Avoid your next
big mistake

Miasma is a multi-wave, self-propagating npm supply chain attack campaign active from June 1 through at least June 10, 2026, that compromised hundreds of widely-used npm packages and dozens of GitHub repositories across organizations including Red Hat, Vapi.ai, and Microsoft Azure. The malware, a variant of the Mini Shai-Hulud credential-stealing worm associated with threat actor TeamPCP (also tracked as UNC6780), exfiltrates cloud credentials, CI/CD secrets, SSH keys, and browser-stored data including crypto wallet files, then uses stolen tokens to republish backdoored package versions and spread to additional repositories. No confirmed cryptocurrency theft or quantified financial loss from crypto assets had been publicly documented as of the investigation date, though the malware's collectors enumerate local wallet storage and the attack's credential-theft scope poses downstream risk to any crypto developer environments that installed affected packages.

LAB is the native token of the AI Terminal, a multi-chain trading platform founded by Vova Sadkov (Vladimir Sadkov) and a co-founder identified as Mark X. In May 2026, on-chain investigator ZachXBT published findings alleging that insiders controlled more than 95% of the circulating LAB token supply, that 226 million tokens were concentrated in Bitget deposit addresses before a 350%-plus price pump, and that the project simultaneously operated four distinct mechanisms to extract value from retail participants. The token subsequently crashed as much as 77% from its peak, wiping approximately $6.8 billion in market value.

The name 'Zinc' encompasses at least three distinct crypto entities: (1) Zinc Protocol, a 2018 Tel Aviv-based ERC20 advertising token that appears to have gone dormant with a ~98.8% price decline from its all-time high; (2) Zinc, a Solana-based gamified mining protocol that emerged from a pivot of the failed ZKLSOL privacy mixer project funded through MetaDAO, which became one of Solana's top revenue generators but is embroiled in a documented governance dispute over investor buyout terms; and (3) Zinc, a Zcash inscription protocol operating at zinc.is. The most active and notable entity as of mid-2026 is the Solana-based Zinc/ZKFG project, which raises concerns about anonymous founding team, absence of formal legal documentation governing its pivot from the original ZKLSOL mandate, and an unresolved governance conflict with MetaDAO investors.

Katana Network is a DeFi-native Ethereum Layer-2 rollup incubated by Polygon Labs and GSR, launched on Polygon's AggLayer in mid-2025. Its native governance and incentive token, KAT, had its Token Generation Event (TGE) in March 2026 and is distinct from the older Katana DEX built by Sky Mavis on the Ronin sidechain for Axie Infinity. The project carries acknowledged centralization risks at its current Stage 0 classification by L2Beat, significant post-TGE token price depreciation, and elevated smart-contract and bridge risk stemming from its multi-protocol integration architecture.

Allo Protocol is an open-source, EVM-compatible smart contract framework for on-chain capital allocation, developed by Gitcoin and launched on Ethereum mainnet in November 2023. It served as the underlying infrastructure for Gitcoin Grants Stack from 2023 through May 2025, when Gitcoin's software division (Grants Lab) was shut down due to financial constraints, placing Allo in maintenance mode. No fraud allegations, regulatory actions, or security exploits have been publicly documented against the protocol itself.

0x62d5a59e0d67c0381aad53b201b4a1b8dcd2c833 is an Ethereum externally owned account (EOA) with minimal on-chain activity, consisting of exactly two zero-value incoming transfers from the same source address in May 2026. No name tags, entity labels, scam reports, or regulatory flags have been identified for this address across Etherscan, ChainAbuse, or open-web sources as of June 2026.

Smoking Chicken Fish (SCF) is a Solana-based meme coin launched on Pump.fun in mid-August 2024 that rapidly reached a $130 million market cap within two weeks of launch and incorporated an unusual real-world dimension as a registered nonprofit planning to build a physical church in Marfa, Texas. The project imploded in September 2024 when its de facto leader, known as 'Pastor Kelby,' was ousted by the community following allegations that he accepted undisclosed payments from derivative token projects, solicited donations directly into his personal wallet, and had a history of alleged rug pulls. The token has since declined approximately 99.6% from its all-time high, trading at fractions of a cent as of mid-2026.

Antier Solutions Pvt. Ltd. is an India-based blockchain and Web3 development firm headquartered in Mohali, Punjab, founded in 2005 and led by CEO Vikram R. Singh. The company provides custom blockchain development, crypto exchange development, DeFi platforms, and enterprise blockchain services to global clients. In May 2026 it received its first institutional funding of $3 million led by GVFL; it carries generally positive ratings on B2B review platforms, though a small number of Trustpilot reviews allege fraudulent conduct, a claim not corroborated by regulatory filings or major news sources.

Meta-1 Coin was a fraudulent digital asset marketed from 2018 to 2023 by Robert Dunlap through the Meta-1 Coin Trust, with false claims that the token was backed by $44 billion in gold and $1 billion in fine art. Dunlap used automated trading bots on a sham exchange called the Meta Exchange to inflate the coin's apparent price and volume, defrauding approximately 1,000 investors of more than $20 million. In April 2026, Dunlap was sentenced to 23 years in federal prison following a November 2025 conviction on mail fraud charges in the Northern District of Illinois.

Amir Hossein Rad is the chairman, co-founder, and former CEO of Nobitex, Iran's largest cryptocurrency exchange. On June 2, 2026, OFAC personally designated Rad under Executive Orders 13224 and 13902 for his leadership role at an exchange the U.S. Treasury accused of enabling sanctions evasion, supporting the Islamic Revolutionary Guard Corps (IRGC), and facilitating terrorist financing. He was among four individuals designated alongside the exchange itself as part of the Trump administration's 'Economic Fury' campaign targeting Iran's financial infrastructure.

On May 11, 2026, threat actor group TeamPCP executed a sophisticated supply chain attack against the TanStack npm ecosystem, compromising 42 packages across 84 malicious versions collectively downloaded millions of times per week. The attack, branded internally as the 'Mini Shai-Hulud' worm, chained three GitHub Actions vulnerabilities to extract an OIDC token from runner memory and autonomously publish credential-stealing payloads that spread to over 170 additional npm and PyPI packages including Mistral AI, UiPath, and OpenSearch. The campaign is the fourth documented wave from TeamPCP, a group active since at least late 2024, and represents the first recorded npm worm to produce validly-attested malicious packages under SLSA Build Level 3 provenance.

Evan Tangeman, 22, of Newport Beach, California, pleaded guilty on December 8, 2025 to RICO conspiracy for his role as a money launderer in the 'Social Engineering Enterprise,' a multi-state criminal organization that stole over $263 million in cryptocurrency between October 2023 and May 2025. He admitted to laundering at least $3.5 million in stolen proceeds and was sentenced on April 24, 2026 to 70 months in federal prison plus three years supervised release by U.S. District Judge Colleen Kollar-Kotelly in Washington, D.C. Tangeman was the ninth defendant to plead guilty in what prosecutors described as one of the largest cryptocurrency theft conspiracies ever prosecuted.

An active phishing campaign, first disclosed by OX Security in March 2026 and continuing into June 2026, abuses the OpenClaw brand and GitHub's issue notification system to target software developers with fake $5,000 CLAW token giveaways. Victims are directed via Google LinkShare redirect URLs to token-claw[.]xyz, a near-identical clone of openclaw.ai, where a malicious wallet-connect prompt triggers a JavaScript drainer (eleven.js) capable of siphoning funds from MetaMask, Trust Wallet, OKX Wallet, Bybit Wallet, and WalletConnect-compatible wallets. OpenClaw founder Peter Steinberger has publicly stated the project has no token and never will.

Vortex is a cryptocurrency market-making firm whose leadership was indicted by a federal grand jury in Oakland, California on August 28, 2025, on charges of wire fraud conspiracy and wire fraud in connection with an alleged coordinated wash-trading scheme. Three Russian nationals — Gleb Gora (CEO, age 24), Sergei Ryzhkov (CFO), and Michael Vogel (Business Development Manager) — are alleged to have artificially inflated cryptocurrency token prices using automated trading bots and planned to liquidate their holdings at peak prices, leaving retail investors with losses. The indictment was publicly announced on March 30, 2026, as part of the DOJ's Operation Token Mirrors, a multi-agency undercover enforcement action targeting market-manipulation-as-a-service operations.

The Malone Lam Crypto Syndicate, also known as the Social Engineering Enterprise (SEE), is an alleged multi-state criminal organization that stole approximately $263 million in cryptocurrency between October 2023 and May 2025 through social engineering, residential home invasions, and hardware wallet theft. Led by Singaporean national Malone Lam (alias 'Anne Hathaway', 'Greavys'), the enterprise comprised at least 14 members recruited through online gaming platforms and operated specialized roles including database hackers, social engineering callers, money launderers, and physical burglars. The DOJ charged the organization under the RICO statute — one of the most aggressive crypto theft prosecutions ever filed — and as of June 2026, nine co-defendants have pleaded guilty and been sentenced to 70–78 months, while Lam and co-lead Jeandiel Serrano remain in pre-trial proceedings.

The 'Social Engineering Enterprise' (SE Enterprise) is a DOJ-designated RICO criminal organization that stole over $263 million in cryptocurrency — primarily 4,100 BTC from a single Washington, D.C. victim in August 2024 — through a combination of database breaches, impersonation calls, and residential burglaries targeting hardware wallets. The enterprise grew from friendships formed on online gaming platforms and operated from October 2023 through at least May 2025, with at least 17 defendants charged across multiple superseding indictments, nine of whom have pleaded guilty as of early 2026. A second superseding indictment unsealed in June 2026 added three new defendants — Nicholas Dellecave, Mustafa Ibrahim, and Danish Zulfiqar — expanding the prosecution and marking ongoing international coordination with Dubai law enforcement.

Misam M. Abidi, 47, of Nolensville, Tennessee, faces an 11-count federal indictment unsealed June 13, 2026, for allegedly operating a cryptocurrency investment Ponzi scheme through Star Credit Holdings between 2020 and 2024. Prosecutors allege he diverted over $1.9 million of investor funds to himself and family members, and the broader enterprise involving co-defendants Ali Raza Galani and Anisha Abidi allegedly caused losses exceeding $6.3 million across 17 states. Related state regulatory actions by the Tennessee Department of Commerce and Insurance and the Tennessee Attorney General resulted in a temporary injunction and asset freeze in May 2024.

On June 1, 2026, an attacker leveraged a compromised admin key on BNB Chain to mint 99 million TSR tokens outside TesseraDAO's normal supply controls, swapping them for approximately $2.5 million in USDT and collapsing the TSR token price by approximately 99%. The exploiter subsequently bridged the stolen proceeds to Ethereum and laundered approximately 1,285.5 ETH through Tornado Cash. As of the date of reporting, TesseraDAO issued no public statement, raising unresolved questions about whether the incident constituted an external key compromise or an insider-orchestrated exit.

Atomic Arch is a large-scale software supply chain attack disclosed on June 11, 2026, in which threat actors systematically adopted orphaned packages in the Arch User Repository (AUR) and modified their PKGBUILD build scripts to silently install malicious npm packages. The malicious packages deployed a Rust-based credential infostealer and an eBPF kernel rootkit targeting developer secrets, cloud credentials, and cryptocurrency wallet data. Within 24 hours of initial disclosure, the compromised package count escalated from roughly 408 to an estimated 1,500+, making this one of the largest AUR incidents on record.

On June 8-9, 2026, Humanity Protocol suffered a coordinated cross-chain exploit in which attackers compromised seven private keys stored on a single malware-infected employee laptop, draining approximately 447 million H tokens — valued at $32-36 million — across Ethereum and BNB Smart Chain. Blockchain investigator ZachXBT initially alleged the incident was 'possibly staged' based on pre-funded attacker wallets, suspicious market-making activity, and DEX-only token dumps, though he subsequently revised his assessment, concluding the private key compromise and the earlier suspicious market-making were independent events. The H token crashed between 87-89% within hours of the attack and remained deeply depressed ahead of a 266.5 million token unlock scheduled for June 25, 2026.

Step Finance was a Solana-based DeFi portfolio management and analytics platform founded by George Harrap that operated from 2021 until February 2026. On January 31, 2026, attackers compromised executive team devices and drained approximately $40 million in treasury assets, representing a catastrophic operational security failure. The platform was unable to secure financing or an acquisition to continue operating and formally shut down on February 23, 2026, along with affiliated projects SolanaFloor and Remora Markets.

Sonne Finance is a Compound V2 fork deployed on Optimism that was exploited for approximately $20 million on May 14, 2024, in what became the largest exploit in Optimism's history. The attack exploited a well-known precision-loss donation vulnerability in Compound V2 forks, triggered during the rollout of a new VELO token market; the attacker leveraged a multi-transaction deployment architecture and a two-day timelock window to manipulate exchange rates and drain user funds.

Zabu Finance was an Avalanche-based yield farming protocol that suffered a $3.2 million flash loan exploit on September 12, 2021, marking what was widely described as the first major DeFi hack on the Avalanche blockchain. The vulnerability — a known deflationary token accounting flaw that had already been exploited on Polygon two months prior — drained the protocol's SPORE staking pool and caused the ZABU token to collapse from approximately $0.004 to near-zero. The protocol attempted a v2 token relaunch but has since gone effectively dormant, with a TVL of approximately $5,000 and a website SSL certificate that expired in August 2022.

Ronin Bridge is the cross-chain bridge that connected the Axie Infinity gaming ecosystem's Ronin sidechain to Ethereum, operated by Sky Mavis. In March 2022 it suffered the largest DeFi hack in history at the time — $625 million in ETH and USDC stolen by North Korea's Lazarus Group via compromised validator private keys obtained through social engineering. A second, smaller exploit occurred in August 2024. The legacy bridge was deprecated in April 2025 and migrated to Chainlink CCIP infrastructure.

WazirX, operated in India by Zanmai Labs Pvt. Ltd., suffered a $234.9 million hack attributed to North Korea's Lazarus Group on July 18, 2024, freezing user funds and triggering multiple Indian regulatory investigations. India's Supreme Court dismissed a victims' petition in April 2025 citing a lack of crypto regulatory framework, while the Enforcement Directorate, Financial Intelligence Unit, and other agencies have opened probes into the exchange's operations, ownership structure, and alleged links to terror financing. A Singapore court approved a restructuring plan in October 2025, offering partial recovery to creditors.

