Reviewing 20 Hacking Incidents: Why Does the Crypto Industry Keep Getting Hacked?
TechFlow Selected TechFlow Selected
Reviewing 20 Hacking Incidents: Why Does the Crypto Industry Keep Getting Hacked?
Analyzing 20 cryptocurrency theft cases, dissecting the two primary attack vectors used by hackers, and explaining why a vulnerability in one protocol can harm the entire ecosystem.
Navigating Web3 tides with focused insightsAuthor: Changan I Biteye Content Team
In April 2026, Kelp DAO suffered a $292 million hack: the attacker borrowed real assets from Aave using uncollateralized tokens, generating over $200 million in bad debt within 46 minutes.
This is just one of many hacks this year. Drift lost $285 million; Step Finance lost approximately $30 million; Resolv Labs lost roughly $23 million—the news keeps coming, one after another, with no time for the industry to react before the next project is compromised.
Are there underlying patterns behind these incidents? How exactly do hackers attack protocols?
This article reviews 20 of the most representative hacks—both historical and recent—in an effort to uncover answers.
Based on our analysis of these 20 cases, three clear patterns emerge:
- Technical vulnerabilities account for the majority of incidents, but individual losses tend to be relatively limited. In contrast, permission-related and social engineering attacks—though fewer in number—account for the vast majority of total losses.
- The scale of permission-based attacks continues to escalate. Among the 20 cases, the four largest losses were all attributed to North Korean hackers.
- The battleground for technical vulnerabilities is shifting: cross-chain bridges have never been secure.
I. Top 10 Projects by Loss Amount
1. Project Name: Bybit (Loss: $1.5B | Date: February 2025)
Cause of breach:
The North Korean hacker group Lazarus Group (attributed with high confidence by the FBI and ZachXBT under the codename “TraderTraitor”) breached Safe Wallet’s multisig mechanism via frontend UI hijacking + multisig fraud.
The attackers first infiltrated Bybit’s core developer devices and injected malicious JavaScript code into the wallet’s frontend. When multisig signers (six individuals) executed routine cold wallet transfers, the UI displayed normal recipient addresses and amounts—but the underlying Call Data was tampered with, redirecting 401,000 ETH to the attacker’s address. Under this “what you see is not what you get” deception, three out of six signers approved the transaction, resulting in instantaneous fund loss.
Root cause: Multisig relies on human–machine interaction layers; lack of independent frontend verification invalidated mathematical security. Tether froze related USDT within hours, whereas Circle delayed USDC freezing by 24 hours—exacerbating losses. This incident exposed the fatal threat posed by social engineering + UI attacks against centralized exchanges, catalyzing initiatives like Safenet—a transaction verification network.
This incident closely mirrors Drift Protocol (April 2026, $285M): targeted social engineering to build trust, followed by UI/signature fraud—marking a strategic shift by hackers from smart contract vulnerabilities toward “human–machine weaknesses.”
In its response, Bybit swiftly deployed its own capital to fully reimburse all losses, ensuring zero user impact; the platform remains stable today.
2. Project Name: Ronin Network (Loss: $624M | Date: March 2022)
Cause of breach: The Lazarus Group used social engineering and backdoor techniques to gain full control over validator node private keys.
The attackers infiltrated Sky Mavis’ internal systems and exploited a backdoor in a gas-free RPC node to take control of five of nine validator nodes—including four operated by Sky Mavis and one by Axie DAO. They then forged two withdrawal transactions, illicitly extracting 173,600 ETH and $25.5M in USDC.
The root cause lies in the cross-chain bridge’s design: excessive concentration of validation authority among a small number of nodes. With only five signatures required out of nine nodes to execute operations, the threshold proved virtually meaningless against targeted social engineering.
3. Project Name: Poly Network (Loss: $611M | Date: August 2021)
Cause of breach: The core vulnerability was flawed permission management in the cross-chain contracts.
The attacker exploited the relationship between two high-privilege contracts—EthCrossChainManager and EthCrossChainData—to forge an executable function call. Because EthCrossChainManager held authority to modify Keeper public keys—and because the _method parameter used during invocation could be arbitrarily defined by users—the attacker constructed a hash collision to successfully invoke putCurEpochConPubKeyBytes, a function normally restricted to high-privilege accounts.
