Avoid your next
big mistake

Saddle Finance was an Ethereum-based automated market maker (AMM) optimized for pegged-value assets such as stablecoins and wrapped BTC, founded in 2020 and launched in January 2021. The protocol suffered a critical exploit on April 30, 2022, when an attacker leveraged an unpatched MetaSwapUtils library bug to drain approximately $11 million via flash-loan-assisted price manipulation, with $3.8 million subsequently rescued by security firm BlockSec. The protocol formally wound down in September 2023 following a DAO vote (SIP-54) triggered in part by the broader DeFi security climate after the Curve Finance hack.

Nomad was a cross-chain messaging bridge operated by Illusory Systems, Inc. that suffered one of the largest DeFi exploits in history on August 1–2, 2022, when a smart contract initialization bug allowed approximately $190 million in user funds to be drained in a chaotic free-for-all involving over 300 wallet addresses. The protocol never recovered meaningful user adoption after a December 2022 relaunch, faced a class action lawsuit and an FTC enforcement action, and in December 2025 agreed to a settlement requiring repayment of $37.5 million to affected users.

Curve Finance is a major decentralized exchange and automated market maker (AMM) on Ethereum, optimized for low-slippage swaps of pegged assets such as stablecoins. On July 30, 2023, several of its liquidity pools were drained of approximately $70 million due to a reentrancy vulnerability in the Vyper smart contract compiler (versions 0.2.15, 0.2.16, and 0.3.0), one of the largest DeFi exploits of 2023. Separately, founder Michael Egorov's practice of using large CRV holdings as loan collateral across multiple DeFi protocols created systemic risk that culminated in a $140 million liquidation event in June 2024, generating over $10 million in bad debt across connected protocols.

Wintermute is a London-headquartered algorithmic trading firm and cryptocurrency market maker founded in 2017 by Evgeny Gaevoy. On September 20, 2022, the firm's DeFi operations were exploited for approximately $160 million after an attacker leveraged a known cryptographic vulnerability in the Profanity vanity address tool to compromise Wintermute's admin private key. The stolen funds were never recovered, though the firm remained solvent, repaid its outstanding DeFi loans, and has continued operating and expanding into U.S. markets.

Harmony's Horizon Bridge is a cross-chain bridge connecting the Harmony (ONE) blockchain to Ethereum and Binance Smart Chain, launched in October 2020. In June 2022, it was exploited for approximately $100 million by the Lazarus Group, a North Korea-affiliated state-sponsored hacking collective, through compromise of a 2-of-5 multisig scheme controlling bridge funds. The FBI formally confirmed Lazarus Group attribution in January 2023; as of 2025, full victim restitution has not been achieved.

Badger DAO is a decentralized autonomous organization and DeFi protocol launched in December 2020 focused on generating yield on Bitcoin-backed assets via Ethereum-based vaults. In December 2021, a front-end attack exploiting a compromised Cloudflare API key resulted in approximately $120–130 million in user funds being drained across roughly 500 wallets. As of 2025, the protocol has seen significant decline: its flagship eBTC product was sunset, BADGER was delisted from Binance, and total value locked has fallen to low single-digit millions.

Deribit is a crypto options and futures exchange founded in 2016 in the Netherlands by John and Marius Jansen, historically operated through a Panama-registered entity and now licensed under Dubai's VARA framework as Deribit FZE. The exchange suffered a $28 million hot wallet compromise on November 1, 2022, covering the loss entirely from its own balance sheet. Coinbase completed the acquisition of Deribit for approximately $2.9 billion on August 14, 2025, making it a subsidiary of a publicly traded, NASDAQ-listed U.S. company.

Euler Finance V1 was a permissionless DeFi lending protocol on Ethereum that launched in December 2021 and was exploited for approximately $197 million on March 13, 2023, in what was the largest DeFi hack of that year. The attack exploited a missing health check in the donateToReserves function introduced in EIP-14, despite the codebase having undergone multiple external audits. In a highly unusual outcome, the pseudonymous attacker known as 'Jacob' returned all recoverable funds by April 3, 2023, with the total recovered value reaching approximately $240 million due to ETH price appreciation during the recovery period.

Binance Bridge (BSC Token Hub) was the official cross-chain bridge connecting the BNB Beacon Chain (BEP2) and BNB Smart Chain (BEP20), operated by Binance. On October 6-7, 2022, an attacker exploited a critical flaw in the bridge's IAVL Merkle proof verification logic inherited from Cosmos SDK, forging deposit proofs to mint 2 million BNB (approximately $586 million at time of exploit). Although the BNB Chain was halted by validators to contain the damage — trapping roughly $430 million on-chain — approximately $110–137 million escaped to other networks before the halt took effect.

Mango Markets V3 was a Solana-based decentralized margin trading protocol that suffered a $116 million oracle manipulation attack in October 2022 executed by Avraham Eisenberg, who artificially inflated the MNGO token price to extract funds against fabricated collateral. The protocol subsequently reached a partial recovery settlement, faced SEC and CFTC enforcement actions, and formally wound down operations by January 2025.

Arbix Finance was a yield farming protocol on Binance Smart Chain (BSC) that executed a deliberate rug pull on January 4, 2022, draining approximately $10 million in user funds. The anonymous development team minted 10 million unbacked ARBX tokens, dumped them on PancakeSwap to collapse the price, drained all user vaults, bridged the stolen assets to Ethereum via AnySwap, laundered them through Tornado Cash, and deleted the project website, Twitter, and Telegram accounts. Despite holding a CertiK audit from November 2021, the exploited contract fell entirely outside the audit scope.

Bitrue is a Singapore-incorporated centralized cryptocurrency exchange founded in 2018 that suffered a confirmed $23 million hot wallet exploit in April 2023, with stolen funds subsequently laundered through Tornado Cash as recently as June 2025. The exchange holds no license from Singapore's Monetary Authority (MAS) and relies on a VASP registration in Lithuania — a lower-tier regulatory framework — while accumulating a persistent record of user complaints alleging unjustified account freezes and asset seizures.

Atomic Wallet is a non-custodial multi-asset cryptocurrency wallet founded in 2017 and headquartered in Tallinn, Estonia. In June 2023, the platform suffered one of the largest individual wallet hacks in cryptocurrency history when attackers — subsequently attributed with high confidence to North Korea's Lazarus Group — drained over $100 million from approximately 5,500 user wallets. A 2022 third-party security audit had publicly identified critical vulnerabilities that the company allegedly failed to remediate prior to the attack.

GDAC was a South Korean cryptocurrency exchange operated by Peertec Co., Ltd. that launched in May 2018 and was registered as a Virtual Asset Service Provider (VASP) with Korea's Financial Intelligence Unit (KoFIU). On April 9, 2023, attackers drained approximately $13–14 million from its hot wallets — representing 23% of total custodial assets — causing the exchange to permanently shut down with no compensation offered to affected users.

Transit Swap is a cross-chain DEX aggregator incubated by TokenPocket, supporting swaps across Ethereum, BNB Chain, Polygon, Tron, Solana, and other networks. On October 1–2, 2022, an attacker exploited an input validation vulnerability in the platform's swap contract, draining approximately $21–28.9 million in user funds across Ethereum and BNB Chain. The attacker subsequently returned roughly 70% of stolen assets after security firms identified the exploiter's IP address and email, though an estimated 30% of funds — including amounts routed through Tornado Cash — remain unrecovered.

MonoX was a decentralized exchange protocol built on Ethereum and Polygon using a novel single-token liquidity model, which raised $5M in September 2021 and launched mainnet shortly before suffering a critical smart contract exploit on November 30, 2021. The attacker exploited a missing validation check in the swap function — using the MONO token as both input and output — to artificially inflate its price and drain approximately $31M in user funds across both chains. The protocol attempted a relaunch via MonoX 2.0 with a debt-token compensation mechanism, but MONO has since collapsed to near-zero value with negligible trading activity.

Stake.com is a Curaçao-licensed cryptocurrency gambling and sports betting platform co-founded in 2017 by Australians Ed Craven and Bijan Tehrani, operating as one of the largest crypto casinos globally with reported 2024 revenue of $4.7 billion. On September 4, 2023, the platform suffered a critical security breach in which approximately $41.35 million in cryptocurrency was drained from its hot wallets across Ethereum, BNB Smart Chain, and Polygon networks; the FBI formally attributed the attack to North Korea's Lazarus Group (APT38) within 48 hours. Stake.com restored full operations within five hours of the incident and stated that user funds were not affected, though the root cause — a likely hot wallet private key compromise — has never been officially confirmed by the company.

Mixin Network is a Hong Kong-based layer-2 cross-chain payment protocol that suffered the largest single crypto hack of 2023 when attackers compromised its cloud service provider's database and drained approximately $200 million in ETH, BTC, and USDT. The network remains operational but has only partially compensated users, the majority of stolen funds remain unrecovered, and a dormant attacker wallet moved funds to Tornado Cash in February 2026.

Multichain (formerly AnySwap) was a cross-chain bridge protocol that collapsed in mid-2023 following the arrest of its CEO Zhaojun by Chinese police in May 2023, which resulted in the seizure of private keys controlling over $1.5 billion in user assets. On July 7, 2023, approximately $126–127 million was drained from Multichain bridge reserves in transfers widely attributed to Chinese authorities or insiders with access to the CEO's confiscated key material. The protocol formally ceased operations on July 14, 2023, leaving users with unrecoverable losses.

Balancer V2 is a decentralized automated market maker (AMM) protocol launched in 2021 on Ethereum and multiple chains that separates AMM logic from token custody via a central Vault architecture. The protocol has experienced at least four documented security incidents across its V1 and V2 deployments, including a November 2025 exploit that drained approximately $128 million and directly led to the dissolution of Balancer Labs, the corporate entity behind the protocol, announced in March 2026.

Poloniex is a cryptocurrency exchange founded in 2014 and acquired in 2019 by an investor group led by Tron founder Justin Sun. On November 10, 2023, the exchange suffered one of the largest hot wallet compromises in crypto history, with attackers draining approximately $126 million across Ethereum, TRON, and Bitcoin networks in an attack attributed by multiple blockchain security firms to North Korea's Lazarus Group. The exchange has also faced significant regulatory enforcement actions, including a $7.59 million OFAC sanctions settlement and a $10.4 million SEC settlement for operating an unregistered national securities exchange.

Orbit Bridge is a cross-chain interoperability protocol developed by South Korean blockchain firm Ozys that suffered one of the largest bridge exploits in crypto history on December 31, 2023, losing approximately $81.5 million in ETH, WBTC, USDT, USDC, and DAI. The attacker allegedly compromised seven of ten multisig signatories after a former chief information security officer allegedly weakened the company firewall before departing, and blockchain analysts have linked the attack's patterns to North Korea's Lazarus Group, though no formal attribution has been confirmed by authorities. As of 2025, the majority of stolen funds remain unrecovered, with the attacker having laundered over 17,000 ETH through Tornado Cash.

Munchables is a Blast-chain NFT game that suffered a $62.5 million exploit on March 26, 2024, when a contractor later attributed to North Korea exploited a backdoor they had embedded in the project's upgradeable smart contracts before launch. The developer surrendered private keys and the full sum was recovered within approximately 24 hours, but the incident exposed fundamental failures in contractor due diligence and smart contract architecture.

Kronos Research is a Taipei-based cryptocurrency quantitative trading firm and market maker founded in 2018 by Mark Pimentel and Jack Tan. The firm experienced two serious security incidents within months of each other in 2023: an insider sabotage case in which two disgruntled engineers tampered with trading code causing $1.4 million in losses, and an external hack in November 2023 where compromised API keys led to the theft of approximately $25–26 million. The November hack cascaded onto WOO X, an exchange Kronos incubated and served as primary liquidity provider, causing a temporary trading halt and liquidations for 227 users.

KyberSwap Elastic is the concentrated liquidity automated market maker (AMM) component of Kyber Network, a decentralized exchange protocol deployed across more than a dozen EVM-compatible blockchains. On November 22–23, 2023, it suffered the largest DeFi exploit of that year — approximately $48–56 million drained via a precision rounding bug in its tick-crossing swap logic — after which the alleged attacker issued an on-chain ultimatum demanding full executive control of the company. Canadian national Andean Medjedovic was indicted by U.S. prosecutors in February 2025 on charges including wire fraud, computer hacking, and extortion; he remains a fugitive as of mid-2026.

Prisma Finance is a Liquity-forked, Ethereum-based DeFi protocol that allowed users to mint overcollateralized stablecoins (mkUSD and ULTRA) against liquid staking tokens (LSTs) such as wstETH, rETH, sfrxETH, and cbETH. On March 28, 2024, a critical vulnerability in the protocol's MigrateTroveZap helper contract was exploited for approximately $11.6 million, with a total loss across all attacker wallets of roughly $12.3 million; the primary exploiter sent the majority of stolen funds through Tornado Cash while claiming a 'whitehat rescue,' and as of 2026 the protocol's TVL has collapsed from a pre-exploit peak of approximately $220 million to under $300K.

Gala Games is a blockchain gaming platform founded in 2019 by Eric Schiermeyer and Wright Thurston whose GALA token has been at the center of two major controversies: a 2023 civil lawsuit alleging Thurston stole 8.6 billion GALA tokens (~$130M) from company wallets, and a separate May 2024 smart contract exploit in which an unauthorized minter minted 5 billion tokens worth approximately $200M. Both co-founders have filed competing civil suits alleging misappropriation of hundreds of millions of dollars, while Thurston also faces an unrelated SEC fraud action over a separate crypto mining venture.

