News linked to this event type.
According to Arkham (@arkham), Avi Eisenberg—a crypto hacker who exploited Mango Finance in 2022 to arbitrage $110 million—recently signed a new on-chain transaction. Eisenberg had previously been arrested and imprisoned for market manipulation, and his post-release on-chain activity has sparked heated discussion within the community.
According to the U.S. Department of Justice, Evan Tangeman, a 22-year-old man from Newport Beach, California, was sentenced on April 24 to 70 months in federal prison followed by three years of supervised release by the U.S. District Court for the District of Columbia. Tangeman participated in an interstate social engineering crime ring that laundered at least $3.5 million. The criminal group operated since October 2023, stealing over $263 million in cryptocurrency through hacking and social engineering tactics. Its members were predominantly minors or unemployed youths under age 20, and the group originated on online gaming platforms. Tangeman was responsible for converting stolen cryptocurrency into fiat currency and leasing luxury mansions for group members in cities including Los Angeles and Miami; he personally received high-end vehicles—including a Bentley and a Lamborghini—as compensation. After the scheme unraveled, Tangeman instructed his co-conspirators to destroy digital devices to obstruct the investigation. The case was jointly investigated by the FBI’s Washington, Los Angeles, and Miami field offices, along with the IRS Criminal Investigation Division. To date, nine defendants have pleaded guilty.
According to on-chain analyst Yujin (@EmberCN), the hacker who stole approximately $98 million worth of assets from Balancer last November has been continuously swapping ETH for BTC via THORChain. To date, the hacker has swapped a total of 14,300 ETH for 419.3 BTC (approximately $32.51 million). The hacker currently holds 7,700 ETH on the Ethereum chain and 419.3 BTC on the Bitcoin chain, with a combined value of approximately $50.4 million. Since the price of ETH has fallen significantly from around $3,600 at the time of the theft, the value of the hacker’s holdings has shrunk by nearly half—from the original $98 million.
According to Onchain Lens monitoring, the Balancer attacker (0xa6d6...BDaA) exchanged 13,191 ETH for 386.52 BTC, worth $30.54 million, over the past 15 hours. The attacker currently still holds 8,000 ETH, valued at $18.52 million.
According to an official announcement, OpenAI has launched a biotechnology security vulnerability bounty program for GPT-5.5 and is now accepting applications. This program aims to strengthen the safety of its advanced AI capabilities in the biotechnology domain by inviting researchers with experience in AI red-teaming, security, or biosecurity to attempt identifying general jailbreak methods that can bypass its five biotechnology safety challenges.
According to on-chain analyst Yujin (@EmberCN), the hacker who stole approximately $98 million in assets from Balancer last November is today exchanging ETH for BTC via THORChain. So far, 7,000 ETH have been swapped for 204.7 BTC—valued at roughly $15.88 million—and the process continues. Additionally, it has been disclosed that this address currently holds 15,000 ETH on Ethereum, valued at approximately $34.65 million, and 204.7 BTC on Bitcoin.
According to a research report released by cybersecurity firm Expel, the company is tracking an advanced persistent threat (APT) group dubbed “HexagonalRodent,” which is highly assessed to be a North Korean (DPRK) state-sponsored actor. This group primarily targets Web3 developers and specializes in stealing high-value digital assets—including cryptocurrencies and NFTs. In the first quarter of 2026 alone, the group compromised 2,726 developer devices and stole access credentials for 26,584 cryptocurrency wallets, with the total value of stolen assets reaching as high as $12 million. The group primarily carries out its attacks via fake job postings—publishing lucrative positions on LinkedIn and Web3 recruitment platforms to lure job seekers into completing “skills assessments” embedded with malicious code. These assessments exploit VSCode’s tasks.json functionality to automatically execute malware when victims open the project folder. The malware used includes BeaverTail, OtterCookie, and InvisibleFerret, all of which possess capabilities such as password theft, remote control, and reverse shell execution. Notably, the group extensively leverages generative AI tools—including ChatGPT and Cursor—to develop malware, build counterfeit corporate websites, and generate AI-forged executive teams. It even registered a shell company in Mexico to enhance the credibility of its operations. Additionally, the group recently carried out its first-ever supply-chain attack, successfully infiltrating a VSCode extension.
