The hacks are part of a spate of exploits targeting legacy smart contracts belonging to projects including Raydium and DxSale. Although some projects have developed techniques to circumvent the immutable nature of blockchains and allow smart contracts to be upgraded or retired, many legacy contracts cannot be changed or shut down, leaving them vulnerable to attack indefinitely.
Aztec Connect hacked for a second time in less than a week
Pudgy Penguins shuts down Pudgy Party NFT game after losing millions in less than ten months
Although Pudgy Penguins CEO Lucas Netz boasted on Twitter in December about "1M+ downloads today. 10M+ downloads soon", he later admitted interest in the game had quickly died off. In a community call to announce the game's shutdown, Netz acknowledged that within months of the launch, there were only 200–300 active players. The project had lost the company millions of dollars, he confessed.
Deprecated project Aztec Connect exploited for $2.1 million
The theft is only the latest in a string of attacks targeting vulnerable legacy smart contracts, many of which cannot be deleted, paused, or changed due to blockchains' immutable nature. Raydium and DxSale are two other platforms that have recently suffered losses due to old, insecure code.
Raydium users lose $1.34 million after legacy smart contract exploited
Raydium has said it will compensate users who lost funds in the exploit.
Humanity Protocol loses $36 million to employee laptop compromise
With the keys, the attacker stole more than 6 million of Humanity's H token, then used other keys to upgrade a bridge and drain 141 million more tokens. With the bridge access, they also minted 300 million new H tokens. The attacker then quickly swapped the ill-gotten tokens for ETH, causing the H price to plummet by 80–90%.
Humanity Protocol markets itself as a competitor to Sam Altman's World (formerly Worldcoin), a decentralized identity project that aims to use iris scans to prove that users are unique humans. Humanity raised $20 million in 2025 from Pantera Capital and Jump Crypto.
Thief steals remaining 7,200 unsold The Kiss NFTs in digital museum heist
Only about a quarter of them ever sold, leaving about 7,200 of them on the digital shelves. That is, until they were stolen (or, as the museum put it, "transferred from the wallet without authorization"). If valued at their sale price, the stolen NFTs would be worth €13.32 million (US$15.3 million), though it's hard to argue the thief could've ever sold them for that amount given the museum had failed to do so for several years.
The stolen NFTs were soon made even less appealing to prospective buyers when the museum un-linked the image files from the digital assets, and OpenSea blocked them from trading.
- Hacker stahl dem Belvedere 7200 NFT-Zertifikate von Klimts "Kuss", Der Standard (in German) [archive]
Gravity Bridge drained of $5.4 million
DxSale exploited for $7.3 million
SquidRouterModule, unrelated to Squid Router, exploited for $3.2 million
The name led to some confusion due to the similarly named Squid Router, which is not related. It's not clear if the users who installed the module were aware that the two projects were separate.
Polymarket loses $700,000 to private key compromise
RetoSwap users lose $2.7 million to Haveno vulnerability
Because Monero is a privacycoin, a type of cryptocurrency that obscures transaction details including sender and receiver wallets, it is not feasible to trace the stolen assets.
Largest North American bitcoin ATM operator, Bitcoin Depot, files for bankruptcy
The company's bankruptcy filing reports between $10 million and $50 million in both assets and liabilities. In a recent financial disclosure, the company had reported a 49% year-over-year reduction in revenue and a net loss of $9.5 million for the year. The company had also suffered a $3.67 million hack in April.
Bitcoin Depot has blamed a challenging state-level regulatory environment for its bankruptcy, pointing to a series of regulatory restrictions and outright bans on crypto ATMs, which are a major conduit for crypto scams. An FBI report on Internet crime in 2024 showed 11,000 reports of fraud involving crypto ATMs – a 99% increase from the prior year. Almost $250 million was reported lost due to such scams, with a majority of it coming from victims over 60 years old. Several states have responded by introducing laws imposing strict compliance requirements or transaction limits on ATM operators, and Indiana and Tennessee have both recently banned the kiosks entirely. Additionally, the company is defending against lawsuits from both Massachusetts and Iowa, which argue that the company uses a misleading pricing structure, knowingly enables crypto scams, and maintains a predatory refund policy.
- "Bitcoin Depot Initiates Voluntary Chapter 11 Process to Facilitate an Orderly Wind-Down and Sale of the Company’s Assets", Bitcoin Depot press release [archive]
- Issue 92, Citation Needed [archive]
- Issue 105, Citation Needed [archive]
- Chapter 11 Voluntary Petition
Verus bridge hacked for $11.6 million
Verus halted the entire Verus network after the exploit was detected in hopes of limiting further damage.
The exploiter later accepted a bounty offer by Verus, returning 4,052 ETH (~$8.5 million) while keeping the remaining ~25% as a "bounty".
