GetChain News

Security/Hacker

News linked to this event type.

StablR stablecoin depegs after attack, attacker nets approximately $2.8 million

Stablecoin issuer StablR suffered a sustained attack, causing its euro stablecoin EURR and dollar stablecoin USDR to depeg. Blockchain security firm Blockaid stated that the attacker allegedly gained control by obtaining the private key of one of the owners of the minting multi-signature account. Exploiting the 1/3 signature threshold mechanism, the attacker replaced other administrators and minted an additional 8.35 million USDR and 4.5 million EURR. Subsequently, the attacker swapped tokens worth approximately $10.4 million for about 1,115 ETH on a DEX, yielding an actual profit of around $2.8 million. Following the incident, EURR fell to around $0.88, while USDR dropped to approximately $0.7. Blockaid noted that the incident was not caused by a smart contract vulnerability but rather by a failure in key management and governance mechanisms. (Cointelegraph)

Five people in the UK sentenced for “wrench attacks” against cryptocurrency holders, victims forced to transfer crypto assets

UK police announced that five individuals have been sentenced in a “wrench attack” case targeting cryptocurrency holders. The suspects met the victim at a Shoreditch pub in London in July 2025 and forcibly took him to his home, where they used violence and threats—including coercing facial recognition verification—to compel him to access his bank and cryptocurrency accounts, stealing over £10,000 in cash, cryptocurrency, and watches. During the investigation, cryptocurrency exchange Coinbase reported suspicious activity on the victim’s account to the police, who subsequently identified and arrested the suspects. The court sentenced four principal offenders to prison terms ranging from three-and-a-half to six-and-a-half years, while a fifth individual received a community service order for money laundering. Police stated that the incident inflicted long-term psychological trauma on the victim and his family, highlighting the rising risk of offline violent crime targeting cryptocurrency asset holders.

MARA spent $4.3 million on CEO security last fiscal year amid rising cryptocurrency-related physical attacks

According to Cointelegraph, Bitcoin mining company MARA Holdings spent $4.3 million on CEO Fred Thiel’s personal security in 2025, including $430,780 for vehicle armor, as well as residential and personal security expenses. Filings show related spending for 2024 totaled $191,040. In the same year, MARA also spent $3.9 million on CFO Salman Khan’s personal security. The report notes that personal safety costs for companies are rising amid an increase in “wrench attacks” targeting cryptocurrency executives and investors.

Polymarket: ZachXBT Reports Security Incident Related to Internal Operational Wallet Private Key Leakage; User Funds and Market Settlement Secure

Polymarket staff member Shantikiran Chanal posted on platform X, stating that they have taken note of the security reports related to reward distribution, and that user funds and market settlements remain safe. The investigation indicates that a private key leak occurred in a wallet used for internal operations, and the issue is not related to contracts or core infrastructure. Further updates will be provided. Previous report: ZachXBT stated that the Polymarket UMA CTF Adapter contract allegedly came under attack on Polygon, with over $520,000 having been drained.

ZachXBT: Polymarket’s UMA CTF Adapter contract allegedly attacked, over $520,000 stolen

According to on-chain investigator ZachXBT, Polymarket’s UMA CTF adapter on the Polygon network appears to have been attacked, resulting in losses exceeding $520,000 so far.

THORChain Releases Security Incident Update: Losses to Be Absorbed Through Protocol-Owned Liquidity, Attacker Node Fully Slashed

THORChain has released its fourth update regarding the Asgard vault intrusion incident, publishing the ADR028 proposal and opening voting for node operators. The proposal indicates that the protocol will first absorb losses through its Protocol-Owned Liquidity (POL), with the remaining portion to be borne by synthetic asset holders. The exact proportion is still under evaluation. The POL will be reduced to zero as a result, and the proposal suggests allocating a portion of system revenue over time to gradually replenish it. This plan does not involve minting new RUNE, selling RUNE, or diluting holder equity. On the technical side, the GG20 version will be temporarily retained with a patch upgrade. Trading will resume after the vulnerability is fixed and a successful node rotation is completed. A slower, more security-focused release cadence is planned for the future. Regarding the slashing mechanism, unrelated nodes sharing the same vault as the attacker will be protected, while the attacker's node will be fully slashed. The recovered RUNE will be paired with recoverable assets from the affected vault, and any excess RUNE will be burned. Additionally, THORChain has offered a white-hat bounty to the attacker to recover funds. If a portion of the funds is recovered, the recovery plan will be adjusted proportionally. THORChain emphasizes its commitment to remaining neutral and permissionless, stating it will not censor the attacker's swap transactions after trading resumes. Currently, node operators are voting on the overall direction and principles of the proposal. The specific figures in the ADR are indicative and will be adjusted later via the Mimir mechanism. The goal is to restart the network as soon as possible. A "yes" vote means developers can proceed further along this path.