Kelp DAO released a community update on X, noting that the recent rsETH security incident has remained tense over the past several days. However, with support from partners and the broader community, discussions are progressing in a positive direction, and efforts to identify an appropriate resolution are being accelerated. The guiding principles have already been reflected in initial actions, and subsequent updates will continue along this path, aiming for a win-win outcome for all stakeholders. Over the past four days, the Kelp team has engaged in in-depth communication with partners and other relevant parties. Specific progress includes: the Arbitrum Security Council has taken measures to freeze the stolen funds, and the SEAL 911 emergency response team has swiftly stepped in to conduct preliminary investigations, providing a clear and objective analytical perspective on the incident. While some developments have not yet been fully disclosed, related work continues to advance steadily. Kelp DAO stated that its current priority is safeguarding user assets and strengthening the protocol itself. This incident is also viewed as a critical test—not only for the project but for the broader DeFi ecosystem—and key follow-up developments will continue to be shared via official channels.
According to on-chain analyst Ai Aunt (@ai_9684xtpa), the address 0xb5E…Fc24e deposited a total of 1.397 million UNI tokens—worth approximately $4.6 million—into three exchanges two hours ago. Notably, the Bybit deposit address has had multiple interactions with the DeFi crypto fund DeFiance Capital, which is an investor in both Aave and LayerZero—two entities closely linked to the recent Kelp DAO hack incident.
SlowMist CISO 23pds (@im23pds) disclosed that the Bitwarden CLI version 2026.4.0 was subjected to a Checkmarx supply-chain attack between 17:57 and 19:30 ET on April 22. During this window, attackers abused a GitHub Action within Bitwarden’s CI/CD pipeline to briefly distribute a malicious package via npm. The official statement confirmed that Vault data was not compromised and production systems remained unaffected; only users who installed this specific version via npm during the aforementioned time window were impacted. Affected users are advised to immediately uninstall version 2026.4.0, clear their npm cache, rotate sensitive credentials—including API tokens and SSH keys—investigate anomalous activity in GitHub and CI environments, and upgrade to the patched version 2026.4.1.
According to on-chain analyst Onchain Lens (@OnchainLens), the Balancer hacker’s address has reactivated after five months of dormancy, transferring 100 ETH (approximately $233,000) to a new wallet and beginning fund transfers via ThorChain. The hacker currently still holds 21,900 ETH, valued at approximately $51.13 million.
According to information on the governance forum page, Mantle plans to provide Aave with a loan of 30,000 ETH to help it address the non-performing loan risk triggered by the recent attack. According to analyst Yujin’s statistics, confirmed rescue funds now cover a shortfall of approximately 43,500 ETH.
According to Onchain Lens monitoring, the Balancer attacker, dormant for five months, has transferred 100 ETH (approximately $233,000) to a new address and begun transferring funds through Tornado Cash.The attacker currently still holds 21,900 ETH, valued at approximately $51.13 million.
According to The Block, JPMorgan analysts noted in their latest report that ongoing DeFi security vulnerabilities and stagnant growth in total value locked (TVL) continue to constrain institutional enthusiasm for the DeFi sector. Recently, Kelp DAO’s cross-chain bridge suffered a major attack, during which the attacker minted $292 million worth of uncollateralized rsETH tokens and borrowed real ETH on Aave, resulting in approximately $230 million in bad debt. This caused DeFi TVL to evaporate by roughly $20 billion within several days. LayerZero and blockchain security researchers have attributed this attack to the North Korean hacker group Lazarus Group; some of the stolen funds have been frozen, while the rest remain in circulation. Analysts also pointed out that DeFi TVL denominated in ETH has remained range-bound for an extended period, raising market concerns about whether DeFi can achieve organic growth sufficient to support institutional adoption. Furthermore, following each security incident, users tend to shift funds into USDT as a safe-haven asset—yet this trend has not yet significantly driven USDT’s market capitalization growth.