Slope Wallet (Slope Finance) was a Solana-based mobile cryptocurrency wallet that suffered a catastrophic security breach on August 2, 2022, in which over 9,200 wallets were drained of approximately $4–8 million in assets due to the app transmitting users' unencrypted seed phrases to a third-party telemetry service (Sentry). The root cause was a severe security misconfiguration by Slope Finance, in which the mobile application logged plaintext private key material without proper scrubbing. No formal victim compensation was established, the team declined to publicly accept responsibility, and founder Leal Cheung subsequently launched a new project (zkME) without resolution for affected users.

DMM Bitcoin was a licensed Japanese cryptocurrency exchange operated by DMM Group (DMM.com) that launched in January 2018. In May 2024 it suffered the eighth-largest crypto theft in history when North Korean state-sponsored hackers attributed to the TraderTraitor subgroup of Lazarus Group stole 4,502.9 BTC (approximately $305–308 million USD) through a sophisticated supply-chain attack targeting Ginco, a third-party wallet management provider. Following the hack, Japan's Financial Services Agency issued a business improvement order, the exchange restricted operations, and in December 2024 announced full closure with all customer assets transferred to SBI VC Trade by March 2025.

Agave was a decentralized lending protocol on Gnosis Chain forked from Aave v2, developed by members of the 1Hive community. On March 15, 2022, the protocol suffered a reentrancy exploit that drained approximately $5.5 million in user funds, part of a coordinated $11.7 million attack that simultaneously hit Hundred Finance. The protocol paused operations following the hack and formally closed down in March 2024 with no documented user compensation.

The Southeast Asia pig-butchering network is a constellation of transnational organized crime syndicates — primarily Chinese-language criminal organizations — operating forced-labor scam compounds across Cambodia, Myanmar (Burma), and Laos that have stolen an estimated $10 billion or more annually from American victims through cryptocurrency investment fraud. In November 2025, the U.S. Department of Justice established the Scam Center Strike Force, a multi-agency interagency task force headquartered in the District of Columbia, to coordinate criminal prosecution, civil asset forfeiture, Treasury sanctions, and private-sector disruption against these networks. By mid-2026, the Strike Force had restrained approximately $725.9 million in cryptocurrency, coordinated at least 276 arrests across an international operation in April–May 2026, and partnered with nine private technology companies during a dedicated 'Disruption Week' that disabled more than 1.4 million fraudulent accounts globally.

Miasma is a self-propagating credential-stealing worm that compromised 32 official npm packages under the @redhat-cloud-services namespace on June 1, 2026, affecting an estimated 80,000 to 117,000 weekly downloads. The attack was facilitated by a compromised Red Hat employee GitHub account and used GitHub Actions OIDC trusted publishing to inject a 4.2 MB obfuscated preinstall payload derived from the publicly released Mini Shai-Hulud malware framework attributed to the threat actor group TeamPCP. While not a cryptocurrency-specific attack, the worm harvests cloud credentials, CI/CD secrets, and developer tokens — including Anthropic API keys — from any environment running the affected packages, and it is highly relevant to crypto developers who use these packages in their build pipelines.

Predatory Sparrow, known in Persian as Gonjeshke Darande, is a hacking group active since at least July 2021 that has claimed responsibility for a series of destructive cyberattacks against Iranian critical infrastructure, financial institutions, and cryptocurrency exchanges. The group is widely believed by security researchers, Israeli media, and anonymous U.S. defense officials to have links to the Israeli government, though Israel has never formally acknowledged any connection. Their operations are politically motivated, targeting entities alleged to support Iran's Islamic Revolutionary Guard Corps (IRGC) and facilitate sanctions evasion, and have extended directly into the cryptocurrency space with the June 2025 destruction of approximately $90 million in digital assets stolen from Iran's largest crypto exchange, Nobitex.

The 2026 FIFA World Cup has attracted a coordinated wave of crypto-linked fraud operating across multiple typologies, including typosquatting domain networks, fake ticket portals demanding cryptocurrency payment, fixed-match betting schemes, pump-and-dump fan meme coins, and Android banking malware bundled in fake streaming apps. Law enforcement agencies including the FBI Cyber Division and the Los Angeles County Sheriff's Department have issued public warnings, while blockchain analytics firm TRM Labs and cybersecurity vendors Malwarebytes, CybelAngel, and The Hacker News have documented active infrastructure running since at least August 2025, months before the first match.

An international online fraud syndicate operating under the cover of PT Digi Global Konsultan in Sukoharjo District, Central Java, conducted a pig-butchering romance-and-crypto-investment scam from July 2025 to May 2026, defrauding at least 133 US citizens of approximately $2.32 million. Central Java Police arrested 39 suspects of Indonesian, Nepalese, and Myanmar nationality on May 20, 2026, in coordination with the US Federal Bureau of Investigation. Separately, US federal charges were filed in the Southern District of California in April 2026 against Indonesian nationals linked to related pig-butchering organizations.

Jimmy Donaldson, known as MrBeast and the most-subscribed individual creator on YouTube, has been the subject of on-chain investigations alleging that wallets attributed to him generated approximately $23 million in profits through participation in crypto token presales followed by coordinated liquidations, including an alleged $11.4 million from the SuperVerse (SUPER) token in 2021. No formal regulatory charges had been filed against Donaldson as of mid-2026, though Senator Elizabeth Warren and Representative Warren Davidson opened a congressional inquiry in March 2026 targeting Beast Industries over crypto plans directed at minors. Donaldson has denied wrongdoing, attributing relevant financial activity to third-party managers, and no independent court or regulatory body has verified the on-chain attribution.

On June 1, 2026, Phala Network disclosed and patched a vulnerability in the Phala Cloud API that permitted unauthorized modification of Confidential Virtual Machines (CVMs) using Offchain KMS key management. An attacker deployed a malicious pre-launch script beginning May 31, 2026, potentially exfiltrating decrypted environment variables including AWS credentials and ECR registry keys from affected CVMs. Phala patched the vulnerability within approximately 17 hours and notified affected users directly, though the incident exposed a structural gap between the platform's confidentiality marketing and the actual security boundary enforced by its Offchain KMS configuration.

A multi-firm criminal enterprise spanning four crypto market-making companies — Gotbit, Vortex, Contrarian, and Antier Solutions — was dismantled through a coordinated FBI and IRS-Criminal Investigation undercover operation known as Operation Token Mirrors. Ten executives and employees across the four firms were indicted between March and September 2025 in the Northern District of California on charges of wire fraud and wire fraud conspiracy for orchestrating wash-trading and pump-and-dump schemes against retail investors. Gotbit founder Aleksei Andriunin was separately convicted in the District of Massachusetts, sentenced to eight months in prison, and his firm was ordered to forfeit $23 million in cryptocurrency; as of mid-2026 additional defendants remain in active criminal proceedings.

Axiom is a Solana-based crypto trading platform founded in 2024 by Henry Zhang ('Mist') and Preston Ellis ('Cal'), which completed Y Combinator's Winter 2025 batch and generated over $390 million in cumulative revenue. In February 2026, blockchain investigator ZachXBT published a documented investigation revealing that a senior business development employee, Broox Bauer, along with colleagues, systematically abused internal dashboard tools with insufficient access controls to access private user wallet data and conduct insider trading for over 10 months beginning in early 2025. Axiom confirmed the breach, removed access to the implicated tools, and pledged an internal investigation, but no formal legal charges had been publicly filed as of the date of reporting.

A coordinated international law enforcement operation conducted in April–May 2026 by the FBI, Dubai Police, Chinese Ministry of Public Security, and Royal Thai Police resulted in at least 276 arrests and the dismantlement of at least nine cryptocurrency investment fraud centers operating in Southeast Asia and the UAE. The operation targeted three named scam organizations — Ko Thet Company, Sanduo Group, and Giant Company — charged in the Southern District of California, alongside a parallel Scam Center Strike Force action on April 23, 2026, that seized 503 fraudulent domains, charged two Chinese nationals for managing Myanmar's Shunda Park compound, sanctioned Cambodian Senator Kok An and 28 associates, and restrained $701.96 million in cryptocurrency. A $10 million State Department reward was simultaneously announced for information on the Tai Chang scam centers in Burma's Karen State.

The U.S. Treasury's Office of Foreign Assets Control (OFAC) has designated multiple Ethereum wallet addresses linked to the Sinaloa Cartel's fentanyl trafficking and cryptocurrency money laundering operations. The most recent action, on May 20, 2026, added six Ethereum addresses and 11 individuals to the Specially Designated Nationals (SDN) list, marking the eighth Sinaloa Cartel designation linked to cryptocurrency since September 2023. All designated addresses are subject to strict-liability blocking obligations for U.S. persons and entities.

On June 18, 2025, the U.S. Attorney's Office for the District of Columbia filed a civil forfeiture complaint seeking $225,364,961 in USDT linked to a sophisticated cryptocurrency investment fraud and money laundering network, marking the largest cryptocurrency seizure in U.S. Secret Service history. The funds were traced via blockchain analysis to pig-butchering scam operations allegedly run from compounds in the Philippines and Vietnam, affecting over 430 suspected victims globally. The action is part of a broader 2025-2026 federal crackdown that includes the D.C. Scam Center Strike Force, Operation Level Up, and a coordinated international sweep resulting in 276 arrests and $701 million in restrained assets.

ATM Token is an obscure BEP-20 token deployed on BNB Smart Chain that suffered a confirmed exploit on June 4, 2026, resulting in approximately $243,500 in losses. The attack was made possible by a flawed custom transferFrom() function that automatically swapped 20% of each token transfer into BSC-USD, which an attacker abused repeatedly within a single transaction. The project has no verified security audit, no public whitepaper or website, and issued no statement following the incident.

In March 2026, on-chain investigator ZachXBT exposed a coordinated network of at least 11 X accounts that manufactured fake geopolitical panic — primarily around the Iran war and Cuban humanitarian crises — to funnel followers into pump-and-dump cryptocurrency schemes. The network used purchased aged accounts, AI-generated fake personas, and mass cross-reposting to artificially inflate reach, culminating in the coordinated promotion of the $ORAMAMA token on Solana's PumpSwap on February 22, 2026, generating alleged six-figure on-chain profits. X suspended all 16 identified accounts by the evening of March 23, 2026.

Fluid, formerly known as Instadapp, is a DeFi lending, borrowing, and trading protocol founded in 2018 by brothers Samyak and Sowmay Jain. The protocol rebranded from Instadapp to Fluid in December 2024 following the launch of its DEX product. As of mid-2026, Fluid operates with approximately $720 million in TVL across multiple chains and has been subject to two notable security incidents: a March 2026 bad-debt event stemming from a third-party hack of the Resolv protocol (~$19.3 million absorbed), and a May 2026 off-chain key compromise of its Merkle rewards distribution infrastructure that drained approximately 125,000 FLUID and 51,900 GHO.

Sweat Economy is a move-to-earn protocol on NEAR Protocol that rewards users with SWEAT tokens for physical activity, built on top of the Sweatcoin app which has over 120 million registered users. On April 29, 2026, the SWEAT token contract on NEAR was exploited via a Rust smart contract vulnerability, allowing an attacker to drain approximately 13.71 billion SWEAT tokens — roughly 65% of total supply — valued at approximately $3.5 million, within 30 seconds. The Sweat Foundation coordinated with MEXC exchange and Rhea Finance to freeze attacker funds and ultimately restored all external user balances, with a patched contract subsequently deployed.

Nathan Fuller, a Cypress, Texas resident, is the subject of a May 28, 2026 SEC civil complaint alleging he raised approximately $12.3 million from roughly 150 investors across nine U.S. states and two foreign countries through fabricated AI-powered crypto trading bots operated under Privvy Investments LLC and Gateway Digital Investments. The SEC alleges Fuller misappropriated at least $6.2 million for personal expenses and used approximately $5.5 million for Ponzi-like payments to earlier investors, while deploying only about $380,000 (3%) in actual cryptocurrency purchases. In a related proceeding, a Texas bankruptcy court denied Fuller a discharge of over $12.5 million in debt on August 1, 2025, after Fuller admitted to operating a Ponzi scheme and fabricating documents.

Dritan Kapllani Jr. is an 18-year-old US resident publicly identified by on-chain investigator ZachXBT on May 12, 2026 as allegedly connected to approximately $19 million in social engineering cryptocurrency thefts, including a 185 BTC theft on March 14, 2026 worth roughly $13 million. Federal prosecutors named him as 'Co-Conspirator 1' in a criminal complaint unsealed May 11, 2026 against charged co-defendant Trenton Johnston; as of mid-June 2026 Kapllani himself has not been formally charged. Following public exposure, on-chain analysts observed him moving approximately $2.59 million in funds through new wallet hops, raising concerns about potential asset concealment.

Operation Atlantic was a week-long multinational law enforcement operation conducted in late March and early April 2026, co-hosted by the U.S. Secret Service, the UK National Crime Agency, the Ontario Provincial Police, and the Ontario Securities Commission. The operation targeted cryptocurrency approval phishing fraud networks spanning more than 30 countries, resulting in $12 million in stolen funds frozen, over 20,000 compromised wallet addresses identified, 120 scam domains disrupted, and $45 million in total fraud identified. No criminal arrests or indictments were publicly announced as part of this operation; its primary mandate was disruption, victim outreach, and asset freezing.

Robert Dunlap, 55, of Houston, Texas, operated Meta-1 Coin Trust from 2018 to 2023, raising more than $20 million from nearly 1,000 investors by falsely claiming a digital asset called 'Meta-1 Coin' was backed by $44 billion in gold and $1 billion in artwork. Dunlap fabricated audit documents and manipulated trading prices using automated bots. He was convicted by a federal jury in November 2025 on two counts of mail fraud and sentenced on April 17, 2026, to 23 years in federal prison by U.S. District Judge LaShonda A. Hunt in the Northern District of Illinois.

Bernard L. Madoff (1938–2021) was an American financier and former NASDAQ chairman who operated the largest Ponzi scheme in recorded history through his firm Bernard L. Madoff Investment Securities LLC (BLMIS), defrauding approximately 4,800 client accounts of an estimated $64.8 billion over several decades before his arrest in December 2008. Madoff pleaded guilty to 11 federal felonies in 2009 and died in federal prison in 2021 while serving a 150-year sentence. His name is widely invoked in the cryptocurrency industry as the archetypal benchmark for large-scale Ponzi fraud, with figures including Sam Bankman-Fried, Do Kwon, and Ruja Ignatova frequently compared to Madoff by regulators, prosecutors, and commentators.

