Avoid your next
big mistake

Seedify (Seedify.fund) is a blockchain gaming incubator and IDO/IGO launchpad founded in February 2021 by Levent Cem Aydan, operating on BNB Chain, Ethereum, and Avalanche with its native SFUND token. The platform suffered a critical $1.2–1.7 million bridge exploit in September 2025 attributed by ZachXBT and CZ (Binance) to the North Korean DPRK-affiliated 'Contagious Interview' hacking campaign, causing SFUND to collapse approximately 80–99% and affecting approximately 64,000 token holders. The platform's SFUND token has declined more than 99% from its November 2021 all-time high of approximately $17.67, and the project has been flagged by ZachXBT in connection with the on-chain forensics tying the exploit to state-sponsored theft infrastructure.

FOOM Cash (foom.cash) is a pseudonymous, privacy-focused decentralized lottery protocol built on Ethereum and Base, marketed as an 'upgraded Tornado Cash' using zk-SNARKs cryptography. On February 26, 2026, the protocol suffered a $2.26 million exploit caused by a critical deployment error in its Groth16 trusted setup — a flaw publicly known from an identical exploit on Veil Cash days earlier that the team failed to patch. The team had been silent for approximately three months prior to the attack and was subsequently flagged as a notable risk by AVOID.NET due to compounding concerns: anonymous founders, serious operational negligence, misleading post-incident communications, and unverifiable audit claims.

Ranger Finance was a Solana-based perpetual contract aggregator that raised $1.9M in seed funding in January 2025 and launched its RNGR token in January 2026. Within two months of token launch, community governance voted to liquidate the project treasury following allegations that the team made materially misleading claims about trading volume and revenue during its ICO. The project formally shut down in May 2026 after the treasury liquidation and approximately $900,000 in exposure from the DPRK-linked Drift Protocol exploit left operations unsustainable, with employees and vendors not fully compensated.

Ooki Protocol (formerly bZx Protocol) is a decentralized margin trading and lending protocol on Ethereum that was the subject of the first-ever CFTC enforcement action against a DAO, resulting in a 2023 default judgment ordering the protocol to cease operations and pay $643,542 in penalties. The protocol suffered four separate security incidents between 2020 and 2021 totaling over $64 million in losses, including a $55 million phishing-based hack attributed by Kaspersky to the North Korean state-linked BlueNoroff group. Following the CFTC judgment, the Ooki DAO's website was ordered shut down and the protocol has been effectively defunct.

Gate.io (formerly Bter.com) is a centralized cryptocurrency exchange founded in 2013 by Han Lin, serving over 30 million users across 224 countries. The exchange has been flagged by on-chain investigator ZachXBT for allegedly concealing a $230 million hack attributed to North Korean state-sponsored hackers (Lazarus Group) that occurred in April 2018 and was never publicly disclosed to users. Additional concerns include a manipulated futures price feed incident causing millions in user losses in 2025, an AML-based ban by India's Financial Intelligence Unit in 2024, persistent user complaints about frozen withdrawals, and alleged wash trading activity inflating reported volumes.

Pickle Finance was an Ethereum-based DeFi yield aggregator launched in September 2020 that suffered a critical smart contract exploit on November 21, 2020, resulting in the theft of approximately 19.76 million DAI (roughly $19.7 million) from its pDAI PickleJar. The exploit, known as the 'Evil Jar Attack,' combined three design flaws in unaudited contract code and led to a 50% collapse in the PICKLE token price, with hack proceeds later laundered through Tornado Cash. The protocol subsequently merged with Yearn Finance but never meaningfully recovered; it officially announced its shutdown in 2025 with the UI disabled on October 1, 2025.

Solana MEV sandwich bots are automated programs that exploit Solana's transaction ordering mechanisms to front-run and back-run retail user trades, extracting an estimated $370 million to $500 million from users between January 2024 and May 2025. The practice has drawn enforcement responses from the Solana Foundation, Jito Labs, and Marinade Finance, and is the subject of an active federal class-action lawsuit in the Southern District of New York naming Pump.fun, Solana Labs, and related entities. While coordinated countermeasures reduced attack profitability by an estimated 60-70% in 2025, attacks continue and disproportionately harm memecoin traders using high slippage settings on Raydium and Pump.fun.

xToken (XTK) was a DeFi protocol offering wrapped staking tokens and liquidity management on Ethereum, founded by Michael J. Cohen in 2020. The protocol suffered two major flash loan exploits in 2021 — a $24.5 million attack in May and a $4.5 million attack in August — resulting in total losses exceeding $29 million and the permanent retirement of its flagship xSNX product. The XTK governance token subsequently lost approximately 99.84% of its value, and compensation paid to victims was significantly below the amounts stolen.

StableMagnet was a stablecoin yield and DEX protocol launched on Binance Smart Chain (BSC) that executed a deliberate rug pull on June 23-24, 2021, stealing approximately $27 million in USDT, USDC, and BUSD from over 1,000 users. The team concealed a malicious backdoor by substituting an unverified SwapUtils library for the one shown in publicly audited source code — a novel attack vector that exposed a critical gap in how block explorers verify linked library code. Following an anonymous white-hat investigation and Manchester police arrests, most of the stolen funds were eventually returned by late 2022.

Spartan Protocol is a decentralized liquidity and synthetic-asset protocol that launched on Binance Smart Chain (BSC) in 2020 and was operated by a fully anonymous, community-driven team. On May 2, 2021, a critical vulnerability in the protocol's liquidity-share calculation logic was exploited via flash loan, resulting in approximately $30 million in stolen funds — ranking it among the largest DeFi exploits of that era. The protocol attempted a v2 rebuild with re-audited contracts but has since fallen to near-zero TVL and market cap, with no meaningful development activity recorded after 2024.

Trenton Richard David Johnston is a 19-year-old Canadian national indicted by a federal grand jury in the Southern District of Florida on May 11, 2026, on charges of conspiracy to commit wire fraud and conspiracy to commit money laundering. Johnston allegedly led a support-impersonation scheme targeting cryptocurrency users that caused losses exceeding $13 million. He was residing in the United States unlawfully on an overstayed visa and is alleged to have spent over $1 million in stolen funds on luxury vehicles, jewelry, and nightlife in Miami.

Kelsier Ventures (also operated as Kelsier Labs LLC) is a Delaware-registered crypto venture capital and marketing firm controlled by the Davis family — Hayden Davis (CEO), Gideon Davis (COO), and Tom Davis (Chairman) — with Charles Thomas Davis also named in litigation. The firm is a co-defendant in two active federal class-action lawsuits in the U.S. District Court for the Southern District of New York alleging it served as the marketing and execution arm for a coordinated serial pump-and-dump scheme spanning at least 15 Solana-based memecoins, including MELANIA, LIBRA, M3M3, ENRON, and TRUST, resulting in alleged investor losses exceeding $69 million across the five focal tokens and an estimated $251–280 million in LIBRA alone. Hayden Davis publicly admitted to sniping both the MELANIA and LIBRA tokens, and blockchain analytics firm Bubblemaps documented on-chain evidence linking Davis-controlled wallets to more than $100 million in alleged liquidity extraction.

Riscoin is an alleged cryptocurrency copy-trading investment scheme operated under the corporate umbrella of League of Seagull Ltd. and its associated brand Seagull Alliance. On May 14, 2026, the Philippine Securities and Exchange Commission issued a cease-and-desist order against Riscoin, Riscoin Exchange, Riscoin Trading, League of Seagull Ltd., and Seagull Alliance for soliciting unregistered securities and operating a fraudulent, Ponzi-like scheme. Multiple regulators in New Zealand, Australia, and the Philippines have independently warned the public against the platform, and the scheme is alleged to have collapsed in May 2026 when withdrawal fees were raised to 99.8 percent, effectively blocking all investor redemptions.

ElementalDeFi is a Solana-based DeFi fund and lending platform founded in September 2022 that offers yield products including Elemental Lend, the Geyser Fund, and the Geodium Fund. On April 7, 2026, blockchain investigator ZachXBT publicly disclosed that an individual identified as Keisuke Watanabe — an alleged North Korean IT operative — had been employed at the project for multiple years, and that the same individual served as CTO at the related Solana DEX Stabble. As of May 22, 2026, ElementalDeFi has issued no public response, audit findings, or remediation plan, leaving unresolved the risk that the operative may have introduced backdoors or malicious code into the protocol's production smart contracts.

Stabble is a Solana-based decentralized exchange (DEX) that specializes in stablecoin liquidity pools. On April 7, 2026, onchain investigator ZachXBT publicly identified the protocol's former CTO, operating under the name Keisuke Watanabe, as an alleged North Korean DPRK IT operative who had also worked at Solana DeFi project ElementalDeFi. Following the disclosure, Stabble's new management team issued an emergency alert urging all liquidity providers to withdraw funds immediately, citing the unquantified risk of planted backdoor code; TVL collapsed 62% within hours and the protocol halted operations pending fresh security audits.

A coordinated international law enforcement operation announced on April 29, 2026, dismantled at least nine cryptocurrency investment fraud compounds operating across Southeast Asia and Dubai, resulting in 276 arrests and the restraint of over $701 million in cryptocurrency. The operation was led by Dubai Police in cooperation with the FBI, China's Ministry of Public Security, and Royal Thai Police, targeting 'pig-butchering' romance fraud schemes operated by three alleged criminal organizations—Ko Thet Company, Sanduo Group, and Giant Company—whose compounds employed trafficked workers held under coercive conditions. The U.S. Department of Justice charged six defendants in the Southern District of California, and separately charged two Chinese nationals for managing the Shunda compound in Myanmar; related OFAC sanctions targeted a Cambodian senator and 28 associates for protecting scam compound networks.

Meteora is a Solana-based decentralized exchange and liquidity protocol, originally founded as Mercurial Finance before rebranding in 2023. Its co-founder Benjamin Chow resigned in February 2025 amid allegations that the platform's infrastructure was used to orchestrate coordinated pump-and-dump schemes across at least 15 tokens including LIBRA, MELANIA, M3M3, ENRON, and TRUST, causing an estimated $69 million or more in retail investor losses. Multiple class-action lawsuits are active in the Southern District of New York asserting fraud, RICO violations, and market manipulation; the protocol also issued a $4.2 million MET token airdrop to wallets linked to the Trump team hours after the amended complaint was filed, with all tokens immediately sent to OKX.

John Daghita, age 25, known online as 'Lick,' is a US national arrested on March 4, 2026, on the Caribbean island of Saint Martin in a joint FBI and French Gendarmerie operation. He is alleged to have stolen more than $46 million in cryptocurrency from wallets managed by the US Marshals Service through insider access tied to CMDSS, a Virginia-based private contractor operated by his father, Dean Daghita. Following his public identification by blockchain investigator ZachXBT in January 2026, Daghita launched the $LICK meme coin on Pump.fun while allegedly controlling approximately 40% of total supply; the token surged before crashing 97%, and Pump.fun delisted it mid-trading.

A fraudulent meme coin operating under the ticker ERICTRUMP launched on Pump.fun (Solana) on May 16, 2025, surging approximately 6,200% to a peak market cap of $160 million before collapsing to roughly $30,000 in a confirmed rug pull. No affiliation with Eric Trump was established. The deployer wallet, partially identified on-chain by the prefix 'BjTm', had previously deployed at least three other failed Eric Trump-themed tokens on Pump.fun, indicating a serial impersonation operation. Blockchain analytics firm Bubblemaps issued a public pre-collapse warning citing greater than 80% supply concentration in ten wallets.

Vulcan Forged is a UK-based blockchain gaming studio and NFT marketplace operating on Polygon and its own Elysium Layer-1 blockchain, best known for VulcanVerse and its native PYR token. In December 2021 the platform suffered one of the largest gaming-sector hacks on record: an attacker exploited Vulcan Forged's servers to extract private keys from 96 semi-custodial wallets, stealing approximately 4.5 million PYR tokens then valued at roughly $140 million. The platform subsequently refunded affected users from its treasury and pledged to migrate to non-custodial wallets, but the incident exposed fundamental centralization and custodial risks in its architecture.

Parity Multisig was a multi-signature wallet implementation developed by Parity Technologies, founded by Ethereum co-founder Gavin Wood. The software suffered two catastrophic security failures in 2017: a July hack in which 153,037 ETH (approximately $30–32 million at the time) was stolen from three Ethereum project wallets via an unguarded initialization function, and a November incident in which GitHub user devops199 accidentally triggered a self-destruct on the shared library contract, permanently freezing 513,774 ETH (approximately $150–280 million at the time) across 587 wallets. The frozen funds have never been recovered, and the July 2017 attacker resumed laundering stolen ETH through the exchange eXch in May 2024 after seven years of inactivity.

Portal (PORTAL) is a Web3 gaming platform and cross-chain token project that launched on Binance Launchpool on February 29, 2024, reaching an all-time high of approximately $4.41 before collapsing over 99% to below $0.01 by late 2025. The project has been flagged due to concerns including extreme token holder concentration, a low audited code coverage percentage, a pre-seed investor price roughly 30x below the listing price creating immediate sell pressure, active phishing and wallet-drainer campaigns impersonating the project, and a partially anonymous founding team. No formal regulatory action by the SEC, CFTC, or DOJ has been publicly confirmed as of May 2026.

pNetwork is a cross-chain bridge and interoperability protocol built on the pTokens architecture, enabling assets to move between Bitcoin, Ethereum, BNB Chain, and other networks via wrapped synthetic tokens. The protocol has suffered two major security incidents — a September 2021 pBTC-on-BSC hack losing approximately $12 million, and a November 2022 pGALA incident that triggered a $28 million lawsuit by Gala Games and Huobi alleging pNetwork's own engineers caused the vulnerability through a leaked private key, then allegedly profited from a self-described 'white hat' rescue. As of 2025, the PNT governance token trades at a fraction of its 2021 peak and the protocol operates with negligible market capitalization and trading volume.

