Avoid your next
big mistake

Paraluni is a metaverse DeFi yield-farming protocol deployed on Binance Smart Chain (BSC). On March 13, 2022, its MasterChef smart contract was exploited via a reentrancy vulnerability in the depositByAddLiquidity function, resulting in approximately $1.7 million in losses. The attacker laundered the proceeds through Tornado Cash and never returned funds despite a public appeal from the Paraluni team.

Merlin DEX was a decentralized exchange built on zkSync Era that suffered a confirmed insider rug pull on April 26-27, 2023, during its MAGE token Liquidity Generation Event. Rogue backend developers exploited excessive smart contract permissions granted to a privileged 'Feeto' address to drain approximately $1.82 million in user funds. Despite a prior CertiK audit, centralization risks flagged during review were not effectively remediated; CertiK subsequently acknowledged partial responsibility and launched a compensation plan, recovering only $160,000 of the stolen amount.

Swaprum was an Arbitrum-based decentralized exchange (DEX) that launched in early 2023 and operated briefly before its anonymous development team executed a deliberate exit scam on May 18, 2023. The team exploited a backdoor function embedded in an upgraded smart contract to drain approximately 1,628 ETH (roughly $3 million) from user liquidity pools, then laundered the proceeds through Tornado Cash and deleted all official communication channels. No funds have been recovered and no arrests have been publicly reported.

0VIX was a DeFi lending protocol built on Polygon PoS and Polygon zkEVM, forked from the Compound v2 codebase, that launched as one of Polygon zkEVM's inaugural partners. On April 28, 2023, an attacker exploited a price oracle vulnerability in the protocol's vGHST market using a flash loan, draining approximately $2 million in user funds from a total TVL of $6.4 million. Stolen funds were bridged to Ethereum via Stargate Finance and deposited into Tornado Cash; the attacker did not respond to a $125,000 bounty offer. The protocol subsequently rebranded as Keom in August 2023.

Sentiment is an undercollateralized DeFi lending protocol originally deployed on Arbitrum, later migrating activity to HyperLiquid L1. On April 4, 2023, the protocol suffered a read-only reentrancy exploit resulting in approximately $1 million in losses, of which 90% was returned by the attacker following a negotiated $95,000 bounty. ZachXBT has flagged the entity for elevated risk; the protocol remains operational with a low TVL of roughly $518,000 as of 2025.

On May 26, 2026, Manuel Aráoz, co-founder of smart contract security firm OpenZeppelin, issued a public warning on X declaring that he considers 'all of DeFi unsafe,' citing the emergence of AI coding agents that are 'superhuman' at discovering and weaponizing smart contract vulnerabilities. The warning coincided with more than $1.1 billion lost to DeFi hacks in the prior 12 months and was substantiated by Anthropic research published in late 2025 demonstrating that frontier AI models can autonomously exploit known smart contract vulnerabilities at scale. This entry tracks the AI-assisted DeFi exploit surface as a forward-looking threat category, documenting the evidence base, industry response, and structural security asymmetry that Aráoz and corroborating researchers describe.

Jimbos Protocol was an Arbitrum-based DeFi liquidity protocol designed to provide a semi-stable floor price for its native JIMBO token. On May 28, 2023, just three days after launching its V2, the protocol was exploited via a flash loan attack that drained approximately 4,090 ETH (~$7.5 million) by exploiting a lack of slippage control in the JimboController contract. The attacker rejected a $800,000 bounty offer, laundered the full amount through Tornado Cash, and remains unidentified; no funds have been recovered.

Kannagi Finance was a decentralized yield aggregation protocol launched on zkSync Era in June 2023. On July 29, 2023, the project's anonymous team executed an exit scam, draining approximately $2.13 million in user funds and reducing TVL from $2.13 million to $0.17. The stolen funds were subsequently laundered through the Tornado Cash crypto mixer, and all project infrastructure — website, Twitter, and GitHub repositories — was deleted.

EraLend (formerly Nexon Finance) is a decentralized lending protocol on zkSync Era that suffered a $3.4 million read-only reentrancy exploit on July 25, 2023, draining its USDC pool due to a vulnerability in inherited SyncSwap oracle code. The protocol's pre-hack audit by PeckShield explicitly assumed a trusted price oracle, leaving the vulnerable oracle mechanism unexamined. EraLend relaunched post-hack with a fee-based compensation plan but has seen its TVL decline sharply to approximately $138,000 as of 2025-2026.

Conic Finance was a DeFi liquidity-diversification protocol built on Curve Finance that allowed users to deposit assets into Omnipools across multiple Curve pools. On July 21, 2023, the protocol suffered two separate exploits totaling approximately $4.2 million — a $3.26 million read-only reentrancy attack on its ETH Omnipool and a subsequent $300,000 sandwich attack on its crvUSD Omnipool — after which TVL never recovered. In March 2025, the team formally shut down the protocol, citing an inability to fix critical security issues in a planned v2 upgrade.

Agave was a decentralized lending protocol on Gnosis Chain forked from Aave v2, developed by members of the 1Hive community. On March 15, 2022, the protocol suffered a reentrancy exploit that drained approximately $5.5 million in user funds, part of a coordinated $11.7 million attack that simultaneously hit Hundred Finance. The protocol paused operations following the hack and formally closed down in March 2024 with no documented user compensation.

Cypher Protocol was a Solana-based cross-margin decentralized exchange (DEX) and perpetuals trading platform that suffered a critical smart contract exploit in August 2023 resulting in approximately $1 million in losses. Following the exploit, an insider contributor known as 'Hoak' systematically drained over $314,000 from the community redemption fund established to reimburse hack victims, admitting publicly to gambling the funds away. The protocol appears effectively defunct, having failed to deliver meaningful restitution to users who received roughly 31 cents on the dollar from the original exploit fund before that fund itself was embezzled.

Remitano is a peer-to-peer cryptocurrency exchange operated by Babylon Solutions Limited, incorporated in Seychelles and active since 2015. The platform suffered a confirmed hot wallet hack in September 2023 resulting in approximately $2.7 million in losses, with the Lazarus Group (North Korea-linked) alleged as a probable suspect. Regulatory authorities in Malaysia, the United Kingdom, and Seychelles have issued warnings or taken enforcement actions against Remitano for operating without authorization, and the operating entity Babylon Solutions Limited was dissolved and struck off as of January 1, 2023.

Exactly Protocol is a decentralized, non-custodial fixed-rate and variable-rate lending protocol deployed on the Optimism Layer 2 network. On August 18, 2023, the protocol suffered a critical exploit resulting in approximately $7.3–$12 million in ETH stolen from 117 user accounts due to insufficient input validation in its DebtManager periphery contract. The protocol has since resumed operations, engaged law enforcement, offered a $700,000 bounty, and passed a governance proposal to compensate affected users with EXA tokens.

Lodestar V0 is the original deployment of Lodestar Finance, an algorithmic money market lending protocol on Arbitrum. On December 10, 2022, the protocol suffered a critical flash loan exploit in which an attacker manipulated the plvGLP price oracle to drain approximately $6.9 million in user funds. The protocol was subsequently relaunched as Lodestar V1 in July 2023; V0 remains abandoned with negligible TVL (~$95K) and the attacker was never publicly identified.

Steadefi is a decentralized leveraged yield farming protocol operating on Arbitrum and Avalanche. On August 7, 2023, an attacker exploited a compromised deployer private key to drain approximately $1.14 million from the protocol's lending vaults across both chains. The protocol subsequently relaunched with enhanced security measures and issued a token-based compensation plan for affected users, though roughly 70% of stolen funds were never recovered.

SuperFarm, rebranded to SuperVerse in 2023, is an Ethereum-based Web3 gaming and NFT ecosystem founded by crypto influencer Elliot Wainman (EllioTrades). The project launched its SUPER token in February 2021, reached an all-time high of $4.73 before declining over 97%, and became central to high-profile allegations that YouTuber MrBeast received and sold approximately $9–19 million worth of SUPER tokens after promoting the project to his audience of hundreds of millions. No formal SEC enforcement action has been confirmed against the project itself, though Senator Elizabeth Warren formally questioned MrBeast in 2026 regarding these promotions.

HTX (formerly Huobi Global) is one of the world's largest cryptocurrency exchanges, rebranded in September 2023 following the de facto acquisition of Huobi by interests linked to Justin Sun in late 2022. The exchange has suffered at least three significant security incidents totaling over $130 million in losses since September 2023, and in May 2026 was sanctioned by the UK government for alleged facilitation of Russian sanctions evasion — the first such crypto-exchange designation under the UK Russia sanctions framework. HTX also faces FCA legal proceedings over illegal financial promotions to UK consumers, has withdrawn its Hong Kong licensing applications twice, and has been publicly criticized for opaque reserve practices.

Florence Finance is a DeFi real-world asset (RWA) lending protocol built on Arbitrum that tokenizes euro-denominated loans to European small and medium enterprises (SMEs). In November 2023 the protocol lost $1.45 million in USDC to an address poisoning attack, and notably failed to publicly acknowledge the theft for at least five days after it was reported by security firms. As of 2025-2026 the protocol's TVL has collapsed to approximately zero and the official website indicates the project is shutting down.

Levana Perps is a decentralized perpetual-swap protocol originally deployed on Osmosis (Cosmos ecosystem) and later expanded to Sei and Injective. In December 2023, the protocol suffered a confirmed oracle-manipulation exploit spanning 13 days that drained approximately $1.14 million (roughly 10% of liquidity provider funds). The protocol subsequently underwent a strategic rebrand and token migration into the Rujira (RUJI) ecosystem in 2025, effectively sunsetting the standalone LVN token.

Onyx Protocol is a DeFi lending protocol forked from Compound Finance v2, operating on Ethereum and issuing the XCN (Onyxcoin) token. The protocol suffered two major exploits in under twelve months — $2.1 million in October/November 2023 and $3.8 million in September 2024 — both stemming from the same known precision vulnerability in the Compound v2 codebase that the team had been warned about by auditor CertiK in February 2023 and chose not to remediate. Following the second hack the Ethereum-based lending market was shut down and the protocol relaunched as Onyx Core.

dYdX V3 was a decentralized perpetual futures exchange built on Ethereum using StarkWare's StarkEx Layer-2 technology, operated by dYdX Trading Inc. The platform suffered a $9 million insurance fund drain in November 2023 due to an alleged coordinated market manipulation attack targeting YFI and SUSHI markets, a DNS hijacking attack in July 2024, and a software supply chain compromise in September 2022. The V3 product was formally sunset on October 28, 2024, with trading migrated to the dYdX Chain (V4) on Cosmos.

MangoFarmSOL was a purported yield-farming protocol on the Solana blockchain that executed an exit scam in January 2024, draining approximately $1.32 million from users who had deposited SOL tokens in anticipation of a promised MANGO token airdrop. The perpetrators deployed a malicious frontend under the guise of an 'emergency migration,' bridged stolen funds to Ethereum, and laundered proceeds through privacy tools including Railgun and instant exchanges before all social media accounts, the project website, and the Telegram channel were abandoned. No perpetrators have been publicly identified and no regulatory or law enforcement actions are known to have followed.

RiskOnBlast was a GambleFi (gambling and exchange) platform launched on the Blast Layer-2 network in February 2024. Its anonymous team executed an exit scam (rug pull) on February 24, 2024, draining approximately 420 ETH (~$1.3 million) from over 750 investor wallets immediately after the IDO cap was reached. The project is linked by on-chain evidence to a serial fraud group responsible for more than $20 million in losses across multiple DeFi protocols.

DuelBits is a Curacao-licensed crypto casino and sportsbook operated by Liquid Entertainment N.V., launched in 2020. The platform suffered a confirmed $4.6 million private key compromise on February 13, 2024, affecting wallets on both the Ethereum and BNB Chain networks. DuelBits has also been flagged in broader contexts related to unlicensed gambling promotion, Twitch's 2022 ban on unlicensed gambling streams, and mixed user reports of withdrawal delays and account-closure disputes.

Bungee Exchange is a cross-chain bridge aggregator and liquidity routing protocol developed by Socket (formerly SocketDotTech), founded in 2021 by Vaibhav Chellani and Rishabh Khurana. On January 16, 2024, the underlying Socket infrastructure was exploited via an inadequately validated smart contract route, resulting in approximately $3.3 million stolen from roughly 700 wallets with infinite token approvals. The protocol recovered approximately $2.23 million of the stolen funds one week later and resumed operations; it remains active as of 2026.

Seneca is a decentralized stablecoin lending protocol that allowed users to mint senUSD against collateral. On February 28, 2024, attackers exploited a critical arbitrary external-call vulnerability in its Chamber contract, draining approximately $6.4 million from user wallets across Ethereum and Arbitrum. Approximately 80% of stolen funds were recovered after an on-chain bounty offer; however, the vulnerability had been publicly identified months before the exploit and the team proceeded to launch without patching it.

Unizen is a cross-chain DEX aggregator and smart exchange ecosystem operating on Ethereum and multiple other networks, with a native utility token ZCX. On March 8, 2024, the platform suffered a $2.1 million exploit caused by an unsafe external call vulnerability introduced during a smart contract upgrade; the attacker subsequently laundered the stolen funds through Tornado Cash in August 2024. Despite a CEO-funded reimbursement covering approximately 99% of affected users, the incident raised significant questions about upgrade security practices given that two prior audits (Halborn, Verichain 2022) had not caught the flaw.