DMM Bitcoin was a licensed Japanese cryptocurrency exchange operated by DMM Group (DMM.com) that launched in January 2018. In May 2024 it suffered the eighth-largest crypto theft in history when North Korean state-sponsored hackers attributed to the TraderTraitor subgroup of Lazarus Group stole 4,502.9 BTC (approximately $305–308 million USD) through a sophisticated supply-chain attack targeting Ginco, a third-party wallet management provider. Following the hack, Japan's Financial Services Agency issued a business improvement order, the exchange restricted operations, and in December 2024 announced full closure with all customer assets transferred to SBI VC Trade by March 2025.

Hedgey is a token vesting, lockup, and claims protocol that served over 100 on-chain projects before suffering a critical smart contract exploit on April 19, 2024, resulting in the theft of approximately $44.7 million across Ethereum and Arbitrum. The vulnerability — a missing input validation check in the ClaimCampaigns.sol contract — was present despite two prior audits by ConsenSys Diligence. No confirmed recovery of stolen funds has been reported; Hedgey was subsequently acquired by Anchorage Digital in late 2025.

Sonne Finance is a Compound V2 fork deployed on Optimism that was exploited for approximately $20 million on May 14, 2024, in what became the largest exploit in Optimism's history. The attack exploited a well-known precision-loss donation vulnerability in Compound V2 forks, triggered during the rollout of a new VELO token market; the attacker leveraged a multi-transaction deployment architecture and a two-day timelock window to manipulate exchange rates and drain user funds.

UwU Lend is an Ethereum-based DeFi lending protocol forked from Aave V2, launched in September 2022 and operated by Michael Patryn (known pseudonymously as 0xSifu), a co-founder of the collapsed Canadian crypto exchange QuadrigaCX and a convicted felon. In June 2024, the protocol was exploited twice by the same attacker — first for approximately $19.3 million on June 10 and again for $3.7 million on June 13 — via oracle price manipulation using flash loans, bringing combined losses to approximately $23 million.

Indodax (formerly Bitcoin Indonesia) is Indonesia's largest licensed cryptocurrency exchange, founded in 2014 by Oscar Darmawan and William Sutanto and serving over 9.6 million users. In September 2024, the exchange suffered a major security breach attributed to North Korea's Lazarus Group, resulting in approximately $22–25 million in losses across multiple blockchains. The exchange pledged full reimbursement to affected users, resumed operations within roughly 80 hours, and has since undergone a leadership restructuring.

BingX is a Singapore-headquartered centralized cryptocurrency exchange founded in 2018 (originally as Bingbon), operating across 160+ countries with over 10 million reported users. In September 2024, the exchange suffered a confirmed hot wallet breach totaling approximately $52 million across at least seven blockchain networks, with on-chain forensics subsequently linking the attack to North Korea's Lazarus Group. The exchange pledged full user compensation from reserves and resumed withdrawals within days, but independently unverified regulatory claims and initial opacity around the breach raise ongoing due-diligence concerns.

WazirX, operated in India by Zanmai Labs Pvt. Ltd., suffered a $234.9 million hack attributed to North Korea's Lazarus Group on July 18, 2024, freezing user funds and triggering multiple Indian regulatory investigations. India's Supreme Court dismissed a victims' petition in April 2025 citing a lack of crypto regulatory framework, while the Enforcement Directorate, Financial Intelligence Unit, and other agencies have opened probes into the exchange's operations, ownership structure, and alleged links to terror financing. A Singapore court approved a restructuring plan in October 2025, offering partial recovery to creditors.

Penpie is a yield-boosting DeFi protocol built on Pendle Finance by the Magpie DAO ecosystem, allowing users to earn boosted yields on Pendle liquidity pools without directly locking PENDLE tokens. On September 3, 2024, an attacker exploited a reentrancy vulnerability in Penpie's staking contract to drain approximately $27.3 million across Ethereum and Arbitrum, subsequently laundering all stolen funds through Tornado Cash and ignoring recovery appeals. The protocol filed reports with the FBI and Singapore Police but recovered no funds; a partial community compensation plan was proposed but not fully executed.

The US government holds one of the largest concentrations of seized cryptocurrency in the world, accumulated through major law enforcement actions including the 2016 Bitfinex hack and the Silk Road darknet marketplace. In October 2024, a government-controlled wallet linked to Bitfinex seizure funds was drained of approximately $20 million in what was subsequently attributed to alleged insider theft by John Daghita, son of a US Marshals Service contractor, who was arrested in Saint Martin in March 2026 after a blockchain investigation by ZachXBT exposed the scheme.

Phemex is a centralized cryptocurrency derivatives exchange founded in November 2019 by former Morgan Stanley executives and registered in the British Virgin Islands. In January 2025, the exchange suffered one of the largest crypto hacks of that year, with an estimated $69–85 million drained from hot wallets across 16 blockchains, subsequently attributed to North Korea's Lazarus Group through on-chain evidence linking the same wallets to the February 2025 Bybit hack. Phemex has also faced formal regulatory enforcement actions in Ontario, Canada, and operates without authorization in the United Kingdom.

Infini is a Hong Kong-based stablecoin neobank offering yield-bearing accounts and a global payment card. On February 24, 2025, a former developer who had covertly retained administrative privileges over Infini's smart contracts drained approximately $49.5 million in USDC from the Morpho MEVCapital vault, converting the funds to ETH and routing them through Tornado Cash. As of May 2026, no funds have been recovered, and the attacker's wallet remained active through at least February 2026.

M2 Exchange is an Abu Dhabi-based centralized cryptocurrency exchange licensed by the ADGM FSRA that suffered a $13.7 million hot wallet breach on October 31, 2024, attributed to an access control vulnerability spanning Bitcoin, Ethereum, and Solana. The exchange claims to have covered all customer losses from company reserves within hours of the incident, though the lack of a public post-mortem and two CEO transitions within eighteen months raise unresolved transparency questions.

Polter Finance was a decentralized lending protocol on the Fantom blockchain that suffered a critical oracle price manipulation exploit on November 16, 2024, resulting in losses estimated between $8.7 million and $12 million. The protocol was an unaudited fork of Geist Finance that relied on spot prices from SpookySwap liquidity pools as its oracle, a fundamental design flaw that allowed an attacker using funds originating from Tornado Cash to drain nearly all protocol TVL. The platform ceased operations following the hack, with no confirmed recovery of stolen assets as of mid-2026.

Injective Protocol is a Layer 1 blockchain built on the Cosmos SDK, designed for decentralized finance applications including derivatives, perpetuals, and spot trading via a fully on-chain order book. Founded in 2018 by Eric Chen and Albert Chon and backed by Binance Labs, Pantera Capital, and Mark Cuban, it launched its canonical mainnet in November 2021 and has grown to a top-tier DeFi chain. No regulatory enforcement actions have been identified against Injective; however, concerns exist around a 2025-2026 bug bounty dispute involving an alleged $500 million critical vulnerability, validator stake concentration, and third-party scams impersonating the protocol.

Celestia is a modular blockchain network that provides a dedicated data availability (DA) layer, allowing rollups and other chains to post transaction data cheaply and verifiably. Its native token TIA launched via mainnet and airdrop on October 31, 2023, and reached an all-time high near $20.85 in early 2024 before declining approximately 95% from peak. The project has faced serious community criticism over aggressive token unlock schedules, alleged insider selling by founders and early investors, airdrop manipulation by sybil attackers, and questions about whether its ecosystem has achieved real developer adoption.

Sei Network is a Layer 1 blockchain developed by Sei Labs, co-founded in 2021 by Jayendra Jog and Jeff Feng, designed to optimize high-throughput trading and DeFi with a parallelized EVM architecture. The project raised $35 million across seed and Series A rounds from prominent crypto VCs, launched its mainnet in August 2023, and has grown to over $600 million in TVL as of mid-2025. While no regulatory enforcement actions have been brought against Sei Labs or the Sei Foundation directly, the project faced community backlash over its 2023 airdrop distribution and carries structural risk concerns related to token unlock schedules, insider allocation concentration, and a low validator decentralization score.

Polygon (formerly Matic Network) is a Layer 2 scaling solution for Ethereum, originally founded in 2017 by Jaynti Kanani, Sandeep Nailwal, and Anurag Arjun. The project rebranded from Matic Network to Polygon in February 2021 and has grown into one of the most widely used Ethereum scaling platforms, though it has faced regulatory scrutiny from the SEC, allegations of token misallocation by on-chain analytics firm ChainArgos, and a significant undisclosed security vulnerability patched in 2021. The network's native token migrated from MATIC to POL in September 2024 as part of a broader Polygon 2.0 roadmap.

Cetus Protocol is a concentrated liquidity market maker (CLMM) and the dominant decentralized exchange on the Sui Network, launched in 2023. On May 22, 2025, an arithmetic overflow vulnerability in its fixed-point math library enabled an attacker to drain approximately $223 million from liquidity pools in the largest DeFi exploit of 2025, of which roughly $162 million was subsequently frozen by Sui validators and later returned to affected users via an on-chain governance vote. The incident raised significant concerns about smart contract security, audit effectiveness, and the degree of decentralization on the Sui network.

DEXX is a Solana-based on-chain memecoin trading terminal that suffered a catastrophic private key compromise on November 16, 2024, resulting in approximately $30 million in user losses across more than 8,600 wallets. Despite marketing itself as non-custodial, DEXX stored user private keys in plaintext on its own servers — a centralization risk that CertiK had flagged as unresolved prior to the breach. A partial compensation initiative led by LBank was announced in early 2025, but full recovery of stolen funds remains unlikely as the attacker laundered substantial ETH through Tornado Cash.

WOO X is a centralized cryptocurrency exchange founded in 2019 and incubated by Taiwanese quantitative trading firm Kronos Research, offering spot and derivatives trading with a focus on deep liquidity and low fees. The exchange has experienced two significant security events: a November 2023 liquidity crisis triggered by a $26 million hack of its primary market maker Kronos Research, and a July 2025 $14 million breach of nine user accounts attributed to a North Korean state-sponsored group (UNC4899/Lazarus) via phishing of a developer. Both incidents resulted in user compensation from company reserves, though the pattern of security failures and structural dependency on Kronos Research represent elevated counterparty and operational risk.

Cork V1 is a DeFi depeg protection protocol built on Ethereum that launched its public beta on March 4, 2025 and was exploited for approximately $12 million on May 28, 2025, less than three months after launch. The exploit resulted from a lack of input validation in the CorkHook smart contract and permissionless market creation logic, a vulnerability that slipped past four separate security audits from Quantstamp, Cantina, Sherlock, and Runtime Verification — three of which explicitly excluded the vulnerable contract from scope. All protocol functions were paused following the incident, stolen funds were laundered through Tornado Cash, and no user compensation plan has been publicly confirmed.

ThalaSwap is the decentralized exchange component of Thala Labs, an Aptos-based DeFi protocol offering an AMM, the Move Dollar (MOD) overcollateralized stablecoin, liquid staking, and a launchpad. On November 15, 2024, an input-validation bug introduced in a two-line patch to the v1 farming contract allowed an attacker to drain $25.5 million in liquidity pool tokens; funds were fully recovered within hours after SEAL 911 identified the exploiter via on-chain evidence and the attacker returned assets in exchange for a $300,000 bounty.

SwissBorg is a Swiss-based crypto wealth management and exchange aggregator founded in 2017, holding MiCA authorization from France's AMF and VQF membership in Switzerland. In September 2025, the platform suffered a $41.5 million loss when its staking partner Kiln's API was compromised via a GitHub token theft and Kubernetes pod injection, resulting in the unauthorized transfer of 192,600 SOL from SwissBorg's SOL Earn program; the company subsequently pledged full reimbursement from treasury funds. While SwissBorg maintains legitimate regulatory standing and transparency measures including Proof of Liabilities, the third-party supply chain failure exposes material counterparty risk in its Earn product architecture.

Truebit is an Ethereum-based protocol for verifiable off-chain computation, co-founded by mathematician Jason Teutsch and Solidity creator Christian Reitwiessner. On January 8, 2026, an integer overflow vulnerability in a five-year-old, closed-source legacy Purchase contract was exploited, draining 8,535 ETH (approximately $26.44 million) and causing the TRU token to collapse by over 99.9%; the attacker subsequently laundered all stolen funds through Tornado Cash.

Matcha (matcha.xyz) is a DEX aggregator built and operated by 0x Labs, launched in 2020, that routes trades across 130+ liquidity sources on 15+ blockchains using the 0x Protocol. The core Matcha platform has no history of direct exploits; however, Matcha Meta — a related but distinct meta-aggregator product launched later by the same team — suffered a $13.4M exploit in January 2026 via a third-party SwapNet contract, affecting users who had disabled the platform's default one-time approval security setting. 0x Labs is a well-funded, established entity whose protocol contracts have been audited by Trail of Bits, OpenZeppelin, and Ouroboros, and whose bug bounty program offers up to $1M via Immunefi.

UXLINK is a Singapore-based Web3 social infrastructure protocol that suffered a critical $11.3 million multisig exploit in September 2025, in which an attacker used deepfake video technology to socially engineer a team member, then minted up to 10 trillion unauthorized tokens — collapsing the token price by over 90%. The project has raised over $15 million from credible VCs including HashKey Capital and SevenX Ventures, but centralization risks in its smart contract architecture and persistent post-hack selling pressure have left the token trading at roughly 99% below its pre-hack highs as of May 2026.

