hackers

According to a report by Cointelegraph, a report released by cybersecurity company CrowdStrike shows that losses from cryptocurrency assets caused by North Korean hackers and threat actors exceeded $2 billion in 2025, a 51% increase year-on-year, despite a decrease in the number of attacks. CrowdStrike stated that North Korean hackers are the largest threat organization targeting cryptocurrency users, and the stolen funds are almost certainly used to finance the regime's military programs.Attackers prioritize high-value targets, mainly focusing on Web3 projects and cryptocurrency exchanges, as stolen funds are easier to cash out and transfer anonymously. In April of this year, the Ethereum Foundation identified 100 North Korean hackers, and the Drift Protocol was infiltrated by North Korean tech workers, resulting in a loss of $280 million, with these threat actors establishing face-to-face relationships through third-party intermediaries.

According to a notice from Transit Finance, a security incident recently occurred in the project due to historical vulnerabilities in an old version of the smart contract deployed on TRON, which was deprecated in 2022, affecting a small number of users after being exploited.The team stated that after discovering the issue, they urgently completed investigation, isolation, and repair, and on May 12, further auditing and rectification were carried out. The currently used contract version has not been affected, has been running safely for over four years, and continues to undergo security audits and monitoring.Transit stated that affected users will receive full compensation, and specific plans will be announced through official channels. They also reminded users to be wary of counterfeit official messages and not to disclose private keys or mnemonic phrases.

According to Decrypt, Microsoft's threat intelligence department disclosed that attackers implanted malicious code into the Mistral AI package distributed through the PyPI platform. This malicious code automatically runs when developers use it on Linux systems, downloading a malicious file named transformers.pyz and executing it in the background, with the filename deliberately mimicking the widely used Hugging Face Transformers library to confuse users.Microsoft pointed out that this malware primarily steals developer login credentials and access tokens, and it avoids Russian systems. Some of the code can randomly delete device files located in Israel or Iran. This attack is related to the "Shai-Hulud" supply chain attack campaign that started in September. Mistral responded that investigations show the attack originated from compromised developer devices, and the company's infrastructure was not breached.

Web3 security company CertiK has released the "Skynet North Korea Cyber Threat Report." The data shows that since 2016, North Korean hacker groups have plundered approximately $6.75 billion in digital assets. In 2025 alone, the losses from thefts they orchestrated reached as high as $2.06 billion, accounting for nearly 60% of the total losses in the global cryptocurrency industry for the entire year (including the $1.5 billion Bybit theft case). As of early 2026, this threat trend continues, with losses accounting for about 55%.The report emphasizes that the attack patterns of North Korean hackers have undergone a fundamental shift, evolving from simple code vulnerability exploitation to a national-level attack system that combines social engineering, deep supply chain attacks, and "physical infiltration." In the recent Drift protocol incident, attackers even spent six months lurking at offline industry conferences, establishing trust through real funds and interpersonal interactions before executing their attack.CertiK security experts warn that in the face of such systemic attacks, simple technical defenses have become weak. Cryptocurrency institutions urgently need to fully implement a "zero trust" hiring model, strengthen third-party supply chains, establish fund circuit breaker mechanisms, and collaborate with professional security organizations to build a comprehensive lifecycle defense system covering code audits, round-the-clock risk monitoring, and on-chain anti-money laundering/KYT (Know Your Transaction) fund tracking.

According to Decrypt, Google's Threat Analysis Group confirmed that cybercriminals used an AI model to discover and exploit a zero-day vulnerability in a popular open-source web management tool that could bypass two-factor authentication. Google stated that this is the first time the company has confirmed AI-assisted zero-day vulnerability development in a real-world environment. Before attackers could exploit it on a large scale, Google worked with the affected vendor to patch the vulnerability. Google's report noted that the vulnerability was a logic error, where the software trusted a condition that could bypass two-factor authentication. Unlike traditional scanners that look for crashes or error codes, AI analyzed the expected behavior of the software and detected logical contradictions, allowing attackers to bypass security checks without compromising encryption.