Shido Network (SHIDO) is a Layer-1 proof-of-stake blockchain project founded in Sweden in 2021. On February 29, 2024, an attacker exploited the Ethereum-based SHIDO staking contract by transferring ownership to a new address and upgrading it with a hidden token-withdrawal function, draining over 4.3 billion tokens and causing the price to collapse 94% within 30 minutes. On-chain investigator ZachXBT linked the exploit to a serial hacker responsible for the OKX (December 2023) and Concentric Finance (January 2024) hacks, with the attack vector in each case being private key compromise via social engineering.

Adshares is a Warsaw-based decentralized advertising protocol operating a proprietary dPoS blockchain with cross-chain bridges to Ethereum, BSC, Base, and Polygon. In May 2026 its Ethereum bridge was exploited for approximately $628,000 through fake wrapped-token minting, making it one of eight bridge exploits tracked by PeckShield that month. Approximately 86% of stolen funds were returned after the team offered a 10% whitehat bounty, but no public post-mortem has been published and the root cause of the bridge compromise remains unconfirmed.

5CLYzCRa2E8p3NHNrRSs2w5NkHzj5WGmqCF8zYd3PRD7 is a standard Solana wallet account (owned by the System Program), not a token mint. On-chain data shows 643 transactions between May 2024 and November 2025, predominantly consisting of inbound 1-lamport dust transfers sent by automated batch senders to groups of 15-20 wallets simultaneously, and inbound unsolicited SPL token airdrops from a known mass-distributor address. The wallet has also sent modest outbound SOL transfers and closed its own token accounts using a sweep program. No association with a named project, DEX listing, or public fraud report has been identified.

Rapira Group LLC and Aifory LLC (operating as Aifory Pro) are Georgia-incorporated cryptocurrency exchanges that operated primarily as ruble-to-crypto fiat on-ramps targeting Russian and CIS retail users. On May 26, 2026, the UK Foreign, Commonwealth and Development Office designated both entities under the Russia (Sanctions) (EU Exit) Regulations 2019 as part of an 18-entity package targeting the A7 sanctions-evasion network. UK sanctions impose full asset freezes, Regulation 17A correspondent banking prohibitions, and internet access restrictions — representing the first application of banking-style sanctions to crypto exchanges under the UK Russia sanctions regime. Georgian courts separately convicted individuals connected to the fictitious registration scheme used to incorporate both entities, with the alleged organizer receiving a 9-year sentence in April 2026.

Dolomite is a decentralized money market and trading protocol originally launched on Ethereum in 2019 and migrated to Arbitrum in 2022. The protocol suffered a $1.8 million exploit in March 2024 due to a reentrancy vulnerability in a legacy 2019 Ethereum contract. The platform drew significant controversy in 2026 when Trump-affiliated World Liberty Financial (WLFI) used 5 billion WLFI tokens as collateral to borrow $75 million on Dolomite — a platform co-founded by WLFI's own chief technology officer — driving USD1 pool utilization to 93% and trapping ordinary depositors.

Grand Base was a decentralized real-world asset (RWA) synthetic trading protocol launched on Coinbase's Base layer-2 blockchain in early 2024. On April 15, 2024, the protocol suffered a critical security incident in which its deployer wallet was compromised, allowing an attacker to mint approximately 32.5 million unauthorized GB tokens and drain roughly $2 million in liquidity. The GB token subsequently lost over 99% of its value; no verified recovery or compensation plan has been confirmed, and the project's long-term operational status remains uncertain.

Super Sushi Samurai (SSS) is a Telegram-based blockchain game launched on the Blast layer-2 network in March 2024. On March 21, 2024 — four days after launch — a critical infinite-mint vulnerability in the SSS token contract was exploited, draining approximately $4.6–4.8 million (1,310 ETH) from its liquidity pool and causing the token to lose over 99% of its value. The attacker claimed to be a white-hat actor, and most funds were returned minus a 5% bounty; however, approximately 40 ETH were separately stolen by a distinct black-hat actor and the failed audit by Verichains raises material security governance concerns.

An ongoing phishing campaign impersonates Jupiter Exchange (Solana DEX aggregator) by airdropping counterfeit tokens labeled '$CJUP' directly into Solana wallets, then directing recipients to wallet-draining websites that automatically empty connected wallets. First documented in early 2024 and still active as of May 2026, the campaign exploits the widespread recognition of Jupiter's legitimate annual 'Jupuary' airdrop program, which has distributed over $1 billion in real $JUP tokens since 2024.

SKP (SKIPPY) is a BEP-20 token on BNB Smart Chain deployed in October 2021 and originally presented as a utility token for an Australian e-commerce and travel business. On May 27, 2026, blockchain security firm TenArmor detected an active exploit draining approximately $212,000 from SKP-linked liquidity pools across PancakeSwap, Venus, and Lista DAO on BNB Chain, with the attacker exiting with approximately 162,854 BSC-USD and 74.877 BNB. As of the date of this investigation, the root cause of the exploit is unconfirmed, no official post-mortem or team response has been issued, and the token exhibits extreme supply concentration and no active trading volume.

XBridge is a cross-chain bridge protocol built by SaitaChain (formerly Saitama Inu), designed to connect Ethereum Mainnet and BNB Chain. On April 24, 2024, the protocol suffered a $1.44 million exploit caused by a critical access-control vulnerability in its smart contracts, with stolen funds subsequently routed through Tornado Cash. The parent company, Saitama LLC, faces U.S. federal charges of wire fraud and market manipulation, with CEO Manpreet Kohli arrested in the UK in October 2024 and facing extradition proceedings.

Velocore V2 was a ve(3,3) decentralized exchange (DEX) deployed on the Linea and zkSync Era layer-2 blockchains. On June 2, 2024, the protocol suffered a critical smart contract exploit that drained approximately $6.8 million in ETH from its volatile liquidity pools. The attacker laundered stolen funds through Tornado Cash, no recovery was achieved, and the team subsequently announced a treasury liquidation rather than a protocol relaunch.

ALEX (Automated Liquidity Exchange) is a decentralized finance protocol built on the Stacks blockchain, designed to bring DeFi capabilities to Bitcoin. The protocol has suffered two major security exploits: a $4.3 million hack in May 2024 attributed to North Korea's Lazarus Group via a private key compromise of its XLink bridge, and an $8.3 million exploit in June 2025 caused by a smart contract access control vulnerability. In both cases, ALEX Lab Foundation pledged full user reimbursement, though partial recovery of 2024 stolen funds remained ongoing as of mid-2025, and the native ALEX token has declined approximately 99.9% from its all-time high.

Pike V1 (also known as Pike Beta) was a cross-chain DeFi lending protocol built by Nuts Finance that suffered two smart contract exploits within four days in April 2024, resulting in approximately $1.98 million in user losses. A vulnerability identified by auditing partner OtterSec prior to launch was never remediated, and a subsequent botched patch introduced even more severe vulnerabilities. The project's October 2024 token generation event further damaged investor trust after the team launched the $P token with only $10,000 in initial liquidity despite having raised $6.45 million in a presale.

Bitcoin Latinum (LTNM) is a cryptocurrency token launched in 2020 by Donald G. Basile through his companies GIBF GP, Inc. and Monsoon Blockchain Corporation. In April 2026, the U.S. Securities and Exchange Commission charged Basile with orchestrating a $16 million investor fraud scheme, alleging he raised funds through Simple Agreements for Future Tokens (SAFTs) using fabricated insurance coverage claims and nonexistent asset-backing structures, then diverted millions to personal expenses. The token, which peaked near $9,336 in December 2021, has since collapsed to near zero, and multiple civil lawsuits from defrauded investors preceded the SEC action.

YOLO Games is an on-chain gambling platform built on the Blast Layer 2 network, offering high-risk games such as YOLO, Moon or Doom, and Poke the Bear, with a native $YOLO token as its reward mechanism. In June 2024, an access control vulnerability in a third-party Liquidity Bootstrapping Pool (LBP) contract was exploited, resulting in the extraction of approximately $1.387 million, of which 90% was subsequently returned by the attacker acting as a whitehat. The $YOLO token has since collapsed approximately 99.6% from its all-time high and the protocol shows near-zero fee activity as of 2025-2026, suggesting severe user attrition or effective abandonment.

ParaSpace Lending V1 was an Ethereum-based cross-margin NFT and fungible token lending protocol launched in December 2022. In March 2023, a price manipulation exploit targeting the AutoCompoundApe contract nearly drained $5 million (2,909 ETH) from the protocol; blockchain security firm BlockSec intervened in a white-hat operation to recover the funds. In May 2023, a separate internal governance crisis erupted when over 19 team members accused CEO Yubo Ruan of misappropriating approximately 1,454.5 ETH (~$2.7M) from the recovered funds, allegations Ruan denied. The protocol subsequently rebranded through a merger with Parallel Finance, forming ParaX in August 2023, while the original V1 contracts were wound down and remain at minimal TVL as of 2026.

CoinStats is an Armenian-founded cryptocurrency portfolio tracking application with approximately 1.5 million users, founded in 2017 by Narek Gevorgyan. On June 22, 2024, the platform suffered a significant security breach in which 1,590 internally-hosted wallets were compromised and approximately $2.2 million in cryptocurrency was stolen, with attribution pointing to North Korea's Lazarus Group. The platform has since rebuilt its infrastructure and restored operations, but no confirmed compensation program for affected users has been publicly documented.

Holograph is an omnichain tokenization protocol that enables cross-chain asset transfers, launched in 2022 by CXIP Labs with $6.5 million in seed funding. On June 13, 2024, a former technical contractor exploited admin-level access to the protocol's operator contract to mint 1 billion unauthorized HLG tokens worth approximately $14.4 million, crashing the token price by over 80%. Four suspects were subsequently arrested in Italy and extradited to France, where criminal proceedings are ongoing; approximately 80% of stolen tokens were reported recovered by law enforcement.

Orion Pools is the automated market maker (AMM) and liquidity pool component of Orion Protocol, a DeFi liquidity aggregator founded in 2018 by Alexey Koloskov. On February 2, 2023, the protocol suffered a $3 million reentrancy exploit targeting its core exchange contract across Ethereum and BNB Chain, with stolen funds subsequently laundered through Tornado Cash. The project later rebranded to Lumia in late 2024, pivoting from a liquidity aggregator to a Layer 2 blockchain.

An industrial-scale pattern of fraud on the Solana blockchain exploits the Token-2022 Permanent Delegate extension, a legitimate feature that grants a mint-level authority the unconditional ability to burn or transfer any holder's tokens without their signature. First publicly documented in September 2024 by a Jupiter Core Working Group member, the exploit has since scaled into an automated rug pull factory pattern where scammers burn victim tokens seconds after purchase. RugCheck.xyz identifies the Permanent Delegate extension as a significant risk indicator on a substantial fraction of newly launched Solana tokens.

Dough Finance was an Ethereum-based DeFi lending and margin-trading protocol co-founded by Chase Herro and Zachary Folkman. On July 12, 2024, the protocol was exploited via a flash loan attack that drained approximately $2.1–2.5 million in user funds due to unvalidated calldata in its ConnectorDeleverageParaswap smart contract. The protocol's website is shut down, the vast majority of the approximately 2,700 affected users have received no meaningful compensation, and the co-founders have since launched World Liberty Financial alongside Donald Trump, earning an alleged $65 million in revenues from that new venture.

Rho Markets is a DeFi lending protocol (Compound V2 fork) deployed on Scroll, an Ethereum Layer 2 ZK-rollup network. On July 19, 2024, a misconfigured price oracle allowed an MEV bot to extract approximately $7.6 million in user funds; the operator voluntarily returned all funds after demanding a public acknowledgment of the misconfiguration. Despite full fund recovery, the protocol's TVL collapsed to near-zero and remains essentially inactive as of 2026.

LI.FI is a Berlin-based cross-chain bridge and DEX aggregation protocol founded in 2021 by Philipp Zentner and Max Klenk. The protocol has suffered two significant smart contract exploits — a $600,000 loss in March 2022 and an $11.6 million loss in July 2024 — both stemming from the same class of arbitrary-call vulnerability, prompting criticism from security researchers that lessons were not learned. Separately, blockchain investigator ZachXBT alleged in June 2025 that North Korean (DPRK) actors accounted for an estimated 15–25% of the protocol's volume during May 2025, using LI.FI to launder funds from the Bybit hack.

Minterest (formerly using the MNT token, later rebranded to MINTY) was a cross-chain DeFi lending and borrowing protocol founded by Josh Rogers and incorporated as Minterest Labs OÜ in Estonia. The protocol suffered a $1.4 million reentrancy exploit on July 14, 2024 — in a market that went live without a completed security audit — and subsequently announced the sunsetting of all operations in November 2025, explicitly stating that hack victims would receive no refund or token compensation as part of the wind-down.

Transit Finance (also known as Transit Swap) is a cross-chain DEX aggregator supporting over 122 decentralized exchanges across Ethereum, BNB Chain, TRON, Solana, Polygon, and other networks. The protocol has suffered two confirmed security exploits: a $28.9 million hack in October 2022 due to an arbitrary external call vulnerability in its routing contract, with approximately $18.9 million recovered; and a second $1.88 million exploit in May 2026 via a deprecated TRON smart contract that remained on-chain and exploitable years after official deprecation. ZachXBT flagged the protocol amid broader DeFi monitoring, and the 2022 attacker routed funds through OFAC-sanctioned Tornado Cash.

