Avoid your next
big mistake

WOOFi Swap is a decentralized exchange (DEX) built by WOO Network, operating on 12+ blockchain networks including Arbitrum, Avalanche, and Optimism, and using a proprietary synthetic Proactive Market Maker (sPMM) algorithm. On March 5, 2024, the protocol suffered a critical oracle manipulation exploit on Arbitrum in which an attacker used flash loans to manipulate WOO token pricing to near zero, stealing approximately $8.75 million; funds were not recovered. The parent platform WOO X also suffered a separate $14 million phishing-linked breach in July 2025 attributed to North Korean state-sponsored threat actors, compounding the ecosystem's security record.

1inch is a decentralized exchange (DEX) aggregator and liquidity protocol founded in 2019 by Sergej Kunz and Anton Bukov, operating across Ethereum and multiple EVM-compatible chains. The platform has experienced a series of security incidents between late 2024 and mid-2025, including a front-end supply chain attack, a private key compromise, a $5 million Fusion v1 resolver exploit, and a separate $5.87 million attack on a partner resolver — raising questions about operational security and smart contract lifecycle management. Additional concerns include alleged connections between co-founder Anton Bukov and the Russian FSS Academy, governance centralization risks, and sustained token value erosion since the 2021 peak.

GemPad is a multi-chain no-code token launchpad and crowdfunding platform operating primarily on BNB Smart Chain, Ethereum, and Base, launched around 2021. On December 17, 2024, a reentrancy vulnerability in its LP Locker V2 smart contract was exploited across three chains, draining approximately $1.9–$2.2 million in locked liquidity from at least 27 dependent projects. Stolen funds were routed through Tornado Cash, and GemPad issued no public compensation plan for affected projects.

Solareum was a Solana-based Telegram trading bot that shut down on March 30, 2024 following a security exploit that drained approximately $523,000 (2,800+ SOL) from over 300 user wallets. Prosecutors later revealed in a January 2025 court filing that the Solareum team had unknowingly hired a North Korean (DPRK) developer in December 2023, who subsequently facilitated the theft of 6,045 SOL worth roughly $1.4 million; the FBI seized approximately $950,000 in USDT two months after the hack. The project offered no compensation to victims, deleted its website and community channels, and is no longer operational.

ETHTrustFund (ticker: ETF) was a decentralized autonomous organization (DAO) built on Coinbase's Base layer-2 network that marketed itself as an OHM (Olympus DAO) fork and decentralized crypto hedge fund. On July 20, 2024, the pseudonymous lead developer known only as 'Peng' drained approximately 607 ETH (worth ~$2.1–2.2 million) from the project treasury and laundered the funds through the privacy protocols Tornado Cash and Railgun before disappearing entirely. ZachXBT has flagged this entity as a fraudulent project. The project's website, Twitter, and Telegram accounts were permanently deleted following the exit.

bandcampro is a Russian-speaking threat actor who operated an 8-month AI-assisted crypto theft and influence campaign (September 2025–May 2026) via the Telegram channel @americanpatriotus, which had accumulated roughly 17,000 subscribers over a five-year run beginning February 2021. The actor distributed a trojanized self-custody wallet called StellarMonster that deployed the GoToResolve remote access tool, enabling seed phrase harvesting and full wallet compromise. A jailbroken Google Gemini instance and 73 stolen API keys automated content generation, credential attacks, and infrastructure management. The campaign was publicly exposed by Trend Micro researchers on or around May 22, 2026.

Rublevka Team is a Russian-speaking, affiliate-driven drainer-as-a-service operation active since 2023 that has documented over $10.9 million in cryptocurrency theft across at least 240,000 wallet drain events. The group operates primarily on the Solana blockchain as of spring 2025 and markets its tooling to low-skill affiliates through Telegram bots and Russian-language cybercrime forums. No law enforcement actions or sanctions had been publicly reported as of the date of this investigation.

GNUS.AI (Genius Ventures, Inc.) is a decentralized AI computing platform that issues the GNUS token across Ethereum, Polygon, and Fantom networks. On May 5, 2024, the project suffered a $1.27 million exploit in which an attacker leveraged a Discord breach to steal private key material, mint 100 million counterfeit GNUS tokens, and sell them into live liquidity pools — causing the token price to collapse. The token has traded 98-99% below its all-time high and ZachXBT has flagged the entity as a concern in the crypto community.

Loopring is an Ethereum Layer-2 zkRollup-based decentralized exchange protocol founded in 2017 by Daniel Wang. The protocol suffered a critical June 2024 security breach in which an attacker compromised the Official Guardian two-factor authentication server, draining approximately $5 million from 58 smart wallet accounts. Subsequent to the hack, Loopring wound down its consumer wallet product, shut down DeFi services, lost listings on major exchanges including Binance, Upbit, and Bithumb, and saw its CEO resign in August 2025, leaving the project's long-term viability in serious question.

Resupply (resupply.fi / resupply.finance) is a decentralized stablecoin lending protocol built by contributors from Convex Finance and Yearn Finance, succeeding the hacked Prisma Finance protocol after a March 2024 governance vote. The protocol suffered a critical $9.6 million exploit on June 26, 2025, caused by a donation-attack vulnerability in a newly deployed ERC-4626 vault, with stolen funds laundered through Tornado Cash. The team's post-exploit governance response generated significant community controversy, including alleged silencing of critics and a disputed insurance-pool burn proposal, before the bad debt was eventually fully repaid in August 2025.

OcelotDex is a decentralized exchange (DEX) operating as an automated market maker (AMM) on ZetaChain, a cross-chain interoperability blockchain. The protocol has an extremely low total value locked of approximately $4.57 as of mid-2026, indicating near-total user abandonment. A security incident reportedly resulting in approximately $4.9 million in losses via an infinite mint and dump vulnerability was attributed to the protocol in September 2024, though independent Tier 1 or Tier 2 confirmation of this specific event remains limited.

Loopscale is a Solana-based DeFi lending protocol (formerly Bridgesplit) launched on April 10, 2025, backed by Coinbase Ventures, Solana Labs, and CoinFund. On April 26, 2025 — just 16 days after launch — the protocol suffered a $5.8 million oracle pricing exploit affecting its Genesis Vaults, an attack vector that had been flagged in its pre-launch OShield security audit but was allegedly inadequately remediated. All stolen funds were ultimately recovered via negotiation with the exploiter, and user deposits suffered no permanent loss.

Arcadia V2 is a non-custodial leverage farming and liquidity management protocol operating primarily on Base, developed by Belgium-based Arcadia Finance (founded 2021, backed by Coinbase Ventures). The protocol has suffered two serious security exploits: a July 2023 reentrancy attack on its V1 codebase draining approximately $455K across Ethereum and Optimism, and a more severe July 2025 arbitrary calldata exploit on V2's Rebalancer contract that drained approximately $3.6M on Base despite multiple prior audits. ZachXBT has flagged the protocol as a high-risk entity given this pattern of repeated critical security failures.

Typus Perp is a GMX-style perpetuals DEX operating on the Sui blockchain, developed by Typus Finance (founded by Tommy Chen). On October 15, 2025, the protocol suffered a $3.44 million oracle manipulation exploit that drained its TLP liquidity pool entirely — caused by an unaudited smart contract module that was excluded from the project's May 2025 MoveBit security audit. As of May 2026, the protocol has minimal TVL ($126K) and the stolen funds have not been recovered.

Odin.Fun (ODIN•FUN) is a Bitcoin-based meme coin launchpad and automated market maker launched in January 2025 by Bioniq co-founder Bob Bodily, designed as a Pump.fun analogue for Bitcoin Runes tokens. The platform has suffered at least four confirmed security incidents within its first year of operation, including a critical $7 million (58.2 BTC) AMM liquidity manipulation exploit in August 2025 that left the treasury insolvent and unable to fully compensate affected users. As of the latest available reporting (August–September 2025), the platform remained halted pending security audits, with no committed reopening timeline.

TrustedVolumes is an independent DeFi liquidity provider and market maker operating as a resolver within the 1inch ecosystem on Ethereum. On May 7, 2026, the platform suffered a $6.7 million exploit caused by a critical authorization flaw in its custom RFQ swap proxy contract, which allowed any external party to self-register as an approved order signer. The attacker responsible has been linked by blockchain security firm Blockaid to the March 2025 1inch Fusion V1 hack that drained approximately $5 million, marking the same operator as a serial exploiter targeting the 1inch resolver ecosystem.

Ribbon Finance is an Ethereum-based DeFi protocol that pioneered Theta Vaults (DeFi Options Vaults) for structured yield products, later expanding into the Aevo derivatives exchange. The protocol has experienced multiple serious incidents including a $2.7 million oracle exploit in December 2025 whose recovery plan drew widespread community condemnation, a 2021 Sybil attack on its token airdrop by a connected venture capital firm, and a DNS hijacking in 2022. Its native token RBN lost approximately 90% of its value in 2025 alone and sits more than 99% below its all-time high.

CrediX Finance was a DeFi lending protocol launched in July 2025 on the Sonic blockchain that suffered a $4.5 million exploit on August 4, 2025, less than one month after launch. The exploit involved a compromised or insider-controlled admin wallet that minted unbacked synthetic tokens to drain liquidity pools; the team subsequently vanished, deleted all official channels, and failed to honor public recovery promises, prompting widespread allegations of a premeditated exit scam. Note: CrediX Finance (Sonic, 2025) is a distinct entity from Credix Finance (Solana, founded 2021), which is a separate legitimate RWA protocol.

Aperture LM (also marketed as Aperture Finance) is a multi-chain DeFi liquidity management protocol that launched in 2022 and raised $12 million at a reported $250 million valuation. On January 25, 2026, the protocol suffered a critical smart contract exploit due to insufficient input validation in its V3 and V4 helper modules, resulting in $3.67 million stolen from Aperture directly and contributing to a combined ~$17 million loss across a coordinated attack that also hit SwapNet. Stolen funds were laundered through Tornado Cash, no public compensation plan for affected users has been confirmed, and the protocol's closed-source contract architecture was identified as a compounding risk factor that hindered independent security review.

Makina Finance is a non-custodial DeFi execution engine that launched in late 2025 on Ethereum, enabling automated yield strategies via tokenized vaults called Machines. On January 20, 2026, the protocol suffered a $4.13 million oracle manipulation exploit targeting its DUSD/USDC Curve stableswap pool, despite having completed six independent security audits in the months prior. The team recovered approximately $3.65 million (89% of user losses) within one week and resumed operations on January 26, 2026, though a residual 11% shortfall remained subject to a revenue-share restitution plan.

Saga is a Layer 1 blockchain protocol built on Cosmos that allows developers to deploy parallelized, VM-agnostic dedicated chains called Chainlets, with a primary focus on gaming applications. The SAGA token launched on April 9, 2024 at an all-time high of approximately $7.53, but had declined roughly 99% from that peak by late 2025. In January 2026, the protocol's SagaEVM chainlet suffered a $7 million smart contract exploit that drained bridged assets, caused the Saga Dollar stablecoin to depeg, and led to a 55% TVL crash.

Matcha Meta is a DEX meta-aggregator built on the 0x protocol by 0x Labs, launched in 2020, that routes trades across 140+ DEXs on 10+ blockchains. On January 25, 2026, a vulnerability in the SwapNet routing module — an integrated third-party liquidity provider — was exploited via an arbitrary external call flaw, draining open token allowances from users who had disabled the platform's default One-Time Approval feature. PeckShield reported initial losses of approximately $16.8M; Matcha Meta's post-mortem confirmed $13.43M in net losses across 20 affected users, with the balance attributable to a separate, concurrent $3.4M Aperture Finance exploit. Users with persistent approvals to SwapNet contracts face ongoing residual exposure until those allowances are revoked.

US Permissionless Dollar (USPD) is a decentralized, over-collateralized stablecoin protocol built on Ethereum by Permissionless Technologies, the team behind the Morpher trading platform. In December 2025, the protocol suffered a critical exploit via a clandestine proxy deployment attack — later dubbed CPIMP — that had silently compromised admin privileges since September 2025, resulting in approximately $1 million in losses. The project has undergone audits by Nethermind and Resonance Security but the exploit bypassed audited code by targeting the deployment layer, raising unresolved questions about operational security and the viability of the planned V2 relaunch.

Unleash Protocol is a decentralized intellectual property finance (IPFi) platform built on the Story Protocol blockchain, launched in early 2024. On December 30, 2025, the protocol suffered a confirmed $3.9 million exploit in which an attacker gained unauthorized administrative control through its multisignature governance system, executed an unauthorized smart contract upgrade, and laundered 1,337 ETH through Tornado Cash. The protocol subsequently paused all operations; as of early 2026 no recovery or user compensation plan has been publicly confirmed.

IoTeX is a Layer 1 blockchain and DePIN (Decentralized Physical Infrastructure Network) platform founded in 2017 by Raullen Chai, Qevan Guo, Jing Sun, and Xinxin Fan, with its native IOTX token launched via ICO in 2018. In February 2026 the project suffered a significant security incident when a compromised private key on the Ethereum side of its ioTube cross-chain bridge allowed an attacker to drain approximately $4.3–$4.4 million in assets and mint 410 million unauthorized CIOTX tokens, with total estimated damages disputed between $4.4 million (official) and $8.8 million (PeckShield). Additional concerns include a prior market-maker-linked near-zero price anomaly on Binance in October 2025, governance centralization risks from its 36-delegate Roll-DPoS consensus model, and on-chain analyst reports alleging the attacker's wallet was funded by the same entity behind the $49 million Infini Finance hack of 2025.

Hyperbridge is a cross-chain interoperability protocol built by Polytope Labs (founded by Nigerian engineers Seun Lanlege and David Salami) that uses cryptographic proofs to facilitate asset and message transfers across blockchains. On April 13, 2026, an attacker exploited a Merkle Mountain Range (MMR) proof verification vulnerability in the Token Gateway contract, minting 1 billion fraudulent bridged DOT tokens and extracting losses initially reported at $237,000 but later revised to approximately $2.5 million across Ethereum, Base, BNB Chain, and Arbitrum. The exploit occurred less than two weeks after the project publicly mocked the possibility of being hacked in an April Fools joke, and followed alleged dismissals of security researchers who had flagged vulnerabilities beforehand.