The DAO was a decentralized autonomous organization launched on the Ethereum blockchain in April 2016 that raised approximately $150 million in Ether — the largest crowdfunding to date at the time — before being drained of 3.6 million ETH (roughly $50–60 million) on June 17, 2016, via a reentrancy vulnerability in its smart contract code. The hack triggered an acrimonious debate over blockchain immutability and led to a contentious hard fork of the Ethereum network on July 20, 2016, splitting it into Ethereum (ETH) and Ethereum Classic (ETC). In 2017 the U.S. SEC concluded that DAO tokens constituted unregistered securities, marking a landmark regulatory precedent for the entire crypto industry.

BONK.fun (also styled LetsBonk.fun) is a Solana-based meme coin launchpad that launched on April 25, 2025, as a joint initiative between the BONK community and the Raydium protocol, enabling no-code token creation with automatic BONK buyback-and-burn mechanics. On March 11–12, 2026, the platform suffered a domain hijack via social engineering against its domain registrar; attackers deployed a wallet drainer disguised as a fake terms-of-service modal, resulting in approximately $30,000 in confirmed losses before the site was taken offline. The platform relaunched on March 19–20, 2026, with a 110% refund commitment to affected users and enhanced security measures.

MAP Protocol is a cross-chain omnichain infrastructure project founded in 2019, issuing the MAPO token and operating the Butter Bridge for cross-chain asset transfers. On May 21, 2026, an attacker exploited an abi.encodePacked hash-collision vulnerability in Butter Bridge V3.1's retry-message path, minting approximately 1 quadrillion MAPO tokens — roughly 4.8 million times the legitimate circulating supply — causing a 96% token price collapse and extracting approximately $290,000 in combined ETH and liquidity. MAP Protocol subsequently paused all bridge operations and announced plans to patch, audit, and redeploy the bridge infrastructure.

Coincheck is a Tokyo-based cryptocurrency exchange that suffered what was, at the time, the largest cryptocurrency hack in history on January 26, 2018, when approximately 523 million NEM (XEM) tokens valued at roughly $534 million were stolen from a low-security hot wallet. The exchange was operating without a Financial Services Agency (FSA) license at the time of the breach, had failed to implement standard multisignature security for NEM holdings, and received multiple business improvement orders from Japanese regulators in the aftermath. Coincheck was subsequently acquired by Monex Group in April 2018, obtained its FSA license in January 2019, and listed on the Nasdaq in December 2024 via a SPAC merger under the ticker CNCK.

dForce Lending (operating as Lendf.Me) is a Chinese-founded DeFi lending protocol that suffered a landmark ~$25 million ERC-777 reentrancy exploit in April 2020 — one of the largest DeFi hacks of that year — and a second reentrancy attack in February 2023 that drained $3.65 million. In both incidents, stolen funds were ultimately returned after the attackers were identified or negotiated with. The protocol has also faced persistent allegations of plagiarizing Compound Finance's open-source smart contract code without attribution, and a 2021 ConsenSys Diligence audit flagged centralised owner controls capable of draining user funds. ZachXBT has flagged dForce as a high-risk entity.

KuCoin is a global cryptocurrency exchange founded in 2017 that has accumulated one of the most serious regulatory and security records in the industry. The exchange suffered a $285 million hot-wallet hack in September 2020 attributed to North Korea's Lazarus Group, and in January 2025 pleaded guilty to operating an unlicensed money transmitting business in the United States, agreeing to pay over $297 million in fines and forfeitures and exit the US market for at least two years. On-chain investigator ZachXBT has publicly alleged that KuCoin continues to enable illicit fund flows by ignoring victim and law enforcement requests.

Eminence Finance (EMN) was an unfinished, unaudited NFT gaming protocol being developed by Yearn Finance founder Andre Cronje that was exploited on September 29, 2020, resulting in the theft of approximately $15 million in DAI from its bonding curve contracts. The contracts had never been officially announced or released to the public, but community members discovered and deposited into them after Cronje's cryptic tweets; the attacker returned $8 million to Cronje's deployer address but $7 million was never recovered. The incident became a defining case study in DeFi's 'degen' culture and the risks of deploying unaudited smart contracts to Ethereum mainnet.

Dritan Kapllani Jr. is an 18-year-old US-based individual publicly identified by on-chain investigator ZachXBT on May 12, 2026, as allegedly responsible for approximately $19 million in cryptocurrency social engineering thefts spanning August 2025 through March 2026. He is named as 'Co-Conspirator 1' in a federal criminal complaint (case no. 26-cr-20181, S.D. Fla.) unsealed May 11, 2026, charging associates Trenton Richard David Johnston and Brandon Michael Tardibone, though Kapllani himself had not been formally charged as of May 15, 2026. Following ZachXBT's public exposure, Kapllani allegedly moved $2.59 million in funds into harder-to-freeze assets through a newly created wallet.

Harvest Finance is a decentralized yield-aggregation protocol (token: FARM) that suffered a landmark $33.8 million flash loan-based price manipulation attack on October 26, 2020, one of the largest DeFi exploits of that year. Pre-attack, the protocol held over $1 billion in TVL while being governed by a single anonymous admin key—a concentration of power flagged by multiple security auditors and researchers. The protocol continues to operate with substantially reduced TVL (~$12 million as of 2025), though the stolen funds were never recovered and the attacker was never publicly identified or charged.

Yearn Finance is a decentralized yield aggregator on Ethereum that routes user deposits into lending protocols to maximize returns. Founded by Andre Cronje in 2020, the protocol has suffered at least four documented security exploits between 2021 and 2025, with aggregate losses exceeding $20 million, and its founder departed in 2022 citing sustained pressure from an SEC investigation. Governance concerns, an interconnected web of affiliated DeFi protocols implicated in their own major hacks, and repeated failures to deprecate vulnerable legacy code compound the protocol's risk profile.

LuBian (lubian.com) was a China-based Bitcoin mining pool that briefly ranked among the world's six largest before ceasing operations in early 2021. The pool is alleged to have functioned as a money laundering vehicle for Chen Zhi's Prince Group, a transnational criminal organization that operated forced-labor pig-butchering scam compounds in Cambodia. In October 2025, the U.S. Department of Justice announced the largest forfeiture in its history — approximately 127,271 BTC (~$15 billion) — directly linked to LuBian and Chen Zhi's criminal enterprise.

Compounder Finance was an Ethereum-based DeFi yield aggregator that launched in November 2020 and executed a deliberate rug pull approximately 22 days later, stealing between $10.8 million and $12.5 million from investors. Anonymous developers embedded hidden 'Evil Strategy' smart contracts behind a publicly visible but unmonitored 24-hour timelock, then drained all user funds and deleted the project's website and social media accounts. No funds were recovered and the perpetrators have never been publicly identified.

Value DeFi (formerly YFValue/YFV) was a DeFi yield aggregation and AMM protocol that suffered three documented security exploits between August 2020 and May 2021, resulting in combined losses of approximately $24 million. Beyond the technical failures, the project was found to have used a paid actress from Fiverr to impersonate a co-founder named 'Anna Tanaka,' raising severe concerns about team identity, transparency, and intent. The VALUE token is effectively defunct, trading at a fraction of a cent with a near-zero market cap.

BlockFills (operated by Reliz Technology Group Holdings, Inc.) was a Chicago-based institutional cryptocurrency trading and lending firm that processed $61.1 billion in volume in 2025 before filing for Chapter 11 bankruptcy in the U.S. Bankruptcy Court for the District of Delaware on March 15, 2026. The firm suspended client withdrawals and deposits on February 11, 2026, amid approximately $75 million in accumulated lending losses, and subsequently faced two civil lawsuits alleging misappropriation of customer assets and commingling of client funds with company funds. At the time of filing, BlockFills reported assets of $50 million to $100 million against liabilities of $100 million to $500 million, with approximately $145 million in general unsecured obligations.

LAB is the native token of an AI-powered multi-chain trading terminal that launched via a Binance Wallet exclusive Token Generation Event in October 2025. In May 2026, on-chain investigator ZachXBT published two investigations alleging that insiders controlled more than 95% of the token supply, coordinated a pump to a $6 billion fully diluted valuation, and withdrew approximately 100 million LAB tokens worth $480 million through 10 freshly created wallets before the price crashed more than 65%. The alleged scheme involved a BVI-registered shell company, predatory OTC loan agreements, unilateral vesting changes, and on-chain links to a broader pattern of exchange-facilitated supply-control manipulation attributed to an unknown market maker operating primarily through Bitget.

BlockDAG Network (BDAG) is a cryptocurrency project that ran a presale from December 2023 through February 2026, claiming to raise over $442 million, though its CEO stated publicly the actual figure was approximately $200 million. On-chain investigator ZachXBT and a DL News investigation have alleged that the project's true co-founder, Gurhan Kiziloz, operated behind the scenes while using a paid frontman as public CEO, transferred presale funds through Middle Eastern OTC brokers, and commingled at least $25 million in presale proceeds from BlockDAG and a sister project (ZKP) to pay influencers promoting Kiziloz's casino venture. Following its February 2026 token launch, BDAG fell approximately 99.98% from its all-time high within two months.

DSJEX (DSJ Exchange PTY Ltd) and its sister recruitment platform BG Wealth Sharing LTD operated for approximately twelve months as a coordinated fake AI trading platform and multi-level marketing Ponzi scheme, collapsing in late April and early May 2026 with estimated investor losses exceeding $150 million. The scheme attracted victims through promises of 1.3%–2.6% daily returns, a fabricated CEO persona, and MLM referral commissions, while operators ran simulated trading on a fraudulent backend. Following a U.S. domain seizure and law enforcement action on April 23, 2026, operators laundered over $92 million across Ethereum and Tron before a coordinated effort by on-chain investigator ZachXBT, Tether, Binance, OKX, and U.S. law enforcement froze $41.5 million in stolen funds.

The Verus-Ethereum Bridge is a cross-chain asset transfer protocol connecting the Verus blockchain to Ethereum, launched in October 2023. On May 18, 2026, a critical validation flaw in the bridge's checkCCEValues function was exploited, allowing an attacker to drain approximately $11.58 million in assets — comprising 103.6 tBTC, 1,625 ETH, and 147,000 USDC — at a cost of roughly $10 in transaction fees. All stolen funds were converted to approximately 5,402 ETH and subsequently moved through Tornado Cash.

Echo Protocol is a Bitcoin liquidity aggregation and yield infrastructure protocol operating on the Monad and Aptos blockchains, offering liquid staking, restaking, and cross-chain DeFi services through its wrapped Bitcoin asset eBTC. On May 19, 2026, the protocol suffered a critical admin key compromise on its Monad deployment, enabling an attacker to mint approximately 1,000 unauthorized eBTC tokens worth $76.7 million and borrow $3.45 million in WBTC through the Curvance lending protocol, ultimately laundering roughly $822,000 through Tornado Cash. The incident exposed severe centralized access-control failures in a protocol marketed as trustless Bitcoin DeFi infrastructure.

Alpha Finance Lab (later rebranded to Alpha Venture DAO, then Stella) is a DeFi protocol best known for its leveraged yield farming product Alpha Homora. On February 13, 2021, Alpha Homora V2 was exploited for approximately $37.5 million via a sophisticated attack that required insider knowledge of an unannounced smart contract, draining funds from its Iron Bank (Cream Finance) integration. By March 2023, the protocol had repaid less than 2% of the resulting $32 million debt to Iron Bank despite a formal repayment agreement, triggering a second crisis in which user funds were frozen.

EasyFi was a Layer 2 DeFi lending protocol operating on Polygon Network, forked from Compound Finance, that suffered one of the largest DeFi hacks of 2021 when an attacker compromised the CEO's MetaMask admin keys on April 19, 2021, stealing approximately $81 million in EASY tokens and stablecoins. The protocol attempted a hard fork and compensation plan, but a significant portion of token holders on decentralized exchanges alleged they remained uncompensated, and community members raised concerns about transparency, censorship of dissent, and the fundamental security failure of managing over $100 million in assets through a single admin key held in a browser extension. ZachXBT has flagged EasyFi as a high-risk entity.

Uranium Finance was a Binance Smart Chain-based automated market maker (AMM) that was exploited twice in April 2021, resulting in total losses of approximately $54.7 million. The larger exploit on April 28, 2021, drained roughly $53.3 million across 26 liquidity pools due to a mathematical error in its forked Uniswap v2 pair contracts; the protocol subsequently shut down permanently. In March 2026, U.S. authorities indicted Jonathan Spalletta, a Maryland resident, on computer fraud and money laundering charges in connection with both attacks, after previously seizing approximately $31 million in cryptocurrency in February 2025.

Meerkat Finance was a Binance Smart Chain yield-vault protocol that launched on March 3, 2021 and was drained of approximately $31.56 million in BUSD and BNB less than 24 hours later. On-chain evidence indicates the project's own deployer address executed the exploit, pointing to an intentional exit scam rather than an external hack. A developer identifying as 'Jamboo' subsequently claimed the drain was a 'trial' testing user greed, promised full refunds, and approximately 95% of funds were eventually recovered under heavy pressure from Binance and the BSC community.

PAID Network is an Ethereum-based DeFi launchpad and legal-contract protocol whose native PAID token suffered a catastrophic infinite mint exploit on March 5, 2021, resulting in approximately 59.5 million tokens being minted and ~2,040 ETH (~$3 million at the time) extracted before the team intervened. Significant on-chain evidence and community investigators raised allegations that the attack was an insider job or was enabled by gross negligence over a known vulnerability, though the team maintained it was an external private-key compromise. The token has since declined over 99% from its all-time high and retains a negligible market capitalization as of 2025-2026.

y00ts is a generative art NFT collection of 15,000 pieces created by Rohun Vora (known as 'Frank') and DeLabs, originally launched on Solana in September 2022. The project became notable not only for its peak valuations during the 2022 NFT boom but for an unusually turbulent migration history — leaving Solana for Polygon with a $3M grant, then abandoning Polygon for Ethereum after just four months and returning the grant, before ultimately migrating back to Solana in 2024. The project's credibility has been repeatedly questioned by its community following these pivots, the founder's May 2025 resignation, and a disputed wallet breach incident.