Elijah Armstrong (21), Nino Chindavanh (21), and Jayden Rucker (25), all from the Nashville, Tennessee area, were federally indicted on March 31, 2026 in the Northern District of California for a violent cryptocurrency robbery and kidnapping spree carried out across the San Francisco Bay Area and Los Angeles between November 22 and December 31, 2025. The three men allegedly posed as delivery workers to gain entry into victims' homes, then used firearms, duct tape, and zip ties to restrain and assault victims before forcing cryptocurrency transfers; in at least one documented incident, $6.5 million in digital assets was transferred at gunpoint. All three defendants remain in federal custody without bond.

DeltaPrime is a decentralized leveraged farming and lending protocol deployed on Arbitrum and Avalanche. The protocol suffered two major security exploits in 2024 — a $5.98 million private key compromise in September and a $4.8 million smart contract vulnerability in November — totaling over $10.7 million in losses. On-chain investigator ZachXBT alleged that DeltaPrime had previously employed North Korean IT workers with alleged ties to the DPRK-linked Lazarus Group, raising concerns about insider access as a contributing factor to the first exploit.

Rubic is a cross-chain DEX aggregator founded in 2020 by Vladimir Tikhomirov and Alexandra Korneva, supporting swaps across 90+ blockchains. The protocol suffered two significant security incidents within two months in late 2022: a private key compromise in November that drained approximately $1.2 million in RBC tokens, followed by a smart contract exploit on December 25, 2022 that stole roughly $1.4 million in user USDC. Both events caused severe token price collapses, though the platform subsequently implemented new security architecture and remained operational into 2025.

Kokomo Finance was a purported non-custodial lending and borrowing protocol launched on the Optimism blockchain on March 25, 2023. Within approximately 24 hours of launch, its developers executed a deliberate exit scam, stealing approximately $4 to $4.5 million in user funds through smart contract manipulation. The project was subsequently linked by on-chain investigator ZachXBT to a serial scam ring responsible for over $20 million in losses across multiple DeFi protocols.

MonoSwap is a decentralized exchange (DEX) and launchpad built on the Blast L2 network that launched in late February 2024. On July 24, 2024, the protocol was compromised via a social engineering attack in which a developer was tricked into installing infostealer malware disguised as a video conferencing app, allowing attackers to drain approximately $1.3 million in staked liquidity. The stolen funds were subsequently laundered through Tornado Cash, and the protocol has remained largely inactive with negligible TVL since the incident.

Terra 2.0 (LUNA) is a replacement blockchain launched in May 2022 by Terraform Labs following the catastrophic collapse of the original Terra network and its algorithmic stablecoin TerraUSD (UST), which erased approximately $40–60 billion in market value in one week. The project's founder, Do Kwon, was arrested in March 2023, found liable for securities fraud in a U.S. civil trial in April 2024, pleaded guilty to wire fraud and conspiracy in August 2025, and was sentenced to 15 years in federal prison in December 2025. Terraform Labs itself filed for Chapter 11 bankruptcy in January 2024 and received court approval to wind down operations by September 2024, leaving Terra 2.0 as a severely diminished chain with minimal developer activity and an approximately 79% year-over-year decline in token value.

Wasabi Protocol is a decentralized perpetual futures and leverage trading protocol founded in 2022, enabling users to trade memecoins, NFTs, and other long-tail assets with leverage on Ethereum, Base, Blast, and Berachain. On April 30, 2026, the protocol suffered a critical exploit in which an attacker compromised the deployer EOA private key (wasabideployer.eth), granted ADMIN_ROLE to a malicious orchestrator contract with zero timelock delay, and executed UUPS proxy upgrades across all four chains to drain approximately $5.9 million in user funds. The stolen assets were subsequently consolidated into ETH and routed through Tornado Cash across five attacker wallets.

Poly Network was a cross-chain interoperability protocol launched in August 2020 by Neo, Ontology, and Switcheo. It suffered two major security breaches: a $610 million exploit in August 2021 (the largest DeFi hack at the time, with funds ultimately returned) and a second exploit in July 2023 in which attackers minted billions in notional value of tokens, extracting an estimated $10–20 million in real assets. The protocol permanently terminated all services on September 30, 2024.

Onyx Protocol is a Compound Finance fork and DeFi lending platform on Ethereum that launched a V2 iteration in 2024 following two devastating exploits — one in November 2023 ($2.1M) and a second in September 2024 ($3.8M) — both exploiting the same known vulnerability in the Compound V2 codebase. After the second hack, the community voted to shut down the Ethereum lending market and relaunch as Onyx Core; V2 targeting compliance with the U.S. CLARITY Act launched in Q3 2025 on a new XCN Ledger infrastructure. Total confirmed losses across both exploits exceed $5.9 million.

uniBTC is a synthetic Bitcoin liquid restaking token issued by Bedrock protocol, enabling wBTC holders to earn BTC-native yield via the Babylon staking protocol while retaining liquidity. In September 2024, a critical minting vulnerability in multiple uniBTC vault smart contracts across eight blockchains was exploited for approximately $2 million after a third-party security firm disclosed the flaw hours before the attack. Post-incident forensics by Fuzzland, disclosed in June 2025, attributed the exploit to an insider threat — a former employee who embedded malware into Fuzzland's internal codebase and used privileged access to execute the attack; Bedrock has since integrated Chainlink Proof of Reserve and expanded to multiple new chains.

Banana Gun is a Telegram-based crypto trading bot launched in 2023 that allows users to snipe token launches on EVM chains and Solana. The project has experienced two major security incidents: a smart contract bug at token launch in September 2023 that caused the BANANA token to crash 99.7%, and a $3 million exploit in September 2024 in which attackers leveraged a Telegram message oracle vulnerability to drain 11 users. Separate, unresolved allegations from on-chain researchers claim the team arranged an exclusive order flow deal with block builder Titan that funneled millions of dollars in user bribe payments away from Ethereum validators.

Level Finance (also marketed as Level Perps) is a decentralized perpetual derivatives exchange that launched on BNB Chain in Q4 2022 and later expanded to Arbitrum. In May 2023 the protocol suffered a $1.1 million exploit caused by a logic bug in its referral reward contract that was missed by two prior security audits. The protocol's LVL token has declined approximately 99.9% from its all-time high, and as of 2025-2026 the protocol shows near-zero TVL ($32K), zero fees, and zero revenue, indicating effective dormancy.

TAC Protocol is an EVM-compatible Layer-1 blockchain built on Cosmos SDK that bridges Ethereum DeFi applications to the TON blockchain and Telegram ecosystem. On May 12, 2026, its cross-chain bridge was exploited for approximately $2.86 million — the protocol's entire TVL at the time — due to missing validation in sequencer software that allowed attackers to forge Jetton wallets. The attacker subsequently accepted a 10% white-hat bounty, returning roughly 90% of stolen funds to TAC's multisig; the bridge remains paused pending an independent security audit as of late May 2026.

CrossCurve Bridge is a cross-chain liquidity protocol formerly known as EYWA, built in partnership with Curve Finance and backed by Curve founder Michael Egorov. On February 2, 2026, the protocol was exploited for approximately $3 million after attackers discovered that its ReceiverAxelar smart contract failed to validate the origin of cross-chain messages, allowing fabricated instructions to drain PortalV2 contracts across multiple networks. The team invoked a SafeHarbor WhiteHat policy offering a 10% bounty, while threatening legal escalation if funds were not returned within 72 hours.

XT Exchange (XT.com), founded in 2018 and registered in Seychelles, is a centralized cryptocurrency exchange that has been flagged by multiple regulatory authorities — including the UK FCA, Dubai VARA, Thailand SEC, and the Seychelles FSA — for operating without proper licensing. The exchange suffered a $1.7 million hot wallet exploit in November 2024 due to a compromised private key, and has accumulated substantial user complaints alleging unjustified account freezing, asset seizure, and blocked withdrawals. Independent analysis has also raised concerns about inflated trading volumes and inadequate proof-of-reserves transparency.

Moby Trade (moby.trade) is an on-chain options protocol built on Arbitrum and Berachain, launched in 2024 and backed by an Arbitrum Foundation grant. On January 8, 2025, the protocol suffered a critical security breach when a private key controlling proxy admin contracts was compromised, resulting in approximately $2.5 million in user funds being drained; roughly $1.5 million was subsequently recovered through an intervention by the SEAL911 security team. The protocol resumed operations after the incident and expanded to Berachain mainnet in February 2025, but the unrecovered ~$1 million in ETH and WBTC was routed through privacy mixers including Railgun and Tornado Cash, leaving those funds effectively unrecoverable.

Sirio Finance is a DeFAI lending and borrowing protocol built on the Hedera blockchain that launched on January 27, 2025 and suffered a flashloan exploit on February 1, 2025, resulting in an estimated $2–3 million in stolen funds. The exploit occurred within five days of mainnet launch, with post-incident analysis indicating the vulnerability was introduced when the team followed an audit directive from QuillAudits to remove a reentrancy guard from the protocol's smart contracts. The protocol's TVL collapsed to near zero following the hack, and no confirmed recovery of stolen funds or full user compensation has been publicly documented.

Sunray Finance was a perpetual-trading DEX protocol on Arbitrum that suffered a critical exploit on October 30, 2024, resulting in approximately $2.7–2.9 million in losses. An attacker — using what the team attributed to a compromised private key — upgraded the protocol's management contract and minted 200 sextillion SUN tokens, then swapped a portion for USDT before the token price collapsed to zero. The project website subsequently went offline with no confirmed fund recovery, and the protocol's pre-exploit marketing included unverified claims of SoftBank backing and unsustainable 299% annual yield promises.

CATFI is a Solana-based memecoin launched in early 2025 via Pump.fun that was the subject of a coordinated rug pull orchestrated by a South Korean operator known online as 'Eth Father,' identified by prosecutors only as Mr. Park. The scheme artificially inflated the token 1,001-fold within 26 hours before a mass exit drained investor funds, causing approximately 900 million KRW (~$600,000) in losses across at least 256 victims. In May 2026 the Seoul Southern District Prosecutors' Office charged five individuals, marking South Korea's first criminal prosecution of a decentralized-exchange rug pull under the Virtual Asset User Protection Act.

Superteam (formerly SuperteamDAO) is a Solana Foundation-backed talent network and ecosystem growth organization founded in 2021, operating 23+ regional chapters globally. It runs Superteam Earn, an open-source bounty and grant platform, and facilitates community earnings exceeding $1.7 million across the Solana ecosystem. No confirmed fraud, regulatory actions, or security exploits have been identified; primary risk factors relate to its dependency on Solana Foundation funding and the inherent volatility of the broader Solana ecosystem.

Ionic Protocol (also known as Ionic Money) is a decentralized non-custodial lending and borrowing protocol deployed on the Mode Network (OP Superchain). It is a rebrand of Midas Capital, which suffered two separate exploits in 2023 totaling approximately $1.26 million. In February 2025, Ionic itself was exploited via a social engineering attack involving a counterfeit LBTC token, resulting in losses estimated between $8.6 million and $12.3 million; funds were partially laundered through Tornado Cash and have not been recovered.

Venus Core Pool is the primary lending market of Venus Protocol, the largest decentralized money market on BNB Chain. The protocol has accumulated over $112 million in cumulative losses across at least five separate security incidents since 2021, including oracle manipulation, a phishing attack draining $27 million from the Core Pool itself in September 2025, and a donation-attack exploit in March 2026 that left $2.15 million in unrecoverable bad debt. A critical vulnerability flagged during a 2023 Code4rena security audit was dismissed by the development team and subsequently exploited twice.

KiloEx is a decentralized perpetual futures exchange (DEX) backed by YZi Labs (formerly Binance Labs), deployed across opBNB, Base, BNB Chain, Taiko, and other networks. In April 2025, the platform suffered a $7.5–8.44 million oracle price manipulation exploit caused by an access control vulnerability in its TrustedForwarder contract; the attacker subsequently returned all stolen funds within 3.5 days after accepting a $750,000 white-hat bounty. The platform relaunched on April 24, 2025 after a partial security audit, with a full comprehensive audit still pending at that time.

zkLend was a decentralized money-market lending protocol built on Starknet (Ethereum Layer 2), founded in 2022 by Brian Fu and Jane Ma and backed by Delphi Digital, Three Arrows Capital, and StarkWare. On February 11–12, 2025, the protocol suffered a critical flash-loan exploit that drained approximately $9.57 million in user funds through manipulation of the lending_accumulator variable and precision-loss rounding errors. The protocol permanently ceased operations in June 2025, allocating a $200,000 treasury remnant to a user recovery fund — leaving the vast majority of affected users uncompensated.

Zoth is a Dubai-based real-world asset (RWA) restaking protocol and the issuer of ZeUSD, a CDP-style stablecoin backed by tokenized fixed-income assets including U.S. T-Bills and ETFs. In March 2025, the protocol suffered two separate security incidents within three weeks: a $285,000 logic-flaw exploit on March 1 and a critical $8.4–8.85 million admin key compromise on March 21, the latter resulting in the theft of 8.85 million USD0++ tokens. The stolen funds remain largely unrecovered as of mid-2025, with Zoth offering a $500,000 bounty and engaging Crystal Blockchain BV for forensic investigation.

Trifleck is a shell company with no verifiable business registration used as a front in an active LinkedIn-based malware campaign targeting crypto and Web3 developers, first publicly disclosed in May 2026. The campaign delivers a malicious 'pre-interview code review' ZIP file containing infostealers after recruiters posing as Trifleck employees contact developers with frontend job offers. The attack pattern, infrastructure, and malware families are consistent with tactics attributed by Microsoft, Mandiant, Palo Alto Unit 42, and the FBI to DPRK-aligned threat actors operating under the cluster known as Contagious Interview.

