This is the second time such an attack has happened to these same platforms, with another DNS hijacking incident occurring almost exactly two years ago. In that instance, users lost around $100,000 when submitting transactions via the scam websites.
Aerodrome and Velodrome suffer website takeovers, again
Attackers redirected users intending to visit the websites for the decentralized exchanges Aerodrome and Velodrome to their own fraudulent versions using DNS hijacking, after taking control of the websites' domains. The platforms urged users not to visit the websites as they worked to regain control.
Cardano founder calls the FBI on a user who says his AI mistake caused a chainsplit
On November 21, the Cardano blockchain suffered a major chainsplit after someone created a transaction that exploited an old bug in Cardano node software, causing the chain to split. The person who submitted the transaction fessed up on Twitter, writing, "It started off as a 'let's see if I can reproduce the bad transaction' personal challenge and then I was dumb enough to rely on AI's instructions on how to block all traffic in/out of my Linux server without properly testing it on testnet first, and then watched in horror as the last block time on explorers froze."
Charles Hoskinson, the founder of Cardano, responded with a tweet boasting about how quickly the chain recovered from the catastrophic split, then accused the person of acting maliciously. "It was absolutely personal", Hoskinson wrote, adding that the person's public version of events was merely him "trying to walk it back because he knows the FBI is already involved". Hoskinson added, "There was a premeditated attack from a disgruntled [single pool operator] who spent months in the Fake Fred discord actively looking at ways to harm the brand and reputation of IOG. He targeted my personal pool and it resulted in disruption of the entire cardano network."
Hoskinson's decision to involve the FBI horrified some onlookers, including one other engineer at the company who publicly quit after the incident. They wrote, "I've fucked up pen testing in a major way once. I've seen my colleagues do the same. I didn't realize there was a risk of getting raided by the authorities because of that + saying mean things on the Internet."
GANA Payment hacked for $3.1 million
An attacker stole approximately $3.1 million from the BNB chain-based GANA Payment project. The thief laundered about $1 million of the stolen funds through Tornado Cash shortly after. The attacker was able transfer ownership of the GANA contract to themselves, possibly after a private key leak.
The theft was first observed by crypto sleuth zachxbt. Not long after, the project acknowledged on its Twitter account that "GANA's interaction contract has been targeted by an external attack, resulting in unauthorized asset theft."
Crypto tracking platform DappRadar shuts down, citing financial woes
Amid a month of falling crypto prices, the crypto tracking platform DappRadar has announced it will be shutting down after seven years of operation. "Running a platform of this scale became financially unsustainable in the current environment," the company announced on Twitter.
The company had previously raised several rounds of financing, with a $2.3 million seed round in 2019 and a $5 million Series A in 2021.
Cardano holder loses $6 million to slippage
A holder of around 14.4 million ADA (~$6.9 million), the token for the Cardano network, made an expensive error when attempting to swap the tokens for a stablecoin. Because the stablecoin they were looking to buy is lightly used and has only around $10.6 million tokens in circulation, an attempt to purchase millions of the tokens on the market caused the dollar-pegged stablecoin's price to spike to around $1.26. The resulting slippage meant that the trader spent their roughly $6.9 million in tokens to receive a little less than $850,000 in the USDA stablecoin, meaning the trader essentially threw away $6 million.
Observers have questioned what happened. It's possible that the holder, who had not been active on-chain since 2020, was simply unaware of the slippage risk. It's also possible that it was a "fat-finger" trade — that the trader accidentally selected the wrong stablecoin from a list of similarly named options, some of which could have more easily absorbed a trade of that size.
Elixir shuts down deUSD after Stream Finance halt
After the defi yield platform Stream Finance announced a $93 million loss, Elixir announced it would be discontinuing its deUSD synthetic stablecoin. Stream Finance owes $68 million to Elixir, and holds around $75 million deUSD.
Elixir has announced that they plan to allow deUSD holders to redeem their tokens for USDC through a process that will also eliminate the risk of Stream Finance cashing out their deUSD without repaying their loan. According to Elixir, "Stream comprised of 99%+ of the lending positions (and has decided to not repay or close positions)".