Rari Capital was a DeFi yield-aggregation and lending protocol launched in July 2020 by teenage co-founders Jai Bhavnani, Jack Lipstone, and David Lucid. It suffered two major security exploits — a $11 million hack in May 2021 and an $80 million reentrancy hack in April 2022 — and subsequently merged with Fei Protocol to form Tribe DAO before winding down in 2022. In September 2024, the SEC secured final court judgments against the company and all three co-founders for misleading investors and operating as unregistered brokers.

Popsicle Finance is a cross-chain automated yield optimization protocol, launched in March 2021, that suffered a critical $20.7 million exploit in August 2021 due to a reward-tracking vulnerability in its Sorbetto Fragola pools. The protocol is part of Daniele Sestagalli's 'Frog Nation' ecosystem alongside Wonderland (TIME) and Abracadabra Money (MIM), which was later engulfed in a major scandal when the treasury manager of Wonderland was revealed to be Michael Patryn, a convicted felon and co-founder of the fraudulent QuadrigaCX exchange. The project subsequently rebranded as WAGMI in 2023 but remains a high-risk entity given the severity of the 2021 exploit, the laundering of stolen funds through Tornado Cash, and the broader Frog Nation governance failures.

Poly Network was a cross-chain interoperability protocol launched in August 2020 by Neo, Ontology, and Switcheo. It suffered the largest DeFi hack in history in August 2021 (~$611M stolen, nearly all returned), followed by a second exploit in July 2023 (~$10M realized losses) attributed to compromised multisig private keys. The protocol permanently shut down all services on September 30, 2024.

bEarn.fi (BearnFi) is a Binance Smart Chain-based cross-chain yield farming and algorithmic stablecoin protocol that launched in late 2020. On May 16, 2021, an attacker exploited a smart contract denomination mismatch to drain approximately $10.85 million in BUSD from the protocol's bVaults via a flash loan attack. The project subsequently became inactive, with its native BFI token recording no price data after mid-2023 and a market capitalization of effectively zero. The entity has been flagged by ZachXBT.

PancakeBunny (Bunny Finance) was a Binance Smart Chain yield-optimizer developed by the anonymous team MOUND (Mound Inc.), which received a $1.6 million seed round led by Binance Labs in April 2021. The protocol suffered three separate exploits across 2021–2022 totaling over $127 million in losses, including a $45 million flash loan attack in May 2021, a $2.4 million polyBUNNY exploit on Polygon in July 2021, and an $80 million hack of its affiliated lending protocol Qubit Finance in January 2022. The BUNNY token has lost more than 99% of its all-time high value, the protocol transitioned to a DAO structure in early 2022, and no stolen funds from any exploit were publicly confirmed as recovered.

DeGods is a 10,000-piece NFT collection originally launched on Solana in October 2021 by Rohun Vora (known publicly as 'Frank DeGods'), which rose to become one of the most prominent Solana NFT projects before a series of controversial chain migrations, leadership changes, and product missteps substantially eroded community trust and floor value. The project migrated from Solana to Ethereum in early 2023, its sister collection y00ts moved to and then departed from Polygon, and both collections later bridged back to Solana in 2024. Rohun Vora resigned as CEO in May 2025 amid falling floor prices, a suspicious wallet incident, and unresolved community grievances around governance and tokenomics.

C.R.E.A.M. Finance (Crypto Rules Everything Around Me) is a decentralized lending and borrowing protocol launched in August 2020, forked from Compound Finance. The protocol suffered three major exploits in 2021 totaling approximately $185 million in losses, making it one of the most frequently and severely hacked DeFi protocols in history. On-chain investigator ZachXBT flagged the protocol and its founders, and the CREAM token has collapsed more than 99% from its all-time high.

Mirror Protocol was a Terra-based DeFi platform enabling synthetic assets (mAssets) that tracked prices of US stocks. The protocol suffered a $90 million exploit in October 2021 that went undetected for seven months, a governance attack campaign in December 2021 targeting $40 million in community funds, and a second $2 million oracle exploit in May 2022. It became permanently inactive in August 2022 following the catastrophic collapse of the Terra/LUNA/UST ecosystem, which was orchestrated by its parent company Terraform Labs under Do Kwon, who was subsequently convicted of fraud and sentenced to 15 years in prison.

Indexed Finance was an Ethereum-based decentralized protocol offering passively managed index pools, launched in late 2020. On October 14, 2021, the protocol suffered a sophisticated $16 million flash loan exploit targeting its DEFI5 and CC10 pools, destroying most user funds. The alleged attacker, Canadian mathematics prodigy Andean Medjedovic, was later charged by U.S. prosecutors in February 2025 in connection with $65 million in combined DeFi thefts and remains a fugitive as of early 2026.

Frank DeGods, the pseudonym of Rohun Vora, is the founder and former CEO of DeLabs, the company behind the DeGods and y00ts NFT collections. He stepped down as CEO in May 2025 after a period of sustained controversy including allegations of mismanagement, insider trading accusations tied to the LIBRA token scandal, a disputed post-resignation wallet compromise, and a series of contentious cross-chain migrations. No formal charges or regulatory actions have been filed against Vora as of the time of this report.

Vee Finance is a decentralized lending and leveraged trading protocol deployed on the Avalanche blockchain that launched its mainnet on September 14, 2021. Within one week of launch, on September 20-21, 2021, an attacker exploited price oracle manipulation and a decimal calculation error in the protocol's smart contracts, draining approximately $35 million in ETH and BTC — a hack that ranks among the largest DeFi exploits on Avalanche. The protocol relaunched as V2 with improved security measures including Chainlink oracle integration, but the stolen funds were never recovered, and activity and token value have declined precipitously since the incident.

Compound V2 is a legacy Ethereum-based decentralized lending protocol launched in May 2019 and formally deprecated in December 2025 in favor of Compound V3 (Comet). The protocol has experienced a series of material incidents including a ~$80M COMP token distribution bug in October 2021, a $89M oracle-driven liquidation cascade in November 2020, a confirmed website hijack flagged by ZachXBT in July 2024, a social media phishing hack in 2023 that resulted in $4.4M in losses, and an alleged governance attack in July 2024 in which a whale coordinated the passage of a $24M treasury transfer. V2 is now in wind-down mode with new borrows and mints paused.

AnubisDAO was an OlympusDAO fork that launched on October 28, 2021, and raised approximately 13,556 WETH (roughly $60 million) in under 20 hours through a Copper Liquidity Bootstrapping Pool. Before the sale concluded, the entire pool was drained to an external wallet, wiping investors to zero; on-chain investigator ZachXBT later identified two pseudonymous actors — Beerus and Ersan — as the likely perpetrators, and traced the stolen funds through Tornado Cash in 2023. No criminal charges have been publicly confirmed, no investor recovery has occurred, and the ANKH token is worthless.

AscendEX (formerly BitMAX) is a Singapore-based cryptocurrency exchange founded in 2018 that suffered one of the largest centralized exchange hot wallet hacks on record in December 2021, with approximately $77.7 million stolen across Ethereum, Binance Smart Chain, and Polygon networks. The exchange operates without regulatory authorization in major jurisdictions including the UK (FCA warning issued) and France (AMF blacklisted), and has accumulated a Trustpilot rating of 1.3/5 driven by user reports of frozen funds, unannounced token delistings, and unresponsive customer support. The exchange received a $50 million Series B investment in November 2021 — just weeks before the hack — from backers including Alameda Research, a firm later implicated in the collapse of FTX.

Grim Finance was a Fantom-based DeFi yield optimizer (fork of Beefy Finance) that suffered a devastating reentrancy exploit on December 19, 2021, resulting in approximately $30 million in user funds stolen. The vulnerability — a missing reentrancy guard in the depositFor() function — had existed in an audited codebase and was classified by security researchers as an entirely preventable, well-understood attack class. The protocol has since collapsed to a near-zero TVL of roughly $29,000 and its proposed compensation plan yielded no meaningful restitution for affected users.

Snowdog (SDOG) was an Avalanche-based OlympusDAO fork launched in November 2021 as a self-described '8-day decentralized reserve meme coin experiment' by the anonymous team behind Snowbank DAO. The project accumulated a $44 million MIM treasury before a planned token buyback on November 25, 2021, collapsed the token price by over 90% within seconds, with alleged insiders exploiting a hidden 'challengeKey' mechanism to extract approximately $20 million in profits while ordinary holders were locked out. The team declined to acknowledge deliberate wrongdoing, characterizing the event as a 'game-theory experiment gone wrong,' and subsequently renounced ownership, leaving investors with near-total losses.

BitMart is a centralized cryptocurrency exchange founded in 2017 by Sheldon Xia, incorporated in the Cayman Islands and operated by Bachi.Tech Corporation. In December 2021, the exchange suffered one of the largest crypto exchange hacks in history, with approximately $196 million in customer funds stolen after attackers compromised a private key to two hot wallets; reimbursement was promised but reported as slow and incomplete by many victims. The exchange has subsequently faced an FTC investigation, a UK FCA unauthorized-firm warning, an alleged 2025 data breach affecting 1.2 million users, recurring user complaints about frozen withdrawals, and its platform was used as a venue for DOJ-charged wash-trading schemes targeting retail investors.

Qubit Finance was a Binance Smart Chain lending and cross-chain bridge protocol developed by South Korean firm Mound Inc., the same team behind PancakeBunny. On January 27, 2022, an attacker exploited a logic error in the QBridge Ethereum-BSC bridge to mint approximately 77,162 qXETH tokens without depositing any ETH, then drained roughly $80 million in protocol assets; no funds were ever recovered and the attacker was never identified.

Inverse Finance Frontier (originally called Anchor) was a variable-rate lending market on Ethereum operated by Inverse Finance DAO, founded by Nour Haridy in 2020. The protocol suffered two separate oracle manipulation exploits in 2022 — one in April resulting in $15.6 million in losses and a second in June resulting in $5.8 million in bad debt — both attributed to vulnerabilities in how Frontier priced collateral assets. The protocol is now deprecated in favor of Inverse Finance's FiRM fixed-rate market, and the DAO continues to work down residual bad debt from both incidents.

DEUS Finance is a decentralized derivatives and synthetic asset protocol built primarily on Fantom, co-founded by Lafayette Tabor and Mohammad Abrishami. The protocol suffered three separate security exploits between March 2022 and May 2023, resulting in combined losses exceeding $22 million across flash loan oracle attacks and a smart contract implementation flaw, with stolen funds routed through Tornado Cash in the 2022 incidents. Repeated security failures across distinct vulnerability classes raise severe concerns about the protocol's security practices and long-term viability.

Dego Finance is a multi-chain NFT and DeFi aggregator protocol launched in September 2020 by an anonymous team. On February 10, 2022, an attacker compromised the team's deployer private keys and drained approximately $10 million from liquidity pools on Uniswap and PancakeSwap across Ethereum, Binance Smart Chain, and Cronos. No stolen funds were recovered; the project responded with a token migration but offered no direct restitution to affected liquidity providers.

Ronin Bridge is the cross-chain bridge that connected the Axie Infinity gaming ecosystem's Ronin sidechain to Ethereum, operated by Sky Mavis. In March 2022 it suffered the largest DeFi hack in history at the time — $625 million in ETH and USDC stolen by North Korea's Lazarus Group via compromised validator private keys obtained through social engineering. A second, smaller exploit occurred in August 2024. The legacy bridge was deprecated in April 2025 and migrated to Chainlink CCIP infrastructure.

Saddle Finance was an Ethereum-based automated market maker (AMM) optimized for pegged-value assets such as stablecoins and wrapped BTC, founded in 2020 and launched in January 2021. The protocol suffered a critical exploit on April 30, 2022, when an attacker leveraged an unpatched MetaSwapUtils library bug to drain approximately $11 million via flash-loan-assisted price manipulation, with $3.8 million subsequently rescued by security firm BlockSec. The protocol formally wound down in September 2023 following a DAO vote (SIP-54) triggered in part by the broader DeFi security climate after the Curve Finance hack.

Nomad was a cross-chain messaging bridge operated by Illusory Systems, Inc. that suffered one of the largest DeFi exploits in history on August 1–2, 2022, when a smart contract initialization bug allowed approximately $190 million in user funds to be drained in a chaotic free-for-all involving over 300 wallet addresses. The protocol never recovered meaningful user adoption after a December 2022 relaunch, faced a class action lawsuit and an FTC enforcement action, and in December 2025 agreed to a settlement requiring repayment of $37.5 million to affected users.

Curve Finance is a major decentralized exchange and automated market maker (AMM) on Ethereum, optimized for low-slippage swaps of pegged assets such as stablecoins. On July 30, 2023, several of its liquidity pools were drained of approximately $70 million due to a reentrancy vulnerability in the Vyper smart contract compiler (versions 0.2.15, 0.2.16, and 0.3.0), one of the largest DeFi exploits of 2023. Separately, founder Michael Egorov's practice of using large CRV holdings as loan collateral across multiple DeFi protocols created systemic risk that culminated in a $140 million liquidation event in June 2024, generating over $10 million in bad debt across connected protocols.

Wintermute is a London-headquartered algorithmic trading firm and cryptocurrency market maker founded in 2017 by Evgeny Gaevoy. On September 20, 2022, the firm's DeFi operations were exploited for approximately $160 million after an attacker leveraged a known cryptographic vulnerability in the Profanity vanity address tool to compromise Wintermute's admin private key. The stolen funds were never recovered, though the firm remained solvent, repaid its outstanding DeFi loans, and has continued operating and expanding into U.S. markets.

Harmony's Horizon Bridge is a cross-chain bridge connecting the Harmony (ONE) blockchain to Ethereum and Binance Smart Chain, launched in October 2020. In June 2022, it was exploited for approximately $100 million by the Lazarus Group, a North Korea-affiliated state-sponsored hacking collective, through compromise of a 2-of-5 multisig scheme controlling bridge funds. The FBI formally confirmed Lazarus Group attribution in January 2023; as of 2025, full victim restitution has not been achieved.