Garden Finance (garden.finance) is a Bitcoin cross-chain bridge and swap protocol launched in December 2023 by former Ren Protocol core team members, using Hashed Timelock Contracts (HTLCs) and an intents-based solver network to enable non-custodial Bitcoin swaps across chains. In October 2025, a compromised solver operator lost approximately $11.4 million in a security incident attributed by forensic investigators to a North Korea-linked threat actor. Prior to the exploit, blockchain investigator ZachXBT alleged that a substantial portion of Garden's volume — with estimates ranging from 25% to over 75% — originated from illicit sources including funds stolen in the $1.46 billion Bybit hack by Lazarus Group, allegations the team disputed but did not fully refute.

Blend Pools V2 is a modular, permissionless lending protocol built on the Stellar blockchain by Script3, launched as an upgrade to Blend V1 with additions including flash loans and a reduced backstop threshold. In February 2026, a community-managed pool built on top of the protocol (YieldBlox DAO Pool) suffered a $10.8 million oracle manipulation exploit; Script3 stated the core V2 contracts were not at fault, attributing the incident to pool-operator misconfiguration of the Reflector VWAP oracle.

BALD was a memecoin launched on Coinbase's Base Layer 2 network on July 29, 2023, allegedly named as a reference to Coinbase CEO Brian Armstrong's appearance. After attracting over $66 million in ETH to its liquidity pool through aggressive liquidity additions and a price surge of approximately 4,000,000% within 24 hours, the anonymous deployer removed approximately $25.6 million in liquidity on July 31, 2023, causing the token price to collapse by roughly 90%. On-chain investigators linked the deployer's wallet to addresses with documented interactions with Alameda Research, with Wintermute's head of research publicly identifying former Alameda co-CEO Sam Trabucco as the most likely suspect — though no conclusive proof of identity was ever established.

Blizz Finance was a decentralized lending protocol on Avalanche, forked from Aave v2, that launched in November 2021 and was rendered insolvent in May 2022 when the Terra LUNA collapse triggered a Chainlink oracle circuit breaker that froze the LUNA price at $0.10 while the token's actual market price fell to near zero. Attackers exploited the stale price feed to borrow approximately $8.3 million in protocol assets using nearly worthless LUNA as collateral, draining the protocol entirely. The team announced permanent shutdown shortly after, recovering and distributing only approximately $1.5 million to affected users.

AlphaPo is a cryptocurrency payment processor incorporated in Panama and operating primarily in the online gambling sector, serving clients such as HypeDrop, Bovada, and Ignition. On July 22, 2023, attackers drained approximately $60 million in ETH, BTC, and TRX from its hot wallets via a private key compromise, disrupting withdrawals across multiple dependent platforms. On-chain investigator ZachXBT and subsequently the FBI attributed the attack to the DPRK-affiliated Lazarus Group (also designated TraderTraitor and APT38), placing the incident within a broader 2023 North Korean cryptocurrency theft campaign that totaled over $200 million.

GMX V1 was a decentralized perpetual exchange on Arbitrum and Avalanche that operated from September 2021 until July 2025, when a reentrancy exploit drained approximately $42 million from its GLP liquidity pool. The protocol has since disabled all V1 trading and GLP minting; it is no longer an active product, with users directed to GMX V2, which was unaffected by the exploit.

Team Finance is a DeFi token-locking and vesting platform operated by TrustSwap Inc. that suffered a critical $14.5 million exploit on October 27, 2022, when an attacker abused a validation flaw in its Uniswap V2-to-V3 migration function. The attacker ultimately returned approximately $7 million, retaining roughly 10% as a self-declared bug bounty; Team Finance subsequently switched auditors to CertiK and reported full user reimbursement by June 2023.

Radiant Capital is a decentralized cross-chain lending protocol built on LayerZero that suffered two significant security incidents in 2024: a $4.5 million flash loan exploit in January 2024 and a far more devastating $50 million multisig compromise in October 2024. The October hack, attributed by Mandiant with high confidence to North Korean state-sponsored group UNC4736 (Citrine Sleet / AppleJeus), involved a months-long social engineering campaign, macOS malware deployment on developer devices, and manipulation of hardware wallet signing interfaces to drain funds across BNB Chain and Arbitrum.

Furucombo is an Ethereum-based DeFi composability protocol launched in March 2020 that enables users to batch complex multi-protocol transactions via a drag-and-drop interface. On February 27, 2021, the protocol suffered a critical 'evil contract' exploit in which an attacker spoofed a new Aave v2 implementation via Furucombo's proxy, draining approximately $14–15 million in ETH and ERC-20 tokens from 22 users who had granted standing token approvals to the platform. The team responded with a compensation plan issuing iouCOMBO tokens subject to a 360-day vesting schedule, but the incident exposed fundamental risks in delegatecall-based proxy architectures and broad token approval models.

Huobi, rebranded to HTX in September 2023, is a major centralized cryptocurrency exchange founded in 2013 that came under the de facto control of Tron founder Justin Sun in late 2022. The exchange has suffered three significant security incidents since September 2023, faces extensive regulatory non-compliance across multiple jurisdictions, and its proof-of-reserves methodology has been subject to credible allegations of double-counting and asset manipulation by investigative outlets.

Beanstalk is an Ethereum-based algorithmic stablecoin protocol that on April 17, 2022 suffered one of DeFi's largest governance exploits, losing approximately $182 million after an attacker used flash loans to acquire a supermajority vote and pass a malicious proposal draining the protocol's treasury. The protocol relaunched in August 2022 following a community fundraiser called the Barn Raise, but its BEAN stablecoin has never recovered its peg and total value locked remains a fraction of pre-exploit levels.

Heco Bridge was the official cross-chain bridge connecting the HECO Chain (HTX Eco Chain) to Ethereum, operated by HTX (formerly Huobi) and associated with Justin Sun. On November 22, 2023, the bridge operator's private key was compromised, resulting in the theft of approximately $86.6 million in crypto assets; combined with a simultaneous HTX hot wallet breach, total losses reached approximately $99 million. Blockchain analytics firm Elliptic attributed the attack to North Korea's Lazarus Group, which subsequently laundered over $100 million of the proceeds through Tornado Cash. The HECO Network was permanently shut down on January 15, 2025.

FixedFloat (ff.io) is a non-custodial, no-KYC cryptocurrency swap exchange launched in 2018 that suffered two confirmed security breaches in 2024 totaling approximately $28.9 million in stolen assets. Both attacks were attributed to the same threat actor exploiting vulnerabilities in FixedFloat's third-party hosting provider, Time4VPS, and stolen funds were routed through the eXch mixer — a service subsequently shut down by German authorities for laundering proceeds from major crypto thefts. The platform resumed operations after a two-month suspension but has faced ongoing scrutiny for its anonymity-first model, opaque team structure, and inadequate incident disclosure.

Bitget is a Seychelles-incorporated centralized cryptocurrency exchange founded in 2018, offering spot, futures, and copy trading to a claimed user base exceeding 150 million. While the exchange has never suffered a direct hack of user funds and publishes monthly proof-of-reserves attestations, it faces a pattern of serious regulatory actions across multiple jurisdictions — including blacklisting by France's AMF, warnings from Australia's ASIC and Japan's FSA, and a ban by the Philippines SEC — and has attracted allegations from blockchain investigator ZachXBT that it knowingly enabled supply-control market manipulation schemes targeting retail traders in 2026.

Elephant Money is a Binance Smart Chain DeFi protocol offering the ELEPHANT reward token and TRUNK stablecoin that suffered a $22.2 million flash loan price-manipulation exploit in April 2022, with stolen funds laundered through Tornado Cash. Independent analysts have additionally alleged that the protocol's yield mechanics constitute a structurally unsustainable Ponzi scheme dependent on continuous new capital inflows.

Pando Rings is an algorithmic lending and borrowing protocol built on the Mixin Network by Fox One, modeled on Compound Finance. On November 5, 2022, an attacker exploited a price oracle vulnerability tied to the sBTC-WBTC LP token on 4swap to drain approximately $21.9 million in ETH, BTC, and EOS from the protocol; an additional ~$50 million remained frozen in the attacker's wallets. The protocol subsequently suffered further losses in the September 2023 Mixin Network infrastructure breach, and as of late 2023 remained in a limited operational state with interest accrual and liquidations suspended.

DogWifTools is a Solana-based memecoin tooling platform that markets features explicitly designed to simulate artificial trading volume, conceal supply concentration across hundreds of wallets, and inflate engagement metrics on pump.fun — capabilities that security researchers and blockchain analysts characterize as enabling wash trading and coordinated pump-and-dump schemes. In January 2025, the platform suffered a supply-chain attack in which threat actors trojaned versions 1.6.3 through 1.6.6 with a Remote Access Trojan, draining an estimated $10 million from users' wallets; the attacker group framed the theft as vigilante justice against scammers. No known regulatory action has been taken against DogWifTools operators, who remain anonymous.

Resolv is a DeFi protocol issuing USR, a delta-neutral stablecoin backed by ETH with perpetual futures hedging, developed by Resolv Labs. On March 22, 2026, the protocol suffered a critical exploit in which an attacker compromised Resolv's AWS key management infrastructure to mint 80 million unbacked USR tokens, extracting approximately $23–25 million in ETH and triggering a severe stablecoin depeg. The protocol remains paused as of May 2026 while recovery and infrastructure remediation are underway.

Rhea Lend is the lending arm of Rhea Finance, a DeFi protocol on NEAR Protocol formed in early 2025 through the merger of Ref Finance and Burrow Finance. In April 2026, Rhea Lend suffered a major exploit in which an attacker drained approximately $18.4 million by exploiting a flaw in the protocol's slippage protection mechanism via a fake-token pool manipulation scheme. Partial recovery of approximately $9–13 million was achieved through voluntary returns and asset freezes, but the incident represents a critical security failure on an audited protocol.

Curio (CurioDAO) is a multi-chain real-world asset (RWA) DeFi protocol that suffered a critical smart contract exploit on March 23, 2024, resulting in approximately $16 million in losses after an attacker exploited a voting-power privilege escalation vulnerability to mint approximately 1 billion unauthorized CGT governance tokens. The protocol had no known third-party security audits prior to the exploit and relied on internal reviews. Curio announced a recovery plan including a new CGT 2.0 token and a phased compensation program, though independent verification of full compensation delivery remains limited.

Upbit is South Korea's largest cryptocurrency exchange by trading volume, operated by Dunamu and commanding approximately 70–80% of the domestic market. The exchange has suffered two significant security breaches — a $49M ETH theft in 2019 and a $36M Solana breach in November 2025, both attributed to North Korea's Lazarus Group — and has faced substantial regulatory sanctions including a $25M AML/KYC fine and a court-contested three-month partial business suspension. While Upbit has consistently reimbursed users from its own assets after security incidents and retains official VASP registration, its pattern of compliance failures, market dominance concerns, and repeated hacks present elevated risk.

Abracadabra.money is a multi-chain DeFi lending protocol that allows users to mint the MIM (Magic Internet Money) USD-pegged stablecoin using interest-bearing tokens as collateral. The protocol has been compromised three times since January 2024, losing a combined total of over $21 million, and its founding ecosystem was shaken in January 2022 when co-founder Daniele Sestagalli's associate — Wonderland's pseudonymous treasury manager known as 0xSifu — was publicly identified as Michael Patryn, a convicted felon and co-founder of the fraudulent exchange QuadrigaCX. The SPELL token has declined approximately 99.5% from its November 2021 all-time high, and the protocol's total value locked has collapsed from over $776 million to under $30 million.

Grinex is a Kyrgyzstan-registered cryptocurrency exchange widely assessed by blockchain intelligence firms and U.S. regulators as a direct successor to Garantex, a sanctioned Russian exchange seized in March 2025. Grinex was formally sanctioned by OFAC in August 2025 for facilitating billions in cryptocurrency transactions linked to ransomware groups, darknet markets, and Russian sanctions evasion. In April 2026, the exchange suspended operations following a reported $13.7 million hack it attributed to Western intelligence agencies — a claim for which no technical evidence was presented and which analysts have suggested may mask an internal exit scam.

Kelp (also known as Kelp DAO) is a liquid restaking protocol built on Ethereum and EigenLayer that issues rsETH, a liquid restaked token. In April 2026 the protocol suffered the largest DeFi exploit of 2026 to date when attackers, attributed to North Korea's Lazarus Group, drained approximately $292 million in rsETH through a compromised LayerZero cross-chain bridge configuration. The protocol and an industry coalition dubbed DeFi United are actively working to restore collateral and resume operations as of May 2026.

Step Finance was a Solana-based DeFi portfolio management and analytics platform founded by George Harrap that operated from 2021 until February 2026. On January 31, 2026, attackers compromised executive team devices and drained approximately $40 million in treasury assets, representing a catastrophic operational security failure. The platform was unable to secure financing or an acquisition to continue operating and formally shut down on February 23, 2026, along with affiliated projects SolanaFloor and Remora Markets.

Cashio was a Solana-based algorithmic stablecoin protocol that issued the CASH token, collateralized by Saber LP tokens. On March 23, 2022, an attacker exploited a critical missing validation flaw in the smart contract to mint approximately 2 billion CASH tokens backed by worthless fake collateral, draining roughly $52 million in real assets and permanently destroying the token's USD peg. The protocol was unaudited, never compensated victims in full, and its pseudonymous creator later admitted the code was rushed and insecure.

Cod3x (CDX) is a rebranded DeFi and AI-agent platform launched in February 2025, consolidating several prior protocols built by the Byte Masons development collective — including Reaper Farm, Granary Finance, and the OATH Foundation — under a unified 'DeFAI' vision. The team has operated continuously since 2021, is publicly identified under founder Justin Bebis, and previously managed billions in TVL across Fantom and Optimism. The project carries material historical risk: Reaper Farm suffered a $1.7 million access-control exploit in August 2022, and the Ironclad protocol — a remaining Byte Masons-adjacent lending market — was affected by the February 2025 Ionic Money exploit contagion. CDX launched at an all-time high of approximately $0.25 in February 2025 and had fallen over 80% to an all-time low near $0.017 by May 2025, as of the time of this investigation.