BitClub Network was a fraudulent cryptocurrency mining investment scheme that operated from April 2014 through December 2019, raising at least $722 million from investors worldwide by falsely promising returns from shared bitcoin mining pools. Five individuals were indicted by a US federal grand jury in December 2019; multiple co-defendants have pleaded guilty while principal operator Matthew Brent Goettsche rejected a plea deal and awaits trial as of mid-2026.

Centra Tech was a Miami-based cryptocurrency startup that conducted a fraudulent initial coin offering (ICO) in mid-2017, raising over $32 million from thousands of investors through an extensive web of fabricated executives, fake partnerships with Visa and Mastercard, and undisclosed celebrity endorsements from Floyd Mayweather Jr. and DJ Khaled. All three co-founders — Sohrab Sharma, Robert Farkas, and Raymond Trapani — pleaded guilty to federal securities fraud, wire fraud, and mail fraud charges; Sharma was sentenced to eight years in federal prison. The case remains one of the most significant ICO enforcement actions in U.S. history.

Shai-Hulud is a self-replicating supply chain worm attributed to the financially motivated threat group TeamPCP (also tracked as DeadCatx3, PCPcat, ShellForce, CipherForce, and UNC6780 by Google's Threat Intelligence Group). Active since September 2025, the campaign has compromised hundreds of npm and PyPI packages by harvesting CI/CD credentials through malicious preinstall lifecycle hooks, directly enabling the Trust Wallet Chrome extension hack of December 2025 in which approximately $8.5 million was stolen from 2,520 wallets. As of June 2026, the campaign remains active through copycat variants following TeamPCP's public open-sourcing of the worm's source code on May 12–13, 2026.

A coordinated phishing campaign active in late May 2026 impersonated MetaMask by sending fake 'mandatory 2026 system upgrade' notifications via email and push alerts, directing victims to pixel-accurate clone sites that solicited a single Permit/token-approval signature draining wallets within seconds. On-chain investigator ZachXBT placed total losses at more than $9 million across 400+ addresses on Ethereum, Polygon, Arbitrum, and Base as of May 30, 2026. The campaign is part of a sustained multi-variant operation against MetaMask users that began at least as early as January 2026; MetaMask itself is an impersonation victim and is not at fault.

AudiA6 was a professional cryptocurrency mixing and laundering service that operated from 2021 until its dismantlement on June 10, 2026, in a coordinated international law enforcement operation. The service processed approximately 10,333 Bitcoin — valued at roughly $389 million at the time of transactions — for ransomware groups, darknet market operators, and other cybercriminals, charging commissions of 3–10%. Two alleged operators, Ruslan Igorevich Tkachuk (Ukrainian, 37) and Alexander Vladimirovich Ledenev (Russian, 25), were arrested in Batumi, Georgia, and face U.S. federal charges in the Eastern District of Pennsylvania carrying up to 20 years in prison each.

UNK_DeadDrop is a suspected North Korea-aligned threat actor campaign disclosed by Proofpoint on June 8, 2026, in which attackers sent more than 250 phishing emails to software developers at approximately 100 organizations — with a heavy focus on cryptocurrency firms — over a six-week period in April and May 2026. Victims were directed to actor-controlled GitHub and GitLab repositories disguised as coding assignments or code-review projects; opening these repositories silently deployed cross-platform malware including the Go-based Overlord remote-access framework and malicious VS Code extensions (VSIX) capable of stealing browser credentials, cryptocurrency wallets, and API tokens. Proofpoint tracks UNK_DeadDrop as a distinct cluster from the previously documented Contagious Interview / Lazarus campaigns, noting industrialized repository creation and an email-first delivery model as differentiating characteristics.

PT Digi Global Konsultan is an Indonesian company used as a front for an international pig-butchering cryptocurrency fraud syndicate dismantled by Central Java Police in May 2026. The operation ran from July 2025 to May 2026 out of Sukoharjo District, Central Java, defrauding at least 133 victims — predominantly US citizens — of approximately $2.33 million USD (Rp41.1 billion). Thirty-nine suspects were arrested, including foreign nationals from Nepal and Myanmar, and Indonesian authorities are collaborating with the FBI.

UNK_DeadDrop is a threat cluster designation assigned by Proofpoint Threat Research to a likely North Korea-aligned cyber threat actor that conducted a sustained phishing campaign targeting software developers between April and May 2026. The campaign used fake job offers and code-review requests linked to malicious GitHub and GitLab repositories to deliver cross-platform malware designed to steal cryptocurrency wallets and developer credentials. The actor is tracked as a distinct cluster from the previously documented Contagious Interview operation, though significant tactical and objective overlap is noted.

The Verus-Ethereum Bridge is a cross-chain infrastructure component enabling asset transfers between the Verus (VRSC) network and Ethereum. On May 18, 2026, the bridge was exploited for approximately $11.58 million through a business-logic validation flaw that allowed an attacker to withdraw far more value on the Ethereum side than was deposited on the Verus side. Following negotiations, the attacker returned approximately 75% of the stolen funds (4,052 ETH) in exchange for a 1,350 ETH bounty and an agreement to halt investigations.

Star Credit Holdings is an alleged fraudulent cryptocurrency investment firm operated by Misam M. Abidi, 47, of Nolensville, Tennessee. Federal prosecutors indicted Abidi on June 12, 2026, on an 11-count indictment covering wire fraud, money laundering, unlicensed money transmission, and tax offenses. The scheme allegedly ran from 2020 to 2024 and diverted over $1.9 million in investor funds to Abidi and his family members.

Ambient Finance (formerly CrocSwap, operated by Crocodile Labs) is a decentralized exchange protocol running its entire DEX inside a single smart contract, deployed on Ethereum and several Layer 2 networks. The project raised $6.5 million in a seed round in July 2023 from credible institutional investors including BlockTower Capital, Jane Street, and Circle Ventures. It has experienced two notable security incidents: a DNS hijacking attack in October 2024 that compromised its frontend, and an on-chain smart contract exploit in June 2026 that resulted in approximately $110,600 in losses.

Basis Markets was a UK-based project that raised approximately $28 million from retail investors in late 2021 through NFT membership sales and a BASIS token offering, marketing itself as a decentralized algorithmic hedge fund offering delta-neutral arbitrage returns. The UK Serious Fraud Office (SFO) opened a formal investigation and, on 20 November 2025, arrested two men on suspicion of fraud and money laundering in what the SFO described as its first major cryptocurrency case. The project shut down in June 2022 citing proposed US regulatory changes, and on-chain analysis by independent researchers alleged that investor funds were routed directly to founders' personal wallets rather than a project treasury.

Privvy Investments LLC was a Texas-based cryptocurrency investment company operated by Nathan Fuller of Cypress, Texas, that the SEC alleges raised approximately $12.3 million from roughly 150 investors between October 2022 and mid-2024 using false claims about proprietary AI-powered trading bots. Fuller admitted in September 2025 Texas bankruptcy proceedings that the scheme was a Ponzi operation, and the SEC filed a civil complaint against him on May 28, 2026, in the U.S. District Court for the Southern District of Texas, alleging misappropriation of at least $6.2 million for personal use and $5.5 million in Ponzi-style payouts to earlier investors.

Broox Bauer, a senior business development employee at Axiom Exchange, was publicly identified in February 2026 by on-chain investigator ZachXBT as the alleged orchestrator of an insider trading scheme running from early 2025. Bauer allegedly abused internal access to Axiom's customer support dashboard to extract private wallet data belonging to users and key opinion leaders, sharing that data with a small group to front-run trades. Axiom, a Y Combinator-backed Solana trading terminal that generated over $390 million in cumulative revenue, acknowledged the misconduct, terminated access to the relevant tools, and stated it would investigate and hold the responsible parties accountable.

Volo Protocol is a liquid staking and DeFi vaults platform built on the Sui blockchain, offering voloSUI (vSUI) as a liquid staking token and multi-asset yield vaults. In January 2024, it was acquired by NAVI Protocol, a leading Sui lending protocol. On April 22, 2026, Volo suffered a $3.5 million exploit targeting three isolated vaults holding WBTC, XAUm, and USDC; the team pledged to absorb all user losses and approximately $500,000 was frozen on-chain, while the root cause — attributed by security researchers to a compromised privileged operator key rather than a smart contract flaw — remained under investigation at time of writing.

Tether is the issuer of USDT, the world's largest stablecoin by market capitalization. The company has faced ongoing regulatory scrutiny, transparency concerns, and legal challenges regarding its reserves and business practices, though it continues to operate as a major cryptocurrency infrastructure provider.

Binance is the world's largest cryptocurrency exchange by trading volume, founded in 2017 by Changpeng Zhao (CZ). In November 2023, Binance and CZ pleaded guilty to U.S. federal charges and agreed to pay $4.3 billion in combined penalties for Bank Secrecy Act violations, unlicensed money transmission, and sanctions evasion — the largest financial penalty ever imposed on a cryptocurrency company. CZ resigned as CEO, served a four-month prison sentence in 2024, and was controversially pardoned by President Trump in October 2025. Under CEO Richard Teng, Binance has pursued an aggressive global licensing strategy while remaining subject to ongoing compliance monitoring and new civil litigation tied to terrorist financing allegations.

OKX (formerly OKEx) is one of the world's largest centralized cryptocurrency exchanges by trading volume, founded in 2017 by Mingxing 'Star' Xu and operated by Aux Cayes Fintech Co. Ltd, incorporated in the Seychelles. In February 2025 its Seychelles operating entity pleaded guilty in U.S. federal court to operating an unlicensed money transmitting business for over seven years, agreeing to pay more than $504 million in fines and forfeitures. The exchange carries a moderate-to-elevated risk profile due to this criminal conviction, a pattern of AML failures across multiple jurisdictions, and historical incidents including a 42-day withdrawal freeze in 2020; it has taken substantive remediation steps including monthly proof-of-reserves publication since 2022, a MiCA license in the EU, and a US relaunch in April 2025 under new regional leadership.

Balancer is a decentralized automated market maker (AMM) protocol on Ethereum, founded in 2018 by Fernando Martinelli and Mike McDonald, that allows multi-token liquidity pools with customizable weighting. The protocol has suffered six documented security incidents between 2020 and 2025, resulting in cumulative losses exceeding $140 million, including a catastrophic $128 million exploit in November 2025 caused by an arithmetic precision flaw in Composable Stable Pool contracts. Despite multiple audits by major firms including Trail of Bits, OpenZeppelin, and Certora, systemic smart contract vulnerabilities and a highly complex protocol architecture have repeatedly exposed user funds to loss.

Huobi, rebranded to HTX in September 2023, is a major centralized cryptocurrency exchange founded in 2013 that came under the de facto control of Tron founder Justin Sun in late 2022. The exchange has suffered three significant security incidents since September 2023, faces extensive regulatory non-compliance across multiple jurisdictions, and its proof-of-reserves methodology has been subject to credible allegations of double-counting and asset manipulation by investigative outlets.

TRON (TRX) is a blockchain platform founded by Justin Sun, ranked #8 by market cap (~$33B). The SEC filed securities fraud, market manipulation, and illegal celebrity promotion charges in March 2023, settled in March 2026 for $10 million. TRON hosted over $26 billion of $45 billion in global illicit crypto volumes in 2024 (58%). Sun's $75M investment in Trump's WLFI raised conflict-of-interest concerns, with the SEC case halted shortly after Trump's inauguration. Sun-affiliated exchanges Poloniex and HTX suffered $215M+ in combined hacks in November 2023.

Synthetix is an Ethereum-based decentralized derivatives liquidity protocol originally launched in 2017 as Havven by Australian entrepreneur Kain Warwick, rebranding in 2018 to enable the creation of synthetic assets tracking real-world prices. The protocol reached a peak total value locked during the 2021 DeFi bull market and has been a pioneer in on-chain derivatives, but has faced recurring issues including a critical oracle exploit in 2019, persistent front-running vulnerabilities, a contentious DWF Labs market-maker arrangement, and a prolonged sUSD stablecoin depeg crisis beginning in 2025 triggered by the SIP-420 protocol overhaul.

Mantle is a modular Ethereum Layer 2 network launched in July 2023, emerging from a merger of the BitDAO DAO and the Mantle L2 project. The MNT token was converted 1:1 from BitDAO's BIT token following a May 2023 community vote. The protocol holds a treasury of over $6 billion in assets and ranked approximately #43 by market cap as of mid-2026, but carries notable centralization risks including a single sequencer, zero-delay contract upgrade capability, and deep strategic and financial dependence on Bybit, the centralized exchange that held approximately 60% of the initial BIT token supply and suffered a $1.5 billion North Korean hack in February 2025.

Berachain is an EVM-identical Layer 1 blockchain launched on February 6, 2025, built around a novel 'Proof of Liquidity' (PoL) consensus mechanism designed to align validators, applications, and users around on-chain economic activity. The project raised $142 million across two funding rounds, achieved a peak TVL of over $3.3 billion at mainnet launch, and distributed approximately 79 million BERA tokens via airdrop. Since launch, the project has faced significant controversies including alleged insider token selling by a co-founder, a preferential refund arrangement for institutional investor Brevan Howard, a $12.8 million BEX exploit requiring an emergency hard fork in November 2025, and a prolonged token price decline of over 97% from its all-time high.

Token of Power (TOP) is an Ethereum-based ERC-20 governance token created in March 2021 as a financial art experiment built around fractionalized ownership of a MetaMask-themed NFT, with liquidity and governance managed through a Balancer V1 pool and an Aragon DAO. On June 9, 2026, the project suffered a catastrophic governance-takeover exploit in which an attacker acquired a majority of the token's 16,384-token supply, used the Aragon DAO's absence of timelock protections to create, vote on, and execute a malicious proposal in a single transaction, minted 10 billion new TOP tokens, and drained 944.2 WETH (approximately $1.58 million) from the Balancer V1 liquidity pool. Stolen funds were laundered through Tornado Cash and no official project response had been issued as of June 10, 2026.

