
Reviewing 20 Hacking Incidents: Why Does the Crypto Industry Keep Getting Hacked?

Analyzing 20 cryptocurrency theft cases, dissecting the two attack paths exploited by hackers, and explaining why a vulnerability in one protocol can harm the entire ecosystem.
Author: Changan | Biteye Content Team
In April 2026, Kelp DAO suffered a $292 million hack: attackers borrowed real assets from Aave using uncollateralized tokens, generating over $200 million in bad debt within 46 minutes.
This is just one of many hacks this year—Drift lost $285 million, Step Finance around $30 million, and Resolv Labs approximately $23 million. Hack after hack keeps hitting the industry before it can even react—by the time one project is compromised, another has already fallen.
Are there patterns behind these incidents? How exactly do hackers attack protocols?
This article analyzes 20 of the most representative hacks—both historical and recent—to uncover answers.

Based on our analysis of these 20 cases, three clear patterns emerge:
- Technical vulnerability exploits dominate in number—but account for relatively limited losses per incident. In contrast, permission-based and social engineering attacks, though fewer in count, contribute the vast majority of total losses.
- The scale of permission-based attacks continues to escalate. Among the 20 cases, the four largest losses were all attributed to North Korean hackers.
- The battlefield for technical vulnerabilities is shifting—and cross-chain bridges have never been secure.
I. Top 10 Hacked Projects by Loss Amount
1. Project Name: Bybit (Loss: $1.5B | Date: February 2025)
Cause of breach:
The North Korean hacker group Lazarus Group (high-confidence attribution by the FBI and ZachXBT, codenamed “TraderTraitor”) breached Safe Wallet’s multisig mechanism via frontend UI hijacking + multisig fraud.
Attackers injected malicious JavaScript code into the Safe Wallet frontend. When multisig signers (six in total) executed routine cold wallet transfers, the UI displayed legitimate recipient addresses and amounts—but underlying Call Data was tampered with, redirecting 401,000 ETH to the attacker’s address. Under this “what you see is not what you get” deception, three of six signers approved the transaction, causing instant fund loss.
Root issue: Multisig relies on human–machine interaction layers; lack of independent frontend verification undermined mathematical security. Tether froze related USDT within hours, while Circle delayed USDC freezing by 24 hours—exacerbating losses. This incident exposed the fatal threat of social engineering + UI attacks against centralized exchanges and spurred initiatives like Safenet, a transaction-verification network.
This incident closely mirrors Drift Protocol’s (April 2026, $285M): targeted social engineering to build trust, followed by UI/signature fraud—marking a strategic shift by hackers from smart contract vulnerabilities toward “human–machine weaknesses.”
In response, Bybit swiftly covered all losses using its own capital, ensuring zero user loss; the platform remains stable today.
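The control this case lacked is an independent check of the raw calldata against what the signing UI shows. The following is an added example, not Safe's or Bybit's code: it decodes a plain ERC-20 transfer(address,uint256) call (0xa9059cbb is the real selector) and reports every mismatch with the recipient and amount the UI claims; the addresses and amounts are constructed samples.

```python
# Added example, not from the article or from Safe/Bybit: an out-of-band check a
# signer can run on a separate machine before approving a multisig transaction.
# It decodes the raw calldata and compares it with what the signing UI displayed.
# The selector is the real ERC-20 transfer(address,uint256) selector; the
# addresses and amounts below are constructed sample values.

TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")  # keccak256("transfer(address,uint256)")[:4]


def decode_erc20_transfer(calldata: bytes):
    """Return (recipient, amount) for well-formed transfer(address,uint256) calldata, else None."""
    if len(calldata) != 4 + 32 + 32 or calldata[:4] != TRANSFER_SELECTOR:
        return None
    addr_word = calldata[4:36]
    # The ABI left-pads a 20-byte address with 12 zero bytes; anything else is malformed.
    if any(addr_word[:12]):
        return None
    recipient = "0x" + addr_word[12:].hex()
    amount = int.from_bytes(calldata[36:68], "big")
    return recipient, amount


def verify_against_ui(calldata: bytes, ui_recipient: str, ui_amount: int) -> list:
    """Return the discrepancies between the calldata and the UI; an empty list means they agree."""
    decoded = decode_erc20_transfer(calldata)
    if decoded is None:
        return ["calldata is not a plain ERC-20 transfer(address,uint256); do not sign"]
    recipient, amount = decoded
    problems = []
    if recipient.lower() != ui_recipient.lower():
        problems.append(f"recipient mismatch: calldata {recipient}, UI {ui_recipient}")
    if amount != ui_amount:
        problems.append(f"amount mismatch: calldata {amount}, UI {ui_amount}")
    return problems


def encode_erc20_transfer(recipient: str, amount: int) -> bytes:
    """Build transfer(address,uint256) calldata; used here only to construct samples."""
    return TRANSFER_SELECTOR + bytes.fromhex(recipient[2:]).rjust(32, b"\x00") + amount.to_bytes(32, "big")


# Constructed sample: the UI shows a routine transfer to the treasury address,
# but the calldata actually sends the same amount to a different address.
TREASURY = "0x" + "11" * 20      # placeholder, not a real address
OTHER_ADDR = "0x" + "22" * 20    # placeholder, not a real address
HONEST_CALLDATA = encode_erc20_transfer(TREASURY, 1_000 * 10**18)
TAMPERED_CALLDATA = encode_erc20_transfer(OTHER_ADDR, 1_000 * 10**18)

if __name__ == "__main__":
    print("honest:", verify_against_ui(HONEST_CALLDATA, TREASURY, 1_000 * 10**18))
    print("tampered:", verify_against_ui(TAMPERED_CALLDATA, TREASURY, 1_000 * 10**18))
```

The same comparison belongs on the hardware wallet screen or a second machine, never in the browser that produced the calldata.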
2. Project Name: Ronin Network (Loss: $624M | Date: March 2022)
Cause of breach: The Lazarus Group used social engineering and backdoor access to fully compromise validator node private keys.
Attackers infiltrated Sky Mavis’s internal systems and exploited a backdoor in a gas-free RPC node to gain control of five of nine validator nodes—including four operated by Sky Mavis and one by Axie DAO. They then forged two withdrawal transactions, illicitly extracting 173,600 ETH and 25.5 million USDC.
The root cause lies in the cross-chain bridge’s design: excessive concentration of validation authority among few nodes. With only five out of nine signatures required to approve actions, the threshold became effectively meaningless under targeted social engineering.
3. Project Name: Poly Network (Loss: $611M | Date: August 2021)
Cause of breach: Poly Network’s core vulnerability stemmed from flawed permission management in its cross-chain contracts.
Attackers exploited the relationship between two high-privilege contracts—EthCrossChainManager and EthCrossChainData—to forge an executable function call. Since EthCrossChainManager held authority to modify Keeper public keys—and since the _method parameter used during invocation was user-controllable—the attacker achieved a hash collision to successfully invoke putCurEpochConPubKeyBytes, a function normally restricted to privileged users.
This allowed the attacker to replace the legitimate manager’s public key with their own, gaining full control over cross-chain assets and withdrawing funds across multiple chains.
4. Project Name: Wormhole (Loss: $326M | Date: February 2022)
Cause of breach: Normally, when transferring assets across chains, the system must first verify that assets have indeed been deposited and that associated signatures are valid—only then does the destination chain mint corresponding assets.
Wormhole’s flaw lay precisely in this “signature verification” step. Its code used an outdated and insecure function to check transaction validity—a function originally meant to confirm whether signature verification had truly occurred. However, its logic was insufficiently rigorous, creating an exploitable gap.
Attackers leveraged this flaw to fabricate seemingly “verified” data, tricking the system into treating fraudulent cross-chain operations as legitimate. In essence, the system should have first confirmed “has the money actually been locked up?” But because verification was bypassed, it blindly accepted the attacker’s fake proof.
As a result, attackers minted large quantities of wETH without depositing any real collateral. These assets were then further transferred and swapped, ultimately costing Wormhole ~$326 million.
5. Project Name: Drift Protocol (Loss: $285M | Date: April 2026)
Cause of breach: A DPRK-linked hacker organization conducted a six-month targeted infiltration, culminating in an attack exploiting Solana’s Durable Nonce pre-sign scam.
Beginning in autumn 2025, attackers posed as a quantitative trading firm, building offline trust with Drift contributors at multiple international crypto conferences—and invested over $1 million into the Ecosystem Vault to establish credibility. Once trusted, they induced members of the Security Council to pre-sign seemingly harmless transactions: leveraging Solana’s Durable Nonce mechanism, they embedded governance transfer instructions inside them. Concurrently, Drift had just migrated to zero-latency multisig—eliminating any window for post-execution detection or intervention.
After seizing protocol governance, attackers registered a fake token CVT with only hundreds of dollars in real liquidity, manufactured artificial price signals via wash trading, then deposited 500 million CVT as collateral to borrow $285 million in USDC, SOL, and ETH. The entire execution phase lasted just 12 minutes.
Drift’s official team and SEAL 911 security analysts attributed this attack to the DPRK-linked organization with “medium-to-high confidence.” The perpetrators were not North Korean nationals but third-party intermediaries controlled by the group who carried out the physical interactions.
6. Project Name: WazirX (Loss: $235M | Date: July 2024)
Cause of breach: The core of this attack involved progressive compromise of a multisig wallet—culminating in its replacement with a malicious contract.
Attackers first obtained partial signer privileges (via phishing, direct compromise, or induced signing). Building on that, they misled other signers through spoofed interfaces, causing them to unknowingly approve malicious transactions.
Once enough signatures were collected, attackers did not immediately withdraw assets. Instead, they exploited the multisig wallet’s upgradability feature, executing a contract upgrade to replace the original implementation contract with their deployed malicious one.
Once set as the new execution logic, all subsequent transactions were redirected to the attacker’s address. Ultimately, full control over the multisig wallet was seized, and on-chain assets were gradually drained.
7. Project Name: Cetus (Loss: $223M | Date: May 2025)
Cause of breach: This attack originated from an arithmetic overflow vulnerability in the protocol’s liquidity calculation.
Specifically, Cetus’s math functions handling large numbers contained boundary-check flaws. When a value hit a critical threshold, the system failed to correctly detect the impending overflow and continued computing—causing results to explode abnormally.
Attackers built an operation sequence around this: first triggering extreme price conditions via large trades, then creating liquidity positions within specific ranges using minimal (dust-level) asset inputs. Under these conditions, the overflow was triggered—causing the system to calculate liquidity shares vastly exceeding actual contributions.
Attackers then removed liquidity using these inflated shares, extracting far more assets from the pool than they deposited. This process could be repeated, continuously draining pool funds and resulting in massive losses.
8. Project Name: Gala Games (Loss: $216M | Date: May 2024)
Cause of breach: The core issue was compromise of a high-privilege minting account’s private key, leading to broken access control.
Gala’s contracts imposed permission restrictions on minting—but one privileged minter account’s private key was stolen. Though long inactive, this account retained full high-privilege rights.
After gaining control, attackers directly invoked the contract’s mint function to create ~5 billion GALA tokens and transfer them to their personal address. They then sold these tokens in batches on the market to realize profits.
No smart contract vulnerability was exploited—only legitimate permissions were abused maliciously.
9. Project Name: Mixin Network (Loss: $200M | Date: September 2023)
Cause of breach: The core issue was storing private keys in a centrally managed cloud database.
Mixin Network claimed to be maintained by 35 mainnet nodes supporting cross-chain transfers across 48 public chains—but its hot wallets and numerous deposit addresses’ private keys were stored “recoverably” in a third-party cloud service provider’s database. On the early morning of September 23, 2023, attackers breached that database and extracted keys en masse.
With those keys, attackers needed no contract logic exploitation—just legitimate signing to initiate transfers. On-chain records show they drained addresses in descending order of balance, executing over 10,000 transactions over several hours—primarily withdrawing ~$95.3 million in ETH, $23.7 million in BTC, and $23.6 million in USDT (which was quickly swapped to DAI to evade freezing).
10. Project Name: Euler Finance (Loss: $197M | Date: March 2023)
Cause of breach: The core issue was inconsistent internal accounting of assets versus liabilities—amplified via flash loans.
Specifically, Euler’s DonateToReserve function, when executed, destroyed only eTokens representing collateral—but failed to destroy corresponding dTokens representing debt—breaking the alignment between “collateral” and “liability” in the system.
Under such conditions, the protocol incorrectly interpreted reduced collateral and altered debt structures, producing anomalous asset states.
Attackers constructed a full operation sequence around this: first borrowing large sums via flash loans, then repeatedly depositing and borrowing within the protocol to manipulate eToken/dToken ratios. Leveraging this logic flaw, the system generated erroneous asset/liability states—granting borrowing capacity far exceeding actual collateralization.
With abnormally inflated borrowing power, attackers withdrew funds in batches across multiple assets (DAI, USDC, stETH, wBTC), completing everything in single transactions and amplifying gains across repeated operations—ultimately causing ~$197 million in losses.
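To show the broken invariant concretely, here is an added example in Python, not Euler's code: a simplified eToken/dToken ledger in which donating collateral to reserves burns eTokens but leaves debt in place, in a weak variant that never re-checks account health and a hardened variant that reverts. Balances, the collateral factor and the account names are constructed.

```python
# Added example, not Euler's code: a simplified eToken/dToken ledger. Donating
# collateral to reserves burns eTokens but leaves dTokens (debt) in place; the
# weak variant never re-checks the account's health afterwards, the hardened
# variant reverts if the donation would leave the account under-collateralised.
# Balances, factors and names are constructed sample values.
COLLATERAL_FACTOR_BPS = 7_500  # 75% of collateral value counts toward borrowing


class Account:
    def __init__(self):
        self.e_tokens = 0  # collateral receipt tokens
        self.d_tokens = 0  # debt tokens


class LendingPool:
    def __init__(self, check_health_after_donate):
        self.check_health_after_donate = check_health_after_donate
        self.accounts = {}
        self.reserves = 0

    def account(self, who):
        return self.accounts.setdefault(who, Account())

    def is_healthy(self, who):
        a = self.account(who)
        return a.e_tokens * COLLATERAL_FACTOR_BPS // 10_000 >= a.d_tokens

    def deposit(self, who, amount):
        self.account(who).e_tokens += amount

    def borrow(self, who, amount):
        a = self.account(who)
        a.d_tokens += amount
        if not self.is_healthy(who):
            a.d_tokens -= amount
            raise ValueError("borrow would leave the account unhealthy")

    def donate_to_reserves(self, who, amount):
        a = self.account(who)
        if a.e_tokens < amount:
            raise ValueError("not enough eTokens")
        a.e_tokens -= amount        # collateral burned ...
        self.reserves += amount     # ... and moved to reserves
        # ... but d_tokens are untouched, so debt may now exceed collateral.
        if self.check_health_after_donate and not self.is_healthy(who):
            a.e_tokens += amount
            self.reserves -= amount
            raise ValueError("donation would leave the account unhealthy")


def run_scenario(check_health_after_donate):
    """Deposit, borrow to the limit, then donate half of the collateral.
    Returns a summary of the account after the donation attempt."""
    pool = LendingPool(check_health_after_donate)
    pool.deposit("user", 100)
    pool.borrow("user", 75)          # exactly at the 75% limit
    try:
        pool.donate_to_reserves("user", 50)
        reverted = False
    except ValueError:
        reverted = True
    a = pool.account("user")
    return {"reverted": reverted, "healthy": pool.is_healthy("user"),
            "collateral": a.e_tokens, "debt": a.d_tokens}


if __name__ == "__main__":
    print("no health check:", run_scenario(False))   # debt 75 backed by 50 collateral
    print("health check:", run_scenario(True))       # donation reverted
```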
II. Ten Recent Hacks
1. Project Name: Hyperbridge (Loss: ~$2.5M | Date: April 2026)
Cause of breach: The core issue was defective proof verification logic in the Token Gateway.
Attackers exploited missing input validation in Merkle Mountain Range (MMR) proof verification to forge an invalid cross-chain proof that the system erroneously accepted as valid. This granted them administrative control over Ethereum’s bridged DOT contract, enabling them to mint ~1 billion counterfeit bridged DOT tokens and dump them on DEXes.
The attack also impacted DOT pools on Ethereum, Base, BNB Chain, and Arbitrum. Official loss estimates were revised from an initial ~$237,000 to ~$2.5 million.
2. Project Name: Venus Protocol (Loss: ~$3.7M–$5M | Date: March 2026)
Cause of breach: The core issue was bypassable supply cap checks combined with manipulable exchange rate calculations.
Specifically, Venus computed market funds by directly reading contract balances via balanceOf(); however, supply cap enforcement occurred only during mint() calls.
Attackers circumvented mint() entirely by directly transferring underlying assets (ERC-20 transfers) into vToken contracts—thus evading supply cap checks.
Since these funds were counted in contract balances, the system calculated an artificially inflated exchange rate—believing pool assets had increased while vToken supply remained unchanged.
Under this condition, attackers’ existing collateral value was amplified—granting disproportionately high borrowing capacity.
They then exploited this inflated collateral value in repeated borrow → pump price → borrow cycles, extracting multiple assets from the protocol—ultimately causing ~$5 million in losses.
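To make the accounting defect concrete, here is an added example in Python, not Venus's code: a simplified receipt-token market whose exchange rate is derived from the contract's token balance, beside the same market tracking cash in an internal ledger that only mint() can credit. The cap, balances and names are constructed.

```python
# Added example, not Venus's code: a simplified lending-market receipt token.
# With ledger=False the cash backing the exchange rate is read from the token
# balance (the weak pattern the article describes); with ledger=True cash is
# only credited through mint(), so a plain transfer changes nothing.
SCALE = 10**18  # fixed-point scale for the exchange rate


class Underlying:
    """Minimal ERC-20 stand-in with balances keyed by holder name."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def transfer(self, src, dst, amount):
        if self.balance_of(src) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balance_of(dst) + amount


class VToken:
    ADDR = "vToken"  # the market contract's own address in the underlying token

    def __init__(self, underlying, supply_cap, ledger):
        self.u = underlying
        self.supply_cap = supply_cap
        self.ledger = ledger
        self.total_supply = 0   # receipt tokens outstanding
        self.tracked_cash = 0   # underlying credited through mint() only

    def cash(self):
        # Weak: trust whatever sits in the contract. Hardened: trust the ledger.
        return self.tracked_cash if self.ledger else self.u.balance_of(self.ADDR)

    def exchange_rate(self):
        if self.total_supply == 0:
            return SCALE
        return self.cash() * SCALE // self.total_supply

    def mint(self, user, amount):
        # The supply cap is only checked here, so any deposit path that skips
        # mint() skips the cap as well.
        if self.cash() + amount > self.supply_cap:
            raise ValueError("supply cap exceeded")
        minted = amount * SCALE // self.exchange_rate()
        self.u.transfer(user, self.ADDR, amount)
        self.tracked_cash += amount
        self.total_supply += minted
        return minted

    def collateral_value(self, receipt_tokens):
        return receipt_tokens * self.exchange_rate() // SCALE


def run_scenario(ledger):
    """Mint within the cap, then push extra underlying in with a plain transfer.
    Returns the collateral value attributed to the original receipt tokens."""
    u = Underlying({"user": 2_500})
    v = VToken(u, supply_cap=1_000, ledger=ledger)
    receipts = v.mint("user", 500)          # allowed: 500 <= cap
    u.transfer("user", VToken.ADDR, 2_000)  # bypasses mint(), so no cap check
    return v.collateral_value(receipts)


if __name__ == "__main__":
    print("balanceOf-based accounting:", run_scenario(ledger=False))  # inflated
    print("internal-ledger accounting:", run_scenario(ledger=True))   # unchanged
```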
3. Project Name: Resolv Labs (Loss: ~$23M–$25M | Date: March 2026)
Cause of breach: The core issue was compromise of a critical signing private key—and absence of minting caps in on-chain contracts.
Resolv’s USR minting flow relied on an off-chain service: users submitted requests, which were signed by a system holding a privileged private key (SERVICE_ROLE), and finally executed by the contract.
But the contract only verified “was the signature valid?”—not “was the mint amount reasonable?”—and enforced no collateral ratio, oracle price checks, or maximum mint limits.
Attackers breached the project’s cloud infrastructure and stole this signing key—giving them full ability to generate valid signatures at will.
With signing authority, attackers used minimal USDC (~$100k–$200k) as input, forged the request parameters, and directly minted ~80 million USR tokens—without any backing collateral.
These unbacked USR tokens were rapidly swapped into other stablecoins and ultimately ETH, with funds gradually withdrawn—while massive new supply caused USR to depeg sharply.
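The following added example, not Resolv's code, contrasts a mint gateway that only verifies the request signature with one that also enforces a per-request cap and a collateral ratio in the contract itself. HMAC-SHA256 stands in for the real signature scheme, and the key, amounts and limits are constructed.

```python
# Added example, not Resolv's code: a mint gateway that accepts signed mint
# requests. The weak checker only verifies the signature, so whoever holds the
# key can mint any amount; the hardened checker also enforces a per-request
# cap and a collateral ratio. HMAC-SHA256 stands in for the real signature
# scheme; the key, amounts and limits are constructed sample values.
import hashlib
import hmac
import json

SERVICE_KEY = b"constructed-demo-key"  # stands in for the privileged signing key


def sign_request(key, request):
    payload = json.dumps(request, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def signature_valid(key, request, signature):
    return hmac.compare_digest(sign_request(key, request), signature)


def mint_weak(key, request, signature):
    """Only asks: is the signature valid?"""
    if not signature_valid(key, request, signature):
        raise PermissionError("bad signature")
    return request["mint_amount"]


def mint_hardened(key, request, signature, max_per_request, min_collateral_ratio, collateral_price):
    """Also asks: is the amount within the cap, and is it actually backed?"""
    if not signature_valid(key, request, signature):
        raise PermissionError("bad signature")
    amount = request["mint_amount"]
    if amount > max_per_request:
        raise ValueError("mint exceeds per-request cap")
    backing = request["collateral_in"] * collateral_price
    if backing < amount * min_collateral_ratio:
        raise ValueError("insufficient collateral for requested mint")
    return amount


def outcome(fn, *args):
    """Run a mint function and return either the minted amount or the refusal reason."""
    try:
        return fn(*args)
    except (PermissionError, ValueError) as exc:
        return str(exc)


# Constructed requests: ~200k of collateral against an 80 million mint, and a
# properly backed request of the same collateral.
OVERSIZED = {"user": "0xabc", "collateral_in": 200_000, "mint_amount": 80_000_000}
HONEST = {"user": "0xabc", "collateral_in": 200_000, "mint_amount": 190_000}

if __name__ == "__main__":
    sig = sign_request(SERVICE_KEY, OVERSIZED)
    print("weak:", outcome(mint_weak, SERVICE_KEY, OVERSIZED, sig))
    print("hardened:", outcome(mint_hardened, SERVICE_KEY, OVERSIZED, sig, 1_000_000, 1.0, 1.0))
```

With the on-chain limits in place, a stolen signing key bounds the loss to the cap instead of the entire supply.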
4. Project Name: Saga (Loss: ~$7M | Date: January 2026)
Cause of breach: The core issue was defective validation logic in the EVM precompile bridge.
SagaEVM used an Ethermint-based EVM implementation containing an undetected vulnerability affecting cross-chain bridge transaction validation.
Attackers crafted specific transactions to bypass bridge validations—specifically, checks for “has collateral been deposited?” and “are stablecoin supply limits enforced?”
Once validation was bypassed, the system treated forged messages as legitimate cross-chain operations and minted corresponding stablecoins accordingly. Without real collateral backing, attackers could mint unlimited stablecoins costlessly—and swap them for real assets in the protocol.
Ultimately, protocol funds were persistently drained, stablecoins depegged, and ~$7 million in assets were withdrawn.
5. Project Name: Solv (Loss: ~$2.5M | Date: March 2026)
Cause of breach: The core issue was a double-mint vulnerability in the BRO Vault contract (triggered by reentrancy).
Specifically, upon receiving ERC-3525 assets, the contract called doSafeTransferIn—and since ERC-3525 builds upon ERC-721, safe transfers triggered the onERC721Received callback.
Within this flow, the contract performed one mint in the main execution path—and another mint inside the callback.
Because the callback fired before the first mint completed, attackers could trigger two mints per single deposit—creating a classic reentrancy path. Repeatedly exploiting this, attackers amplified small asset inputs into large quantities of BRO, then swapped them for SolvBTC and withdrew.
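As an added example in Python, not Solv's code, the following vault accepts a token whose safe transfer invokes a receiver callback, as ERC-3525 does through its ERC-721 base: the weak variant credits shares both in the callback and on the main path, the hardened variant credits once after the transfer completes and holds a reentrancy lock. The token, balances and amounts are constructed.

```python
# Added example, not Solv's code: a vault receiving a token whose safe transfer
# notifies the receiver before returning. The weak vault mints inside the
# callback and again on the main path (two credits per deposit); the hardened
# vault mints once, after the transfer, and locks against re-entry.
# Token, balances and amounts are constructed sample values.

class CallbackToken:
    """Stand-in for an ERC-721-style token: safe transfers notify the receiver."""

    def __init__(self):
        self.owner_of = {}

    def safe_transfer(self, src, dst, token_id, value, receiver):
        if self.owner_of.get(token_id, src) != src:
            raise ValueError("not the owner")
        self.owner_of[token_id] = dst
        receiver.on_received(src, token_id, value)  # runs before the caller continues


class Vault:
    def __init__(self, token, mint_in_callback):
        self.token = token
        self.mint_in_callback = mint_in_callback
        self.shares = {}
        self.locked = False

    def on_received(self, src, token_id, value):
        # Weak pattern: crediting shares from inside the transfer callback.
        if self.mint_in_callback:
            self.shares[src] = self.shares.get(src, 0) + value

    def deposit(self, user, token_id, value):
        if self.locked:
            raise RuntimeError("reentrant call")
        self.locked = True
        try:
            self.token.safe_transfer(user, "vault", token_id, value, self)
            # Main-path mint. In the weak variant this is the second credit for
            # the same deposit; in the hardened variant it is the only one.
            self.shares[user] = self.shares.get(user, 0) + value
        finally:
            self.locked = False
        return self.shares[user]


def shares_for_one_deposit(mint_in_callback):
    """Shares credited for a single deposit of 100 units."""
    vault = Vault(CallbackToken(), mint_in_callback)
    return vault.deposit("user", token_id=1, value=100)


def reentrant_deposit_rejected():
    """Show the lock: a receiver that re-enters deposit() from the callback."""
    vault = Vault(CallbackToken(), mint_in_callback=False)

    def reenter(src, token_id, value):
        vault.deposit(src, token_id + 1, value)  # second deposit during the first

    vault.on_received = reenter
    try:
        vault.deposit("user", token_id=1, value=100)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print("mint in callback and main path:", shares_for_one_deposit(True))   # 200
    print("single mint after transfer:", shares_for_one_deposit(False))      # 100
    print("re-entry blocked by lock:", reentrant_deposit_rejected())         # True
```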
6. Project Name: Aave (Indirect impact: Bad debt risk ~$177M–$236M | Date: April 2026)
Cause of breach: The direct vulnerability wasn’t in Aave—but in Kelp DAO’s cross-chain bridge verification mechanism.
Attackers sent a forged message to the LayerZero-based bridge, causing the system to erroneously release and mint ~116,500 rsETH without actual ETH deposits. These rsETH tokens lacked real asset backing—but were accepted as normal collateral in the system.
Attackers then deposited these unbacked rsETH into Aave as collateral and borrowed large volumes of real assets (WETH). Because Aave’s parameters permitted massive collateralization and lending, attackers rapidly completed borrowing and withdrew funds.
The end result: attackers shifted risk to Aave via “forged collateral → borrowed real assets,” creating massive bad debt.
7. Project Name: YieldBlox (Loss: ~$10.2M | Date: February 2026)
Cause of breach: The core issue was oracle price manipulation via single transactions (low liquidity + VWAP mechanism).
Prior to the attack, the USTRY/USDC trading pair had virtually no liquidity—and no legitimate trades occurred within the oracle’s price window. YieldBlox’s Reflector oracle used VWAP (volume-weighted average price), meaning a single trade could dictate the price under such conditions.
Attackers first placed an extreme price order (~500 USDC per USTRY), then used another account to execute a minuscule trade (~0.05 USTRY) at that price—successfully inflating the oracle price to ~$106.
With the inflated price, attackers’ USTRY holdings were treated as high-value collateral—granting borrowing capacity far exceeding real value. They then borrowed the pool’s entire assets (XLM and USDC) outright to complete fund extraction.
8. Project Name: Step Finance (Loss: ~$30M–$40M | Date: January 2026)
Cause of breach: The core issue was compromise of core team members’ devices—leading to private key theft or a compromised signing process.
Attackers breached senior team members’ devices to gain access to the project’s control wallets. This access may have included direct private key theft—or malware implanted to interfere with transaction signing, causing managers to unknowingly approve malicious transactions.
Once in control, attackers operated across multiple Solana wallets under project control—including unstaking assets and withdrawing funds. No smart contract vulnerability was involved—only direct misuse of already-compromised wallet permissions.
Ultimately, large-scale fund withdrawals occurred—causing ~$30 million in losses and triggering sharp token price declines.
9. Project Name: Truebit (Loss: ~$26M | Date: January 2026)
Cause of breach: The core issue was integer overflow in the TRU purchase pricing function.
During buyTRU() price computation, multiple large-number multiplications and additions occurred—but the contract used Solidity 0.6.10, which lacks default overflow protection.
When attackers passed a specific large parameter, intermediate values overflowed and wrapped around—causing final purchase prices to be anomalously suppressed—even to zero.
Under this condition, attackers could acquire large quantities of TRU at extremely low—or zero—cost.
Meanwhile, the sellTRU() logic remained unaffected and still correctly redeemed ETH reserves proportionally.
Attackers then cycled repeatedly:
👉 Buy TRU cheaply/for free → Sell TRU at fair price → Withdraw ETH
Continuously draining funds across multiple rounds—ultimately causing ~$26 million in losses.
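The Cetus and Truebit cases both come down to fixed-width arithmetic whose overflow is either not detected or detected too late. Here is an added example in Python, not Truebit's or Cetus's code: a multiply that wraps modulo 2**bits, a boundary check that cannot fire because it inspects the already-wrapped result, and the operand-based check that is exact at the boundary; the purchase-price formula is a hypothetical stand-in for the pricing function the article mentions.

```python
# Added example, not Truebit's or Cetus's code: fixed-width integer arithmetic
# modelled in Python. Shows a multiply that wraps modulo 2**bits, an overflow
# check that never fires because it inspects the already-wrapped result, and
# the operand-based check that is exact at the boundary. The purchase-price
# formula is a hypothetical stand-in for the article's pricing function.

def mask(bits):
    return (1 << bits) - 1


def wrapping_mul(a, b, bits=256):
    """Unchecked multiply as in Solidity < 0.8: the product silently wraps."""
    return (a * b) & mask(bits)


def overflow_check_after_wrap(a, b, bits=256):
    """Broken boundary check: the product is reduced before comparison, so this
    is always False and the computation continues with a wrapped value."""
    return wrapping_mul(a, b, bits) > mask(bits)


def overflow_check_from_operands(a, b, bits=256):
    """Correct check, decided from the operands before multiplying. Exact at the
    boundary: a * b fits iff a <= max // b."""
    return b != 0 and a > mask(bits) // b


def checked_mul(a, b, bits=256):
    """Checked multiply as in Solidity >= 0.8: refuse instead of wrapping."""
    if overflow_check_from_operands(a, b, bits):
        raise OverflowError(f"{a} * {b} does not fit in {bits} bits")
    return a * b


def purchase_cost_unchecked(quantity, unit_price, scale=10**18):
    """Hypothetical price path: cost = quantity * unit_price / scale with an
    unchecked intermediate product, so a large quantity can cost nothing."""
    return wrapping_mul(quantity, unit_price) // scale


def purchase_cost_checked(quantity, unit_price, scale=10**18):
    """Same formula with the intermediate product checked."""
    return checked_mul(quantity, unit_price) // scale


if __name__ == "__main__":
    q, p = 2**128, 2**128
    print("wrapped cost for a huge quantity:", purchase_cost_unchecked(q, p))  # 0
    print("after-the-fact check fires:", overflow_check_after_wrap(q, p))      # False
    print("operand check fires:", overflow_check_from_operands(q, p))          # True
    try:
        purchase_cost_checked(q, p)
    except OverflowError as exc:
        print("checked path refused:", exc)
```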
10. Project Name: Makina (Loss: ~$4.1M | Date: January 2026)
Cause of breach: The core issue was reliance on external Curve pool data for AUM/sharePrice calculations—with no validation—and susceptibility to flash loan manipulation.
Attackers borrowed large sums via flash loans, temporarily injecting liquidity and conducting trades across multiple Curve pools—artificially altering pool states and related computations (e.g., LP value, withdrawal calculations).
These manipulated data points were ingested directly by the protocol for AUM (assets under management) calculations—and subsequently influenced sharePrice.
Without effective validation or time-weighted averaging of external data, the system accepted these anomalies as truth—causing:
- AUM to be massively inflated
- sharePrice to be anomalously amplified
Once sharePrice was inflated, attackers arbitraged the price differential, extracting assets from the DUSD/USDC pool and realizing a profit.
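Both the YieldBlox and Makina cases rest on a price read from external market data with no check on how much trading actually stands behind it. The following added example, not YieldBlox's or Makina's code, computes a VWAP from a thin trade window beside a guarded reader that requires a minimum traded volume and bounds the move against the last accepted price; the trades, thresholds and loan-to-value ratio are constructed.

```python
# Added example, not YieldBlox's or Makina's code: a VWAP read from a thin
# trade window, beside a guarded reader that needs a minimum traded volume and
# rejects implausible moves. The trades and thresholds are constructed samples.
from dataclasses import dataclass


@dataclass
class Trade:
    price: float   # quote units per base unit
    volume: float  # base units traded


def naive_vwap(trades):
    """Weak: any non-empty window produces a price, however little was traded."""
    total_volume = sum(t.volume for t in trades)
    if total_volume == 0:
        return None
    return sum(t.price * t.volume for t in trades) / total_volume


def guarded_price(trades, last_accepted, min_volume, max_deviation):
    """Hardened: return (price, accepted). The window must carry at least
    min_volume of trades and must not move more than max_deviation (fraction)
    from the last accepted price; otherwise the last accepted price is kept."""
    total_volume = sum(t.volume for t in trades)
    if total_volume < min_volume:
        return last_accepted, False
    candidate = sum(t.price * t.volume for t in trades) / total_volume
    if last_accepted and abs(candidate - last_accepted) / last_accepted > max_deviation:
        return last_accepted, False
    return candidate, True


def borrow_limit(holding, price, ltv):
    """Borrowing capacity a lending pool would grant at the given price."""
    return holding * price * ltv


# Constructed windows: one with no organic trades and a single dust trade at an
# extreme price, one with ordinary two-sided activity around 1.00.
THIN_WINDOW = [Trade(price=500.0, volume=0.05)]
HEALTHY_WINDOW = [Trade(1.00, 800.0), Trade(1.01, 600.0), Trade(0.99, 400.0)]
LAST_ACCEPTED = 1.0

if __name__ == "__main__":
    inflated = naive_vwap(THIN_WINDOW)
    print("naive VWAP:", inflated, "-> borrow limit", borrow_limit(10_000, inflated, 0.8))
    print("guarded, thin window:", guarded_price(THIN_WINDOW, LAST_ACCEPTED, 100.0, 0.10))
    print("guarded, healthy window:", guarded_price(HEALTHY_WINDOW, LAST_ACCEPTED, 100.0, 0.10))
```

A time-weighted average across several windows adds a second line of defence, since a single-block trade then moves the price only in proportion to the window length.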
III. Common Patterns & Insights Across All 20 Incidents
Across these 20 incidents, a clear trend emerges: hackers steal massive assets via only two fundamental paths—technical vulnerabilities and social engineering.
1️⃣ Technical Vulnerabilities: Examining their chronological distribution reveals a distinct migration path.
Early technical vulnerabilities clustered heavily around cross-chain bridges—the fastest-growing, newest, and least-audited DeFi infrastructure at the time. Bridges handled enormous assets but hadn’t yet endured sufficient adversarial testing.
As the industry began prioritizing bridge security—strengthening verification mechanisms—large-scale technical bridge vulnerabilities declined markedly. Yet vulnerabilities didn’t vanish—they simply relocated: migrating into DeFi protocols’ internal mathematical logic, oracle designs, and third-party library dependencies.
- Cetus: boundary condition errors in math libraries
- Truebit: integer overflows in outdated compilers
- YieldBlox: overreliance on oracles in low-liquidity markets
The underlying reality is singular: the attack surface always follows assets, code novelty, and audit blind spots. When one infrastructure class is heavily targeted—and the industry responds with heightened vigilance and stronger defenses—attackers shift to the next fastest-growing, weakest-defended frontier.
2️⃣ Social Engineering: Of these 20 breaches, four have been confirmed or highly attributed to North Korean state-backed hackers—Ronin, WazirX, Bybit, and Drift—collectively causing over $2.5 billion in losses.
Per Chainalysis data, North Korean-linked hackers stole over $2 billion in crypto assets in 2025 alone—nearly 60% of global crypto theft that year. Compared to 2024, North Korean attack frequency dropped 74%, but average loss per incident surged dramatically.
North Korean tactics continue evolving—from Ronin’s direct internal system intrusion, to Bybit’s supply-chain attack, to Drift’s six-month offline infiltration—each time finding novel ways beyond existing defenses.
More alarmingly, North Korean hackers are embedding deep-cover operatives disguised as developers across the global crypto industry. Once hired into target firms, these agents map internal system architectures, gain codebase access, and quietly implant backdoors into production code.
The scope of impact is widening: Early breaches affected only the compromised protocol itself—but as DeFi composability deepens, single-point failures now propagate outward.
- Drift: After the breach, at least 20 protocols dependent on its liquidity or strategies experienced disruptions, pauses, or direct losses—Carrot Protocol saw 50% of its TVL impacted.
- Aave: Aave’s contracts were flawless—but merely accepting Kelp DAO’s rsETH as collateral meant external bridge verification failure directly translated into Aave’s bad debt risk.
These patterns point to one stark reality: depositing assets into a protocol isn’t just trusting its code. You’re also trusting every external asset it depends on, every third-party service it integrates, and the judgment and operational security of every individual holding administrative privileges.
Lately, hack headlines keep coming—one after another. Polymarket recently launched a market asking “Will any crypto project suffer a >$100M hack this year?”—and it settled before the month ended. This isn’t coincidence. DeFi’s asset scale is growing, inter-protocol dependencies are deepening—but defensive capabilities haven’t kept pace.
Security pressure hasn’t eased—yet threat dimensions are expanding. In April 2026, Anthropic’s Claude Mythos Preview—during testing—discovered thousands of critical vulnerabilities across every major OS and browser—and converted 72% of known vulnerabilities into actionable exploit paths.
Once systematically applied to scan smart contracts, this capability means DeFi vulnerabilities will be discovered—and exploited—at unprecedented speed. Simultaneously, projects can proactively leverage such tools for self-auditing—identifying and patching latent risks ahead of time to strengthen their security posture.
⏰ For ordinary users, these cases offer several direct takeaways:
- Don’t concentrate assets in a single protocol. While diversification doesn’t eliminate risk, it caps maximum loss per incident.
- Maintain distance from new protocols. Most technical vulnerabilities are discovered shortly after launch. A protocol that’s run smoothly for two years—undergoing multiple audits and real-world stress tests—is far safer than a newly launched, high-yield offering.
- Assess whether the protocol is genuinely profitable. Profitable protocols possess real capacity to compensate users when losses occur. Protocols sustained solely by token incentives—with no real revenue—often resort to issuing new tokens or making empty promises when things go wrong.
A truly mature financial infrastructure won’t perpetually subordinate security to growth metrics. Until that day arrives, hack headlines won’t stop.
Risk Disclaimer: All content herein is for informational purposes only and does not constitute investment advice. Cryptocurrency markets are highly volatile, and smart contracts carry inherent risks. Please conduct your own independent risk assessment before making decisions.