Badger DAO is a decentralized autonomous organization and DeFi protocol launched in December 2020 focused on generating yield on Bitcoin-backed assets via Ethereum-based vaults. In December 2021, a front-end attack exploiting a compromised Cloudflare API key resulted in approximately $120–130 million in user funds being drained across roughly 500 wallets. As of 2025, the protocol has seen significant decline: its flagship eBTC product was sunset, BADGER was delisted from Binance, and total value locked has fallen to low single-digit millions.

Deribit is a crypto options and futures exchange founded in 2016 in the Netherlands by John and Marius Jansen, historically operated through a Panama-registered entity and now licensed under Dubai's VARA framework as Deribit FZE. The exchange suffered a $28 million hot wallet compromise on November 1, 2022, covering the loss entirely from its own balance sheet. Coinbase completed the acquisition of Deribit for approximately $2.9 billion on August 14, 2025, making it a subsidiary of a publicly traded, NASDAQ-listed U.S. company.

Euler Finance V1 was a permissionless DeFi lending protocol on Ethereum that launched in December 2021 and was exploited for approximately $197 million on March 13, 2023, in what was the largest DeFi hack of that year. The attack exploited a missing health check in the donateToReserves function introduced in EIP-14, despite the codebase having undergone multiple external audits. In a highly unusual outcome, the pseudonymous attacker known as 'Jacob' returned all recoverable funds by April 3, 2023, with the total recovered value reaching approximately $240 million due to ETH price appreciation during the recovery period.

Binance Bridge (BSC Token Hub) was the official cross-chain bridge connecting the BNB Beacon Chain (BEP2) and BNB Smart Chain (BEP20), operated by Binance. On October 6-7, 2022, an attacker exploited a critical flaw in the bridge's IAVL Merkle proof verification logic inherited from Cosmos SDK, forging deposit proofs to mint 2 million BNB (approximately $586 million at time of exploit). Although the BNB Chain was halted by validators to contain the damage — trapping roughly $430 million on-chain — approximately $110–137 million escaped to other networks before the halt took effect.

Mango Markets V3 was a Solana-based decentralized margin trading protocol that suffered a $116 million oracle manipulation attack in October 2022 executed by Avraham Eisenberg, who artificially inflated the MNGO token price to extract funds against fabricated collateral. The protocol subsequently reached a partial recovery settlement, faced SEC and CFTC enforcement actions, and formally wound down operations by January 2025.

Arbix Finance was a yield farming protocol on Binance Smart Chain (BSC) that executed a deliberate rug pull on January 4, 2022, draining approximately $10 million in user funds. The anonymous development team minted 10 million unbacked ARBX tokens, dumped them on PancakeSwap to collapse the price, drained all user vaults, bridged the stolen assets to Ethereum via AnySwap, laundered them through Tornado Cash, and deleted the project website, Twitter, and Telegram accounts. Despite holding a CertiK audit from November 2021, the exploited contract fell entirely outside the audit scope.

Bitrue is a Singapore-incorporated centralized cryptocurrency exchange founded in 2018 that suffered a confirmed $23 million hot wallet exploit in April 2023, with stolen funds subsequently laundered through Tornado Cash as recently as June 2025. The exchange holds no license from Singapore's Monetary Authority (MAS) and relies on a VASP registration in Lithuania — a lower-tier regulatory framework — while accumulating a persistent record of user complaints alleging unjustified account freezes and asset seizures.

Atomic Wallet is a non-custodial multi-asset cryptocurrency wallet founded in 2017 and headquartered in Tallinn, Estonia. In June 2023, the platform suffered one of the largest individual wallet hacks in cryptocurrency history when attackers — subsequently attributed with high confidence to North Korea's Lazarus Group — drained over $100 million from approximately 5,500 user wallets. A 2022 third-party security audit had publicly identified critical vulnerabilities that the company allegedly failed to remediate prior to the attack.

GDAC was a South Korean cryptocurrency exchange operated by Peertec Co., Ltd. that launched in May 2018 and was registered as a Virtual Asset Service Provider (VASP) with Korea's Financial Intelligence Unit (KoFIU). On April 9, 2023, attackers drained approximately $13–14 million from its hot wallets — representing 23% of total custodial assets — causing the exchange to permanently shut down with no compensation offered to affected users.

Transit Swap is a cross-chain DEX aggregator incubated by TokenPocket, supporting swaps across Ethereum, BNB Chain, Polygon, Tron, Solana, and other networks. On October 1–2, 2022, an attacker exploited an input validation vulnerability in the platform's swap contract, draining approximately $21–28.9 million in user funds across Ethereum and BNB Chain. The attacker subsequently returned roughly 70% of stolen assets after security firms identified the exploiter's IP address and email, though an estimated 30% of funds — including amounts routed through Tornado Cash — remain unrecovered.

MonoX was a decentralized exchange protocol built on Ethereum and Polygon using a novel single-token liquidity model, which raised $5M in September 2021 and launched mainnet shortly before suffering a critical smart contract exploit on November 30, 2021. The attacker exploited a missing validation check in the swap function — using the MONO token as both input and output — to artificially inflate its price and drain approximately $31M in user funds across both chains. The protocol attempted a relaunch via MonoX 2.0 with a debt-token compensation mechanism, but MONO has since collapsed to near-zero value with negligible trading activity.

Stake.com is a Curaçao-licensed cryptocurrency gambling and sports betting platform co-founded in 2017 by Australians Ed Craven and Bijan Tehrani, operating as one of the largest crypto casinos globally with reported 2024 revenue of $4.7 billion. On September 4, 2023, the platform suffered a critical security breach in which approximately $41.35 million in cryptocurrency was drained from its hot wallets across Ethereum, BNB Smart Chain, and Polygon networks; the FBI formally attributed the attack to North Korea's Lazarus Group (APT38) within 48 hours. Stake.com restored full operations within five hours of the incident and stated that user funds were not affected, though the root cause — a likely hot wallet private key compromise — has never been officially confirmed by the company.

Mixin Network is a Hong Kong-based layer-2 cross-chain payment protocol that suffered the largest single crypto hack of 2023 when attackers compromised its cloud service provider's database and drained approximately $200 million in ETH, BTC, and USDT. The network remains operational but has only partially compensated users, the majority of stolen funds remain unrecovered, and a dormant attacker wallet moved funds to Tornado Cash in February 2026.

Multichain (formerly AnySwap) was a cross-chain bridge protocol that collapsed in mid-2023 following the arrest of its CEO Zhaojun by Chinese police in May 2023, which resulted in the seizure of private keys controlling over $1.5 billion in user assets. On July 7, 2023, approximately $126–127 million was drained from Multichain bridge reserves in transfers widely attributed to Chinese authorities or insiders with access to the CEO's confiscated key material. The protocol formally ceased operations on July 14, 2023, leaving users with unrecoverable losses.

Balancer V2 is a decentralized automated market maker (AMM) protocol launched in 2021 on Ethereum and multiple chains that separates AMM logic from token custody via a central Vault architecture. The protocol has experienced at least four documented security incidents across its V1 and V2 deployments, including a November 2025 exploit that drained approximately $128 million and directly led to the dissolution of Balancer Labs, the corporate entity behind the protocol, announced in March 2026.

Poloniex is a cryptocurrency exchange founded in 2014 and acquired in 2019 by an investor group led by Tron founder Justin Sun. On November 10, 2023, the exchange suffered one of the largest hot wallet compromises in crypto history, with attackers draining approximately $126 million across Ethereum, TRON, and Bitcoin networks in an attack attributed by multiple blockchain security firms to North Korea's Lazarus Group. The exchange has also faced significant regulatory enforcement actions, including a $7.59 million OFAC sanctions settlement and a $10.4 million SEC settlement for operating an unregistered national securities exchange.

Orbit Bridge is a cross-chain interoperability protocol developed by South Korean blockchain firm Ozys that suffered one of the largest bridge exploits in crypto history on December 31, 2023, losing approximately $81.5 million in ETH, WBTC, USDT, USDC, and DAI. The attacker allegedly compromised seven of ten multisig signatories after a former chief information security officer allegedly weakened the company firewall before departing, and blockchain analysts have linked the attack's patterns to North Korea's Lazarus Group, though no formal attribution has been confirmed by authorities. As of 2025, the majority of stolen funds remain unrecovered, with the attacker having laundered over 17,000 ETH through Tornado Cash.

Munchables is a Blast-chain NFT game that suffered a $62.5 million exploit on March 26, 2024, when a contractor later attributed to North Korea exploited a backdoor they had embedded in the project's upgradeable smart contracts before launch. The developer surrendered private keys and the full sum was recovered within approximately 24 hours, but the incident exposed fundamental failures in contractor due diligence and smart contract architecture.

Kronos Research is a Taipei-based cryptocurrency quantitative trading firm and market maker founded in 2018 by Mark Pimentel and Jack Tan. The firm experienced two serious security incidents within months of each other in 2023: an insider sabotage case in which two disgruntled engineers tampered with trading code causing $1.4 million in losses, and an external hack in November 2023 where compromised API keys led to the theft of approximately $25–26 million. The November hack cascaded onto WOO X, an exchange Kronos incubated and served as primary liquidity provider, causing a temporary trading halt and liquidations for 227 users.

KyberSwap Elastic is the concentrated liquidity automated market maker (AMM) component of Kyber Network, a decentralized exchange protocol deployed across more than a dozen EVM-compatible blockchains. On November 22–23, 2023, it suffered the largest DeFi exploit of that year — approximately $48–56 million drained via a precision rounding bug in its tick-crossing swap logic — after which the alleged attacker issued an on-chain ultimatum demanding full executive control of the company. Canadian national Andean Medjedovic was indicted by U.S. prosecutors in February 2025 on charges including wire fraud, computer hacking, and extortion; he remains a fugitive as of mid-2026.

Prisma Finance is a Liquity-forked, Ethereum-based DeFi protocol that allowed users to mint overcollateralized stablecoins (mkUSD and ULTRA) against liquid staking tokens (LSTs) such as wstETH, rETH, sfrxETH, and cbETH. On March 28, 2024, a critical vulnerability in the protocol's MigrateTroveZap helper contract was exploited for approximately $11.6 million, with a total loss across all attacker wallets of roughly $12.3 million; the primary exploiter sent the majority of stolen funds through Tornado Cash while claiming a 'whitehat rescue,' and as of 2026 the protocol's TVL has collapsed from a pre-exploit peak of approximately $220 million to under $300K.

Gala Games is a blockchain gaming platform founded in 2019 by Eric Schiermeyer and Wright Thurston whose GALA token has been at the center of two major controversies: a 2023 civil lawsuit alleging Thurston stole 8.6 billion GALA tokens (~$130M) from company wallets, and a separate May 2024 smart contract exploit in which an unauthorized minter minted 5 billion tokens worth approximately $200M. Both co-founders have filed competing civil suits alleging misappropriation of hundreds of millions of dollars, while Thurston also faces an unrelated SEC fraud action over a separate crypto mining venture.

DMM Bitcoin was a licensed Japanese cryptocurrency exchange operated by DMM Group (DMM.com) that launched in January 2018. In May 2024 it suffered the eighth-largest crypto theft in history when North Korean state-sponsored hackers attributed to the TraderTraitor subgroup of Lazarus Group stole 4,502.9 BTC (approximately $305–308 million USD) through a sophisticated supply-chain attack targeting Ginco, a third-party wallet management provider. Following the hack, Japan's Financial Services Agency issued a business improvement order, the exchange restricted operations, and in December 2024 announced full closure with all customer assets transferred to SBI VC Trade by March 2025.

Hedgey is a token vesting, lockup, and claims protocol that served over 100 on-chain projects before suffering a critical smart contract exploit on April 19, 2024, resulting in the theft of approximately $44.7 million across Ethereum and Arbitrum. The vulnerability — a missing input validation check in the ClaimCampaigns.sol contract — was present despite two prior audits by ConsenSys Diligence. No confirmed recovery of stolen funds has been reported; Hedgey was subsequently acquired by Anchorage Digital in late 2025.

Sonne Finance is a Compound V2 fork deployed on Optimism that was exploited for approximately $20 million on May 14, 2024, in what became the largest exploit in Optimism's history. The attack exploited a well-known precision-loss donation vulnerability in Compound V2 forks, triggered during the rollout of a new VELO token market; the attacker leveraged a multi-transaction deployment architecture and a two-day timelock window to manipulate exchange rates and drain user funds.

UwU Lend is an Ethereum-based DeFi lending protocol forked from Aave V2, launched in September 2022 and operated by Michael Patryn (known pseudonymously as 0xSifu), a co-founder of the collapsed Canadian crypto exchange QuadrigaCX and a convicted felon. In June 2024, the protocol was exploited twice by the same attacker — first for approximately $19.3 million on June 10 and again for $3.7 million on June 13 — via oracle price manipulation using flash loans, bringing combined losses to approximately $23 million.

Indodax (formerly Bitcoin Indonesia) is Indonesia's largest licensed cryptocurrency exchange, founded in 2014 by Oscar Darmawan and William Sutanto and serving over 9.6 million users. In September 2024, the exchange suffered a major security breach attributed to North Korea's Lazarus Group, resulting in approximately $22–25 million in losses across multiple blockchains. The exchange pledged full reimbursement to affected users, resumed operations within roughly 80 hours, and has since undergone a leadership restructuring.

BingX is a Singapore-headquartered centralized cryptocurrency exchange founded in 2018 (originally as Bingbon), operating across 160+ countries with over 10 million reported users. In September 2024, the exchange suffered a confirmed hot wallet breach totaling approximately $52 million across at least seven blockchain networks, with on-chain forensics subsequently linking the attack to North Korea's Lazarus Group. The exchange pledged full user compensation from reserves and resumed withdrawals within days, but independently unverified regulatory claims and initial opacity around the breach raise ongoing due-diligence concerns.