LayerZero is a major omnichain interoperability protocol operated by LayerZero Labs, deployed across 130+ blockchains and processing over 200 million cross-chain messages as of early 2026. The protocol gained institutional backing from Citadel Securities, ARK Invest, Tether, and Sequoia Capital, and is the infrastructure behind USDT0, which processed over $70 billion in cross-chain USDT transfers. In April 2026, LayerZero's off-chain DVN infrastructure was compromised via a social engineering attack attributed to North Korea's Lazarus Group (TraderTraitor), enabling the $292 million KelpDAO rsETH bridge exploit — the largest DeFi hack of 2026 — and triggering a multi-billion-dollar client exodus to competing bridge providers.

Gala Games is a blockchain gaming platform founded in 2019 by Eric Schiermeyer (co-founder of Zynga) and Wright Thurston, issuing the GALA utility and governance token. The company has been beset by a high-profile inter-founder legal dispute alleging $130 million in token theft, a May 2024 smart contract exploit in which 5 billion GALA tokens worth approximately $200–240 million were minted by a compromised admin wallet, and co-founder Wright Thurston's prior SEC lawsuit over an unrelated $18 million unregistered securities offering. These compounding governance failures, security incidents, and legal controversies place the platform among the more heavily scrutinized projects in the blockchain gaming sector.

Gate.io (formerly Bter.com) is a centralized cryptocurrency exchange founded in 2013 by Han Lin, serving over 30 million users across 224 countries. The exchange has been flagged by on-chain investigator ZachXBT for allegedly concealing a $230 million hack attributed to North Korean state-sponsored hackers (Lazarus Group) that occurred in April 2018 and was never publicly disclosed to users. Additional concerns include a manipulated futures price feed incident causing millions in user losses in 2025, an AML-based ban by India's Financial Intelligence Unit in 2024, persistent user complaints about frozen withdrawals, and alleged wash trading activity inflating reported volumes.

Balancer V2 is a decentralized automated market maker (AMM) protocol launched in 2021 on Ethereum and multiple chains that separates AMM logic from token custody via a central Vault architecture. The protocol has experienced at least four documented security incidents across its V1 and V2 deployments, including a November 2025 exploit that drained approximately $128 million and directly led to the dissolution of Balancer Labs, the corporate entity behind the protocol, announced in March 2026.

Meteora is a Solana-based decentralized exchange and liquidity protocol, originally founded as Mercurial Finance before rebranding in 2023. Its co-founder Benjamin Chow resigned in February 2025 amid allegations that the platform's infrastructure was used to orchestrate coordinated pump-and-dump schemes across at least 15 tokens including LIBRA, MELANIA, M3M3, ENRON, and TRUST, causing an estimated $69 million or more in retail investor losses. Multiple class-action lawsuits are active in the Southern District of New York asserting fraud, RICO violations, and market manipulation; the protocol also issued a $4.2 million MET token airdrop to wallets linked to the Trump team hours after the amended complaint was filed, with all tokens immediately sent to OKX.

THORChain is a decentralized cross-chain liquidity protocol that enables native asset swaps across blockchains without wrapped tokens, using its RUNE token as settlement collateral. Since its mainnet launch, the protocol has suffered three significant exploit events totaling over $25 million in losses, became the primary laundering conduit for North Korea's Lazarus Group following the 2025 Bybit hack ($1.2 billion routed through the network), and its THORFi lending product collapsed in January 2025 with approximately $200 million in user funds frozen. The protocol faces ongoing legal action from creditors, has lost key developers over ethical disputes about blocking illicit transactions, and experienced a further $10.8 million vault breach in May 2026.

Linea is a zkEVM Layer 2 rollup built by Consensys that launched on Ethereum mainnet in July–August 2023 and uses a proprietary zk-SNARK proving library called gnark. The network is classified as Stage 0 by L2BEAT, operates a single centralized sequencer with no permissionless fallback, and demonstrated this centralization risk in June 2024 when it unilaterally halted block production during the Velocore DEX hack. The LINEA token launched in September 2025 and suffered a 93% price collapse within hours amid a delayed community airdrop contract, sequencer outage, and allegations of treasury wallet selling pressure.

Gemini is a New York-based cryptocurrency exchange and custodian bank founded in 2015 by Cameron and Tyler Winklevoss, regulated under a NYDFS Limited Purpose Trust Charter. The exchange gained significant notoriety following the collapse of its Gemini Earn lending program in late 2022, which left approximately 340,000 users with roughly $900 million in frozen assets; subsequent SEC and NYDFS enforcement actions were resolved by early 2024 and 2026 respectively with full customer restitution. Gemini went public on the Nasdaq in September 2025 under the ticker GEMI, but its stock has since declined more than 80% amid deepening losses, executive departures, mass layoffs, and a contested post-IPO strategic pivot to prediction markets.

Bitget is a Seychelles-incorporated centralized cryptocurrency exchange founded in 2018, offering spot, futures, and copy trading to a claimed user base exceeding 150 million. While the exchange has never suffered a direct hack of user funds and publishes monthly proof-of-reserves attestations, it faces a pattern of serious regulatory actions across multiple jurisdictions — including blacklisting by France's AMF, warnings from Australia's ASIC and Japan's FSA, and a ban by the Philippines SEC — and has attracted allegations from blockchain investigator ZachXBT that it knowingly enabled supply-control market manipulation schemes targeting retail traders in 2026.

LayerZero is an omnichain messaging protocol developed by LayerZero Labs that enables cross-chain communication across 90+ blockchains. On April 18, 2026, a $292 million exploit of the KelpDAO rsETH bridge — the largest DeFi hack of 2026 — exposed a critical single-point-of-failure in the protocol's Decentralized Verifier Network (DVN) configuration, attributed by LayerZero to North Korea's TraderTraitor (Lazarus Group). LayerZero initially blamed KelpDAO for the configuration before reversing course in May 2026 and admitting fault, triggering a mass client exodus exceeding $1 billion in migrated assets.

Axiom (axiom.trade) is a Y Combinator-backed Solana trading terminal launched in January 2025 by co-founders Henry Zhang and Preston Ellis. The platform grew rapidly to become the dominant Solana memecoin trading interface, generating over $300 million in fees within 263 days. In February 2026, crypto investigator ZachXBT published an exposé alleging that multiple Axiom employees abused internal 'admin dashboard' access controls to surveil private user wallet data and conduct insider trading over a period of approximately 13 months.

KuCoin is a global cryptocurrency exchange founded in 2017 that has accumulated one of the most serious regulatory and security records in the industry. The exchange suffered a $285 million hot-wallet hack in September 2020 attributed to North Korea's Lazarus Group, and in January 2025 pleaded guilty to operating an unlicensed money transmitting business in the United States, agreeing to pay over $297 million in fines and forfeitures and exit the US market for at least two years. On-chain investigator ZachXBT has publicly alleged that KuCoin continues to enable illicit fund flows by ignoring victim and law enforcement requests.

Polkadot (DOT) is a multi-chain protocol founded by Gavin Wood, ranked #41 by market cap (~$2.3B). The project faces significant headwinds: a $133M treasury overspending crisis (projected 2-year depletion), the 2017 Parity wallet freeze that locked ~$98M of ICO proceeds, an April 2026 Hyperbridge exploit minting $1B in fake bridged DOT (losses ~$2.5M), and steep ecosystem decline with active parachains dropping from 200+ to ~30. No SEC enforcement actions exist, and ETF applications are under review.

Raydium is an automated market maker (AMM) and decentralized exchange built on the Solana blockchain, launched in February 2021 and widely regarded as Solana's primary liquidity hub. On December 16, 2022, the protocol suffered a major security incident in which an attacker compromised an admin private key — suspected to be via a trojan on a team virtual machine — and drained approximately $4.4 million from eight constant product liquidity pools. Raydium responded with a patched program, a community-approved compensation plan funded by team-held RAY tokens, and has since migrated authority to a Squads multisig with hardware wallet and timelock protections.

Scroll is an Ethereum Layer 2 ZK rollup that launched its mainnet in October 2023, offering bytecode-level EVM compatibility via zero-knowledge proofs. The project raised $83 million in venture funding and launched its SCR governance token in October 2024, but faced significant community backlash over airdrop distribution mechanics, concentrated whale allocations, and a 32% same-day price decline. By early 2026, Scroll's TVL had collapsed approximately 96% from its peak and the project triggered further controversy by proposing to dissolve its Security Council and reduce DAO contributor roles.

Cosmos Hub (ATOM) is the flagship chain of the Cosmos ecosystem, built on Tendermint/CometBFT with IBC protocol. Founded by Jae Kwon and Ethan Buchman, the project has endured severe governance crises: ATOM 2.0 rejected (37.4% NoWithVeto), Jae Kwon's AtomOne fork, a no-confidence vote against ICF leadership, and North Korean-linked developers contributing to the Liquid Staking Module. ATOM was named a security in SEC lawsuits against Binance and Kraken (both dropped without adjudication). Three critical IBC vulnerabilities were disclosed but patched without exploitation. Ecosystem health is declining with key projects departing.

Phantom Wallet is a self-custody, non-custodial cryptocurrency wallet developed by Phantom Technologies, Inc., headquartered in San Francisco. Originally launched in 2021 as a Solana-focused browser extension, it has expanded to support Ethereum, Bitcoin, Polygon, Base, and Sui across browser extensions and mobile apps, with approximately 15 million monthly active users and $25 billion in self-custodied assets as of early 2025. The company is well-funded and has engaged constructively with US regulators, though it faces an active civil lawsuit alleging a browser-extension security flaw, and its users have been materially targeted by phishing impersonators and fake app-store clones.

Ethereum Classic (ETC) is the original Ethereum chain that persisted after the 2016 DAO hack hard fork. It has suffered three documented 51% attacks totaling over $7M in double-spend losses (2019 and 2020), has minimal DeFi ecosystem depth (~$150K TVL), and faces unresolved governance controversy over the Olympia treasury proposal. Post-Merge hashrate improvements have raised the cost of attack substantially. Grayscale's ETCG trust is SEC-filed with ~$283M NAV. No explicit SEC/CFTC classification exists for ETC.

Monero (XMR) is a legitimate, open-source, community-funded privacy cryptocurrency launched in 2014 with no premine and a clean protocol-level security track record. However, it carries significant third-party risk: Archetyp Market ($267M, Monero-exclusive) was dismantled by DOJ/Europol in June 2025; $330M+ in stolen BTC was laundered via XMR in 2025; Binance, Kraken EEA, OKX, and 60+ exchanges have delisted it; and the EU AMLR bans CASP handling of privacy coins by July 2027. Former lead maintainer Riccardo Spagni faces 378 fraud/forgery charges in South Africa (pre-dating Monero).

Upbit is South Korea's largest cryptocurrency exchange by trading volume, operated by Dunamu and commanding approximately 70–80% of the domestic market. The exchange has suffered two significant security breaches — a $49M ETH theft in 2019 and a $36M Solana breach in November 2025, both attributed to North Korea's Lazarus Group — and has faced substantial regulatory sanctions including a $25M AML/KYC fine and a court-contested three-month partial business suspension. While Upbit has consistently reimbursed users from its own assets after security incidents and retains official VASP registration, its pattern of compliance failures, market dominance concerns, and repeated hacks present elevated risk.

On April 9, 2023, SushiSwap's RouteProcessor2 contract — deployed just one day earlier across 14 blockchain networks — was exploited due to a failure to validate user-supplied pool addresses, allowing an attacker to redirect token transfers from wallets that had approved the contract. Approximately $3.3 million (roughly 1,800 WETH) was drained, with a single high-profile victim (@0xsifu) accounting for the majority of losses. Whitehat security teams front-ran further exploitation and recovered over $750,000, while SushiSwap committed to making all affected users whole through a two-tier compensation process.

HTX, formerly Huobi Global, is one of the world's largest centralized cryptocurrency exchanges by trading volume, rebranded in September 2023 under the influence of TRON founder Justin Sun. On May 26, 2026, the UK Foreign, Commonwealth and Development Office designated Huobi Global S.A. — the Panama-registered legal entity behind the exchange — under Regulation 17A of the Russia (Sanctions) (EU Exit) Regulations 2019, making HTX the first major global crypto exchange to receive banking-style sanctions from UK authorities. Blockchain analytics firms TRM Labs and Elliptic documented over $4.9 billion in direct flows from HTX to sanctioned Russia-linked entities since 2021, and UK authorities allege the platform channeled over $1.5 billion to Russia through connections to previously sanctioned entities Garantex and the A7 payments network.

Starknet is a permissionless ZK-rollup Layer 2 network on Ethereum, developed by Israeli cryptography firm StarkWare Industries. It uses STARK-based validity proofs and the Cairo programming language to scale Ethereum throughput. The project launched its STRK token in February 2024 and reached L2Beat Stage 1 decentralization in May 2025, but has faced significant community criticism over its airdrop eligibility criteria and an early, aggressive token unlock schedule for investors and early contributors.

Blast is an Ethereum Layer 2 optimistic rollup that launched in November 2023, distinguished by its 'native yield' mechanism routing bridged ETH and stablecoins through Lido and MakerDAO respectively. Founded by Tieshun Roquerre ('Pacman'), the creator of the Blur NFT marketplace, Blast raised $20 million from Paradigm and others, attracted over $2 billion in TVL before its February 2024 mainnet launch, and airdropped the BLAST token in June 2024. The network has since experienced a dramatic decline, losing approximately 97% of its peak TVL and facing persistent criticism over centralization, lack of fraud proofs, a controversial airdrop distribution, and multiple high-profile exploits on ecosystem applications.

Raydium is a leading Solana-based automated market maker (AMM) and decentralized exchange (DEX) launched in February 2021 by a pseudonymous team. On December 16, 2022, a compromise of the protocol's admin private key enabled an attacker to drain approximately $4.4 million from eight liquidity pools; the stolen funds were subsequently laundered through Tornado Cash in January 2023. The team implemented a phased compensation plan and post-incident security upgrades, including migration of admin authority to a Squads multisig, but the incident exposed significant centralization risks that were not apparent prior to the exploit.

KyberSwap is a multi-chain decentralized exchange aggregator and concentrated liquidity protocol operated by Kyber Network. On November 22, 2023, its Elastic liquidity pool contracts were exploited via a sophisticated tick-manipulation and liquidity double-counting attack, resulting in approximately $48.8 million in losses across 13 chains. The alleged attacker, Canadian national Andean Medjedovic, subsequently attempted to extort full corporate and governance control of Kyber Network in exchange for returning 50% of stolen funds; he was indicted by the U.S. Department of Justice in February 2025 and remains a fugitive.

