Odaily, Mitchell Amador, CEO of bug bounty platform Immunefi, stated at the WAIB Summit that new AI models such as Claude Opus 4.8 and ChatGPT 5.5 are shifting the balance of cybersecurity offense and defense in favor of attackers, leading to a resurgence in crypto hacks in 2026. Data from DefiLlama shows that in April 2026, illicit actors stole over $634 million from crypto platforms, the highest monthly total since the Bybit hack in February 2025 drove losses of approximately $1.4 billion. Amador stated that the crypto industry is in a critical survival period for the next three to four years until security teams leverage similar AI models to build codebases that attackers cannot breach; if the industry adopts more crowd-sourced security solutions, this timeline could be shortened to within two years. The latest Claude Mythos model, Fable 5, from AI company Anthropic, previously raised concerns about accelerating the ability to exploit crypto vulnerabilities. Anthropic stated that Fable 5 has safeguards in place that will redirect topics related to cybersecurity and similar fields to Claude Opus 4.8. On April 19, an attacker transferred approximately 116,500 restaked Ethereum (rsETH) from Kelp DAO's LayerZero-based rsETH bridge, valued at around $290 million to $293 million at the time. Cross-chain protocol LayerZero stated that the 1/1 decentralized verification network configuration of Kelp DAO relied on a single verification path for processing cross-chain messages, creating a single point of failure. (Cointelegraph)
AML/KYT provider Shard disclosed that the number of cyberattacks targeting the cryptocurrency industry in Q1 2026 doubled year-on-year, exceeding 80 incidents; however, total losses declined by 69% year-on-year to $496 million, down from $1.6 billion in the same period last year. Shard noted that losses in Q1 2025 were primarily driven by a major theft incident involving Bybit, valued at approximately $1.4 billion; in contrast, attacks in Q1 2026 were more dispersed, targeting DeFi protocols, infrastructure services, and individual users. On a monthly basis: 29 attacks occurred in January, causing losses exceeding $392 million; 26 attacks occurred in February, causing losses exceeding $22 million; and 27 attacks occurred in March, causing losses exceeding $81 million.
According to on-chain investigator Eye, DxSale is suspected of withdrawing approximately $7.3 million from some of its early liquidity pools locked on BNB Chain since 2021—impacting over 1,400 LPs. Eye stated that the attack involved silent ownership transfers and over 80 wallet hops. Eye noted that the newly used wallet address in the attack received 104 BNB from Bybit 20 hours prior to the liquidity pool withdrawal, and subsequently received approximately 1,200 BNB after the funds were withdrawn from the liquidity pools. Thereafter, this address transferred roughly 3,400 BNB in total to two wallets, with the related funds already withdrawn via multiple Binance deposit addresses.
According to an official announcement, Bybit recently completed an innovative anti-money laundering (AML) research collaboration with a student team from The University of Hong Kong (HKU). This collaboration used Bybit’s February 2025 security incident as a case study, providing HKU Business School master’s students with hands-on experience in blockchain investigations and AML analysis.
Ronghui Gu, co-founder and CEO of CertiK, stated that AI tools are exacerbating the imbalance between attack and defense in DeFi security, making it easier for attackers to discover vulnerabilities and replicate attack paths across different protocols. He pointed out that the DeFi security situation was particularly severe in April of this year, with only 3 days that month free from hacker attacks, resulting in cumulative losses exceeding $690 million for DeFi protocols. Excluding the Bybit attack in February 2025, April has become the month with the highest losses from DeFi hacks since March 2022. Ronghui Gu believes that attackers can concentrate significant computing power to repeatedly test a single protocol, whereas security companies need to serve multiple clients simultaneously with dispersed resources, putting the defense side at a natural disadvantage. Meanwhile, the focus of recent attacks is also shifting from smart contract vulnerabilities to operational security and weak points in the supply chain. He emphasized that even if AI fails to find vulnerabilities over an extended period, it does not prove the code is completely secure; under current technical conditions, formal verification remains a more reliable method for ensuring security.