Pokemon itself is a legitimate intellectual property owned by The Pokemon Company International, Nintendo, and Game Freak. However, the brand has been extensively exploited in various scam operations including fraudulent NFT projects, trading card fraud schemes, counterfeit merchandise sales, and cryptocurrency investment scams that have collectively resulted in millions of dollars in losses.

Dogecoin (DOGE) is a cryptocurrency created in December 2013 by Billy Markus and Jackson Palmer as a deliberate parody of Bitcoin. It has grown to a top-10 cryptocurrency by market cap (~$17B). While the protocol itself has no documented exploits, Dogecoin carries risks from Elon Musk's outsized price influence (an $258B class action was filed and dismissed), significant whale concentration (149 wallets hold ~108.5B DOGE), and documented illicit use including PlusToken seizures and darknet market acceptance.

Mad Lads is a Solana-based NFT collection launched in April 2023 by Coral, the development company behind Backpack wallet. Created by former Alameda Research and FTX employees Armani Ferrante and Tristan Yver, the project gained significant attention for its innovative mint process that used honeypot tactics to deter bots and for being the first major xNFT collection.

Amazon Web Services is a leading cloud computing platform that controls 38% of the cloud infrastructure market. While generally reliable and secure, AWS has experienced multiple significant outages and faces ongoing privacy lawsuits, though no major regulatory sanctions have been identified in recent searches.

Tesla, Inc. is a publicly traded electric vehicle and clean energy company led by CEO Elon Musk. While the company has achieved significant market success and technological advances, it faces ongoing regulatory scrutiny regarding securities disclosures, workplace safety allegations, and autonomous driving claims.

Amazon is a major e-commerce and technology company that has faced significant regulatory challenges and consumer protection issues. While not itself a scam, Amazon's scale has made it a frequent target for impersonation scams and has led to multiple regulatory actions including a $2.5 billion FTC settlement for deceptive Prime subscription practices.

Ethereum (ETH) is the second-largest cryptocurrency by market capitalization (~$278 billion as of May 2026) and the leading smart-contract platform, hosting the majority of decentralized finance (DeFi) and NFT activity. The protocol has a documented history of governance controversy stemming from the 2016 DAO hack hard fork, ongoing centralization concerns around liquid staking and MEV infrastructure, and persistent smart-contract and phishing-based fraud targeting end users, though Ethereum itself has not been the subject of any regulatory enforcement action and its spot ETFs have received SEC approval.

Kaspa is a proof-of-work cryptocurrency launched in November 2021 that implements the GHOSTDAG blockDAG protocol, developed from academic research by Yonatan Sompolinsky at the Hebrew University of Jerusalem. The project claims a fair launch with no premine, no ICO, and no venture capital allocation to insiders, though pre-launch R&D was funded by Polychain Capital through the now-dissolved DAGLabs entity. Kaspa has a credible technical foundation and transparent governance, but faces centralization concerns from institutional ASIC miners and carries unresolved questions about the erasure of early transaction history following a genesis reset in November 2021.

Chainlink is a decentralized blockchain oracle network founded in 2017 by Sergey Nazarov and Steve Ellis, with Cornell University professor Ari Juels co-authoring the whitepaper. The protocol provides smart contracts with tamper-resistant access to off-chain data and computation, holding an estimated 69–70% share of the oracle market and enabling over $26 trillion in cumulative transaction value as of 2025. No regulatory actions have been filed against Chainlink or its parent entity, Chainlink Labs; the primary documented concerns center on token-supply centralization and a 2020 campaign by an anonymous entity publishing unverified fraud allegations that were subsequently discredited.

Canton Network (CC) is an enterprise-grade Layer-1 blockchain developed by Digital Asset Holdings, designed for tokenizing real-world assets with configurable privacy features and institutional-grade compliance. Ranked approximately #18 by market cap at roughly $5.9 billion as of May 2026, the network has attracted major institutional validators including DTCC, Goldman Sachs, Visa, and Euroclear, and its parent company Digital Asset is pursuing a reported $300 million fundraise at a $2 billion valuation led by a16z crypto. The network faces documented criticism from crypto-native observers over centralization trade-offs, data mutability departing from traditional blockchain immutability norms, and concentrated influence held by co-founder DRW Trading Group.

Uniswap is a decentralized exchange (DEX) protocol built on Ethereum, founded in November 2018 by Hayden Adams and operated commercially by Uniswap Labs. It is the largest DEX by trading volume globally, using an automated market maker (AMM) model. The protocol has faced significant regulatory scrutiny — including an SEC Wells notice in April 2024 (closed without action in February 2025), a CFTC settlement resulting in a $175,000 penalty in September 2024, and a multi-year scam-token class action dismissed with prejudice in March 2026 — while remaining operationally active and technologically mature through its v4 release.

BCAP is the world's first tokenized venture capital fund interest, issued in April 2017 as a Regulation D security token. It represents a non-voting economic interest in Blockchain Capital's Fund III. The firm manages $2B+ AUM with portfolio companies including Coinbase, Kraken, and Circle. Key risks include a $6.3M SIM-swap attack on co-founder Bart Stephens, Brock Pierce founding controversy, Epstein/Coinbase periphery connections, and effectively zero secondary market liquidity despite the token wrapper. No SEC enforcement actions exist.

Quant Network (QNT) is a UK-incorporated enterprise blockchain interoperability platform built on proprietary Overledger technology. Founded by Gilbert Verdian, the company has verified partnerships with major UK banks (Barclays, HSBC, Lloyds, NatWest) through the UK Regulated Liability Network, and completed Project Rosalind with the Bank of England and BIS. No SEC enforcement actions exist. Key concerns include closed-source code limiting auditability, centralized governance, a pay-to-play developer licensing model, and some partnership announcements with limited verifiable follow-through.

Bitcoin (BTC) is the world's first decentralized cryptocurrency, introduced in a 2008 whitepaper by the pseudonymous Satoshi Nakamoto and launched in January 2009. As of May 2026, it is the largest cryptocurrency by market capitalization (~$1.6T), classified as a digital commodity by U.S. regulators, and backed by institutional infrastructure including 11 SEC-approved spot ETFs. Bitcoin's established protocol and regulatory clarity distinguish it from most crypto assets, though it carries material risks including market volatility, mining centralization, illicit-use association, and exchange counterparty exposure.

Render Network (RENDER) is a decentralized GPU rendering network for AI and 3D graphics founded by Jules Urbach (OTOY CEO, 70+ patents). $30M raised in December 2021 from Multicoin Capital, Solana Foundation, and Alameda Research. Migrated from Ethereum to Solana in November 2023. No protocol-level exploits recorded. Key concerns include Alameda Research co-investment, OTOY's 5% perpetual fee and dual governance role, ~50% treasury/escrow token concentration, and 86% decline from ATH. OctaneX featured in Apple M4 keynote.

Stellar (XLM) is a payments-focused blockchain co-founded by Jed McCaleb in 2014, ranked #22 by market cap (~$5.4B). The Stellar Development Foundation (SDF) is a non-profit with active institutional adoption including Franklin Templeton's BENJI fund ($1.98B AUM) and MoneyGram integration. No regulatory enforcement actions exist. Key risks include McCaleb's prior associations (Mt. Gox, eDonkey), SDF centralization (~30B XLM retained), a 35-day undetected Soroban Protocol 23 bug in October 2025, and third-party wallet/phishing incidents.

XDC Network is an enterprise-grade, EVM-compatible Layer-1 blockchain co-founded in 2017 by Atul Khekade and Ritesh Kakkad through XinFin, focused on trade finance, payments, and RWA tokenization. The mainnet has been operational since 2019 with 801M+ transactions processed and 178K+ smart contracts deployed. XDC 2.0 upgrade (Q4 2024) introduced Byzantine fault tolerance security. ISO 20022-aligned for institutional interoperability. Co-founders operate a $125M XVC Tech investment fund. No major security incidents or regulatory actions found. Limited independent media coverage and relatively low public scrutiny for its market cap.

Zcash (ZEC) is a privacy-focused proof-of-work cryptocurrency launched on October 28, 2016, notable as one of the first large-scale deployments of zero-knowledge proofs (zk-SNARKs) outside academia. The project has a transparent organizational history, credentialed academic founders, and a resolved SEC investigation, but has faced significant controversies including a critical counterfeiting vulnerability disclosed in 2019, ongoing governance disputes that caused the entire Electric Coin Company development team to resign in January 2026, and regulatory pressure in multiple jurisdictions resulting in exchange delistings.

PaintSwap is a decentralized NFT marketplace and DeFi protocol originally launched on the Fantom Opera blockchain in May 2021, which migrated to the Sonic chain (formerly Fantom) in late 2024. The platform operates an open NFT marketplace, an AMM DEX, yield farming, and an on-chain idle MMORPG called Estfor Kingdom, all powered by its native BRUSH token. No confirmed rug pull, hack, or regulatory action has been identified; the primary documented incident is a domain hijacking by a third-party registrar in October 2025.

Arbitrum is an Ethereum Layer-2 optimistic rollup developed by Offchain Labs, co-founded in 2018 by Princeton academics Steven Goldfeder, Ed Felten (former U.S. Deputy Chief Technology Officer), and Harry Kalodner. It is the largest Layer-2 by total value locked and has achieved L2BEAT Stage 1 decentralization through its BoLD permissionless validation protocol launched in early 2025. The protocol has faced significant governance controversies since its March 2023 ARB token launch, including the AIP-1 pre-ratification scandal, a Gaming Catalyst Program funding dispute, vote-buying incidents, and a high-profile April 2026 Security Council emergency freeze of $71M in ETH linked to North Korean hackers that reignited centralization debates.

Avalanche (AVAX) is a Layer-1 proof-of-stake blockchain launched in September 2020 by Ava Labs, a company co-founded by Cornell University computer scientist Emin Gün Sirer alongside Maofan 'Ted' Yin and Kevin Sekniqi. The network is distinguished by its tri-chain architecture (X-Chain, P-Chain, C-Chain) and the Avalanche Consensus Protocol, which targets sub-second transaction finality. While the project has accumulated significant institutional backing, ETF filings, and a March 2026 CFTC/SEC commodity classification, it has also faced a significant 2022 whistleblower scandal alleging weaponization of litigation against competitors, multiple DeFi exploits on its ecosystem, and two disclosed critical infrastructure vulnerabilities.

Ondo Finance is a real-world asset (RWA) tokenization protocol founded in 2021 by former Goldman Sachs executives Nathan Allman and Justin Schmidt. The platform offers tokenized exposure to U.S. Treasury securities (OUSG, USDY) and, since September 2025, a broader set of tokenized equities via Ondo Global Markets. The protocol held over $1.8 billion in TVL as of late 2025 and received formal notice in November 2025 that a two-year SEC investigation had been closed without charges.

Sky (formerly MakerDAO) is a DeFi lending protocol founded by Rune Christensen that governs the DAI/USDS stablecoin system. Rebranded in August 2024 with USDS and SKY token migration. Key risks include the March 2020 Black Thursday oracle failure ($8.32M in losses, $28M class action dismissed), governance centralization (top 3 holders controlled 78%+ of votes per academic research), DAI depeg events, and USDS freeze function controversy. No SEC/CFTC enforcement actions exist. USDS supply grew ~86% to ~$9.86B through 2025.

Aptos is a Layer-1 proof-of-stake blockchain founded in 2021 by Mo Shaikh and Avery Ching, former employees of Meta's Diem (Libra) project, using the Move programming language originally developed for Diem. The project raised $350 million across two rounds in 2022 from investors including a16z, FTX Ventures, Jump Crypto, and Three Arrows Capital, launching its mainnet in October 2022 amid significant criticism over opaque tokenomics, low initial throughput, and heavy insider allocations. While Aptos has since grown its DeFi TVL above $1 billion, attracted institutional partnerships with BlackRock, Microsoft, and Brevan Howard, and received digital commodity classification from the SEC and CFTC in 2026, early controversies around token distribution, FTX investor exposure, a 5-hour network outage in October 2023, and the departure of co-founder CEO Mo Shaikh in December 2024 remain part of the project's documented record.

A fraudulent mobile application impersonating Hyperliquid, the decentralized perpetuals exchange, was identified on the Google Play Store in November 2025 by on-chain investigator ZachXBT. The app, published under the developer name 'Tvtion Inc.', replicated Hyperliquid's branding and interface to harvest users' seed phrases, transmitting them to an external server. An Ethereum address linked to the operation has been associated with thefts exceeding $281,000; Hyperliquid has never released an official mobile application, making any such listing inherently fraudulent.

The Blockchain Bandit is an unidentified threat actor or group that systematically exploited Ethereum wallets holding cryptographically weak private keys between approximately 2015 and 2018, accumulating more than 45,000 ETH (worth over $54 million at peak 2018 valuations) through a technique researchers later termed 'Ethercombing.' The actor compromised 732 private keys across 49,060 transactions, draining wallets in near-real-time using automated blockchain monitoring. Dormant since 2018, the actor re-emerged in January 2023 and again in December 2024, consolidating approximately 51,000 ETH (valued at roughly $172 million) into a single multisig wallet, as tracked by on-chain investigator ZachXBT.