Flow is a layer-1 proof-of-stake blockchain created by Dapper Labs, the company behind NBA Top Shot and CryptoKitties, with FLOW as its native token. The project has faced a serious 2025 protocol-level exploit ($3.9M stolen), a controversial rollback proposal that drew community backlash, multiple rounds of company layoffs, a $4M securities class-action settlement, a separate $7.05M privacy lawsuit settlement, SEC investigation, and delisting from major South Korean exchanges following the breach. The FLOW token has lost over 99% of value from its April 2021 all-time high of $46.16, trading near $0.033 as of mid-2026.

Giddy (also branded DefiQ, Inc.) was a Draper, Utah-based self-custody DeFi wallet and yield-farming platform that launched its GDDY token on the Polygon network in April 2022. The project raised over $15 million from VC investors including Pelion Venture Partners, but has since shut down — leaving the GIDDY token trading more than 99% below its all-time high of approximately $0.35 in May 2022. ZachXBT has flagged the entity as a concern in the crypto trust-intelligence space, and community reviews allege that team members sold tokens prior to the app's public launch and that advertised staking yields were never delivered.

SolvBTC is the flagship wrapped Bitcoin product of Solv Protocol, designed to represent Bitcoin in DeFi systems across multiple chains. In March 2026, the BRO vault component of the protocol suffered a $2.7 million exploit due to a double-mint logic flaw in the BitcoinReserveOffering smart contract. Separately, in January 2025, the protocol faced credible public allegations of TVL manipulation prior to its SOLV token launch.

Shunda Park was a fortified forced-labor fraud compound located in Min Let Pan village, Karen State, Myanmar, operated under the protection of the junta-affiliated Democratic Karen Benevolent Army (DKBA). Workers trafficked from multiple countries were coerced into running pig-butchering cryptocurrency investment fraud schemes primarily targeting Americans from at least January through November 2025, when the Karen National Union seized the site. In April 2026, the U.S. Department of Justice charged two Chinese nationals, Huang Xingshan and Jiang Wen Jie, with wire fraud conspiracy for managing the compound; both were arrested by Thai authorities on immigration charges in early 2026 and remain in custody pending extradition proceedings.

Griffin AI is a Web3 no-code AI agent builder on BNB Chain that launched its native GAIN token on Binance Alpha on September 24, 2025. Within hours of launch, an attacker exploited a misconfigured LayerZero cross-chain peer to mint 5 billion unauthorized GAIN tokens and dump approximately $3 million worth into the market, crashing the token 87-90% and erasing roughly $36 million in market capitalization. The team subsequently enacted a token migration, a $2.5 million recovery fund, and a re-launch on October 6, 2025, though GAIN continues to trade approximately 95% below its all-time high.

Cyrus Finance is a decentralized yield-optimizer protocol operating on the BNB Smart Chain that markets itself as a high-yield DeFi platform utilizing PancakeSwap liquidity pairs and single-sided vaults. On March 22, 2026, the protocol suffered a $5 million flash loan exploit attributed to flawed pool-share accounting in its smart contracts, with no reported fund recovery. Multiple secondary domains (cyrusfinance.xyz) associated with the Cyrus Finance brand have been independently flagged as potentially malicious fake-broker sites that simulate trading activity and block user withdrawals.

Yearn Ether (yETH) is a liquid staking token aggregation vault developed by Yearn Finance, launched under YIP-72 as a self-governed, permissionless product. On November 30, 2025, the yETH weighted stableswap pool was exploited via an arithmetic underflow and stale cache vulnerability, resulting in approximately $9 million in losses — the third major security incident involving a Yearn product since 2021. Approximately $2.4 million was partially recovered; roughly $6.6 million remains unrecovered, with a significant portion laundered through Tornado Cash.

Purrlend is a non-custodial DeFi lending and borrowing protocol deployed on HyperEVM and MegaETH, operating as an Aave-style fork designed for leveraged yield farming. On April 25, 2026, the protocol suffered a multisig permission exploit that drained approximately $1.52 million across both networks, collapsing its TVL by roughly 70%. As of late May 2026, the protocol remains paused with no published post-mortem, recovery plan, or user compensation details.

BSC TMM/USDT is a Binance Smart Chain token pair that was exploited on April 4, 2026, via a flash loan-based reserve manipulation attack, resulting in an estimated loss of $1.665 million USDT. The attacker burned TMM tokens to a dead address to artificially skew pool reserves, then extracted USDT through a Constant Product Market Maker (CPMM) pricing imbalance. The TMM token contract lacked reserve synchronization on burn operations and had no verified third-party security audit on file.

An active phishing campaign exploiting Google Search sponsored advertisements to impersonate the Uniswap decentralized exchange was publicly exposed on May 25, 2026, by on-chain analyst b_block_oficial. Attackers operating two identified Ethereum wallets have allegedly stolen over $400,000 from multiple victims by deploying wallet-drainer malware services (Inferno Drainer and Vanilla Drainer), which siphon assets after victims approve malicious smart contracts on cloned Uniswap interfaces. The Security Alliance (SEAL) has confirmed blocking 356+ related fraudulent advertisement URLs and describes the broader Google Ads phishing trend as active and ongoing for more than a year.

Kame Aggregator is a decentralized exchange (DEX) aggregator protocol built on the Sei blockchain, launched in late May 2025, designed to route token swaps across multiple liquidity sources for optimal pricing. On September 13, 2025, the protocol suffered a critical smart contract exploit in which approximately $1.325 million was drained from 830 user wallets via an arbitrary external call vulnerability in its swap() function. The primary exploiter returned approximately $946,000 after negotiations, while secondary exploiters retained approximately $357,000; the team initiated a compensation program that reached over $1 million USDC in distributions by November 2025.

BetterBank is a DeFi lending and borrowing protocol built on PulseChain, launched in August 2025, offering a dual-token system (ESTEEM and FAVOR) with high-yield savings and LP-backed credit. Approximately three weeks after launch, the protocol suffered a $5 million exploit on August 26-27, 2025, caused by an unvalidated bonus reward minting function that had been flagged as a critical vulnerability by auditor Zokyo one month prior but was downgraded to 'Informational' severity and left unpatched by the team. The attacker returned approximately $2.7 million following on-chain negotiations, leaving a net loss of roughly $1.4 million; the protocol subsequently froze trading and announced relaunch plans.

Nemo Protocol is a Sui-based DeFi yield trading platform that suffered a $2.6 million exploit on September 7, 2025, caused by an unnamed developer who deployed unaudited code to mainnet while bypassing internal review processes. A security auditor had flagged a related vulnerability 27 days before the attack, which the team acknowledged it failed to address in time. The protocol's TVL has since collapsed to zero and it has been flagged as high-risk by trust intelligence sources.

Volo Vault is a yield-generating vault product operated by Volo Protocol, a BTCFi and liquid staking platform built on the Sui blockchain. In April 2026, three of its vaults were exploited via a compromised admin private key, resulting in approximately $3.5 million in losses across WBTC, XAUm, and USDC holdings. The team committed to absorbing all user losses and ultimately recovered approximately 90% of the stolen funds through coordination with the Sui Foundation, ZachXBT, and ecosystem partners.

TrapDoor is an active cross-ecosystem software supply chain attack campaign first observed on May 22, 2026, distributing credential-stealing malware across 34+ malicious packages and 384+ artifact versions on npm, PyPI, and Crates.io. The campaign targets crypto, DeFi, Solana, and AI developers to steal cryptocurrency wallet keystores, SSH keys, AWS credentials, GitHub tokens, and browser secrets. A novel component of the campaign plants hidden instructions inside .cursorrules and CLAUDE.md files — using zero-width Unicode steganography — to manipulate AI coding assistants such as Cursor and Claude Code into performing covert data exfiltration routines disguised as security scans.

Bunni V2 was a decentralized exchange and liquidity layer built on Uniswap v4, developed by Timeless Finance. On September 1-2, 2025, the protocol suffered a critical exploit draining approximately $8.4 million across Ethereum and Unichain through a rounding-direction vulnerability in its withdrawal mechanism. The team permanently shut down the protocol on October 23, 2025, citing inability to finance a secure relaunch after the exploit erased 97% of TVL.

Seedify (Seedify.fund) is a blockchain gaming incubator and IDO/IGO launchpad founded in February 2021 by Levent Cem Aydan, operating on BNB Chain, Ethereum, and Avalanche with its native SFUND token. The platform suffered a critical $1.2–1.7 million bridge exploit in September 2025 attributed by ZachXBT and CZ (Binance) to the North Korean DPRK-affiliated 'Contagious Interview' hacking campaign, causing SFUND to collapse approximately 80–99% and affecting approximately 64,000 token holders. The platform's SFUND token has declined more than 99% from its November 2021 all-time high of approximately $17.67, and the project has been flagged by ZachXBT in connection with the on-chain forensics tying the exploit to state-sponsored theft infrastructure.

FOOM Cash (foom.cash) is a pseudonymous, privacy-focused decentralized lottery protocol built on Ethereum and Base, marketed as an 'upgraded Tornado Cash' using zk-SNARKs cryptography. On February 26, 2026, the protocol suffered a $2.26 million exploit caused by a critical deployment error in its Groth16 trusted setup — a flaw publicly known from an identical exploit on Veil Cash days earlier that the team failed to patch. The team had been silent for approximately three months prior to the attack and was subsequently flagged as a notable risk by AVOID.NET due to compounding concerns: anonymous founders, serious operational negligence, misleading post-incident communications, and unverifiable audit claims.

Ranger Finance was a Solana-based perpetual contract aggregator that raised $1.9M in seed funding in January 2025 and launched its RNGR token in January 2026. Within two months of token launch, community governance voted to liquidate the project treasury following allegations that the team made materially misleading claims about trading volume and revenue during its ICO. The project formally shut down in May 2026 after the treasury liquidation and approximately $900,000 in exposure from the DPRK-linked Drift Protocol exploit left operations unsustainable, with employees and vendors not fully compensated.

Ooki Protocol (formerly bZx Protocol) is a decentralized margin trading and lending protocol on Ethereum that was the subject of the first-ever CFTC enforcement action against a DAO, resulting in a 2023 default judgment ordering the protocol to cease operations and pay $643,542 in penalties. The protocol suffered four separate security incidents between 2020 and 2021 totaling over $64 million in losses, including a $55 million phishing-based hack attributed by Kaspersky to the North Korean state-linked BlueNoroff group. Following the CFTC judgment, the Ooki DAO's website was ordered shut down and the protocol has been effectively defunct.

Gate.io (formerly Bter.com) is a centralized cryptocurrency exchange founded in 2013 by Han Lin, serving over 30 million users across 224 countries. The exchange has been flagged by on-chain investigator ZachXBT for allegedly concealing a $230 million hack attributed to North Korean state-sponsored hackers (Lazarus Group) that occurred in April 2018 and was never publicly disclosed to users. Additional concerns include a manipulated futures price feed incident causing millions in user losses in 2025, an AML-based ban by India's Financial Intelligence Unit in 2024, persistent user complaints about frozen withdrawals, and alleged wash trading activity inflating reported volumes.

Pickle Finance was an Ethereum-based DeFi yield aggregator launched in September 2020 that suffered a critical smart contract exploit on November 21, 2020, resulting in the theft of approximately 19.76 million DAI (roughly $19.7 million) from its pDAI PickleJar. The exploit, known as the 'Evil Jar Attack,' combined three design flaws in unaudited contract code and led to a 50% collapse in the PICKLE token price, with hack proceeds later laundered through Tornado Cash. The protocol subsequently merged with Yearn Finance but never meaningfully recovered; it officially announced its shutdown in 2025 with the UI disabled on October 1, 2025.

Solana MEV sandwich bots are automated programs that exploit Solana's transaction ordering mechanisms to front-run and back-run retail user trades, extracting an estimated $370 million to $500 million from users between January 2024 and May 2025. The practice has drawn enforcement responses from the Solana Foundation, Jito Labs, and Marinade Finance, and is the subject of an active federal class-action lawsuit in the Southern District of New York naming Pump.fun, Solana Labs, and related entities. While coordinated countermeasures reduced attack profitability by an estimated 60-70% in 2025, attacks continue and disproportionately harm memecoin traders using high slippage settings on Raydium and Pump.fun.

xToken (XTK) was a DeFi protocol offering wrapped staking tokens and liquidity management on Ethereum, founded by Michael J. Cohen in 2020. The protocol suffered two major flash loan exploits in 2021 — a $24.5 million attack in May and a $4.5 million attack in August — resulting in total losses exceeding $29 million and the permanent retirement of its flagship xSNX product. The XTK governance token subsequently lost approximately 99.84% of its value, and compensation paid to victims was significantly below the amounts stolen.

StableMagnet was a stablecoin yield and DEX protocol launched on Binance Smart Chain (BSC) that executed a deliberate rug pull on June 23-24, 2021, stealing approximately $27 million in USDT, USDC, and BUSD from over 1,000 users. The team concealed a malicious backdoor by substituting an unverified SwapUtils library for the one shown in publicly audited source code — a novel attack vector that exposed a critical gap in how block explorers verify linked library code. Following an anonymous white-hat investigation and Manchester police arrests, most of the stolen funds were eventually returned by late 2022.

Spartan Protocol is a decentralized liquidity and synthetic-asset protocol that launched on Binance Smart Chain (BSC) in 2020 and was operated by a fully anonymous, community-driven team. On May 2, 2021, a critical vulnerability in the protocol's liquidity-share calculation logic was exploited via flash loan, resulting in approximately $30 million in stolen funds — ranking it among the largest DeFi exploits of that era. The protocol attempted a v2 rebuild with re-audited contracts but has since fallen to near-zero TVL and market cap, with no meaningful development activity recorded after 2024.

Trenton Richard David Johnston is a 19-year-old Canadian national indicted by a federal grand jury in the Southern District of Florida on May 11, 2026, on charges of conspiracy to commit wire fraud and conspiracy to commit money laundering. Johnston allegedly led a support-impersonation scheme targeting cryptocurrency users that caused losses exceeding $13 million. He was residing in the United States unlawfully on an overstayed visa and is alleged to have spent over $1 million in stolen funds on luxury vehicles, jewelry, and nightlife in Miami.