Bankr: Expects to Restore Full Functionality by Next Week, Trading Features Remain Suspended

Bankr posted on platform X, stating that the team is currently working with external partners such as zeroShadow to continue the investigation and restoration efforts. It is expected that full functionality will be restored by next week after completing additional security reviews and monitoring measures. Bankr stated that in the short term, it may gradually restore token issuance and some "read-only" features, allowing users to view account information such as balances. However, wallet transaction functions, including swap and transfer, will remain suspended during the review period. Previously, Bankr disclosed that an attacker had gained access to 14 Bankr wallets. The platform subsequently suspended related functions and promised full compensation for user losses.

PeckShield: The VerusCoin cross-chain bridge attacker has returned 4,052.4 ETH to the project team’s address.

According to on-chain analyst PeckShield (@PeckShieldAlert), the VerusCoin cross-chain bridge attacker has returned 4,052.4 ETH (approximately $8.5 million) to the project team’s address (0xF9AB...C1A74), representing 75% of the total stolen amount. The remaining 25% (1,350 ETH, approximately $2.8 million) is retained in the attacker’s wallet as a white-hat bounty.

Bithumb Suspends Virtual Asset Deposit and Withdrawal Transactions Related to Heleket

According to an official announcement, South Korean cryptocurrency exchange Bithumb has announced the immediate suspension of all virtual asset deposits and withdrawals related to the overseas payment platform Heleket, effective May 21, 2026. The announcement states that Heleket is suspected of involvement in illegal activities such as money laundering and terrorist financing. Bithumb stated that this measure is taken to comply with relevant regulations, including the Act on Reporting and Using Specified Financial Transaction Information and the Virtual Asset User Protection Act, and to safeguard users’ assets. Bithumb also warned that using unverified overseas services may expose users to risks such as hacking attacks and disruptions to deposit and withdrawal services.

A whale suffered an alleged personal intimidation attack, resulting in losses of $6.7 million

According to monitoring by Specter Analyst, a high-net-worth investor holding significant assets on Kraken and Coinbase exchanges fell victim to an alleged personal intimidation attack, resulting in total losses of approximately $6.7 million across various assets. The attacker withdrew 1,554 ETH (approximately $3.3 million) and 10.5 BTC from the user's Kraken account. Simultaneously, the attacker also breached the user's Coinbase defenses, withdrawing 34.1 cbBTC. Subsequently, the attacker directly deposited over $5.3 million of the stolen funds into the privacy protocol Tornado Cash to obfuscate the transaction trail. (financefeeds)

Syndicate Labs Decides to Shut Down Due to Severe Market Contraction

Syndicate Labs stated that after five years of developing on-chain infrastructure for customizable Ethereum Rollups and sequencers, the company has decided to shut down due to a drastic contraction in the Rollup market. Syndicate Labs previously completed a $20 million Series A funding round led by Andreessen Horowitz in 2021. This decision caused the SYND token price to drop 21% in the past three hours, hitting an all-time low of $0.012, a 99.5% decline from its peak of $2.61 in September 2025. Additionally, Syndicate Labs stated that the Syndicate Network Collective operates independently of Syndicate Labs, so the governance of the SYND token will not be immediately affected. The decision to shut down was not influenced by the previous hacking incident involving bridged assets.

Transit attacker has deposited 832.9 ETH into Tornado Cash, worth approximately $1.8 million

According to CertiK monitoring, the attacker of cross-chain aggregation protocol Transit Finance has deposited 832.9 ETH into Tornado Cash, valued at approximately $1.8 million.

Syndicate Development Company to Gradually Cease Operations, SYND Governance Unaffected in Short Term

Syndicate, a DAO infrastructure service provider, has announced it will gradually cease operations. It stated that after five years of continuously building on-chain developer infrastructure, the Rollup market has undergone fundamental changes. Currently, the Rollup market has significantly shrunk, some Rollup projects are gradually shutting down, and the market has shifted from EVM Rollups to custom chains built from scratch by consulting teams, leading to a notable decline in reusable technology and network value. Syndicate stated that its system consists of two parts: Syndicate Labs, responsible for development, will be closed, while the independent entity Syndicate Network Collective (Wyoming DUNA), which holds SYND tokens and has governance rights, will continue to exist. SYND governance will not be affected in the short term. Furthermore, Syndicate emphasized that this decision to cease operations is unrelated to recent cross-chain security incidents. Affected users and SYND holders have been fully compensated through the treasury reserves, and team and investor tokens are currently still in a lock-up period.

PeckShield: RetoSwap was hacked via a vulnerability in the Haveno trading protocol, resulting in the theft of 7,000 XMR.

According to on-chain analyst PeckShield (@PeckShieldAlert), RetoSwap—a peer-to-peer, decentralized exchange for Monero (XMR)—was exploited by hackers leveraging a vulnerability in the Haveno trading protocol, resulting in the theft of users’ funds totaling 7,000 XMR (approximately $2.7 million). Following the incident, the RetoSwap team responded swiftly, blacklisting the attacker’s onion address at 02:33 UTC and pausing all platform trading by enforcing an upgrade to client version 2.0.0. The attack has now been contained.