Gala Games is a blockchain gaming platform founded in 2019 by Eric Schiermeyer and Wright Thurston whose GALA token has been at the center of two major controversies: a 2023 civil lawsuit alleging Thurston stole 8.6 billion GALA tokens (~$130M) from company wallets, and a separate May 2024 smart contract exploit in which an unauthorized minter minted 5 billion tokens worth approximately $200M. Both co-founders have filed competing civil suits alleging misappropriation of hundreds of millions of dollars, while Thurston also faces an unrelated SEC fraud action over a separate crypto mining venture.

Celestia is a modular blockchain network that provides a dedicated data availability (DA) and consensus layer for rollups and application-specific chains, using data availability sampling to allow light nodes to verify block data without downloading full blocks. Developed by Celestia Labs and launched on mainnet on October 31, 2023, the project raised $155 million from prominent venture capital firms including Bain Capital Crypto and Polychain Capital. The project has faced significant controversy over its tokenomics, alleged insider token selling, and a 95%+ decline in the TIA token from its June 2024 all-time high of approximately $20.91.

Helium Mobile is a Mobile Virtual Network Operator (MVNO) launched by Nova Labs, Inc. in 2023, marketed as the world's first crypto-powered consumer cellular service. It provides coverage primarily via T-Mobile's wholesale 5G network, supplemented by a community-built Wi-Fi hotspot layer, and issues MOBILE token rewards to subscribers and hotspot operators. Parent company Nova Labs settled a $200,000 SEC fraud charge in April 2025 over misrepresentations made to investors about enterprise partnerships, while the MOBILE token has been deprecated in favor of HNT under community governance proposal HIP 138.

BitMEX (Bitcoin Mercantile Exchange) is a cryptocurrency derivatives exchange founded in 2014 by Arthur Hayes, Ben Delo, and Samuel Reed that pioneered the perpetual swap contract and at its peak was one of the largest crypto derivatives platforms in the world. In October 2020, the CFTC and DOJ charged the exchange and its co-founders with operating an unregistered trading platform and willfully failing to implement anti-money laundering and know-your-customer programs in violation of the Bank Secrecy Act. All three co-founders subsequently pleaded guilty, the exchange paid a $100 million civil settlement, and in March 2025 the founders and the corporate entity received presidential pardons from Donald Trump.

On February 4, 2021, an attacker exploited Yearn Finance's v1 yDAI vault using a multi-protocol flash loan to manipulate exchange rates in Curve Finance's 3pool, causing approximately $11 million in vault losses while the attacker personally profited roughly $2.8 million. Yearn Finance's security team contained the exploit within eleven minutes, preserving $24 million of the vault's $35 million under management. Yearn subsequently reimbursed affected depositors by minting 9.7 million DAI against YFI collateral in a MakerDAO vault, with the intent to repay the debt from ongoing protocol revenue.

Curve Finance is a major decentralized exchange (DEX) on Ethereum optimized for stablecoin and pegged-asset trading, operating since January 2020. On July 30, 2023, a latent vulnerability in the Vyper smart-contract compiler (versions 0.2.15, 0.2.16, and 0.3.0) was exploited across multiple Curve liquidity pools, draining approximately $70 million and triggering a near-systemic crisis when the resulting CRV price drop threatened to cascade-liquidate founder Michael Egorov's heavily collateralized on-chain loans. Roughly 73% of stolen funds were ultimately recovered or returned, and in December 2023 the Curve DAO voted to disburse approximately $49 million in compensation to affected liquidity providers.

Circle Internet Group (NYSE: CRCL) is the issuer of USDC, the second-largest stablecoin by market capitalization at approximately $78 billion in circulation as of May 2026. Circle operates under a strict court-order-only freeze policy that drew intense scrutiny following the April 2026 Drift Protocol hack, in which $232 million in USDC was bridged via Circle's own Cross-Chain Transfer Protocol (CCTP) over six hours without intervention, despite Circle being alerted within an hour. The resulting McCollum v. Circle class action, Drift's subsequent switch to USDT, on-chain analyst ZachXBT's documentation of $420 million in alleged prior missed freezes, and an AMLBot report showing Tether freezes assets at roughly 30 times Circle's rate have placed Circle's compliance posture at the center of a significant policy debate.

ZKsync is an Ethereum Layer 2 scaling protocol built on zero-knowledge rollup technology, developed by Matter Labs, which has raised approximately $458 million in venture capital. The protocol has faced multiple significant controversies including a $5 million airdrop contract exploit in April 2025, a contentious 2024 token airdrop marred by sybil attack failures and community backlash, a South Korean regulatory probe into alleged price manipulation, compromised social media accounts spreading false SEC investigation claims, and an intellectual property theft lawsuit filed against Matter Labs by defunct firm BANKEX. User funds in the core protocol have not been directly compromised, but the pattern of incidents has substantially eroded community trust.

Ankr is a Web3 infrastructure and liquid staking protocol founded in 2017, providing RPC endpoints for over 75 blockchains and BNB Chain-based liquid staking products. In December 2022, a former employee executed a supply chain attack that compromised Ankr's private deployer key, enabling unlimited minting of aBNBc tokens and resulting in approximately $5 million in direct losses, with cascading secondary losses of roughly $19 million through Helio Protocol's HAY stablecoin depeg. Ankr subsequently compensated affected users, implemented multi-signature controls, and continues to operate, though questions persist over the completeness of user reimbursement.

SushiSwap is a decentralized exchange (DEX) and DeFi protocol launched in August 2020 as a fork of Uniswap, offering an automated market maker (AMM), governance token (SUSHI), and multi-chain liquidity pools. The protocol has endured a series of serious controversies spanning its entire history: a founding exit-scam attempt by anonymous creator Chef Nomi, early operational control handed to convicted fraudster Sam Bankman-Fried, an SEC subpoena issued to the protocol and its CEO in 2023, a $3.3 million smart contract exploit the same year, allegations that North Korean IT workers were embedded in its developer team, disputed DAO treasury centralization in 2024, and a governance process in late 2025 where a single wallet controlled 99.9% of a vote. TVL has declined approximately 98.7% from its 2022 peak of over $8 billion to roughly $100 million as of late 2025.

Wormhole Bridge is a cross-chain messaging and token bridge protocol originally developed by Certus One, later owned by Jump Crypto, enabling asset transfers between Solana, Ethereum, and other blockchains. On February 2, 2022, an attacker exploited a signature verification flaw in the Solana-side smart contract to fraudulently mint 120,000 wrapped ETH (wETH) worth approximately $320–326 million without posting collateral, making it the second-largest DeFi exploit in history at the time. Jump Crypto replenished the stolen ETH within 24 hours to prevent ecosystem collapse, and a court-authorized counter-exploit in February 2023 recovered approximately $140 million of the remaining stolen funds.

Loopring is an Ethereum Layer-2 zkRollup-based decentralized exchange protocol founded in 2017 by Daniel Wang. The protocol suffered a critical June 2024 security breach in which an attacker compromised the Official Guardian two-factor authentication server, draining approximately $5 million from 58 smart wallet accounts. Subsequent to the hack, Loopring wound down its consumer wallet product, shut down DeFi services, lost listings on major exchanges including Binance, Upbit, and Bithumb, and saw its CEO resign in August 2025, leaving the project's long-term viability in serious question.

TD Bank is a major North American financial institution formed in 1955 from the merger of two Canadian banks. In October 2024, the bank faced historic penalties totaling over $3 billion after pleading guilty to money laundering conspiracy charges, resulting in severe business restrictions and regulatory oversight.

VeChain (VET) is an enterprise-focused Layer-1 blockchain founded by Sunny Lu (former CIO of Louis Vuitton China). Launched in 2015 as a subsidiary of Bitse, rebranded and mainnet launched in 2018. The VeChain Foundation's buyback wallet was hacked in December 2019 due to employee negligence, losing 1.1 billion VET (~$6.5M). The Foundation held 27.3% of total token supply as of September 2019. VeChain's official X account was compromised in January 2024 for a scam giveaway. The blockchain has built-in fund freezing capabilities. Enterprise partnerships include Walmart China, BMW, and UFC. VeChain was among the first to proactively comply with MiCAR regulations.

Ondo Finance is a real-world asset (RWA) tokenization protocol founded in 2021 by former Goldman Sachs executives Nathan Allman and Justin Schmidt. The platform offers tokenized exposure to U.S. Treasury securities (OUSG, USDY) and, since September 2025, a broader set of tokenized equities via Ondo Global Markets. The protocol held over $1.8 billion in TVL as of late 2025 and received formal notice in November 2025 that a two-year SEC investigation had been closed without charges.

1inch is a decentralized exchange (DEX) aggregator and liquidity protocol founded in 2019 by Sergej Kunz and Anton Bukov, operating across Ethereum and multiple EVM-compatible chains. The platform has experienced a series of security incidents between late 2024 and mid-2025, including a front-end supply chain attack, a private key compromise, a $5 million Fusion v1 resolver exploit, and a separate $5.87 million attack on a partner resolver — raising questions about operational security and smart contract lifecycle management. Additional concerns include alleged connections between co-founder Anton Bukov and the Russian FSS Academy, governance centralization risks, and sustained token value erosion since the 2021 peak.

HTX (formerly Huobi Global) is one of the world's largest cryptocurrency exchanges, rebranded in September 2023 following the de facto acquisition of Huobi by interests linked to Justin Sun in late 2022. The exchange has suffered at least three significant security incidents totaling over $130 million in losses since September 2023, and in May 2026 was sanctioned by the UK government for alleged facilitation of Russian sanctions evasion — the first such crypto-exchange designation under the UK Russia sanctions framework. HTX also faces FCA legal proceedings over illegal financial promotions to UK consumers, has withdrawn its Hong Kong licensing applications twice, and has been publicly criticized for opaque reserve practices.

Deribit is a crypto options and futures exchange founded in 2016 in the Netherlands by John and Marius Jansen, historically operated through a Panama-registered entity and now licensed under Dubai's VARA framework as Deribit FZE. The exchange suffered a $28 million hot wallet compromise on November 1, 2022, covering the loss entirely from its own balance sheet. Coinbase completed the acquisition of Deribit for approximately $2.9 billion on August 14, 2025, making it a subsidiary of a publicly traded, NASDAQ-listed U.S. company.

Flow is a layer-1 proof-of-stake blockchain created by Dapper Labs, the company behind NBA Top Shot and CryptoKitties, with FLOW as its native token. The project has faced a serious 2025 protocol-level exploit ($3.9M stolen), a controversial rollback proposal that drew community backlash, multiple rounds of company layoffs, a $4M securities class-action settlement, a separate $7.05M privacy lawsuit settlement, SEC investigation, and delisting from major South Korean exchanges following the breach. The FLOW token has lost over 99% of value from its April 2021 all-time high of $46.16, trading near $0.033 as of mid-2026.

Internet Computer (ICP) is a layer-1 blockchain protocol developed by the DFINITY Foundation, designed to host decentralized applications and web services natively on a distributed compute network. The protocol launched publicly in May 2021 and attracted significant controversy after its token lost approximately 95% of its value within weeks of listing, coinciding with on-chain evidence of large-scale token transfers from addresses linked to project insiders and the foundation treasury. Multiple class-action lawsuits alleging unregistered securities sales and market manipulation were subsequently dismissed on procedural grounds rather than their merits. The protocol remains operational with ongoing development activity, a 2026 tokenomics reform (Mission 70), and a ~$1.7 billion market capitalization as of May 2026.

Audius is a decentralized music streaming protocol and its native AUDIO token, launched in 2020 on Ethereum and subsequently migrated to Solana. On July 23, 2022, an attacker exploited a critical re-initialization vulnerability in Audius governance smart contracts, draining 18.56 million AUDIO tokens (valued at approximately $6 million at the time) from the community treasury before swapping them for approximately $1.08 million in ETH via Uniswap and routing funds through Tornado Cash. The platform has continued to operate since the exploit, deploying patched contracts and expanding user and artist partnerships, but the AUDIO token has declined approximately 99.6% from its all-time high and the exploit raised serious questions about audit quality.

Gate.io (rebranded to Gate.com in May 2025) is a major global cryptocurrency exchange founded in 2013 as Bter.com by Lin Han, currently incorporated in the Cayman Islands and serving over 52 million users across more than 4,600 assets. The exchange has faced significant scrutiny including an alleged undisclosed $230 million hack in 2018 attributed to North Korean state actors, a 2025 public notice from the Cayman Islands Monetary Authority (CIMA) confirming it has never been licensed in its ostensible home jurisdiction, and a pattern of user complaints regarding account freezes, withdrawal blocks, and a disputed $LA futures incident in 2025. The exchange publishes monthly proof-of-reserves reports audited by Hacken and holds licenses in several jurisdictions including Malta (MiCA), Dubai (VARA), Cyprus (CySEC), and Australia (AUSTRAC).

Solana is a high-performance blockchain platform that has experienced significant technical instability, ecosystem fraud, and regulatory challenges since its 2020 launch. While positioned as an "Ethereum killer," the network has suffered from multiple outages, massive meme coin scams, and legal scrutiny regarding its centralization and potential securities classification.

Bottled water contains significantly more micro- and nanoplastics than previously thought. Each time you screw a plastic bottle cap on and off, it generates 553 microplastic par…

Wormhole is a cross-chain messaging and token bridge protocol enabling interoperability across more than 30 blockchain networks, originally developed by Certus One and later backed by Jump Crypto. On February 2, 2022, Wormhole suffered a $326 million exploit — the largest hack in Solana ecosystem history at the time — when an attacker exploited a deprecated Solana function to forge guardian signatures and mint 120,000 wETH without locking any collateral. Jump Crypto immediately replenished the stolen funds to keep users whole, and the project subsequently raised $225 million at a $2.5 billion valuation, separated from Jump Trading as an independent entity, and launched the W governance token in April 2024; as of 2026, the stolen funds remain substantially unrecovered despite a partial $140 million counter-exploit via English court order.

