Avoid your next
big mistake

Dritan Kapllani Jr. is an 18-year-old US-based individual publicly identified by blockchain investigator ZachXBT on May 12, 2026, as allegedly responsible for approximately $19 million in cryptocurrency thefts conducted through social engineering attacks between August 2025 and March 2026. He is named as Co-Conspirator 1 (CC-1) in US federal criminal case 1:26-cr-20181 (Southern District of Florida), unsealed May 11, 2026, in connection with a March 14, 2026 theft of 185 BTC valued at approximately $13 million. As of May 2026, Kapllani has not been formally charged; named defendants Trenton Richard David Johnston and Brandon Michael Tardibone have been indicted and detained.

ElementalDeFi is a Solana-based DeFi fund and lending platform founded in September 2022 that offers yield products including Elemental Lend, the Geyser Fund, and the Geodium Fund. On April 7, 2026, blockchain investigator ZachXBT publicly disclosed that an individual identified as Keisuke Watanabe — an alleged North Korean IT operative — had been employed at the project for multiple years, and that the same individual served as CTO at the related Solana DEX Stabble. As of May 22, 2026, ElementalDeFi has issued no public response, audit findings, or remediation plan, leaving unresolved the risk that the operative may have introduced backdoors or malicious code into the protocol's production smart contracts.

A coordinated international law enforcement operation announced on April 29, 2026, dismantled at least nine cryptocurrency investment fraud compounds operating across Southeast Asia and Dubai, resulting in 276 arrests and the restraint of over $701 million in cryptocurrency. The operation was led by Dubai Police in cooperation with the FBI, China's Ministry of Public Security, and Royal Thai Police, targeting 'pig-butchering' romance fraud schemes operated by three alleged criminal organizations—Ko Thet Company, Sanduo Group, and Giant Company—whose compounds employed trafficked workers held under coercive conditions. The U.S. Department of Justice charged six defendants in the Southern District of California, and separately charged two Chinese nationals for managing the Shunda compound in Myanmar; related OFAC sanctions targeted a Cambodian senator and 28 associates for protecting scam compound networks.

Stabble is a Solana-based decentralized exchange (DEX) that specializes in stablecoin liquidity pools. On April 7, 2026, onchain investigator ZachXBT publicly identified the protocol's former CTO, operating under the name Keisuke Watanabe, as an alleged North Korean DPRK IT operative who had also worked at Solana DeFi project ElementalDeFi. Following the disclosure, Stabble's new management team issued an emergency alert urging all liquidity providers to withdraw funds immediately, citing the unquantified risk of planted backdoor code; TVL collapsed 62% within hours and the protocol halted operations pending fresh security audits.

Meteora is a Solana-based decentralized exchange and liquidity protocol, originally founded as Mercurial Finance before rebranding in 2023. Its co-founder Benjamin Chow resigned in February 2025 amid allegations that the platform's infrastructure was used to orchestrate coordinated pump-and-dump schemes across at least 15 tokens including LIBRA, MELANIA, M3M3, ENRON, and TRUST, causing an estimated $69 million or more in retail investor losses. Multiple class-action lawsuits are active in the Southern District of New York asserting fraud, RICO violations, and market manipulation; the protocol also issued a $4.2 million MET token airdrop to wallets linked to the Trump team hours after the amended complaint was filed, with all tokens immediately sent to OKX.

BlockFills (operated by Reliz Technology Group Holdings, Inc.) was a Chicago-based institutional cryptocurrency trading and lending firm that processed $61.1 billion in volume in 2025 before filing for Chapter 11 bankruptcy in the U.S. Bankruptcy Court for the District of Delaware on March 15, 2026. The firm suspended client withdrawals and deposits on February 11, 2026, amid approximately $75 million in accumulated lending losses, and subsequently faced two civil lawsuits alleging misappropriation of customer assets and commingling of client funds with company funds. At the time of filing, BlockFills reported assets of $50 million to $100 million against liabilities of $100 million to $500 million, with approximately $145 million in general unsecured obligations.

LAB is the native token of an AI-powered multi-chain trading terminal that launched via a Binance Wallet exclusive Token Generation Event in October 2025. In May 2026, on-chain investigator ZachXBT published two investigations alleging that insiders controlled more than 95% of the token supply, coordinated a pump to a $6 billion fully diluted valuation, and withdrew approximately 100 million LAB tokens worth $480 million through 10 freshly created wallets before the price crashed more than 65%. The alleged scheme involved a BVI-registered shell company, predatory OTC loan agreements, unilateral vesting changes, and on-chain links to a broader pattern of exchange-facilitated supply-control manipulation attributed to an unknown market maker operating primarily through Bitget.

BlockDAG Network (BDAG) is a cryptocurrency project that ran a presale from December 2023 through February 2026, claiming to raise over $442 million, though its CEO stated publicly the actual figure was approximately $200 million. On-chain investigator ZachXBT and a DL News investigation have alleged that the project's true co-founder, Gurhan Kiziloz, operated behind the scenes while using a paid frontman as public CEO, transferred presale funds through Middle Eastern OTC brokers, and commingled at least $25 million in presale proceeds from BlockDAG and a sister project (ZKP) to pay influencers promoting Kiziloz's casino venture. Following its February 2026 token launch, BDAG fell approximately 99.98% from its all-time high within two months.

DSJEX (DSJ Exchange PTY Ltd) and its sister recruitment platform BG Wealth Sharing LTD operated for approximately twelve months as a coordinated fake AI trading platform and multi-level marketing Ponzi scheme, collapsing in late April and early May 2026 with estimated investor losses exceeding $150 million. The scheme attracted victims through promises of 1.3%–2.6% daily returns, a fabricated CEO persona, and MLM referral commissions, while operators ran simulated trading on a fraudulent backend. Following a U.S. domain seizure and law enforcement action on April 23, 2026, operators laundered over $92 million across Ethereum and Tron before a coordinated effort by on-chain investigator ZachXBT, Tether, Binance, OKX, and U.S. law enforcement froze $41.5 million in stolen funds.

The Verus-Ethereum Bridge is a cross-chain asset transfer protocol connecting the Verus blockchain to Ethereum, launched in October 2023. On May 18, 2026, a critical validation flaw in the bridge's checkCCEValues function was exploited, allowing an attacker to drain approximately $11.58 million in assets — comprising 103.6 tBTC, 1,625 ETH, and 147,000 USDC — at a cost of roughly $10 in transaction fees. All stolen funds were converted to approximately 5,402 ETH and subsequently moved through Tornado Cash.

Echo Protocol is a Bitcoin liquidity aggregation and yield infrastructure protocol operating on the Monad and Aptos blockchains, offering liquid staking, restaking, and cross-chain DeFi services through its wrapped Bitcoin asset eBTC. On May 19, 2026, the protocol suffered a critical admin key compromise on its Monad deployment, enabling an attacker to mint approximately 1,000 unauthorized eBTC tokens worth $76.7 million and borrow $3.45 million in WBTC through the Curvance lending protocol, ultimately laundering roughly $822,000 through Tornado Cash. The incident exposed severe centralized access-control failures in a protocol marketed as trustless Bitcoin DeFi infrastructure.

Alpha Finance Lab (later rebranded to Alpha Venture DAO, then Stella) is a DeFi protocol best known for its leveraged yield farming product Alpha Homora. On February 13, 2021, Alpha Homora V2 was exploited for approximately $37.5 million via a sophisticated attack that required insider knowledge of an unannounced smart contract, draining funds from its Iron Bank (Cream Finance) integration. By March 2023, the protocol had repaid less than 2% of the resulting $32 million debt to Iron Bank despite a formal repayment agreement, triggering a second crisis in which user funds were frozen.

EasyFi was a Layer 2 DeFi lending protocol operating on Polygon Network, forked from Compound Finance, that suffered one of the largest DeFi hacks of 2021 when an attacker compromised the CEO's MetaMask admin keys on April 19, 2021, stealing approximately $81 million in EASY tokens and stablecoins. The protocol attempted a hard fork and compensation plan, but a significant portion of token holders on decentralized exchanges alleged they remained uncompensated, and community members raised concerns about transparency, censorship of dissent, and the fundamental security failure of managing over $100 million in assets through a single admin key held in a browser extension. ZachXBT has flagged EasyFi as a high-risk entity.

Uranium Finance was a Binance Smart Chain-based automated market maker (AMM) that was exploited twice in April 2021, resulting in total losses of approximately $54.7 million. The larger exploit on April 28, 2021, drained roughly $53.3 million across 26 liquidity pools due to a mathematical error in its forked Uniswap v2 pair contracts; the protocol subsequently shut down permanently. In March 2026, U.S. authorities indicted Jonathan Spalletta, a Maryland resident, on computer fraud and money laundering charges in connection with both attacks, after previously seizing approximately $31 million in cryptocurrency in February 2025.

Meerkat Finance was a Binance Smart Chain yield-vault protocol that launched on March 3, 2021 and was drained of approximately $31.56 million in BUSD and BNB less than 24 hours later. On-chain evidence indicates the project's own deployer address executed the exploit, pointing to an intentional exit scam rather than an external hack. A developer identifying as 'Jamboo' subsequently claimed the drain was a 'trial' testing user greed, promised full refunds, and approximately 95% of funds were eventually recovered under heavy pressure from Binance and the BSC community.

PAID Network is an Ethereum-based DeFi launchpad and legal-contract protocol whose native PAID token suffered a catastrophic infinite mint exploit on March 5, 2021, resulting in approximately 59.5 million tokens being minted and ~2,040 ETH (~$3 million at the time) extracted before the team intervened. Significant on-chain evidence and community investigators raised allegations that the attack was an insider job or was enabled by gross negligence over a known vulnerability, though the team maintained it was an external private-key compromise. The token has since declined over 99% from its all-time high and retains a negligible market capitalization as of 2025-2026.

y00ts is a generative art NFT collection of 15,000 pieces created by Rohun Vora (known as 'Frank') and DeLabs, originally launched on Solana in September 2022. The project became notable not only for its peak valuations during the 2022 NFT boom but for an unusually turbulent migration history — leaving Solana for Polygon with a $3M grant, then abandoning Polygon for Ethereum after just four months and returning the grant, before ultimately migrating back to Solana in 2024. The project's credibility has been repeatedly questioned by its community following these pivots, the founder's May 2025 resignation, and a disputed wallet breach incident.

Ranger Finance was a Solana-based perpetual futures DEX aggregator that raised $1.9M in seed funding in January 2025 and completed a $6M+ MetaDAO ICO in January 2026. The project shut down in May 2026 following a governance-forced treasury liquidation triggered by alleged ICO misrepresentation, compounded by the April 2026 Drift Protocol exploit and a subsequent funding crisis. Token holders recovered approximately $5.04M USDC from the treasury, while employees and vendors were reportedly left without full compensation.

Rari Capital was a DeFi yield-aggregation and lending protocol launched in July 2020 by teenage co-founders Jai Bhavnani, Jack Lipstone, and David Lucid. It suffered two major security exploits — a $11 million hack in May 2021 and an $80 million reentrancy hack in April 2022 — and subsequently merged with Fei Protocol to form Tribe DAO before winding down in 2022. In September 2024, the SEC secured final court judgments against the company and all three co-founders for misleading investors and operating as unregistered brokers.

Popsicle Finance is a cross-chain automated yield optimization protocol, launched in March 2021, that suffered a critical $20.7 million exploit in August 2021 due to a reward-tracking vulnerability in its Sorbetto Fragola pools. The protocol is part of Daniele Sestagalli's 'Frog Nation' ecosystem alongside Wonderland (TIME) and Abracadabra Money (MIM), which was later engulfed in a major scandal when the treasury manager of Wonderland was revealed to be Michael Patryn, a convicted felon and co-founder of the fraudulent QuadrigaCX exchange. The project subsequently rebranded as WAGMI in 2023 but remains a high-risk entity given the severity of the 2021 exploit, the laundering of stolen funds through Tornado Cash, and the broader Frog Nation governance failures.

Poly Network was a cross-chain interoperability protocol launched in August 2020 by Neo, Ontology, and Switcheo. It suffered the largest DeFi hack in history in August 2021 (~$611M stolen, nearly all returned), followed by a second exploit in July 2023 (~$10M realized losses) attributed to compromised multisig private keys. The protocol permanently shut down all services on September 30, 2024.

bEarn.fi (BearnFi) is a Binance Smart Chain-based cross-chain yield farming and algorithmic stablecoin protocol that launched in late 2020. On May 16, 2021, an attacker exploited a smart contract denomination mismatch to drain approximately $10.85 million in BUSD from the protocol's bVaults via a flash loan attack. The project subsequently became inactive, with its native BFI token recording no price data after mid-2023 and a market capitalization of effectively zero. The entity has been flagged by ZachXBT.

PancakeBunny (Bunny Finance) was a Binance Smart Chain yield-optimizer developed by the anonymous team MOUND (Mound Inc.), which received a $1.6 million seed round led by Binance Labs in April 2021. The protocol suffered three separate exploits across 2021–2022 totaling over $127 million in losses, including a $45 million flash loan attack in May 2021, a $2.4 million polyBUNNY exploit on Polygon in July 2021, and an $80 million hack of its affiliated lending protocol Qubit Finance in January 2022. The BUNNY token has lost more than 99% of its all-time high value, the protocol transitioned to a DAO structure in early 2022, and no stolen funds from any exploit were publicly confirmed as recovered.