Inferno Drainer is a scam-as-a-service (drainer-as-a-service) platform that provided phishing infrastructure and malicious wallet-draining scripts to criminal affiliates in exchange for a percentage of stolen funds. Active from November 2022 through at least early 2025, it is attributed to stealing over $80 million from approximately 137,000 victims during its initial operational phase, with operators claiming a cumulative total exceeding $250 million across all periods including a covert post-shutdown phase. It operates by luring victims to phishing websites impersonating legitimate crypto brands, tricking users into signing malicious transactions that drain wallets across multiple EVM-compatible blockchains.

The Democratic People's Republic of Korea (DPRK), operating primarily through state-sponsored hacking units designated as the Lazarus Group, TraderTraitor, and APT38, has stolen an estimated $6.75 billion in cryptocurrency since 2016 across dozens of major exploits. These operations are attributed by the FBI, OFAC, CISA, and allied governments to North Korea's Reconnaissance General Bureau and are conducted to fund the regime's weapons of mass destruction and ballistic missile programs in circumvention of international sanctions. DPRK-linked hackers are responsible for the largest single crypto theft in history — the $1.5 billion Bybit hack in February 2025 — and continue to operate at unprecedented scale and sophistication.

Malone Lam Yu Xuan (born July 19, 2004), a Singaporean national residing in Miami and Los Angeles, is the alleged ringleader of a crypto theft and money laundering enterprise responsible for stealing over $263 million across multiple victims between 2023 and 2025. He was arrested by the FBI on September 18, 2024, and faces RICO conspiracy charges in what prosecutors describe as the first Bitcoin-related RICO prosecution in U.S. history. As of early 2026, he remains in pretrial detention while negotiating a plea deal.

BlackSuit is a ransomware-as-a-service (RaaS) operation that emerged in May 2023 as a rebranding of the Royal ransomware gang, itself a successor to the Conti cybercrime syndicate believed to be operated by Russian-speaking threat actors. The group employed double-extortion tactics across critical infrastructure sectors including healthcare, automotive, education, and government, compromising over 450 U.S. victims and demanding more than $500 million in ransom, primarily in Bitcoin, before international law enforcement dismantled its infrastructure in July 2025 under Operation Checkmate.

An unidentified threat actor or group breached LastPass in August–November 2022, exfiltrating encrypted customer password vaults containing cryptocurrency seed phrases and private keys stored by an estimated 25–30 million users. Beginning in late 2022 and continuing at least through late 2025, the actors allegedly cracked weak master passwords offline and drained cryptocurrency wallets in coordinated waves, with documented losses exceeding $250 million across hundreds of victims and a single high-profile $150 million XRP theft attributed to Ripple co-founder Chris Larsen. TRM Labs on-chain analysis and law enforcement investigations link the laundering activity to Russian cybercriminal infrastructure, including OFAC-sanctioned exchange Cryptex.

Chris Larsen is the co-founder and Executive Chairman of Ripple, one of the most prominent figures in the XRP ecosystem. On January 30, 2024, attackers drained an estimated 213–283 million XRP (valued at $112.5–$150 million) from his personal cryptocurrency accounts — not Ripple corporate wallets — in what became the largest individual crypto theft of 2024. A U.S. government forfeiture complaint filed in March 2025 linked the breach to the 2022 LastPass password manager hack, alleging that private keys had been stored in an online vault subsequently compromised by attackers.

Fake Ledger Live apps are malicious wallet impersonation applications distributed through official app stores — including the Microsoft Store and Apple App Store — that harvest cryptocurrency seed phrases to drain victims' wallets. Two major documented incidents have resulted in confirmed losses of at least $10.3 million: approximately $768,000 via the Microsoft Store in November 2023, and approximately $9.5 million via the Apple App Store in April 2026. Parallel macOS malware campaigns distributing trojanized DMG installers have been active since at least August 2024, with four concurrent active campaigns identified by security researchers.

Compound Finance is an Ethereum-based decentralized lending protocol founded in 2017 by Robert Leshner and Geoffrey Hayes that allows users to lend and borrow cryptocurrencies algorithmically. The protocol has been subject to multiple significant security and governance incidents, including a 2021 smart contract bug that placed up to ~280,000 COMP tokens (approximately $80–90 million) at risk, a 2024 alleged governance takeover by a whale known as 'Humpy,' and a July 2024 front-end DNS hijacking attack tied to the Squarespace registrar migration. Despite these incidents, the core smart contract protocol has not been exploited; the recurring issues have primarily affected token distribution, governance integrity, and front-end infrastructure.

Velodrome Finance is an automated market maker (AMM) and decentralized exchange (DEX) launched on June 2, 2022, on the Optimism Layer 2 network. It is a fork and improvement of Andre Cronje's Solidly Exchange, implementing a ve(3,3) governance and liquidity incentive model. The protocol has experienced three documented security incidents: an insider theft of $350,000 by a team member in August 2022, a DNS/frontend social-engineering attack in November–December 2023 resulting in approximately $250,000 in user losses, and a second DNS hijacking in November 2025 attributed to a NameSilo registrar insider, resulting in estimated losses of $700,000–$1,000,000. Smart contracts have not been directly exploited; all monetary losses have stemmed from front-end and operational security failures.

Ledger SAS is a Paris-based hardware cryptocurrency wallet manufacturer founded in 2014, producing the Nano S and Nano X devices used by millions worldwide. Despite its status as a legitimate and established company, Ledger has been involved in two major security incidents: a 2020 customer database breach exposing over 1 million email addresses and 272,000 physical addresses, and a December 2023 supply chain attack on its @ledgerhq/connect-kit npm package that drained approximately $600,000–$850,000 from users of multiple DeFi protocols via the Angel Drainer malware-as-a-service. A third-party data breach via payment processor Global-e was disclosed in January 2026.

Pink Drainer was a Drainer-as-a-Service (DaaS) phishing toolkit that operated from approximately July 2023 to May 2024, facilitating the theft of over $85.3 million in cryptocurrency from more than 21,000 victims across Ethereum and other networks. The operators ran the service by licensing a sophisticated wallet-draining script to affiliate phishers for a 20-30% cut of stolen proceeds, then announced a voluntary shutdown on May 17, 2024, citing their goal as 'accomplished.'

WazirX is an Indian cryptocurrency exchange co-founded in 2018 by Nischal Shetty, Sameer Mhatre, and Siddharth Menon that suffered the largest crypto hack in Indian history on July 18, 2024, when approximately $234.9 million in user assets were stolen from a Gnosis Safe multisig wallet via a sophisticated supply-chain-style attack attributed by Elliptic, ZachXBT, and a joint US-Japan-South Korea government statement to North Korea's Lazarus Group. The hack triggered suspension of all withdrawals, a Singapore court-supervised restructuring process in which users are expected to recover approximately 55% of their assets, and ongoing regulatory and law enforcement scrutiny in India.

Glori Finance was an alleged DeFi lending protocol deployed on the Arbitrum network in early 2024, operating as a Compound V2 fork with approximately $1.4 million in total value locked (TVL) at the time of its exposure. On April 14, 2024, blockchain investigator ZachXBT identified that the top GLORI token holders had seeded liquidity using funds stolen from prior scams — specifically the Crolend, Hash DAO, and HellHoundFi frauds — linking Glori Finance to a serial scam ring responsible for over $20 million in cumulative losses. Following ZachXBT's public disclosure, the Glori Finance X account was deactivated and the protocol's website went offline, consistent with an exit scam.

Magnate Finance was a DeFi lending and borrowing protocol deployed on Coinbase's Base Layer 2 network that executed an exit scam on August 25, 2023, stealing approximately $6.4–6.5 million in user funds by manipulating its price oracle. On-chain investigator ZachXBT issued a public warning hours before the rug pull, having traced the deployer address to at least two prior exit scams: Solfire ($4.8M, January 2022) and Kokomo Finance ($5.5M, March 2023), establishing this as the work of a repeat-offender scam ring responsible for over $16.7 million in total losses.

eXch (exch.cx) was a no-KYC instant cryptocurrency swap service operating from 2014 until its forced shutdown in May 2025. Registered in Belize under the name Private Project Facilitators LTD, the platform processed an estimated $1.9 billion in total volume, deliberately advertising its absence of anti-money laundering controls on criminal underground forums. German federal law enforcement seized approximately $38 million in cryptocurrency assets and 8 terabytes of data from the platform in April 2025, following evidence linking eXch to laundering roughly $200 million of funds stolen in the $1.46 billion Bybit hack carried out by North Korea's Lazarus Group.

Vkevin is a pseudonymous threat actor known for operating fake Safeguard Telegram bot phishing campaigns that have allegedly drained seven figures from victims' cryptocurrency wallets. On January 23, 2025, blockchain investigator ZachXBT published a 31-minute video exposing Vkevin in the act of running these scams from what was described as a New York school, and confirmed the individual had been doxxed. Vkevin is additionally alleged to have conducted a 2022 Discord attack against DigikongNFT using a spoofed MEE6 bot, resulting in over $300,000 in NFT losses.

Aqua (also known as AquaBot) was a Solana-based Telegram trading bot that conducted a presale in September 2025, raising approximately 21,770 SOL ($4.65 million) from retail investors before executing an apparent exit scam. On-chain investigator ZachXBT flagged the project after presale funds were split into four tranches, routed through intermediary wallets, and sent to instant exchanges hours before the scheduled token generation event. The project had secured endorsements from multiple established Solana ecosystem participants — including Meteora, Helius, Dialect, SYMMIO — and had received a near-perfect audit score from QuillAudits just days before the alleged rug pull.

Veer Chetal, known online as 'Wiz,' is a 19-year-old from Danbury, Connecticut who pleaded guilty in November 2024 to conspiracy to commit wire fraud and conspiracy to launder monetary instruments in connection with a $243–245 million Bitcoin theft targeting a single Genesis creditor via social engineering. He was identified and exposed by blockchain investigator ZachXBT, who traced stolen funds on-chain and publicly named the perpetrators before law enforcement arrests were made. Chetal was re-arrested in early 2025 after committing additional crypto thefts while released on bond and faces a federal sentencing guideline range of 19–24 years imprisonment.

On November 3, 2024, unidentified scammers compromised the X (Twitter) account of rapper Wiz Khalifa (35.7 million followers) and used it to promote two fraudulent Solana meme coins — $WIZ and $WIZZLE — launched on pump.fun. The $WIZ token reached a peak market cap of approximately $2.5 million within 15 minutes before collapsing over 95% in under one hour, with at least two insider wallets extracting a combined $160,000 in profit. Blockchain investigator ZachXBT linked the incident to a broader campaign of celebrity account takeovers that allegedly stole over $3.5 million in total, and subsequently accused a former professional Fortnite player known as 'Serpent' of involvement in the coordinated scheme.

NFTMachine is the online alias of Tyler Gaye, a Denver, Colorado resident who allegedly orchestrated a presale fraud in early 2021 by raising approximately $500,000 (reportedly 277 ETH from 130+ investors) for a promised NFT marketplace called opeNFT (also stylized ONFT), which was never launched. A Denver District Court judge entered a default judgment of $275,000 against Gaye in November 2022, classifying the conduct as civil theft. On-chain investigator ZachXBT has subsequently alleged Gaye continued launching new crypto projects — including Arcade DAO and Gamegear — under the alias 'scaredofboobs' without satisfying the court-ordered judgment.

Bitforex was a cryptocurrency exchange founded in 2017, registered in Seychelles and operating under a Hong Kong address, which collapsed in February 2024 after approximately $56.5 million was drained from its hot wallets across Ethereum, Tron, and Bitcoin in a controlled fund extraction widely characterized as an exit scam. The exchange had a documented history of wash trading allegations dating to 2018, a prior unexplained withdrawal freeze in 2022, regulatory warnings from Japan's FSA and Hong Kong's SFC, and operated without a license in the jurisdictions it claimed as home. Following the collapse, team members were allegedly detained by Jiangsu Province police in China, and the exchange briefly reopened for KYC-verified withdrawals in July 2024 before announcing permanent closure.

TradeOgre was an unregistered, no-KYC cryptocurrency exchange founded around 2018 and known for listing privacy coins including Monero (XMR) and Pirate Chain. On September 18, 2025, the RCMP executed Canada's largest-ever cryptocurrency seizure, dismantling the platform and seizing over CAD $56 million (approximately USD $40 million) in digital assets. Investigators determined that the majority of funds transacted on the platform came from criminal sources, including ransomware proceeds, darknet market activity, hacking exploits, and fraud schemes.

Friend.tech was a SocialFi application launched on Coinbase's Base L2 in August 2023 that allowed users to buy and sell tokenized 'keys' (shares) of social media influencers. The platform suffered a wave of SIM-swap attacks draining at least 343 ETH from users, exposed wallet addresses of 101,000 users via an API data breach, launched its FRIEND token in May 2024 which collapsed 98% within months, and was ultimately abandoned by its pseudonymous founders in September 2024 after they extracted approximately $44 million in protocol fees.

JELLY (JellyJelly / JELLYJELLY) is a Solana memecoin launched in January 2025 by Venmo co-founder Iqram Magdon-Ismail that became the center of a major market manipulation incident on Hyperliquid on March 26, 2025. A coordinated trader used a self-liquidation strategy — opening large opposing long and short positions — to force Hyperliquid's HLP liquidity vault to absorb a toxic short, causing up to $13.5 million in unrealized losses before validators emergency-delisted the token and force-settled all positions at a fixed price. The incident triggered widespread criticism of Hyperliquid's decentralization claims and raised systemic questions about perpetuals DEX risk management.