Kelsier Ventures (also operated as Kelsier Labs LLC) is a Delaware-registered crypto venture capital and marketing firm controlled by the Davis family — Hayden Davis (CEO), Gideon Davis (COO), and Tom Davis (Chairman) — with Charles Thomas Davis also named in litigation. The firm is a co-defendant in two active federal class-action lawsuits in the U.S. District Court for the Southern District of New York alleging it served as the marketing and execution arm for a coordinated serial pump-and-dump scheme spanning at least 15 Solana-based memecoins, including MELANIA, LIBRA, M3M3, ENRON, and TRUST, resulting in alleged investor losses exceeding $69 million across the five focal tokens and an estimated $251–280 million in LIBRA alone. Hayden Davis publicly admitted to sniping both the MELANIA and LIBRA tokens, and blockchain analytics firm Bubblemaps documented on-chain evidence linking Davis-controlled wallets to more than $100 million in alleged liquidity extraction.

Riscoin is an alleged cryptocurrency copy-trading investment scheme operated under the corporate umbrella of League of Seagull Ltd. and its associated brand Seagull Alliance. On May 14, 2026, the Philippine Securities and Exchange Commission issued a cease-and-desist order against Riscoin, Riscoin Exchange, Riscoin Trading, League of Seagull Ltd., and Seagull Alliance for soliciting unregistered securities and operating a fraudulent, Ponzi-like scheme. Multiple regulators in New Zealand, Australia, and the Philippines have independently warned the public against the platform, and the scheme is alleged to have collapsed in May 2026 when withdrawal fees were raised to 99.8 percent, effectively blocking all investor redemptions.

ElementalDeFi is a Solana-based DeFi fund and lending platform founded in September 2022 that offers yield products including Elemental Lend, the Geyser Fund, and the Geodium Fund. On April 7, 2026, blockchain investigator ZachXBT publicly disclosed that an individual identified as Keisuke Watanabe — an alleged North Korean IT operative — had been employed at the project for multiple years, and that the same individual served as CTO at the related Solana DEX Stabble. As of May 22, 2026, ElementalDeFi has issued no public response, audit findings, or remediation plan, leaving unresolved the risk that the operative may have introduced backdoors or malicious code into the protocol's production smart contracts.

Stabble is a Solana-based decentralized exchange (DEX) that specializes in stablecoin liquidity pools. On April 7, 2026, onchain investigator ZachXBT publicly identified the protocol's former CTO, operating under the name Keisuke Watanabe, as an alleged North Korean DPRK IT operative who had also worked at Solana DeFi project ElementalDeFi. Following the disclosure, Stabble's new management team issued an emergency alert urging all liquidity providers to withdraw funds immediately, citing the unquantified risk of planted backdoor code; TVL collapsed 62% within hours and the protocol halted operations pending fresh security audits.

A coordinated international law enforcement operation announced on April 29, 2026, dismantled at least nine cryptocurrency investment fraud compounds operating across Southeast Asia and Dubai, resulting in 276 arrests and the restraint of over $701 million in cryptocurrency. The operation was led by Dubai Police in cooperation with the FBI, China's Ministry of Public Security, and Royal Thai Police, targeting 'pig-butchering' romance fraud schemes operated by three alleged criminal organizations—Ko Thet Company, Sanduo Group, and Giant Company—whose compounds employed trafficked workers held under coercive conditions. The U.S. Department of Justice charged six defendants in the Southern District of California, and separately charged two Chinese nationals for managing the Shunda compound in Myanmar; related OFAC sanctions targeted a Cambodian senator and 28 associates for protecting scam compound networks.

Meteora is a Solana-based decentralized exchange and liquidity protocol, originally founded as Mercurial Finance before rebranding in 2023. Its co-founder Benjamin Chow resigned in February 2025 amid allegations that the platform's infrastructure was used to orchestrate coordinated pump-and-dump schemes across at least 15 tokens including LIBRA, MELANIA, M3M3, ENRON, and TRUST, causing an estimated $69 million or more in retail investor losses. Multiple class-action lawsuits are active in the Southern District of New York asserting fraud, RICO violations, and market manipulation; the protocol also issued a $4.2 million MET token airdrop to wallets linked to the Trump team hours after the amended complaint was filed, with all tokens immediately sent to OKX.

John Daghita, age 25, known online as 'Lick,' is a US national arrested on March 4, 2026, on the Caribbean island of Saint Martin in a joint FBI and French Gendarmerie operation. He is alleged to have stolen more than $46 million in cryptocurrency from wallets managed by the US Marshals Service through insider access tied to CMDSS, a Virginia-based private contractor operated by his father, Dean Daghita. Following his public identification by blockchain investigator ZachXBT in January 2026, Daghita launched the $LICK meme coin on Pump.fun while allegedly controlling approximately 40% of total supply; the token surged before crashing 97%, and Pump.fun delisted it mid-trading.

A fraudulent meme coin operating under the ticker ERICTRUMP launched on Pump.fun (Solana) on May 16, 2025, surging approximately 6,200% to a peak market cap of $160 million before collapsing to roughly $30,000 in a confirmed rug pull. No affiliation with Eric Trump was established. The deployer wallet, partially identified on-chain by the prefix 'BjTm', had previously deployed at least three other failed Eric Trump-themed tokens on Pump.fun, indicating a serial impersonation operation. Blockchain analytics firm Bubblemaps issued a public pre-collapse warning citing greater than 80% supply concentration in ten wallets.

Vulcan Forged is a UK-based blockchain gaming studio and NFT marketplace operating on Polygon and its own Elysium Layer-1 blockchain, best known for VulcanVerse and its native PYR token. In December 2021 the platform suffered one of the largest gaming-sector hacks on record: an attacker exploited Vulcan Forged's servers to extract private keys from 96 semi-custodial wallets, stealing approximately 4.5 million PYR tokens then valued at roughly $140 million. The platform subsequently refunded affected users from its treasury and pledged to migrate to non-custodial wallets, but the incident exposed fundamental centralization and custodial risks in its architecture.

Parity Multisig was a multi-signature wallet implementation developed by Parity Technologies, founded by Ethereum co-founder Gavin Wood. The software suffered two catastrophic security failures in 2017: a July hack in which 153,037 ETH (approximately $30–32 million at the time) was stolen from three Ethereum project wallets via an unguarded initialization function, and a November incident in which GitHub user devops199 accidentally triggered a self-destruct on the shared library contract, permanently freezing 513,774 ETH (approximately $150–280 million at the time) across 587 wallets. The frozen funds have never been recovered, and the July 2017 attacker resumed laundering stolen ETH through the exchange eXch in May 2024 after seven years of inactivity.

Portal (PORTAL) is a Web3 gaming platform and cross-chain token project that launched on Binance Launchpool on February 29, 2024, reaching an all-time high of approximately $4.41 before collapsing over 99% to below $0.01 by late 2025. The project has been flagged due to concerns including extreme token holder concentration, a low audited code coverage percentage, a pre-seed investor price roughly 30x below the listing price creating immediate sell pressure, active phishing and wallet-drainer campaigns impersonating the project, and a partially anonymous founding team. No formal regulatory action by the SEC, CFTC, or DOJ has been publicly confirmed as of May 2026.

pNetwork is a cross-chain bridge and interoperability protocol built on the pTokens architecture, enabling assets to move between Bitcoin, Ethereum, BNB Chain, and other networks via wrapped synthetic tokens. The protocol has suffered two major security incidents — a September 2021 pBTC-on-BSC hack losing approximately $12 million, and a November 2022 pGALA incident that triggered a $28 million lawsuit by Gala Games and Huobi alleging pNetwork's own engineers caused the vulnerability through a leaked private key, then allegedly profited from a self-described 'white hat' rescue. As of 2025, the PNT governance token trades at a fraction of its 2021 peak and the protocol operates with negligible market capitalization and trading volume.

The DAO was a decentralized autonomous organization launched on the Ethereum blockchain in April 2016 that raised approximately $150 million in Ether — the largest crowdfunding to date at the time — before being drained of 3.6 million ETH (roughly $50–60 million) on June 17, 2016, via a reentrancy vulnerability in its smart contract code. The hack triggered an acrimonious debate over blockchain immutability and led to a contentious hard fork of the Ethereum network on July 20, 2016, splitting it into Ethereum (ETH) and Ethereum Classic (ETC). In 2017 the U.S. SEC concluded that DAO tokens constituted unregistered securities, marking a landmark regulatory precedent for the entire crypto industry.

BONK.fun (also styled LetsBonk.fun) is a Solana-based meme coin launchpad that launched on April 25, 2025, as a joint initiative between the BONK community and the Raydium protocol, enabling no-code token creation with automatic BONK buyback-and-burn mechanics. On March 11–12, 2026, the platform suffered a domain hijack via social engineering against its domain registrar; attackers deployed a wallet drainer disguised as a fake terms-of-service modal, resulting in approximately $30,000 in confirmed losses before the site was taken offline. The platform relaunched on March 19–20, 2026, with a 110% refund commitment to affected users and enhanced security measures.

MAP Protocol is a cross-chain omnichain infrastructure project founded in 2019, issuing the MAPO token and operating the Butter Bridge for cross-chain asset transfers. On May 21, 2026, an attacker exploited an abi.encodePacked hash-collision vulnerability in Butter Bridge V3.1's retry-message path, minting approximately 1 quadrillion MAPO tokens — roughly 4.8 million times the legitimate circulating supply — causing a 96% token price collapse and extracting approximately $290,000 in combined ETH and liquidity. MAP Protocol subsequently paused all bridge operations and announced plans to patch, audit, and redeploy the bridge infrastructure.

Coincheck is a Tokyo-based cryptocurrency exchange that suffered what was, at the time, the largest cryptocurrency hack in history on January 26, 2018, when approximately 523 million NEM (XEM) tokens valued at roughly $534 million were stolen from a low-security hot wallet. The exchange was operating without a Financial Services Agency (FSA) license at the time of the breach, had failed to implement standard multisignature security for NEM holdings, and received multiple business improvement orders from Japanese regulators in the aftermath. Coincheck was subsequently acquired by Monex Group in April 2018, obtained its FSA license in January 2019, and listed on the Nasdaq in December 2024 via a SPAC merger under the ticker CNCK.

dForce Lending (operating as Lendf.Me) is a Chinese-founded DeFi lending protocol that suffered a landmark ~$25 million ERC-777 reentrancy exploit in April 2020 — one of the largest DeFi hacks of that year — and a second reentrancy attack in February 2023 that drained $3.65 million. In both incidents, stolen funds were ultimately returned after the attackers were identified or negotiated with. The protocol has also faced persistent allegations of plagiarizing Compound Finance's open-source smart contract code without attribution, and a 2021 ConsenSys Diligence audit flagged centralised owner controls capable of draining user funds. ZachXBT has flagged dForce as a high-risk entity.

KuCoin is a global cryptocurrency exchange founded in 2017 that has accumulated one of the most serious regulatory and security records in the industry. The exchange suffered a $285 million hot-wallet hack in September 2020 attributed to North Korea's Lazarus Group, and in January 2025 pleaded guilty to operating an unlicensed money transmitting business in the United States, agreeing to pay over $297 million in fines and forfeitures and exit the US market for at least two years. On-chain investigator ZachXBT has publicly alleged that KuCoin continues to enable illicit fund flows by ignoring victim and law enforcement requests.

Eminence Finance (EMN) was an unfinished, unaudited NFT gaming protocol being developed by Yearn Finance founder Andre Cronje that was exploited on September 29, 2020, resulting in the theft of approximately $15 million in DAI from its bonding curve contracts. The contracts had never been officially announced or released to the public, but community members discovered and deposited into them after Cronje's cryptic tweets; the attacker returned $8 million to Cronje's deployer address but $7 million was never recovered. The incident became a defining case study in DeFi's 'degen' culture and the risks of deploying unaudited smart contracts to Ethereum mainnet.

Dritan Kapllani Jr. is an 18-year-old US-based individual publicly identified by on-chain investigator ZachXBT on May 12, 2026, as allegedly responsible for approximately $19 million in cryptocurrency social engineering thefts spanning August 2025 through March 2026. He is named as 'Co-Conspirator 1' in a federal criminal complaint (case no. 26-cr-20181, S.D. Fla.) unsealed May 11, 2026, charging associates Trenton Richard David Johnston and Brandon Michael Tardibone, though Kapllani himself had not been formally charged as of May 15, 2026. Following ZachXBT's public exposure, Kapllani allegedly moved $2.59 million in funds into harder-to-freeze assets through a newly created wallet.

Harvest Finance is a decentralized yield-aggregation protocol (token: FARM) that suffered a landmark $33.8 million flash loan-based price manipulation attack on October 26, 2020, one of the largest DeFi exploits of that year. Pre-attack, the protocol held over $1 billion in TVL while being governed by a single anonymous admin key—a concentration of power flagged by multiple security auditors and researchers. The protocol continues to operate with substantially reduced TVL (~$12 million as of 2025), though the stolen funds were never recovered and the attacker was never publicly identified or charged.

Yearn Finance is a decentralized yield aggregator on Ethereum that routes user deposits into lending protocols to maximize returns. Founded by Andre Cronje in 2020, the protocol has suffered at least four documented security exploits between 2021 and 2025, with aggregate losses exceeding $20 million, and its founder departed in 2022 citing sustained pressure from an SEC investigation. Governance concerns, an interconnected web of affiliated DeFi protocols implicated in their own major hacks, and repeated failures to deprecate vulnerable legacy code compound the protocol's risk profile.

LuBian (lubian.com) was a China-based Bitcoin mining pool that briefly ranked among the world's six largest before ceasing operations in early 2021. The pool is alleged to have functioned as a money laundering vehicle for Chen Zhi's Prince Group, a transnational criminal organization that operated forced-labor pig-butchering scam compounds in Cambodia. In October 2025, the U.S. Department of Justice announced the largest forfeiture in its history — approximately 127,271 BTC (~$15 billion) — directly linked to LuBian and Chen Zhi's criminal enterprise.