DeGods is a 10,000-piece NFT collection originally launched on Solana in October 2021 by Rohun Vora (known publicly as 'Frank DeGods'), which rose to become one of the most prominent Solana NFT projects before a series of controversial chain migrations, leadership changes, and product missteps substantially eroded community trust and floor value. The project migrated from Solana to Ethereum in early 2023, its sister collection y00ts moved to and then departed from Polygon, and both collections later bridged back to Solana in 2024. Rohun Vora resigned as CEO in May 2025 amid falling floor prices, a suspicious wallet incident, and unresolved community grievances around governance and tokenomics.

C.R.E.A.M. Finance (Crypto Rules Everything Around Me) is a decentralized lending and borrowing protocol launched in August 2020, forked from Compound Finance. The protocol suffered three major exploits in 2021 totaling approximately $185 million in losses, making it one of the most frequently and severely hacked DeFi protocols in history. On-chain investigator ZachXBT flagged the protocol and its founders, and the CREAM token has collapsed more than 99% from its all-time high.

Mirror Protocol was a Terra-based DeFi platform enabling synthetic assets (mAssets) that tracked prices of US stocks. The protocol suffered a $90 million exploit in October 2021 that went undetected for seven months, a governance attack campaign in December 2021 targeting $40 million in community funds, and a second $2 million oracle exploit in May 2022. It became permanently inactive in August 2022 following the catastrophic collapse of the Terra/LUNA/UST ecosystem, which was orchestrated by its parent company Terraform Labs under Do Kwon, who was subsequently convicted of fraud and sentenced to 15 years in prison.

Indexed Finance was an Ethereum-based decentralized protocol offering passively managed index pools, launched in late 2020. On October 14, 2021, the protocol suffered a sophisticated $16 million flash loan exploit targeting its DEFI5 and CC10 pools, destroying most user funds. The alleged attacker, Canadian mathematics prodigy Andean Medjedovic, was later charged by U.S. prosecutors in February 2025 in connection with $65 million in combined DeFi thefts and remains a fugitive as of early 2026.

Frank DeGods, the pseudonym of Rohun Vora, is the founder and former CEO of DeLabs, the company behind the DeGods and y00ts NFT collections. He stepped down as CEO in May 2025 after a period of sustained controversy including allegations of mismanagement, insider trading accusations tied to the LIBRA token scandal, a disputed post-resignation wallet compromise, and a series of contentious cross-chain migrations. No formal charges or regulatory actions have been filed against Vora as of the time of this report.

Vee Finance is a decentralized lending and leveraged trading protocol deployed on the Avalanche blockchain that launched its mainnet on September 14, 2021. Within one week of launch, on September 20-21, 2021, an attacker exploited price oracle manipulation and a decimal calculation error in the protocol's smart contracts, draining approximately $35 million in ETH and BTC — a hack that ranks among the largest DeFi exploits on Avalanche. The protocol relaunched as V2 with improved security measures including Chainlink oracle integration, but the stolen funds were never recovered, and activity and token value have declined precipitously since the incident.

Compound V2 is a legacy Ethereum-based decentralized lending protocol launched in May 2019 and formally deprecated in December 2025 in favor of Compound V3 (Comet). The protocol has experienced a series of material incidents including a ~$80M COMP token distribution bug in October 2021, a $89M oracle-driven liquidation cascade in November 2020, a confirmed website hijack flagged by ZachXBT in July 2024, a social media phishing hack in 2023 that resulted in $4.4M in losses, and an alleged governance attack in July 2024 in which a whale coordinated the passage of a $24M treasury transfer. V2 is now in wind-down mode with new borrows and mints paused.

AnubisDAO was an OlympusDAO fork that launched on October 28, 2021, and raised approximately 13,556 WETH (roughly $60 million) in under 20 hours through a Copper Liquidity Bootstrapping Pool. Before the sale concluded, the entire pool was drained to an external wallet, wiping investors to zero; on-chain investigator ZachXBT later identified two pseudonymous actors — Beerus and Ersan — as the likely perpetrators, and traced the stolen funds through Tornado Cash in 2023. No criminal charges have been publicly confirmed, no investor recovery has occurred, and the ANKH token is worthless.

AscendEX (formerly BitMAX) is a Singapore-based cryptocurrency exchange founded in 2018 that suffered one of the largest centralized exchange hot wallet hacks on record in December 2021, with approximately $77.7 million stolen across Ethereum, Binance Smart Chain, and Polygon networks. The exchange operates without regulatory authorization in major jurisdictions including the UK (FCA warning issued) and France (AMF blacklisted), and has accumulated a Trustpilot rating of 1.3/5 driven by user reports of frozen funds, unannounced token delistings, and unresponsive customer support. The exchange received a $50 million Series B investment in November 2021 — just weeks before the hack — from backers including Alameda Research, a firm later implicated in the collapse of FTX.

Grim Finance was a Fantom-based DeFi yield optimizer (fork of Beefy Finance) that suffered a devastating reentrancy exploit on December 19, 2021, resulting in approximately $30 million in user funds stolen. The vulnerability — a missing reentrancy guard in the depositFor() function — had existed in an audited codebase and was classified by security researchers as an entirely preventable, well-understood attack class. The protocol has since collapsed to a near-zero TVL of roughly $29,000 and its proposed compensation plan yielded no meaningful restitution for affected users.

Snowdog (SDOG) was an Avalanche-based OlympusDAO fork launched in November 2021 as a self-described '8-day decentralized reserve meme coin experiment' by the anonymous team behind Snowbank DAO. The project accumulated a $44 million MIM treasury before a planned token buyback on November 25, 2021, collapsed the token price by over 90% within seconds, with alleged insiders exploiting a hidden 'challengeKey' mechanism to extract approximately $20 million in profits while ordinary holders were locked out. The team declined to acknowledge deliberate wrongdoing, characterizing the event as a 'game-theory experiment gone wrong,' and subsequently renounced ownership, leaving investors with near-total losses.

BitMart is a centralized cryptocurrency exchange founded in 2017 by Sheldon Xia, incorporated in the Cayman Islands and operated by Bachi.Tech Corporation. In December 2021, the exchange suffered one of the largest crypto exchange hacks in history, with approximately $196 million in customer funds stolen after attackers compromised a private key to two hot wallets; reimbursement was promised but reported as slow and incomplete by many victims. The exchange has subsequently faced an FTC investigation, a UK FCA unauthorized-firm warning, an alleged 2025 data breach affecting 1.2 million users, recurring user complaints about frozen withdrawals, and its platform was used as a venue for DOJ-charged wash-trading schemes targeting retail investors.

Qubit Finance was a Binance Smart Chain lending and cross-chain bridge protocol developed by South Korean firm Mound Inc., the same team behind PancakeBunny. On January 27, 2022, an attacker exploited a logic error in the QBridge Ethereum-BSC bridge to mint approximately 77,162 qXETH tokens without depositing any ETH, then drained roughly $80 million in protocol assets; no funds were ever recovered and the attacker was never identified.

Inverse Finance Frontier (originally called Anchor) was a variable-rate lending market on Ethereum operated by Inverse Finance DAO, founded by Nour Haridy in 2020. The protocol suffered two separate oracle manipulation exploits in 2022 — one in April resulting in $15.6 million in losses and a second in June resulting in $5.8 million in bad debt — both attributed to vulnerabilities in how Frontier priced collateral assets. The protocol is now deprecated in favor of Inverse Finance's FiRM fixed-rate market, and the DAO continues to work down residual bad debt from both incidents.

DEUS Finance is a decentralized derivatives and synthetic asset protocol built primarily on Fantom, co-founded by Lafayette Tabor and Mohammad Abrishami. The protocol suffered three separate security exploits between March 2022 and May 2023, resulting in combined losses exceeding $22 million across flash loan oracle attacks and a smart contract implementation flaw, with stolen funds routed through Tornado Cash in the 2022 incidents. Repeated security failures across distinct vulnerability classes raise severe concerns about the protocol's security practices and long-term viability.

Dego Finance is a multi-chain NFT and DeFi aggregator protocol launched in September 2020 by an anonymous team. On February 10, 2022, an attacker compromised the team's deployer private keys and drained approximately $10 million from liquidity pools on Uniswap and PancakeSwap across Ethereum, Binance Smart Chain, and Cronos. No stolen funds were recovered; the project responded with a token migration but offered no direct restitution to affected liquidity providers.

Ronin Bridge is the cross-chain bridge that connected the Axie Infinity gaming ecosystem's Ronin sidechain to Ethereum, operated by Sky Mavis. In March 2022 it suffered the largest DeFi hack in history at the time — $625 million in ETH and USDC stolen by North Korea's Lazarus Group via compromised validator private keys obtained through social engineering. A second, smaller exploit occurred in August 2024. The legacy bridge was deprecated in April 2025 and migrated to Chainlink CCIP infrastructure.

Saddle Finance was an Ethereum-based automated market maker (AMM) optimized for pegged-value assets such as stablecoins and wrapped BTC, founded in 2020 and launched in January 2021. The protocol suffered a critical exploit on April 30, 2022, when an attacker leveraged an unpatched MetaSwapUtils library bug to drain approximately $11 million via flash-loan-assisted price manipulation, with $3.8 million subsequently rescued by security firm BlockSec. The protocol formally wound down in September 2023 following a DAO vote (SIP-54) triggered in part by the broader DeFi security climate after the Curve Finance hack.

Nomad was a cross-chain messaging bridge operated by Illusory Systems, Inc. that suffered one of the largest DeFi exploits in history on August 1–2, 2022, when a smart contract initialization bug allowed approximately $190 million in user funds to be drained in a chaotic free-for-all involving over 300 wallet addresses. The protocol never recovered meaningful user adoption after a December 2022 relaunch, faced a class action lawsuit and an FTC enforcement action, and in December 2025 agreed to a settlement requiring repayment of $37.5 million to affected users.

Curve Finance is a major decentralized exchange and automated market maker (AMM) on Ethereum, optimized for low-slippage swaps of pegged assets such as stablecoins. On July 30, 2023, several of its liquidity pools were drained of approximately $70 million due to a reentrancy vulnerability in the Vyper smart contract compiler (versions 0.2.15, 0.2.16, and 0.3.0), one of the largest DeFi exploits of 2023. Separately, founder Michael Egorov's practice of using large CRV holdings as loan collateral across multiple DeFi protocols created systemic risk that culminated in a $140 million liquidation event in June 2024, generating over $10 million in bad debt across connected protocols.

Wintermute is a London-headquartered algorithmic trading firm and cryptocurrency market maker founded in 2017 by Evgeny Gaevoy. On September 20, 2022, the firm's DeFi operations were exploited for approximately $160 million after an attacker leveraged a known cryptographic vulnerability in the Profanity vanity address tool to compromise Wintermute's admin private key. The stolen funds were never recovered, though the firm remained solvent, repaid its outstanding DeFi loans, and has continued operating and expanding into U.S. markets.

Harmony's Horizon Bridge is a cross-chain bridge connecting the Harmony (ONE) blockchain to Ethereum and Binance Smart Chain, launched in October 2020. In June 2022, it was exploited for approximately $100 million by the Lazarus Group, a North Korea-affiliated state-sponsored hacking collective, through compromise of a 2-of-5 multisig scheme controlling bridge funds. The FBI formally confirmed Lazarus Group attribution in January 2023; as of 2025, full victim restitution has not been achieved.

Badger DAO is a decentralized autonomous organization and DeFi protocol launched in December 2020 focused on generating yield on Bitcoin-backed assets via Ethereum-based vaults. In December 2021, a front-end attack exploiting a compromised Cloudflare API key resulted in approximately $120–130 million in user funds being drained across roughly 500 wallets. As of 2025, the protocol has seen significant decline: its flagship eBTC product was sunset, BADGER was delisted from Binance, and total value locked has fallen to low single-digit millions.

Deribit is a crypto options and futures exchange founded in 2016 in the Netherlands by John and Marius Jansen, historically operated through a Panama-registered entity and now licensed under Dubai's VARA framework as Deribit FZE. The exchange suffered a $28 million hot wallet compromise on November 1, 2022, covering the loss entirely from its own balance sheet. Coinbase completed the acquisition of Deribit for approximately $2.9 billion on August 14, 2025, making it a subsidiary of a publicly traded, NASDAQ-listed U.S. company.

Euler Finance V1 was a permissionless DeFi lending protocol on Ethereum that launched in December 2021 and was exploited for approximately $197 million on March 13, 2023, in what was the largest DeFi hack of that year. The attack exploited a missing health check in the donateToReserves function introduced in EIP-14, despite the codebase having undergone multiple external audits. In a highly unusual outcome, the pseudonymous attacker known as 'Jacob' returned all recoverable funds by April 3, 2023, with the total recovered value reaching approximately $240 million due to ETH price appreciation during the recovery period.

Binance Bridge (BSC Token Hub) was the official cross-chain bridge connecting the BNB Beacon Chain (BEP2) and BNB Smart Chain (BEP20), operated by Binance. On October 6-7, 2022, an attacker exploited a critical flaw in the bridge's IAVL Merkle proof verification logic inherited from Cosmos SDK, forging deposit proofs to mint 2 million BNB (approximately $586 million at time of exploit). Although the BNB Chain was halted by validators to contain the damage — trapping roughly $430 million on-chain — approximately $110–137 million escaped to other networks before the halt took effect.

Mango Markets V3 was a Solana-based decentralized margin trading protocol that suffered a $116 million oracle manipulation attack in October 2022 executed by Avraham Eisenberg, who artificially inflated the MNGO token price to extract funds against fabricated collateral. The protocol subsequently reached a partial recovery settlement, faced SEC and CFTC enforcement actions, and formally wound down operations by January 2025.