ZKsync is an Ethereum Layer 2 scaling protocol built on zero-knowledge rollup technology, developed by Matter Labs, which has raised approximately $458 million in venture capital. The protocol has faced multiple significant controversies including a $5 million airdrop contract exploit in April 2025, a contentious 2024 token airdrop marred by sybil attack failures and community backlash, a South Korean regulatory probe into alleged price manipulation, compromised social media accounts spreading false SEC investigation claims, and an intellectual property theft lawsuit filed against Matter Labs by defunct firm BANKEX. User funds in the core protocol have not been directly compromised, but the pattern of incidents has substantially eroded community trust.

Mobius Token (ticker: MBU) is a DeFi token that operated on BNB Chain. On May 11, 2025, an attacker exploited a critical decimal-precision bug in the project's unaudited smart contract, minting approximately 9.73 quadrillion MBU tokens with a deposit of only 0.001 BNB and draining $2.15 million in USDT from the protocol's liquidity pools. The stolen funds were laundered through Tornado Cash, no official team response was issued, and no funds have been recovered.

SushiSwap is a decentralized exchange (DEX) and DeFi protocol launched in August 2020 as a fork of Uniswap, offering an automated market maker (AMM), governance token (SUSHI), and multi-chain liquidity pools. The protocol has endured a series of serious controversies spanning its entire history: a founding exit-scam attempt by anonymous creator Chef Nomi, early operational control handed to convicted fraudster Sam Bankman-Fried, an SEC subpoena issued to the protocol and its CEO in 2023, a $3.3 million smart contract exploit the same year, allegations that North Korean IT workers were embedded in its developer team, disputed DAO treasury centralization in 2024, and a governance process in late 2025 where a single wallet controlled 99.9% of a vote. TVL has declined approximately 98.7% from its 2022 peak of over $8 billion to roughly $100 million as of late 2025.

Bitcoin Mission is an entity that has been flagged by on-chain investigator ZachXBT, though the specific nature, founding, and full scope of the entity could not be independently verified through publicly available Tier 1 or Tier 2 sources at the time of this investigation. Multiple unrelated legitimate entities share the name 'Bitcoin Mission' (including a Christian-focused Bitcoin podcast and a GitHub organization), making disambiguation difficult. The trust score of 25 reflects the ZachXBT flag combined with the absence of verifiable public transparency about the entity.

LND (lnd.fi) was a non-custodial, multichain DeFi lending protocol built on Sonic (a high-performance EVM chain) as a fork of Aave V3. On May 9, 2025, the protocol was drained of approximately $1.27–1.42 million by a developer who gained Pool Admin credentials and introduced a malicious access control modification 41 days before executing the exploit; the official postmortem attributed the attacker to a DPRK (North Korea) IT worker embedded in the team under false pretenses. As of mid-2025, the lnd.fi domain is no longer operated by the team and appears listed for resale, indicating the protocol ceased operations following the incident.

Between September 2025 and May 2026, a solo Russian-speaking threat actor operating under the handle 'bandcampro' conducted a sustained AI-assisted fraud and credential-theft campaign targeting MAGA and QAnon communities to steal cryptocurrency. The actor deployed a jailbroken Google Gemini CLI — with safety guardrails persistently disabled via a GEMINI.md context injection file — as the operational backbone of an automated social engineering, influence operation, and hacking pipeline. The campaign is documented in a May 2026 Trend Micro research report titled 'Inside the 5-Year Influence and Fraud Patriot Bait Campaign.'

Kinto was a KYC-enforced Ethereum Layer 2 built on the Arbitrum Nitro stack, marketing itself as a 'safety-first' DeFi protocol with built-in AML and identity verification. On July 10, 2025, an attacker exploited a CPIMP proxy vulnerability in the $K token contract on Arbitrum, minting 110,000 unauthorized tokens and draining approximately $1.55–1.9 million from Uniswap V4 and Morpho Blue liquidity pools. Despite a partial recovery effort dubbed 'Phoenix,' the project announced shutdown effective September 30, 2025, as fundraising options collapsed and the team ran unpaid for months.

Texture Finance is a Solana-based decentralized lending protocol founded in 2021 and backed by $5 million in venture funding from P2P Capital, Sino Global Capital, Wintermute, and Jane Street Capital. In July 2025, a missing ownership check in its USDC vault smart contract allowed an attacker to steal approximately $2.2 million in user funds; the protocol negotiated a 10% greyhat bounty and recovered roughly $1.98 million. User withdrawals remained disabled following the exploit, and a formal repayment timeline had not been published as of mid-2025.

OlaXBT (ticker: AIO) is a BNB Smart Chain-based AI trading platform that raised $3.38 million in seed funding led by Amber Group and launched publicly in July 2025. The project suffered a confirmed multi-signature wallet breach on September 1, 2025 that resulted in the theft of approximately 32 million AIO tokens (estimated $2 million at the time), forcing an emergency token contract migration that several exchanges declined to support. Additional risk factors include extreme holder concentration (approximately 96% of supply held by two addresses per CertiK Skynet data), an anonymous founding team with unverifiable claimed credentials, and multiple exchange delistings citing security concerns.

ForceBridge is a cross-chain bridge operated by Magickbase on the Nervos Network (CKB), enabling transfers between Nervos and Ethereum and BNB Chain. On June 2, 2025, the bridge was exploited via an access control vulnerability — likely a compromised private key — resulting in approximately $3.7–3.9 million in user funds being stolen and laundered through Tornado Cash. The exploit occurred just one day after Magickbase announced the bridge's sunset, raising questions about the timing and origin of the attack.

Bitpapa IC FZC LLC is a UAE-registered peer-to-peer cryptocurrency exchange primarily serving Russian and CIS markets that has been sanctioned by three separate national jurisdictions: OFAC (March 2024), Ukraine (July 2025), and the UK FCDO (May 2026). Authorities allege the platform facilitated millions of dollars in transactions with OFAC-designated entities including Garantex and Hydra Market, employed systematic wallet rotation to evade transaction monitoring, and provided financial services to the A7 LLC network accused of moving over $90 billion into Russia's war economy. The platform has continued operating through multiple sanctions designations, illustrating the limits of unilateral enforcement against P2P fiat-on-ramps.

EXMO Exchange Limited is a UK-registered cryptocurrency exchange founded circa 2013 by Russian nationals Eduard Bark and Ivan Petukhovskiy. The exchange suffered a hot wallet hack in December 2020 losing approximately $10.5 million in user funds, faced multiple regulatory failures including a failed FCA registration and a UK ASA ruling for misleading advertising, and was sanctioned by the UK government on May 26, 2026 under Russia (Sanctions) (EU Exit) Regulations 2019 for alleged facilitation of Russian sanctions evasion via transactions with sanctioned entities Garantex, Grinex, and Chatex totaling over $19.5 million. Blockchain analysis by TRM Labs found that EXMO's claimed operational separation from its Russia-facing spinoff EXMO.me was not reflected in actual custodial wallet infrastructure.

Shibarium is a layer-2 blockchain built on Ethereum, launched in August 2023 as the scaling solution for the Shiba Inu (SHIB) ecosystem. The network has faced a series of significant incidents including a failed initial launch that trapped $1.7 million in bridged funds, a September 2025 flash loan exploit that drained approximately $4.1 million from its cross-chain bridge via validator key compromise, persistent rug pull activity on its DeFi layer, allegations of code plagiarism, and ongoing transparency concerns stemming from fully pseudonymous leadership. Shibarium initiated a novel NFT-based restitution program following the 2025 exploit but as of early 2026 the recovery path remained unresolved.

YO Protocol (yo.xyz), operated by YO Labs, is a San Francisco-based multi-chain DeFi yield optimization protocol founded by former Uber and Amazon executives and backed by Paradigm, Coinbase Ventures, and Foundation Capital with $24 million in total funding. Independent security research published in September 2025 identified significant centralization risks, MEV attack vectors, and EIP-4626 compliance gaps that existing audits had not fully addressed. No hacks, exploits, or regulatory actions have been publicly confirmed against the protocol; a claimed ZachXBT flag has not been corroborated by any findable public source as of May 2026.

CrossCurve (formerly EYWA) is a cross-chain DeFi liquidity protocol built in partnership with Curve Finance, backed by $8.5 million in funding including a seed round led by Curve founder Michael Egorov. On February 1-2, 2026, the protocol suffered a critical smart contract exploit in its ReceiverAxelar bridge contract, resulting in an estimated $3 million in user losses across multiple chains; confirmed liquid losses were approximately $1.44 million after exchange freezes limited attacker liquidation. A subsequent Hashlock audit of separate OFT messaging contracts in March 2026 found and resolved additional vulnerabilities, and the protocol has not publicly confirmed full fund recovery from the February exploit.

Moonwell is a decentralized, non-custodial lending and borrowing protocol deployed on Base, Optimism, Moonbeam, and Moonriver, operating as a fork of Compound v2. The protocol has suffered at least five distinct security incidents between 2022 and 2026, resulting in combined losses and bad debt exceeding $5 million, including repeated oracle failures, a flash loan exploit, a near-successful governance attack, and an AI-assisted smart contract misconfiguration. Despite multiple audits by Halborn and Code4rena, the pattern of recurring vulnerabilities and the removal of its Immunefi bug bounty program in early 2025 have raised significant security concerns.

TMX TRIBE (also marketed as Tribe DEX) is a decentralized perpetual futures exchange operating on Arbitrum and Optimism that launched its TMX token in mid-2025. On January 5-7, 2026, an attacker exploited a critical logic flaw in unverified, unaudited smart contracts to drain approximately $1.4 million in user funds over 36 hours, with stolen assets subsequently bridged to Ethereum and laundered via Tornado Cash. The team deployed no emergency pause during the attack, issued no public statement for days afterward, and produced no post-mortem or user compensation plan, raising serious concerns about operational competence and transparency. ZachXBT has flagged the entity.

Vortex, Antier Solutions Private Limited, and Contrarian are three cryptocurrency market-making firms whose executives were charged in federal indictments unsealed March 30, 2026 as part of Operation Token Mirrors, a joint FBI and IRS Criminal Investigation undercover sting. Ten foreign nationals across these three firms and Gotbit face allegations of systematic wash trading and pump-and-dump schemes, with three defendants extradited from Singapore to face charges in the Northern District of California. All defendants face up to 20 years imprisonment and fines of up to $250,000 per violation if convicted.

HyperVault (also known as HyperVaultFi, ticker @hypervaultfi) was a yield optimization protocol built on the Hyperliquid Layer 1 blockchain that marketed itself as a multichain DeFi hub offering APRs of up to 95%. On September 26, 2025, approximately $3.6 million in user funds were drained from the protocol, bridged to Ethereum, converted to approximately 752 ETH, and funneled into Tornado Cash; the team then deleted all social media accounts and the website went offline, in what blockchain security firm PeckShield and multiple crypto news outlets characterized as a rug pull. No founders have been publicly identified by name; at least one team member operated under the pseudonym 0xnick.

Raft is a decentralized Ethereum CDP lending protocol that issued the R stablecoin, collateralized by liquid staking tokens (stETH, rETH). On November 10, 2023, an attacker exploited a precision loss vulnerability to mint approximately $6.7 million in unbacked R tokens, draining 1,577 ETH from the protocol and causing the R stablecoin to depeg by up to 50%. Due to a coding error the attacker burned 1,570 of the stolen ETH to an inaccessible burn address, effectively losing money on the attack; the protocol subsequently implemented a partial recovery plan offering approximately 42% restitution to affected users and announced plans to phase out the current version.

Cover Protocol was a decentralized insurance marketplace on Ethereum, launched in November 2020 after a troubled rebrand from the failed SAFE token project. On December 28, 2020, a critical smart contract vulnerability in its Blacksmith farming contract allowed an attacker to mint approximately 40 quintillion COVER tokens and extract over $4 million in assets, crashing the token price by more than 97%. After a failed merger with Yearn Finance and the abrupt departure of core developers, the protocol permanently shut down on September 5, 2021, distributing remaining treasury funds to token holders.

Zunami Protocol is an Ethereum-based DeFi yield aggregator and stablecoin issuer (UZD, zETH) that suffered at least four separate security incidents between January 2023 and May 2025, losing a combined estimated $2.86 million or more in user funds. The protocol is notable for ignoring a prior warning from SlowMist before its largest smart contract exploit, and for a May 2025 incident in which an admin key compromise allegedly drained $500,000, with the team subsequently going silent for weeks and development activity having ceased months prior.

TempleDAO is a DeFi yield protocol launched on Ethereum in August 2021, designed to offer low-volatility, fractionally backed yields on deposited assets. On October 11, 2022, an associated staking product, STAX Finance, suffered a smart contract exploit due to missing access control on the migrateStake() function, resulting in approximately $2.34 million in stolen funds that were subsequently laundered through Tornado Cash. The core TempleDAO vaults were not directly compromised, but the team's anonymous structure and the unrecovered stolen funds remain notable risk factors.

NEAR Protocol is a layer-1 proof-of-stake blockchain founded in 2018 by Illia Polosukhin and Alexander Skidanov, with a focus on developer accessibility, sharding-based scalability, and — as of 2024 — chain abstraction and AI infrastructure. The protocol has a credible founding team, significant institutional backing ($542M+ raised), and a largely clean regulatory record, tempered by a disclosed wallet seed phrase breach in 2022, a contested governance decision in 2025, and ongoing validator centralization concerns.