Moonwell accrues almost $3.7 million of bad debt after oracle malfunction
The Moonwell lending protocol, built on the Base Ethereum L2, wound up with $3.7 million in bad debt after an attacker took advantage of an oracle malfunction that caused the price of wrsETH to be massively inflated. The Chainlink oracle used by the project erroneously reported that a single wrsETH token (Kelp DAO's wrapped restaked ETH) was priced at around 1.65 million ETH (~$5.8 billion). Within 30 seconds of the oracle reporting bad data, an attacker took advantage of the error to borrow huge amounts of tokens, which they then swapped to other tokens to cash out.
Ultimately the attacker profited around 295 ETH (~$1 million), but the protocol was saddled with significantly more bad debt that the team will now have to grapple with.
- wrsETH Oracle Malfunction 11/4/25, Moonwell forum
- Tweet by CertiK Alert [archive]
Stream Finance halts activity after $93 million loss
The Stream Finance defi yield project announced that "an external fund manager overseeing Stream funds disclosed the loss of approximately $93 million in Stream fund assets." Stream announced that they were in the process of withdrawing remaining liquid assets, and had halted all deposits or withdrawals. They also announced they had retained a law firm to investigate the "incident".
The project didn't disclose who the fund manager was, or the circumstances in which the "loss" occurred.
The Staked Stream USD token depegged on November 3, and crashed further following the announcement.
Balancer exploited for at least $110 million
The defi protocol Balancer suffered a major exploit that drained over $110 million across several blockchains, including Ethereum, Polygon, Base, and Sonic. Attackers exploited faulty access control in the
manageUserBalance function of Balancer's v2 smart contract, enabling unauthorized internal withdrawals. The stolen tokens included 6,850 osETH, 6,590 wETH, and 4,260 wstETH, later consolidated into new wallets likely for laundering.The exploit also impacted forked protocols like Beets Finance, which lost around $3 million. Balancer's BAL token dropped over 10% following the theft.
This was Balancer's third major security incident since 2020, despite prior audits by OpenZeppelin and Trail of Bits.
Garden hacked for $11 million
The Garden bitcoin bridge suffered a roughly $11 million loss after one of its solvers was compromised. These solvers essentially act as market makers for the protocol. Some blockchain sleuths have questioned whether the affected solver, which Garden described as a separate entity, may actually be operated by the same team as Garden.
There wasn't much sympathy to be had for Garden after this exploit. The protocol had recently announced hitting a milestone of bridging more than $2 billion in assets, but the celebration was criticized after zachxbt pointed out that a substantial portion of the bridged funds were proceeds of crimes being laundered to evade detection and recovery.
Cryptomus fined $127 million for compliance failures
The Canadian cryptocurrency exchange Cryptomus has been fined CA$177 million (US$127 million) by the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) for failing to report more than 1,000 suspicious transactions linked to darknet markets, distribution of child sex abuse material, fraud, ransomware, and sanctions evasion. It additionally failed to report more than 7,500 transactions originating from Iran, and more than 1,500 high-value transactions.
Cryptomus was temporarily banned from trading in British Columbia in May. The CA$177 million fine smashes Canada's previous record for the largest penalty they've ever imposed. That honor previously went to KuCoin, another crypto exchange fined CA$20 million (US$14.3 million) in September.
Fortress Trust is insolvent
Nevada's Financial Institutions Division has issued a cease and desist order against Fortress Trust, stating that the firm is "on the verge of insolvency". The company admits it "failed to safeguard assets under its custody and is unable to meet all customer withdrawals". The company has only around $1.3 million in actual assets in custody, while it owes customers around $12.3 million.
In 2023, Fortress experienced a $15 million theft. Though the company originally announced it would be acquired by Ripple, which had agreed to cover the shortfall, the deal eventually fell through. It's not clear how — or if — the funds were ever restored.
Fortress's insolvency has strong parallels to that of Prime Trust, another trust company that shares a founder in Scott Purcell. NFID issued a cease and desist to Prime Trust in June 2023 after finding the company was insolvent; in bankruptcy proceedings, that company later blamed much of the insolvency on losing access to a hardware wallet that held customer assets.
- Order to cease and desist from violations of NRS 669, State of Nevada Department of Business and Industry Financial Institutions Division.
Paxos accidentally mints more than twice the global GDP in PayPal stablecoins
Paxos, the issuer of PayPal's PYUSD stablecoin, accidentally minted 300 trillion of the supposedly dollar-pegged token. For context, this is approximately 2.5x the global GDP, and around 125x the total number of US dollars actually in circulation.