Compounder Finance was an Ethereum-based DeFi yield aggregator that launched in November 2020 and executed a deliberate rug pull approximately 22 days later, stealing between $10.8 million and $12.5 million from investors. Anonymous developers embedded hidden 'Evil Strategy' smart contracts behind a publicly visible but unmonitored 24-hour timelock, then drained all user funds and deleted the project's website and social media accounts. No funds were recovered and the perpetrators have never been publicly identified.

Value DeFi (formerly YFValue/YFV) was a DeFi yield aggregation and AMM protocol that suffered three documented security exploits between August 2020 and May 2021, resulting in combined losses of approximately $24 million. Beyond the technical failures, the project was found to have used a paid actress from Fiverr to impersonate a co-founder named 'Anna Tanaka,' raising severe concerns about team identity, transparency, and intent. The VALUE token is effectively defunct, trading at a fraction of a cent with a near-zero market cap.

BlockFills (operated by Reliz Technology Group Holdings, Inc.) was a Chicago-based institutional cryptocurrency trading and lending firm that processed $61.1 billion in volume in 2025 before filing for Chapter 11 bankruptcy in the U.S. Bankruptcy Court for the District of Delaware on March 15, 2026. The firm suspended client withdrawals and deposits on February 11, 2026, amid approximately $75 million in accumulated lending losses, and subsequently faced two civil lawsuits alleging misappropriation of customer assets and commingling of client funds with company funds. At the time of filing, BlockFills reported assets of $50 million to $100 million against liabilities of $100 million to $500 million, with approximately $145 million in general unsecured obligations.

LAB is the native token of an AI-powered multi-chain trading terminal that launched via a Binance Wallet exclusive Token Generation Event in October 2025. In May 2026, on-chain investigator ZachXBT published two investigations alleging that insiders controlled more than 95% of the token supply, coordinated a pump to a $6 billion fully diluted valuation, and withdrew approximately 100 million LAB tokens worth $480 million through 10 freshly created wallets before the price crashed more than 65%. The alleged scheme involved a BVI-registered shell company, predatory OTC loan agreements, unilateral vesting changes, and on-chain links to a broader pattern of exchange-facilitated supply-control manipulation attributed to an unknown market maker operating primarily through Bitget.

BlockDAG Network (BDAG) is a cryptocurrency project that ran a presale from December 2023 through February 2026, claiming to raise over $442 million, though its CEO stated publicly the actual figure was approximately $200 million. On-chain investigator ZachXBT and a DL News investigation have alleged that the project's true co-founder, Gurhan Kiziloz, operated behind the scenes while using a paid frontman as public CEO, transferred presale funds through Middle Eastern OTC brokers, and commingled at least $25 million in presale proceeds from BlockDAG and a sister project (ZKP) to pay influencers promoting Kiziloz's casino venture. Following its February 2026 token launch, BDAG fell approximately 99.98% from its all-time high within two months.

DSJEX (DSJ Exchange PTY Ltd) and its sister recruitment platform BG Wealth Sharing LTD operated for approximately twelve months as a coordinated fake AI trading platform and multi-level marketing Ponzi scheme, collapsing in late April and early May 2026 with estimated investor losses exceeding $150 million. The scheme attracted victims through promises of 1.3%–2.6% daily returns, a fabricated CEO persona, and MLM referral commissions, while operators ran simulated trading on a fraudulent backend. Following a U.S. domain seizure and law enforcement action on April 23, 2026, operators laundered over $92 million across Ethereum and Tron before a coordinated effort by on-chain investigator ZachXBT, Tether, Binance, OKX, and U.S. law enforcement froze $41.5 million in stolen funds.

The Verus-Ethereum Bridge is a cross-chain asset transfer protocol connecting the Verus blockchain to Ethereum, launched in October 2023. On May 18, 2026, a critical validation flaw in the bridge's checkCCEValues function was exploited, allowing an attacker to drain approximately $11.58 million in assets — comprising 103.6 tBTC, 1,625 ETH, and 147,000 USDC — at a cost of roughly $10 in transaction fees. All stolen funds were converted to approximately 5,402 ETH and subsequently moved through Tornado Cash.

Echo Protocol is a Bitcoin liquidity aggregation and yield infrastructure protocol operating on the Monad and Aptos blockchains, offering liquid staking, restaking, and cross-chain DeFi services through its wrapped Bitcoin asset eBTC. On May 19, 2026, the protocol suffered a critical admin key compromise on its Monad deployment, enabling an attacker to mint approximately 1,000 unauthorized eBTC tokens worth $76.7 million and borrow $3.45 million in WBTC through the Curvance lending protocol, ultimately laundering roughly $822,000 through Tornado Cash. The incident exposed severe centralized access-control failures in a protocol marketed as trustless Bitcoin DeFi infrastructure.

Alpha Finance Lab (later rebranded to Alpha Venture DAO, then Stella) is a DeFi protocol best known for its leveraged yield farming product Alpha Homora. On February 13, 2021, Alpha Homora V2 was exploited for approximately $37.5 million via a sophisticated attack that required insider knowledge of an unannounced smart contract, draining funds from its Iron Bank (Cream Finance) integration. By March 2023, the protocol had repaid less than 2% of the resulting $32 million debt to Iron Bank despite a formal repayment agreement, triggering a second crisis in which user funds were frozen.

EasyFi was a Layer 2 DeFi lending protocol operating on Polygon Network, forked from Compound Finance, that suffered one of the largest DeFi hacks of 2021 when an attacker compromised the CEO's MetaMask admin keys on April 19, 2021, stealing approximately $81 million in EASY tokens and stablecoins. The protocol attempted a hard fork and compensation plan, but a significant portion of token holders on decentralized exchanges alleged they remained uncompensated, and community members raised concerns about transparency, censorship of dissent, and the fundamental security failure of managing over $100 million in assets through a single admin key held in a browser extension. ZachXBT has flagged EasyFi as a high-risk entity.

Uranium Finance was a Binance Smart Chain-based automated market maker (AMM) that was exploited twice in April 2021, resulting in total losses of approximately $54.7 million. The larger exploit on April 28, 2021, drained roughly $53.3 million across 26 liquidity pools due to a mathematical error in its forked Uniswap v2 pair contracts; the protocol subsequently shut down permanently. In March 2026, U.S. authorities indicted Jonathan Spalletta, a Maryland resident, on computer fraud and money laundering charges in connection with both attacks, after previously seizing approximately $31 million in cryptocurrency in February 2025.

Meerkat Finance was a Binance Smart Chain yield-vault protocol that launched on March 3, 2021 and was drained of approximately $31.56 million in BUSD and BNB less than 24 hours later. On-chain evidence indicates the project's own deployer address executed the exploit, pointing to an intentional exit scam rather than an external hack. A developer identifying as 'Jamboo' subsequently claimed the drain was a 'trial' testing user greed, promised full refunds, and approximately 95% of funds were eventually recovered under heavy pressure from Binance and the BSC community.

PAID Network is an Ethereum-based DeFi launchpad and legal-contract protocol whose native PAID token suffered a catastrophic infinite mint exploit on March 5, 2021, resulting in approximately 59.5 million tokens being minted and ~2,040 ETH (~$3 million at the time) extracted before the team intervened. Significant on-chain evidence and community investigators raised allegations that the attack was an insider job or was enabled by gross negligence over a known vulnerability, though the team maintained it was an external private-key compromise. The token has since declined over 99% from its all-time high and retains a negligible market capitalization as of 2025-2026.

y00ts is a generative art NFT collection of 15,000 pieces created by Rohun Vora (known as 'Frank') and DeLabs, originally launched on Solana in September 2022. The project became notable not only for its peak valuations during the 2022 NFT boom but for an unusually turbulent migration history — leaving Solana for Polygon with a $3M grant, then abandoning Polygon for Ethereum after just four months and returning the grant, before ultimately migrating back to Solana in 2024. The project's credibility has been repeatedly questioned by its community following these pivots, the founder's May 2025 resignation, and a disputed wallet breach incident.

Rari Capital was a DeFi yield-aggregation and lending protocol launched in July 2020 by teenage co-founders Jai Bhavnani, Jack Lipstone, and David Lucid. It suffered two major security exploits — a $11 million hack in May 2021 and an $80 million reentrancy hack in April 2022 — and subsequently merged with Fei Protocol to form Tribe DAO before winding down in 2022. In September 2024, the SEC secured final court judgments against the company and all three co-founders for misleading investors and operating as unregistered brokers.

Popsicle Finance is a cross-chain automated yield optimization protocol, launched in March 2021, that suffered a critical $20.7 million exploit in August 2021 due to a reward-tracking vulnerability in its Sorbetto Fragola pools. The protocol is part of Daniele Sestagalli's 'Frog Nation' ecosystem alongside Wonderland (TIME) and Abracadabra Money (MIM), which was later engulfed in a major scandal when the treasury manager of Wonderland was revealed to be Michael Patryn, a convicted felon and co-founder of the fraudulent QuadrigaCX exchange. The project subsequently rebranded as WAGMI in 2023 but remains a high-risk entity given the severity of the 2021 exploit, the laundering of stolen funds through Tornado Cash, and the broader Frog Nation governance failures.

Poly Network was a cross-chain interoperability protocol launched in August 2020 by Neo, Ontology, and Switcheo. It suffered the largest DeFi hack in history in August 2021 (~$611M stolen, nearly all returned), followed by a second exploit in July 2023 (~$10M realized losses) attributed to compromised multisig private keys. The protocol permanently shut down all services on September 30, 2024.

bEarn.fi (BearnFi) is a Binance Smart Chain-based cross-chain yield farming and algorithmic stablecoin protocol that launched in late 2020. On May 16, 2021, an attacker exploited a smart contract denomination mismatch to drain approximately $10.85 million in BUSD from the protocol's bVaults via a flash loan attack. The project subsequently became inactive, with its native BFI token recording no price data after mid-2023 and a market capitalization of effectively zero. The entity has been flagged by ZachXBT.

PancakeBunny (Bunny Finance) was a Binance Smart Chain yield-optimizer developed by the anonymous team MOUND (Mound Inc.), which received a $1.6 million seed round led by Binance Labs in April 2021. The protocol suffered three separate exploits across 2021–2022 totaling over $127 million in losses, including a $45 million flash loan attack in May 2021, a $2.4 million polyBUNNY exploit on Polygon in July 2021, and an $80 million hack of its affiliated lending protocol Qubit Finance in January 2022. The BUNNY token has lost more than 99% of its all-time high value, the protocol transitioned to a DAO structure in early 2022, and no stolen funds from any exploit were publicly confirmed as recovered.

DeGods is a 10,000-piece NFT collection originally launched on Solana in October 2021 by Rohun Vora (known publicly as 'Frank DeGods'), which rose to become one of the most prominent Solana NFT projects before a series of controversial chain migrations, leadership changes, and product missteps substantially eroded community trust and floor value. The project migrated from Solana to Ethereum in early 2023, its sister collection y00ts moved to and then departed from Polygon, and both collections later bridged back to Solana in 2024. Rohun Vora resigned as CEO in May 2025 amid falling floor prices, a suspicious wallet incident, and unresolved community grievances around governance and tokenomics.

C.R.E.A.M. Finance (Crypto Rules Everything Around Me) is a decentralized lending and borrowing protocol launched in August 2020, forked from Compound Finance. The protocol suffered three major exploits in 2021 totaling approximately $185 million in losses, making it one of the most frequently and severely hacked DeFi protocols in history. On-chain investigator ZachXBT flagged the protocol and its founders, and the CREAM token has collapsed more than 99% from its all-time high.

Mirror Protocol was a Terra-based DeFi platform enabling synthetic assets (mAssets) that tracked prices of US stocks. The protocol suffered a $90 million exploit in October 2021 that went undetected for seven months, a governance attack campaign in December 2021 targeting $40 million in community funds, and a second $2 million oracle exploit in May 2022. It became permanently inactive in August 2022 following the catastrophic collapse of the Terra/LUNA/UST ecosystem, which was orchestrated by its parent company Terraform Labs under Do Kwon, who was subsequently convicted of fraud and sentenced to 15 years in prison.

Indexed Finance was an Ethereum-based decentralized protocol offering passively managed index pools, launched in late 2020. On October 14, 2021, the protocol suffered a sophisticated $16 million flash loan exploit targeting its DEFI5 and CC10 pools, destroying most user funds. The alleged attacker, Canadian mathematics prodigy Andean Medjedovic, was later charged by U.S. prosecutors in February 2025 in connection with $65 million in combined DeFi thefts and remains a fugitive as of early 2026.

Frank DeGods, the pseudonym of Rohun Vora, is the founder and former CEO of DeLabs, the company behind the DeGods and y00ts NFT collections. He stepped down as CEO in May 2025 after a period of sustained controversy including allegations of mismanagement, insider trading accusations tied to the LIBRA token scandal, a disputed post-resignation wallet compromise, and a series of contentious cross-chain migrations. No formal charges or regulatory actions have been filed against Vora as of the time of this report.

Vee Finance is a decentralized lending and leveraged trading protocol deployed on the Avalanche blockchain that launched its mainnet on September 14, 2021. Within one week of launch, on September 20-21, 2021, an attacker exploited price oracle manipulation and a decimal calculation error in the protocol's smart contracts, draining approximately $35 million in ETH and BTC — a hack that ranks among the largest DeFi exploits on Avalanche. The protocol relaunched as V2 with improved security measures including Chainlink oracle integration, but the stolen funds were never recovered, and activity and token value have declined precipitously since the incident.

Compound V2 is a legacy Ethereum-based decentralized lending protocol launched in May 2019 and formally deprecated in December 2025 in favor of Compound V3 (Comet). The protocol has experienced a series of material incidents including a ~$80M COMP token distribution bug in October 2021, a $89M oracle-driven liquidation cascade in November 2020, a confirmed website hijack flagged by ZachXBT in July 2024, a social media phishing hack in 2023 that resulted in $4.4M in losses, and an alleged governance attack in July 2024 in which a whale coordinated the passage of a $24M treasury transfer. V2 is now in wind-down mode with new borrows and mints paused.