Avalanche C-Chain address 0x327a81d0d128db8886d265be73c9fdda97194f30 was flagged by on-chain investigator ZachXBT in June 2024 as the primary launderer for the BTCTurk exchange hack, having transferred approximately 1.96 million AVAX (valued at ~$54.2 million) to Coinbase, Binance, Gate.io, and THORChain. ZachXBT's timing analysis linked subsequent BTC withdrawals of approximately $45.96 million to the same threat actor, who was also allegedly responsible for a concurrent $2.9 million theft from Sportsbet. The address currently holds negligible funds, consistent with successful laundering of proceeds.

The 'WallStreetBets' brand has been exploited in at least two distinct crypto fraud incidents: a 2021 Telegram pre-mine scam using a fake 'WallStreetBets – Crypto Pumps' channel that stole over $2.1 million in BNB and ETH, and a 2023 Ethereum meme token (WSB Coin) that surged to a $50 million market cap before insiders allegedly dumped $635,000 worth of tokens within days of launch, collapsing the price by over 90%. Neither token was authorized by Reddit or the r/WallStreetBets subreddit, and ZachXBT publicly identified the alleged perpetrators in the 2023 incident.

GANA Payment was a BNB Smart Chain payment-focused DeFi project (BEP-20 token) that launched on November 11, 2025 and was exploited nine days later on November 20, 2025, resulting in losses exceeding $3.1 million. On-chain investigator ZachXBT confirmed the attack, which involved a compromised deployer private key combined with abuse of EIP-7702 to drain the project's staking contract; stolen funds were subsequently laundered through Tornado Cash on both BSC and Ethereum. The GANA token lost over 90% of its value within 24 hours of the exploit.

Nobitex is Iran's largest cryptocurrency exchange, founded in 2017, claiming over 11 million users and handling approximately 70% of Iran's on-chain crypto volume. A March 2025 Reuters investigation identified its founders as brothers Ali and Mohammad Kharrazi — members of a family with documented ties to Iran's Supreme Leaders and the founding of the Islamic Revolutionary Guard Corps — who operated the exchange under an alternative surname. Blockchain analytics firms including Elliptic, Chainalysis, and TRM Labs have documented billions of dollars in flows through Nobitex connected to sanctioned Iranian state entities including the Central Bank of Iran and the IRGC, making the platform a critical node in Iran's sanctions evasion infrastructure.

Sportsbet.io is a cryptocurrency gambling and sports betting platform operated by mBet Solutions N.V. under the Yolo Group umbrella, licensed in Curaçao. On June 22, 2024, blockchain investigator ZachXBT publicly identified that the platform's hot wallets were drained of approximately $3.5 million in USDT and TRX, attributing the attack to the same threat actor who hours later stole an estimated $55 million from Turkish exchange BtcTurk, with stolen funds allegedly commingled between both hacks. The platform has drawn ongoing scrutiny for operating in regulatory grey markets, serving users in jurisdictions where it holds no local license, and for systemic user complaints involving account closures and fund seizures following wins. Yolo Group founder Tim Heath confirmed in 2025 that the brand is being wound down in favor of fully regulated markets.

TON (The Open Network) is a layer-1 blockchain originally developed by Telegram, abandoned in 2020 following an SEC enforcement action that compelled a $18.5 million penalty and $1.22 billion investor return, and subsequently revived by an independent TON Foundation. By 2024, rapid ecosystem growth attracted a significant wave of phishing campaigns, wallet drainer toolkits, pyramid schemes, and rug pull activity, with over 1,200 fraud cases reported in H1 2024 alone. In May 2026, Pavel Durov announced Telegram would reassume control as the network's largest validator, reintroducing centralization risk to a network already under scrutiny for facilitating illicit marketplaces.

pump.fun (operated by Baton Corporation Ltd., also listed on AVOID.NET as 'pumpdotfun') is a Solana-based meme token launchpad that launched in January 2024 and rapidly became one of the most-used token creation platforms in crypto, generating over $800 million in cumulative revenue and more than 11.9 million tokens. The platform is subject to an active RICO class action lawsuit in the SDNY alleging up to $5.5 billion in retail losses, a UK FCA regulatory ban, a $1.9 million insider flash loan exploit, documented use by North Korea's Lazarus Group for money laundering, and independent research classifying 98.6% of its tokens as rug pulls or fraud.

pump.fun (operated by Baton Corporation Ltd., also listed on AVOID.NET as 'pumpdotfun') is a Solana-based meme token launchpad that launched in January 2024 and rapidly became one of the most-used token creation platforms in crypto, generating over $800 million in cumulative revenue and more than 11.9 million tokens. The platform is subject to an active RICO class action lawsuit in the SDNY alleging up to $5.5 billion in retail losses, a UK FCA regulatory ban, a $1.9 million insider flash loan exploit, documented use by North Korea's Lazarus Group for money laundering, and independent research classifying 98.6% of its tokens as rug pulls or fraud.

Wallex is an Iranian cryptocurrency exchange founded in 2018 in Tehran by graduates of Sharif University of Technology, serving approximately 1 million users as of 2022 and operating as a major domestic crypto-to-rial on/off-ramp. On March 25, 2026, blockchain investigator ZachXBT flagged suspicious fund consolidation activity, prompting both Tether (USDT) and Circle (USDC) to simultaneously blacklist Wallex-linked wallet addresses, leaving approximately $2.49 million stranded on-chain. Wallex operates in a jurisdiction under comprehensive U.S. OFAC sanctions, has been linked by Chainalysis to transactions with a U.S.-sanctioned individual, and suffered a confirmed data breach in 2021 that exposed user credentials.

C&M Software (also styled CMSW) is a Brazilian financial technology company authorized by the Banco Central do Brasil to provide connectivity between smaller financial institutions and Brazil's national payment infrastructure, including the PIX instant-payment system. On June 30, 2025, hackers exploited credentials sold by an insider employee to drain approximately R$800 million (roughly USD 140–148 million) from reserve accounts of at least six financial institutions, in what became Brazil's largest recorded banking cyberattack. A portion of the stolen funds—estimated at USD 30–40 million—was subsequently laundered through Latin American OTC desks and crypto exchanges using Bitcoin, Ethereum, and Tether USDT, with on-chain investigator ZachXBT playing a central role in tracing and partially freezing the laundered assets.

Masa (also known as Masa Finance, later rebranded as Gopher) is a Web3 data and identity protocol that launched a soulbound token standard on Ethereum in 2023 before pivoting to a decentralized AI data network. The MASA token, sold via CoinList in March 2024 at $0.079 and hitting an all-time high of approximately $0.4697 on its April 11, 2024 listing date, subsequently collapsed by over 99.9% to trade near $0.00002 by mid-2026. ZachXBT publicly accused the project of concealing a six-figure security exploit in September 2024, which the team later confirmed only after the allegation was made public.

LastPass is a widely used password manager that suffered a catastrophic two-stage data breach in 2022, resulting in the theft of encrypted customer password vaults containing cryptocurrency seed phrases and private keys. Threat actors subsequently cracked these vaults offline over the following years, draining crypto wallets in waves totaling more than $438 million across hundreds of victims by late 2025. The breach has led to a £1.2 million UK ICO regulatory fine, a $24.45 million US class action settlement, US federal seizures, and on-chain attribution by TRM Labs and blockchain researcher ZachXBT to Russian cybercriminal infrastructure.

Tapioca DAO is an omnichain DeFi money market built on LayerZero, offering a CDP stablecoin (USDO) and isolated lending markets (Singularity/Big Bang) across Arbitrum and BNB Chain. On October 18, 2024, the protocol suffered a critical security breach when a team member was targeted by a social engineering attack attributed to North Korea's Contagious Interview campaign, resulting in private key compromise, drainage of TAP token vesting contracts, and the minting of 5 quintillion USDO. Approximately $4.4–4.7 million was stolen before a partial counter-exploit recovered roughly 996 ETH (~$2.7 million), leaving the protocol treasury down approximately 45% and the TAP token price collapsed over 95%.

Garden Finance is a cross-chain Bitcoin bridge protocol launched in 2023 by former Ren Protocol developers, using Hash Time Locked Contracts (HTLCs) and an intents-based solver network to enable atomic swaps across Ethereum, Solana, Arbitrum, Base, and other chains. On October 30–31, 2025, one of its largest solver operators was compromised via a leaked private key, resulting in approximately $11.4 million in stolen assets that were subsequently laundered through Tornado Cash. Prior to the exploit, blockchain investigator ZachXBT alleged that over 80% of the protocol's recent fee revenue was derived from laundering funds stolen in the February 2025 Bybit hack, which the Lazarus Group (DPRK) perpetrated for approximately $1.4 billion.

Bitcoin Depot was once the largest Bitcoin ATM operator in North America, operating more than 9,000 kiosks before filing for Chapter 11 bankruptcy on May 18, 2026. The company faces lawsuits from the attorneys general of Iowa and Massachusetts alleging it knowingly facilitated crypto scams, with one state finding that more than 80% of high-value transactions at its kiosks were linked to fraud. Multiple data breaches, a $3.6 million wallet theft, regulatory enforcement in California, and on-chain evidence flagged by ZachXBT further document systemic compliance and security failures.

HyperCycle (HYPC) is an Ethereum ERC-20 token marketed as infrastructure for decentralized AI-to-AI transactions, co-founded by SingularityNET's Ben Goertzel and TODA inventor Toufi Saliba. The token has lost approximately 99% of its value from its all-time high of $1.29, and its smart contract contains a PAUSER_ROLE that allows a designated admin to halt all token transfers at will. No independent smart contract security audit has been publicly submitted, and the tokenomics structure — which allocates 20% to team, advisors, and partners with a relatively short vesting cliff — has been cited by multiple analysts as generating sustained selling pressure that disadvantages retail participants. ZachXBT has broadly flagged AI-narrative token projects as high-risk.

Wasabi Protocol is a decentralized perpetual futures and leveraged trading platform for memecoins and long-tail assets, deployed on Ethereum, Base, Berachain, and Blast. On April 30, 2026, the protocol suffered a critical multi-chain exploit in which a compromised admin deployer key was used to execute malicious UUPS proxy upgrades across core contracts, draining over $5 million in user funds. Security firm BlockSec reported that the attacker's wallets had been funded via Tornado Cash, and on-chain investigator ZachXBT publicly criticized the protocol for single-EOA admin control, absence of a timelock or multisig, and alleged misappropriation of project funds on influencer marketing.

Noones is a peer-to-peer cryptocurrency trading platform targeting Africa and the Global South, founded and initially led by Ray Youssef, co-founder of the now-defunct Paxful. In January 2025, the platform suffered an $8 million hot-wallet exploit that was concealed for nearly three weeks before on-chain investigator ZachXBT publicly exposed the breach. Compounding platform risk, Youssef was subsequently indicted by the DOJ in early 2026 on federal AML charges stemming from his leadership of Paxful, and stepped down as Noones CEO shortly thereafter.

MEXC is a centralized cryptocurrency exchange founded in 2018, incorporated in Seychelles, that has accumulated a significant regulatory record across multiple jurisdictions including warnings or cease orders from authorities in Hong Kong, Germany, Belgium, Japan, Estonia, and South Korea. The exchange gained widespread notoriety in late 2025 after on-chain investigator ZachXBT amplified user reports of frozen funds, including a high-profile case in which a trader known as 'The White Whale' had approximately $3 million frozen without adequate explanation, eventually prompting a public apology from the exchange's Chief Strategy Officer. MEXC's parent entity MEXC Global Ltd was struck off by the Seychelles registry in August 2023, dissolved in December 2024, and never obtained a license under the Seychelles VASP Act 2024, leaving its current operational and legal standing opaque.

Kroll Restructuring Administration LLC served as the court-appointed claims and noticing agent for the FTX, BlockFi, and Genesis bankruptcy proceedings. On August 19, 2023, a threat actor executed a SIM swap attack against a Kroll employee's T-Mobile account, gaining unauthorized access to files containing the personal data of tens of thousands of crypto bankruptcy claimants. The exposed data was subsequently exploited in large-scale phishing and social engineering campaigns, with blockchain investigator ZachXBT estimating total losses attributable to the breach at eight to nine figures, and at least one alleged perpetrator — Danish Zulfiqar, also known as 'Danny' — was arrested in Dubai in late 2025 on RICO charges related to a broader $263 million social engineering conspiracy.

1EU2pMence1UfifCco2UHJCdoqorAtpT7 is a legacy P2PKH Bitcoin address holding approximately 9,999.99 BTC that has never had any outgoing transactions, marking it as a dormant high-value wallet. The address has been publicly circulated in attacker-community repositories as a brute-force cracking target, appearing in GitHub issue lists of 'rich wallet addresses for BTC crack' alongside automated key-collision tools. No verifiable private-key compromise or confirmed theft has been documented as of the investigation date; however, the address's inclusion in brute-force tooling databases and its indexing on privatekeys.pw elevates its risk profile considerably.

Renzo Protocol is an Ethereum liquid restaking protocol that issues ezETH, serving as an interface to the EigenLayer ecosystem. In April 2024, ezETH suffered a severe depeg event — dropping as low as $700 in under one hour — triggered by an unpopular REZ tokenomics announcement that concentrated approximately 65% of supply with insiders and investors. The event caused over $56 million in DeFi liquidations affecting more than 250 users, and the REZ token has since lost approximately 97% of its all-time high value.

