stolen

On-chain detective ZachXBT stated that the cryptocurrency exchange KuCoin has sent a legal threat email to a victim whose stolen funds were laundered through a KuCoin account and purchased KYC identity. The case involves a theft incident from the Atomic wallet on August 18, 2025, resulting in a loss of approximately $250,000, with the stolen funds transferred to multiple KuCoin deposit addresses.ZachXBT mentioned that it has issued multiple warnings about KuCoin in recent months, including issues such as blocking legitimate users, enabling illegal activities (such as transactions related to dark web markets), and slow responses to requests from law enforcement agencies.

Blockchain intelligence company AMLBot's monitoring data shows that recently Polymarket users on the Polygon network had approximately $3.1 million PUSD stolen due to a front-end malicious script intrusion.The attackers implanted a malicious script that induced users to sign authorization transactions (involving EIP-7702 delegated execution), resulting in the users' wallets being emptied. The stolen funds were then converted to USDC.e through Relay, bridged to Ethereum, and ultimately exchanged for ETH, which was concentrated in a designated address. Currently, about 1891.9 ETH is distributed across three new wallets.AMLBot pointed out that this attack is similar to the incident involving the 2024 1inch web application, where a wallet theft script was implanted in the Lottie Player library, both cases involved third-party scripts being compromised, leading to front-end contamination.

According to on-chain detective ZachXBT's monitoring, it was found that signs of mixing appeared in the funds stolen from the Humanity Protocol and Kelp DAO vulnerability attacks one hour ago, indicating that there may be an overlap between the attackers of these two incidents.Based on this new evidence, it can be largely ruled out that the theft case of Humanity Protocol was committed by an insider.

According to monitoring by PeckShield, the address marked as the KyberSwap attacker has transferred 2,000 ETH to Tornado Cash again. Over the past two years, this attacker has transferred and laundered a total of 16,100 ETH through Tornado Cash, equivalent to approximately $40 million at current prices, accounting for over 80% of the $48.8 million in losses from the KyberSwap attack in November 2023. There are still some stolen funds that have not yet been fully transferred.

Taiko officially stated on X: "We have identified the root cause of this attack and are currently developing a fix to restore the blockchain's online operation as soon as possible. At the same time, we are working closely with major exchanges and security partners to track and freeze the hacker's assets. The remaining funds in the cross-chain bridge are currently safe, and we will announce the next steps in our upcoming updates. To focus on fixing the vulnerabilities and protecting user assets, we will pause updates for a few hours."Previously, it was reported that the Taiko cross-chain bridge was attacked, with losses potentially reaching up to $1.7 million.

The well-known MEV Bot address ae13 issued a white hat bounty notice on-chain to hackers, stating, "If 2,150 Ethereum is returned to this address within 48 hours, we are willing to pay 50% of the white hat bounty; otherwise, we will take all feasible legal and enforcement actions to hold accountable."According to previous reports, the well-known MEV robot Jaredfromsubway.eth (ae13), which has been active on the Ethereum network for a long time, was attacked by hackers exploiting vulnerabilities in the automated execution system, resulting in losses exceeding $75 million.

According to monitoring by PeckShield, the OLPC/LABUBU liquidity pool on PancakeSwap on the BNB Chain was attacked, with the attacker stealing assets worth approximately $1.1 million. After the incident, the attacker transferred the stolen funds across chains to Ethereum and subsequently deposited 633.4 ETH into the mixing protocol Tornado Cash. In addition, the attacker sent 0.0221 BNB and 0.0411 ETH to an abandoned address, and the details of the attack and the flow of funds are still being tracked.

According to monitoring by Lookonchain, the Humanity Protocol attacker has exchanged part of the stolen funds for USDC and deposited them into KuCoin.

Axelar Network stated on platform X that an event affecting assets bridged from the Axelar chain to the Secret Network via IBC has been discovered, with approximately $4.67 million worth of tokens stolen.According to the information currently available, the issue is limited to the ICS-20 smart contract on the Secret side, which is part of the Cosmos IBC connection between Secret and Axelar, used to bridge assets from Axelar to Secret. The Axelar Emergency Committee immediately disabled the Secret and Secret-SNIP connections upon discovering the incident. The team is contacting relevant exchanges and law enforcement agencies. The incident is limited to assets bridged from Axelar to Secret via IBC. Other IBC connections or Secret tokens do not appear to be affected. Other Axelar integrations are unaffected. The core protocol of Axelar is not impacted.Additionally, according to Common Prefix's analysis of the Secret Network incident, an attacker exploited an infinite minting vulnerability in a modified CW20-ICS20 token contract on Secret, stealing approximately $4.67 million. The attacker minted arbitrary Secret-wrapped Axelar assets on Secret by launching a new Cosmos chain (with only one validator) and self-relaying IBC packets to it. The contract did not verify which IBC channel the inbound tokens came from. The attacker exited through the Axelar bridge. The Axelar protocol was not compromised and prevented the spread of contagion to other chains.