Renegade posted on platform X that a legacy V1 version of the protocol was attacked earlier this morning, resulting in a loss of approximately $209,000. White hat hackers have returned about $190,000, and all affected users will receive full compensation.The team confirmed that the issue only exists in the V1 Arbitrum deployment, and other deployments (V1 Base, V2 Arbitrum, V2 Base) are safe. All infrastructure supporting V1 Arbitrum transactions has been suspended, with no further risk to funds, and integrators do not need to take any action.

According to the latest report from TRM Labs, North Korean hackers stole nearly $600 million worth of cryptocurrency in the attacks on Drift Protocol and Kelp DAO, accounting for 76% of the total losses. TRM Labs estimates that since 2017, hackers associated with North Korea have stolen over $6 billion from cryptocurrency protocols and projects.The report shows that the share of losses caused by North Korean hackers in global cryptocurrency hacking attack losses has increased from less than 10% in 2020 and 2021 to 22% in 2022, 37% in 2023, 39% in 2024, and 64% in 2025.

North Korean hackers had months of offline contact and infiltration with employees of Drift Protocol before launching one of the largest social engineering attacks in the history of the cryptocurrency industry, resulting in a loss of approximately $285 million.Data from blockchain security company TRM Labs shows that North Korean hackers have accounted for 76% of all cryptocurrency hacking losses in 2026 to date.

The latest report from blockchain intelligence agency TRM Labs shows that approximately 76% of global cryptocurrency hacking losses are related to organizations associated with North Korea, with a total stolen amount of about $577 million.North Korea's share of global crypto theft continues to rise: 22% in 2022, 37% in 2023, 39% in 2024, rising to 64% in 2025, and further increasing to 76% in 2026. Since 2017, the total illegal profits have exceeded $6 billion. The report points out that these losses mainly stem from two major incidents in April: a $292 million attack on KelpDAO and a $285 million theft from Drift Protocol, with the two attacks accounting for about 3% of all hacking incidents during the same period.

In the past ten years, the cumulative loss was $17.1 billion, involving 518 incidents; in the past five years, the loss was approximately $15.2 billion, involving over 450 incidents; in the past year, the loss was about $2.5 billion, involving over 140 incidents. Recent losses indicate that crypto attacks have shifted from smart contract vulnerabilities to private key leaks and access control.

According to on-chain analyst Yu Jin's monitoring, the KelpDAO hacker exchanged all 75,700 ETH for BTC through THORChain yesterday. The hacker who stole $98 million in assets from Balancer last November also exchanged ETH for BTC through THORChain today.Today, the Balancer hacker has already exchanged 7,000 ETH for 204.7 BTC ($15.88 million) and is still continuing. Currently, the Balancer hacker holds 15,000 ETH ($34.65 million) on the ETH chain and 204.7 BTC ($15.88 million) on the BTC chain.

According to official news, KelpDAO stated that over the past few days, the team has been continuously advancing the handling of related events with the support of partners, allies, and the community. Discussions are progressing in a positive direction, and efforts are being accelerated to reach a suitable solution. The project party emphasized that it always adheres to the core principle of "user first," and subsequent measures will be gradually implemented with the aim of safeguarding the overall interests of users.In the past four days, the Kelp team has been working around the clock in collaboration with multiple parties, maintaining close communication with all relevant parties, and making substantial progress on several potential solutions. This includes measures taken by the Arbitrum Security Council to freeze the stolen funds, as well as SEAL 911 participating in the preliminary investigation to provide objective and clear analytical support for the incident.Kelp stated that the current focus of work remains on protecting user asset security and strengthening the protocol itself. This incident is not only of critical significance to the project but also has enlightening value for the entire industry. The team will continue to disclose subsequent progress through official channels and thanks the ecological partners and community for their ongoing support.Previous reports indicated that the KelpDAO hacker has essentially laundered $175 million in ETH into BTC.