WazirX, operated in India by Zanmai Labs Pvt. Ltd., suffered a $234.9 million hack attributed to North Korea's Lazarus Group on July 18, 2024, freezing user funds and triggering multiple Indian regulatory investigations. India's Supreme Court dismissed a victims' petition in April 2025 citing a lack of crypto regulatory framework, while the Enforcement Directorate, Financial Intelligence Unit, and other agencies have opened probes into the exchange's operations, ownership structure, and alleged links to terror financing. A Singapore court approved a restructuring plan in October 2025, offering partial recovery to creditors.

Penpie is a yield-boosting DeFi protocol built on Pendle Finance by the Magpie DAO ecosystem, allowing users to earn boosted yields on Pendle liquidity pools without directly locking PENDLE tokens. On September 3, 2024, an attacker exploited a reentrancy vulnerability in Penpie's staking contract to drain approximately $27.3 million across Ethereum and Arbitrum, subsequently laundering all stolen funds through Tornado Cash and ignoring recovery appeals. The protocol filed reports with the FBI and Singapore Police but recovered no funds; a partial community compensation plan was proposed but not fully executed.

A fraudulent mobile application impersonating Hyperliquid, the decentralized perpetuals exchange, was identified on the Google Play Store in November 2025 by on-chain investigator ZachXBT. The app, published under the developer name 'Tvtion Inc.', replicated Hyperliquid's branding and interface to harvest users' seed phrases, transmitting them to an external server. An Ethereum address linked to the operation has been associated with thefts exceeding $281,000; Hyperliquid has never released an official mobile application, making any such listing inherently fraudulent.

Ledger SAS is a Paris-based hardware cryptocurrency wallet manufacturer founded in 2014, producing the Nano S and Nano X devices used by millions worldwide. Despite its status as a legitimate and established company, Ledger has been involved in two major security incidents: a 2020 customer database breach exposing over 1 million email addresses and 272,000 physical addresses, and a December 2023 supply chain attack on its @ledgerhq/connect-kit npm package that drained approximately $600,000–$850,000 from users of multiple DeFi protocols via the Angel Drainer malware-as-a-service. A third-party data breach via payment processor Global-e was disclosed in January 2026.

Chris Larsen is the co-founder and Executive Chairman of Ripple, one of the most prominent figures in the XRP ecosystem. On January 30, 2024, attackers drained an estimated 213–283 million XRP (valued at $112.5–$150 million) from his personal cryptocurrency accounts — not Ripple corporate wallets — in what became the largest individual crypto theft of 2024. A U.S. government forfeiture complaint filed in March 2025 linked the breach to the 2022 LastPass password manager hack, alleging that private keys had been stored in an online vault subsequently compromised by attackers.

Tornado Cash is a decentralized, non-custodial cryptocurrency mixing protocol deployed on Ethereum in December 2019, co-founded by Roman Storm, Roman Semenov, and Alexey Pertsev. It was sanctioned by the U.S. Treasury's Office of Foreign Assets Control (OFAC) in August 2022 for allegedly laundering over $7 billion in virtual currency, including hundreds of millions stolen by North Korea's Lazarus Group; the sanctions were later lifted in March 2025 following a Fifth Circuit ruling that immutable smart contracts do not constitute sanctionable 'property' under IEEPA. All three co-founders face or have faced criminal proceedings: Pertsev was convicted in the Netherlands in May 2024 and sentenced to 64 months in prison, Storm was convicted on one of three counts in the U.S. in August 2025, and Semenov remains at large.

Inferno Drainer is a scam-as-a-service (drainer-as-a-service) platform that provided phishing infrastructure and malicious wallet-draining scripts to criminal affiliates in exchange for a percentage of stolen funds. Active from November 2022 through at least early 2025, it is attributed to stealing over $80 million from approximately 137,000 victims during its initial operational phase, with operators claiming a cumulative total exceeding $250 million across all periods including a covert post-shutdown phase. It operates by luring victims to phishing websites impersonating legitimate crypto brands, tricking users into signing malicious transactions that drain wallets across multiple EVM-compatible blockchains.

Velodrome Finance is an automated market maker (AMM) and decentralized exchange (DEX) launched on June 2, 2022, on the Optimism Layer 2 network. It is a fork and improvement of Andre Cronje's Solidly Exchange, implementing a ve(3,3) governance and liquidity incentive model. The protocol has experienced three documented security incidents: an insider theft of $350,000 by a team member in August 2022, a DNS/frontend social-engineering attack in November–December 2023 resulting in approximately $250,000 in user losses, and a second DNS hijacking in November 2025 attributed to a NameSilo registrar insider, resulting in estimated losses of $700,000–$1,000,000. Smart contracts have not been directly exploited; all monetary losses have stemmed from front-end and operational security failures.

Fake Ledger Live apps are malicious wallet impersonation applications distributed through official app stores — including the Microsoft Store and Apple App Store — that harvest cryptocurrency seed phrases to drain victims' wallets. Two major documented incidents have resulted in confirmed losses of at least $10.3 million: approximately $768,000 via the Microsoft Store in November 2023, and approximately $9.5 million via the Apple App Store in April 2026. Parallel macOS malware campaigns distributing trojanized DMG installers have been active since at least August 2024, with four concurrent active campaigns identified by security researchers.

BlackSuit is a ransomware-as-a-service (RaaS) operation that emerged in May 2023 as a rebranding of the Royal ransomware gang, itself a successor to the Conti cybercrime syndicate believed to be operated by Russian-speaking threat actors. The group employed double-extortion tactics across critical infrastructure sectors including healthcare, automotive, education, and government, compromising over 450 U.S. victims and demanding more than $500 million in ransom, primarily in Bitcoin, before international law enforcement dismantled its infrastructure in July 2025 under Operation Checkmate.

Compound Finance is an Ethereum-based decentralized lending protocol founded in 2017 by Robert Leshner and Geoffrey Hayes that allows users to lend and borrow cryptocurrencies algorithmically. The protocol has been subject to multiple significant security and governance incidents, including a 2021 smart contract bug that placed up to ~280,000 COMP tokens (approximately $80–90 million) at risk, a 2024 alleged governance takeover by a whale known as 'Humpy,' and a July 2024 front-end DNS hijacking attack tied to the Squarespace registrar migration. Despite these incidents, the core smart contract protocol has not been exploited; the recurring issues have primarily affected token distribution, governance integrity, and front-end infrastructure.

The Blockchain Bandit is an unidentified threat actor or group that systematically exploited Ethereum wallets holding cryptographically weak private keys between approximately 2015 and 2018, accumulating more than 45,000 ETH (worth over $54 million at peak 2018 valuations) through a technique researchers later termed 'Ethercombing.' The actor compromised 732 private keys across 49,060 transactions, draining wallets in near-real-time using automated blockchain monitoring. Dormant since 2018, the actor re-emerged in January 2023 and again in December 2024, consolidating approximately 51,000 ETH (valued at roughly $172 million) into a single multisig wallet, as tracked by on-chain investigator ZachXBT.

The Democratic People's Republic of Korea (DPRK), operating primarily through state-sponsored hacking units designated as the Lazarus Group, TraderTraitor, and APT38, has stolen an estimated $6.75 billion in cryptocurrency since 2016 across dozens of major exploits. These operations are attributed by the FBI, OFAC, CISA, and allied governments to North Korea's Reconnaissance General Bureau and are conducted to fund the regime's weapons of mass destruction and ballistic missile programs in circumvention of international sanctions. DPRK-linked hackers are responsible for the largest single crypto theft in history — the $1.5 billion Bybit hack in February 2025 — and continue to operate at unprecedented scale and sophistication.

Lazarus Group is a North Korean state-sponsored advanced persistent threat (APT) actor, also tracked as APT38, TraderTraitor, BlueNorOff, Hidden Cobra, and ZINC, operating under the Reconnaissance General Bureau (RGB) of the Korean People's Army. Active since approximately 2009, the group has stolen an estimated $6.75 billion in cryptocurrency through targeted attacks on exchanges, bridges, and blockchain companies, using stolen funds to finance North Korea's weapons programs and circumvent international sanctions. The U.S. Department of Justice has indicted three named members, and OFAC placed the group on the Specially Designated Nationals (SDN) list in April 2022.

Veer Chetal, known online as 'Wiz,' is a 19-year-old from Danbury, Connecticut who pleaded guilty in November 2024 to conspiracy to commit wire fraud and conspiracy to launder monetary instruments in connection with a $243–245 million Bitcoin theft targeting a single Genesis creditor via social engineering. He was identified and exposed by blockchain investigator ZachXBT, who traced stolen funds on-chain and publicly named the perpetrators before law enforcement arrests were made. Chetal was re-arrested in early 2025 after committing additional crypto thefts while released on bond and faces a federal sentencing guideline range of 19–24 years imprisonment.

NFTMachine is the online alias of Tyler Gaye, a Denver, Colorado resident who allegedly orchestrated a presale fraud in early 2021 by raising approximately $500,000 (reportedly 277 ETH from 130+ investors) for a promised NFT marketplace called opeNFT (also stylized ONFT), which was never launched. A Denver District Court judge entered a default judgment of $275,000 against Gaye in November 2022, classifying the conduct as civil theft. On-chain investigator ZachXBT has subsequently alleged Gaye continued launching new crypto projects — including Arcade DAO and Gamegear — under the alias 'scaredofboobs' without satisfying the court-ordered judgment.

Vkevin is a pseudonymous threat actor known for operating fake Safeguard Telegram bot phishing campaigns that have allegedly drained seven figures from victims' cryptocurrency wallets. On January 23, 2025, blockchain investigator ZachXBT published a 31-minute video exposing Vkevin in the act of running these scams from what was described as a New York school, and confirmed the individual had been doxxed. Vkevin is additionally alleged to have conducted a 2022 Discord attack against DigikongNFT using a spoofed MEE6 bot, resulting in over $300,000 in NFT losses.

On November 3, 2024, unidentified scammers compromised the X (Twitter) account of rapper Wiz Khalifa (35.7 million followers) and used it to promote two fraudulent Solana meme coins — $WIZ and $WIZZLE — launched on pump.fun. The $WIZ token reached a peak market cap of approximately $2.5 million within 15 minutes before collapsing over 95% in under one hour, with at least two insider wallets extracting a combined $160,000 in profit. Blockchain investigator ZachXBT linked the incident to a broader campaign of celebrity account takeovers that allegedly stole over $3.5 million in total, and subsequently accused a former professional Fortnite player known as 'Serpent' of involvement in the coordinated scheme.

eXch (exch.cx) was a no-KYC instant cryptocurrency swap service operating from 2014 until its forced shutdown in May 2025. Registered in Belize under the name Private Project Facilitators LTD, the platform processed an estimated $1.9 billion in total volume, deliberately advertising its absence of anti-money laundering controls on criminal underground forums. German federal law enforcement seized approximately $38 million in cryptocurrency assets and 8 terabytes of data from the platform in April 2025, following evidence linking eXch to laundering roughly $200 million of funds stolen in the $1.46 billion Bybit hack carried out by North Korea's Lazarus Group.

WazirX is an Indian cryptocurrency exchange co-founded in 2018 by Nischal Shetty, Sameer Mhatre, and Siddharth Menon that suffered the largest crypto hack in Indian history on July 18, 2024, when approximately $234.9 million in user assets were stolen from a Gnosis Safe multisig wallet via a sophisticated supply-chain-style attack attributed by Elliptic, ZachXBT, and a joint US-Japan-South Korea government statement to North Korea's Lazarus Group. The hack triggered suspension of all withdrawals, a Singapore court-supervised restructuring process in which users are expected to recover approximately 55% of their assets, and ongoing regulatory and law enforcement scrutiny in India.

Glori Finance was an alleged DeFi lending protocol deployed on the Arbitrum network in early 2024, operating as a Compound V2 fork with approximately $1.4 million in total value locked (TVL) at the time of its exposure. On April 14, 2024, blockchain investigator ZachXBT identified that the top GLORI token holders had seeded liquidity using funds stolen from prior scams — specifically the Crolend, Hash DAO, and HellHoundFi frauds — linking Glori Finance to a serial scam ring responsible for over $20 million in cumulative losses. Following ZachXBT's public disclosure, the Glori Finance X account was deactivated and the protocol's website went offline, consistent with an exit scam.

Bitforex was a cryptocurrency exchange founded in 2017, registered in Seychelles and operating under a Hong Kong address, which collapsed in February 2024 after approximately $56.5 million was drained from its hot wallets across Ethereum, Tron, and Bitcoin in a controlled fund extraction widely characterized as an exit scam. The exchange had a documented history of wash trading allegations dating to 2018, a prior unexplained withdrawal freeze in 2022, regulatory warnings from Japan's FSA and Hong Kong's SFC, and operated without a license in the jurisdictions it claimed as home. Following the collapse, team members were allegedly detained by Jiangsu Province police in China, and the exchange briefly reopened for KYC-verified withdrawals in July 2024 before announcing permanent closure.

Aqua (also known as AquaBot) was a Solana-based Telegram trading bot that conducted a presale in September 2025, raising approximately 21,770 SOL ($4.65 million) from retail investors before executing an apparent exit scam. On-chain investigator ZachXBT flagged the project after presale funds were split into four tranches, routed through intermediary wallets, and sent to instant exchanges hours before the scheduled token generation event. The project had secured endorsements from multiple established Solana ecosystem participants — including Meteora, Helius, Dialect, SYMMIO — and had received a near-perfect audit score from QuillAudits just days before the alleged rug pull.

Magnate Finance was a DeFi lending and borrowing protocol deployed on Coinbase's Base Layer 2 network that executed an exit scam on August 25, 2023, stealing approximately $6.4–6.5 million in user funds by manipulating its price oracle. On-chain investigator ZachXBT issued a public warning hours before the rug pull, having traced the deployer address to at least two prior exit scams: Solfire ($4.8M, January 2022) and Kokomo Finance ($5.5M, March 2023), establishing this as the work of a repeat-offender scam ring responsible for over $16.7 million in total losses.