According to SlowMist's YuXian monitoring, Aztec is suspected to have been hacked again, with its Private Rollup Bridge 0x737...A2ba showing three suspicious transactions, totaling approximately $2.15 million, involving 1,158 ETH, 150,000 DAI, and 0.46963295 renBTC.

Raydium core contributor InfraRAY posted on platform X, stating that the team has confirmed that the old version of the AMM V3 program, which was previously discontinued in 2021, has been attacked. The attacker unauthorizedly removed part of the liquidity, but this incident does not affect current Raydium users, and the related liquidity pools have been unable to interact through the official Raydium UI since being disabled. The Raydium SDK and DApp also do not support operations on the mainnet old version AMM V3 liquidity pools.The five affected liquidity pools include: Sollet USDT-RAY, Sollet ETH-RAY, SRM-RAY, USDC-RAY, and RAY-SOL. Preliminary statistics show that the stolen assets include approximately 150,177 RAY, 5,603 SOL, and 893,700 USDC, with a total value of about $1.34 million. The related losses will be fully compensated by the treasury.Investigations reveal that the vulnerability originated from insufficient verification of the LP token minting address. The attacker created new LP tokens and impersonated legitimate LP tokens, bypassing the protocol's ratio verification mechanism to extract funds. However, this incident is classified as an independent logical vulnerability and is not due to private key leakage or permission intrusion, and there is no risk of spread. Currently, all existing Raydium mainnet programs have not been affected.

According to a report by Chainalysis, over the past six months, at least $36.7 million has been stolen from protocols with unverified source code, involving protocols such as Truebit, Trusted Volumes, Aperture Finance, and Ekubo. Attackers are searching for vulnerabilities by decompiling the original bytecode. AI-assisted vulnerability exploitation development is accelerating this trend, as large language models can scale the identification of vulnerability patterns.Chainalysis points out that unverified contracts lack community review and are often excluded from bug bounty programs. The barrier to AI decompilation and vulnerability analysis is rapidly decreasing, allowing attackers to systematically scan thousands of unverified contracts. Protocols should verify all contract code, audit the contracts actually deployed, expand the coverage of bug bounties, and implement real-time on-chain monitoring. Each unverified contract is a potential target for automated scanning, and relying solely on obfuscation as a security measure is no longer effective.

Humility Protocol released a security incident update on the X platform, indicating that yesterday the H token suffered a coordinated attack on the Ethereum and BSC chains, with over $36 million in assets confirmed to have been stolen and sold off.Preliminary investigations show that the incident originated from an employee's computer being compromised, leading to the leakage of the multi-signature wallet keys controlling the Hyperlane Bridge ProxyAdmin. Among them, the attacker obtained 3 out of 6 private keys from Gnosis Safe holders on the Ethereum chain, transferred ownership of ProxyAdmin to their controlled wallet, and upgraded the bridging contract to a malicious implementation, subsequently transferring approximately 141.2 million H tokens in a single transaction.Meanwhile, the attacker also controlled 3 out of 5 private keys from Safe wallet holders on the BSC chain, taking over ProxyAdmin in the same manner and deploying a malicious contract with unlimited minting capabilities, minting 200 million H tokens to their wallet in two transactions.Humility stated that it has suspended all deposit and withdrawal operations for the affected bridging services and is collaborating with exchanges and other relevant partners to mitigate losses, while also cooperating with law enforcement to investigate and attempt to recover some of the stolen funds.