Arbix Finance was a yield farming protocol on Binance Smart Chain (BSC) that executed a deliberate rug pull on January 4, 2022, draining approximately $10 million in user funds. The anonymous development team minted 10 million unbacked ARBX tokens, dumped them on PancakeSwap to collapse the price, drained all user vaults, bridged the stolen assets to Ethereum via AnySwap, laundered them through Tornado Cash, and deleted the project website, Twitter, and Telegram accounts. Despite holding a CertiK audit from November 2021, the exploited contract fell entirely outside the audit scope.

Bitrue is a Singapore-incorporated centralized cryptocurrency exchange founded in 2018 that suffered a confirmed $23 million hot wallet exploit in April 2023, with stolen funds subsequently laundered through Tornado Cash as recently as June 2025. The exchange holds no license from Singapore's Monetary Authority (MAS) and relies on a VASP registration in Lithuania — a lower-tier regulatory framework — while accumulating a persistent record of user complaints alleging unjustified account freezes and asset seizures.

Atomic Wallet is a non-custodial multi-asset cryptocurrency wallet founded in 2017 and headquartered in Tallinn, Estonia. In June 2023, the platform suffered one of the largest individual wallet hacks in cryptocurrency history when attackers — subsequently attributed with high confidence to North Korea's Lazarus Group — drained over $100 million from approximately 5,500 user wallets. A 2022 third-party security audit had publicly identified critical vulnerabilities that the company allegedly failed to remediate prior to the attack.

GDAC was a South Korean cryptocurrency exchange operated by Peertec Co., Ltd. that launched in May 2018 and was registered as a Virtual Asset Service Provider (VASP) with Korea's Financial Intelligence Unit (KoFIU). On April 9, 2023, attackers drained approximately $13–14 million from its hot wallets — representing 23% of total custodial assets — causing the exchange to permanently shut down with no compensation offered to affected users.

Transit Swap is a cross-chain DEX aggregator incubated by TokenPocket, supporting swaps across Ethereum, BNB Chain, Polygon, Tron, Solana, and other networks. On October 1–2, 2022, an attacker exploited an input validation vulnerability in the platform's swap contract, draining approximately $21–28.9 million in user funds across Ethereum and BNB Chain. The attacker subsequently returned roughly 70% of stolen assets after security firms identified the exploiter's IP address and email, though an estimated 30% of funds — including amounts routed through Tornado Cash — remain unrecovered.

MonoX was a decentralized exchange protocol built on Ethereum and Polygon using a novel single-token liquidity model, which raised $5M in September 2021 and launched mainnet shortly before suffering a critical smart contract exploit on November 30, 2021. The attacker exploited a missing validation check in the swap function — using the MONO token as both input and output — to artificially inflate its price and drain approximately $31M in user funds across both chains. The protocol attempted a relaunch via MonoX 2.0 with a debt-token compensation mechanism, but MONO has since collapsed to near-zero value with negligible trading activity.

Stake.com is a Curaçao-licensed cryptocurrency gambling and sports betting platform co-founded in 2017 by Australians Ed Craven and Bijan Tehrani, operating as one of the largest crypto casinos globally with reported 2024 revenue of $4.7 billion. On September 4, 2023, the platform suffered a critical security breach in which approximately $41.35 million in cryptocurrency was drained from its hot wallets across Ethereum, BNB Smart Chain, and Polygon networks; the FBI formally attributed the attack to North Korea's Lazarus Group (APT38) within 48 hours. Stake.com restored full operations within five hours of the incident and stated that user funds were not affected, though the root cause — a likely hot wallet private key compromise — has never been officially confirmed by the company.

Mixin Network is a Hong Kong-based layer-2 cross-chain payment protocol that suffered the largest single crypto hack of 2023 when attackers compromised its cloud service provider's database and drained approximately $200 million in ETH, BTC, and USDT. The network remains operational but has only partially compensated users, the majority of stolen funds remain unrecovered, and a dormant attacker wallet moved funds to Tornado Cash in February 2026.

Multichain (formerly AnySwap) was a cross-chain bridge protocol that collapsed in mid-2023 following the arrest of its CEO Zhaojun by Chinese police in May 2023, which resulted in the seizure of private keys controlling over $1.5 billion in user assets. On July 7, 2023, approximately $126–127 million was drained from Multichain bridge reserves in transfers widely attributed to Chinese authorities or insiders with access to the CEO's confiscated key material. The protocol formally ceased operations on July 14, 2023, leaving users with unrecoverable losses.

Balancer V2 is a decentralized automated market maker (AMM) protocol launched in 2021 on Ethereum and multiple chains that separates AMM logic from token custody via a central Vault architecture. The protocol has experienced at least four documented security incidents across its V1 and V2 deployments, including a November 2025 exploit that drained approximately $128 million and directly led to the dissolution of Balancer Labs, the corporate entity behind the protocol, announced in March 2026.

Poloniex is a cryptocurrency exchange founded in 2014 and acquired in 2019 by an investor group led by Tron founder Justin Sun. On November 10, 2023, the exchange suffered one of the largest hot wallet compromises in crypto history, with attackers draining approximately $126 million across Ethereum, TRON, and Bitcoin networks in an attack attributed by multiple blockchain security firms to North Korea's Lazarus Group. The exchange has also faced significant regulatory enforcement actions, including a $7.59 million OFAC sanctions settlement and a $10.4 million SEC settlement for operating an unregistered national securities exchange.

Orbit Bridge is a cross-chain interoperability protocol developed by South Korean blockchain firm Ozys that suffered one of the largest bridge exploits in crypto history on December 31, 2023, losing approximately $81.5 million in ETH, WBTC, USDT, USDC, and DAI. The attacker allegedly compromised seven of ten multisig signatories after a former chief information security officer allegedly weakened the company firewall before departing, and blockchain analysts have linked the attack's patterns to North Korea's Lazarus Group, though no formal attribution has been confirmed by authorities. As of 2025, the majority of stolen funds remain unrecovered, with the attacker having laundered over 17,000 ETH through Tornado Cash.

Munchables is a Blast-chain NFT game that suffered a $62.5 million exploit on March 26, 2024, when a contractor later attributed to North Korea exploited a backdoor they had embedded in the project's upgradeable smart contracts before launch. The developer surrendered private keys and the full sum was recovered within approximately 24 hours, but the incident exposed fundamental failures in contractor due diligence and smart contract architecture.

Kronos Research is a Taipei-based cryptocurrency quantitative trading firm and market maker founded in 2018 by Mark Pimentel and Jack Tan. The firm experienced two serious security incidents within months of each other in 2023: an insider sabotage case in which two disgruntled engineers tampered with trading code causing $1.4 million in losses, and an external hack in November 2023 where compromised API keys led to the theft of approximately $25–26 million. The November hack cascaded onto WOO X, an exchange Kronos incubated and served as primary liquidity provider, causing a temporary trading halt and liquidations for 227 users.

KyberSwap Elastic is the concentrated liquidity automated market maker (AMM) component of Kyber Network, a decentralized exchange protocol deployed across more than a dozen EVM-compatible blockchains. On November 22–23, 2023, it suffered the largest DeFi exploit of that year — approximately $48–56 million drained via a precision rounding bug in its tick-crossing swap logic — after which the alleged attacker issued an on-chain ultimatum demanding full executive control of the company. Canadian national Andean Medjedovic was indicted by U.S. prosecutors in February 2025 on charges including wire fraud, computer hacking, and extortion; he remains a fugitive as of mid-2026.

Prisma Finance is a Liquity-forked, Ethereum-based DeFi protocol that allowed users to mint overcollateralized stablecoins (mkUSD and ULTRA) against liquid staking tokens (LSTs) such as wstETH, rETH, sfrxETH, and cbETH. On March 28, 2024, a critical vulnerability in the protocol's MigrateTroveZap helper contract was exploited for approximately $11.6 million, with a total loss across all attacker wallets of roughly $12.3 million; the primary exploiter sent the majority of stolen funds through Tornado Cash while claiming a 'whitehat rescue,' and as of 2026 the protocol's TVL has collapsed from a pre-exploit peak of approximately $220 million to under $300K.

Gala Games is a blockchain gaming platform founded in 2019 by Eric Schiermeyer and Wright Thurston whose GALA token has been at the center of two major controversies: a 2023 civil lawsuit alleging Thurston stole 8.6 billion GALA tokens (~$130M) from company wallets, and a separate May 2024 smart contract exploit in which an unauthorized minter minted 5 billion tokens worth approximately $200M. Both co-founders have filed competing civil suits alleging misappropriation of hundreds of millions of dollars, while Thurston also faces an unrelated SEC fraud action over a separate crypto mining venture.

DMM Bitcoin was a licensed Japanese cryptocurrency exchange operated by DMM Group (DMM.com) that launched in January 2018. In May 2024 it suffered the eighth-largest crypto theft in history when North Korean state-sponsored hackers attributed to the TraderTraitor subgroup of Lazarus Group stole 4,502.9 BTC (approximately $305–308 million USD) through a sophisticated supply-chain attack targeting Ginco, a third-party wallet management provider. Following the hack, Japan's Financial Services Agency issued a business improvement order, the exchange restricted operations, and in December 2024 announced full closure with all customer assets transferred to SBI VC Trade by March 2025.

Hedgey is a token vesting, lockup, and claims protocol that served over 100 on-chain projects before suffering a critical smart contract exploit on April 19, 2024, resulting in the theft of approximately $44.7 million across Ethereum and Arbitrum. The vulnerability — a missing input validation check in the ClaimCampaigns.sol contract — was present despite two prior audits by ConsenSys Diligence. No confirmed recovery of stolen funds has been reported; Hedgey was subsequently acquired by Anchorage Digital in late 2025.

Sonne Finance is a Compound V2 fork deployed on Optimism that was exploited for approximately $20 million on May 14, 2024, in what became the largest exploit in Optimism's history. The attack exploited a well-known precision-loss donation vulnerability in Compound V2 forks, triggered during the rollout of a new VELO token market; the attacker leveraged a multi-transaction deployment architecture and a two-day timelock window to manipulate exchange rates and drain user funds.

UwU Lend is an Ethereum-based DeFi lending protocol forked from Aave V2, launched in September 2022 and operated by Michael Patryn (known pseudonymously as 0xSifu), a co-founder of the collapsed Canadian crypto exchange QuadrigaCX and a convicted felon. In June 2024, the protocol was exploited twice by the same attacker — first for approximately $19.3 million on June 10 and again for $3.7 million on June 13 — via oracle price manipulation using flash loans, bringing combined losses to approximately $23 million.

Indodax (formerly Bitcoin Indonesia) is Indonesia's largest licensed cryptocurrency exchange, founded in 2014 by Oscar Darmawan and William Sutanto and serving over 9.6 million users. In September 2024, the exchange suffered a major security breach attributed to North Korea's Lazarus Group, resulting in approximately $22–25 million in losses across multiple blockchains. The exchange pledged full reimbursement to affected users, resumed operations within roughly 80 hours, and has since undergone a leadership restructuring.

BingX is a Singapore-headquartered centralized cryptocurrency exchange founded in 2018 (originally as Bingbon), operating across 160+ countries with over 10 million reported users. In September 2024, the exchange suffered a confirmed hot wallet breach totaling approximately $52 million across at least seven blockchain networks, with on-chain forensics subsequently linking the attack to North Korea's Lazarus Group. The exchange pledged full user compensation from reserves and resumed withdrawals within days, but independently unverified regulatory claims and initial opacity around the breach raise ongoing due-diligence concerns.

WazirX, operated in India by Zanmai Labs Pvt. Ltd., suffered a $234.9 million hack attributed to North Korea's Lazarus Group on July 18, 2024, freezing user funds and triggering multiple Indian regulatory investigations. India's Supreme Court dismissed a victims' petition in April 2025 citing a lack of crypto regulatory framework, while the Enforcement Directorate, Financial Intelligence Unit, and other agencies have opened probes into the exchange's operations, ownership structure, and alleged links to terror financing. A Singapore court approved a restructuring plan in October 2025, offering partial recovery to creditors.

Penpie is a yield-boosting DeFi protocol built on Pendle Finance by the Magpie DAO ecosystem, allowing users to earn boosted yields on Pendle liquidity pools without directly locking PENDLE tokens. On September 3, 2024, an attacker exploited a reentrancy vulnerability in Penpie's staking contract to drain approximately $27.3 million across Ethereum and Arbitrum, subsequently laundering all stolen funds through Tornado Cash and ignoring recovery appeals. The protocol filed reports with the FBI and Singapore Police but recovered no funds; a partial community compensation plan was proposed but not fully executed.

The US government holds one of the largest concentrations of seized cryptocurrency in the world, accumulated through major law enforcement actions including the 2016 Bitfinex hack and the Silk Road darknet marketplace. In October 2024, a government-controlled wallet linked to Bitfinex seizure funds was drained of approximately $20 million in what was subsequently attributed to alleged insider theft by John Daghita, son of a US Marshals Service contractor, who was arrested in Saint Martin in March 2026 after a blockchain investigation by ZachXBT exposed the scheme.

Phemex is a centralized cryptocurrency derivatives exchange founded in November 2019 by former Morgan Stanley executives and registered in the British Virgin Islands. In January 2025, the exchange suffered one of the largest crypto hacks of that year, with an estimated $69–85 million drained from hot wallets across 16 blockchains, subsequently attributed to North Korea's Lazarus Group through on-chain evidence linking the same wallets to the February 2025 Bybit hack. Phemex has also faced formal regulatory enforcement actions in Ontario, Canada, and operates without authorization in the United Kingdom.

Infini is a Hong Kong-based stablecoin neobank offering yield-bearing accounts and a global payment card. On February 24, 2025, a former developer who had covertly retained administrative privileges over Infini's smart contracts drained approximately $49.5 million in USDC from the Morpho MEVCapital vault, converting the funds to ETH and routing them through Tornado Cash. As of May 2026, no funds have been recovered, and the attacker's wallet remained active through at least February 2026.