Evita Investments Inc. and Evita Pay Inc. are U.S.-registered cryptocurrency payment companies founded by Iurii Gugnin, a Russian citizen residing in New York. In June 2025, Gugnin was charged in a 22-count federal indictment in the Eastern District of New York for allegedly funneling more than $530 million through U.S. banks and crypto exchanges on behalf of customers at sanctioned Russian financial institutions, in violation of U.S. sanctions law, export controls, and Bank Secrecy Act obligations. Gugnin subsequently pleaded guilty in April 2026 to a narrower set of charges and agreed to forfeit over $1.2 million.

A7A5 is a Russian ruble-pegged stablecoin launched in January 2025 and issued by Old Vector LLC, a Kyrgyzstan-based entity controlled by A7 LLC — a company co-owned by sanctioned Moldovan oligarch Ilan Shor and Promsvyazbank, a Russian state-owned bank serving the defense sector. The stablecoin operates on the Ethereum and TRON blockchains and logged over $93 billion in cumulative trading volume in its first year despite having no listing on any major centralized exchange. A7 LLC and Old Vector LLC have been designated by the United Kingdom, United States, European Union, and multiple allied governments for alleged facilitation of Russian sanctions evasion and support for Russia's military procurement infrastructure.

HTX, formerly Huobi Global, is one of the world's largest centralized cryptocurrency exchanges by trading volume, rebranded in September 2023 under the influence of TRON founder Justin Sun. On May 26, 2026, the UK Foreign, Commonwealth and Development Office designated Huobi Global S.A. — the Panama-registered legal entity behind the exchange — under Regulation 17A of the Russia (Sanctions) (EU Exit) Regulations 2019, making HTX the first major global crypto exchange to receive banking-style sanctions from UK authorities. Blockchain analytics firms TRM Labs and Elliptic documented over $4.9 billion in direct flows from HTX to sanctioned Russia-linked entities since 2021, and UK authorities allege the platform channeled over $1.5 billion to Russia through connections to previously sanctioned entities Garantex and the A7 payments network.

Delio was South Korea's first VASP-licensed cryptocurrency deposit and lending platform, founded in 2018 by CEO Jeong Sang-ho. In June 2023, the platform abruptly froze approximately $169–180 million in customer withdrawals affecting roughly 2,800 investors, citing market volatility linked to the concurrent collapse of sister-platform Haru Invest and cascading losses from the November 2022 FTX bankruptcy. A Seoul court declared Delio bankrupt on November 22, 2024, and prosecutors at Seoul Southern District Court demanded a 20-year prison sentence for Jeong Sang-ho in April–May 2026, with a first-instance verdict scheduled for July 16, 2026.

Gotbit Consulting LLC was a Belize-registered cryptocurrency market-making firm that operated a multi-year wash trading enterprise from 2018 to 2024. Founder and CEO Aleksei Andriunin pleaded guilty in March 2025 and was sentenced to eight months in prison in June 2025, with Gotbit ordered to forfeit approximately $23 million in seized cryptocurrency and to cease operations permanently. The firm was part of a broader DOJ enforcement sweep — Operation Token Mirrors — charging ten foreign nationals from four firms in the Northern District of California.

Punk Protocol was an Ethereum-based DeFi project that positioned itself as a decentralized annuity and pension service. On August 10, 2021, it suffered a critical smart contract exploit due to a missing access-control modifier in its CompoundModel contract, resulting in approximately $8.95 million in stablecoin losses; roughly $5 million was partially recovered via a white-hat frontrunner who retained a $1 million bounty. The project launched without a security audit, has published no meaningful updates since late 2021, and its PUNK token currently trades at effectively zero volume, indicating the project is dormant or abandoned.

Gym Network (GYMNET) is a Binance Smart Chain-based DeFi protocol launched in March 2022 that operates an affiliate investment scheme with hallmarks of a Ponzi structure, requiring continuous recruitment to sustain promised returns of up to 250% annually. The project was founded by Claudio Catrini, who has prior involvement in the OneCoin fraud, and suffered a $2.1 million smart contract exploit in June 2022. The GYMNET token has declined approximately 99.8% from its all-time high of $1.90 to under $0.004 as of 2026.

Arena SocialFi (originally Stars Arena, rebranded to The Arena) is an Avalanche-based SocialFi platform launched September 2023. The platform suffered a critical reentrancy exploit on October 7, 2023, losing approximately $2.9 million in AVAX; it subsequently recovered ~90% of stolen funds via a bounty agreement. Following the hack, the original team dissolved and the platform was acquired and rebuilt under new leadership, launching the ARENA token in 2024 and raising $2 million in pre-seed funding.

MM Finance (also known as Mad Meerkat Finance) was the largest decentralized exchange on the Cronos blockchain. On May 4, 2022, the protocol suffered a frontend compromise in which an attacker injected a malicious router contract address, redirecting approximately $2 million in user funds to the attacker's wallet over roughly three hours. The stolen funds were laundered via Tornado Cash and routed through OKX; the team pledged reimbursement via trading fee airdrops, though full recovery of stolen assets was not confirmed. The MMF token subsequently lost approximately 99.9% of its value from its April 2022 all-time high.

Slope Wallet (Slope Finance) was a Solana-based mobile cryptocurrency wallet that suffered a catastrophic security breach on August 2, 2022, in which over 9,200 wallets were drained of approximately $4–8 million in assets due to the app transmitting users' unencrypted seed phrases to a third-party telemetry service (Sentry). The root cause was a severe security misconfiguration by Slope Finance, in which the mobile application logged plaintext private key material without proper scrubbing. No formal victim compensation was established, the team declined to publicly accept responsibility, and founder Leal Cheung subsequently launched a new project (zkME) without resolution for affected users.

Concentric (Concentric.fi) was an automated liquidity management protocol built on Camelot v3 on the Arbitrum network, offering vault-based yield optimization for concentrated liquidity positions. On January 22, 2024, the protocol suffered a critical security breach when a team member's deployer wallet was compromised through a targeted social engineering attack, resulting in approximately $1.85 million in losses and a 57% crash in the CONE token price. The protocol was subsequently halted entirely, and blockchain forensics firm CertiK linked the exploiter's wallets to prior incidents targeting OKX, UnoRe, and LunaFi, suggesting a sophisticated and recurring threat actor.

OKX DEX is the decentralized exchange aggregator operated by OKX (Aux Cayes FinTech Co. Ltd.), one of the world's largest centralized crypto exchanges. In December 2023, the DEX suffered a ~$2.7 million exploit caused by a suspected private key leak and a centralized proxy upgrade mechanism with no multi-signature protection. The broader OKX entity has faced severe regulatory sanctions including a $504 million U.S. DOJ settlement in February 2025 for operating an unlicensed money-transmitting business and facilitating over $5 billion in suspicious transactions, a €1.1 million Malta AML fine, and repeated scrutiny over its DEX aggregator being used by North Korea's Lazarus Group to launder stolen funds from the $1.5 billion Bybit hack in early 2025.

Blueberry Protocol is an Ethereum-based decentralized leveraged yield farming and prime brokerage protocol developed by Composable Corp. In February 2024, the protocol suffered a significant exploit caused by an oracle misconfiguration that allowed a flash loan attacker to drain approximately 457.7 ETH (~$1.35M) from three lending markets; most funds were rescued by white hat MEV operator c0ffeebabe.eth but ~91 ETH (~$265,000) was permanently lost to validator payments. Despite completing multiple Sherlock and Hacken audits and raising $2.5M in a June 2024 Series A, the protocol's security track record and history of audit findings raise material concerns for prospective users.

Bondly Finance is a DeFi and NFT protocol launched in September 2020 that suffered a major exploit on July 14-15, 2021, in which 373 million BONDLY tokens were minted via owner-level credentials and sold into liquidity pools, causing an 82% token price collapse and approximately $5.9-7.5 million in losses. The exploit originated from the protocol owner's address, prompting blockchain security firm PeckShield to allege a potential rug pull, though the team attributed it to compromised credentials belonging to CEO Brandon Smith. Following acquisition by Animoca Brands in September 2021 and a rebrand to Forj in May 2022, the project has undergone significant leadership changes; the original founder departed under a cloud of unresolved questions about the exploit's true origin.

Crema Finance is a Solana-based concentrated liquidity market maker (CLMM) DEX protocol that launched in January 2022. On July 2, 2022, the protocol suffered a critical exploit in which an attacker used a fake tick account and flash loans to drain approximately $8.78 million from multiple liquidity pools. Following on-chain negotiations, the attacker returned roughly $7.1 million and retained approximately $1.68 million as an agreed white-hat bounty; Crema subsequently issued a CRM token compensation plan for affected users and submitted a revised codebase for re-audit by SlowMist before reopening.

Syndicate Labs was an a16z-backed Ethereum rollup infrastructure company founded in 2021 by Will Papper and Ian Lee, raising over $28 million to build programmable smart sequencers and the Commons Chain L3. On April 29, 2026, its Commons cross-chain bridge was exploited via a compromised private key stored without multisig or hardware-signing protection, draining approximately 18.5 million SYND tokens (~$330,000) plus ~$50,000 in user funds; all affected users were subsequently made whole from treasury reserves. On May 21, 2026, the company announced a full wind-down, citing irrecoverable consolidation of the rollup market around Base and Arbitrum, causing SYND to fall to an all-time low of $0.01061.

WOOFi Swap is a decentralized exchange (DEX) built by WOO Network, operating on 12+ blockchain networks including Arbitrum, Avalanche, and Optimism, and using a proprietary synthetic Proactive Market Maker (sPMM) algorithm. On March 5, 2024, the protocol suffered a critical oracle manipulation exploit on Arbitrum in which an attacker used flash loans to manipulate WOO token pricing to near zero, stealing approximately $8.75 million; funds were not recovered. The parent platform WOO X also suffered a separate $14 million phishing-linked breach in July 2025 attributed to North Korean state-sponsored threat actors, compounding the ecosystem's security record.

1inch is a decentralized exchange (DEX) aggregator and liquidity protocol founded in 2019 by Sergej Kunz and Anton Bukov, operating across Ethereum and multiple EVM-compatible chains. The platform has experienced a series of security incidents between late 2024 and mid-2025, including a front-end supply chain attack, a private key compromise, a $5 million Fusion v1 resolver exploit, and a separate $5.87 million attack on a partner resolver — raising questions about operational security and smart contract lifecycle management. Additional concerns include alleged connections between co-founder Anton Bukov and the Russian FSS Academy, governance centralization risks, and sustained token value erosion since the 2021 peak.

GemPad is a multi-chain no-code token launchpad and crowdfunding platform operating primarily on BNB Smart Chain, Ethereum, and Base, launched around 2021. On December 17, 2024, a reentrancy vulnerability in its LP Locker V2 smart contract was exploited across three chains, draining approximately $1.9–$2.2 million in locked liquidity from at least 27 dependent projects. Stolen funds were routed through Tornado Cash, and GemPad issued no public compensation plan for affected projects.

Solareum was a Solana-based Telegram trading bot that shut down on March 30, 2024 following a security exploit that drained approximately $523,000 (2,800+ SOL) from over 300 user wallets. Prosecutors later revealed in a January 2025 court filing that the Solareum team had unknowingly hired a North Korean (DPRK) developer in December 2023, who subsequently facilitated the theft of 6,045 SOL worth roughly $1.4 million; the FBI seized approximately $950,000 in USDT two months after the hack. The project offered no compensation to victims, deleted its website and community channels, and is no longer operational.

ETHTrustFund (ticker: ETF) was a decentralized autonomous organization (DAO) built on Coinbase's Base layer-2 network that marketed itself as an OHM (Olympus DAO) fork and decentralized crypto hedge fund. On July 20, 2024, the pseudonymous lead developer known only as 'Peng' drained approximately 607 ETH (worth ~$2.1–2.2 million) from the project treasury and laundered the funds through the privacy protocols Tornado Cash and Railgun before disappearing entirely. ZachXBT has flagged this entity as a fraudulent project. The project's website, Twitter, and Telegram accounts were permanently deleted following the exit.

bandcampro is a Russian-speaking threat actor who operated an 8-month AI-assisted crypto theft and influence campaign (September 2025–May 2026) via the Telegram channel @americanpatriotus, which had accumulated roughly 17,000 subscribers over a five-year run beginning February 2021. The actor distributed a trojanized self-custody wallet called StellarMonster that deployed the GoToResolve remote access tool, enabling seed phrase harvesting and full wallet compromise. A jailbroken Google Gemini instance and 73 stolen API keys automated content generation, credential attacks, and infrastructure management. The campaign was publicly exposed by Trend Micro researchers on or around May 22, 2026.

Rublevka Team is a Russian-speaking, affiliate-driven drainer-as-a-service operation active since 2023 that has documented over $10.9 million in cryptocurrency theft across at least 240,000 wallet drain events. The group operates primarily on the Solana blockchain as of spring 2025 and markets its tooling to low-skill affiliates through Telegram bots and Russian-language cybercrime forums. No law enforcement actions or sanctions had been publicly reported as of the date of this investigation.

GNUS.AI (Genius Ventures, Inc.) is a decentralized AI computing platform that issues the GNUS token across Ethereum, Polygon, and Fantom networks. On May 5, 2024, the project suffered a $1.27 million exploit in which an attacker leveraged a Discord breach to steal private key material, mint 100 million counterfeit GNUS tokens, and sell them into live liquidity pools — causing the token price to collapse. The token has traded 98-99% below its all-time high and ZachXBT has flagged the entity as a concern in the crypto community.