TradeOgre was an unregistered, no-KYC cryptocurrency exchange founded around 2018 and known for listing privacy coins including Monero (XMR) and Pirate Chain. On September 18, 2025, the RCMP executed Canada's largest-ever cryptocurrency seizure, dismantling the platform and seizing over CAD $56 million (approximately USD $40 million) in digital assets. Investigators determined that the majority of funds transacted on the platform came from criminal sources, including ransomware proceeds, darknet market activity, hacking exploits, and fraud schemes.

The 'WallStreetBets' brand has been exploited in at least two distinct crypto fraud incidents: a 2021 Telegram pre-mine scam using a fake 'WallStreetBets – Crypto Pumps' channel that stole over $2.1 million in BNB and ETH, and a 2023 Ethereum meme token (WSB Coin) that surged to a $50 million market cap before insiders allegedly dumped $635,000 worth of tokens within days of launch, collapsing the price by over 90%. Neither token was authorized by Reddit or the r/WallStreetBets subreddit, and ZachXBT publicly identified the alleged perpetrators in the 2023 incident.

JELLY (JellyJelly / JELLYJELLY) is a Solana memecoin launched in January 2025 by Venmo co-founder Iqram Magdon-Ismail that became the center of a major market manipulation incident on Hyperliquid on March 26, 2025. A coordinated trader used a self-liquidation strategy — opening large opposing long and short positions — to force Hyperliquid's HLP liquidity vault to absorb a toxic short, causing up to $13.5 million in unrealized losses before validators emergency-delisted the token and force-settled all positions at a fixed price. The incident triggered widespread criticism of Hyperliquid's decentralization claims and raised systemic questions about perpetuals DEX risk management.

Avalanche C-Chain address 0x327a81d0d128db8886d265be73c9fdda97194f30 was flagged by on-chain investigator ZachXBT in June 2024 as the primary launderer for the BTCTurk exchange hack, having transferred approximately 1.96 million AVAX (valued at ~$54.2 million) to Coinbase, Binance, Gate.io, and THORChain. ZachXBT's timing analysis linked subsequent BTC withdrawals of approximately $45.96 million to the same threat actor, who was also allegedly responsible for a concurrent $2.9 million theft from Sportsbet. The address currently holds negligible funds, consistent with successful laundering of proceeds.

Nobitex is Iran's largest cryptocurrency exchange, founded in 2017, claiming over 11 million users and handling approximately 70% of Iran's on-chain crypto volume. A March 2025 Reuters investigation identified its founders as brothers Ali and Mohammad Kharrazi — members of a family with documented ties to Iran's Supreme Leaders and the founding of the Islamic Revolutionary Guard Corps — who operated the exchange under an alternative surname. Blockchain analytics firms including Elliptic, Chainalysis, and TRM Labs have documented billions of dollars in flows through Nobitex connected to sanctioned Iranian state entities including the Central Bank of Iran and the IRGC, making the platform a critical node in Iran's sanctions evasion infrastructure.

GANA Payment was a BNB Smart Chain payment-focused DeFi project (BEP-20 token) that launched on November 11, 2025 and was exploited nine days later on November 20, 2025, resulting in losses exceeding $3.1 million. On-chain investigator ZachXBT confirmed the attack, which involved a compromised deployer private key combined with abuse of EIP-7702 to drain the project's staking contract; stolen funds were subsequently laundered through Tornado Cash on both BSC and Ethereum. The GANA token lost over 90% of its value within 24 hours of the exploit.

Sportsbet.io is a cryptocurrency gambling and sports betting platform operated by mBet Solutions N.V. under the Yolo Group umbrella, licensed in Curaçao. On June 22, 2024, blockchain investigator ZachXBT publicly identified that the platform's hot wallets were drained of approximately $3.5 million in USDT and TRX, attributing the attack to the same threat actor who hours later stole an estimated $55 million from Turkish exchange BtcTurk, with stolen funds allegedly commingled between both hacks. The platform has drawn ongoing scrutiny for operating in regulatory grey markets, serving users in jurisdictions where it holds no local license, and for systemic user complaints involving account closures and fund seizures following wins. Yolo Group founder Tim Heath confirmed in 2025 that the brand is being wound down in favor of fully regulated markets.

TON (The Open Network) is a layer-1 blockchain originally developed by Telegram, abandoned in 2020 following an SEC enforcement action that compelled a $18.5 million penalty and $1.22 billion investor return, and subsequently revived by an independent TON Foundation. By 2024, rapid ecosystem growth attracted a significant wave of phishing campaigns, wallet drainer toolkits, pyramid schemes, and rug pull activity, with over 1,200 fraud cases reported in H1 2024 alone. In May 2026, Pavel Durov announced Telegram would reassume control as the network's largest validator, reintroducing centralization risk to a network already under scrutiny for facilitating illicit marketplaces.

Wallex is an Iranian cryptocurrency exchange founded in 2018 in Tehran by graduates of Sharif University of Technology, serving approximately 1 million users as of 2022 and operating as a major domestic crypto-to-rial on/off-ramp. On March 25, 2026, blockchain investigator ZachXBT flagged suspicious fund consolidation activity, prompting both Tether (USDT) and Circle (USDC) to simultaneously blacklist Wallex-linked wallet addresses, leaving approximately $2.49 million stranded on-chain. Wallex operates in a jurisdiction under comprehensive U.S. OFAC sanctions, has been linked by Chainalysis to transactions with a U.S.-sanctioned individual, and suffered a confirmed data breach in 2021 that exposed user credentials.

pump.fun (operated by Baton Corporation Ltd., also listed on AVOID.NET as 'pumpdotfun') is a Solana-based meme token launchpad that launched in January 2024 and rapidly became one of the most-used token creation platforms in crypto, generating over $800 million in cumulative revenue and more than 11.9 million tokens. The platform is subject to an active RICO class action lawsuit in the SDNY alleging up to $5.5 billion in retail losses, a UK FCA regulatory ban, a $1.9 million insider flash loan exploit, documented use by North Korea's Lazarus Group for money laundering, and independent research classifying 98.6% of its tokens as rug pulls or fraud.

pump.fun (operated by Baton Corporation Ltd., also listed on AVOID.NET as 'pumpdotfun') is a Solana-based meme token launchpad that launched in January 2024 and rapidly became one of the most-used token creation platforms in crypto, generating over $800 million in cumulative revenue and more than 11.9 million tokens. The platform is subject to an active RICO class action lawsuit in the SDNY alleging up to $5.5 billion in retail losses, a UK FCA regulatory ban, a $1.9 million insider flash loan exploit, documented use by North Korea's Lazarus Group for money laundering, and independent research classifying 98.6% of its tokens as rug pulls or fraud.

Masa (also known as Masa Finance, later rebranded as Gopher) is a Web3 data and identity protocol that launched a soulbound token standard on Ethereum in 2023 before pivoting to a decentralized AI data network. The MASA token, sold via CoinList in March 2024 at $0.079 and hitting an all-time high of approximately $0.4697 on its April 11, 2024 listing date, subsequently collapsed by over 99.9% to trade near $0.00002 by mid-2026. ZachXBT publicly accused the project of concealing a six-figure security exploit in September 2024, which the team later confirmed only after the allegation was made public.

Tapioca DAO is an omnichain DeFi money market built on LayerZero, offering a CDP stablecoin (USDO) and isolated lending markets (Singularity/Big Bang) across Arbitrum and BNB Chain. On October 18, 2024, the protocol suffered a critical security breach when a team member was targeted by a social engineering attack attributed to North Korea's Contagious Interview campaign, resulting in private key compromise, drainage of TAP token vesting contracts, and the minting of 5 quintillion USDO. Approximately $4.4–4.7 million was stolen before a partial counter-exploit recovered roughly 996 ETH (~$2.7 million), leaving the protocol treasury down approximately 45% and the TAP token price collapsed over 95%.

Garden Finance is a cross-chain Bitcoin bridge protocol launched in 2023 by former Ren Protocol developers, using Hash Time Locked Contracts (HTLCs) and an intents-based solver network to enable atomic swaps across Ethereum, Solana, Arbitrum, Base, and other chains. On October 30–31, 2025, one of its largest solver operators was compromised via a leaked private key, resulting in approximately $11.4 million in stolen assets that were subsequently laundered through Tornado Cash. Prior to the exploit, blockchain investigator ZachXBT alleged that over 80% of the protocol's recent fee revenue was derived from laundering funds stolen in the February 2025 Bybit hack, which the Lazarus Group (DPRK) perpetrated for approximately $1.4 billion.

Bitcoin Depot was once the largest Bitcoin ATM operator in North America, operating more than 9,000 kiosks before filing for Chapter 11 bankruptcy on May 18, 2026. The company faces lawsuits from the attorneys general of Iowa and Massachusetts alleging it knowingly facilitated crypto scams, with one state finding that more than 80% of high-value transactions at its kiosks were linked to fraud. Multiple data breaches, a $3.6 million wallet theft, regulatory enforcement in California, and on-chain evidence flagged by ZachXBT further document systemic compliance and security failures.

Noones is a peer-to-peer cryptocurrency trading platform targeting Africa and the Global South, founded and initially led by Ray Youssef, co-founder of the now-defunct Paxful. In January 2025, the platform suffered an $8 million hot-wallet exploit that was concealed for nearly three weeks before on-chain investigator ZachXBT publicly exposed the breach. Compounding platform risk, Youssef was subsequently indicted by the DOJ in early 2026 on federal AML charges stemming from his leadership of Paxful, and stepped down as Noones CEO shortly thereafter.

HyperCycle (HYPC) is an Ethereum ERC-20 token marketed as infrastructure for decentralized AI-to-AI transactions, co-founded by SingularityNET's Ben Goertzel and TODA inventor Toufi Saliba. The token has lost approximately 99% of its value from its all-time high of $1.29, and its smart contract contains a PAUSER_ROLE that allows a designated admin to halt all token transfers at will. No independent smart contract security audit has been publicly submitted, and the tokenomics structure — which allocates 20% to team, advisors, and partners with a relatively short vesting cliff — has been cited by multiple analysts as generating sustained selling pressure that disadvantages retail participants. ZachXBT has broadly flagged AI-narrative token projects as high-risk.

Kroll Restructuring Administration LLC served as the court-appointed claims and noticing agent for the FTX, BlockFi, and Genesis bankruptcy proceedings. On August 19, 2023, a threat actor executed a SIM swap attack against a Kroll employee's T-Mobile account, gaining unauthorized access to files containing the personal data of tens of thousands of crypto bankruptcy claimants. The exposed data was subsequently exploited in large-scale phishing and social engineering campaigns, with blockchain investigator ZachXBT estimating total losses attributable to the breach at eight to nine figures, and at least one alleged perpetrator — Danish Zulfiqar, also known as 'Danny' — was arrested in Dubai in late 2025 on RICO charges related to a broader $263 million social engineering conspiracy.

MEXC is a centralized cryptocurrency exchange founded in 2018, incorporated in Seychelles, that has accumulated a significant regulatory record across multiple jurisdictions including warnings or cease orders from authorities in Hong Kong, Germany, Belgium, Japan, Estonia, and South Korea. The exchange gained widespread notoriety in late 2025 after on-chain investigator ZachXBT amplified user reports of frozen funds, including a high-profile case in which a trader known as 'The White Whale' had approximately $3 million frozen without adequate explanation, eventually prompting a public apology from the exchange's Chief Strategy Officer. MEXC's parent entity MEXC Global Ltd was struck off by the Seychelles registry in August 2023, dissolved in December 2024, and never obtained a license under the Seychelles VASP Act 2024, leaving its current operational and legal standing opaque.

Wasabi Protocol is a decentralized perpetual futures and leveraged trading platform for memecoins and long-tail assets, deployed on Ethereum, Base, Berachain, and Blast. On April 30, 2026, the protocol suffered a critical multi-chain exploit in which a compromised admin deployer key was used to execute malicious UUPS proxy upgrades across core contracts, draining over $5 million in user funds. Security firm BlockSec reported that the attacker's wallets had been funded via Tornado Cash, and on-chain investigator ZachXBT publicly criticized the protocol for single-EOA admin control, absence of a timelock or multisig, and alleged misappropriation of project funds on influencer marketing.

1EU2pMence1UfifCco2UHJCdoqorAtpT7 is a legacy P2PKH Bitcoin address holding approximately 9,999.99 BTC that has never had any outgoing transactions, marking it as a dormant high-value wallet. The address has been publicly circulated in attacker-community repositories as a brute-force cracking target, appearing in GitHub issue lists of 'rich wallet addresses for BTC crack' alongside automated key-collision tools. No verifiable private-key compromise or confirmed theft has been documented as of the investigation date; however, the address's inclusion in brute-force tooling databases and its indexing on privatekeys.pw elevates its risk profile considerably.

KelpDAO (also KernelDAO) is an Ethereum-based liquid restaking protocol that issues rsETH, a yield-bearing token representing restaked positions via EigenLayer. On April 18, 2026, attackers attributed to North Korea's Lazarus Group (TraderTraitor subunit) exploited a single-verifier bridge configuration to mint 116,500 unbacked rsETH tokens worth approximately $292 million, making it the largest single DeFi exploit of 2026. The attack triggered cascading losses across Aave, SparkLend, and Fluid, sparked a $300 million+ industry recovery coalition (DeFi United), a legal dispute over $71 million frozen by Arbitrum's Security Council, and a protracted public blame dispute between KelpDAO and bridge provider LayerZero.

Renzo Protocol is an Ethereum liquid restaking protocol that issues ezETH, serving as an interface to the EigenLayer ecosystem. In April 2024, ezETH suffered a severe depeg event — dropping as low as $700 in under one hour — triggered by an unpopular REZ tokenomics announcement that concentrated approximately 65% of supply with insiders and investors. The event caused over $56 million in DeFi liquidations affecting more than 250 users, and the REZ token has since lost approximately 97% of its all-time high value.