M2 Exchange is an Abu Dhabi-based centralized cryptocurrency exchange licensed by the ADGM FSRA that suffered a $13.7 million hot wallet breach on October 31, 2024, attributed to an access control vulnerability spanning Bitcoin, Ethereum, and Solana. The exchange claims to have covered all customer losses from company reserves within hours of the incident, though the lack of a public post-mortem and two CEO transitions within eighteen months raise unresolved transparency questions.

Polter Finance was a decentralized lending protocol on the Fantom blockchain that suffered a critical oracle price manipulation exploit on November 16, 2024, resulting in losses estimated between $8.7 million and $12 million. The protocol was an unaudited fork of Geist Finance that relied on spot prices from SpookySwap liquidity pools as its oracle, a fundamental design flaw that allowed an attacker using funds originating from Tornado Cash to drain nearly all protocol TVL. The platform ceased operations following the hack, with no confirmed recovery of stolen assets as of mid-2026.

Injective Protocol is a Layer 1 blockchain built on the Cosmos SDK, designed for decentralized finance applications including derivatives, perpetuals, and spot trading via a fully on-chain order book. Founded in 2018 by Eric Chen and Albert Chon and backed by Binance Labs, Pantera Capital, and Mark Cuban, it launched its canonical mainnet in November 2021 and has grown to a top-tier DeFi chain. No regulatory enforcement actions have been identified against Injective; however, concerns exist around a 2025-2026 bug bounty dispute involving an alleged $500 million critical vulnerability, validator stake concentration, and third-party scams impersonating the protocol.

Celestia is a modular blockchain network that provides a dedicated data availability (DA) layer, allowing rollups and other chains to post transaction data cheaply and verifiably. Its native token TIA launched via mainnet and airdrop on October 31, 2023, and reached an all-time high near $20.85 in early 2024 before declining approximately 95% from peak. The project has faced serious community criticism over aggressive token unlock schedules, alleged insider selling by founders and early investors, airdrop manipulation by sybil attackers, and questions about whether its ecosystem has achieved real developer adoption.

Sei Network is a Layer 1 blockchain developed by Sei Labs, co-founded in 2021 by Jayendra Jog and Jeff Feng, designed to optimize high-throughput trading and DeFi with a parallelized EVM architecture. The project raised $35 million across seed and Series A rounds from prominent crypto VCs, launched its mainnet in August 2023, and has grown to over $600 million in TVL as of mid-2025. While no regulatory enforcement actions have been brought against Sei Labs or the Sei Foundation directly, the project faced community backlash over its 2023 airdrop distribution and carries structural risk concerns related to token unlock schedules, insider allocation concentration, and a low validator decentralization score.

Polygon (formerly Matic Network) is a Layer 2 scaling solution for Ethereum, originally founded in 2017 by Jaynti Kanani, Sandeep Nailwal, and Anurag Arjun. The project rebranded from Matic Network to Polygon in February 2021 and has grown into one of the most widely used Ethereum scaling platforms, though it has faced regulatory scrutiny from the SEC, allegations of token misallocation by on-chain analytics firm ChainArgos, and a significant undisclosed security vulnerability patched in 2021. The network's native token migrated from MATIC to POL in September 2024 as part of a broader Polygon 2.0 roadmap.

Cetus Protocol is a concentrated liquidity market maker (CLMM) and the dominant decentralized exchange on the Sui Network, launched in 2023. On May 22, 2025, an arithmetic overflow vulnerability in its fixed-point math library enabled an attacker to drain approximately $223 million from liquidity pools in the largest DeFi exploit of 2025, of which roughly $162 million was subsequently frozen by Sui validators and later returned to affected users via an on-chain governance vote. The incident raised significant concerns about smart contract security, audit effectiveness, and the degree of decentralization on the Sui network.

DEXX is a Solana-based on-chain memecoin trading terminal that suffered a catastrophic private key compromise on November 16, 2024, resulting in approximately $30 million in user losses across more than 8,600 wallets. Despite marketing itself as non-custodial, DEXX stored user private keys in plaintext on its own servers — a centralization risk that CertiK had flagged as unresolved prior to the breach. A partial compensation initiative led by LBank was announced in early 2025, but full recovery of stolen funds remains unlikely as the attacker laundered substantial ETH through Tornado Cash.

WOO X is a centralized cryptocurrency exchange founded in 2019 and incubated by Taiwanese quantitative trading firm Kronos Research, offering spot and derivatives trading with a focus on deep liquidity and low fees. The exchange has experienced two significant security events: a November 2023 liquidity crisis triggered by a $26 million hack of its primary market maker Kronos Research, and a July 2025 $14 million breach of nine user accounts attributed to a North Korean state-sponsored group (UNC4899/Lazarus) via phishing of a developer. Both incidents resulted in user compensation from company reserves, though the pattern of security failures and structural dependency on Kronos Research represent elevated counterparty and operational risk.

Cork V1 is a DeFi depeg protection protocol built on Ethereum that launched its public beta on March 4, 2025 and was exploited for approximately $12 million on May 28, 2025, less than three months after launch. The exploit resulted from a lack of input validation in the CorkHook smart contract and permissionless market creation logic, a vulnerability that slipped past four separate security audits from Quantstamp, Cantina, Sherlock, and Runtime Verification — three of which explicitly excluded the vulnerable contract from scope. All protocol functions were paused following the incident, stolen funds were laundered through Tornado Cash, and no user compensation plan has been publicly confirmed.

ThalaSwap is the decentralized exchange component of Thala Labs, an Aptos-based DeFi protocol offering an AMM, the Move Dollar (MOD) overcollateralized stablecoin, liquid staking, and a launchpad. On November 15, 2024, an input-validation bug introduced in a two-line patch to the v1 farming contract allowed an attacker to drain $25.5 million in liquidity pool tokens; funds were fully recovered within hours after SEAL 911 identified the exploiter via on-chain evidence and the attacker returned assets in exchange for a $300,000 bounty.

SwissBorg is a Swiss-based crypto wealth management and exchange aggregator founded in 2017, holding MiCA authorization from France's AMF and VQF membership in Switzerland. In September 2025, the platform suffered a $41.5 million loss when its staking partner Kiln's API was compromised via a GitHub token theft and Kubernetes pod injection, resulting in the unauthorized transfer of 192,600 SOL from SwissBorg's SOL Earn program; the company subsequently pledged full reimbursement from treasury funds. While SwissBorg maintains legitimate regulatory standing and transparency measures including Proof of Liabilities, the third-party supply chain failure exposes material counterparty risk in its Earn product architecture.

Truebit is an Ethereum-based protocol for verifiable off-chain computation, co-founded by mathematician Jason Teutsch and Solidity creator Christian Reitwiessner. On January 8, 2026, an integer overflow vulnerability in a five-year-old, closed-source legacy Purchase contract was exploited, draining 8,535 ETH (approximately $26.44 million) and causing the TRU token to collapse by over 99.9%; the attacker subsequently laundered all stolen funds through Tornado Cash.

Matcha (matcha.xyz) is a DEX aggregator built and operated by 0x Labs, launched in 2020, that routes trades across 130+ liquidity sources on 15+ blockchains using the 0x Protocol. The core Matcha platform has no history of direct exploits; however, Matcha Meta — a related but distinct meta-aggregator product launched later by the same team — suffered a $13.4M exploit in January 2026 via a third-party SwapNet contract, affecting users who had disabled the platform's default one-time approval security setting. 0x Labs is a well-funded, established entity whose protocol contracts have been audited by Trail of Bits, OpenZeppelin, and Ouroboros, and whose bug bounty program offers up to $1M via Immunefi.

UXLINK is a Singapore-based Web3 social infrastructure protocol that suffered a critical $11.3 million multisig exploit in September 2025, in which an attacker used deepfake video technology to socially engineer a team member, then minted up to 10 trillion unauthorized tokens — collapsing the token price by over 90%. The project has raised over $15 million from credible VCs including HashKey Capital and SevenX Ventures, but centralization risks in its smart contract architecture and persistent post-hack selling pressure have left the token trading at roughly 99% below its pre-hack highs as of May 2026.

Garden Finance (garden.finance) is a Bitcoin cross-chain bridge and swap protocol launched in December 2023 by former Ren Protocol core team members, using Hashed Timelock Contracts (HTLCs) and an intents-based solver network to enable non-custodial Bitcoin swaps across chains. In October 2025, a compromised solver operator lost approximately $11.4 million in a security incident attributed by forensic investigators to a North Korea-linked threat actor. Prior to the exploit, blockchain investigator ZachXBT alleged that a substantial portion of Garden's volume — with estimates ranging from 25% to over 75% — originated from illicit sources including funds stolen in the $1.46 billion Bybit hack by Lazarus Group, allegations the team disputed but did not fully refute.

Blend Pools V2 is a modular, permissionless lending protocol built on the Stellar blockchain by Script3, launched as an upgrade to Blend V1 with additions including flash loans and a reduced backstop threshold. In February 2026, a community-managed pool built on top of the protocol (YieldBlox DAO Pool) suffered a $10.8 million oracle manipulation exploit; Script3 stated the core V2 contracts were not at fault, attributing the incident to pool-operator misconfiguration of the Reflector VWAP oracle.

BALD was a memecoin launched on Coinbase's Base Layer 2 network on July 29, 2023, allegedly named as a reference to Coinbase CEO Brian Armstrong's appearance. After attracting over $66 million in ETH to its liquidity pool through aggressive liquidity additions and a price surge of approximately 4,000,000% within 24 hours, the anonymous deployer removed approximately $25.6 million in liquidity on July 31, 2023, causing the token price to collapse by roughly 90%. On-chain investigators linked the deployer's wallet to addresses with documented interactions with Alameda Research, with Wintermute's head of research publicly identifying former Alameda co-CEO Sam Trabucco as the most likely suspect — though no conclusive proof of identity was ever established.

Blizz Finance was a decentralized lending protocol on Avalanche, forked from Aave v2, that launched in November 2021 and was rendered insolvent in May 2022 when the Terra LUNA collapse triggered a Chainlink oracle circuit breaker that froze the LUNA price at $0.10 while the token's actual market price fell to near zero. Attackers exploited the stale price feed to borrow approximately $8.3 million in protocol assets using nearly worthless LUNA as collateral, draining the protocol entirely. The team announced permanent shutdown shortly after, recovering and distributing only approximately $1.5 million to affected users.

AlphaPo is a cryptocurrency payment processor incorporated in Panama and operating primarily in the online gambling sector, serving clients such as HypeDrop, Bovada, and Ignition. On July 22, 2023, attackers drained approximately $60 million in ETH, BTC, and TRX from its hot wallets via a private key compromise, disrupting withdrawals across multiple dependent platforms. On-chain investigator ZachXBT and subsequently the FBI attributed the attack to the DPRK-affiliated Lazarus Group (also designated TraderTraitor and APT38), placing the incident within a broader 2023 North Korean cryptocurrency theft campaign that totaled over $200 million.

GMX V1 was a decentralized perpetual exchange on Arbitrum and Avalanche that operated from September 2021 until July 2025, when a reentrancy exploit drained approximately $42 million from its GLP liquidity pool. The protocol has since disabled all V1 trading and GLP minting; it is no longer an active product, with users directed to GMX V2, which was unaffected by the exploit.

Team Finance is a DeFi token-locking and vesting platform operated by TrustSwap Inc. that suffered a critical $14.5 million exploit on October 27, 2022, when an attacker abused a validation flaw in its Uniswap V2-to-V3 migration function. The attacker ultimately returned approximately $7 million, retaining roughly 10% as a self-declared bug bounty; Team Finance subsequently switched auditors to CertiK and reported full user reimbursement by June 2023.

Radiant Capital is a decentralized cross-chain lending protocol built on LayerZero that suffered two significant security incidents in 2024: a $4.5 million flash loan exploit in January 2024 and a far more devastating $50 million multisig compromise in October 2024. The October hack, attributed by Mandiant with high confidence to North Korean state-sponsored group UNC4736 (Citrine Sleet / AppleJeus), involved a months-long social engineering campaign, macOS malware deployment on developer devices, and manipulation of hardware wallet signing interfaces to drain funds across BNB Chain and Arbitrum.

Furucombo is an Ethereum-based DeFi composability protocol launched in March 2020 that enables users to batch complex multi-protocol transactions via a drag-and-drop interface. On February 27, 2021, the protocol suffered a critical 'evil contract' exploit in which an attacker spoofed a new Aave v2 implementation via Furucombo's proxy, draining approximately $14–15 million in ETH and ERC-20 tokens from 22 users who had granted standing token approvals to the platform. The team responded with a compensation plan issuing iouCOMBO tokens subject to a 360-day vesting schedule, but the incident exposed fundamental risks in delegatecall-based proxy architectures and broad token approval models.

Huobi, rebranded to HTX in September 2023, is a major centralized cryptocurrency exchange founded in 2013 that came under the de facto control of Tron founder Justin Sun in late 2022. The exchange has suffered three significant security incidents since September 2023, faces extensive regulatory non-compliance across multiple jurisdictions, and its proof-of-reserves methodology has been subject to credible allegations of double-counting and asset manipulation by investigative outlets.

Beanstalk is an Ethereum-based algorithmic stablecoin protocol that on April 17, 2022 suffered one of DeFi's largest governance exploits, losing approximately $182 million after an attacker used flash loans to acquire a supermajority vote and pass a malicious proposal draining the protocol's treasury. The protocol relaunched in August 2022 following a community fundraiser called the Barn Raise, but its BEAN stablecoin has never recovered its peg and total value locked remains a fraction of pre-exploit levels.