Loopring is an Ethereum Layer-2 zkRollup-based decentralized exchange protocol founded in 2017 by Daniel Wang. The protocol suffered a critical June 2024 security breach in which an attacker compromised the Official Guardian two-factor authentication server, draining approximately $5 million from 58 smart wallet accounts. Subsequent to the hack, Loopring wound down its consumer wallet product, shut down DeFi services, lost listings on major exchanges including Binance, Upbit, and Bithumb, and saw its CEO resign in August 2025, leaving the project's long-term viability in serious question.

Resupply (resupply.fi / resupply.finance) is a decentralized stablecoin lending protocol built by contributors from Convex Finance and Yearn Finance, succeeding the hacked Prisma Finance protocol after a March 2024 governance vote. The protocol suffered a critical $9.6 million exploit on June 26, 2025, caused by a donation-attack vulnerability in a newly deployed ERC-4626 vault, with stolen funds laundered through Tornado Cash. The team's post-exploit governance response generated significant community controversy, including alleged silencing of critics and a disputed insurance-pool burn proposal, before the bad debt was eventually fully repaid in August 2025.

OcelotDex is a decentralized exchange (DEX) operating as an automated market maker (AMM) on ZetaChain, a cross-chain interoperability blockchain. The protocol has an extremely low total value locked of approximately $4.57 as of mid-2026, indicating near-total user abandonment. A security incident reportedly resulting in approximately $4.9 million in losses via an infinite mint and dump vulnerability was attributed to the protocol in September 2024, though independent Tier 1 or Tier 2 confirmation of this specific event remains limited.

Loopscale is a Solana-based DeFi lending protocol (formerly Bridgesplit) launched on April 10, 2025, backed by Coinbase Ventures, Solana Labs, and CoinFund. On April 26, 2025 — just 16 days after launch — the protocol suffered a $5.8 million oracle pricing exploit affecting its Genesis Vaults, an attack vector that had been flagged in its pre-launch OShield security audit but was allegedly inadequately remediated. All stolen funds were ultimately recovered via negotiation with the exploiter, and user deposits suffered no permanent loss.

Arcadia V2 is a non-custodial leverage farming and liquidity management protocol operating primarily on Base, developed by Belgium-based Arcadia Finance (founded 2021, backed by Coinbase Ventures). The protocol has suffered two serious security exploits: a July 2023 reentrancy attack on its V1 codebase draining approximately $455K across Ethereum and Optimism, and a more severe July 2025 arbitrary calldata exploit on V2's Rebalancer contract that drained approximately $3.6M on Base despite multiple prior audits. ZachXBT has flagged the protocol as a high-risk entity given this pattern of repeated critical security failures.

Typus Perp is a GMX-style perpetuals DEX operating on the Sui blockchain, developed by Typus Finance (founded by Tommy Chen). On October 15, 2025, the protocol suffered a $3.44 million oracle manipulation exploit that drained its TLP liquidity pool entirely — caused by an unaudited smart contract module that was excluded from the project's May 2025 MoveBit security audit. As of May 2026, the protocol has minimal TVL ($126K) and the stolen funds have not been recovered.

Odin.Fun (ODIN•FUN) is a Bitcoin-based meme coin launchpad and automated market maker launched in January 2025 by Bioniq co-founder Bob Bodily, designed as a Pump.fun analogue for Bitcoin Runes tokens. The platform has suffered at least four confirmed security incidents within its first year of operation, including a critical $7 million (58.2 BTC) AMM liquidity manipulation exploit in August 2025 that left the treasury insolvent and unable to fully compensate affected users. As of the latest available reporting (August–September 2025), the platform remained halted pending security audits, with no committed reopening timeline.

TrustedVolumes is an independent DeFi liquidity provider and market maker operating as a resolver within the 1inch ecosystem on Ethereum. On May 7, 2026, the platform suffered a $6.7 million exploit caused by a critical authorization flaw in its custom RFQ swap proxy contract, which allowed any external party to self-register as an approved order signer. The attacker responsible has been linked by blockchain security firm Blockaid to the March 2025 1inch Fusion V1 hack that drained approximately $5 million, marking the same operator as a serial exploiter targeting the 1inch resolver ecosystem.

Ribbon Finance is an Ethereum-based DeFi protocol that pioneered Theta Vaults (DeFi Options Vaults) for structured yield products, later expanding into the Aevo derivatives exchange. The protocol has experienced multiple serious incidents including a $2.7 million oracle exploit in December 2025 whose recovery plan drew widespread community condemnation, a 2021 Sybil attack on its token airdrop by a connected venture capital firm, and a DNS hijacking in 2022. Its native token RBN lost approximately 90% of its value in 2025 alone and sits more than 99% below its all-time high.

CrediX Finance was a DeFi lending protocol launched in July 2025 on the Sonic blockchain that suffered a $4.5 million exploit on August 4, 2025, less than one month after launch. The exploit involved a compromised or insider-controlled admin wallet that minted unbacked synthetic tokens to drain liquidity pools; the team subsequently vanished, deleted all official channels, and failed to honor public recovery promises, prompting widespread allegations of a premeditated exit scam. Note: CrediX Finance (Sonic, 2025) is a distinct entity from Credix Finance (Solana, founded 2021), which is a separate legitimate RWA protocol.

Aperture LM (also marketed as Aperture Finance) is a multi-chain DeFi liquidity management protocol that launched in 2022 and raised $12 million at a reported $250 million valuation. On January 25, 2026, the protocol suffered a critical smart contract exploit due to insufficient input validation in its V3 and V4 helper modules, resulting in $3.67 million stolen from Aperture directly and contributing to a combined ~$17 million loss across a coordinated attack that also hit SwapNet. Stolen funds were laundered through Tornado Cash, no public compensation plan for affected users has been confirmed, and the protocol's closed-source contract architecture was identified as a compounding risk factor that hindered independent security review.

Makina Finance is a non-custodial DeFi execution engine that launched in late 2025 on Ethereum, enabling automated yield strategies via tokenized vaults called Machines. On January 20, 2026, the protocol suffered a $4.13 million oracle manipulation exploit targeting its DUSD/USDC Curve stableswap pool, despite having completed six independent security audits in the months prior. The team recovered approximately $3.65 million (89% of user losses) within one week and resumed operations on January 26, 2026, though a residual 11% shortfall remained subject to a revenue-share restitution plan.

Saga is a Layer 1 blockchain protocol built on Cosmos that allows developers to deploy parallelized, VM-agnostic dedicated chains called Chainlets, with a primary focus on gaming applications. The SAGA token launched on April 9, 2024 at an all-time high of approximately $7.53, but had declined roughly 99% from that peak by late 2025. In January 2026, the protocol's SagaEVM chainlet suffered a $7 million smart contract exploit that drained bridged assets, caused the Saga Dollar stablecoin to depeg, and led to a 55% TVL crash.

Matcha Meta is a DEX meta-aggregator built on the 0x protocol by 0x Labs, launched in 2020, that routes trades across 140+ DEXs on 10+ blockchains. On January 25, 2026, a vulnerability in the SwapNet routing module — an integrated third-party liquidity provider — was exploited via an arbitrary external call flaw, draining open token allowances from users who had disabled the platform's default One-Time Approval feature. PeckShield reported initial losses of approximately $16.8M; Matcha Meta's post-mortem confirmed $13.43M in net losses across 20 affected users, with the balance attributable to a separate, concurrent $3.4M Aperture Finance exploit. Users with persistent approvals to SwapNet contracts face ongoing residual exposure until those allowances are revoked.

US Permissionless Dollar (USPD) is a decentralized, over-collateralized stablecoin protocol built on Ethereum by Permissionless Technologies, the team behind the Morpher trading platform. In December 2025, the protocol suffered a critical exploit via a clandestine proxy deployment attack — later dubbed CPIMP — that had silently compromised admin privileges since September 2025, resulting in approximately $1 million in losses. The project has undergone audits by Nethermind and Resonance Security but the exploit bypassed audited code by targeting the deployment layer, raising unresolved questions about operational security and the viability of the planned V2 relaunch.

Unleash Protocol is a decentralized intellectual property finance (IPFi) platform built on the Story Protocol blockchain, launched in early 2024. On December 30, 2025, the protocol suffered a confirmed $3.9 million exploit in which an attacker gained unauthorized administrative control through its multisignature governance system, executed an unauthorized smart contract upgrade, and laundered 1,337 ETH through Tornado Cash. The protocol subsequently paused all operations; as of early 2026 no recovery or user compensation plan has been publicly confirmed.

IoTeX is a Layer 1 blockchain and DePIN (Decentralized Physical Infrastructure Network) platform founded in 2017 by Raullen Chai, Qevan Guo, Jing Sun, and Xinxin Fan, with its native IOTX token launched via ICO in 2018. In February 2026 the project suffered a significant security incident when a compromised private key on the Ethereum side of its ioTube cross-chain bridge allowed an attacker to drain approximately $4.3–$4.4 million in assets and mint 410 million unauthorized CIOTX tokens, with total estimated damages disputed between $4.4 million (official) and $8.8 million (PeckShield). Additional concerns include a prior market-maker-linked near-zero price anomaly on Binance in October 2025, governance centralization risks from its 36-delegate Roll-DPoS consensus model, and on-chain analyst reports alleging the attacker's wallet was funded by the same entity behind the $49 million Infini Finance hack of 2025.

Hyperbridge is a cross-chain interoperability protocol built by Polytope Labs (founded by Nigerian engineers Seun Lanlege and David Salami) that uses cryptographic proofs to facilitate asset and message transfers across blockchains. On April 13, 2026, an attacker exploited a Merkle Mountain Range (MMR) proof verification vulnerability in the Token Gateway contract, minting 1 billion fraudulent bridged DOT tokens and extracting losses initially reported at $237,000 but later revised to approximately $2.5 million across Ethereum, Base, BNB Chain, and Arbitrum. The exploit occurred less than two weeks after the project publicly mocked the possibility of being hacked in an April Fools joke, and followed alleged dismissals of security researchers who had flagged vulnerabilities beforehand.

Flow is a layer-1 proof-of-stake blockchain created by Dapper Labs, the company behind NBA Top Shot and CryptoKitties, with FLOW as its native token. The project has faced a serious 2025 protocol-level exploit ($3.9M stolen), a controversial rollback proposal that drew community backlash, multiple rounds of company layoffs, a $4M securities class-action settlement, a separate $7.05M privacy lawsuit settlement, SEC investigation, and delisting from major South Korean exchanges following the breach. The FLOW token has lost over 99% of value from its April 2021 all-time high of $46.16, trading near $0.033 as of mid-2026.

Giddy (also branded DefiQ, Inc.) was a Draper, Utah-based self-custody DeFi wallet and yield-farming platform that launched its GDDY token on the Polygon network in April 2022. The project raised over $15 million from VC investors including Pelion Venture Partners, but has since shut down — leaving the GIDDY token trading more than 99% below its all-time high of approximately $0.35 in May 2022. ZachXBT has flagged the entity as a concern in the crypto trust-intelligence space, and community reviews allege that team members sold tokens prior to the app's public launch and that advertised staking yields were never delivered.

SolvBTC is the flagship wrapped Bitcoin product of Solv Protocol, designed to represent Bitcoin in DeFi systems across multiple chains. In March 2026, the BRO vault component of the protocol suffered a $2.7 million exploit due to a double-mint logic flaw in the BitcoinReserveOffering smart contract. Separately, in January 2025, the protocol faced credible public allegations of TVL manipulation prior to its SOLV token launch.

Shunda Park was a fortified forced-labor fraud compound located in Min Let Pan village, Karen State, Myanmar, operated under the protection of the junta-affiliated Democratic Karen Benevolent Army (DKBA). Workers trafficked from multiple countries were coerced into running pig-butchering cryptocurrency investment fraud schemes primarily targeting Americans from at least January through November 2025, when the Karen National Union seized the site. In April 2026, the U.S. Department of Justice charged two Chinese nationals, Huang Xingshan and Jiang Wen Jie, with wire fraud conspiracy for managing the compound; both were arrested by Thai authorities on immigration charges in early 2026 and remain in custody pending extradition proceedings.

Griffin AI is a Web3 no-code AI agent builder on BNB Chain that launched its native GAIN token on Binance Alpha on September 24, 2025. Within hours of launch, an attacker exploited a misconfigured LayerZero cross-chain peer to mint 5 billion unauthorized GAIN tokens and dump approximately $3 million worth into the market, crashing the token 87-90% and erasing roughly $36 million in market capitalization. The team subsequently enacted a token migration, a $2.5 million recovery fund, and a re-launch on October 6, 2025, though GAIN continues to trade approximately 95% below its all-time high.

Cyrus Finance is a decentralized yield-optimizer protocol operating on the BNB Smart Chain that markets itself as a high-yield DeFi platform utilizing PancakeSwap liquidity pairs and single-sided vaults. On March 22, 2026, the protocol suffered a $5 million flash loan exploit attributed to flawed pool-share accounting in its smart contracts, with no reported fund recovery. Multiple secondary domains (cyrusfinance.xyz) associated with the Cyrus Finance brand have been independently flagged as potentially malicious fake-broker sites that simulate trading activity and block user withdrawals.