Trump insists on diplomatic solution to Iran issue, Netanyahu strongly opposes

According to the Wall Street Journal, US President Donald Trump had a tense and heated phone call with Israeli Prime Minister Benjamin Netanyahu on Tuesday evening. According to sources, Netanyahu strongly criticized the agreement aimed at ending the war with Iran during the call, while Trump defended the diplomatic process. Israel has long been skeptical about whether Iran will adhere to any agreement to dismantle its nuclear program and halt attacks on regional countries. According to insiders, Netanyahu reiterated these positions to Trump during calls on both last Sunday and Tuesday. However, Trump was not convinced. He told Netanyahu that he would continue to push for an agreement to prevent Iran from acquiring nuclear weapons. Trump also stated that if Iran fails to show greater flexibility in negotiations, it may face a new round of strikes. (Golden Ten)

Sentient officially launches the latest season of its hackathon, Challenge 0

Sentient has officially launched the latest season of its hackathon, Challenge 0. This event offers a $6,000 prize pool and MiniMax points.

Drift Protocol: Insurance Fund Unaffected by Attack; Users Can Withdraw Staked Shares After Recovery

Drift Protocol stated on X platform that after the protocol resumes operation, users who have staked in the Insurance Fund will be able to withdraw their corresponding shares normally. The Insurance Fund is designed to maintain the protocol's solvency during liquidation or bankruptcy scenarios. Since the protocol was paused before losses were realized through normal liquidation or bankruptcy processes, the Insurance Fund was not affected by the relevant vulnerability or attack. Drift Protocol added that the protocol's own Insurance Fund assets will be used to support system restart and user recovery, and it plans to disclose the relevant on-chain addresses to allow the community to track fund usage and subsequent deployment.

LayerZero Releases KelpDAO Attack Report: North Korean Hackers Suspected of Involvement, Security Policies to Be Adjusted

LayerZero Labs has released a recent incident report stating that on April 18, 2026, the KelpDAO rsETH cross-chain bridge, built on its cross-chain communication protocol, suffered an attack resulting in the theft of approximately 116,500 rsETH (around $292 million). Multiple security organizations, including Mandiant, CrowdStrike, and independent researchers, have attributed this attack to the North Korea-linked hacker group TraderTraitor (UNC4899). According to the report, the attack began on March 6, 2026. The attackers compromised a LayerZero developer account through social engineering, obtained session keys, and penetrated the RPC cloud environment. They further contaminated internal RPC node data and manipulated the returned results to deceive monitoring systems and the Decentralized Verification Network (DVN). Subsequently, the attackers launched a denial-of-service attack against external RPC providers, forcing the verification system to rely on the compromised nodes to generate forged cross-chain proofs, thereby successfully extracting the funds. LayerZero pointed out that the core vulnerability of this incident lay in the affected application adopting a "single-verifier" configuration. This allowed the target contract to execute asset releases upon receiving only a single valid signature, leading to the theft of rsETH. Following the incident, LayerZero Labs announced an adjustment to security policies. This includes no longer allowing its own DVN to act as the sole signer in a single-verifier configuration, rebuilding the affected cloud infrastructure, and introducing short-term credentials, instant permission upgrades, and multi-party approval mechanisms to enhance security. Additionally, zeroShadow and law enforcement agencies have initiated investigations and asset tracing.
LayerZero stated it will continue to collaborate with ecosystem partners to strengthen the cross-chain security framework to address increasingly sophisticated nation-state attack threats.

GitHub Updates Security Incident Investigation: Employee Compromised by Malicious VS Code Plugin, Approximately 3,800 Internal Repositories Stolen

GitHub posted on X platform, sharing more investigation details regarding the unauthorized access incident to its internal repositories. Yesterday, GitHub detected and contained an attack on an employee's device involving a malicious VS Code plugin. GitHub has removed the malicious plugin version, isolated the endpoint, and immediately initiated an incident response. Current assessment indicates that this activity only involved the theft of GitHub's internal repositories. The attackers' claim of approximately 3,800 repositories aligns with GitHub's investigation direction so far. GitHub has taken swift action to mitigate risks, rotating critical keys yesterday and overnight, and prioritizing the most impactful credentials. GitHub will continue analyzing logs, verifying key rotations, and monitoring subsequent activities. A more comprehensive report will be released upon completion of the investigation.

Bankr Platform Suffers Attack on 14 Wallets, Approximately $385,000 Stolen

According to an announcement by Bankr’s official X account (@bankrbot), on May 20, 2026, Bankr—a blockchain-based financial infrastructure platform—confirmed it had suffered a cyberattack. A total of 14 user wallets were compromised. The platform has urgently suspended its trading functionality and pledged to fully compensate all losses. Blockchain analyst @99barzzz tracked the incident, revealing that the losses amounted to approximately $385,000. The hacker’s EVM-compatible address has been identified.