Heco Bridge was the official cross-chain bridge connecting the HECO Chain (HTX Eco Chain) to Ethereum, operated by HTX (formerly Huobi) and associated with Justin Sun. On November 22, 2023, the bridge operator's private key was compromised, resulting in the theft of approximately $86.6 million in crypto assets; combined with a simultaneous HTX hot wallet breach, total losses reached approximately $99 million. Blockchain analytics firm Elliptic attributed the attack to North Korea's Lazarus Group, which subsequently laundered over $100 million of the proceeds through Tornado Cash. The HECO Network was permanently shut down on January 15, 2025.

FixedFloat (ff.io) is a non-custodial, no-KYC cryptocurrency swap exchange launched in 2018 that suffered two confirmed security breaches in 2024 totaling approximately $28.9 million in stolen assets. Both attacks were attributed to the same threat actor exploiting vulnerabilities in FixedFloat's third-party hosting provider, Time4VPS, and stolen funds were routed through the eXch mixer — a service subsequently shut down by German authorities for laundering proceeds from major crypto thefts. The platform resumed operations after a two-month suspension but has faced ongoing scrutiny for its anonymity-first model, opaque team structure, and inadequate incident disclosure.

Bitget is a Seychelles-incorporated centralized cryptocurrency exchange founded in 2018, offering spot, futures, and copy trading to a claimed user base exceeding 150 million. While the exchange has never suffered a direct hack of user funds and publishes monthly proof-of-reserves attestations, it faces a pattern of serious regulatory actions across multiple jurisdictions — including blacklisting by France's AMF, warnings from Australia's ASIC and Japan's FSA, and a ban by the Philippines SEC — and has attracted allegations from blockchain investigator ZachXBT that it knowingly enabled supply-control market manipulation schemes targeting retail traders in 2026.

Elephant Money is a Binance Smart Chain DeFi protocol offering the ELEPHANT reward token and TRUNK stablecoin that suffered a $22.2 million flash loan price-manipulation exploit in April 2022, with stolen funds laundered through Tornado Cash. Independent analysts have additionally alleged that the protocol's yield mechanics constitute a structurally unsustainable Ponzi scheme dependent on continuous new capital inflows.

Pando Rings is an algorithmic lending and borrowing protocol built on the Mixin Network by Fox One, modeled on Compound Finance. On November 5, 2022, an attacker exploited a price oracle vulnerability tied to the sBTC-WBTC LP token on 4swap to drain approximately $21.9 million in ETH, BTC, and EOS from the protocol; an additional ~$50 million remained frozen in the attacker's wallets. The protocol subsequently suffered further losses in the September 2023 Mixin Network infrastructure breach, and as of late 2023 remained in a limited operational state with interest accrual and liquidations suspended.

DogWifTools is a Solana-based memecoin tooling platform that markets features explicitly designed to simulate artificial trading volume, conceal supply concentration across hundreds of wallets, and inflate engagement metrics on pump.fun — capabilities that security researchers and blockchain analysts characterize as enabling wash trading and coordinated pump-and-dump schemes. In January 2025, the platform suffered a supply-chain attack in which threat actors trojaned versions 1.6.3 through 1.6.6 with a Remote Access Trojan, draining an estimated $10 million from users' wallets; the attacker group framed the theft as vigilante justice against scammers. No known regulatory action has been taken against DogWifTools operators, who remain anonymous.

Resolv is a DeFi protocol issuing USR, a delta-neutral stablecoin backed by ETH with perpetual futures hedging, developed by Resolv Labs. On March 22, 2026, the protocol suffered a critical exploit in which an attacker compromised Resolv's AWS key management infrastructure to mint 80 million unbacked USR tokens, extracting approximately $23–25 million in ETH and triggering a severe stablecoin depeg. The protocol remains paused as of May 2026 while recovery and infrastructure remediation are underway.

Rhea Lend is the lending arm of Rhea Finance, a DeFi protocol on NEAR Protocol formed in early 2025 through the merger of Ref Finance and Burrow Finance. In April 2026, Rhea Lend suffered a major exploit in which an attacker drained approximately $18.4 million by exploiting a flaw in the protocol's slippage protection mechanism via a fake-token pool manipulation scheme. Partial recovery of approximately $9–13 million was achieved through voluntary returns and asset freezes, but the incident represents a critical security failure on an audited protocol.

Curio (CurioDAO) is a multi-chain real-world asset (RWA) DeFi protocol that suffered a critical smart contract exploit on March 23, 2024, resulting in approximately $16 million in losses after an attacker exploited a voting-power privilege escalation vulnerability to mint approximately 1 billion unauthorized CGT governance tokens. The protocol had no known third-party security audits prior to the exploit and relied on internal reviews. Curio announced a recovery plan including a new CGT 2.0 token and a phased compensation program, though independent verification of full compensation delivery remains limited.

Upbit is South Korea's largest cryptocurrency exchange by trading volume, operated by Dunamu and commanding approximately 70–80% of the domestic market. The exchange has suffered two significant security breaches — a $49M ETH theft in 2019 and a $36M Solana breach in November 2025, both attributed to North Korea's Lazarus Group — and has faced substantial regulatory sanctions including a $25M AML/KYC fine and a court-contested three-month partial business suspension. While Upbit has consistently reimbursed users from its own assets after security incidents and retains official VASP registration, its pattern of compliance failures, market dominance concerns, and repeated hacks present elevated risk.

Abracadabra.money is a multi-chain DeFi lending protocol that allows users to mint the MIM (Magic Internet Money) USD-pegged stablecoin using interest-bearing tokens as collateral. The protocol has been compromised three times since January 2024, losing a combined total of over $21 million, and its founding ecosystem was shaken in January 2022 when co-founder Daniele Sestagalli's associate — Wonderland's pseudonymous treasury manager known as 0xSifu — was publicly identified as Michael Patryn, a convicted felon and co-founder of the fraudulent exchange QuadrigaCX. The SPELL token has declined approximately 99.5% from its November 2021 all-time high, and the protocol's total value locked has collapsed from over $776 million to under $30 million.

Grinex is a Kyrgyzstan-registered cryptocurrency exchange widely assessed by blockchain intelligence firms and U.S. regulators as a direct successor to Garantex, a sanctioned Russian exchange seized in March 2025. Grinex was formally sanctioned by OFAC in August 2025 for facilitating billions in cryptocurrency transactions linked to ransomware groups, darknet markets, and Russian sanctions evasion. In April 2026, the exchange suspended operations following a reported $13.7 million hack it attributed to Western intelligence agencies — a claim for which no technical evidence was presented and which analysts have suggested may mask an internal exit scam.

Kelp (also known as Kelp DAO) is a liquid restaking protocol built on Ethereum and EigenLayer that issues rsETH, a liquid restaked token. In April 2026 the protocol suffered the largest DeFi exploit of 2026 to date when attackers, attributed to North Korea's Lazarus Group, drained approximately $292 million in rsETH through a compromised LayerZero cross-chain bridge configuration. The protocol and an industry coalition dubbed DeFi United are actively working to restore collateral and resume operations as of May 2026.

Step Finance was a Solana-based DeFi portfolio management and analytics platform founded by George Harrap that operated from 2021 until February 2026. On January 31, 2026, attackers compromised executive team devices and drained approximately $40 million in treasury assets, representing a catastrophic operational security failure. The platform was unable to secure financing or an acquisition to continue operating and formally shut down on February 23, 2026, along with affiliated projects SolanaFloor and Remora Markets.

Cashio was a Solana-based algorithmic stablecoin protocol that issued the CASH token, collateralized by Saber LP tokens. On March 23, 2022, an attacker exploited a critical missing validation flaw in the smart contract to mint approximately 2 billion CASH tokens backed by worthless fake collateral, draining roughly $52 million in real assets and permanently destroying the token's USD peg. The protocol was unaudited, never compensated victims in full, and its pseudonymous creator later admitted the code was rushed and insecure.

A fraudulent mobile application impersonating Hyperliquid, the decentralized perpetuals exchange, was identified on the Google Play Store in November 2025 by on-chain investigator ZachXBT. The app, published under the developer name 'Tvtion Inc.', replicated Hyperliquid's branding and interface to harvest users' seed phrases, transmitting them to an external server. An Ethereum address linked to the operation has been associated with thefts exceeding $281,000; Hyperliquid has never released an official mobile application, making any such listing inherently fraudulent.

The Blockchain Bandit is an unidentified threat actor or group that systematically exploited Ethereum wallets holding cryptographically weak private keys between approximately 2015 and 2018, accumulating more than 45,000 ETH (worth over $54 million at peak 2018 valuations) through a technique researchers later termed 'Ethercombing.' The actor compromised 732 private keys across 49,060 transactions, draining wallets in near-real-time using automated blockchain monitoring. Dormant since 2018, the actor re-emerged in January 2023 and again in December 2024, consolidating approximately 51,000 ETH (valued at roughly $172 million) into a single multisig wallet, as tracked by on-chain investigator ZachXBT.

Inferno Drainer is a scam-as-a-service (drainer-as-a-service) platform that provided phishing infrastructure and malicious wallet-draining scripts to criminal affiliates in exchange for a percentage of stolen funds. Active from November 2022 through at least early 2025, it is attributed to stealing over $80 million from approximately 137,000 victims during its initial operational phase, with operators claiming a cumulative total exceeding $250 million across all periods including a covert post-shutdown phase. It operates by luring victims to phishing websites impersonating legitimate crypto brands, tricking users into signing malicious transactions that drain wallets across multiple EVM-compatible blockchains.

The Democratic People's Republic of Korea (DPRK), operating primarily through state-sponsored hacking units designated as the Lazarus Group, TraderTraitor, and APT38, has stolen an estimated $6.75 billion in cryptocurrency since 2016 across dozens of major exploits. These operations are attributed by the FBI, OFAC, CISA, and allied governments to North Korea's Reconnaissance General Bureau and are conducted to fund the regime's weapons of mass destruction and ballistic missile programs in circumvention of international sanctions. DPRK-linked hackers are responsible for the largest single crypto theft in history — the $1.5 billion Bybit hack in February 2025 — and continue to operate at unprecedented scale and sophistication.

Malone Lam Yu Xuan (born July 19, 2004), a Singaporean national residing in Miami and Los Angeles, is the alleged ringleader of a crypto theft and money laundering enterprise responsible for stealing over $263 million across multiple victims between 2023 and 2025. He was arrested by the FBI on September 18, 2024, and faces RICO conspiracy charges in what prosecutors describe as the first Bitcoin-related RICO prosecution in U.S. history. As of early 2026, he remains in pretrial detention while negotiating a plea deal.

BlackSuit is a ransomware-as-a-service (RaaS) operation that emerged in May 2023 as a rebranding of the Royal ransomware gang, itself a successor to the Conti cybercrime syndicate believed to be operated by Russian-speaking threat actors. The group employed double-extortion tactics across critical infrastructure sectors including healthcare, automotive, education, and government, compromising over 450 U.S. victims and demanding more than $500 million in ransom, primarily in Bitcoin, before international law enforcement dismantled its infrastructure in July 2025 under Operation Checkmate.

An unidentified threat actor or group breached LastPass in August–November 2022, exfiltrating encrypted customer password vaults containing cryptocurrency seed phrases and private keys stored by an estimated 25–30 million users. Beginning in late 2022 and continuing at least through late 2025, the actors allegedly cracked weak master passwords offline and drained cryptocurrency wallets in coordinated waves, with documented losses exceeding $250 million across hundreds of victims and a single high-profile $150 million XRP theft attributed to Ripple co-founder Chris Larsen. TRM Labs on-chain analysis and law enforcement investigations link the laundering activity to Russian cybercriminal infrastructure, including OFAC-sanctioned exchange Cryptex.

WazirX is an Indian cryptocurrency exchange co-founded in 2018 by Nischal Shetty, Sameer Mhatre, and Siddharth Menon that suffered the largest crypto hack in Indian history on July 18, 2024, when approximately $234.9 million in user assets were stolen from a Gnosis Safe multisig wallet via a sophisticated supply-chain-style attack attributed by Elliptic, ZachXBT, and a joint US-Japan-South Korea government statement to North Korea's Lazarus Group. The hack triggered suspension of all withdrawals, a Singapore court-supervised restructuring process in which users are expected to recover approximately 55% of their assets, and ongoing regulatory and law enforcement scrutiny in India.

Glori Finance was an alleged DeFi lending protocol deployed on the Arbitrum network in early 2024, operating as a Compound V2 fork with approximately $1.4 million in total value locked (TVL) at the time of its exposure. On April 14, 2024, blockchain investigator ZachXBT identified that the top GLORI token holders had seeded liquidity using funds stolen from prior scams — specifically the Crolend, Hash DAO, and HellHoundFi frauds — linking Glori Finance to a serial scam ring responsible for over $20 million in cumulative losses. Following ZachXBT's public disclosure, the Glori Finance X account was deactivated and the protocol's website went offline, consistent with an exit scam.

Magnate Finance was a DeFi lending and borrowing protocol deployed on Coinbase's Base Layer 2 network that executed an exit scam on August 25, 2023, stealing approximately $6.4–6.5 million in user funds by manipulating its price oracle. On-chain investigator ZachXBT issued a public warning hours before the rug pull, having traced the deployer address to at least two prior exit scams: Solfire ($4.8M, January 2022) and Kokomo Finance ($5.5M, March 2023), establishing this as the work of a repeat-offender scam ring responsible for over $16.7 million in total losses.

eXch (exch.cx) was a no-KYC instant cryptocurrency swap service operating from 2014 until its forced shutdown in May 2025. Registered in Belize under the name Private Project Facilitators LTD, the platform processed an estimated $1.9 billion in total volume, deliberately advertising its absence of anti-money laundering controls on criminal underground forums. German federal law enforcement seized approximately $38 million in cryptocurrency assets and 8 terabytes of data from the platform in April 2025, following evidence linking eXch to laundering roughly $200 million of funds stolen in the $1.46 billion Bybit hack carried out by North Korea's Lazarus Group.