Metawin is an offshore crypto casino and gaming platform licensed under the Anjouan (Comoros) gaming authority, operated by Asobi N.V. from Curacao, and founded by Richard 'Skel' Skelhorn. On November 3, 2024, the platform suffered a significant hot wallet exploit across Ethereum and Solana blockchains resulting in approximately $4 million in stolen funds, with blockchain investigator ZachXBT tracing the stolen assets to KuCoin and a nested HitBTC service across more than 115 attacker-linked addresses. The CEO subsequently claimed to have personally covered the losses, restoring withdrawals for approximately 95% of affected users, though the platform's offshore jurisdictional status and the underlying security vulnerability raise ongoing concerns.

Spartans Bet (spartans.com) is a crypto betting and casino platform launched in 2025, operated by Nexus International Entertainment Ltd, a company registered in Belize and licensed under the disputed Anjouan (Comoros) gaming authority. On-chain investigator ZachXBT alleged in 2025 that the platform's suspected co-founder, Gurhan Kiziloz, is also the hidden operator behind BlockDAG Network, a project ZachXBT claims raised over $300 million from retail investors through deceptive social media advertising and misappropriated presale funds via Middle Eastern OTC channels. Spartans makes prominent 'provably fair' claims that lack independently verifiable third-party audit documentation, and the platform carries a below-average safety index of 6.4/10 from casino.guru, with user complaints citing refused withdrawals and unfair bonus terms.

Renzo Protocol is an EigenLayer liquid restaking protocol that issues ezETH, a liquid restaking token (LRT) representing restaked ETH. In April 2024, ezETH suffered a severe depeg — falling from ~$3,100 to as low as $688 on Uniswap — triggered by a controversial REZ tokenomics announcement that allocated only 5% of tokens to the community airdrop while reserving over 60% for team, investors, and advisors, causing cascading liquidations exceeding $56 million across DeFi platforms. Eight high-severity vulnerabilities were identified in a concurrent Code4rena security audit, and the incident exposed structural risks including withdrawal restrictions that prevented users from redeeming ezETH directly for ETH.

Netmind AI (netmind.ai) is a London-based decentralized GPU compute network that issues the NMT token on both Ethereum (ERC20) and BNB Smart Chain (BEP20) via upgradeable proxy contracts. In March 2024, 440,000 NMT tokens were sold in a sudden dump that caused a 76% price crash — attributed by the team to a compromised early miner wallet, though the mechanism remains disputed. The NMT contract is an upgradeable transparent proxy that grants the owner unilateral ability to disable sells, change fees, mint, or transfer tokens, representing a material centralization and rug-risk vector flagged by security tools and, according to AVOID.NET source tagging, by ZachXBT.

Token 2049 is one of the world's largest crypto conferences, held annually in Singapore and Dubai by Hong Kong-based BOB Group. The event has faced repeated criticism for insufficient sponsor vetting, most notably when OFAC- and UK-sanctioned Russia-linked stablecoin A7A5 was listed as a platinum sponsor and given a speaking slot at the October 2025 Singapore edition. Separately, in March 2025, on-chain investigator ZachXBT publicly flagged multiple Token 2049 sponsors — including DWF Labs, Bitunix, JuCoin, WEEX, and Spacecoin — for fraud, wash trading, and regulatory non-compliance, warning that conference sponsorship carries no implied credibility.

Act I: The AI Prophecy (ACT) is a Solana-based AI-narrative memecoin launched via Pump.fun in October 2024 with no verified product utility. The token reached an all-time high of approximately $0.92 in November 2024 before declining over 98% to roughly $0.013 by mid-2026. It has been subject to a documented co-founder token dump, a suspicious 49% flash crash on Binance in April 2025 attributed to large coordinated sell orders, and broad sector criticism from on-chain investigator ZachXBT who labeled 99% of AI agent tokens as scams.

Mixin Network is a Hong Kong-based cross-chain Layer 2 protocol that suffered one of the largest cryptocurrency hacks of 2023, losing approximately $200 million when its cloud service provider's database was compromised on September 23, 2023. The hack exposed a fundamental contradiction in Mixin's self-described decentralized architecture: the majority of user funds were held in hot wallets backed by a centralized cloud database. As of early 2026, the majority of stolen assets remain unrecovered, with the attacker beginning to launder funds through Tornado Cash.

JRNY Crypto (real name allegedly Tony Spark) is a pseudonymous cryptocurrency and NFT influencer operating since 2017, with over 760,000 followers on X and 590,000 YouTube subscribers at peak activity. ZachXBT flagged the account in November 2024 after approximately $4 million in crypto assets were drained from associated wallets in a suspected private key compromise; JRNY did not publicly acknowledge the incident. Separate community-sourced allegations include undisclosed paid promotions, a paid strategic advisory role at BSC launchpad Seedify that critics allege was not consistently disclosed to audiences, and criticism over the JRNY Club and Planet Xolo NFT projects failing to meet roadmap commitments.

PAAL AI is an Ethereum ERC20 token launched in July 2023, marketed as an AI-powered chatbot and automation ecosystem for crypto communities. In September 2023, blockchain investigator ZachXBT published on-chain evidence and leaked Telegram messages alleging that four prominent crypto influencers — TraderSZ, TraderNJ1, PetaByte, and Trader_XO — received undisclosed token allocations from the PAAL AI team and engaged in a coordinated pump-and-dump scheme, collectively dumping hundreds of thousands of dollars in PAAL tokens on retail buyers. The token subsequently declined approximately 98.7% from its March 2024 all-time high of $0.8653 to below $0.013 by mid-2026, while the PAAL brand has also been exploited by third-party wallet-draining scams impersonating its staking platform.

ANDY is a meme token launched on the Base (Ethereum L2) network in 2024, built around the 'boy's club' internet meme character. Blockchain investigator ZachXBT documented a theft of approximately $2 million in ANDY tokens from a victim's wallet in June 2024, with the perpetrator converting roughly half the stolen funds to Ethereum. CertiK's Skynet platform assigned the token a score of 2.7 out of 100, indicating serious security and governance deficiencies. Allegations that individuals associated with the token conducted SIM-swap attacks targeting Korean-American crypto holders have been attributed to ZachXBT's flagging but remain unconfirmed by independently verifiable Tier 1 or Tier 2 sources.

BtcTurk is Turkey's oldest and largest centralized cryptocurrency exchange, founded in 2013 in Istanbul. The exchange has suffered two major hot wallet breaches in 14 months — approximately $55 million stolen in June 2024 and approximately $48–$49 million in August 2025 — both attributed to private key compromise, establishing a pattern of repeated critical security failures. Despite operating under Turkish regulatory frameworks (CMB and MASAK) and maintaining cold wallet protections, the exchange's inability to prevent a second near-identical attack within a year raises serious concerns about the adequacy of its security controls.

Truflation is a blockchain-based inflation data oracle protocol that provides real-time economic indices to DeFi applications via its Truflation Stream Network (TSN) and TRUF token. In September 2024, the project suffered a confirmed malware attack that compromised private keys across its treasury multisig and personal wallets, resulting in losses estimated between $4.6 million and $5.2 million — predominantly in TRUF tokens, ETH, and DAI. On-chain investigator ZachXBT was among the first to publicly identify and report the incident; the project subsequently initiated a full TRUF token migration as a remediation measure.

SBI Crypto is a cryptocurrency mining subsidiary of Japan's SBI Holdings, operating one of the top Bitcoin mining pools globally and offering related infrastructure services. On September 24, 2025, addresses linked to the company saw approximately $21–24 million in suspicious outflows across five cryptocurrencies; blockchain investigator ZachXBT and security firm Cyvers identified laundering patterns consistent with DPRK-affiliated Lazarus Group operations. SBI Group did not proactively disclose the breach and provided only minimal confirmation after independent researchers surfaced the incident publicly.

Crypto.com is a Singapore-headquartered centralized cryptocurrency exchange founded in 2016 (originally as Monaco) by Kris Marszalek, Bobby Bao, Gary Or, and Rafael Melo. The platform has been subject to multiple serious security incidents, including a confirmed January 2022 hack in which $34 million was stolen via a 2FA bypass and laundered through Tornado Cash, and an alleged 2023 data breach linked to the Scattered Spider hacking group that the company did not publicly disclose to affected users. Blockchain investigator ZachXBT has publicly accused Crypto.com of governance manipulation and tokenomics fraud, citing the March 2025 reissuance of 70 billion CRO tokens that had been permanently burned in 2021, and the company's controversial 2020 forced swap from its original MCO token to CRO at unfavorable rates.

Cardano (ADA) holders face a persistent and multi-vector threat landscape that includes deepfake giveaway scams impersonating founder Charles Hoskinson, social media account hijackings used to promote fraudulent tokens, phishing campaigns distributing credential-stealing malware disguised as wallet software, and NFT-based wallet drainers. The Cardano Foundation's own X account was compromised in December 2024, resulting in the promotion of a fake token and false regulatory claims. State-sponsored actors including the North Korean Lazarus Group have also targeted ADA holders through the Atomic Wallet supply chain attack.

EigenLayer is a legitimate Ethereum restaking protocol operated by Eigen Labs that became a high-value target for phishing campaigns, wallet drainer attacks, and social engineering in 2024 following the launch of its EIGEN token. In October 2024 alone, the protocol's official X account was compromised to promote a fake airdrop resulting in at least $800,000 lost by one victim, and a separate email-based social engineering attack redirected approximately $5.7 million in locked investor tokens to an attacker's wallet. EIGEN holders and restakers face an elevated and persistent threat surface from impersonation sites, fake airdrop claims, and token-approval drainer schemes that exploit the protocol's name and brand recognition.

Serenity Shield is a blockchain-based data storage and crypto inheritance protocol built on BNB Smart Chain, operating a product called StrongBox. On February 27, 2024, a team MetaMask wallet was compromised and 6.9 million SERSH tokens valued at approximately $5.6 million were stolen, causing the token price to collapse by over 95% within 24 hours. On-chain investigator ZachXBT linked the attacker to a serial hacker responsible for multiple private-key compromise incidents across at least six other protocols in late 2023 and early 2024.

Nexera (formerly AllianceBlock) is a blockchain infrastructure protocol focused on compliant real-world asset tokenization, operating primarily on Ethereum. In August 2024, a threat actor later attributed to North Korea's Lazarus Group used social engineering and BeaverTail malware to steal smart contract management credentials, enabling unauthorized transfer of 47.24 million NXRA tokens valued at approximately $1.9 million. The team mitigated further losses by zeroing out and subsequently burning the 32.5 million tokens that remained in the attacker's wallet, limiting confirmed liquidated losses to roughly $449,000.

Trust Wallet is a widely-used non-custodial mobile and browser cryptocurrency wallet, originally acquired by Binance in 2018 and later divested as an independent entity. It has been the subject of multiple documented security incidents spanning 2022–2025, including a critical WebAssembly entropy vulnerability (CVE-2024-23660), a supply-chain compromise of its Chrome extension in December 2025 that resulted in approximately $8.5 million in user losses, and a historical low-entropy key generation flaw exploited in 2023. Blockchain investigator ZachXBT flagged the December 2025 browser extension incident and documented hundreds of victims.

CoinEx is a centralized cryptocurrency exchange that suffered a major hot wallet breach on September 12, 2023, with losses estimated between $54 million and $70 million across multiple blockchains. On-chain investigators ZachXBT and Elliptic attributed the attack to the Lazarus Group (TraderTraitor), a North Korean state-sponsored threat actor, based on wallet address overlap with the contemporaneous Stake.com hack. Stolen proceeds were subsequently laundered in part through the Sinbad Bitcoin mixer, which was sanctioned by the U.S. Treasury's OFAC on November 29, 2023.

Andy Ayrey is a New Zealand-based AI researcher and self-described performance artist who created Truth Terminal, an autonomous AI chatbot that became closely associated with the Goatseus Maximus (GOAT) memecoin, which briefly reached a $900M–$1B market cap in late 2024. Ayrey disclosed holding 1.25 million GOAT tokens gifted to him and pledged not to trade on insider knowledge, later establishing a non-profit foundation (Truth Collective) to manage the AI's holdings. ZachXBT's involvement concerns the October 2024 SIM-swap hack of Ayrey's X account — which third-party hackers exploited to deploy scam memecoins netting over $1.5M — rather than direct fraud allegations against Ayrey himself; however, broader ethical concerns persist around the gray-area ecosystem of AI-agent-driven memecoin promotion that Truth Terminal helped legitimize.

Kiln is an institutional-grade, non-custodial staking infrastructure provider that manages over $14 billion in staked assets across 50+ proof-of-stake networks, including approximately 6% of the entire Ethereum validator set. In September 2025, Kiln suffered a sophisticated supply chain attack in which a threat actor compromised a GitHub access token belonging to a Kiln infrastructure engineer, injected malicious code into the Kiln Connect API, and caused the theft of approximately 192,600 SOL (~$41 million) from enterprise customer SwissBorg. The incident prompted Kiln to exit all 1.6 million ETH worth of its Ethereum validators as a precautionary measure, triggering the longest Ethereum exit queue backlog in the network's history.

Vitalik Buterin is the legitimate co-founder of Ethereum and is not himself a scam actor. However, his name, likeness, and social media presence constitute one of the most heavily weaponized impersonation surfaces in crypto. Documented threats include a September 2023 SIM-swap of his X account (linked to Pink Drainer, resulting in ~$691K stolen from followers), persistent fake giveaway livestreams on YouTube, thousands of fraudulent Instagram accounts, and an escalating campaign of AI-generated deepfake videos distributing wallet-drainer phishing links.

BitoPro is a Taiwanese centralized cryptocurrency exchange operated by BitoGroup, serving over 800,000 users with TWD (New Taiwan Dollar) fiat on/off-ramps. On May 8, 2025, the exchange suffered an approximately $11.5 million hot wallet theft attributed to North Korea's Lazarus Group via a social-engineering and AWS-token-hijacking attack. The exchange did not publicly disclose the breach for approximately 25 days, only confirming the incident after on-chain investigator ZachXBT flagged suspicious outflows on June 2, 2025.