Superteam is a community-run talent network and grant accelerator operating as the contributor layer of the Solana ecosystem, founded by Tanmay Bhat and Akshay BD and active across 23+ global chapters. The organization has been flagged for investigation by ZachXBT, though no published, verifiable ZachXBT post or report specifically naming Superteam as a fraudulent entity was located during this investigation; the exact nature and basis of that flag remains unconfirmed. Separately, Superteam Earn — the organization's public freelance bounty and job platform — operates within a segment of the Solana ecosystem that regulators, Google Cloud threat intelligence, and on-chain investigators have identified as systematically targeted by DPRK-linked IT workers using false identities.

THORChain is a decentralized cross-chain liquidity protocol built on the Cosmos SDK that enables native asset swaps across major blockchains without wrapped tokens. The protocol has suffered at least six significant security incidents since 2021, including a May 15, 2026 exploit in which a malicious validator node exploited a GG20 threshold signature scheme vulnerability to drain approximately $10.7–10.8 million across nine chains. THORChain has also faced documented use by the North Korean Lazarus Group as a primary money laundering channel, a $200 million insolvency crisis in early 2025 requiring a debt-to-equity restructuring, and ongoing questions about its permissionless design and unwillingness to block illicit flows.

Yearn Ether (yETH) is a liquid staking token aggregation vault developed by Yearn Finance, launched under YIP-72 as a self-governed, permissionless product. On November 30, 2025, the yETH weighted stableswap pool was exploited via an arithmetic underflow and stale cache vulnerability, resulting in approximately $9 million in losses — the third major security incident involving a Yearn product since 2021. Approximately $2.4 million was partially recovered; roughly $6.6 million remains unrecovered, with a significant portion laundered through Tornado Cash.

Drift Protocol is a decentralized perpetual futures exchange built on the Solana blockchain, founded in 2021 by Cindy Leow, David Lu, and co-founders. The protocol has experienced two significant security incidents: a $14.5 million PnL accounting bug in May 2022 triggered by the LUNA collapse (fully reimbursed), and a catastrophic $285–286 million exploit on April 1, 2026, attributed with medium-high confidence to the North Korean state-sponsored threat actor UNC4736 (also tracked as Lazarus Group, AppleJeus, and Citrine Sleet), which constituted the largest DeFi hack of 2026. A $295 million recovery plan involving Tether-led financing and user-issued recovery tokens was announced in May 2026; a class action lawsuit was simultaneously filed against Circle Internet Financial.

Hyperliquid suffered a documented ecosystem incident with reported losses of $37K on Arbitrum. This page tracks DeFiLlama's record of the event.

Curve Finance is a major decentralized exchange and automated market maker (AMM) on Ethereum, optimized for low-slippage swaps of pegged assets such as stablecoins. On July 30, 2023, several of its liquidity pools were drained of approximately $70 million due to a reentrancy vulnerability in the Vyper smart contract compiler (versions 0.2.15, 0.2.16, and 0.3.0), one of the largest DeFi exploits of 2023. Separately, founder Michael Egorov's practice of using large CRV holdings as loan collateral across multiple DeFi protocols created systemic risk that culminated in a $140 million liquidation event in June 2024, generating over $10 million in bad debt across connected protocols.

Yearn Finance is a decentralized yield aggregator on Ethereum that routes user deposits into lending protocols to maximize returns. Founded by Andre Cronje in 2020, the protocol has suffered at least four documented security exploits between 2021 and 2025, with aggregate losses exceeding $20 million, and its founder departed in 2022 citing sustained pressure from an SEC investigation. Governance concerns, an interconnected web of affiliated DeFi protocols implicated in their own major hacks, and repeated failures to deprecate vulnerable legacy code compound the protocol's risk profile.

LetsBonk.fun, later rebranded as Bonk.fun, is a Solana-based memecoin launchpad launched on April 25, 2025 by the BONK community in partnership with Raydium Protocol. The platform rose to capture over 78% of Solana launchpad market share at its mid-2025 peak before experiencing steep decline, and suffered a domain hijack and wallet-drainer attack in March 2026. The platform's permissionless token creation model, built-in multi-wallet bundler tooling, and community reports alleging the platform hosted 'KOL-backed bundled scams' present elevated risk for retail investors.

AFI Protocol (Artificial Financial Intelligence) is a DeFi infrastructure project building Proof-of-Reserve systems for Real-World Assets (RWAs) on Ethereum, offering yield-bearing ERC-4626 vaults backed by tokenized off-chain collateral. The protocol reported over $225 million in total value locked as of mid-2026 and maintains institutional partnerships with Multipli, Pendle, Morpho, and others. On May 30, 2026, the protocol suffered a $480,000 exploit targeting its afiUSD vault, with stolen funds partially laundered through Tornado Cash; recovery efforts were ongoing as of June 2026.

Faris Ali (legal name reported as Faris Hassan in court proceedings) is a UK teenager from Sheffield who, at age 16, orchestrated a violent home-invasion robbery in Hoxton, East London on June 17, 2024, in which three masked attackers posing as Amazon delivery couriers forced a victim at knifepoint to transfer over $4.3 million in cryptocurrency. Blockchain investigator ZachXBT publicly exposed Ali in October 2024 through on-chain forensics and leaked Telegram chat logs; the Metropolitan Police recovered nearly all stolen funds within 72 hours. Ali and two accomplices were sentenced to a combined 16 years in youth detention at Sheffield Crown Court in November 2025.

Meteora is a Solana-based decentralized exchange and liquidity protocol that originated from Mercurial Finance in early 2023. Its co-founder Benjamin Chow resigned in February 2025 amid allegations of insider manipulation across at least 15 token launches, including M3M3, LIBRA, MELANIA, ENRON, and TRUST. Two separate federal class-action lawsuits filed in the Southern District of New York allege that Chow, Meteora, and co-defendants Kelsier Labs LLC collectively orchestrated pump-and-dump schemes causing at least $69 million in investor losses.

LAB is a Dubai-based AI trading terminal project whose native token surged over 350% in 72 hours to a $6 billion fully diluted valuation in May 2026 before collapsing 77% on June 2, 2026, erasing roughly $6 billion in market value. On-chain investigator ZachXBT published findings in May 2026 alleging that insiders — including founder Vova Sadkov (Vladimir Sadkov) and co-founder Mark X — controlled over 95% of the token's circulating supply through opaque OTC loans, unilateral vesting changes, and coordination with Bitget exchange infrastructure. No formal regulatory action has been confirmed as of June 2026; Sadkov and the LAB team did not issue a public rebuttal to the allegations.

ApeMars (APRZ) was an ERC-20 meme token that raised $532,969.34 from 1,884 presale investors across 23 stages before listing on Uniswap on June 6, 2026. On June 7, 2026, the APRZ/WETH price collapsed 99.95% — from $0.00580 to $0.00000032 — in minutes across only 11 trades as ETH was removed from the Uniswap liquidity pool, consistent with a coordinated liquidity drain. The project's official X account was suspended simultaneously, no team statement has been issued as of the investigation date, and approximately $532K in raised presale funds remain unaccounted for.

Syscoin Bridge is the cross-chain bridge infrastructure connecting Syscoin's UTXO chain and its Network Enhanced Virtual Machine (NEVM) EVM-compatible layer. In June 2026, an attacker exploited a proof-validation parsing flaw in the bridge relay, minting approximately 5 billion unauthorized SYS tokens valued at roughly $10 million and inflating the circulating supply by an estimated 568 percent. The bridge was paused immediately and the attacker subsequently returned the funds following private whitehat negotiations, though the incident raised serious questions about audit coverage of the relay component.

PlusToken was a cryptocurrency Ponzi scheme that defrauded an estimated 3 million investors of between $2 billion and $3 billion in digital assets.

Bitget is a centralized cryptocurrency exchange founded in 2018 and registered in the Seychelles, serving a self-reported user base in the tens of millions and recording $8.17 trillion in derivatives trading volume in 2025. Since April 2026, on-chain investigator ZachXBT has publicly alleged that Bitget functions as a node in a 'Chinese CEX cartel,' enabling a pattern of insider token supply manipulation across at least four named tokens (RAVE, RIVER, SIREN, and LAB) while naming Bitget's non-public-facing founder Shawn Liu as the alleged operative behind the schemes. No regulatory enforcement action had been filed as of June 2026, and neither Bitget nor Liu had publicly responded to the allegations.

On January 31, 2026, Step Finance, a Solana-based portfolio tracking and DeFi analytics platform, suffered a treasury theft in which an attacker drained approximately 261,854 SOL (valued at roughly $27.3 million at the time) after compromising executive team devices and seizing staking authority over protocol wallets. The incident led to a 93% collapse in the STEP governance token price and ultimately forced the permanent shutdown of Step Finance and its affiliated projects SolanaFloor and Remora Markets by February 24, 2026.

Shunda Park was an industrial-scale pig-butchering fraud compound located in Min Let Pan, Karen State, Myanmar, operated by Chinese criminal networks and employing over 3,500 workers from nearly 30 nations. The compound ran fraudulent cryptocurrency investment schemes targeting Americans and other international victims from at least early 2024 until its seizure by the Karen National Liberation Army in November 2025. The U.S. Department of Justice charged two Chinese national managers with wire fraud conspiracy in April 2026 and restrained over $701 million in related cryptocurrency.

Xinbi Marketplace (also known as Xinbi Guarantee) is a Chinese-language, Telegram-based illicit crypto marketplace that has processed an estimated $24.2 billion in total transaction volume since 2022, making it one of the largest known illicit online marketplaces ever tracked. Operating as an informal escrow provider and vendor platform primarily serving pig-butchering scam networks in Southeast Asia, it was sanctioned by the UK Foreign, Commonwealth and Development Office on 26 March 2026 — the first country-level sanction against the platform — under the Global Human Rights sanctions regime. The operator is formally incorporated as 'Xinbi Co., Ltd' in Colorado, USA, though its actual operations are believed to be based in the Golden Triangle region of Southeast Asia.

On June 5, 2026, Shielded Labs publicly disclosed a critical soundness bug in the Zcash Orchard shielded pool's zero-knowledge proof circuit that had existed undetected since Orchard's activation in May 2022. The flaw — an under-constrained element in the halo2_gadgets elliptic-curve multiplication gadget — could have allowed an attacker to mint unlimited counterfeit ZEC inside the shielded pool with no on-chain trace. An emergency hard fork (NU6.2) was deployed on June 3, 2026, patching the circuit before public disclosure, though Zcash's privacy architecture structurally prevents retrospective confirmation that no exploitation occurred during the four-year exposure window.

LAB is a multi-chain AI trading terminal token that launched its TGE in October 2025 and surged over 350% to a $6 billion fully diluted valuation in early May 2026 before crashing more than 65%. On-chain investigator ZachXBT published findings alleging that insiders control approximately 95% of the token supply, that 100 million LAB tokens worth roughly $480 million were withdrawn from Bitget to 10 freshly created wallets within a 12-hour window, and that the team orchestrated a coordinated retail extraction scheme involving OTC discount deals, unilateral vesting extensions, unpaid marketing obligations, and coercive KOL agreements. No public denial or response has been issued by the project's founders.

Rain Protocol (RAIN) is a decentralized prediction market infrastructure protocol built on Arbitrum that reached approximately $8.8–9 billion in fully diluted valuation by early June 2026, positioning it briefly among the top 15 cryptocurrencies globally. On June 5, 2026, on-chain investigator ZachXBT published findings alleging that addresses linked to the RAIN team share transaction trails with wallets connected to the failed Data Ownership Protocol (DOP) and TOMI projects, both previously linked to Israeli entrepreneur Moshe Hogeg, who faces criminal fraud charges in Israel. ZachXBT characterized the token as a likely insider-controlled pump with 99.97% of circulating supply held by 81 wallets and offered a $100,000 bounty for documentation of centralized exchange market manipulation; Rain Protocol had not issued a public response as of the date of these reports.

Humanity Protocol is a blockchain-based decentralized identity platform founded by Terence Kwok that uses palm-vein biometrics and zero-knowledge proofs to verify unique personhood. The project raised $50 million at a $1.1 billion valuation from institutional investors including Pantera Capital and Jump Crypto, and launched its $H token in June 2025. In June 2026, attackers drained approximately $32–36 million from the project via a compromised employee laptop holding multiple multisig private keys; on-chain investigator ZachXBT alleged the incident may have been staged, claims the team has not publicly rebutted with independent verification.

Morocoin Tech Corp., Berge Blockchain Technology Co. Ltd., Cirkor Inc., AI Wealth Inc., Lane Wealth Inc., AI Investment Education Foundation Ltd., and Zenith Asset Tech Foundation are seven entities charged by the SEC on December 22, 2025 (Case No. 1:25-cv-04102, D. Colo.) with defrauding at least $14 million from U.S. retail investors in a coordinated pig-butchering and AI-themed investment confidence scheme operating from January 2024 through January 2025. The scheme used WhatsApp-based fake investment clubs, deepfake social media advertisements, fabricated AI-generated trading signals, and counterfeit trading platforms that conducted no actual trading, followed by advance fee demands to further extract funds from victims attempting withdrawals.

Amnokgang Technology Development Company is a North Korean state-controlled IT firm established in 1982 and headquartered in Pyongyang. The U.S. Treasury's Office of Foreign Assets Control (OFAC) sanctioned it on March 12, 2026, for managing overseas DPRK IT worker delegations that allegedly generated nearly $800 million in illicit revenue in 2024 to fund North Korea's weapons of mass destruction programs. Seven cryptocurrency addresses across Ethereum and Tron networks were designated, with TRM Labs reporting over $12 million in tracked on-chain transactions through those addresses.

Cheil Credit Bank, also known as First Credit Bank and formerly as Kyongyong Credit Bank, is a North Korean state-controlled financial institution headquartered in Pyongyang with representative offices in Beijing, Shenyang, and Shanghai. First designated by OFAC in September 2017 under Executive Order 13810 for operating in North Korea's financial services sector, the bank was dramatically re-expanded on November 4, 2025, when OFAC added 53 cryptocurrency addresses to its Specially Designated Nationals listing, linking it to over $12.7 million in USDT-TRC20 flows between June 2023 and May 2025 — funds attributed primarily to DPRK overseas IT workers and cybercrime proceeds destined for the regime's weapons programs.