THORchain exploited for $10.8 million
Transit Finance hacked for $1.88 million
Transit was previously exploited in 2022 for $21 million, although around 70% of the stolen assets were later returned.
TAC bridge exploited for $2.8 million
The project has announced they intend to "restor[e] bridge liquidity through a legally structured sale of Foundation's TAC token treasury reserves."
TrustedVolumes suffers $6.7 million exploit
Blockchain research firm Blockaid has linked the attacker to a similar exploit in March 2025 that saw $5 million drained from 1inch. This time, 1inch has asserted that although they use TrustedVolumes as a resolver, the exploit did not involve any of their systems.
Ekubo exploited for $1.4 million
Wasabi Protocol exploited for more than $5 million
Polish Zondacrypto exchange stops processing withdrawals amid possible insolvency
Polish authorities have launched investigations into the apparent collapse. Losses have been estimated at 350 million zł (~$96 million).
Poland's Prime Minister Donald Tusk has also recently accused Zondacrypto of sponsoring conservative and right-wing politicians, including Polish President Karol Nawrocki. Nawrocki has repeatedly vetoed legislation aiming to regulate the crypto sector, describing it as overly burdensome to crypto businesses. Tusk has also alleged that Zondacrypto was funded by the Russian mafia and Russian intelligence services. These allegations are also being investigated by Polish authorities, and one report citing the country's Internal Security Agency claims that the Kremlin-linked Tambovskaya Bratva Russian mafia group took over the exchange as far back as 2018.
- "UOKiK zbada sprawę Zondacrypto. 'Znacznie poważniejsze nieprawidłowości'", Money.pl (in Polish) [archive]
- "Polish leader Tusk claims Russia-linked crypto firm backed Nawrocki’s presidential bid", AP News [archive]
- "Powerful Russian mafia 'took control' of crisis-hit Polish firm Zondacrypto", TVP World [archive]
Volo Protocol exploited for $3.5 million, most recovered
Volo says they have frozen or recovered all but around $60,000. They have also said they are "prepared to absorb this loss", rather than passing losses along to their users.
Aave faces approximately $200 million in bad debt after Kelp DAO bridge exploit
Aave maintains a $50 million insurance fund to absorb bad debt. However, this can't cover such a huge shortfall.
RaveDAO accused of pump-and-dump as token crashes 98%
RaveDAO describes itself as a "community-driven global rave powerhouse", and sells NFT tickets to rave events.
RaveDAO has denied any responsibility for the recent price movements, but did not address allegations of enormous token concentration with the project's team or large transfers to exchanges around the time of the price jump.
Kelp DAO bridge hacked for $292 million
When tokens are bridged from one chain to another, the tokens on the original chain are locked in the bridge smart contract while the token is used on the other chain, preventing its owner from double-spending the asset. With 116,500 locked rsETH now stolen, those using the token on other blockchains are now holding possibly unbacked tokens.
The rush for holders to offload their dubiously backed tokens is likely to worsen contagion throughout defi protocols, where those platforms could be left holding the bag. Some platforms, including Aave, Lido Finance, and Ethena, have paused markets involving rsETH to try to protect themselves.
This hack has set the new record for the largest defi hack in 2026, following the $285 million Drift exploit on April 1.
Rhea Finance exploited for $18.4 million, some recovered
Some of the stolen tokens were returned by the attacker to the protocol, and around $4.35 million USDT were frozen by its issuer, Tether. Altogether, around $10 million was recovered, leaving $8.4 million outstanding.
- RHEA Finance Protocol Incident, Rhea Finance
Russian Grinex exchange halts trading after $13 million+ exploit
According to blockchain intelligence firms TRM Labs and Chainalysis, Grinex is a rebranded version of the Garantex cryptocurrency exchange that was shut down and sanctioned in March 2025. Two of its operators were subsequently criminally charged in the US.
CoW Swap users lose estimated $1.2 million after DNS hijacking
- "POST MORTEM: Cow.fi Domain Hijack", CoW DAO
Users lose $9.5 million to fake Ledger wallet app on the Apple App Store
One victim, a musician who goes by G. Love, wrote: "I lost my retirement fund in a hack/Scam when I switched my Ledger over to my new computer and by accident downloaded a malicious ledger app from the Apple store. All my BTC gone in an instant." According to him, he lost 5.9 BTC (~$445,000).
Crypto sleuth zachxbt traced some of the stolen funds through Kucoin, a Chinese cryptocurrency exchange that was recently fined and forced to exit US markets over licensing and anti-money laundering failures. "The three largest victims lost seven figures each," he wrote.
Apple removed the malicious app from their App Store on April 13, six days after it had been added.