AnubisDAO was an OlympusDAO fork that launched on October 28, 2021, and raised approximately 13,556 WETH (roughly $60 million) in under 20 hours through a Copper Liquidity Bootstrapping Pool. Before the sale concluded, the entire pool was drained to an external wallet, wiping investors to zero; on-chain investigator ZachXBT later identified two pseudonymous actors — Beerus and Ersan — as the likely perpetrators, and traced the stolen funds through Tornado Cash in 2023. No criminal charges have been publicly confirmed, no investor recovery has occurred, and the ANKH token is worthless.

AscendEX (formerly BitMAX) is a Singapore-based cryptocurrency exchange founded in 2018 that suffered one of the largest centralized exchange hot wallet hacks on record in December 2021, with approximately $77.7 million stolen across Ethereum, Binance Smart Chain, and Polygon networks. The exchange operates without regulatory authorization in major jurisdictions including the UK (FCA warning issued) and France (AMF blacklisted), and has accumulated a Trustpilot rating of 1.3/5 driven by user reports of frozen funds, unannounced token delistings, and unresponsive customer support. The exchange received a $50 million Series B investment in November 2021 — just weeks before the hack — from backers including Alameda Research, a firm later implicated in the collapse of FTX.

Grim Finance was a Fantom-based DeFi yield optimizer (fork of Beefy Finance) that suffered a devastating reentrancy exploit on December 19, 2021, resulting in approximately $30 million in user funds stolen. The vulnerability — a missing reentrancy guard in the depositFor() function — had existed in an audited codebase and was classified by security researchers as an entirely preventable, well-understood attack class. The protocol has since collapsed to a near-zero TVL of roughly $29,000 and its proposed compensation plan yielded no meaningful restitution for affected users.

A fraudulent mobile application impersonating Hyperliquid, the decentralized perpetuals exchange, was identified on the Google Play Store in November 2025 by on-chain investigator ZachXBT. The app, published under the developer name 'Tvtion Inc.', replicated Hyperliquid's branding and interface to harvest users' seed phrases, transmitting them to an external server. An Ethereum address linked to the operation has been associated with thefts exceeding $281,000; Hyperliquid has never released an official mobile application, making any such listing inherently fraudulent.

Ledger SAS is a Paris-based hardware cryptocurrency wallet manufacturer founded in 2014, producing the Nano S and Nano X devices used by millions worldwide. Despite its status as a legitimate and established company, Ledger has been involved in two major security incidents: a 2020 customer database breach exposing over 1 million email addresses and 272,000 physical addresses, and a December 2023 supply chain attack on its @ledgerhq/connect-kit npm package that drained approximately $600,000–$850,000 from users of multiple DeFi protocols via the Angel Drainer malware-as-a-service. A third-party data breach via payment processor Global-e was disclosed in January 2026.

Chris Larsen is the co-founder and Executive Chairman of Ripple, one of the most prominent figures in the XRP ecosystem. On January 30, 2024, attackers drained an estimated 213–283 million XRP (valued at $112.5–$150 million) from his personal cryptocurrency accounts — not Ripple corporate wallets — in what became the largest individual crypto theft of 2024. A U.S. government forfeiture complaint filed in March 2025 linked the breach to the 2022 LastPass password manager hack, alleging that private keys had been stored in an online vault subsequently compromised by attackers.

Tornado Cash is a decentralized, non-custodial cryptocurrency mixing protocol deployed on Ethereum in December 2019, co-founded by Roman Storm, Roman Semenov, and Alexey Pertsev. It was sanctioned by the U.S. Treasury's Office of Foreign Assets Control (OFAC) in August 2022 for allegedly laundering over $7 billion in virtual currency, including hundreds of millions stolen by North Korea's Lazarus Group; the sanctions were later lifted in March 2025 following a Fifth Circuit ruling that immutable smart contracts do not constitute sanctionable 'property' under IEEPA. All three co-founders face or have faced criminal proceedings: Pertsev was convicted in the Netherlands in May 2024 and sentenced to 64 months in prison, Storm was convicted on one of three counts in the U.S. in August 2025, and Semenov remains at large.

Inferno Drainer is a scam-as-a-service (drainer-as-a-service) platform that provided phishing infrastructure and malicious wallet-draining scripts to criminal affiliates in exchange for a percentage of stolen funds. Active from November 2022 through at least early 2025, it is attributed to stealing over $80 million from approximately 137,000 victims during its initial operational phase, with operators claiming a cumulative total exceeding $250 million across all periods including a covert post-shutdown phase. It operates by luring victims to phishing websites impersonating legitimate crypto brands, tricking users into signing malicious transactions that drain wallets across multiple EVM-compatible blockchains.

Velodrome Finance is an automated market maker (AMM) and decentralized exchange (DEX) launched on June 2, 2022, on the Optimism Layer 2 network. It is a fork and improvement of Andre Cronje's Solidly Exchange, implementing a ve(3,3) governance and liquidity incentive model. The protocol has experienced three documented security incidents: an insider theft of $350,000 by a team member in August 2022, a DNS/frontend social-engineering attack in November–December 2023 resulting in approximately $250,000 in user losses, and a second DNS hijacking in November 2025 attributed to a NameSilo registrar insider, resulting in estimated losses of $700,000–$1,000,000. Smart contracts have not been directly exploited; all monetary losses have stemmed from front-end and operational security failures.

Fake Ledger Live apps are malicious wallet impersonation applications distributed through official app stores — including the Microsoft Store and Apple App Store — that harvest cryptocurrency seed phrases to drain victims' wallets. Two major documented incidents have resulted in confirmed losses of at least $10.3 million: approximately $768,000 via the Microsoft Store in November 2023, and approximately $9.5 million via the Apple App Store in April 2026. Parallel macOS malware campaigns distributing trojanized DMG installers have been active since at least August 2024, with four concurrent active campaigns identified by security researchers.

BlackSuit is a ransomware-as-a-service (RaaS) operation that emerged in May 2023 as a rebranding of the Royal ransomware gang, itself a successor to the Conti cybercrime syndicate believed to be operated by Russian-speaking threat actors. The group employed double-extortion tactics across critical infrastructure sectors including healthcare, automotive, education, and government, compromising over 450 U.S. victims and demanding more than $500 million in ransom, primarily in Bitcoin, before international law enforcement dismantled its infrastructure in July 2025 under Operation Checkmate.

Compound Finance is an Ethereum-based decentralized lending protocol founded in 2017 by Robert Leshner and Geoffrey Hayes that allows users to lend and borrow cryptocurrencies algorithmically. The protocol has been subject to multiple significant security and governance incidents, including a 2021 smart contract bug that placed up to ~280,000 COMP tokens (approximately $80–90 million) at risk, a 2024 alleged governance takeover by a whale known as 'Humpy,' and a July 2024 front-end DNS hijacking attack tied to the Squarespace registrar migration. Despite these incidents, the core smart contract protocol has not been exploited; the recurring issues have primarily affected token distribution, governance integrity, and front-end infrastructure.

The Blockchain Bandit is an unidentified threat actor or group that systematically exploited Ethereum wallets holding cryptographically weak private keys between approximately 2015 and 2018, accumulating more than 45,000 ETH (worth over $54 million at peak 2018 valuations) through a technique researchers later termed 'Ethercombing.' The actor compromised 732 private keys across 49,060 transactions, draining wallets in near-real-time using automated blockchain monitoring. Dormant since 2018, the actor re-emerged in January 2023 and again in December 2024, consolidating approximately 51,000 ETH (valued at roughly $172 million) into a single multisig wallet, as tracked by on-chain investigator ZachXBT.

The Democratic People's Republic of Korea (DPRK), operating primarily through state-sponsored hacking units designated as the Lazarus Group, TraderTraitor, and APT38, has stolen an estimated $6.75 billion in cryptocurrency since 2016 across dozens of major exploits. These operations are attributed by the FBI, OFAC, CISA, and allied governments to North Korea's Reconnaissance General Bureau and are conducted to fund the regime's weapons of mass destruction and ballistic missile programs in circumvention of international sanctions. DPRK-linked hackers are responsible for the largest single crypto theft in history — the $1.5 billion Bybit hack in February 2025 — and continue to operate at unprecedented scale and sophistication.

Lazarus Group is a North Korean state-sponsored advanced persistent threat (APT) actor, also tracked as APT38, TraderTraitor, BlueNorOff, Hidden Cobra, and ZINC, operating under the Reconnaissance General Bureau (RGB) of the Korean People's Army. Active since approximately 2009, the group has stolen an estimated $6.75 billion in cryptocurrency through targeted attacks on exchanges, bridges, and blockchain companies, using stolen funds to finance North Korea's weapons programs and circumvent international sanctions. The U.S. Department of Justice has indicted three named members, and OFAC placed the group on the Specially Designated Nationals (SDN) list in April 2022.

Veer Chetal, known online as 'Wiz,' is a 19-year-old from Danbury, Connecticut who pleaded guilty in November 2024 to conspiracy to commit wire fraud and conspiracy to launder monetary instruments in connection with a $243–245 million Bitcoin theft targeting a single Genesis creditor via social engineering. He was identified and exposed by blockchain investigator ZachXBT, who traced stolen funds on-chain and publicly named the perpetrators before law enforcement arrests were made. Chetal was re-arrested in early 2025 after committing additional crypto thefts while released on bond and faces a federal sentencing guideline range of 19–24 years imprisonment.

NFTMachine is the online alias of Tyler Gaye, a Denver, Colorado resident who allegedly orchestrated a presale fraud in early 2021 by raising approximately $500,000 (reportedly 277 ETH from 130+ investors) for a promised NFT marketplace called opeNFT (also stylized ONFT), which was never launched. A Denver District Court judge entered a default judgment of $275,000 against Gaye in November 2022, classifying the conduct as civil theft. On-chain investigator ZachXBT has subsequently alleged Gaye continued launching new crypto projects — including Arcade DAO and Gamegear — under the alias 'scaredofboobs' without satisfying the court-ordered judgment.

Vkevin is a pseudonymous threat actor known for operating fake Safeguard Telegram bot phishing campaigns that have allegedly drained seven figures from victims' cryptocurrency wallets. On January 23, 2025, blockchain investigator ZachXBT published a 31-minute video exposing Vkevin in the act of running these scams from what was described as a New York school, and confirmed the individual had been doxxed. Vkevin is additionally alleged to have conducted a 2022 Discord attack against DigikongNFT using a spoofed MEE6 bot, resulting in over $300,000 in NFT losses.

On November 3, 2024, unidentified scammers compromised the X (Twitter) account of rapper Wiz Khalifa (35.7 million followers) and used it to promote two fraudulent Solana meme coins — $WIZ and $WIZZLE — launched on pump.fun. The $WIZ token reached a peak market cap of approximately $2.5 million within 15 minutes before collapsing over 95% in under one hour, with at least two insider wallets extracting a combined $160,000 in profit. Blockchain investigator ZachXBT linked the incident to a broader campaign of celebrity account takeovers that allegedly stole over $3.5 million in total, and subsequently accused a former professional Fortnite player known as 'Serpent' of involvement in the coordinated scheme.

eXch (exch.cx) was a no-KYC instant cryptocurrency swap service operating from 2014 until its forced shutdown in May 2025. Registered in Belize under the name Private Project Facilitators LTD, the platform processed an estimated $1.9 billion in total volume, deliberately advertising its absence of anti-money laundering controls on criminal underground forums. German federal law enforcement seized approximately $38 million in cryptocurrency assets and 8 terabytes of data from the platform in April 2025, following evidence linking eXch to laundering roughly $200 million of funds stolen in the $1.46 billion Bybit hack carried out by North Korea's Lazarus Group.

WazirX is an Indian cryptocurrency exchange co-founded in 2018 by Nischal Shetty, Sameer Mhatre, and Siddharth Menon that suffered the largest crypto hack in Indian history on July 18, 2024, when approximately $234.9 million in user assets were stolen from a Gnosis Safe multisig wallet via a sophisticated supply-chain-style attack attributed by Elliptic, ZachXBT, and a joint US-Japan-South Korea government statement to North Korea's Lazarus Group. The hack triggered suspension of all withdrawals, a Singapore court-supervised restructuring process in which users are expected to recover approximately 55% of their assets, and ongoing regulatory and law enforcement scrutiny in India.

Glori Finance was an alleged DeFi lending protocol deployed on the Arbitrum network in early 2024, operating as a Compound V2 fork with approximately $1.4 million in total value locked (TVL) at the time of its exposure. On April 14, 2024, blockchain investigator ZachXBT identified that the top GLORI token holders had seeded liquidity using funds stolen from prior scams — specifically the Crolend, Hash DAO, and HellHoundFi frauds — linking Glori Finance to a serial scam ring responsible for over $20 million in cumulative losses. Following ZachXBT's public disclosure, the Glori Finance X account was deactivated and the protocol's website went offline, consistent with an exit scam.

Bitforex was a cryptocurrency exchange founded in 2017, registered in Seychelles and operating under a Hong Kong address, which collapsed in February 2024 after approximately $56.5 million was drained from its hot wallets across Ethereum, Tron, and Bitcoin in a controlled fund extraction widely characterized as an exit scam. The exchange had a documented history of wash trading allegations dating to 2018, a prior unexplained withdrawal freeze in 2022, regulatory warnings from Japan's FSA and Hong Kong's SFC, and operated without a license in the jurisdictions it claimed as home. Following the collapse, team members were allegedly detained by Jiangsu Province police in China, and the exchange briefly reopened for KYC-verified withdrawals in July 2024 before announcing permanent closure.

Aqua (also known as AquaBot) was a Solana-based Telegram trading bot that conducted a presale in September 2025, raising approximately 21,770 SOL ($4.65 million) from retail investors before executing an apparent exit scam. On-chain investigator ZachXBT flagged the project after presale funds were split into four tranches, routed through intermediary wallets, and sent to instant exchanges hours before the scheduled token generation event. The project had secured endorsements from multiple established Solana ecosystem participants — including Meteora, Helius, Dialect, SYMMIO — and had received a near-perfect audit score from QuillAudits just days before the alleged rug pull.