According to information from the governance forum, Bybit’s public chain Mantle plans to lend 30,000 ETH to Aave to address the bad debt risks arising from recent security incidents.According to statistics from crypto analyst Ember (@EmberCN), the confirmed scale of bailout funds is estimated to cover a shortfall of approximately 43,500 ETH.
According to on-chain analyst Ember (@EmberCN), the rsETH incident on April 18 resulted in a funding shortfall of approximately 68,900 ETH (around $160 million): the hacker collateralized rsETH to borrow 99,600 ETH; after Arbitrum recovered 30,700 ETH, the remaining funds were fully converted by the hacker into BTC. The incident has now entered the remediation phase. Aave is coordinating the establishment of a “DeFi United” relief fund, which has so far received cumulative donations totaling 13,500 ETH (approximately $31.45 million). Donors include Lido Finance (2,500 stETH), ether.fi Foundation (5,000 ETH), Aave founder Stani Kulechov (5,000 ETH), Golem Foundation (1,000 ETH), as well as LayerZero and Ink Foundation (amounts undisclosed).
the Lido team has initiated a proposal, planning to allocate up to 2,500 stETH (approximately $5.8 million) from the DAO to cover the rsETH asset shortfall resulting from the recent attack on Kelp DAO.Lido noted that the LayerZero-based exploit has led to insufficient rsETH reserves, triggering a chain reaction across the DeFi ecosystem, including rising interest rate pressure, tightening lending markets, and certain leveraged strategies facing passive liquidation risks.The proposal emphasizes that these funds will only be used as part of a complete recovery solution, provided that the overall shortfall can be fully addressed.Previously, the approximately $292 million attack on Kelp DAO had already impacted Aave, leading to bad debt issues, and its total value locked (TVL) once declined by nearly $8 billion.
Aave released the latest update on the rsETH security incident on the X platform, announcing that it has paused rsETH reserve-related operations on the Ethereum mainnet as well as networks including Arbitrum, Base, Mantle, and Linea. This measure is intended to prevent excess aETHrsETH from being withdrawn, thereby pushing positions close to the 95% liquidation threshold. This action aims to preserve as much capital as possible and reduce systemic risk while the asset recovery plan is underway. Aave stated that further progress and resolution plans will be continuously disclosed to the community.
Aave announced the latest developments regarding the rsETH security incident on X, stating that rsETH-related reserve operations have been suspended on Ethereum Mainnet and on networks including Arbitrum, Base, Mantle, and Linea. This measure aims to preserve as much capital as possible and mitigate systemic risk while the asset recovery plan is underway. Aave stated that it will continue to disclose subsequent updates and resolution plans to the community.
Lido has released an update regarding the Kelp security incident, stating that its Earn-series vaults are working with the management team to address the issue, focusing on two key risk areas: rsETH exposure and tightening liquidity in lending markets. Lido emphasizes that its core staking protocol remains unaffected, and both stETH and wstETH remain secure and stable. Currently, only the EarnETH vault holds approximately 9% of its TVL in rsETH exposure; related deposits and withdrawals have been suspended by the management team pending resolution. Of the ~$70 million in ETH stolen in the earlier attack, roughly $70 million has already been recovered; asset recovery and loss allocation efforts are ongoing. To mitigate liquidity pressure, the management team has reduced leverage and optimized position structures, significantly decreasing wETH debt exposure. Should losses ultimately materialize, EarnETH will activate its $3 million “first-loss protection mechanism,” funded by the DAO. Other vaults remain unaffected: DVV and EarnUSD are operating normally. The GGV sub-vault is currently experiencing negative yields due to a combination of recursive staking strategies and rising borrowing rates, but active adjustments are underway. Users’ previously submitted withdrawal requests will be processed at pre-incident valuations.