Yearn Ether (yETH) is a liquid staking token aggregation vault developed by Yearn Finance, launched under YIP-72 as a self-governed, permissionless product. On November 30, 2025, the yETH weighted stableswap pool was exploited via an arithmetic underflow and stale cache vulnerability, resulting in approximately $9 million in losses — the third major security incident involving a Yearn product since 2021. Approximately $2.4 million was partially recovered; roughly $6.6 million remains unrecovered, with a significant portion laundered through Tornado Cash.

Purrlend is a non-custodial DeFi lending and borrowing protocol deployed on HyperEVM and MegaETH, operating as an Aave-style fork designed for leveraged yield farming. On April 25, 2026, the protocol suffered a multisig permission exploit that drained approximately $1.52 million across both networks, collapsing its TVL by roughly 70%. As of late May 2026, the protocol remains paused with no published post-mortem, recovery plan, or user compensation details.

BSC TMM/USDT is a Binance Smart Chain token pair that was exploited on April 4, 2026, via a flash loan-based reserve manipulation attack, resulting in an estimated loss of $1.665 million USDT. The attacker burned TMM tokens to a dead address to artificially skew pool reserves, then extracted USDT through a Constant Product Market Maker (CPMM) pricing imbalance. The TMM token contract lacked reserve synchronization on burn operations and had no verified third-party security audit on file.

An active phishing campaign exploiting Google Search sponsored advertisements to impersonate the Uniswap decentralized exchange was publicly exposed on May 25, 2026, by on-chain analyst b_block_oficial. Attackers operating two identified Ethereum wallets have allegedly stolen over $400,000 from multiple victims by deploying wallet-drainer malware services (Inferno Drainer and Vanilla Drainer), which siphon assets after victims approve malicious smart contracts on cloned Uniswap interfaces. The Security Alliance (SEAL) has confirmed blocking 356+ related fraudulent advertisement URLs and describes the broader Google Ads phishing trend as active and ongoing for more than a year.

Kame Aggregator is a decentralized exchange (DEX) aggregator protocol built on the Sei blockchain, launched in late May 2025, designed to route token swaps across multiple liquidity sources for optimal pricing. On September 13, 2025, the protocol suffered a critical smart contract exploit in which approximately $1.325 million was drained from 830 user wallets via an arbitrary external call vulnerability in its swap() function. The primary exploiter returned approximately $946,000 after negotiations, while secondary exploiters retained approximately $357,000; the team initiated a compensation program that reached over $1 million USDC in distributions by November 2025.

BetterBank is a DeFi lending and borrowing protocol built on PulseChain, launched in August 2025, offering a dual-token system (ESTEEM and FAVOR) with high-yield savings and LP-backed credit. Approximately three weeks after launch, the protocol suffered a $5 million exploit on August 26-27, 2025, caused by an unvalidated bonus reward minting function that had been flagged as a critical vulnerability by auditor Zokyo one month prior but was downgraded to 'Informational' severity and left unpatched by the team. The attacker returned approximately $2.7 million following on-chain negotiations, leaving a net loss of roughly $1.4 million; the protocol subsequently froze trading and announced relaunch plans.

Nemo Protocol is a Sui-based DeFi yield trading platform that suffered a $2.6 million exploit on September 7, 2025, caused by an unnamed developer who deployed unaudited code to mainnet while bypassing internal review processes. A security auditor had flagged a related vulnerability 27 days before the attack, which the team acknowledged it failed to address in time. The protocol's TVL has since collapsed to zero and it has been flagged as high-risk by trust intelligence sources.

Volo Vault is a yield-generating vault product operated by Volo Protocol, a BTCFi and liquid staking platform built on the Sui blockchain. In April 2026, three of its vaults were exploited via a compromised admin private key, resulting in approximately $3.5 million in losses across WBTC, XAUm, and USDC holdings. The team committed to absorbing all user losses and ultimately recovered approximately 90% of the stolen funds through coordination with the Sui Foundation, ZachXBT, and ecosystem partners.

TrapDoor is an active cross-ecosystem software supply chain attack campaign first observed on May 22, 2026, distributing credential-stealing malware across 34+ malicious packages and 384+ artifact versions on npm, PyPI, and Crates.io. The campaign targets crypto, DeFi, Solana, and AI developers to steal cryptocurrency wallet keystores, SSH keys, AWS credentials, GitHub tokens, and browser secrets. A novel component of the campaign plants hidden instructions inside .cursorrules and CLAUDE.md files — using zero-width Unicode steganography — to manipulate AI coding assistants such as Cursor and Claude Code into performing covert data exfiltration routines disguised as security scans.

Bunni V2 was a decentralized exchange and liquidity layer built on Uniswap v4, developed by Timeless Finance. On September 1-2, 2025, the protocol suffered a critical exploit draining approximately $8.4 million across Ethereum and Unichain through a rounding-direction vulnerability in its withdrawal mechanism. The team permanently shut down the protocol on October 23, 2025, citing inability to finance a secure relaunch after the exploit erased 97% of TVL.

Seedify (Seedify.fund) is a blockchain gaming incubator and IDO/IGO launchpad founded in February 2021 by Levent Cem Aydan, operating on BNB Chain, Ethereum, and Avalanche with its native SFUND token. The platform suffered a critical $1.2–1.7 million bridge exploit in September 2025 attributed by ZachXBT and CZ (Binance) to the North Korean DPRK-affiliated 'Contagious Interview' hacking campaign, causing SFUND to collapse approximately 80–99% and affecting approximately 64,000 token holders. The platform's SFUND token has declined more than 99% from its November 2021 all-time high of approximately $17.67, and the project has been flagged by ZachXBT in connection with the on-chain forensics tying the exploit to state-sponsored theft infrastructure.

FOOM Cash (foom.cash) is a pseudonymous, privacy-focused decentralized lottery protocol built on Ethereum and Base, marketed as an 'upgraded Tornado Cash' using zk-SNARKs cryptography. On February 26, 2026, the protocol suffered a $2.26 million exploit caused by a critical deployment error in its Groth16 trusted setup — a flaw publicly known from an identical exploit on Veil Cash days earlier that the team failed to patch. The team had been silent for approximately three months prior to the attack and was subsequently flagged as a notable risk by AVOID.NET due to compounding concerns: anonymous founders, serious operational negligence, misleading post-incident communications, and unverifiable audit claims.

Ranger Finance was a Solana-based perpetual contract aggregator that raised $1.9M in seed funding in January 2025 and launched its RNGR token in January 2026. Within two months of token launch, community governance voted to liquidate the project treasury following allegations that the team made materially misleading claims about trading volume and revenue during its ICO. The project formally shut down in May 2026 after the treasury liquidation and approximately $900,000 in exposure from the DPRK-linked Drift Protocol exploit left operations unsustainable, with employees and vendors not fully compensated.

Ooki Protocol (formerly bZx Protocol) is a decentralized margin trading and lending protocol on Ethereum that was the subject of the first-ever CFTC enforcement action against a DAO, resulting in a 2023 default judgment ordering the protocol to cease operations and pay $643,542 in penalties. The protocol suffered four separate security incidents between 2020 and 2021 totaling over $64 million in losses, including a $55 million phishing-based hack attributed by Kaspersky to the North Korean state-linked BlueNoroff group. Following the CFTC judgment, the Ooki DAO's website was ordered shut down and the protocol has been effectively defunct.

Gate.io (formerly Bter.com) is a centralized cryptocurrency exchange founded in 2013 by Han Lin, serving over 30 million users across 224 countries. The exchange has been flagged by on-chain investigator ZachXBT for allegedly concealing a $230 million hack attributed to North Korean state-sponsored hackers (Lazarus Group) that occurred in April 2018 and was never publicly disclosed to users. Additional concerns include a manipulated futures price feed incident causing millions in user losses in 2025, an AML-based ban by India's Financial Intelligence Unit in 2024, persistent user complaints about frozen withdrawals, and alleged wash trading activity inflating reported volumes.

A fraudulent mobile application impersonating Hyperliquid, the decentralized perpetuals exchange, was identified on the Google Play Store in November 2025 by on-chain investigator ZachXBT. The app, published under the developer name 'Tvtion Inc.', replicated Hyperliquid's branding and interface to harvest users' seed phrases, transmitting them to an external server. An Ethereum address linked to the operation has been associated with thefts exceeding $281,000; Hyperliquid has never released an official mobile application, making any such listing inherently fraudulent.

Ledger SAS is a Paris-based hardware cryptocurrency wallet manufacturer founded in 2014, producing the Nano S and Nano X devices used by millions worldwide. Despite its status as a legitimate and established company, Ledger has been involved in two major security incidents: a 2020 customer database breach exposing over 1 million email addresses and 272,000 physical addresses, and a December 2023 supply chain attack on its @ledgerhq/connect-kit npm package that drained approximately $600,000–$850,000 from users of multiple DeFi protocols via the Angel Drainer malware-as-a-service. A third-party data breach via payment processor Global-e was disclosed in January 2026.

Chris Larsen is the co-founder and Executive Chairman of Ripple, one of the most prominent figures in the XRP ecosystem. On January 30, 2024, attackers drained an estimated 213–283 million XRP (valued at $112.5–$150 million) from his personal cryptocurrency accounts — not Ripple corporate wallets — in what became the largest individual crypto theft of 2024. A U.S. government forfeiture complaint filed in March 2025 linked the breach to the 2022 LastPass password manager hack, alleging that private keys had been stored in an online vault subsequently compromised by attackers.

Tornado Cash is a decentralized, non-custodial cryptocurrency mixing protocol deployed on Ethereum in December 2019, co-founded by Roman Storm, Roman Semenov, and Alexey Pertsev. It was sanctioned by the U.S. Treasury's Office of Foreign Assets Control (OFAC) in August 2022 for allegedly laundering over $7 billion in virtual currency, including hundreds of millions stolen by North Korea's Lazarus Group; the sanctions were later lifted in March 2025 following a Fifth Circuit ruling that immutable smart contracts do not constitute sanctionable 'property' under IEEPA. All three co-founders face or have faced criminal proceedings: Pertsev was convicted in the Netherlands in May 2024 and sentenced to 64 months in prison, Storm was convicted on one of three counts in the U.S. in August 2025, and Semenov remains at large.

Inferno Drainer is a scam-as-a-service (drainer-as-a-service) platform that provided phishing infrastructure and malicious wallet-draining scripts to criminal affiliates in exchange for a percentage of stolen funds. Active from November 2022 through at least early 2025, it is attributed to stealing over $80 million from approximately 137,000 victims during its initial operational phase, with operators claiming a cumulative total exceeding $250 million across all periods including a covert post-shutdown phase. It operates by luring victims to phishing websites impersonating legitimate crypto brands, tricking users into signing malicious transactions that drain wallets across multiple EVM-compatible blockchains.

Velodrome Finance is an automated market maker (AMM) and decentralized exchange (DEX) launched on June 2, 2022, on the Optimism Layer 2 network. It is a fork and improvement of Andre Cronje's Solidly Exchange, implementing a ve(3,3) governance and liquidity incentive model. The protocol has experienced three documented security incidents: an insider theft of $350,000 by a team member in August 2022, a DNS/frontend social-engineering attack in November–December 2023 resulting in approximately $250,000 in user losses, and a second DNS hijacking in November 2025 attributed to a NameSilo registrar insider, resulting in estimated losses of $700,000–$1,000,000. Smart contracts have not been directly exploited; all monetary losses have stemmed from front-end and operational security failures.

Veer Chetal, known online as 'Wiz,' is a 19-year-old from Danbury, Connecticut who pleaded guilty in November 2024 to conspiracy to commit wire fraud and conspiracy to launder monetary instruments in connection with a $243–245 million Bitcoin theft targeting a single Genesis creditor via social engineering. He was identified and exposed by blockchain investigator ZachXBT, who traced stolen funds on-chain and publicly named the perpetrators before law enforcement arrests were made. Chetal was re-arrested in early 2025 after committing additional crypto thefts while released on bond and faces a federal sentencing guideline range of 19–24 years imprisonment.

NFTMachine is the online alias of Tyler Gaye, a Denver, Colorado resident who allegedly orchestrated a presale fraud in early 2021 by raising approximately $500,000 (reportedly 277 ETH from 130+ investors) for a promised NFT marketplace called opeNFT (also stylized ONFT), which was never launched. A Denver District Court judge entered a default judgment of $275,000 against Gaye in November 2022, classifying the conduct as civil theft. On-chain investigator ZachXBT has subsequently alleged Gaye continued launching new crypto projects — including Arcade DAO and Gamegear — under the alias 'scaredofboobs' without satisfying the court-ordered judgment.

Vkevin is a pseudonymous threat actor known for operating fake Safeguard Telegram bot phishing campaigns that have allegedly drained seven figures from victims' cryptocurrency wallets. On January 23, 2025, blockchain investigator ZachXBT published a 31-minute video exposing Vkevin in the act of running these scams from what was described as a New York school, and confirmed the individual had been doxxed. Vkevin is additionally alleged to have conducted a 2022 Discord attack against DigikongNFT using a spoofed MEE6 bot, resulting in over $300,000 in NFT losses.

TradeOgre was an unregistered, no-KYC cryptocurrency exchange founded around 2018 and known for listing privacy coins including Monero (XMR) and Pirate Chain. On September 18, 2025, the RCMP executed Canada's largest-ever cryptocurrency seizure, dismantling the platform and seizing over CAD $56 million (approximately USD $40 million) in digital assets. Investigators determined that the majority of funds transacted on the platform came from criminal sources, including ransomware proceeds, darknet market activity, hacking exploits, and fraud schemes.