This allowed the attacker to replace the legitimate manager’s public key with their own, gaining full control over cross-chain assets and ultimately withdrawing funds across multiple chains.
4. Project Name: Wormhole (Loss: $326M | Date: February 2022)
Cause of breach: Normally, when users transfer assets across chains, the system must first confirm that those assets have actually been deposited and that associated signatures are valid—only then does it mint corresponding assets on the destination chain.
Wormhole’s flaw lay precisely in this signature verification step. Its code used an obsolete and insecure function to verify transaction legitimacy—a function originally intended to confirm whether prior signature validation had truly occurred. However, its checks were insufficient, creating an exploitable loophole.
The attacker leveraged this vulnerability to fabricate seemingly “validated” messages, tricking the system into believing the cross-chain operation was genuine. In essence, the system should have first verified “was the asset actually locked in?” But due to the bypassed validation step, it accepted the attacker’s fake proof at face value.
As a result, the attacker minted large quantities of wETH without depositing any real assets. These newly minted assets were then further withdrawn and exchanged, causing Wormhole to lose approximately $326 million.
5. Project Name: Drift Protocol (Loss: $285M | Date: April 2026)
Cause of breach: A DPRK-affiliated hacker group conducted a six-month targeted infiltration, culminating in an attack exploiting Solana’s Durable Nonce pre-sign scam.
Starting in autumn 2025, the attackers posed as a quantitative trading firm, building offline trust with Drift contributors at multiple international crypto conferences—and even invested over $1 million into the Ecosystem Vault to bolster credibility. Once trusted, they induced members of the Security Council to pre-sign seemingly harmless transactions. Leveraging Solana’s Durable Nonce mechanism, they concealed governance-transfer instructions within these transactions. Simultaneously, Drift had just migrated to zero-latency multisig—eliminating any window for post-facto detection or intervention.
After seizing protocol governance, the attackers registered a fake token CVT with only hundreds of dollars in real liquidity, manipulated its price via wash trading, then deposited 500 million CVT as collateral to borrow $285 million in USDC, SOL, and ETH. The entire execution phase lasted only 12 minutes.
Drift’s official team and SEAL 911 security team attributed this attack to the DPRK-linked organization with “medium-to-high confidence.” The actual operators were not North Korean nationals but third-party intermediaries controlled by the group, who handled all offline interactions.
6. Project Name: WazirX (Loss: $235M | Date: July 2024)
Cause of breach: The core issue was the gradual compromise—and eventual replacement—of a multisig wallet with a malicious contract.
The attackers first obtained partial signer access (via phishing and direct compromise or induced signing). Building on this, they then misled other signers through fake interfaces, causing them to unknowingly approve malicious transactions.
Once sufficient signatures were collected, the attackers did not immediately withdraw assets. Instead, leveraging the multisig wallet’s upgradability mechanism, they executed a contract upgrade—replacing the original implementation contract with their own malicious one.
Once deployed, this malicious contract became the new execution logic: all subsequent transactions were redirected, and funds continuously flowed to the attacker’s address. Ultimately, full control over the multisig wallet was seized, and on-chain assets were gradually drained.
7. Project Name: Cetus (Loss: $223M | Date: May 2025)
Cause of breach: The attack stemmed from an arithmetic overflow vulnerability in the protocol’s liquidity calculation.
Specifically, Cetus used a math function with incorrect boundary checks when handling large numbers. When a value reached a critical threshold, the system failed to detect the impending overflow and proceeded with computation—causing abnormal amplification of results.
The attacker engineered a precise sequence: first triggering extreme price conditions via large trades, then establishing liquidity positions within specific ranges while contributing only minimal (“dust-level”) assets. Under these conditions, the overflow bug was triggered—causing the system to calculate vastly inflated liquidity shares for the attacker relative to their actual contribution.
The attacker then withdrew liquidity using these artificially inflated shares, extracting far more assets from the pool than deposited. This process was repeatable, enabling continuous draining of pool funds and ultimately massive losses.