Paxos later announced that the mint was an "internal technical error", and that they had burned the excess tokens.
While PayPal promises its customers that "Reserves are held 100% in US dollar deposits, US treasuries and cash equivalents – meaning that customer funds are available for 1:1 redemption with Paxos," there clearly isn't much in the way of safeguards to ensure that is always the case. As with most stablecoin issuers, Paxos merely issues self-reported and unreviewed portfolio reports, and monthly third-party attestations (not audits) of reserves.
Hyperliquid user loses $21 million to private key leak
An attacker apparently obtained access to a victim's private key, enabling them to drain $21 million in various crypto assets. The attacker quickly bridged the stolen funds to ETH, then bounced through various addresses in hopes of disguising their origin and making the funds more challenging to recover.
Some originally feared that the theft was enabled by an exploit on Hyperliquid itself, shortly after another Hyperliquid-based project was compromised, but the theft appears to have been a key leak rather than an exploit on the protocol.
Abracadabra loses more "Magic Internet Money" to third hack in two years
In their third major hack in two years, the Abracadabra defi lending project lost $1.8 million of their Magic Internet Money stablecoin. An attacker took advantage of a bug in the project smart contracts to borrow more than their provided collateral would normally allow. The attack was funded via Tornado Cash, and the exploiter then swapped the stolen tokens for ETH and laundered them back through Tornado.
The project disclosed the theft, describing the exploit as affecting "some deprecated contracts". They downplayed the theft, saying they'd bought back the stolen assets using treasury funds.
Abracadabra previously suffered a $13 million theft in March 2025, and a $6.5 million theft in January 2024.
Futureverse announces restructuring two years after raising $54 million
In 2023, there was no shortage of buzzy press coverage for Futureverse, which promised to build a metaverse and gaming-focused blockchain. They partnered with Ready Player One author Ernest Cline to build the "Readyverse". They partnered with the estate of Muhammad Ali to build an "AI-powered" boxing game (with NFTs!) They partnered with Rebook to build a "virtual sneaker design experience", where customers could design sneakers to equip to their Fortnite or Roblox characters. That year, the company had raised $54 million in a Series A round led by 10T Holdings and Ripple Labs. They made even more money from token sales to retail investors.
As recently as this year, Futureverse was earning spots on "most innovative company" lists. In April, they announced they'd be acquiring Candy Digital, an NFT company created by Mike Novogratz, Gary Vaynerchuk, and others (which itself had raised a $100 million series A in 2021, and another funding round in 2023). "NFTs will be back in a big way one of these days", wrote Axios, covering the sale in April 2025.
But now, Futureverse has announced they've "made the difficult decision to begin a restructuring of the business". Focusing only on the AI portion of their business, and conspicuously omitting any mention of blockchains, NFTs, or metaverses, the company says they "recognize that adjustments are needed to ensure the long-term sustainability of our vision."
Futureverse locked comments on the post, likely to try to dodge angry community members who accused the company of stealing from them or rug-pulling.
Hyperdrive lending protocol exploited for $782,000
Exploiters drained $782,000 in crypto assets from two markets on the Hyperdrive lending protocol, which is built on the Hyperliquid layer-1 blockchain. The attacker apparently took advantage of a security flaw in one of the project's smart contracts to drain the funds.
Hyperdrive paused all markets while investigating the vulnerability, and patched the bug. They also compensated those who had lost money in the exploit.
Hypervault rug pulls for $3.6 million
Only days after the Hypervault yield farming platform announced on Twitter that they'd surpassed $5 million in total value locked, the platform suddenly shut down its website and social media accounts. Simultaneously, the crypto security firm PeckShield observed an "abnormal withdrawal" of a large quantity of various crypto assets priced at around $3.6 million, which were swapped to 752 ETH (~$3.1 million) and laundered through Tornado Cash.
The project had attracted customers by advertising yields of 76–95%.
SBI Crypto likely suffers $21 million theft
Crypto sleuth zachxbt observed $21 million in "suspicious outflows" from SBI Crypto, a crypto mining subsidiary of the Japanese SBI Group. The money was quickly laundered through instant exchanges and Tornado Cash, in ways zachxbt observed were similar to tactics of North Korean crypto thieves.
SBI Crypto has not made any public statements addressing the apparent theft.