Magnate Finance was a DeFi lending and borrowing protocol deployed on Coinbase's Base Layer 2 network that executed an exit scam on August 25, 2023, stealing approximately $6.4–6.5 million in user funds by manipulating its price oracle. On-chain investigator ZachXBT issued a public warning hours before the rug pull, having traced the deployer address to at least two prior exit scams: Solfire ($4.8M, January 2022) and Kokomo Finance ($5.5M, March 2023), establishing this as the work of a repeat-offender scam ring responsible for over $16.7 million in total losses.

TradeOgre was an unregistered, no-KYC cryptocurrency exchange founded around 2018 and known for listing privacy coins including Monero (XMR) and Pirate Chain. On September 18, 2025, the RCMP executed Canada's largest-ever cryptocurrency seizure, dismantling the platform and seizing over CAD $56 million (approximately USD $40 million) in digital assets. Investigators determined that the majority of funds transacted on the platform came from criminal sources, including ransomware proceeds, darknet market activity, hacking exploits, and fraud schemes.

The 'WallStreetBets' brand has been exploited in at least two distinct crypto fraud incidents: a 2021 Telegram pre-mine scam using a fake 'WallStreetBets – Crypto Pumps' channel that stole over $2.1 million in BNB and ETH, and a 2023 Ethereum meme token (WSB Coin) that surged to a $50 million market cap before insiders allegedly dumped $635,000 worth of tokens within days of launch, collapsing the price by over 90%. Neither token was authorized by Reddit or the r/WallStreetBets subreddit, and ZachXBT publicly identified the alleged perpetrators in the 2023 incident.

JELLY (JellyJelly / JELLYJELLY) is a Solana memecoin launched in January 2025 by Venmo co-founder Iqram Magdon-Ismail that became the center of a major market manipulation incident on Hyperliquid on March 26, 2025. A coordinated trader used a self-liquidation strategy — opening large opposing long and short positions — to force Hyperliquid's HLP liquidity vault to absorb a toxic short, causing up to $13.5 million in unrealized losses before validators emergency-delisted the token and force-settled all positions at a fixed price. The incident triggered widespread criticism of Hyperliquid's decentralization claims and raised systemic questions about perpetuals DEX risk management.

Avalanche C-Chain address 0x327a81d0d128db8886d265be73c9fdda97194f30 was flagged by on-chain investigator ZachXBT in June 2024 as the primary launderer for the BTCTurk exchange hack, having transferred approximately 1.96 million AVAX (valued at ~$54.2 million) to Coinbase, Binance, Gate.io, and THORChain. ZachXBT's timing analysis linked subsequent BTC withdrawals of approximately $45.96 million to the same threat actor, who was also allegedly responsible for a concurrent $2.9 million theft from Sportsbet. The address currently holds negligible funds, consistent with successful laundering of proceeds.

Nobitex is Iran's largest cryptocurrency exchange, founded in 2017, claiming over 11 million users and handling approximately 70% of Iran's on-chain crypto volume. A March 2025 Reuters investigation identified its founders as brothers Ali and Mohammad Kharrazi — members of a family with documented ties to Iran's Supreme Leaders and the founding of the Islamic Revolutionary Guard Corps — who operated the exchange under an alternative surname. Blockchain analytics firms including Elliptic, Chainalysis, and TRM Labs have documented billions of dollars in flows through Nobitex connected to sanctioned Iranian state entities including the Central Bank of Iran and the IRGC, making the platform a critical node in Iran's sanctions evasion infrastructure.

GANA Payment was a BNB Smart Chain payment-focused DeFi project (BEP-20 token) that launched on November 11, 2025 and was exploited nine days later on November 20, 2025, resulting in losses exceeding $3.1 million. On-chain investigator ZachXBT confirmed the attack, which involved a compromised deployer private key combined with abuse of EIP-7702 to drain the project's staking contract; stolen funds were subsequently laundered through Tornado Cash on both BSC and Ethereum. The GANA token lost over 90% of its value within 24 hours of the exploit.

Sportsbet.io is a cryptocurrency gambling and sports betting platform operated by mBet Solutions N.V. under the Yolo Group umbrella, licensed in Curaçao. On June 22, 2024, blockchain investigator ZachXBT publicly identified that the platform's hot wallets were drained of approximately $3.5 million in USDT and TRX, attributing the attack to the same threat actor who hours later stole an estimated $55 million from Turkish exchange BtcTurk, with stolen funds allegedly commingled between both hacks. The platform has drawn ongoing scrutiny for operating in regulatory grey markets, serving users in jurisdictions where it holds no local license, and for systemic user complaints involving account closures and fund seizures following wins. Yolo Group founder Tim Heath confirmed in 2025 that the brand is being wound down in favor of fully regulated markets.

TON (The Open Network) is a layer-1 blockchain originally developed by Telegram, abandoned in 2020 following an SEC enforcement action that compelled a $18.5 million penalty and $1.22 billion investor return, and subsequently revived by an independent TON Foundation. By 2024, rapid ecosystem growth attracted a significant wave of phishing campaigns, wallet drainer toolkits, pyramid schemes, and rug pull activity, with over 1,200 fraud cases reported in H1 2024 alone. In May 2026, Pavel Durov announced Telegram would reassume control as the network's largest validator, reintroducing centralization risk to a network already under scrutiny for facilitating illicit marketplaces.

Wallex is an Iranian cryptocurrency exchange founded in 2018 in Tehran by graduates of Sharif University of Technology, serving approximately 1 million users as of 2022 and operating as a major domestic crypto-to-rial on/off-ramp. On March 25, 2026, blockchain investigator ZachXBT flagged suspicious fund consolidation activity, prompting both Tether (USDT) and Circle (USDC) to simultaneously blacklist Wallex-linked wallet addresses, leaving approximately $2.49 million stranded on-chain. Wallex operates in a jurisdiction under comprehensive U.S. OFAC sanctions, has been linked by Chainalysis to transactions with a U.S.-sanctioned individual, and suffered a confirmed data breach in 2021 that exposed user credentials.

pump.fun (operated by Baton Corporation Ltd., also listed on AVOID.NET as 'pumpdotfun') is a Solana-based meme token launchpad that launched in January 2024 and rapidly became one of the most-used token creation platforms in crypto, generating over $800 million in cumulative revenue and more than 11.9 million tokens. The platform is subject to an active RICO class action lawsuit in the SDNY alleging up to $5.5 billion in retail losses, a UK FCA regulatory ban, a $1.9 million insider flash loan exploit, documented use by North Korea's Lazarus Group for money laundering, and independent research classifying 98.6% of its tokens as rug pulls or fraud.

pump.fun (operated by Baton Corporation Ltd., also listed on AVOID.NET as 'pumpdotfun') is a Solana-based meme token launchpad that launched in January 2024 and rapidly became one of the most-used token creation platforms in crypto, generating over $800 million in cumulative revenue and more than 11.9 million tokens. The platform is subject to an active RICO class action lawsuit in the SDNY alleging up to $5.5 billion in retail losses, a UK FCA regulatory ban, a $1.9 million insider flash loan exploit, documented use by North Korea's Lazarus Group for money laundering, and independent research classifying 98.6% of its tokens as rug pulls or fraud.

Masa (also known as Masa Finance, later rebranded as Gopher) is a Web3 data and identity protocol that launched a soulbound token standard on Ethereum in 2023 before pivoting to a decentralized AI data network. The MASA token, sold via CoinList in March 2024 at $0.079 and hitting an all-time high of approximately $0.4697 on its April 11, 2024 listing date, subsequently collapsed by over 99.9% to trade near $0.00002 by mid-2026. ZachXBT publicly accused the project of concealing a six-figure security exploit in September 2024, which the team later confirmed only after the allegation was made public.

Tapioca DAO is an omnichain DeFi money market built on LayerZero, offering a CDP stablecoin (USDO) and isolated lending markets (Singularity/Big Bang) across Arbitrum and BNB Chain. On October 18, 2024, the protocol suffered a critical security breach when a team member was targeted by a social engineering attack attributed to North Korea's Contagious Interview campaign, resulting in private key compromise, drainage of TAP token vesting contracts, and the minting of 5 quintillion USDO. Approximately $4.4–4.7 million was stolen before a partial counter-exploit recovered roughly 996 ETH (~$2.7 million), leaving the protocol treasury down approximately 45% and the TAP token price collapsed over 95%.

Garden Finance is a cross-chain Bitcoin bridge protocol launched in 2023 by former Ren Protocol developers, using Hash Time Locked Contracts (HTLCs) and an intents-based solver network to enable atomic swaps across Ethereum, Solana, Arbitrum, Base, and other chains. On October 30–31, 2025, one of its largest solver operators was compromised via a leaked private key, resulting in approximately $11.4 million in stolen assets that were subsequently laundered through Tornado Cash. Prior to the exploit, blockchain investigator ZachXBT alleged that over 80% of the protocol's recent fee revenue was derived from laundering funds stolen in the February 2025 Bybit hack, which the Lazarus Group (DPRK) perpetrated for approximately $1.4 billion.

Bitcoin Depot was once the largest Bitcoin ATM operator in North America, operating more than 9,000 kiosks before filing for Chapter 11 bankruptcy on May 18, 2026. The company faces lawsuits from the attorneys general of Iowa and Massachusetts alleging it knowingly facilitated crypto scams, with one state finding that more than 80% of high-value transactions at its kiosks were linked to fraud. Multiple data breaches, a $3.6 million wallet theft, regulatory enforcement in California, and on-chain evidence flagged by ZachXBT further document systemic compliance and security failures.

Noones is a peer-to-peer cryptocurrency trading platform targeting Africa and the Global South, founded and initially led by Ray Youssef, co-founder of the now-defunct Paxful. In January 2025, the platform suffered an $8 million hot-wallet exploit that was concealed for nearly three weeks before on-chain investigator ZachXBT publicly exposed the breach. Compounding platform risk, Youssef was subsequently indicted by the DOJ in early 2026 on federal AML charges stemming from his leadership of Paxful, and stepped down as Noones CEO shortly thereafter.

HyperCycle (HYPC) is an Ethereum ERC-20 token marketed as infrastructure for decentralized AI-to-AI transactions, co-founded by SingularityNET's Ben Goertzel and TODA inventor Toufi Saliba. The token has lost approximately 99% of its value from its all-time high of $1.29, and its smart contract contains a PAUSER_ROLE that allows a designated admin to halt all token transfers at will. No independent smart contract security audit has been publicly submitted, and the tokenomics structure — which allocates 20% to team, advisors, and partners with a relatively short vesting cliff — has been cited by multiple analysts as generating sustained selling pressure that disadvantages retail participants. ZachXBT has broadly flagged AI-narrative token projects as high-risk.

Kroll Restructuring Administration LLC served as the court-appointed claims and noticing agent for the FTX, BlockFi, and Genesis bankruptcy proceedings. On August 19, 2023, a threat actor executed a SIM swap attack against a Kroll employee's T-Mobile account, gaining unauthorized access to files containing the personal data of tens of thousands of crypto bankruptcy claimants. The exposed data was subsequently exploited in large-scale phishing and social engineering campaigns, with blockchain investigator ZachXBT estimating total losses attributable to the breach at eight to nine figures, and at least one alleged perpetrator — Danish Zulfiqar, also known as 'Danny' — was arrested in Dubai in late 2025 on RICO charges related to a broader $263 million social engineering conspiracy.

MEXC is a centralized cryptocurrency exchange founded in 2018, incorporated in Seychelles, that has accumulated a significant regulatory record across multiple jurisdictions including warnings or cease orders from authorities in Hong Kong, Germany, Belgium, Japan, Estonia, and South Korea. The exchange gained widespread notoriety in late 2025 after on-chain investigator ZachXBT amplified user reports of frozen funds, including a high-profile case in which a trader known as 'The White Whale' had approximately $3 million frozen without adequate explanation, eventually prompting a public apology from the exchange's Chief Strategy Officer. MEXC's parent entity MEXC Global Ltd was struck off by the Seychelles registry in August 2023, dissolved in December 2024, and never obtained a license under the Seychelles VASP Act 2024, leaving its current operational and legal standing opaque.

Wasabi Protocol is a decentralized perpetual futures and leveraged trading platform for memecoins and long-tail assets, deployed on Ethereum, Base, Berachain, and Blast. On April 30, 2026, the protocol suffered a critical multi-chain exploit in which a compromised admin deployer key was used to execute malicious UUPS proxy upgrades across core contracts, draining over $5 million in user funds. Security firm BlockSec reported that the attacker's wallets had been funded via Tornado Cash, and on-chain investigator ZachXBT publicly criticized the protocol for single-EOA admin control, absence of a timelock or multisig, and alleged misappropriation of project funds on influencer marketing.

1EU2pMence1UfifCco2UHJCdoqorAtpT7 is a legacy P2PKH Bitcoin address holding approximately 9,999.99 BTC that has never had any outgoing transactions, marking it as a dormant high-value wallet. The address has been publicly circulated in attacker-community repositories as a brute-force cracking target, appearing in GitHub issue lists of 'rich wallet addresses for BTC crack' alongside automated key-collision tools. No verifiable private-key compromise or confirmed theft has been documented as of the investigation date; however, the address's inclusion in brute-force tooling databases and its indexing on privatekeys.pw elevates its risk profile considerably.

KelpDAO (also KernelDAO) is an Ethereum-based liquid restaking protocol that issues rsETH, a yield-bearing token representing restaked positions via EigenLayer. On April 18, 2026, attackers attributed to North Korea's Lazarus Group (TraderTraitor subunit) exploited a single-verifier bridge configuration to mint 116,500 unbacked rsETH tokens worth approximately $292 million, making it the largest single DeFi exploit of 2026. The attack triggered cascading losses across Aave, SparkLend, and Fluid, sparked a $300 million+ industry recovery coalition (DeFi United), a legal dispute over $71 million frozen by Arbitrum's Security Council, and a protracted public blame dispute between KelpDAO and bridge provider LayerZero.

Renzo Protocol is an Ethereum liquid restaking protocol that issues ezETH, serving as an interface to the EigenLayer ecosystem. In April 2024, ezETH suffered a severe depeg event — dropping as low as $700 in under one hour — triggered by an unpopular REZ tokenomics announcement that concentrated approximately 65% of supply with insiders and investors. The event caused over $56 million in DeFi liquidations affecting more than 250 users, and the REZ token has since lost approximately 97% of its all-time high value.