Vkevin is a pseudonymous threat actor known for operating fake Safeguard Telegram bot phishing campaigns that have allegedly drained seven figures from victims' cryptocurrency wallets. On January 23, 2025, blockchain investigator ZachXBT published a 31-minute video exposing Vkevin in the act of running these scams from what was described as a New York school, and confirmed the individual had been doxxed. Vkevin is additionally alleged to have conducted a 2022 Discord attack against DigikongNFT using a spoofed MEE6 bot, resulting in over $300,000 in NFT losses.

Aqua (also known as AquaBot) was a Solana-based Telegram trading bot that conducted a presale in September 2025, raising approximately 21,770 SOL ($4.65 million) from retail investors before executing an apparent exit scam. On-chain investigator ZachXBT flagged the project after presale funds were split into four tranches, routed through intermediary wallets, and sent to instant exchanges hours before the scheduled token generation event. The project had secured endorsements from multiple established Solana ecosystem participants — including Meteora, Helius, Dialect, SYMMIO — and had received a near-perfect audit score from QuillAudits just days before the alleged rug pull.

Veer Chetal, known online as 'Wiz,' is a 19-year-old from Danbury, Connecticut who pleaded guilty in November 2024 to conspiracy to commit wire fraud and conspiracy to launder monetary instruments in connection with a $243–245 million Bitcoin theft targeting a single Genesis creditor via social engineering. He was identified and exposed by blockchain investigator ZachXBT, who traced stolen funds on-chain and publicly named the perpetrators before law enforcement arrests were made. Chetal was re-arrested in early 2025 after committing additional crypto thefts while released on bond and faces a federal sentencing guideline range of 19–24 years imprisonment.

On November 3, 2024, unidentified scammers compromised the X (Twitter) account of rapper Wiz Khalifa (35.7 million followers) and used it to promote two fraudulent Solana meme coins — $WIZ and $WIZZLE — launched on pump.fun. The $WIZ token reached a peak market cap of approximately $2.5 million within 15 minutes before collapsing over 95% in under one hour, with at least two insider wallets extracting a combined $160,000 in profit. Blockchain investigator ZachXBT linked the incident to a broader campaign of celebrity account takeovers that allegedly stole over $3.5 million in total, and subsequently accused a former professional Fortnite player known as 'Serpent' of involvement in the coordinated scheme.

TradeOgre was an unregistered, no-KYC cryptocurrency exchange founded around 2018 and known for listing privacy coins including Monero (XMR) and Pirate Chain. On September 18, 2025, the RCMP executed Canada's largest-ever cryptocurrency seizure, dismantling the platform and seizing over CAD $56 million (approximately USD $40 million) in digital assets. Investigators determined that the majority of funds transacted on the platform came from criminal sources, including ransomware proceeds, darknet market activity, hacking exploits, and fraud schemes.

Friend.tech was a SocialFi application launched on Coinbase's Base L2 in August 2023 that allowed users to buy and sell tokenized 'keys' (shares) of social media influencers. The platform suffered a wave of SIM-swap attacks draining at least 343 ETH from users, exposed wallet addresses of 101,000 users via an API data breach, launched its FRIEND token in May 2024 which collapsed 98% within months, and was ultimately abandoned by its pseudonymous founders in September 2024 after they extracted approximately $44 million in protocol fees.

JELLY (JellyJelly / JELLYJELLY) is a Solana memecoin launched in January 2025 by Venmo co-founder Iqram Magdon-Ismail that became the center of a major market manipulation incident on Hyperliquid on March 26, 2025. A coordinated trader used a self-liquidation strategy — opening large opposing long and short positions — to force Hyperliquid's HLP liquidity vault to absorb a toxic short, causing up to $13.5 million in unrealized losses before validators emergency-delisted the token and force-settled all positions at a fixed price. The incident triggered widespread criticism of Hyperliquid's decentralization claims and raised systemic questions about perpetuals DEX risk management.

Avalanche C-Chain address 0x327a81d0d128db8886d265be73c9fdda97194f30 was flagged by on-chain investigator ZachXBT in June 2024 as the primary launderer for the BTCTurk exchange hack, having transferred approximately 1.96 million AVAX (valued at ~$54.2 million) to Coinbase, Binance, Gate.io, and THORChain. ZachXBT's timing analysis linked subsequent BTC withdrawals of approximately $45.96 million to the same threat actor, who was also allegedly responsible for a concurrent $2.9 million theft from Sportsbet. The address currently holds negligible funds, consistent with successful laundering of proceeds.

The 'WallStreetBets' brand has been exploited in at least two distinct crypto fraud incidents: a 2021 Telegram pre-mine scam using a fake 'WallStreetBets – Crypto Pumps' channel that stole over $2.1 million in BNB and ETH, and a 2023 Ethereum meme token (WSB Coin) that surged to a $50 million market cap before insiders allegedly dumped $635,000 worth of tokens within days of launch, collapsing the price by over 90%. Neither token was authorized by Reddit or the r/WallStreetBets subreddit, and ZachXBT publicly identified the alleged perpetrators in the 2023 incident.

GANA Payment was a BNB Smart Chain payment-focused DeFi project (BEP-20 token) that launched on November 11, 2025 and was exploited nine days later on November 20, 2025, resulting in losses exceeding $3.1 million. On-chain investigator ZachXBT confirmed the attack, which involved a compromised deployer private key combined with abuse of EIP-7702 to drain the project's staking contract; stolen funds were subsequently laundered through Tornado Cash on both BSC and Ethereum. The GANA token lost over 90% of its value within 24 hours of the exploit.

Nobitex is Iran's largest cryptocurrency exchange, founded in 2017, claiming over 11 million users and handling approximately 70% of Iran's on-chain crypto volume. A March 2025 Reuters investigation identified its founders as brothers Ali and Mohammad Kharrazi — members of a family with documented ties to Iran's Supreme Leaders and the founding of the Islamic Revolutionary Guard Corps — who operated the exchange under an alternative surname. Blockchain analytics firms including Elliptic, Chainalysis, and TRM Labs have documented billions of dollars in flows through Nobitex connected to sanctioned Iranian state entities including the Central Bank of Iran and the IRGC, making the platform a critical node in Iran's sanctions evasion infrastructure.

Sportsbet.io is a cryptocurrency gambling and sports betting platform operated by mBet Solutions N.V. under the Yolo Group umbrella, licensed in Curaçao. On June 22, 2024, blockchain investigator ZachXBT publicly identified that the platform's hot wallets were drained of approximately $3.5 million in USDT and TRX, attributing the attack to the same threat actor who hours later stole an estimated $55 million from Turkish exchange BtcTurk, with stolen funds allegedly commingled between both hacks. The platform has drawn ongoing scrutiny for operating in regulatory grey markets, serving users in jurisdictions where it holds no local license, and for systemic user complaints involving account closures and fund seizures following wins. Yolo Group founder Tim Heath confirmed in 2025 that the brand is being wound down in favor of fully regulated markets.

pump.fun (operated by Baton Corporation Ltd., also listed on AVOID.NET as 'pumpdotfun') is a Solana-based meme token launchpad that launched in January 2024 and rapidly became one of the most-used token creation platforms in crypto, generating over $800 million in cumulative revenue and more than 11.9 million tokens. The platform is subject to an active RICO class action lawsuit in the SDNY alleging up to $5.5 billion in retail losses, a UK FCA regulatory ban, a $1.9 million insider flash loan exploit, documented use by North Korea's Lazarus Group for money laundering, and independent research classifying 98.6% of its tokens as rug pulls or fraud.

pump.fun (operated by Baton Corporation Ltd., also listed on AVOID.NET as 'pumpdotfun') is a Solana-based meme token launchpad that launched in January 2024 and rapidly became one of the most-used token creation platforms in crypto, generating over $800 million in cumulative revenue and more than 11.9 million tokens. The platform is subject to an active RICO class action lawsuit in the SDNY alleging up to $5.5 billion in retail losses, a UK FCA regulatory ban, a $1.9 million insider flash loan exploit, documented use by North Korea's Lazarus Group for money laundering, and independent research classifying 98.6% of its tokens as rug pulls or fraud.

Wallex is an Iranian cryptocurrency exchange founded in 2018 in Tehran by graduates of Sharif University of Technology, serving approximately 1 million users as of 2022 and operating as a major domestic crypto-to-rial on/off-ramp. On March 25, 2026, blockchain investigator ZachXBT flagged suspicious fund consolidation activity, prompting both Tether (USDT) and Circle (USDC) to simultaneously blacklist Wallex-linked wallet addresses, leaving approximately $2.49 million stranded on-chain. Wallex operates in a jurisdiction under comprehensive U.S. OFAC sanctions, has been linked by Chainalysis to transactions with a U.S.-sanctioned individual, and suffered a confirmed data breach in 2021 that exposed user credentials.

C&M Software (also styled CMSW) is a Brazilian financial technology company authorized by the Banco Central do Brasil to provide connectivity between smaller financial institutions and Brazil's national payment infrastructure, including the PIX instant-payment system. On June 30, 2025, hackers exploited credentials sold by an insider employee to drain approximately R$800 million (roughly USD 140–148 million) from reserve accounts of at least six financial institutions, in what became Brazil's largest recorded banking cyberattack. A portion of the stolen funds—estimated at USD 30–40 million—was subsequently laundered through Latin American OTC desks and crypto exchanges using Bitcoin, Ethereum, and Tether USDT, with on-chain investigator ZachXBT playing a central role in tracing and partially freezing the laundered assets.

Masa (also known as Masa Finance, later rebranded as Gopher) is a Web3 data and identity protocol that launched a soulbound token standard on Ethereum in 2023 before pivoting to a decentralized AI data network. The MASA token, sold via CoinList in March 2024 at $0.079 and hitting an all-time high of approximately $0.4697 on its April 11, 2024 listing date, subsequently collapsed by over 99.9% to trade near $0.00002 by mid-2026. ZachXBT publicly accused the project of concealing a six-figure security exploit in September 2024, which the team later confirmed only after the allegation was made public.

LastPass is a widely used password manager that suffered a catastrophic two-stage data breach in 2022, resulting in the theft of encrypted customer password vaults containing cryptocurrency seed phrases and private keys. Threat actors subsequently cracked these vaults offline over the following years, draining crypto wallets in waves totaling more than $438 million across hundreds of victims by late 2025. The breach has led to a £1.2 million UK ICO regulatory fine, a $24.45 million US class action settlement, US federal seizures, and on-chain attribution by TRM Labs and blockchain researcher ZachXBT to Russian cybercriminal infrastructure.

Tapioca DAO is an omnichain DeFi money market built on LayerZero, offering a CDP stablecoin (USDO) and isolated lending markets (Singularity/Big Bang) across Arbitrum and BNB Chain. On October 18, 2024, the protocol suffered a critical security breach when a team member was targeted by a social engineering attack attributed to North Korea's Contagious Interview campaign, resulting in private key compromise, drainage of TAP token vesting contracts, and the minting of 5 quintillion USDO. Approximately $4.4–4.7 million was stolen before a partial counter-exploit recovered roughly 996 ETH (~$2.7 million), leaving the protocol treasury down approximately 45% and the TAP token price collapsed over 95%.

Garden Finance is a cross-chain Bitcoin bridge protocol launched in 2023 by former Ren Protocol developers, using Hash Time Locked Contracts (HTLCs) and an intents-based solver network to enable atomic swaps across Ethereum, Solana, Arbitrum, Base, and other chains. On October 30–31, 2025, one of its largest solver operators was compromised via a leaked private key, resulting in approximately $11.4 million in stolen assets that were subsequently laundered through Tornado Cash. Prior to the exploit, blockchain investigator ZachXBT alleged that over 80% of the protocol's recent fee revenue was derived from laundering funds stolen in the February 2025 Bybit hack, which the Lazarus Group (DPRK) perpetrated for approximately $1.4 billion.

Bitcoin Depot was once the largest Bitcoin ATM operator in North America, operating more than 9,000 kiosks before filing for Chapter 11 bankruptcy on May 18, 2026. The company faces lawsuits from the attorneys general of Iowa and Massachusetts alleging it knowingly facilitated crypto scams, with one state finding that more than 80% of high-value transactions at its kiosks were linked to fraud. Multiple data breaches, a $3.6 million wallet theft, regulatory enforcement in California, and on-chain evidence flagged by ZachXBT further document systemic compliance and security failures.

HyperCycle (HYPC) is an Ethereum ERC-20 token marketed as infrastructure for decentralized AI-to-AI transactions, co-founded by SingularityNET's Ben Goertzel and TODA inventor Toufi Saliba. The token has lost approximately 99% of its value from its all-time high of $1.29, and its smart contract contains a PAUSER_ROLE that allows a designated admin to halt all token transfers at will. No independent smart contract security audit has been publicly submitted, and the tokenomics structure — which allocates 20% to team, advisors, and partners with a relatively short vesting cliff — has been cited by multiple analysts as generating sustained selling pressure that disadvantages retail participants. ZachXBT has broadly flagged AI-narrative token projects as high-risk.

