities. However, AI can also serve as a defensive tool. CertiK advises investors to verify URL authenticity and store assets in cold wallets to mitigate risk.