Metawin is an offshore crypto casino and gaming platform licensed under the Anjouan (Comoros) gaming authority, operated by Asobi N.V. from Curacao, and founded by Richard 'Skel' Skelhorn. On November 3, 2024, the platform suffered a significant hot wallet exploit across Ethereum and Solana blockchains resulting in approximately $4 million in stolen funds, with blockchain investigator ZachXBT tracing the stolen assets to KuCoin and a nested HitBTC service across more than 115 attacker-linked addresses. The CEO subsequently claimed to have personally covered the losses, restoring withdrawals for approximately 95% of affected users, though the platform's offshore jurisdictional status and the underlying security vulnerability raise ongoing concerns.

Spartans Bet (spartans.com) is a crypto betting and casino platform launched in 2025, operated by Nexus International Entertainment Ltd, a company registered in Belize and licensed under the disputed Anjouan (Comoros) gaming authority. On-chain investigator ZachXBT alleged in 2025 that the platform's suspected co-founder, Gurhan Kiziloz, is also the hidden operator behind BlockDAG Network, a project ZachXBT claims raised over $300 million from retail investors through deceptive social media advertising and misappropriated presale funds via Middle Eastern OTC channels. Spartans makes prominent 'provably fair' claims that lack independently verifiable third-party audit documentation, and the platform carries a below-average safety index of 6.4/10 from casino.guru, with user complaints citing refused withdrawals and unfair bonus terms.

Renzo Protocol is an EigenLayer liquid restaking protocol that issues ezETH, a liquid restaking token (LRT) representing restaked ETH. In April 2024, ezETH suffered a severe depeg — falling from ~$3,100 to as low as $688 on Uniswap — triggered by a controversial REZ tokenomics announcement that allocated only 5% of tokens to the community airdrop while reserving over 60% for team, investors, and advisors, causing cascading liquidations exceeding $56 million across DeFi platforms. Eight high-severity vulnerabilities were identified in a concurrent Code4rena security audit, and the incident exposed structural risks including withdrawal restrictions that prevented users from redeeming ezETH directly for ETH.

Netmind AI (netmind.ai) is a London-based decentralized GPU compute network that issues the NMT token on both Ethereum (ERC20) and BNB Smart Chain (BEP20) via upgradeable proxy contracts. In March 2024, 440,000 NMT tokens were sold in a sudden dump that caused a 76% price crash — attributed by the team to a compromised early miner wallet, though the mechanism remains disputed. The NMT contract is an upgradeable transparent proxy that grants the owner unilateral ability to disable sells, change fees, mint, or transfer tokens, representing a material centralization and rug-risk vector flagged by security tools and, according to AVOID.NET source tagging, by ZachXBT.

Token 2049 is one of the world's largest crypto conferences, held annually in Singapore and Dubai by Hong Kong-based BOB Group. The event has faced repeated criticism for insufficient sponsor vetting, most notably when OFAC- and UK-sanctioned Russia-linked stablecoin A7A5 was listed as a platinum sponsor and given a speaking slot at the October 2025 Singapore edition. Separately, in March 2025, on-chain investigator ZachXBT publicly flagged multiple Token 2049 sponsors — including DWF Labs, Bitunix, JuCoin, WEEX, and Spacecoin — for fraud, wash trading, and regulatory non-compliance, warning that conference sponsorship carries no implied credibility.

Act I: The AI Prophecy (ACT) is a Solana-based AI-narrative memecoin launched via Pump.fun in October 2024 with no verified product utility. The token reached an all-time high of approximately $0.92 in November 2024 before declining over 98% to roughly $0.013 by mid-2026. It has been subject to a documented co-founder token dump, a suspicious 49% flash crash on Binance in April 2025 attributed to large coordinated sell orders, and broad sector criticism from on-chain investigator ZachXBT who labeled 99% of AI agent tokens as scams.

Mixin Network is a Hong Kong-based cross-chain Layer 2 protocol that suffered one of the largest cryptocurrency hacks of 2023, losing approximately $200 million when its cloud service provider's database was compromised on September 23, 2023. The hack exposed a fundamental contradiction in Mixin's self-described decentralized architecture: the majority of user funds were held in hot wallets backed by a centralized cloud database. As of early 2026, the majority of stolen assets remain unrecovered, with the attacker beginning to launder funds through Tornado Cash.

JRNY Crypto (real name allegedly Tony Spark) is a pseudonymous cryptocurrency and NFT influencer operating since 2017, with over 760,000 followers on X and 590,000 YouTube subscribers at peak activity. ZachXBT flagged the account in November 2024 after approximately $4 million in crypto assets were drained from associated wallets in a suspected private key compromise; JRNY did not publicly acknowledge the incident. Separate community-sourced allegations include undisclosed paid promotions, a paid strategic advisory role at BSC launchpad Seedify that critics allege was not consistently disclosed to audiences, and criticism over the JRNY Club and Planet Xolo NFT projects failing to meet roadmap commitments.

PAAL AI is an Ethereum ERC20 token launched in July 2023, marketed as an AI-powered chatbot and automation ecosystem for crypto communities. In September 2023, blockchain investigator ZachXBT published on-chain evidence and leaked Telegram messages alleging that four prominent crypto influencers — TraderSZ, TraderNJ1, PetaByte, and Trader_XO — received undisclosed token allocations from the PAAL AI team and engaged in a coordinated pump-and-dump scheme, collectively dumping hundreds of thousands of dollars in PAAL tokens on retail buyers. The token subsequently declined approximately 98.7% from its March 2024 all-time high of $0.8653 to below $0.013 by mid-2026, while the PAAL brand has also been exploited by third-party wallet-draining scams impersonating its staking platform.

ANDY is a meme token launched on the Base (Ethereum L2) network in 2024, built around the 'boy's club' internet meme character. Blockchain investigator ZachXBT documented a theft of approximately $2 million in ANDY tokens from a victim's wallet in June 2024, with the perpetrator converting roughly half the stolen funds to Ethereum. CertiK's Skynet platform assigned the token a score of 2.7 out of 100, indicating serious security and governance deficiencies. Allegations that individuals associated with the token conducted SIM-swap attacks targeting Korean-American crypto holders have been attributed to ZachXBT's flagging but remain unconfirmed by independently verifiable Tier 1 or Tier 2 sources.

BtcTurk is Turkey's oldest and largest centralized cryptocurrency exchange, founded in 2013 in Istanbul. The exchange has suffered two major hot wallet breaches in 14 months — approximately $55 million stolen in June 2024 and approximately $48–$49 million in August 2025 — both attributed to private key compromise, establishing a pattern of repeated critical security failures. Despite operating under Turkish regulatory frameworks (CMB and MASAK) and maintaining cold wallet protections, the exchange's inability to prevent a second near-identical attack within a year raises serious concerns about the adequacy of its security controls.

Truflation is a blockchain-based inflation data oracle protocol that provides real-time economic indices to DeFi applications via its Truflation Stream Network (TSN) and TRUF token. In September 2024, the project suffered a confirmed malware attack that compromised private keys across its treasury multisig and personal wallets, resulting in losses estimated between $4.6 million and $5.2 million — predominantly in TRUF tokens, ETH, and DAI. On-chain investigator ZachXBT was among the first to publicly identify and report the incident; the project subsequently initiated a full TRUF token migration as a remediation measure.

SBI Crypto is a cryptocurrency mining subsidiary of Japan's SBI Holdings, operating one of the top Bitcoin mining pools globally and offering related infrastructure services. On September 24, 2025, addresses linked to the company saw approximately $21–24 million in suspicious outflows across five cryptocurrencies; blockchain investigator ZachXBT and security firm Cyvers identified laundering patterns consistent with DPRK-affiliated Lazarus Group operations. SBI Group did not proactively disclose the breach and provided only minimal confirmation after independent researchers surfaced the incident publicly.

Crypto.com is a Singapore-headquartered centralized cryptocurrency exchange founded in 2016 (originally as Monaco) by Kris Marszalek, Bobby Bao, Gary Or, and Rafael Melo. The platform has been subject to multiple serious security incidents, including a confirmed January 2022 hack in which $34 million was stolen via a 2FA bypass and laundered through Tornado Cash, and an alleged 2023 data breach linked to the Scattered Spider hacking group that the company did not publicly disclose to affected users. Blockchain investigator ZachXBT has publicly accused Crypto.com of governance manipulation and tokenomics fraud, citing the March 2025 reissuance of 70 billion CRO tokens that had been permanently burned in 2021, and the company's controversial 2020 forced swap from its original MCO token to CRO at unfavorable rates.

Cardano (ADA) holders face a persistent and multi-vector threat landscape that includes deepfake giveaway scams impersonating founder Charles Hoskinson, social media account hijackings used to promote fraudulent tokens, phishing campaigns distributing credential-stealing malware disguised as wallet software, and NFT-based wallet drainers. The Cardano Foundation's own X account was compromised in December 2024, resulting in the promotion of a fake token and false regulatory claims. State-sponsored actors including the North Korean Lazarus Group have also targeted ADA holders through the Atomic Wallet supply chain attack.

EigenLayer is a legitimate Ethereum restaking protocol operated by Eigen Labs that became a high-value target for phishing campaigns, wallet drainer attacks, and social engineering in 2024 following the launch of its EIGEN token. In October 2024 alone, the protocol's official X account was compromised to promote a fake airdrop resulting in at least $800,000 lost by one victim, and a separate email-based social engineering attack redirected approximately $5.7 million in locked investor tokens to an attacker's wallet. EIGEN holders and restakers face an elevated and persistent threat surface from impersonation sites, fake airdrop claims, and token-approval drainer schemes that exploit the protocol's name and brand recognition.

Serenity Shield is a blockchain-based data storage and crypto inheritance protocol built on BNB Smart Chain, operating a product called StrongBox. On February 27, 2024, a team MetaMask wallet was compromised and 6.9 million SERSH tokens valued at approximately $5.6 million were stolen, causing the token price to collapse by over 95% within 24 hours. On-chain investigator ZachXBT linked the attacker to a serial hacker responsible for multiple private-key compromise incidents across at least six other protocols in late 2023 and early 2024.

Nexera (formerly AllianceBlock) is a blockchain infrastructure protocol focused on compliant real-world asset tokenization, operating primarily on Ethereum. In August 2024, a threat actor later attributed to North Korea's Lazarus Group used social engineering and BeaverTail malware to steal smart contract management credentials, enabling unauthorized transfer of 47.24 million NXRA tokens valued at approximately $1.9 million. The team mitigated further losses by zeroing out and subsequently burning the 32.5 million tokens that remained in the attacker's wallet, limiting confirmed liquidated losses to roughly $449,000.

Trust Wallet is a widely-used non-custodial mobile and browser cryptocurrency wallet, originally acquired by Binance in 2018 and later divested as an independent entity. It has been the subject of multiple documented security incidents spanning 2022–2025, including a critical WebAssembly entropy vulnerability (CVE-2024-23660), a supply-chain compromise of its Chrome extension in December 2025 that resulted in approximately $8.5 million in user losses, and a historical low-entropy key generation flaw exploited in 2023. Blockchain investigator ZachXBT flagged the December 2025 browser extension incident and documented hundreds of victims.

CoinEx is a centralized cryptocurrency exchange that suffered a major hot wallet breach on September 12, 2023, with losses estimated between $54 million and $70 million across multiple blockchains. On-chain investigators ZachXBT and Elliptic attributed the attack to the Lazarus Group (TraderTraitor), a North Korean state-sponsored threat actor, based on wallet address overlap with the contemporaneous Stake.com hack. Stolen proceeds were subsequently laundered in part through the Sinbad Bitcoin mixer, which was sanctioned by the U.S. Treasury's OFAC on November 29, 2023.

Andy Ayrey is a New Zealand-based AI researcher and self-described performance artist who created Truth Terminal, an autonomous AI chatbot that became closely associated with the Goatseus Maximus (GOAT) memecoin, which briefly reached a $900M–$1B market cap in late 2024. Ayrey disclosed holding 1.25 million GOAT tokens gifted to him and pledged not to trade on insider knowledge, later establishing a non-profit foundation (Truth Collective) to manage the AI's holdings. ZachXBT's involvement concerns the October 2024 SIM-swap hack of Ayrey's X account — which third-party hackers exploited to deploy scam memecoins netting over $1.5M — rather than direct fraud allegations against Ayrey himself; however, broader ethical concerns persist around the gray-area ecosystem of AI-agent-driven memecoin promotion that Truth Terminal helped legitimize.

Kiln is an institutional-grade, non-custodial staking infrastructure provider that manages over $14 billion in staked assets across 50+ proof-of-stake networks, including approximately 6% of the entire Ethereum validator set. In September 2025, Kiln suffered a sophisticated supply chain attack in which a threat actor compromised a GitHub access token belonging to a Kiln infrastructure engineer, injected malicious code into the Kiln Connect API, and caused the theft of approximately 192,600 SOL (~$41 million) from enterprise customer SwissBorg. The incident prompted Kiln to exit all 1.6 million ETH worth of its Ethereum validators as a precautionary measure, triggering the longest Ethereum exit queue backlog in the network's history.

Vitalik Buterin is the legitimate co-founder of Ethereum and is not himself a scam actor. However, his name, likeness, and social media presence constitute one of the most heavily weaponized impersonation surfaces in crypto. Documented threats include a September 2023 SIM-swap of his X account (linked to Pink Drainer, resulting in ~$691K stolen from followers), persistent fake giveaway livestreams on YouTube, thousands of fraudulent Instagram accounts, and an escalating campaign of AI-generated deepfake videos distributing wallet-drainer phishing links.

BitoPro is a Taiwanese centralized cryptocurrency exchange operated by BitoGroup, serving over 800,000 users with TWD (New Taiwan Dollar) fiat on/off-ramps. On May 8, 2025, the exchange suffered an approximately $11.5 million hot wallet theft attributed to North Korea's Lazarus Group via a social-engineering and AWS-token-hijacking attack. The exchange did not publicly disclose the breach for approximately 25 days, only confirming the incident after on-chain investigator ZachXBT flagged suspicious outflows on June 2, 2025.