Metawin is an offshore crypto casino and gaming platform licensed under the Anjouan (Comoros) gaming authority, operated by Asobi N.V. from Curacao, and founded by Richard 'Skel' Skelhorn. On November 3, 2024, the platform suffered a significant hot wallet exploit across Ethereum and Solana blockchains resulting in approximately $4 million in stolen funds, with blockchain investigator ZachXBT tracing the stolen assets to KuCoin and a nested HitBTC service across more than 115 attacker-linked addresses. The CEO subsequently claimed to have personally covered the losses, restoring withdrawals for approximately 95% of affected users, though the platform's offshore jurisdictional status and the underlying security vulnerability raise ongoing concerns.

Spartans Bet (spartans.com) is a crypto betting and casino platform launched in 2025, operated by Nexus International Entertainment Ltd, a company registered in Belize and licensed under the disputed Anjouan (Comoros) gaming authority. On-chain investigator ZachXBT alleged in 2025 that the platform's suspected co-founder, Gurhan Kiziloz, is also the hidden operator behind BlockDAG Network, a project ZachXBT claims raised over $300 million from retail investors through deceptive social media advertising and misappropriated presale funds via Middle Eastern OTC channels. Spartans makes prominent 'provably fair' claims that lack independently verifiable third-party audit documentation, and the platform carries a below-average safety index of 6.4/10 from casino.guru, with user complaints citing refused withdrawals and unfair bonus terms.

Mixin Network is a Hong Kong-based cross-chain Layer 2 protocol that suffered one of the largest cryptocurrency hacks of 2023, losing approximately $200 million when its cloud service provider's database was compromised on September 23, 2023. The hack exposed a fundamental contradiction in Mixin's self-described decentralized architecture: the majority of user funds were held in hot wallets backed by a centralized cloud database. As of early 2026, the majority of stolen assets remain unrecovered, with the attacker beginning to launder funds through Tornado Cash.

PAAL AI is an Ethereum ERC20 token launched in July 2023, marketed as an AI-powered chatbot and automation ecosystem for crypto communities. In September 2023, blockchain investigator ZachXBT published on-chain evidence and leaked Telegram messages alleging that four prominent crypto influencers — TraderSZ, TraderNJ1, PetaByte, and Trader_XO — received undisclosed token allocations from the PAAL AI team and engaged in a coordinated pump-and-dump scheme, collectively dumping hundreds of thousands of dollars in PAAL tokens on retail buyers. The token subsequently declined approximately 98.7% from its March 2024 all-time high of $0.8653 to below $0.013 by mid-2026, while the PAAL brand has also been exploited by third-party wallet-draining scams impersonating its staking platform.

Act I: The AI Prophecy (ACT) is a Solana-based AI-narrative memecoin launched via Pump.fun in October 2024 with no verified product utility. The token reached an all-time high of approximately $0.92 in November 2024 before declining over 98% to roughly $0.013 by mid-2026. It has been subject to a documented co-founder token dump, a suspicious 49% flash crash on Binance in April 2025 attributed to large coordinated sell orders, and broad sector criticism from on-chain investigator ZachXBT who labeled 99% of AI agent tokens as scams.

Token 2049 is one of the world's largest crypto conferences, held annually in Singapore and Dubai by Hong Kong-based BOB Group. The event has faced repeated criticism for insufficient sponsor vetting, most notably when OFAC- and UK-sanctioned Russia-linked stablecoin A7A5 was listed as a platinum sponsor and given a speaking slot at the October 2025 Singapore edition. Separately, in March 2025, on-chain investigator ZachXBT publicly flagged multiple Token 2049 sponsors — including DWF Labs, Bitunix, JuCoin, WEEX, and Spacecoin — for fraud, wash trading, and regulatory non-compliance, warning that conference sponsorship carries no implied credibility.

ANDY is a meme token launched on the Base (Ethereum L2) network in 2024, built around the 'boy's club' internet meme character. Blockchain investigator ZachXBT documented a theft of approximately $2 million in ANDY tokens from a victim's wallet in June 2024, with the perpetrator converting roughly half the stolen funds to Ethereum. CertiK's Skynet platform assigned the token a score of 2.7 out of 100, indicating serious security and governance deficiencies. Allegations that individuals associated with the token conducted SIM-swap attacks targeting Korean-American crypto holders have been attributed to ZachXBT's flagging but remain unconfirmed by independently verifiable Tier 1 or Tier 2 sources.

Netmind AI (netmind.ai) is a London-based decentralized GPU compute network that issues the NMT token on both Ethereum (ERC20) and BNB Smart Chain (BEP20) via upgradeable proxy contracts. In March 2024, 440,000 NMT tokens were sold in a sudden dump that caused a 76% price crash — attributed by the team to a compromised early miner wallet, though the mechanism remains disputed. The NMT contract is an upgradeable transparent proxy that grants the owner unilateral ability to disable sells, change fees, mint, or transfer tokens, representing a material centralization and rug-risk vector flagged by security tools and, according to AVOID.NET source tagging, by ZachXBT.

JRNY Crypto (real name allegedly Tony Spark) is a pseudonymous cryptocurrency and NFT influencer operating since 2017, with over 760,000 followers on X and 590,000 YouTube subscribers at peak activity. ZachXBT flagged the account in November 2024 after approximately $4 million in crypto assets were drained from associated wallets in a suspected private key compromise; JRNY did not publicly acknowledge the incident. Separate community-sourced allegations include undisclosed paid promotions, a paid strategic advisory role at BSC launchpad Seedify that critics allege was not consistently disclosed to audiences, and criticism over the JRNY Club and Planet Xolo NFT projects failing to meet roadmap commitments.

SBI Crypto is a cryptocurrency mining subsidiary of Japan's SBI Holdings, operating one of the top Bitcoin mining pools globally and offering related infrastructure services. On September 24, 2025, addresses linked to the company saw approximately $21–24 million in suspicious outflows across five cryptocurrencies; blockchain investigator ZachXBT and security firm Cyvers identified laundering patterns consistent with DPRK-affiliated Lazarus Group operations. SBI Group did not proactively disclose the breach and provided only minimal confirmation after independent researchers surfaced the incident publicly.

Truflation is a blockchain-based inflation data oracle protocol that provides real-time economic indices to DeFi applications via its Truflation Stream Network (TSN) and TRUF token. In September 2024, the project suffered a confirmed malware attack that compromised private keys across its treasury multisig and personal wallets, resulting in losses estimated between $4.6 million and $5.2 million — predominantly in TRUF tokens, ETH, and DAI. On-chain investigator ZachXBT was among the first to publicly identify and report the incident; the project subsequently initiated a full TRUF token migration as a remediation measure.

Crypto.com is a Singapore-headquartered centralized cryptocurrency exchange founded in 2016 (originally as Monaco) by Kris Marszalek, Bobby Bao, Gary Or, and Rafael Melo. The platform has been subject to multiple serious security incidents, including a confirmed January 2022 hack in which $34 million was stolen via a 2FA bypass and laundered through Tornado Cash, and an alleged 2023 data breach linked to the Scattered Spider hacking group that the company did not publicly disclose to affected users. Blockchain investigator ZachXBT has publicly accused Crypto.com of governance manipulation and tokenomics fraud, citing the March 2025 reissuance of 70 billion CRO tokens that had been permanently burned in 2021, and the company's controversial 2020 forced swap from its original MCO token to CRO at unfavorable rates.

BtcTurk is Turkey's oldest and largest centralized cryptocurrency exchange, founded in 2013 in Istanbul. The exchange has suffered two major hot wallet breaches in 14 months — approximately $55 million stolen in June 2024 and approximately $48–$49 million in August 2025 — both attributed to private key compromise, establishing a pattern of repeated critical security failures. Despite operating under Turkish regulatory frameworks (CMB and MASAK) and maintaining cold wallet protections, the exchange's inability to prevent a second near-identical attack within a year raises serious concerns about the adequacy of its security controls.

Renzo Protocol is an EigenLayer liquid restaking protocol that issues ezETH, a liquid restaking token (LRT) representing restaked ETH. In April 2024, ezETH suffered a severe depeg — falling from ~$3,100 to as low as $688 on Uniswap — triggered by a controversial REZ tokenomics announcement that allocated only 5% of tokens to the community airdrop while reserving over 60% for team, investors, and advisors, causing cascading liquidations exceeding $56 million across DeFi platforms. Eight high-severity vulnerabilities were identified in a concurrent Code4rena security audit, and the incident exposed structural risks including withdrawal restrictions that prevented users from redeeming ezETH directly for ETH.

Nexera (formerly AllianceBlock) is a blockchain infrastructure protocol focused on compliant real-world asset tokenization, operating primarily on Ethereum. In August 2024, a threat actor later attributed to North Korea's Lazarus Group used social engineering and BeaverTail malware to steal smart contract management credentials, enabling unauthorized transfer of 47.24 million NXRA tokens valued at approximately $1.9 million. The team mitigated further losses by zeroing out and subsequently burning the 32.5 million tokens that remained in the attacker's wallet, limiting confirmed liquidated losses to roughly $449,000.

Serenity Shield is a blockchain-based data storage and crypto inheritance protocol built on BNB Smart Chain, operating a product called StrongBox. On February 27, 2024, a team MetaMask wallet was compromised and 6.9 million SERSH tokens valued at approximately $5.6 million were stolen, causing the token price to collapse by over 95% within 24 hours. On-chain investigator ZachXBT linked the attacker to a serial hacker responsible for multiple private-key compromise incidents across at least six other protocols in late 2023 and early 2024.

CoinEx is a centralized cryptocurrency exchange that suffered a major hot wallet breach on September 12, 2023, with losses estimated between $54 million and $70 million across multiple blockchains. On-chain investigators ZachXBT and Elliptic attributed the attack to the Lazarus Group (TraderTraitor), a North Korean state-sponsored threat actor, based on wallet address overlap with the contemporaneous Stake.com hack. Stolen proceeds were subsequently laundered in part through the Sinbad Bitcoin mixer, which was sanctioned by the U.S. Treasury's OFAC on November 29, 2023.

Trust Wallet is a widely-used non-custodial mobile and browser cryptocurrency wallet, originally acquired by Binance in 2018 and later divested as an independent entity. It has been the subject of multiple documented security incidents spanning 2022–2025, including a critical WebAssembly entropy vulnerability (CVE-2024-23660), a supply-chain compromise of its Chrome extension in December 2025 that resulted in approximately $8.5 million in user losses, and a historical low-entropy key generation flaw exploited in 2023. Blockchain investigator ZachXBT flagged the December 2025 browser extension incident and documented hundreds of victims.

EigenLayer is a legitimate Ethereum restaking protocol operated by Eigen Labs that became a high-value target for phishing campaigns, wallet drainer attacks, and social engineering in 2024 following the launch of its EIGEN token. In October 2024 alone, the protocol's official X account was compromised to promote a fake airdrop resulting in at least $800,000 lost by one victim, and a separate email-based social engineering attack redirected approximately $5.7 million in locked investor tokens to an attacker's wallet. EIGEN holders and restakers face an elevated and persistent threat surface from impersonation sites, fake airdrop claims, and token-approval drainer schemes that exploit the protocol's name and brand recognition.

Cardano (ADA) holders face a persistent and multi-vector threat landscape that includes deepfake giveaway scams impersonating founder Charles Hoskinson, social media account hijackings used to promote fraudulent tokens, phishing campaigns distributing credential-stealing malware disguised as wallet software, and NFT-based wallet drainers. The Cardano Foundation's own X account was compromised in December 2024, resulting in the promotion of a fake token and false regulatory claims. State-sponsored actors including the North Korean Lazarus Group have also targeted ADA holders through the Atomic Wallet supply chain attack.

Andy Ayrey is a New Zealand-based AI researcher and self-described performance artist who created Truth Terminal, an autonomous AI chatbot that became closely associated with the Goatseus Maximus (GOAT) memecoin, which briefly reached a $900M–$1B market cap in late 2024. Ayrey disclosed holding 1.25 million GOAT tokens gifted to him and pledged not to trade on insider knowledge, later establishing a non-profit foundation (Truth Collective) to manage the AI's holdings. ZachXBT's involvement concerns the October 2024 SIM-swap hack of Ayrey's X account — which third-party hackers exploited to deploy scam memecoins netting over $1.5M — rather than direct fraud allegations against Ayrey himself; however, broader ethical concerns persist around the gray-area ecosystem of AI-agent-driven memecoin promotion that Truth Terminal helped legitimize.

Kiln is an institutional-grade, non-custodial staking infrastructure provider that manages over $14 billion in staked assets across 50+ proof-of-stake networks, including approximately 6% of the entire Ethereum validator set. In September 2025, Kiln suffered a sophisticated supply chain attack in which a threat actor compromised a GitHub access token belonging to a Kiln infrastructure engineer, injected malicious code into the Kiln Connect API, and caused the theft of approximately 192,600 SOL (~$41 million) from enterprise customer SwissBorg. The incident prompted Kiln to exit all 1.6 million ETH worth of its Ethereum validators as a precautionary measure, triggering the longest Ethereum exit queue backlog in the network's history.

Vitalik Buterin is the legitimate co-founder of Ethereum and is not himself a scam actor. However, his name, likeness, and social media presence constitute one of the most heavily weaponized impersonation surfaces in crypto. Documented threats include a September 2023 SIM-swap of his X account (linked to Pink Drainer, resulting in ~$691K stolen from followers), persistent fake giveaway livestreams on YouTube, thousands of fraudulent Instagram accounts, and an escalating campaign of AI-generated deepfake videos distributing wallet-drainer phishing links.

BONAD.fun is a permissionless meme token launchpad operating on the Monad blockchain, positioned as BONK's community-driven expansion from Solana into the EVM ecosystem via Monad. The platform is an independent community project not officially endorsed or vetted by the BONK Foundation, and no public smart contract audit has been documented. The platform shares brand identity and fee-recycling mechanics with Bonk.fun, the Solana-based predecessor that suffered a domain hijacking and wallet-drainer attack in March 2026 — a front-end attack vector that is directly relevant to BONAD.fun's risk surface as a structurally similar deployment.