TraderTraitor (also tracked as UNC4899, Jade Sleet, Slow Pisces, and PUKCHONG) is a North Korean state-sponsored cyber threat cluster operating under the Reconnaissance General Bureau (RGB), formally designated by the FBI, CISA, and U.S. Treasury as responsible for stealing billions of dollars in cryptocurrency from blockchain companies, exchanges, and developers since at least 2020. The cluster is most prominently attributed to the February 2025 Bybit heist — the largest cryptocurrency theft in history at approximately $1.5 billion — as well as the May 2024 DMM Bitcoin theft ($308 million), the July 2023 JumpCloud supply chain attack, and the April 2022 Ronin Network compromise ($620 million). Chainalysis estimates North Korean actors, dominated by TraderTraitor operations, stole $2.02 billion in 2025 alone, pushing their all-time attributed total to approximately $6.75 billion since 2017.

Citrine Sleet (also tracked as AppleJeus, Gleaming Pisces, UNC4736, and Labyrinth Chollima) is a North Korean state-sponsored threat cluster attributed to Bureau 121 of the Reconnaissance General Bureau (RGB), active since at least 2018. The group specializes in financially motivated cyberattacks against cryptocurrency exchanges, DeFi protocols, and developer toolchains, deploying trojanized trading applications, supply chain compromises, and zero-day exploits to steal digital assets. Chainalysis estimates DPRK-linked actors have stolen at least $6.75 billion in cryptocurrency since 2016, with Citrine Sleet/UNC4736 operations accounting for multiple hundred-million-dollar individual incidents including the April 2026 Drift Protocol exploit ($285 million) and the October 2024 Radiant Capital breach ($50 million).

The DPRK IT Worker Network is a state-directed, multi-year operation run by the North Korean government that places thousands of fraudulently credentialed software developers inside U.S. and global technology and crypto companies using stolen identities, fake personas, and U.S.-based facilitators. Workers generate hundreds of millions of dollars annually in illicit wages funneled back to Pyongyang to fund weapons of mass destruction and ballistic missile programs, and have escalated to data theft and extortion. The operation has drawn DOJ indictments of dozens of individuals across multiple enforcement waves (2024–2026), OFAC sanctions designating front companies and facilitators in China, Vietnam, Laos, Russia, and Spain, and FBI warnings to private industry.

Beginning approximately January 2, 2026, blockchain investigator ZachXBT flagged an active, automated campaign draining hundreds of wallets across at least a dozen EVM-compatible chains, with over $107,000 stolen in mostly sub-$2,000 increments consolidated into a single aggregation address (0xAc2e5153170278e24667a580baEa056ad8Bf9bFB). The root cause was not confirmed at the time of ZachXBT's initial disclosure; suspected vectors included token-approval abuse, malicious signature exploits, a fake-MetaMask phishing email campaign, and possible spillover from the Trust Wallet browser-extension supply-chain compromise of December 2025. This entry serves as a consumer-protection warning and on-chain address flag.

OKX NFT Aggregator is the NFT marketplace and aggregation layer of OKX, one of the world's largest crypto exchanges, supporting over 21 blockchains and 32 aggregated markets. The product has been implicated in a smart contract storage-collision exploit (June 2024), operates within an exchange that pleaded guilty to U.S. AML violations and agreed to a $504 million DOJ settlement (February 2025), and saw its parent DEX aggregator suspended in March 2025 after North Korea's Lazarus Group used the broader OKX Web3 infrastructure to launder approximately $100 million from the Bybit hack. ZachXBT has flagged the entity in the context of these broader OKX platform concerns.

Jump Trading is a Chicago-based proprietary trading firm founded in 1999, operating one of the largest high-frequency trading operations globally across futures, equities, fixed income, FX, and cryptocurrency markets. Its crypto division, Jump Crypto, became a major force in DeFi infrastructure between 2021 and 2023, co-developing Wormhole, Pyth Network, and the Firedancer Solana validator client. The firm has faced significant regulatory and legal exposure: its subsidiary Tai Mo Shan settled with the SEC in December 2024 for $123 million over TerraUSD manipulation, the Terraform bankruptcy administrator filed a $4 billion civil lawsuit in December 2025 naming Jump and individual executives, and a separate CFTC investigation was reported in 2024 with no public resolution as of mid-2026.

DAO Maker is a crypto fundraising and launchpad platform founded in 2018 by Christoph Zaknun and Giorgio Marciano, known for its Strong Holder Offering (SHO) and Dynamic Coin Offering (DYCO) mechanisms. The platform suffered two confirmed exploits in August and September 2021 totaling approximately $11 million in losses, affecting over 5,200 users. A promised multi-phase compensation plan was subsequently undermined by an alleged governance vote manipulation, leaving a significant portion of hack victims unreimbursed as of 2024.

On September 25, 2020, the KuCoin cryptocurrency exchange suffered a major security breach in which hackers obtained the private keys to the exchange's hot wallets and stole approximately $281 million in Bitcoin, Ethereum, ERC-20 tokens, and other assets — the largest exchange hack of 2020. KuCoin subsequently recovered approximately 84% of stolen funds through on-chain tracking, project-team token swaps, and law enforcement cooperation, with the remaining 16% covered by the exchange's insurance fund. The hack was attributed to North Korea's Lazarus Group by blockchain analytics firm Chainalysis; separately, in March 2024 the U.S. Department of Justice criminally charged KuCoin and two of its founders for operating an unlicensed money transmitting business and Bank Secrecy Act violations, resulting in a $297.4 million guilty plea settlement in January 2025.

dYdX V3 was a decentralized perpetual futures exchange built on Ethereum using StarkWare's StarkEx Layer-2 technology, operated by dYdX Trading Inc. The platform suffered a $9 million insurance fund drain in November 2023 due to an alleged coordinated market manipulation attack targeting YFI and SUSHI markets, a DNS hijacking attack in July 2024, and a software supply chain compromise in September 2022. The V3 product was formally sunset on October 28, 2024, with trading migrated to the dYdX Chain (V4) on Cosmos.

Compound V2 is a legacy Ethereum-based decentralized lending protocol launched in May 2019 and formally deprecated in December 2025 in favor of Compound V3 (Comet). The protocol has experienced a series of material incidents including a ~$80M COMP token distribution bug in October 2021, a $89M oracle-driven liquidation cascade in November 2020, a confirmed website hijack flagged by ZachXBT in July 2024, a social media phishing hack in 2023 that resulted in $4.4M in losses, and an alleged governance attack in July 2024 in which a whale coordinated the passage of a $24M treasury transfer. V2 is now in wind-down mode with new borrows and mints paused.

OKX DEX is the decentralized exchange aggregator operated by OKX (Aux Cayes FinTech Co. Ltd.), one of the world's largest centralized crypto exchanges. In December 2023, the DEX suffered a ~$2.7 million exploit caused by a suspected private key leak and a centralized proxy upgrade mechanism with no multi-signature protection. The broader OKX entity has faced severe regulatory sanctions including a $504 million U.S. DOJ settlement in February 2025 for operating an unlicensed money-transmitting business and facilitating over $5 billion in suspicious transactions, a €1.1 million Malta AML fine, and repeated scrutiny over its DEX aggregator being used by North Korea's Lazarus Group to launder stolen funds from the $1.5 billion Bybit hack in early 2025.

The BSC Token Hub, BNB Chain's cross-chain bridge connecting BNB Beacon Chain and BNB Smart Chain, was exploited on October 6, 2022 via a forged IAVL Merkle proof that allowed an attacker to mint approximately 2 million BNB valued at roughly $566–570 million. Rapid validator coordination halted the chain and froze most funds on BSC, limiting the attacker's realized gain to an estimated $137 million, though the incident exposed deep structural centralization concerns about BNB Smart Chain's 21-validator Proof of Staked Authority model.

Bitfinex is a cryptocurrency exchange and Tether (USDT) is the world's largest stablecoin by market capitalization, both operated under the parent company iFinex Inc., incorporated in the British Virgin Islands. The two entities have faced multiple significant regulatory actions, including an $18.5 million settlement with the New York Attorney General over alleged concealment of an $850 million loss, a $42.5 million CFTC fine for misrepresenting USDT reserve backing, and an ongoing DOJ bank-fraud investigation. Tether's USDT reached approximately $188 billion in circulation as of May 2026, and the company engaged KPMG for its first full reserve audit in March 2026.

Bitcoin Mission is an entity that has been flagged by on-chain investigator ZachXBT, though the specific nature, founding, and full scope of the entity could not be independently verified through publicly available Tier 1 or Tier 2 sources at the time of this investigation. Multiple unrelated legitimate entities share the name 'Bitcoin Mission' (including a Christian-focused Bitcoin podcast and a GitHub organization), making disambiguation difficult. The trust score of 25 reflects the ZachXBT flag combined with the absence of verifiable public transparency about the entity.

DAO Maker Vesting refers to the smart contract infrastructure operated by DAO Maker, a crypto launchpad platform, that was compromised in two separate exploits in 2021 resulting in combined losses of approximately $11 million. The August 2021 incident drained $7 million in USDC from 5,251 user accounts via a compromised admin private key, and a second exploit in September 2021 extracted approximately $4 million from vesting contracts via an unauthenticated init() function vulnerability. Victims allege that DAO Maker has failed to honor its full compensation commitments over three years after the hacks, with governance manipulation alleged to have been used to cancel the USDR reimbursement program.

Aguilar v. Baton Corporation Ltd. (Case No. 1:25-cv-00880, S.D.N.Y.) is an active federal class action alleging that Pump.fun, Solana Labs, the Solana Foundation, and named executives operated a coordinated racketeering enterprise — referred to as the 'Solana-Pump.Fun Racketeering Enterprise' — that rigged its memecoin launchpad to benefit insiders while marketing it as a fair platform to retail investors. Plaintiffs allege aggregate retail losses between $4 billion and $5.5 billion, while the platform collected an alleged $722 million in fees. As of early 2026, defendants have filed motions to dismiss the Second Amended Complaint; no ruling on those motions has been publicly reported as of June 2026.

Changpeng Zhao (CZ), born February 10, 1977, is the founder and former CEO of Binance, the world's largest cryptocurrency exchange by trading volume. On November 21, 2023, Zhao pleaded guilty to a federal charge of failing to implement an effective anti-money laundering (AML) program under the Bank Secrecy Act, as part of a landmark $4.3 billion resolution between Binance and U.S. federal regulators. He was sentenced to four months in federal prison in April 2024, served that term, and was subsequently pardoned by President Donald Trump in October 2025.

Terra 2.0 (LUNA) is a replacement blockchain launched in May 2022 by Terraform Labs following the catastrophic collapse of the original Terra network and its algorithmic stablecoin TerraUSD (UST), which erased approximately $40–60 billion in market value in one week. The project's founder, Do Kwon, was arrested in March 2023, found liable for securities fraud in a U.S. civil trial in April 2024, pleaded guilty to wire fraud and conspiracy in August 2025, and was sentenced to 15 years in federal prison in December 2025. Terraform Labs itself filed for Chapter 11 bankruptcy in January 2024 and received court approval to wind down operations by September 2024, leaving Terra 2.0 as a severely diminished chain with minimal developer activity and an approximately 79% year-over-year decline in token value.

Justin Sun is the founder of the TRON blockchain and TRX token, and the controlling figure behind HTX (formerly Huobi) and Poloniex exchanges. In March 2023, the U.S. Securities and Exchange Commission charged Sun and three of his companies with fraud, market manipulation through wash trading, unregistered securities offerings, and orchestrating an undisclosed celebrity promotion scheme; the case partially settled in March 2026 with Rainberry Inc. paying a $10 million penalty while claims against Sun personally were dismissed. Sun has faced additional scrutiny including a reported FBI/DOJ criminal investigation, UK sanctions against an HTX entity over alleged Russia-linked transactions, a $114 million hot-wallet hack at Poloniex in November 2023, and disputed claims of diplomatic immunity through a Grenada WTO ambassadorship he held until mid-2022.

Solana MEV sandwich bots are automated programs that exploit Solana's transaction ordering mechanisms to front-run and back-run retail user trades, extracting an estimated $370 million to $500 million from users between January 2024 and May 2025. The practice has drawn enforcement responses from the Solana Foundation, Jito Labs, and Marinade Finance, and is the subject of an active federal class-action lawsuit in the Southern District of New York naming Pump.fun, Solana Labs, and related entities. While coordinated countermeasures reduced attack profitability by an estimated 60-70% in 2025, attacks continue and disproportionately harm memecoin traders using high slippage settings on Raydium and Pump.fun.

An industrial-scale pattern of fraud on the Solana blockchain exploits the Token-2022 Permanent Delegate extension, a legitimate feature that grants a mint-level authority the unconditional ability to burn or transfer any holder's tokens without their signature. First publicly documented in September 2024 by a Jupiter Core Working Group member, the exploit has since scaled into an automated rug pull factory pattern where scammers burn victim tokens seconds after purchase. RugCheck.xyz identifies the Permanent Delegate extension as a significant risk indicator on a substantial fraction of newly launched Solana tokens.

Bitcoin Latinum (LTNM) is a cryptocurrency token launched in 2020 by Donald G. Basile through his companies GIBF GP, Inc. and Monsoon Blockchain Corporation. In April 2026, the U.S. Securities and Exchange Commission charged Basile with orchestrating a $16 million investor fraud scheme, alleging he raised funds through Simple Agreements for Future Tokens (SAFTs) using fabricated insurance coverage claims and nonexistent asset-backing structures, then diverted millions to personal expenses. The token, which peaked near $9,336 in December 2021, has since collapsed to near zero, and multiple civil lawsuits from defrauded investors preceded the SEC action.

Blur Finance (ticker: BLR) was a yield aggregator DeFi protocol that operated on BNB Chain and Polygon in mid-2022. In August 2022, developers allegedly executed a textbook rug pull, withdrawing approximately $600,000 from user-deposited funds before deleting all social media channels and abandoning the project. The BLR token collapsed 99%, and the protocol's smart contracts on both chains have since been formally flagged on BscScan and PolygonScan as rug pull addresses.

Donald G. Basile, founder of Bitcoin Latinum (LTNM) and CEO of Monsoon Blockchain Corporation, was charged by the SEC on April 17, 2026 with defrauding hundreds of U.S. investors of approximately $16 million through a SAFT offering that relied on fabricated insurance claims, a phantom asset-backed trust, and misrepresentations about how investor funds would be used. The token launched on overseas exchanges in October 2021 and subsequently collapsed by more than 90%, and the SEC alleges Basile diverted investor proceeds to personal real estate, credit card expenses, and a $160,000 horse while no underlying fund was ever created.