According to the "Procuratorial Daily," Lin, Zeng, and Dai conspired to use virtual currency trading as a pretext. During the trading process, they secretly filmed the victim's digital wallet private key and, after the virtual currency was credited, secretly logged into the victim's wallet to reverse the transaction, transferring the related virtual currency back to their controlled accounts. The three committed the crime three times, causing the victim a total economic loss of 660,000 yuan.The first-instance court held that in the absence of a clear judicial interpretation regarding the valuation method of virtual currency and sentencing standards, it was inappropriate to directly determine the amount involved as particularly huge based on the victim's purchase amount of 660,000 yuan. Therefore, they sentenced the three based on "other serious circumstances," imposing prison terms ranging from eight years to five years and six months, along with fines. The Hanyang District Procuratorate of Wuhan City in Hubei Province subsequently filed an appeal, which was supported by the Wuhan City Procuratorate.The prosecution argued that the first-instance court applied the law incorrectly and imposed an excessively light sentence. Prosecutor Dai Wentao of the Wuhan City Procuratorate stated that in the case where the victim had a clear loss amount to refer to, it was contradictory and legally erroneous to claim that the value of virtual currency could not be determined. In judicial practice, using the resale price and transaction price as the basis for determining the amount of theft has become mainstream, and determining the value of virtual currency based on the actual cost paid by the victim has factual, legal, and practical basis.The Intermediate Court of Wuhan accepted the prosecution's opinion in the second instance, revoked the corresponding content of the original judgment, and changed the determination of the theft amount to particularly huge. It sentenced the principal offender Lin to ten years and six months in prison for theft, and sentenced the accomplices Zeng and Dai to eight years in prison each, along with fines.

SlowMist has issued a security alert, detecting an active npm supply chain attack targeting @redhat-cloud-services related packages. Currently, over 31 packages have been confirmed affected, with a weekly download volume of approximately 116,000 times, and stolen credentials exist in more than 300 GitHub repositories. This attack method is highly similar to the previous "Shai-Hulud" npm attack, including credential theft, creation of malicious repositories, and automated secret leakage. New suspicious repositories continue to emerge, indicating that the attack is still ongoing, and developers are still being continuously infected.Potential harms include: theft of GitHub/npm tokens, leakage of AWS/GCP/Azure cloud credentials, collection of SSH keys and Kubernetes secrets, leakage of local environment and wallet data, creation of malicious repositories and persistence operations, and even potentially destructive actions after tokens are revoked. It is recommended to immediately remove or downgrade affected @redhat-cloud-services package versions, conduct a comprehensive audit of CI/CD workflows and dependency installations, rotate all GitHub, npm, cloud service, SSH, and wallet-related keys, retain logs, and rebuild exposed developer machines or Runners from clean images while maintaining a high level of vigilance.

According to The Defiant, approximately $220 million of unfrozen funds from the Kelp DAO cross-chain bridge attack has been almost entirely laundered by hackers. On-chain analyst Arkham Intelligence tracking shows that only about $1.7 million remains in the original attacker's wallet. This hacker is linked to North Korea and previously launched a $292 million cross-chain bridge attack on LayerZero in April.Funds were transferred using privacy tools such as THORChain, Wasabi, Tornado Cash, and Umbra. The approximately $71 million in Ethereum frozen by the Arbitrum security council on April 20 is currently the only recoverable portion. A report released by LayerZero on May 18 attributed the attack to the North Korean group TraderTraitor. Kelp has recovered approximately 116,000 rsETH by migrating to Chainlink CCIP and the DeFi United program, while the Aave security module absorbed about $190 million in bad debt.

According to a post by Specter, it has jointly frozen $91,000 of the stolen funds from Gravity Bridge with ChangeNOW. The attacker still holds most of the funds and has not transferred them.Previously, it was reported that the key to the Gravity Bridge bridging contract was leaked, resulting in $5.4 million in assets being stolen. The assets extracted by the attacker include: $4.3 million USDC, 274 WETH (worth approximately $553,000), $434,000 USDT, and $64,000 PAYG. The addresses involved are 0x7B58...1F9 and 0x4d3c...A47.

Blockaid disclosed on platform X that the Alephium TokenBridge Ethereum cross-chain bridge was attacked. The attacker controlled 3 out of 4 Guardian keys to forge a VAA (Verification Authorization Message) and completed the attack in about 7 minutes, stealing approximately $815,000 in assets.During the attack, the attacker minted 13.76 million Wrapped ALPH out of thin air, exceeding the circulating supply before the attack by over 100%, while also unlocking and transferring assets such as USDT, USDC, WBTC, and WETH from the custody pool.Currently, the attacker's address still holds approximately $815,000 in stolen assets and 13.76 million uncollateralized Wrapped ALPH, with the largest abnormal transaction being the minting of 13.76 million Wrapped ALPH out of thin air.

On-chain monitoring shows that the cross-chain bridge Gravity Bridge may have encountered a security incident due to a contract key leak, involving assets such as USDC, WETH, and USDT, with total losses of approximately 5.4 million dollars.

According to crypto KOL Yusuf's monitoring, yesterday the EURR and USDR contracts under the European stablecoin issuer StabIR were attacked, resulting in losses exceeding 10 million dollars.After the incident, over 100,000 dollars of stolen funds have been frozen, and the USDR and EURR have depegged by more than 20%.