Wasabi Protocol is a decentralized perpetual futures and leveraged trading platform for memecoins and long-tail assets, deployed on Ethereum, Base, Berachain, and Blast. On April 30, 2026, the protocol suffered a critical multi-chain exploit in which a compromised admin deployer key was used to execute malicious UUPS proxy upgrades across core contracts, draining over $5 million in user funds. Security firm BlockSec reported that the attacker's wallets had been funded via Tornado Cash, and on-chain investigator ZachXBT publicly criticized the protocol for single-EOA admin control, absence of a timelock or multisig, and alleged misappropriation of project funds on influencer marketing.

Noones is a peer-to-peer cryptocurrency trading platform targeting Africa and the Global South, founded and initially led by Ray Youssef, co-founder of the now-defunct Paxful. In January 2025, the platform suffered an $8 million hot-wallet exploit that was concealed for nearly three weeks before on-chain investigator ZachXBT publicly exposed the breach. Compounding platform risk, Youssef was subsequently indicted by the DOJ in early 2026 on federal AML charges stemming from his leadership of Paxful, and stepped down as Noones CEO shortly thereafter.

MEXC is a centralized cryptocurrency exchange founded in 2018, incorporated in Seychelles, that has accumulated a significant regulatory record across multiple jurisdictions including warnings or cease orders from authorities in Hong Kong, Germany, Belgium, Japan, Estonia, and South Korea. The exchange gained widespread notoriety in late 2025 after on-chain investigator ZachXBT amplified user reports of frozen funds, including a high-profile case in which a trader known as 'The White Whale' had approximately $3 million frozen without adequate explanation, eventually prompting a public apology from the exchange's Chief Strategy Officer. MEXC's parent entity MEXC Global Ltd was struck off by the Seychelles registry in August 2023, dissolved in December 2024, and never obtained a license under the Seychelles VASP Act 2024, leaving its current operational and legal standing opaque.

Kroll Restructuring Administration LLC served as the court-appointed claims and noticing agent for the FTX, BlockFi, and Genesis bankruptcy proceedings. On August 19, 2023, a threat actor executed a SIM swap attack against a Kroll employee's T-Mobile account, gaining unauthorized access to files containing the personal data of tens of thousands of crypto bankruptcy claimants. The exposed data was subsequently exploited in large-scale phishing and social engineering campaigns, with blockchain investigator ZachXBT estimating total losses attributable to the breach at eight to nine figures, and at least one alleged perpetrator — Danish Zulfiqar, also known as 'Danny' — was arrested in Dubai in late 2025 on RICO charges related to a broader $263 million social engineering conspiracy.

1EU2pMence1UfifCco2UHJCdoqorAtpT7 is a legacy P2PKH Bitcoin address holding approximately 9,999.99 BTC that has never had any outgoing transactions, marking it as a dormant high-value wallet. The address has been publicly circulated in attacker-community repositories as a brute-force cracking target, appearing in GitHub issue lists of 'rich wallet addresses for BTC crack' alongside automated key-collision tools. No verifiable private-key compromise or confirmed theft has been documented as of the investigation date; however, the address's inclusion in brute-force tooling databases and its indexing on privatekeys.pw elevates its risk profile considerably.

Renzo Protocol is an Ethereum liquid restaking protocol that issues ezETH, serving as an interface to the EigenLayer ecosystem. In April 2024, ezETH suffered a severe depeg event — dropping as low as $700 in under one hour — triggered by an unpopular REZ tokenomics announcement that concentrated approximately 65% of supply with insiders and investors. The event caused over $56 million in DeFi liquidations affecting more than 250 users, and the REZ token has since lost approximately 97% of its all-time high value.

Metawin is an offshore crypto casino and gaming platform licensed under the Anjouan (Comoros) gaming authority, operated by Asobi N.V. from Curacao, and founded by Richard 'Skel' Skelhorn. On November 3, 2024, the platform suffered a significant hot wallet exploit across Ethereum and Solana blockchains resulting in approximately $4 million in stolen funds, with blockchain investigator ZachXBT tracing the stolen assets to KuCoin and a nested HitBTC service across more than 115 attacker-linked addresses. The CEO subsequently claimed to have personally covered the losses, restoring withdrawals for approximately 95% of affected users, though the platform's offshore jurisdictional status and the underlying security vulnerability raise ongoing concerns.

Spartans Bet (spartans.com) is a crypto betting and casino platform launched in 2025, operated by Nexus International Entertainment Ltd, a company registered in Belize and licensed under the disputed Anjouan (Comoros) gaming authority. On-chain investigator ZachXBT alleged in 2025 that the platform's suspected co-founder, Gurhan Kiziloz, is also the hidden operator behind BlockDAG Network, a project ZachXBT claims raised over $300 million from retail investors through deceptive social media advertising and misappropriated presale funds via Middle Eastern OTC channels. Spartans makes prominent 'provably fair' claims that lack independently verifiable third-party audit documentation, and the platform carries a below-average safety index of 6.4/10 from casino.guru, with user complaints citing refused withdrawals and unfair bonus terms.

Mixin Network is a Hong Kong-based cross-chain Layer 2 protocol that suffered one of the largest cryptocurrency hacks of 2023, losing approximately $200 million when its cloud service provider's database was compromised on September 23, 2023. The hack exposed a fundamental contradiction in Mixin's self-described decentralized architecture: the majority of user funds were held in hot wallets backed by a centralized cloud database. As of early 2026, the majority of stolen assets remain unrecovered, with the attacker beginning to launder funds through Tornado Cash.

PAAL AI is an Ethereum ERC20 token launched in July 2023, marketed as an AI-powered chatbot and automation ecosystem for crypto communities. In September 2023, blockchain investigator ZachXBT published on-chain evidence and leaked Telegram messages alleging that four prominent crypto influencers — TraderSZ, TraderNJ1, PetaByte, and Trader_XO — received undisclosed token allocations from the PAAL AI team and engaged in a coordinated pump-and-dump scheme, collectively dumping hundreds of thousands of dollars in PAAL tokens on retail buyers. The token subsequently declined approximately 98.7% from its March 2024 all-time high of $0.8653 to below $0.013 by mid-2026, while the PAAL brand has also been exploited by third-party wallet-draining scams impersonating its staking platform.

Act I: The AI Prophecy (ACT) is a Solana-based AI-narrative memecoin launched via Pump.fun in October 2024 with no verified product utility. The token reached an all-time high of approximately $0.92 in November 2024 before declining over 98% to roughly $0.013 by mid-2026. It has been subject to a documented co-founder token dump, a suspicious 49% flash crash on Binance in April 2025 attributed to large coordinated sell orders, and broad sector criticism from on-chain investigator ZachXBT who labeled 99% of AI agent tokens as scams.

Token 2049 is one of the world's largest crypto conferences, held annually in Singapore and Dubai by Hong Kong-based BOB Group. The event has faced repeated criticism for insufficient sponsor vetting, most notably when OFAC- and UK-sanctioned Russia-linked stablecoin A7A5 was listed as a platinum sponsor and given a speaking slot at the October 2025 Singapore edition. Separately, in March 2025, on-chain investigator ZachXBT publicly flagged multiple Token 2049 sponsors — including DWF Labs, Bitunix, JuCoin, WEEX, and Spacecoin — for fraud, wash trading, and regulatory non-compliance, warning that conference sponsorship carries no implied credibility.

ANDY is a meme token launched on the Base (Ethereum L2) network in 2024, built around the 'boy's club' internet meme character. Blockchain investigator ZachXBT documented a theft of approximately $2 million in ANDY tokens from a victim's wallet in June 2024, with the perpetrator converting roughly half the stolen funds to Ethereum. CertiK's Skynet platform assigned the token a score of 2.7 out of 100, indicating serious security and governance deficiencies. Allegations that individuals associated with the token conducted SIM-swap attacks targeting Korean-American crypto holders have been attributed to ZachXBT's flagging but remain unconfirmed by independently verifiable Tier 1 or Tier 2 sources.

Netmind AI (netmind.ai) is a London-based decentralized GPU compute network that issues the NMT token on both Ethereum (ERC20) and BNB Smart Chain (BEP20) via upgradeable proxy contracts. In March 2024, 440,000 NMT tokens were sold in a sudden dump that caused a 76% price crash — attributed by the team to a compromised early miner wallet, though the mechanism remains disputed. The NMT contract is an upgradeable transparent proxy that grants the owner unilateral ability to disable sells, change fees, mint, or transfer tokens, representing a material centralization and rug-risk vector flagged by security tools and, according to AVOID.NET source tagging, by ZachXBT.

JRNY Crypto (real name allegedly Tony Spark) is a pseudonymous cryptocurrency and NFT influencer operating since 2017, with over 760,000 followers on X and 590,000 YouTube subscribers at peak activity. ZachXBT flagged the account in November 2024 after approximately $4 million in crypto assets were drained from associated wallets in a suspected private key compromise; JRNY did not publicly acknowledge the incident. Separate community-sourced allegations include undisclosed paid promotions, a paid strategic advisory role at BSC launchpad Seedify that critics allege was not consistently disclosed to audiences, and criticism over the JRNY Club and Planet Xolo NFT projects failing to meet roadmap commitments.

SBI Crypto is a cryptocurrency mining subsidiary of Japan's SBI Holdings, operating one of the top Bitcoin mining pools globally and offering related infrastructure services. On September 24, 2025, addresses linked to the company saw approximately $21–24 million in suspicious outflows across five cryptocurrencies; blockchain investigator ZachXBT and security firm Cyvers identified laundering patterns consistent with DPRK-affiliated Lazarus Group operations. SBI Group did not proactively disclose the breach and provided only minimal confirmation after independent researchers surfaced the incident publicly.

Truflation is a blockchain-based inflation data oracle protocol that provides real-time economic indices to DeFi applications via its Truflation Stream Network (TSN) and TRUF token. In September 2024, the project suffered a confirmed malware attack that compromised private keys across its treasury multisig and personal wallets, resulting in losses estimated between $4.6 million and $5.2 million — predominantly in TRUF tokens, ETH, and DAI. On-chain investigator ZachXBT was among the first to publicly identify and report the incident; the project subsequently initiated a full TRUF token migration as a remediation measure.

Crypto.com is a Singapore-headquartered centralized cryptocurrency exchange founded in 2016 (originally as Monaco) by Kris Marszalek, Bobby Bao, Gary Or, and Rafael Melo. The platform has been subject to multiple serious security incidents, including a confirmed January 2022 hack in which $34 million was stolen via a 2FA bypass and laundered through Tornado Cash, and an alleged 2023 data breach linked to the Scattered Spider hacking group that the company did not publicly disclose to affected users. Blockchain investigator ZachXBT has publicly accused Crypto.com of governance manipulation and tokenomics fraud, citing the March 2025 reissuance of 70 billion CRO tokens that had been permanently burned in 2021, and the company's controversial 2020 forced swap from its original MCO token to CRO at unfavorable rates.

Nexera (formerly AllianceBlock) is a blockchain infrastructure protocol focused on compliant real-world asset tokenization, operating primarily on Ethereum. In August 2024, a threat actor later attributed to North Korea's Lazarus Group used social engineering and BeaverTail malware to steal smart contract management credentials, enabling unauthorized transfer of 47.24 million NXRA tokens valued at approximately $1.9 million. The team mitigated further losses by zeroing out and subsequently burning the 32.5 million tokens that remained in the attacker's wallet, limiting confirmed liquidated losses to roughly $449,000.

Serenity Shield is a blockchain-based data storage and crypto inheritance protocol built on BNB Smart Chain, operating a product called StrongBox. On February 27, 2024, a team MetaMask wallet was compromised and 6.9 million SERSH tokens valued at approximately $5.6 million were stolen, causing the token price to collapse by over 95% within 24 hours. On-chain investigator ZachXBT linked the attacker to a serial hacker responsible for multiple private-key compromise incidents across at least six other protocols in late 2023 and early 2024.

CoinEx is a centralized cryptocurrency exchange that suffered a major hot wallet breach on September 12, 2023, with losses estimated between $54 million and $70 million across multiple blockchains. On-chain investigators ZachXBT and Elliptic attributed the attack to the Lazarus Group (TraderTraitor), a North Korean state-sponsored threat actor, based on wallet address overlap with the contemporaneous Stake.com hack. Stolen proceeds were subsequently laundered in part through the Sinbad Bitcoin mixer, which was sanctioned by the U.S. Treasury's OFAC on November 29, 2023.

Trust Wallet is a widely-used non-custodial mobile and browser cryptocurrency wallet, originally acquired by Binance in 2018 and later divested as an independent entity. It has been the subject of multiple documented security incidents spanning 2022–2025, including a critical WebAssembly entropy vulnerability (CVE-2024-23660), a supply-chain compromise of its Chrome extension in December 2025 that resulted in approximately $8.5 million in user losses, and a historical low-entropy key generation flaw exploited in 2023. Blockchain investigator ZachXBT flagged the December 2025 browser extension incident and documented hundreds of victims.

EigenLayer is a legitimate Ethereum restaking protocol operated by Eigen Labs that became a high-value target for phishing campaigns, wallet drainer attacks, and social engineering in 2024 following the launch of its EIGEN token. In October 2024 alone, the protocol's official X account was compromised to promote a fake airdrop resulting in at least $800,000 lost by one victim, and a separate email-based social engineering attack redirected approximately $5.7 million in locked investor tokens to an attacker's wallet. EIGEN holders and restakers face an elevated and persistent threat surface from impersonation sites, fake airdrop claims, and token-approval drainer schemes that exploit the protocol's name and brand recognition.

Cardano (ADA) holders face a persistent and multi-vector threat landscape that includes deepfake giveaway scams impersonating founder Charles Hoskinson, social media account hijackings used to promote fraudulent tokens, phishing campaigns distributing credential-stealing malware disguised as wallet software, and NFT-based wallet drainers. The Cardano Foundation's own X account was compromised in December 2024, resulting in the promotion of a fake token and false regulatory claims. State-sponsored actors including the North Korean Lazarus Group have also targeted ADA holders through the Atomic Wallet supply chain attack.