A family of increasingly sophisticated wallet-drainer toolkits targeting the Solana ecosystem that weaponize legitimate Solana protocol features — Blinks (blockchain action links), durable nonces, and the system 'assign' instruction — to bypass the transaction-simulation safety layer that most Solana wallets rely on as their primary defense. Documented in detail by security researchers from February 2024 onward and materially escalated in late 2025 and early 2026, these kits are distributed as scam-as-a-service products supporting 90+ wallet types; losses attributable to Solana phishing reached approximately $90 million in H1 2025 alone, before the simulation-bypass generation was widely deployed. A state-level durable-nonce attack on Drift Protocol (April 2026) demonstrated that the same primitive can scale to $285 million in a single operation.

In February 2026, Malwarebytes researcher Stefan Dasic documented a live fraudulent cryptocurrency presale site promoting a non-existent token called 'Google Coin.' The operation deployed a custom AI chatbot impersonating Google's Gemini assistant — using its sparkle icon, green 'Online' indicator, and name — to deliver scripted investment pitches, fabricated institutional endorsements from OpenAI, Binance, Coinbase, Squarespace, and SpaceX, and personalized return projections (e.g. $395 presale investment projected to become $2,755 at listing). Victims were directed to send irreversible cryptocurrency payments to six wallets spanning Bitcoin, Ethereum, Solana, TRON, and XRP Ledger. Google has never issued a cryptocurrency; the token, the chatbot persona, and all associated endorsements were entirely fabricated.

An industrialized, automated address poisoning campaign targeting Ethereum users accelerated sharply after the Fusaka protocol upgrade on December 3, 2025 reduced gas fees approximately sixfold, removing the prior economic barrier to mass-scale dust-transaction attacks. Security firm ScamSniffer documented at least $62.25 million in confirmed losses across two high-profile victims in December 2025 and January 2026 alone, while Blockaid flagged over 65.4 million poisoning transactions since January 2025 averaging 160,000 per day. The campaign represents a commercial, industrialized threat infrastructure sold as a service on Telegram rather than a single threat actor, and is ongoing as of the research date.

Arthur Hayes is the co-founder and former CEO of BitMEX, one of the world's largest cryptocurrency derivatives exchanges, who pleaded guilty in 2022 to a Bank Secrecy Act violation and received two years' probation and a $10 million fine, before being granted a full presidential pardon by Donald Trump in March 2025. He now operates as CIO of Maelstrom, his family office and investment fund, which manages a venture portfolio of over 30 crypto projects alongside a $250 million private equity vehicle targeting crypto infrastructure firms. In June 2026, on-chain investigator ZachXBT alleged that Hayes used his large public following as exit liquidity by promoting tokens — including HYPE, ZEC, NEAR, and WLD — and then exiting those positions within days; Hayes denied the characterization but the controversy attracted sustained industry scrutiny.

Detailed analysis of Monad\

MOTHER (ticker: MOTHER) is a Solana-based memecoin launched on May 28, 2024 by Australian rapper Iggy Azalea (legal name Amethyst Amelia Kelly). The token peaked at a market capitalization of approximately $136–200 million in mid-June 2024 before declining roughly 99.5% to approximately $1.3 million by May 2026. On May 5, 2026, plaintiff Kenneth Kolbrak filed a federal class action against Azalea in the U.S. District Court for the Southern District of New York, alleging she misled consumers about the token's real-world utility through promises regarding an online casino (MOTHERLAND), a telecommunications integration (Unreal Mobile), and a luxury marketplace (DreamVault) that allegedly were not delivered as represented; all claims in that suit are allegations and remain unadjudicated.

Flooring Protocol (fp.io) is an Ethereum-based NFT fractionalization platform that converts non-fungible tokens into fungible micro-tokens (μTokens and fpTokens) pegged to collection floor prices. The protocol launched in October 2023, was exploited twice — once in December 2023 (~$1.6M stolen) and again in June 2026 (~$570K in NFTs rescued by a Yuga Labs white-hat team — and entered formal sunset mode in September 2025 after liquidity and organizational failures. At the time of the June 2026 incident, the protocol was effectively defunct with a TVL of approximately $9.51.

Comprehensive guide to offshore crypto exchanges lacking proper regulatory oversight

PiggyBank Protocol is a Solana-based DeFi yield platform offering delta-neutral funding-rate arbitrage vaults across USDC, JitoSOL, and tokenized stock (xStocks) assets. On or around June 6, 2026 the protocol disclosed that a mid-cap basis trade involving locked LAB tokens had failed, producing NAV declines of approximately 15%, 12%, and 9% across its three active vaults. On-chain investigator ZachXBT publicly alleged that the protocol had exposed depositor funds to a token he characterized as a scam with over 95% insider-controlled supply, raising serious risk-management and disclosure concerns that remain unresolved as of the investigation date.

A fraudulent mobile application impersonating Hyperliquid, the decentralized perpetuals exchange, was identified on the Google Play Store in November 2025 by on-chain investigator ZachXBT. The app, published under the developer name 'Tvtion Inc.', replicated Hyperliquid's branding and interface to harvest users' seed phrases, transmitting them to an external server. An Ethereum address linked to the operation has been associated with thefts exceeding $281,000; Hyperliquid has never released an official mobile application, making any such listing inherently fraudulent.

Vitalik Buterin is the legitimate co-founder of Ethereum and is not himself a scam actor. However, his name, likeness, and social media presence constitute one of the most heavily weaponized impersonation surfaces in crypto. Documented threats include a September 2023 SIM-swap of his X account (linked to Pink Drainer, resulting in ~$691K stolen from followers), persistent fake giveaway livestreams on YouTube, thousands of fraudulent Instagram accounts, and an escalating campaign of AI-generated deepfake videos distributing wallet-drainer phishing links.

MEXC is a centralized cryptocurrency exchange founded in 2018, incorporated in Seychelles, that has accumulated a significant regulatory record across multiple jurisdictions including warnings or cease orders from authorities in Hong Kong, Germany, Belgium, Japan, Estonia, and South Korea. The exchange gained widespread notoriety in late 2025 after on-chain investigator ZachXBT amplified user reports of frozen funds, including a high-profile case in which a trader known as 'The White Whale' had approximately $3 million frozen without adequate explanation, eventually prompting a public apology from the exchange's Chief Strategy Officer. MEXC's parent entity MEXC Global Ltd was struck off by the Seychelles registry in August 2023, dissolved in December 2024, and never obtained a license under the Seychelles VASP Act 2024, leaving its current operational and legal standing opaque.

KelpDAO is a liquid restaking protocol built on EigenLayer, founded in 2023, that issues rsETH as a yield-bearing liquid restaking token. On April 18, 2026, attackers attributed to North Korea's Lazarus Group (TraderTraitor / UNC4899) exploited a single-point-of-failure DVN configuration on KelpDAO's LayerZero bridge to drain 116,500 rsETH worth approximately $292 million — the largest single DeFi exploit of 2026. The attack triggered $13.21 billion in DeFi TVL outflows within 48 hours and precipitated an industry-wide bailout coalition called DeFi United, which ultimately restored rsETH to full backing by May 25, 2026.

No verifiable information about an entity named 'Burgeleth' was found across any indexed web source as of May 2026. Exhaustive searches across news outlets, blockchain explorers, social media platforms, regulatory databases, domain registries, and crypto-specific intelligence sources (ZachXBT, Chainalysis, Scam Sniffer) returned zero results matching this name in a crypto or financial context. The slug may refer to an extremely obscure or newly created entity, an alternate spelling of a different entity, or a name that has not yet generated any publicly indexed presence.

WazirX is an Indian cryptocurrency exchange co-founded in 2018 by Nischal Shetty, Sameer Mhatre, and Siddharth Menon that suffered the largest crypto hack in Indian history on July 18, 2024, when approximately $234.9 million in user assets were stolen from a Gnosis Safe multisig wallet via a sophisticated supply-chain-style attack attributed by Elliptic, ZachXBT, and a joint US-Japan-South Korea government statement to North Korea's Lazarus Group. The hack triggered suspension of all withdrawals, a Singapore court-supervised restructuring process in which users are expected to recover approximately 55% of their assets, and ongoing regulatory and law enforcement scrutiny in India.

Trust Wallet is a widely-used non-custodial mobile and browser cryptocurrency wallet, originally acquired by Binance in 2018 and later divested as an independent entity. It has been the subject of multiple documented security incidents spanning 2022–2025, including a critical WebAssembly entropy vulnerability (CVE-2024-23660), a supply-chain compromise of its Chrome extension in December 2025 that resulted in approximately $8.5 million in user losses, and a historical low-entropy key generation flaw exploited in 2023. Blockchain investigator ZachXBT flagged the December 2025 browser extension incident and documented hundreds of victims.

Sui is a Layer 1 blockchain developed by Mysten Labs, launched in May 2023 and built on the Move programming language. The network suffered one of the largest DeFi exploits of 2025 when Cetus Protocol — its primary DEX — was drained of approximately $223 million in May 2025, triggering a controversial emergency validator vote to freeze and reclaim stolen funds that exposed deep centralization concerns. Separately, ZachXBT investigated a $29 million SUI token theft in late 2024 involving Tornado Cash laundering and subsequently announced in July 2025 that he would no longer take Sui ecosystem cases due to inadequate incident-response infrastructure and lack of support from the ecosystem.

Ethena is a DeFi protocol founded in 2023 by Guy Young that issues USDe, a synthetic dollar stablecoin backed by delta-neutral perpetual futures hedges on centralized exchanges. The protocol reached $14 billion in supply at its 2025 peak before contracting sharply to approximately $5.9 billion following a flash crash in October 2025 and BaFin's enforcement action that forced Ethena GmbH to cease EU operations. Multiple concerns have been raised including: a German regulatory shutdown citing MiCA breaches and alleged unregistered securities offerings via sUSDe; insider airdrop farming allegations involving 180 million foundation-controlled ENA tokens; two separate security incidents (Discord hack July 2024 and domain registrar compromise September 2024); and structural risks tied to funding rate volatility, exchange counterparty exposure, and an undersized reserve fund relative to protocol TVL.

EigenLayer is a legitimate Ethereum restaking protocol operated by Eigen Labs that became a high-value target for phishing campaigns, wallet drainer attacks, and social engineering in 2024 following the launch of its EIGEN token. In October 2024 alone, the protocol's official X account was compromised to promote a fake airdrop resulting in at least $800,000 lost by one victim, and a separate email-based social engineering attack redirected approximately $5.7 million in locked investor tokens to an attacker's wallet. EIGEN holders and restakers face an elevated and persistent threat surface from impersonation sites, fake airdrop claims, and token-approval drainer schemes that exploit the protocol's name and brand recognition.

Crypto.com is a Singapore-headquartered centralized cryptocurrency exchange founded in 2016 (originally as Monaco) by Kris Marszalek, Bobby Bao, Gary Or, and Rafael Melo. The platform has been subject to multiple serious security incidents, including a confirmed January 2022 hack in which $34 million was stolen via a 2FA bypass and laundered through Tornado Cash, and an alleged 2023 data breach linked to the Scattered Spider hacking group that the company did not publicly disclose to affected users. Blockchain investigator ZachXBT has publicly accused Crypto.com of governance manipulation and tokenomics fraud, citing the March 2025 reissuance of 70 billion CRO tokens that had been permanently burned in 2021, and the company's controversial 2020 forced swap from its original MCO token to CRO at unfavorable rates.

Circle Internet Group is the issuer of USDC, the second-largest USD-pegged stablecoin by market capitalization. Circle has faced sustained criticism from blockchain investigator ZachXBT and others for its policy of refusing to freeze USDC linked to hacks or scams without a formal court order or law enforcement mandate, which critics allege has allowed over $420 million in illicit funds to flow freely since 2022. The company went public on the NYSE in June 2025 under the ticker CRCL and received conditional OCC approval for a national trust bank charter in December 2025.

Cointelegraph is a major legitimate cryptocurrency news outlet that has been a victim of two distinct infrastructure compromises. In January 2024, attackers breached its email service provider MailerLite and sent phishing emails to subscribers using Angel Drainer malware, resulting in estimated losses of $580,000 to over $700,000 across affected platforms. In June 2025, attackers separately compromised Cointelegraph's banner advertising system to serve Inferno Drainer-linked pop-ups promoting a fake CTG token airdrop to site visitors.

Porkbun LLC is a legitimate ICANN-accredited domain registrar founded circa 2014-2015, headquartered in Sherwood, Oregon, and managing over 3.45 million domains. While the company is not itself a scam operation, it has attracted scrutiny from the crypto security community — including on-chain investigator ZachXBT — for hosting phishing infrastructure linked to Angel Drainer and Inferno Drainer wallet-draining services, including fake Ledger sites. Third-party tracking platforms document hundreds of flagged phishing domains registered through Porkbun and allege that the company's abuse-response enforcement has been inadequate, with a majority of reported domains remaining active after formal abuse reports.

Coinbase (NASDAQ: COIN) is the largest publicly listed cryptocurrency exchange in the United States, founded in 2012 and regulated across multiple jurisdictions. Despite its regulated status, the platform has been the subject of significant documented concerns: a May 2025 insider-enabled data breach affecting approximately 70,000 users with estimated remediation costs of $180–400 million, ongoing documented losses exceeding $300 million per year from social engineering scams targeting Coinbase users (as reported by blockchain investigator ZachXBT), a $100 million AML compliance settlement with the NYDFS in 2023, and controversies surrounding its Base Layer-2 blockchain including a disputed token launch and a contentious departure from the Optimism OP Stack ecosystem.

Cardano (ADA) holders face a persistent and multi-vector threat landscape that includes deepfake giveaway scams impersonating founder Charles Hoskinson, social media account hijackings used to promote fraudulent tokens, phishing campaigns distributing credential-stealing malware disguised as wallet software, and NFT-based wallet drainers. The Cardano Foundation's own X account was compromised in December 2024, resulting in the promotion of a fake token and false regulatory claims. State-sponsored actors including the North Korean Lazarus Group have also targeted ADA holders through the Atomic Wallet supply chain attack.