The Ethereum Foundation recently released a summary report on the ETH Rangers security project, revealing that during a 6-month security funding program, researchers identified approximately 100 suspected state-sponsored cyber operatives, including infiltrators from North Korea, who have been active in multiple Web3 projects.The report indicates that relevant investigations were advanced through projects like the "Ketman Project," where researchers issued warnings to about 53 blockchain projects, revealing that these individuals infiltrated development teams under false identities and participated in fund flows and technical positions. Meanwhile, some related funds have been frozen, amounting to hundreds of thousands of dollars. The security team also incorporated relevant intelligence into the threat analysis system for the Lazarus Group and disclosed it at security conferences such as DEF CON, showing that state-level cyber attacks are continuously infiltrating the infrastructure of the cryptocurrency industry.In terms of overall results, the program has frozen or recovered over $5.8 million in funds, reported or documented over 785 vulnerabilities, and handled 36 security incidents, indicating that the security threats currently faced by the Ethereum ecosystem have escalated from simple vulnerability attacks to systemic risks involving state-level actors. Additionally, the report points out that North Korean hackers have also infiltrated projects through methods such as "remote IT workers," involving various attack paths such as account takeovers, freelancing platform infiltrations, and fund transfers, making them a key target for industry prevention.The Ethereum Foundation emphasizes that the security of decentralized networks requires "decentralized defense" and will continue to support security research, threat intelligence, and talent development to address the escalating state-level cyber threats.

In response to the recent attack on the "ListaDAOLiquidStakingVault" contract, ListaDAO officially released a statement clarifying that the attacked contract was not deployed by the official team, but rather was a counterfeit contract created by an unverified third party using a similar name. All official contracts of ListaDAO were not affected by this incident.According to an in-depth analysis by the GoPlus security team, the attack occurred on April 16, 2026, and the root cause was a business logic flaw in the third-party contract. When a token transfer was made, it triggered the Dividend.setShares() function and altered the share accounting within the contract, which in turn affected the reward calculation in the claimReward() function. The attacker exploited this vulnerability to deplete the assets within the contract.GoPlus reminds that since this logical flaw exists in both segments of the contract code mentioned above, any development projects that fork or reuse this code face a high risk of being exploited. It is recommended that relevant developers promptly conduct code inspections and fixes, and implement continuous auditing mechanisms to ensure the security of smart contracts.

Bitcoin core developer Jameson Lopp stated that, compared to the potential quantum computing attacks that may arise in the future, he prefers to "freeze" about 5.6 million long-dormant BTC from the network rather than let them be acquired by attackers. These Bitcoins have not moved for over 10 years and may be permanently lost, valued at approximately $42 billion at current prices. If future breakthroughs in quantum computing lead to the decryption of old address private keys, this portion of assets could be re-transferred, triggering severe market fluctuations or even a crisis of confidence.Although the community recently proposed BIP-361, the proposal is still in its early stages and is not an officially promoted plan, but rather more like a contingency plan to address "extreme risks."

The security research organization Elastic Security Labs has disclosed a new social engineering attack targeting personnel in the finance and cryptocurrency industries. The attackers impersonate venture capital firms on LinkedIn and Telegram, tricking targets into opening an Obsidian note repository that contains a built-in malicious payload, thereby deploying a previously unrecorded Windows remote access Trojan called PHANTOMPULSE.This attack does not exploit any software vulnerabilities but instead abuses the Shell Commands plugin of Obsidian to automatically execute malicious code when the note repository is opened. On the macOS side, it uses an obfuscated AppleScript launcher in conjunction with a Telegram channel as a backup command and control server, while on the Windows side, it leverages Ethereum transaction data to achieve blockchain-based C2 address resolution.

The crypto wallet Zerion disclosed that North Korean hackers are using AI for long-term social engineering attacks, stealing approximately $100,000 from the company's hot wallet.Zerion confirmed that user funds, applications, and infrastructure were not affected, and has proactively disabled the web application as a precaution. Zerion also stated that the attackers obtained some session and credential information from team members who were logged in, as well as the private keys of the company's hot wallet, and pointed out that AI is changing the way cyber threats operate.

According to market news, a report released by the blockchain security company Hacken shows that Web3 projects lost a total of $464.5 million this quarter due to hacker attacks and scams, with phishing and social engineering attacks accounting for $306 million, becoming the main source of losses.A hardware wallet scam that occurred in January caused a loss of $282 million, accounting for 81% of the total quarterly losses. Smart contract vulnerabilities led to losses of $86.2 million, while access control failures (including breaches of keys and cloud services) caused losses of $71.9 million. The report points out that the largest security incidents often occur in off-chain operations and infrastructure layers, which traditional audits find difficult to cover. The European regulatory frameworks MiCA and DORA are increasing requirements for security monitoring and incident response, and global regulatory agencies are also raising standards for real-time monitoring and emergency response.