Odaily, Web3 security firm CertiK has released the "Skynet North Korean Crypto Threat Report." Data shows that since 2016, North Korean hacking groups have accumulated approximately $6.75 billion in stolen digital assets. In 2025 alone, their thefts amounted to $2.06 billion in losses, accounting for nearly 60% of the total annual losses in the global crypto industry (including the $1.5 billion Bybit hack). As of early 2026, this threat trend continues, with losses attributable to them making up about 55%. The report emphasizes that the North Korean hackers' attack patterns have fundamentally shifted, evolving from mere code vulnerability exploitation into a state-level attack system combining social engineering, deep supply chain attacks, and 'physical infiltration.' In the recent Drift protocol incident, attackers even spent six months infiltrating offline industry conferences, building trust through real financial transactions and personal interactions before launching the attack. CertiK security experts warn that in the face of such systemic attacks, purely technical defenses are proving inadequate. Crypto institutions urgently need to fully implement a 'zero-trust' hiring model, reinforce third-party supply chains, establish fund circuit breaker mechanisms, and collaborate with professional security firms to build a full lifecycle defense system covering code auditing, round-the-clock risk monitoring, and on-chain anti-money laundering/KYT (Know Your Transaction) fund tracking.
Odaily, PaperImperium, the head of MegaETH, disclosed on X platform that documents from the U.S. District Court for the Southern District of New York show that a U.S. court has issued an injunction against the Arbitrum DAO, prohibiting it from transferring approximately $71 million in ETH assets that were previously frozen during the KelpDAO hacking incident. In response, on-chain detective ZachXBT posted on X platform, stating that certain U.S. law firms are using his investigative work and on-chain forensics to help victims of some hacking incidents file legal claims. However, this practice may actually slow down or hinder victims from receiving compensation or recovering funds. ZachXBT added that in previous hacking incidents involving the Lazarus Group, such law firms often stepped in after on-chain fund tracking or freezing was completed, proposing subsequent legal actions that were weakly related to the crypto incidents themselves. Similar "free-riding claims" strategies were used in events like Harmony and Bybit. He called on the crypto community to establish a DAO to resist such practices.
According to CertiK Alert (@CertiKAlert), cryptocurrency security incidents in April 2026 resulted in total losses of approximately $651 million, of which around $3.5 million stemmed from phishing attacks. This marks the highest monthly loss since March 2022 (approximately $715 million), second only to the Bybit hack in February 2025 (excluded from comparison).
According to on-chain analyst Ai Aunt (@ai_9684xtpa), the address 0xb5E…Fc24e deposited a total of 1.397 million UNI tokens—worth approximately $4.6 million—into three exchanges two hours ago. Notably, the Bybit deposit address has had multiple interactions with the DeFi crypto fund DeFiance Capital, which is an investor in both Aave and LayerZero—two entities closely linked to the recent Kelp DAO hack incident.
According to information from the governance forum, Bybit’s public chain Mantle plans to lend 30,000 ETH to Aave to address the bad debt risks arising from recent security incidents. According to statistics from crypto analyst Ember (@EmberCN), the confirmed scale of bailout funds is estimated to cover a shortfall of approximately 43,500 ETH.
According to on-chain analyst Specter (@SpecterAnalyst), the North Korean hacking group TraderTraitor began laundering stolen funds from KelpDAO at approximately 3 a.m. Beijing time today—just three hours after the Arbitrum Council froze 30.7 ETH (approximately $71 million). The attackers split the remaining funds across three wallets, holding roughly 25,000 ETH (~$57.6 million), 25,700 ETH (~$59.2 million), and 25,000 ETH (~$57.9 million), respectively. The third wallet immediately initiated laundering operations and now holds only about 3,800 ETH (~$8 million). The majority of the funds were bridged to the Bitcoin network via THORChain, with approximately 99% flowing through this protocol. As a result, THORChain’s daily trading volume surged to $211 million—more than ten times its 30-day average—and generated roughly $189,000 in fees. During this laundering process, the illicit proceeds were also commingled with funds stolen in the BTC Turk (2025) and Bybit (2025) hacks. To date, approximately 442 BTC (~$33 million) linked to these incidents have been traced on the Bitcoin network, and over 400 addresses have been utilized throughout the entire laundering operation.
Bybit’s Security Operations Center has identified a multi-stage malware campaign targeting macOS users of Claude Code, an AI-powered search and development tool. Attackers used search engine optimization (SEO) poisoning to push malicious domains to the top of Google search results, luring users to counterfeit installation pages. Once installed, the malware steals browser credentials, macOS Keychain data, Telegram sessions, VPN configurations, and cryptocurrency wallet information. Bybit stated that the malware can also establish persistent access via backdoor functionality and attempts to target over 250 browser wallet extensions and multiple desktop wallet applications. This malicious infrastructure was identified on March 12, and related analysis, mitigation, and detection measures were completed the same day.