BONAD.fun is a permissionless meme token launchpad operating on the Monad blockchain, positioned as BONK's community-driven expansion from Solana into the EVM ecosystem via Monad. The platform is an independent community project not officially endorsed or vetted by the BONK Foundation, and no public smart contract audit has been documented. The platform shares brand identity and fee-recycling mechanics with Bonk.fun, the Solana-based predecessor that suffered a domain hijacking and wallet-drainer attack in March 2026 — a front-end attack vector that is directly relevant to BONAD.fun's risk surface as a structurally similar deployment.

Thunder Terminal is a Solana-based on-chain trading terminal that suffered a $240,000 exploit on December 27, 2023, when an attacker leveraged compromised MongoDB credentials to steal session tokens and drain 86.5 ETH and 439 SOL from 114 user wallets in under nine minutes. The attacker subsequently routed the stolen ETH through the Railgun privacy protocol and demanded a 50 ETH ransom for deletion of alleged user data, directly contradicting Thunder Terminal's public claim that no user data or private keys were compromised. Thunder Terminal pledged full reimbursement of stolen funds, engaged the FBI, and implemented additional security controls, though no public confirmation of completed reimbursements has been verified.

Sui is a Layer 1 blockchain developed by Mysten Labs, launched in May 2023 and built on the Move programming language. The network suffered one of the largest DeFi exploits of 2025 when Cetus Protocol — its primary DEX — was drained of approximately $223 million in May 2025, triggering a controversial emergency validator vote to freeze and reclaim stolen funds that exposed deep centralization concerns. Separately, ZachXBT investigated a $29 million SUI token theft in late 2024 involving Tornado Cash laundering and subsequently announced in July 2025 that he would no longer take Sui ecosystem cases due to inadequate incident-response infrastructure and lack of support from the ecosystem.

MustStopMurad is the X handle of Murad Mahmudov, a Princeton-educated former Goldman Sachs analyst and co-founder of the now-defunct Adaptive Capital hedge fund, who rose to prominence in 2024 as the primary advocate of the 'memecoin supercycle' thesis following a widely-circulated speech at TOKEN2049 Singapore. On-chain investigator ZachXBT published what he alleged to be 11 wallets linked to Mahmudov in October 2024, holding approximately $24 million in memecoins, raising concerns about undisclosed large holdings in tokens he publicly promotes to hundreds of thousands of followers. No regulatory action has been filed; the core allegations of supply control, potential front-running, and undisclosed conflicts of interest remain contested and unproven in any legal forum.

Rain (rain.com / Rain Financial) is a Bahrain-headquartered cryptocurrency exchange founded in 2017, holding licenses from the Central Bank of Bahrain and the Abu Dhabi Global Market's Financial Services Regulatory Authority. In April 2024, the exchange suffered a confirmed security breach of approximately $14.8 million in BTC, ETH, SOL, and XRP, which went undisclosed for approximately two weeks until blockchain investigator ZachXBT publicly exposed it. Rain subsequently confirmed the incident and stated that all customer funds were covered from company reserves.

CoinDCX is one of India's largest cryptocurrency exchanges, founded in 2018 and valued at $2.45 billion following Coinbase investment. In July 2025, the exchange suffered a $44.2 million security breach attributed by cybersecurity firm Cyvers to North Korea's Lazarus Group, which was first publicly identified by blockchain investigator ZachXBT before official disclosure. While customer funds were not directly affected and the exchange covered losses from treasury, the incident compounded existing concerns including co-founder arrests over alleged fraud in March 2026 and ongoing user withdrawal complaints.

KAITO is the native token of Kaito AI, an AI-powered 'InfoFi' (information finance) platform built on Base blockchain, founded by former Citadel quantitative trader Yu Hu and launched in February 2025. On March 15, 2025, both the official Kaito AI X account and Yu Hu's personal account were compromised by hackers who spread false claims of wallet breaches while simultaneously holding short positions on KAITO, netting an estimated $1 million in profit from the manufactured price panic. The platform faced additional scrutiny from blockchain investigator ZachXBT over alleged AI bot spam incentivized by its Yaps reward system, which was ultimately sunset in January 2026 after X revoked API access to all InfoFi applications.

Across Protocol is a cross-chain bridge protocol built on UMA's optimistic oracle, founded by Hart Lambur and the UMA/Risk Labs team and launched in 2021. In June 2025, pseudonymous investigator Ogle alleged that protocol insiders used undisclosed wallets to push through two governance proposals transferring approximately 150 million ACX tokens ($23 million) from the DAO treasury to Risk Labs, the team's own organization, constituting alleged self-dealing and DAO manipulation. Separate allegations from LayerZero founder Bryan Pellegrino claimed insider trading preceded a surprise Binance listing of ACX in December 2024, with the protocol subsequently proposing in early 2026 to dissolve its DAO entirely and convert to a U.S. C-corporation.

Hypurr NFTs are a 4,600-piece cat-themed NFT collection airdropped by the Hyper Foundation on September 28, 2025, to early Hyperliquid users who participated in the November 2024 Genesis Event. On the day of launch, blockchain investigator ZachXBT flagged the theft of eight Hypurr NFTs from compromised HyperEVM wallets, yielding approximately $400,000 in profit for the attacker. The collection itself is a legitimate product of the Hyper Foundation, but the incident exposed wallet security vulnerabilities in the HyperEVM ecosystem and coincided with a broader pattern of exploits across Hyperliquid-based protocols in late September 2025.

SafePal is a hardware and software cryptocurrency wallet founded in 2018 by Veronica Wong and incubated by Binance Labs, with over 10 million claimed users. The platform has been surrounded by multiple serious security incidents including a malicious Firefox extension that impersonated the wallet for seven months in 2021, a Binance-backed Launchpad token (SFP), hardware vulnerabilities disclosed by Kraken Security Labs, and a $6.5–7 million theft linked to a tampered hardware wallet sold via the Chinese platform Douyin (TikTok China). SafePal itself has not been hacked directly, but its brand has been repeatedly exploited by third-party threat actors, and ZachXBT has documented its wallets appearing in fund-laundering flows.

CoinsPaid is an Estonia-based cryptocurrency payment processor founded by Max Krupyshev that was targeted in two major security breaches: a $37.3 million hack in July 2023 attributed by the company and the FBI to North Korea's Lazarus Group (achieved via a sophisticated social engineering campaign using fake job offers), and a second breach in January 2024 resulting in approximately $7.5 million in losses. Despite the company's stated transparency and rapid operational recovery, the consecutive incidents raise significant concerns about its security posture and its status as a repeated high-value target for state-sponsored threat actors.

Cointelegraph is a major legitimate cryptocurrency news outlet that has been a victim of two distinct infrastructure compromises. In January 2024, attackers breached its email service provider MailerLite and sent phishing emails to subscribers using Angel Drainer malware, resulting in estimated losses of $580,000 to over $700,000 across affected platforms. In June 2025, attackers separately compromised Cointelegraph's banner advertising system to serve Inferno Drainer-linked pop-ups promoting a fake CTG token airdrop to site visitors.

Strike (operated by Zap Solutions, Inc.) is a Bitcoin and Lightning Network payments application founded by Jack Mallers. The platform has faced scrutiny over a 2023 data breach it initially denied, the use of Tether (USDT) as a backing for purported USD cash balances for non-US users, and a 2026 proposed merger with Twenty One Capital (XXI) that raises serious conflict-of-interest concerns given Mallers serves as CEO of both entities.

Coinbase (NASDAQ: COIN) is the largest publicly listed cryptocurrency exchange in the United States, founded in 2012 and regulated across multiple jurisdictions. Despite its regulated status, the platform has been the subject of significant documented concerns: a May 2025 insider-enabled data breach affecting approximately 70,000 users with estimated remediation costs of $180–400 million, ongoing documented losses exceeding $300 million per year from social engineering scams targeting Coinbase users (as reported by blockchain investigator ZachXBT), a $100 million AML compliance settlement with the NYDFS in 2023, and controversies surrounding its Base Layer-2 blockchain including a disputed token launch and a contentious departure from the Optimism OP Stack ecosystem.

Rapper Nelly (Cornell Iral Haynes Jr.) is flagged here not as a perpetrator of crypto fraud, but as a victim of an account compromise. In October 2023, an X (formerly Twitter) account associated with Nelly — handle @NellioETH — was hacked by an unknown third party who then used it to run a social engineering phishing campaign against crypto users. Blockchain investigator ZachXBT first identified and publicized the incident; specific amounts stolen from victims and detailed on-chain forensics have not been publicly confirmed.

Circle Internet Group is the issuer of USDC, the second-largest USD-pegged stablecoin by market capitalization. Circle has faced sustained criticism from blockchain investigator ZachXBT and others for its policy of refusing to freeze USDC linked to hacks or scams without a formal court order or law enforcement mandate, which critics allege has allowed over $420 million in illicit funds to flow freely since 2022. The company went public on the NYSE in June 2025 under the ticker CRCL and received conditional OCC approval for a national trust bank charter in December 2025.

M2 is a UAE-based cryptocurrency exchange licensed by the Abu Dhabi Global Market (ADGM) Financial Services Regulatory Authority, operating as a regulated Multilateral Trading Facility and custodian since late 2023. On October 31, 2024, the exchange suffered a $13.7 million hot wallet breach attributed to an access control vulnerability across the Bitcoin, Ethereum, and Solana networks. M2 subsequently reimbursed all affected customers from its own assets and stated it had engaged law enforcement and regulatory authorities.

No verifiable information about an entity named 'Burgeleth' was found across any indexed web source as of May 2026. Exhaustive searches across news outlets, blockchain explorers, social media platforms, regulatory databases, domain registries, and crypto-specific intelligence sources (ZachXBT, Chainalysis, Scam Sniffer) returned zero results matching this name in a crypto or financial context. The slug may refer to an extremely obscure or newly created entity, an alternate spelling of a different entity, or a name that has not yet generated any publicly indexed presence.

Porkbun LLC is a legitimate ICANN-accredited domain registrar founded circa 2014-2015, headquartered in Sherwood, Oregon, and managing over 3.45 million domains. While the company is not itself a scam operation, it has attracted scrutiny from the crypto security community — including on-chain investigator ZachXBT — for hosting phishing infrastructure linked to Angel Drainer and Inferno Drainer wallet-draining services, including fake Ledger sites. Third-party tracking platforms document hundreds of flagged phishing domains registered through Porkbun and allege that the company's abuse-response enforcement has been inadequate, with a majority of reported domains remaining active after formal abuse reports.

Bittensor is a decentralized blockchain protocol functioning as a peer-to-peer marketplace for machine intelligence, using the TAO token to reward AI model contributors. In July 2024, the protocol was the target of a supply chain attack via a malicious version of its official PyPI package, resulting in the theft of approximately $28 million in TAO tokens from 32 wallets. A civil lawsuit filed in January 2025 alleges that former Opentensor Foundation employees orchestrated the attack, and on-chain investigator ZachXBT identified a key suspect through NFT wash-trade analysis and Railgun de-mixing.

Transak is a fiat-to-crypto on-ramp infrastructure provider founded in 2019 and serving over 8 million users across 160+ countries, with integrations into major platforms including MetaMask, Phantom, and Uniswap. In October 2024, a phishing attack on an employee's laptop led to unauthorized access to a third-party KYC vendor's dashboard, exposing the personal identity documents of approximately 92,554 users globally, including names, dates of birth, government-issued IDs, and selfie photos. The breach resulted in a $601,000 class action settlement covering U.S.-based affected users, and the Stormous ransomware group claimed responsibility, alleging extraction of over 300GB of data.

Pendle is a permissionless yield-trading protocol on Ethereum, launched in 2021 by TN Lee and Vu Nguyen, that allows users to separate and trade the principal and yield components of yield-bearing assets. In September 2024, Penpie — an independent yield optimizer built on top of Pendle — suffered a $27 million reentrancy exploit that was made possible in part by Pendle's permissionless market creation design. Although Pendle's own contracts were not directly exploited, the protocol's architecture contributed to the attack surface, and all 11,261 ETH in stolen funds were subsequently laundered through Tornado Cash.

Trezor is a legitimate Prague-based hardware wallet manufacturer (SatoshiLabs) and one of the oldest in the industry, but it has accumulated a significant threat ecosystem around its brand. A January 2024 breach of its third-party support portal exposed contact data for approximately 66,000 users, which subsequently fueled targeted phishing campaigns delivered via email, physical mail, and fake apps. Trezor hardware devices have also been subject to disclosed physical attack vectors, including an alleged unpatchable flaw in the STM32 microcontroller used in the Trezor T model.

CoinSpot is an Australian cryptocurrency exchange founded in 2013 by Russell Wilson and headquartered in Melbourne. It is registered with AUSTRAC as a Digital Currency Exchange (since May 2018) and holds ISO 27001 certification. On November 8, 2023, the platform suffered a suspected private key compromise resulting in the loss of approximately 1,283 ETH (~$2.4 million USD), with stolen funds bridged to Bitcoin via THORChain and Wan Bridge. No customer funds were reported lost in the incident.

Bybit is a Dubai-headquartered cryptocurrency derivatives and spot exchange founded in 2018 by Ben Zhou, serving over 80 million registered users globally. On February 21, 2025, the exchange suffered the largest cryptocurrency theft in recorded history when North Korean state-sponsored hackers attributed to the Lazarus Group (TraderTraitor) stole approximately $1.46 billion in Ethereum via a supply chain compromise of Safe{Wallet}'s frontend infrastructure. Separately, Bybit accounts have been cited in the ICIJ's 2025 Coin Laundry investigation into crypto exchanges facilitating international criminal money flows.

Ninamo is a purported crypto entity whose name was submitted for investigation on AVOID.NET. Exhaustive searches across regulatory databases, blockchain explorers, crypto news outlets, scam trackers, social media platforms, domain registries, and the Wayback Machine returned no verifiable information about any crypto project, exchange, token, or DeFi protocol operating under the name Ninamo. No wallet addresses, enforcement actions, community reports, or archived web presence could be located.