BONAD.fun is a permissionless meme token launchpad operating on the Monad blockchain, positioned as BONK's community-driven expansion from Solana into the EVM ecosystem via Monad. The platform is an independent community project not officially endorsed or vetted by the BONK Foundation, and no public smart contract audit has been documented. The platform shares brand identity and fee-recycling mechanics with Bonk.fun, the Solana-based predecessor that suffered a domain hijacking and wallet-drainer attack in March 2026 — a front-end attack vector that is directly relevant to BONAD.fun's risk surface as a structurally similar deployment.

Thunder Terminal is a Solana-based on-chain trading terminal that suffered a $240,000 exploit on December 27, 2023, when an attacker leveraged compromised MongoDB credentials to steal session tokens and drain 86.5 ETH and 439 SOL from 114 user wallets in under nine minutes. The attacker subsequently routed the stolen ETH through the Railgun privacy protocol and demanded a 50 ETH ransom for deletion of alleged user data, directly contradicting Thunder Terminal's public claim that no user data or private keys were compromised. Thunder Terminal pledged full reimbursement of stolen funds, engaged the FBI, and implemented additional security controls, though no public confirmation of completed reimbursements has been verified.

Sui is a Layer 1 blockchain developed by Mysten Labs, launched in May 2023 and built on the Move programming language. The network suffered one of the largest DeFi exploits of 2025 when Cetus Protocol — its primary DEX — was drained of approximately $223 million in May 2025, triggering a controversial emergency validator vote to freeze and reclaim stolen funds that exposed deep centralization concerns. Separately, ZachXBT investigated a $29 million SUI token theft in late 2024 involving Tornado Cash laundering and subsequently announced in July 2025 that he would no longer take Sui ecosystem cases due to inadequate incident-response infrastructure and lack of support from the ecosystem.

MustStopMurad is the X handle of Murad Mahmudov, a Princeton-educated former Goldman Sachs analyst and co-founder of the now-defunct Adaptive Capital hedge fund, who rose to prominence in 2024 as the primary advocate of the 'memecoin supercycle' thesis following a widely-circulated speech at TOKEN2049 Singapore. On-chain investigator ZachXBT published what he alleged to be 11 wallets linked to Mahmudov in October 2024, holding approximately $24 million in memecoins, raising concerns about undisclosed large holdings in tokens he publicly promotes to hundreds of thousands of followers. No regulatory action has been filed; the core allegations of supply control, potential front-running, and undisclosed conflicts of interest remain contested and unproven in any legal forum.

Rain (rain.com / Rain Financial) is a Bahrain-headquartered cryptocurrency exchange founded in 2017, holding licenses from the Central Bank of Bahrain and the Abu Dhabi Global Market's Financial Services Regulatory Authority. In April 2024, the exchange suffered a confirmed security breach of approximately $14.8 million in BTC, ETH, SOL, and XRP, which went undisclosed for approximately two weeks until blockchain investigator ZachXBT publicly exposed it. Rain subsequently confirmed the incident and stated that all customer funds were covered from company reserves.

CoinDCX is one of India's largest cryptocurrency exchanges, founded in 2018 and valued at $2.45 billion following Coinbase investment. In July 2025, the exchange suffered a $44.2 million security breach attributed by cybersecurity firm Cyvers to North Korea's Lazarus Group, which was first publicly identified by blockchain investigator ZachXBT before official disclosure. While customer funds were not directly affected and the exchange covered losses from treasury, the incident compounded existing concerns including co-founder arrests over alleged fraud in March 2026 and ongoing user withdrawal complaints.

KAITO is the native token of Kaito AI, an AI-powered 'InfoFi' (information finance) platform built on Base blockchain, founded by former Citadel quantitative trader Yu Hu and launched in February 2025. On March 15, 2025, both the official Kaito AI X account and Yu Hu's personal account were compromised by hackers who spread false claims of wallet breaches while simultaneously holding short positions on KAITO, netting an estimated $1 million in profit from the manufactured price panic. The platform faced additional scrutiny from blockchain investigator ZachXBT over alleged AI bot spam incentivized by its Yaps reward system, which was ultimately sunset in January 2026 after X revoked API access to all InfoFi applications.

Across Protocol is a cross-chain bridge protocol built on UMA's optimistic oracle, founded by Hart Lambur and the UMA/Risk Labs team and launched in 2021. In June 2025, pseudonymous investigator Ogle alleged that protocol insiders used undisclosed wallets to push through two governance proposals transferring approximately 150 million ACX tokens ($23 million) from the DAO treasury to Risk Labs, the team's own organization, constituting alleged self-dealing and DAO manipulation. Separate allegations from LayerZero founder Bryan Pellegrino claimed insider trading preceded a surprise Binance listing of ACX in December 2024, with the protocol subsequently proposing in early 2026 to dissolve its DAO entirely and convert to a U.S. C-corporation.

Hypurr NFTs are a 4,600-piece cat-themed NFT collection airdropped by the Hyper Foundation on September 28, 2025, to early Hyperliquid users who participated in the November 2024 Genesis Event. On the day of launch, blockchain investigator ZachXBT flagged the theft of eight Hypurr NFTs from compromised HyperEVM wallets, yielding approximately $400,000 in profit for the attacker. The collection itself is a legitimate product of the Hyper Foundation, but the incident exposed wallet security vulnerabilities in the HyperEVM ecosystem and coincided with a broader pattern of exploits across Hyperliquid-based protocols in late September 2025.

SafePal is a hardware and software cryptocurrency wallet founded in 2018 by Veronica Wong and incubated by Binance Labs, with over 10 million claimed users. The platform has been surrounded by multiple serious security incidents including a malicious Firefox extension that impersonated the wallet for seven months in 2021, a Binance-backed Launchpad token (SFP), hardware vulnerabilities disclosed by Kraken Security Labs, and a $6.5–7 million theft linked to a tampered hardware wallet sold via the Chinese platform Douyin (TikTok China). SafePal itself has not been hacked directly, but its brand has been repeatedly exploited by third-party threat actors, and ZachXBT has documented its wallets appearing in fund-laundering flows.

CoinsPaid is an Estonia-based cryptocurrency payment processor founded by Max Krupyshev that was targeted in two major security breaches: a $37.3 million hack in July 2023 attributed by the company and the FBI to North Korea's Lazarus Group (achieved via a sophisticated social engineering campaign using fake job offers), and a second breach in January 2024 resulting in approximately $7.5 million in losses. Despite the company's stated transparency and rapid operational recovery, the consecutive incidents raise significant concerns about its security posture and its status as a repeated high-value target for state-sponsored threat actors.

Cointelegraph is a major legitimate cryptocurrency news outlet that has been a victim of two distinct infrastructure compromises. In January 2024, attackers breached its email service provider MailerLite and sent phishing emails to subscribers using Angel Drainer malware, resulting in estimated losses of $580,000 to over $700,000 across affected platforms. In June 2025, attackers separately compromised Cointelegraph's banner advertising system to serve Inferno Drainer-linked pop-ups promoting a fake CTG token airdrop to site visitors.

Strike (operated by Zap Solutions, Inc.) is a Bitcoin and Lightning Network payments application founded by Jack Mallers. The platform has faced scrutiny over a 2023 data breach it initially denied, the use of Tether (USDT) as a backing for purported USD cash balances for non-US users, and a 2026 proposed merger with Twenty One Capital (XXI) that raises serious conflict-of-interest concerns given Mallers serves as CEO of both entities.

Coinbase (NASDAQ: COIN) is the largest publicly listed cryptocurrency exchange in the United States, founded in 2012 and regulated across multiple jurisdictions. Despite its regulated status, the platform has been the subject of significant documented concerns: a May 2025 insider-enabled data breach affecting approximately 70,000 users with estimated remediation costs of $180–400 million, ongoing documented losses exceeding $300 million per year from social engineering scams targeting Coinbase users (as reported by blockchain investigator ZachXBT), a $100 million AML compliance settlement with the NYDFS in 2023, and controversies surrounding its Base Layer-2 blockchain including a disputed token launch and a contentious departure from the Optimism OP Stack ecosystem.

Rapper Nelly (Cornell Iral Haynes Jr.) is flagged here not as a perpetrator of crypto fraud, but as a victim of an account compromise. In October 2023, an X (formerly Twitter) account associated with Nelly — handle @NellioETH — was hacked by an unknown third party who then used it to run a social engineering phishing campaign against crypto users. Blockchain investigator ZachXBT first identified and publicized the incident; specific amounts stolen from victims and detailed on-chain forensics have not been publicly confirmed.

Circle Internet Group is the issuer of USDC, the second-largest USD-pegged stablecoin by market capitalization. Circle has faced sustained criticism from blockchain investigator ZachXBT and others for its policy of refusing to freeze USDC linked to hacks or scams without a formal court order or law enforcement mandate, which critics allege has allowed over $420 million in illicit funds to flow freely since 2022. The company went public on the NYSE in June 2025 under the ticker CRCL and received conditional OCC approval for a national trust bank charter in December 2025.

M2 is a UAE-based cryptocurrency exchange licensed by the Abu Dhabi Global Market (ADGM) Financial Services Regulatory Authority, operating as a regulated Multilateral Trading Facility and custodian since late 2023. On October 31, 2024, the exchange suffered a $13.7 million hot wallet breach attributed to an access control vulnerability across the Bitcoin, Ethereum, and Solana networks. M2 subsequently reimbursed all affected customers from its own assets and stated it had engaged law enforcement and regulatory authorities.

No verifiable information about an entity named 'Burgeleth' was found across any indexed web source as of May 2026. Exhaustive searches across news outlets, blockchain explorers, social media platforms, regulatory databases, domain registries, and crypto-specific intelligence sources (ZachXBT, Chainalysis, Scam Sniffer) returned zero results matching this name in a crypto or financial context. The slug may refer to an extremely obscure or newly created entity, an alternate spelling of a different entity, or a name that has not yet generated any publicly indexed presence.

Porkbun LLC is a legitimate ICANN-accredited domain registrar founded circa 2014-2015, headquartered in Sherwood, Oregon, and managing over 3.45 million domains. While the company is not itself a scam operation, it has attracted scrutiny from the crypto security community — including on-chain investigator ZachXBT — for hosting phishing infrastructure linked to Angel Drainer and Inferno Drainer wallet-draining services, including fake Ledger sites. Third-party tracking platforms document hundreds of flagged phishing domains registered through Porkbun and allege that the company's abuse-response enforcement has been inadequate, with a majority of reported domains remaining active after formal abuse reports.

Bittensor is a decentralized blockchain protocol functioning as a peer-to-peer marketplace for machine intelligence, using the TAO token to reward AI model contributors. In July 2024, the protocol was the target of a supply chain attack via a malicious version of its official PyPI package, resulting in the theft of approximately $28 million in TAO tokens from 32 wallets. A civil lawsuit filed in January 2025 alleges that former Opentensor Foundation employees orchestrated the attack, and on-chain investigator ZachXBT identified a key suspect through NFT wash-trade analysis and Railgun de-mixing.

Transak is a fiat-to-crypto on-ramp infrastructure provider founded in 2019 and serving over 8 million users across 160+ countries, with integrations into major platforms including MetaMask, Phantom, and Uniswap. In October 2024, a phishing attack on an employee's laptop led to unauthorized access to a third-party KYC vendor's dashboard, exposing the personal identity documents of approximately 92,554 users globally, including names, dates of birth, government-issued IDs, and selfie photos. The breach resulted in a $601,000 class action settlement covering U.S.-based affected users, and the Stormous ransomware group claimed responsibility, alleging extraction of over 300GB of data.

Pendle is a permissionless yield-trading protocol on Ethereum, launched in 2021 by TN Lee and Vu Nguyen, that allows users to separate and trade the principal and yield components of yield-bearing assets. In September 2024, Penpie — an independent yield optimizer built on top of Pendle — suffered a $27 million reentrancy exploit that was made possible in part by Pendle's permissionless market creation design. Although Pendle's own contracts were not directly exploited, the protocol's architecture contributed to the attack surface, and all 11,261 ETH in stolen funds were subsequently laundered through Tornado Cash.

Trezor is a legitimate Prague-based hardware wallet manufacturer (SatoshiLabs) and one of the oldest in the industry, but it has accumulated a significant threat ecosystem around its brand. A January 2024 breach of its third-party support portal exposed contact data for approximately 66,000 users, which subsequently fueled targeted phishing campaigns delivered via email, physical mail, and fake apps. Trezor hardware devices have also been subject to disclosed physical attack vectors, including an alleged unpatchable flaw in the STM32 microcontroller used in the Trezor T model.

CoinSpot is an Australian cryptocurrency exchange founded in 2013 by Russell Wilson and headquartered in Melbourne. It is registered with AUSTRAC as a Digital Currency Exchange (since May 2018) and holds ISO 27001 certification. On November 8, 2023, the platform suffered a suspected private key compromise resulting in the loss of approximately 1,283 ETH (~$2.4 million USD), with stolen funds bridged to Bitcoin via THORChain and Wan Bridge. No customer funds were reported lost in the incident.

Bybit is a Dubai-headquartered cryptocurrency derivatives and spot exchange founded in 2018 by Ben Zhou, serving over 80 million registered users globally. On February 21, 2025, the exchange suffered the largest cryptocurrency theft in recorded history when North Korean state-sponsored hackers attributed to the Lazarus Group (TraderTraitor) stole approximately $1.46 billion in Ethereum via a supply chain compromise of Safe{Wallet}'s frontend infrastructure. Separately, Bybit accounts have been cited in the ICIJ's 2025 Coin Laundry investigation into crypto exchanges facilitating international criminal money flows.

Ninamo is a purported crypto entity whose name was submitted for investigation on AVOID.NET. Exhaustive searches across regulatory databases, blockchain explorers, crypto news outlets, scam trackers, social media platforms, domain registries, and the Wayback Machine returned no verifiable information about any crypto project, exchange, token, or DeFi protocol operating under the name Ninamo. No wallet addresses, enforcement actions, community reports, or archived web presence could be located.