Thunder Terminal is a Solana-based on-chain trading terminal that suffered a $240,000 exploit on December 27, 2023, when an attacker leveraged compromised MongoDB credentials to steal session tokens and drain 86.5 ETH and 439 SOL from 114 user wallets in under nine minutes. The attacker subsequently routed the stolen ETH through the Railgun privacy protocol and demanded a 50 ETH ransom for deletion of alleged user data, directly contradicting Thunder Terminal's public claim that no user data or private keys were compromised. Thunder Terminal pledged full reimbursement of stolen funds, engaged the FBI, and implemented additional security controls, though no public confirmation of completed reimbursements has been verified.

MustStopMurad is the X handle of Murad Mahmudov, a Princeton-educated former Goldman Sachs analyst and co-founder of the now-defunct Adaptive Capital hedge fund, who rose to prominence in 2024 as the primary advocate of the 'memecoin supercycle' thesis following a widely-circulated speech at TOKEN2049 Singapore. On-chain investigator ZachXBT published what he alleged to be 11 wallets linked to Mahmudov in October 2024, holding approximately $24 million in memecoins, raising concerns about undisclosed large holdings in tokens he publicly promotes to hundreds of thousands of followers. No regulatory action has been filed; the core allegations of supply control, potential front-running, and undisclosed conflicts of interest remain contested and unproven in any legal forum.

BitoPro is a Taiwanese centralized cryptocurrency exchange operated by BitoGroup, serving over 800,000 users with TWD (New Taiwan Dollar) fiat on/off-ramps. On May 8, 2025, the exchange suffered an approximately $11.5 million hot wallet theft attributed to North Korea's Lazarus Group via a social-engineering and AWS-token-hijacking attack. The exchange did not publicly disclose the breach for approximately 25 days, only confirming the incident after on-chain investigator ZachXBT flagged suspicious outflows on June 2, 2025.

Rain (rain.com / Rain Financial) is a Bahrain-headquartered cryptocurrency exchange founded in 2017, holding licenses from the Central Bank of Bahrain and the Abu Dhabi Global Market's Financial Services Regulatory Authority. In April 2024, the exchange suffered a confirmed security breach of approximately $14.8 million in BTC, ETH, SOL, and XRP, which went undisclosed for approximately two weeks until blockchain investigator ZachXBT publicly exposed it. Rain subsequently confirmed the incident and stated that all customer funds were covered from company reserves.

Sui is a Layer 1 blockchain developed by Mysten Labs, launched in May 2023 and built on the Move programming language. The network suffered one of the largest DeFi exploits of 2025 when Cetus Protocol — its primary DEX — was drained of approximately $223 million in May 2025, triggering a controversial emergency validator vote to freeze and reclaim stolen funds that exposed deep centralization concerns. Separately, ZachXBT investigated a $29 million SUI token theft in late 2024 involving Tornado Cash laundering and subsequently announced in July 2025 that he would no longer take Sui ecosystem cases due to inadequate incident-response infrastructure and lack of support from the ecosystem.

Ethena is a DeFi protocol founded in 2023 by Guy Young that issues USDe, a synthetic dollar stablecoin backed by delta-neutral perpetual futures hedges on centralized exchanges. The protocol reached $14 billion in supply at its 2025 peak before contracting sharply to approximately $5.9 billion following a flash crash in October 2025 and BaFin's enforcement action that forced Ethena GmbH to cease EU operations. Multiple concerns have been raised including: a German regulatory shutdown citing MiCA breaches and alleged unregistered securities offerings via sUSDe; insider airdrop farming allegations involving 180 million foundation-controlled ENA tokens; two separate security incidents (Discord hack July 2024 and domain registrar compromise September 2024); and structural risks tied to funding rate volatility, exchange counterparty exposure, and an undersized reserve fund relative to protocol TVL.

CoinDCX is one of India's largest cryptocurrency exchanges, founded in 2018 and valued at $2.45 billion following Coinbase investment. In July 2025, the exchange suffered a $44.2 million security breach attributed by cybersecurity firm Cyvers to North Korea's Lazarus Group, which was first publicly identified by blockchain investigator ZachXBT before official disclosure. While customer funds were not directly affected and the exchange covered losses from treasury, the incident compounded existing concerns including co-founder arrests over alleged fraud in March 2026 and ongoing user withdrawal complaints.

SafePal is a hardware and software cryptocurrency wallet founded in 2018 by Veronica Wong and incubated by Binance Labs, with over 10 million claimed users. The platform has been surrounded by multiple serious security incidents including a malicious Firefox extension that impersonated the wallet for seven months in 2021, a Binance-backed Launchpad token (SFP), hardware vulnerabilities disclosed by Kraken Security Labs, and a $6.5–7 million theft linked to a tampered hardware wallet sold via the Chinese platform Douyin (TikTok China). SafePal itself has not been hacked directly, but its brand has been repeatedly exploited by third-party threat actors, and ZachXBT has documented its wallets appearing in fund-laundering flows.

Across Protocol is a cross-chain bridge protocol built on UMA's optimistic oracle, founded by Hart Lambur and the UMA/Risk Labs team and launched in 2021. In June 2025, pseudonymous investigator Ogle alleged that protocol insiders used undisclosed wallets to push through two governance proposals transferring approximately 150 million ACX tokens ($23 million) from the DAO treasury to Risk Labs, the team's own organization, constituting alleged self-dealing and DAO manipulation. Separate allegations from LayerZero founder Bryan Pellegrino claimed insider trading preceded a surprise Binance listing of ACX in December 2024, with the protocol subsequently proposing in early 2026 to dissolve its DAO entirely and convert to a U.S. C-corporation.

CoinsPaid is an Estonia-based cryptocurrency payment processor founded by Max Krupyshev that was targeted in two major security breaches: a $37.3 million hack in July 2023 attributed by the company and the FBI to North Korea's Lazarus Group (achieved via a sophisticated social engineering campaign using fake job offers), and a second breach in January 2024 resulting in approximately $7.5 million in losses. Despite the company's stated transparency and rapid operational recovery, the consecutive incidents raise significant concerns about its security posture and its status as a repeated high-value target for state-sponsored threat actors.

KAITO is the native token of Kaito AI, an AI-powered 'InfoFi' (information finance) platform built on Base blockchain, founded by former Citadel quantitative trader Yu Hu and launched in February 2025. On March 15, 2025, both the official Kaito AI X account and Yu Hu's personal account were compromised by hackers who spread false claims of wallet breaches while simultaneously holding short positions on KAITO, netting an estimated $1 million in profit from the manufactured price panic. The platform faced additional scrutiny from blockchain investigator ZachXBT over alleged AI bot spam incentivized by its Yaps reward system, which was ultimately sunset in January 2026 after X revoked API access to all InfoFi applications.

Hypurr NFTs are a 4,600-piece cat-themed NFT collection airdropped by the Hyper Foundation on September 28, 2025, to early Hyperliquid users who participated in the November 2024 Genesis Event. On the day of launch, blockchain investigator ZachXBT flagged the theft of eight Hypurr NFTs from compromised HyperEVM wallets, yielding approximately $400,000 in profit for the attacker. The collection itself is a legitimate product of the Hyper Foundation, but the incident exposed wallet security vulnerabilities in the HyperEVM ecosystem and coincided with a broader pattern of exploits across Hyperliquid-based protocols in late September 2025.

Strike (operated by Zap Solutions, Inc.) is a Bitcoin and Lightning Network payments application founded by Jack Mallers. The platform has faced scrutiny over a 2023 data breach it initially denied, the use of Tether (USDT) as a backing for purported USD cash balances for non-US users, and a 2026 proposed merger with Twenty One Capital (XXI) that raises serious conflict-of-interest concerns given Mallers serves as CEO of both entities.

Coinbase (NASDAQ: COIN) is the largest publicly listed cryptocurrency exchange in the United States, founded in 2012 and regulated across multiple jurisdictions. Despite its regulated status, the platform has been the subject of significant documented concerns: a May 2025 insider-enabled data breach affecting approximately 70,000 users with estimated remediation costs of $180–400 million, ongoing documented losses exceeding $300 million per year from social engineering scams targeting Coinbase users (as reported by blockchain investigator ZachXBT), a $100 million AML compliance settlement with the NYDFS in 2023, and controversies surrounding its Base Layer-2 blockchain including a disputed token launch and a contentious departure from the Optimism OP Stack ecosystem.

Cointelegraph is a major legitimate cryptocurrency news outlet that has been a victim of two distinct infrastructure compromises. In January 2024, attackers breached its email service provider MailerLite and sent phishing emails to subscribers using Angel Drainer malware, resulting in estimated losses of $580,000 to over $700,000 across affected platforms. In June 2025, attackers separately compromised Cointelegraph's banner advertising system to serve Inferno Drainer-linked pop-ups promoting a fake CTG token airdrop to site visitors.

Circle Internet Group is the issuer of USDC, the second-largest USD-pegged stablecoin by market capitalization. Circle has faced sustained criticism from blockchain investigator ZachXBT and others for its policy of refusing to freeze USDC linked to hacks or scams without a formal court order or law enforcement mandate, which critics allege has allowed over $420 million in illicit funds to flow freely since 2022. The company went public on the NYSE in June 2025 under the ticker CRCL and received conditional OCC approval for a national trust bank charter in December 2025.

Rapper Nelly (Cornell Iral Haynes Jr.) is flagged here not as a perpetrator of crypto fraud, but as a victim of an account compromise. In October 2023, an X (formerly Twitter) account associated with Nelly — handle @NellioETH — was hacked by an unknown third party who then used it to run a social engineering phishing campaign against crypto users. Blockchain investigator ZachXBT first identified and publicized the incident; specific amounts stolen from victims and detailed on-chain forensics have not been publicly confirmed.

M2 is a UAE-based cryptocurrency exchange licensed by the Abu Dhabi Global Market (ADGM) Financial Services Regulatory Authority, operating as a regulated Multilateral Trading Facility and custodian since late 2023. On October 31, 2024, the exchange suffered a $13.7 million hot wallet breach attributed to an access control vulnerability across the Bitcoin, Ethereum, and Solana networks. M2 subsequently reimbursed all affected customers from its own assets and stated it had engaged law enforcement and regulatory authorities.

Bittensor is a decentralized blockchain protocol functioning as a peer-to-peer marketplace for machine intelligence, using the TAO token to reward AI model contributors. In July 2024, the protocol was the target of a supply chain attack via a malicious version of its official PyPI package, resulting in the theft of approximately $28 million in TAO tokens from 32 wallets. A civil lawsuit filed in January 2025 alleges that former Opentensor Foundation employees orchestrated the attack, and on-chain investigator ZachXBT identified a key suspect through NFT wash-trade analysis and Railgun de-mixing.

Porkbun LLC is a legitimate ICANN-accredited domain registrar founded circa 2014-2015, headquartered in Sherwood, Oregon, and managing over 3.45 million domains. While the company is not itself a scam operation, it has attracted scrutiny from the crypto security community — including on-chain investigator ZachXBT — for hosting phishing infrastructure linked to Angel Drainer and Inferno Drainer wallet-draining services, including fake Ledger sites. Third-party tracking platforms document hundreds of flagged phishing domains registered through Porkbun and allege that the company's abuse-response enforcement has been inadequate, with a majority of reported domains remaining active after formal abuse reports.

Transak is a fiat-to-crypto on-ramp infrastructure provider founded in 2019 and serving over 8 million users across 160+ countries, with integrations into major platforms including MetaMask, Phantom, and Uniswap. In October 2024, a phishing attack on an employee's laptop led to unauthorized access to a third-party KYC vendor's dashboard, exposing the personal identity documents of approximately 92,554 users globally, including names, dates of birth, government-issued IDs, and selfie photos. The breach resulted in a $601,000 class action settlement covering U.S.-based affected users, and the Stormous ransomware group claimed responsibility, alleging extraction of over 300GB of data.

Pendle is a permissionless yield-trading protocol on Ethereum, launched in 2021 by TN Lee and Vu Nguyen, that allows users to separate and trade the principal and yield components of yield-bearing assets. In September 2024, Penpie — an independent yield optimizer built on top of Pendle — suffered a $27 million reentrancy exploit that was made possible in part by Pendle's permissionless market creation design. Although Pendle's own contracts were not directly exploited, the protocol's architecture contributed to the attack surface, and all 11,261 ETH in stolen funds were subsequently laundered through Tornado Cash.

Trezor is a legitimate Prague-based hardware wallet manufacturer (SatoshiLabs) and one of the oldest in the industry, but it has accumulated a significant threat ecosystem around its brand. A January 2024 breach of its third-party support portal exposed contact data for approximately 66,000 users, which subsequently fueled targeted phishing campaigns delivered via email, physical mail, and fake apps. Trezor hardware devices have also been subject to disclosed physical attack vectors, including an alleged unpatchable flaw in the STM32 microcontroller used in the Trezor T model.

CoinSpot is an Australian cryptocurrency exchange founded in 2013 by Russell Wilson and headquartered in Melbourne. It is registered with AUSTRAC as a Digital Currency Exchange (since May 2018) and holds ISO 27001 certification. On November 8, 2023, the platform suffered a suspected private key compromise resulting in the loss of approximately 1,283 ETH (~$2.4 million USD), with stolen funds bridged to Bitcoin via THORChain and Wan Bridge. No customer funds were reported lost in the incident.