Wallex is an Iranian cryptocurrency exchange founded in 2018 in Tehran by graduates of Sharif University of Technology, serving approximately 1 million users as of 2022 and operating as a major domestic crypto-to-rial on/off-ramp. On March 25, 2026, blockchain investigator ZachXBT flagged suspicious fund consolidation activity, prompting both Tether (USDT) and Circle (USDC) to simultaneously blacklist Wallex-linked wallet addresses, leaving approximately $2.49 million stranded on-chain. Wallex operates in a jurisdiction under comprehensive U.S. OFAC sanctions, has been linked by Chainalysis to transactions with a U.S.-sanctioned individual, and suffered a confirmed data breach in 2021 that exposed user credentials.

pump.fun (operated by Baton Corporation Ltd., also listed on AVOID.NET as 'pumpdotfun') is a Solana-based meme token launchpad that launched in January 2024 and rapidly became one of the most-used token creation platforms in crypto, generating over $800 million in cumulative revenue and more than 11.9 million tokens. The platform is subject to an active RICO class action lawsuit in the SDNY alleging up to $5.5 billion in retail losses, a UK FCA regulatory ban, a $1.9 million insider flash loan exploit, documented use by North Korea's Lazarus Group for money laundering, and independent research classifying 98.6% of its tokens as rug pulls or fraud.

Garden Finance is a cross-chain Bitcoin bridge protocol launched in 2023 by former Ren Protocol developers, using Hash Time Locked Contracts (HTLCs) and an intents-based solver network to enable atomic swaps across Ethereum, Solana, Arbitrum, Base, and other chains. On October 30–31, 2025, one of its largest solver operators was compromised via a leaked private key, resulting in approximately $11.4 million in stolen assets that were subsequently laundered through Tornado Cash. Prior to the exploit, blockchain investigator ZachXBT alleged that over 80% of the protocol's recent fee revenue was derived from laundering funds stolen in the February 2025 Bybit hack, which the Lazarus Group (DPRK) perpetrated for approximately $1.4 billion.

Bitcoin Depot was once the largest Bitcoin ATM operator in North America, operating more than 9,000 kiosks before filing for Chapter 11 bankruptcy on May 18, 2026. The company faces lawsuits from the attorneys general of Iowa and Massachusetts alleging it knowingly facilitated crypto scams, with one state finding that more than 80% of high-value transactions at its kiosks were linked to fraud. Multiple data breaches, a $3.6 million wallet theft, regulatory enforcement in California, and on-chain evidence flagged by ZachXBT further document systemic compliance and security failures.

Noones is a peer-to-peer cryptocurrency trading platform targeting Africa and the Global South, founded and initially led by Ray Youssef, co-founder of the now-defunct Paxful. In January 2025, the platform suffered an $8 million hot-wallet exploit that was concealed for nearly three weeks before on-chain investigator ZachXBT publicly exposed the breach. Compounding platform risk, Youssef was subsequently indicted by the DOJ in early 2026 on federal AML charges stemming from his leadership of Paxful, and stepped down as Noones CEO shortly thereafter.

HyperCycle (HYPC) is an Ethereum ERC-20 token marketed as infrastructure for decentralized AI-to-AI transactions, co-founded by SingularityNET's Ben Goertzel and TODA inventor Toufi Saliba. The token has lost approximately 99% of its value from its all-time high of $1.29, and its smart contract contains a PAUSER_ROLE that allows a designated admin to halt all token transfers at will. No independent smart contract security audit has been publicly submitted, and the tokenomics structure — which allocates 20% to team, advisors, and partners with a relatively short vesting cliff — has been cited by multiple analysts as generating sustained selling pressure that disadvantages retail participants. ZachXBT has broadly flagged AI-narrative token projects as high-risk.

Kroll Restructuring Administration LLC served as the court-appointed claims and noticing agent for the FTX, BlockFi, and Genesis bankruptcy proceedings. On August 19, 2023, a threat actor executed a SIM swap attack against a Kroll employee's T-Mobile account, gaining unauthorized access to files containing the personal data of tens of thousands of crypto bankruptcy claimants. The exposed data was subsequently exploited in large-scale phishing and social engineering campaigns, with blockchain investigator ZachXBT estimating total losses attributable to the breach at eight to nine figures, and at least one alleged perpetrator — Danish Zulfiqar, also known as 'Danny' — was arrested in Dubai in late 2025 on RICO charges related to a broader $263 million social engineering conspiracy.

Spartans Bet (spartans.com) is a crypto betting and casino platform launched in 2025, operated by Nexus International Entertainment Ltd, a company registered in Belize and licensed under the disputed Anjouan (Comoros) gaming authority. On-chain investigator ZachXBT alleged in 2025 that the platform's suspected co-founder, Gurhan Kiziloz, is also the hidden operator behind BlockDAG Network, a project ZachXBT claims raised over $300 million from retail investors through deceptive social media advertising and misappropriated presale funds via Middle Eastern OTC channels. Spartans makes prominent 'provably fair' claims that lack independently verifiable third-party audit documentation, and the platform carries a below-average safety index of 6.4/10 from casino.guru, with user complaints citing refused withdrawals and unfair bonus terms.

Renzo Protocol is an EigenLayer liquid restaking protocol that issues ezETH, a liquid restaking token (LRT) representing restaked ETH. In April 2024, ezETH suffered a severe depeg — falling from ~$3,100 to as low as $688 on Uniswap — triggered by a controversial REZ tokenomics announcement that allocated only 5% of tokens to the community airdrop while reserving over 60% for team, investors, and advisors, causing cascading liquidations exceeding $56 million across DeFi platforms. Eight high-severity vulnerabilities were identified in a concurrent Code4rena security audit, and the incident exposed structural risks including withdrawal restrictions that prevented users from redeeming ezETH directly for ETH.

Netmind AI (netmind.ai) is a London-based decentralized GPU compute network that issues the NMT token on both Ethereum (ERC20) and BNB Smart Chain (BEP20) via upgradeable proxy contracts. In March 2024, 440,000 NMT tokens were sold in a sudden dump that caused a 76% price crash — attributed by the team to a compromised early miner wallet, though the mechanism remains disputed. The NMT contract is an upgradeable transparent proxy that grants the owner unilateral ability to disable sells, change fees, mint, or transfer tokens, representing a material centralization and rug-risk vector flagged by security tools and, according to AVOID.NET source tagging, by ZachXBT.

Token 2049 is one of the world's largest crypto conferences, held annually in Singapore and Dubai by Hong Kong-based BOB Group. The event has faced repeated criticism for insufficient sponsor vetting, most notably when OFAC- and UK-sanctioned Russia-linked stablecoin A7A5 was listed as a platinum sponsor and given a speaking slot at the October 2025 Singapore edition. Separately, in March 2025, on-chain investigator ZachXBT publicly flagged multiple Token 2049 sponsors — including DWF Labs, Bitunix, JuCoin, WEEX, and Spacecoin — for fraud, wash trading, and regulatory non-compliance, warning that conference sponsorship carries no implied credibility.

Act I: The AI Prophecy (ACT) is a Solana-based AI-narrative memecoin launched via Pump.fun in October 2024 with no verified product utility. The token reached an all-time high of approximately $0.92 in November 2024 before declining over 98% to roughly $0.013 by mid-2026. It has been subject to a documented co-founder token dump, a suspicious 49% flash crash on Binance in April 2025 attributed to large coordinated sell orders, and broad sector criticism from on-chain investigator ZachXBT who labeled 99% of AI agent tokens as scams.

Mixin Network is a Hong Kong-based cross-chain Layer 2 protocol that suffered one of the largest cryptocurrency hacks of 2023, losing approximately $200 million when its cloud service provider's database was compromised on September 23, 2023. The hack exposed a fundamental contradiction in Mixin's self-described decentralized architecture: the majority of user funds were held in hot wallets backed by a centralized cloud database. As of early 2026, the majority of stolen assets remain unrecovered, with the attacker beginning to launder funds through Tornado Cash.

Kiln is an institutional-grade, non-custodial staking infrastructure provider that manages over $14 billion in staked assets across 50+ proof-of-stake networks, including approximately 6% of the entire Ethereum validator set. In September 2025, Kiln suffered a sophisticated supply chain attack in which a threat actor compromised a GitHub access token belonging to a Kiln infrastructure engineer, injected malicious code into the Kiln Connect API, and caused the theft of approximately 192,600 SOL (~$41 million) from enterprise customer SwissBorg. The incident prompted Kiln to exit all 1.6 million ETH worth of its Ethereum validators as a precautionary measure, triggering the longest Ethereum exit queue backlog in the network's history.

Vitalik Buterin is the legitimate co-founder of Ethereum and is not himself a scam actor. However, his name, likeness, and social media presence constitute one of the most heavily weaponized impersonation surfaces in crypto. Documented threats include a September 2023 SIM-swap of his X account (linked to Pink Drainer, resulting in ~$691K stolen from followers), persistent fake giveaway livestreams on YouTube, thousands of fraudulent Instagram accounts, and an escalating campaign of AI-generated deepfake videos distributing wallet-drainer phishing links.

BitoPro is a Taiwanese centralized cryptocurrency exchange operated by BitoGroup, serving over 800,000 users with TWD (New Taiwan Dollar) fiat on/off-ramps. On May 8, 2025, the exchange suffered an approximately $11.5 million hot wallet theft attributed to North Korea's Lazarus Group via a social-engineering and AWS-token-hijacking attack. The exchange did not publicly disclose the breach for approximately 25 days, only confirming the incident after on-chain investigator ZachXBT flagged suspicious outflows on June 2, 2025.

BONAD.fun is a permissionless meme token launchpad operating on the Monad blockchain, positioned as BONK's community-driven expansion from Solana into the EVM ecosystem via Monad. The platform is an independent community project not officially endorsed or vetted by the BONK Foundation, and no public smart contract audit has been documented. The platform shares brand identity and fee-recycling mechanics with Bonk.fun, the Solana-based predecessor that suffered a domain hijacking and wallet-drainer attack in March 2026 — a front-end attack vector that is directly relevant to BONAD.fun's risk surface as a structurally similar deployment.

Thunder Terminal is a Solana-based on-chain trading terminal that suffered a $240,000 exploit on December 27, 2023, when an attacker leveraged compromised MongoDB credentials to steal session tokens and drain 86.5 ETH and 439 SOL from 114 user wallets in under nine minutes. The attacker subsequently routed the stolen ETH through the Railgun privacy protocol and demanded a 50 ETH ransom for deletion of alleged user data, directly contradicting Thunder Terminal's public claim that no user data or private keys were compromised. Thunder Terminal pledged full reimbursement of stolen funds, engaged the FBI, and implemented additional security controls, though no public confirmation of completed reimbursements has been verified.

Cointelegraph is a major legitimate cryptocurrency news outlet that has been a victim of two distinct infrastructure compromises. In January 2024, attackers breached its email service provider MailerLite and sent phishing emails to subscribers using Angel Drainer malware, resulting in estimated losses of $580,000 to over $700,000 across affected platforms. In June 2025, attackers separately compromised Cointelegraph's banner advertising system to serve Inferno Drainer-linked pop-ups promoting a fake CTG token airdrop to site visitors.

Strike (operated by Zap Solutions, Inc.) is a Bitcoin and Lightning Network payments application founded by Jack Mallers. The platform has faced scrutiny over a 2023 data breach it initially denied, the use of Tether (USDT) as a backing for purported USD cash balances for non-US users, and a 2026 proposed merger with Twenty One Capital (XXI) that raises serious conflict-of-interest concerns given Mallers serves as CEO of both entities.

Rapper Nelly (Cornell Iral Haynes Jr.) is flagged here not as a perpetrator of crypto fraud, but as a victim of an account compromise. In October 2023, an X (formerly Twitter) account associated with Nelly — handle @NellioETH — was hacked by an unknown third party who then used it to run a social engineering phishing campaign against crypto users. Blockchain investigator ZachXBT first identified and publicized the incident; specific amounts stolen from victims and detailed on-chain forensics have not been publicly confirmed.

No verifiable information about an entity named 'Burgeleth' was found across any indexed web source as of May 2026. Exhaustive searches across news outlets, blockchain explorers, social media platforms, regulatory databases, domain registries, and crypto-specific intelligence sources (ZachXBT, Chainalysis, Scam Sniffer) returned zero results matching this name in a crypto or financial context. The slug may refer to an extremely obscure or newly created entity, an alternate spelling of a different entity, or a name that has not yet generated any publicly indexed presence.

Porkbun LLC is a legitimate ICANN-accredited domain registrar founded circa 2014-2015, headquartered in Sherwood, Oregon, and managing over 3.45 million domains. While the company is not itself a scam operation, it has attracted scrutiny from the crypto security community — including on-chain investigator ZachXBT — for hosting phishing infrastructure linked to Angel Drainer and Inferno Drainer wallet-draining services, including fake Ledger sites. Third-party tracking platforms document hundreds of flagged phishing domains registered through Porkbun and allege that the company's abuse-response enforcement has been inadequate, with a majority of reported domains remaining active after formal abuse reports.

Trezor is a legitimate Prague-based hardware wallet manufacturer (SatoshiLabs) and one of the oldest in the industry, but it has accumulated a significant threat ecosystem around its brand. A January 2024 breach of its third-party support portal exposed contact data for approximately 66,000 users, which subsequently fueled targeted phishing campaigns delivered via email, physical mail, and fake apps. Trezor hardware devices have also been subject to disclosed physical attack vectors, including an alleged unpatchable flaw in the STM32 microcontroller used in the Trezor T model.