Andy Ayrey is a New Zealand-based AI researcher and self-described performance artist who created Truth Terminal, an autonomous AI chatbot that became closely associated with the Goatseus Maximus (GOAT) memecoin, which briefly reached a $900M–$1B market cap in late 2024. Ayrey disclosed holding 1.25 million GOAT tokens gifted to him and pledged not to trade on insider knowledge, later establishing a non-profit foundation (Truth Collective) to manage the AI's holdings. ZachXBT's involvement concerns the October 2024 SIM-swap hack of Ayrey's X account — which third-party hackers exploited to deploy scam memecoins netting over $1.5M — rather than direct fraud allegations against Ayrey himself; however, broader ethical concerns persist around the gray-area ecosystem of AI-agent-driven memecoin promotion that Truth Terminal helped legitimize.

Kiln is an institutional-grade, non-custodial staking infrastructure provider that manages over $14 billion in staked assets across 50+ proof-of-stake networks, including approximately 6% of the entire Ethereum validator set. In September 2025, Kiln suffered a sophisticated supply chain attack in which a threat actor compromised a GitHub access token belonging to a Kiln infrastructure engineer, injected malicious code into the Kiln Connect API, and caused the theft of approximately 192,600 SOL (~$41 million) from enterprise customer SwissBorg. The incident prompted Kiln to exit all 1.6 million ETH worth of its Ethereum validators as a precautionary measure, triggering the longest Ethereum exit queue backlog in the network's history.

Vitalik Buterin is the legitimate co-founder of Ethereum and is not himself a scam actor. However, his name, likeness, and social media presence constitute one of the most heavily weaponized impersonation surfaces in crypto. Documented threats include a September 2023 SIM-swap of his X account (linked to Pink Drainer, resulting in ~$691K stolen from followers), persistent fake giveaway livestreams on YouTube, thousands of fraudulent Instagram accounts, and an escalating campaign of AI-generated deepfake videos distributing wallet-drainer phishing links.

BONAD.fun is a permissionless meme token launchpad operating on the Monad blockchain, positioned as BONK's community-driven expansion from Solana into the EVM ecosystem via Monad. The platform is an independent community project not officially endorsed or vetted by the BONK Foundation, and no public smart contract audit has been documented. The platform shares brand identity and fee-recycling mechanics with Bonk.fun, the Solana-based predecessor that suffered a domain hijacking and wallet-drainer attack in March 2026 — a front-end attack vector that is directly relevant to BONAD.fun's risk surface as a structurally similar deployment.

Thunder Terminal is a Solana-based on-chain trading terminal that suffered a $240,000 exploit on December 27, 2023, when an attacker leveraged compromised MongoDB credentials to steal session tokens and drain 86.5 ETH and 439 SOL from 114 user wallets in under nine minutes. The attacker subsequently routed the stolen ETH through the Railgun privacy protocol and demanded a 50 ETH ransom for deletion of alleged user data, directly contradicting Thunder Terminal's public claim that no user data or private keys were compromised. Thunder Terminal pledged full reimbursement of stolen funds, engaged the FBI, and implemented additional security controls, though no public confirmation of completed reimbursements has been verified.

MustStopMurad is the X handle of Murad Mahmudov, a Princeton-educated former Goldman Sachs analyst and co-founder of the now-defunct Adaptive Capital hedge fund, who rose to prominence in 2024 as the primary advocate of the 'memecoin supercycle' thesis following a widely-circulated speech at TOKEN2049 Singapore. On-chain investigator ZachXBT published what he alleged to be 11 wallets linked to Mahmudov in October 2024, holding approximately $24 million in memecoins, raising concerns about undisclosed large holdings in tokens he publicly promotes to hundreds of thousands of followers. No regulatory action has been filed; the core allegations of supply control, potential front-running, and undisclosed conflicts of interest remain contested and unproven in any legal forum.

BitoPro is a Taiwanese centralized cryptocurrency exchange operated by BitoGroup, serving over 800,000 users with TWD (New Taiwan Dollar) fiat on/off-ramps. On May 8, 2025, the exchange suffered an approximately $11.5 million hot wallet theft attributed to North Korea's Lazarus Group via a social-engineering and AWS-token-hijacking attack. The exchange did not publicly disclose the breach for approximately 25 days, only confirming the incident after on-chain investigator ZachXBT flagged suspicious outflows on June 2, 2025.

Rain (rain.com / Rain Financial) is a Bahrain-headquartered cryptocurrency exchange founded in 2017, holding licenses from the Central Bank of Bahrain and the Abu Dhabi Global Market's Financial Services Regulatory Authority. In April 2024, the exchange suffered a confirmed security breach of approximately $14.8 million in BTC, ETH, SOL, and XRP, which went undisclosed for approximately two weeks until blockchain investigator ZachXBT publicly exposed it. Rain subsequently confirmed the incident and stated that all customer funds were covered from company reserves.

SafePal is a hardware and software cryptocurrency wallet founded in 2018 by Veronica Wong and incubated by Binance Labs, with over 10 million claimed users. The platform has been surrounded by multiple serious security incidents including a malicious Firefox extension that impersonated the wallet for seven months in 2021, a Binance-backed Launchpad token (SFP), hardware vulnerabilities disclosed by Kraken Security Labs, and a $6.5–7 million theft linked to a tampered hardware wallet sold via the Chinese platform Douyin (TikTok China). SafePal itself has not been hacked directly, but its brand has been repeatedly exploited by third-party threat actors, and ZachXBT has documented its wallets appearing in fund-laundering flows.

Across Protocol is a cross-chain bridge protocol built on UMA's optimistic oracle, founded by Hart Lambur and the UMA/Risk Labs team and launched in 2021. In June 2025, pseudonymous investigator Ogle alleged that protocol insiders used undisclosed wallets to push through two governance proposals transferring approximately 150 million ACX tokens ($23 million) from the DAO treasury to Risk Labs, the team's own organization, constituting alleged self-dealing and DAO manipulation. Separate allegations from LayerZero founder Bryan Pellegrino claimed insider trading preceded a surprise Binance listing of ACX in December 2024, with the protocol subsequently proposing in early 2026 to dissolve its DAO entirely and convert to a U.S. C-corporation.

CoinsPaid is an Estonia-based cryptocurrency payment processor founded by Max Krupyshev that was targeted in two major security breaches: a $37.3 million hack in July 2023 attributed by the company and the FBI to North Korea's Lazarus Group (achieved via a sophisticated social engineering campaign using fake job offers), and a second breach in January 2024 resulting in approximately $7.5 million in losses. Despite the company's stated transparency and rapid operational recovery, the consecutive incidents raise significant concerns about its security posture and its status as a repeated high-value target for state-sponsored threat actors.

KAITO is the native token of Kaito AI, an AI-powered 'InfoFi' (information finance) platform built on Base blockchain, founded by former Citadel quantitative trader Yu Hu and launched in February 2025. On March 15, 2025, both the official Kaito AI X account and Yu Hu's personal account were compromised by hackers who spread false claims of wallet breaches while simultaneously holding short positions on KAITO, netting an estimated $1 million in profit from the manufactured price panic. The platform faced additional scrutiny from blockchain investigator ZachXBT over alleged AI bot spam incentivized by its Yaps reward system, which was ultimately sunset in January 2026 after X revoked API access to all InfoFi applications.

Hypurr NFTs are a 4,600-piece cat-themed NFT collection airdropped by the Hyper Foundation on September 28, 2025, to early Hyperliquid users who participated in the November 2024 Genesis Event. On the day of launch, blockchain investigator ZachXBT flagged the theft of eight Hypurr NFTs from compromised HyperEVM wallets, yielding approximately $400,000 in profit for the attacker. The collection itself is a legitimate product of the Hyper Foundation, but the incident exposed wallet security vulnerabilities in the HyperEVM ecosystem and coincided with a broader pattern of exploits across Hyperliquid-based protocols in late September 2025.

Strike (operated by Zap Solutions, Inc.) is a Bitcoin and Lightning Network payments application founded by Jack Mallers. The platform has faced scrutiny over a 2023 data breach it initially denied, the use of Tether (USDT) as a backing for purported USD cash balances for non-US users, and a 2026 proposed merger with Twenty One Capital (XXI) that raises serious conflict-of-interest concerns given Mallers serves as CEO of both entities.

Coinbase (NASDAQ: COIN) is the largest publicly listed cryptocurrency exchange in the United States, founded in 2012 and regulated across multiple jurisdictions. Despite its regulated status, the platform has been the subject of significant documented concerns: a May 2025 insider-enabled data breach affecting approximately 70,000 users with estimated remediation costs of $180–400 million, ongoing documented losses exceeding $300 million per year from social engineering scams targeting Coinbase users (as reported by blockchain investigator ZachXBT), a $100 million AML compliance settlement with the NYDFS in 2023, and controversies surrounding its Base Layer-2 blockchain including a disputed token launch and a contentious departure from the Optimism OP Stack ecosystem.

Cointelegraph is a major legitimate cryptocurrency news outlet that has been a victim of two distinct infrastructure compromises. In January 2024, attackers breached its email service provider MailerLite and sent phishing emails to subscribers using Angel Drainer malware, resulting in estimated losses of $580,000 to over $700,000 across affected platforms. In June 2025, attackers separately compromised Cointelegraph's banner advertising system to serve Inferno Drainer-linked pop-ups promoting a fake CTG token airdrop to site visitors.

Circle Internet Group is the issuer of USDC, the second-largest USD-pegged stablecoin by market capitalization. Circle has faced sustained criticism from blockchain investigator ZachXBT and others for its policy of refusing to freeze USDC linked to hacks or scams without a formal court order or law enforcement mandate, which critics allege has allowed over $420 million in illicit funds to flow freely since 2022. The company went public on the NYSE in June 2025 under the ticker CRCL and received conditional OCC approval for a national trust bank charter in December 2025.

Rapper Nelly (Cornell Iral Haynes Jr.) is flagged here not as a perpetrator of crypto fraud, but as a victim of an account compromise. In October 2023, an X (formerly Twitter) account associated with Nelly — handle @NellioETH — was hacked by an unknown third party who then used it to run a social engineering phishing campaign against crypto users. Blockchain investigator ZachXBT first identified and publicized the incident; specific amounts stolen from victims and detailed on-chain forensics have not been publicly confirmed.

M2 is a UAE-based cryptocurrency exchange licensed by the Abu Dhabi Global Market (ADGM) Financial Services Regulatory Authority, operating as a regulated Multilateral Trading Facility and custodian since late 2023. On October 31, 2024, the exchange suffered a $13.7 million hot wallet breach attributed to an access control vulnerability across the Bitcoin, Ethereum, and Solana networks. M2 subsequently reimbursed all affected customers from its own assets and stated it had engaged law enforcement and regulatory authorities.

Bittensor is a decentralized blockchain protocol functioning as a peer-to-peer marketplace for machine intelligence, using the TAO token to reward AI model contributors. In July 2024, the protocol was the target of a supply chain attack via a malicious version of its official PyPI package, resulting in the theft of approximately $28 million in TAO tokens from 32 wallets. A civil lawsuit filed in January 2025 alleges that former Opentensor Foundation employees orchestrated the attack, and on-chain investigator ZachXBT identified a key suspect through NFT wash-trade analysis and Railgun de-mixing.

Porkbun LLC is a legitimate ICANN-accredited domain registrar founded circa 2014-2015, headquartered in Sherwood, Oregon, and managing over 3.45 million domains. While the company is not itself a scam operation, it has attracted scrutiny from the crypto security community — including on-chain investigator ZachXBT — for hosting phishing infrastructure linked to Angel Drainer and Inferno Drainer wallet-draining services, including fake Ledger sites. Third-party tracking platforms document hundreds of flagged phishing domains registered through Porkbun and allege that the company's abuse-response enforcement has been inadequate, with a majority of reported domains remaining active after formal abuse reports.

Transak is a fiat-to-crypto on-ramp infrastructure provider founded in 2019 and serving over 8 million users across 160+ countries, with integrations into major platforms including MetaMask, Phantom, and Uniswap. In October 2024, a phishing attack on an employee's laptop led to unauthorized access to a third-party KYC vendor's dashboard, exposing the personal identity documents of approximately 92,554 users globally, including names, dates of birth, government-issued IDs, and selfie photos. The breach resulted in a $601,000 class action settlement covering U.S.-based affected users, and the Stormous ransomware group claimed responsibility, alleging extraction of over 300GB of data.

Pendle is a permissionless yield-trading protocol on Ethereum, launched in 2021 by TN Lee and Vu Nguyen, that allows users to separate and trade the principal and yield components of yield-bearing assets. In September 2024, Penpie — an independent yield optimizer built on top of Pendle — suffered a $27 million reentrancy exploit that was made possible in part by Pendle's permissionless market creation design. Although Pendle's own contracts were not directly exploited, the protocol's architecture contributed to the attack surface, and all 11,261 ETH in stolen funds were subsequently laundered through Tornado Cash.

Trezor is a legitimate Prague-based hardware wallet manufacturer (SatoshiLabs) and one of the oldest in the industry, but it has accumulated a significant threat ecosystem around its brand. A January 2024 breach of its third-party support portal exposed contact data for approximately 66,000 users, which subsequently fueled targeted phishing campaigns delivered via email, physical mail, and fake apps. Trezor hardware devices have also been subject to disclosed physical attack vectors, including an alleged unpatchable flaw in the STM32 microcontroller used in the Trezor T model.