8. Project Name: Gala Games (Loss: $216M | Date: May 2024)
Cause of breach: The core issue was compromise of a high-privilege minting account’s private key, leading to broken access control.
While Gala’s contracts enforced permission restrictions on the mint function, the private key of one authorized minter account was stolen by attackers. That account remained dormant yet retained full high-privilege rights.
Upon gaining control, the attacker directly invoked the contract’s mint function to generate approximately 5 billion GALA tokens, transferring them to their personal address. Subsequently, they sold these tokens in batches on exchanges to convert them into ETH.
No smart contract vulnerability was exploited—only legitimate permissions were misused for malicious ends.
9. Project Name: Mixin Network (Loss: $200M | Date: September 2023)
Cause of breach: The core issue was storage of private keys in a centrally managed cloud database.
Mixin Network claimed to be maintained by 35 mainnet nodes supporting cross-chain transfers across 48 public blockchains. Yet the private keys for its hot wallets and numerous deposit addresses were stored—in “recoverable” form—in a third-party cloud service provider’s database. At dawn on September 23, 2023, attackers breached that database and extracted these keys en masse.
With the keys in hand, attackers needed no contract logic exploitation—they simply signed transactions as legitimate owners. On-chain records show attackers systematically emptied addresses in descending order of balance, executing over 10,000 transactions over several hours. Primary assets included ~$95.3M in ETH, ~$23.7M in BTC, and ~$23.6M in USDT—much of which was rapidly swapped into DAI to evade freezing.
10. Project Name: Euler Finance (Loss: $197M | Date: March 2023)
Cause of breach: The core issue was inconsistency in internal asset/liability accounting logic—amplified via flash loans.
Specifically, Euler’s DonateToReserve function, upon execution, destroyed only the eToken representing deposited collateral—but failed to simultaneously destroy the dToken representing debt—breaking the system’s collateral/debt correspondence.
As a result, the protocol incorrectly interpreted reduced collateral and altered debt structure—producing anomalous asset states.
The attacker engineered an end-to-end workflow: first borrowing large sums via flash loans, then repeatedly depositing and borrowing within the protocol to manipulate eToken/dToken ratios. Exploiting this logical flaw, the system generated erroneous asset/liability states—granting the attacker borrowing capacity far exceeding actual collateral backing.
Having gained abnormally inflated borrowing power, the attacker withdrew funds in batches across multiple assets (DAI, USDC, stETH, wBTC), completing everything in single transactions and repeating the process to maximize gains—ultimately causing ~$197 million in losses.
II. Ten Recent Breaches
1. Project Name: Hyperbridge (Loss: ~$2.5M | Date: April 2026)
Cause of breach: The core issue was a flaw in the Token Gateway’s proof verification logic.
The attacker exploited missing input validation in Merkle Mountain Range (MMR) proof verification to forge an invalid cross-chain proof that the system mistakenly accepted as valid. This granted them administrative control over the Ethereum bridged DOT contract, enabling them to mint ~1 billion counterfeit bridged DOT tokens and dump them on DEXs.
The attack also impacted DOT pools on Ethereum, Base, BNB Chain, and Arbitrum. Official estimates of initial losses (~$237,000) were later revised upward to ~$2.5 million.
2. Project Name: Venus Protocol (Loss: ~$3.7M–$5M | Date: March 2026)
Cause of breach: The core issue was bypassable supply cap validation, compounded by manipulation of exchange rate calculation logic.
Specifically, Venus calculated market funds by reading true balances directly via balanceOf(); however, supply cap enforcement occurred only during mint() calls.
Attackers circumvented mint() entirely by directly transferring underlying ERC-20 assets into the vToken contract—thus evading supply cap checks.
Because these assets were counted toward contract balance, the system’s exchange rate calculation assumed increased pool assets—yet no corresponding increase in vToken supply occurred—artificially inflating the exchange rate.
Under this condition, the attacker’s existing collateral appeared vastly more valuable—granting them disproportionately high borrowing capacity.
The attacker then exploited this inflated collateral value in repeated borrow → pump → reborrow loops, extracting multiple assets from the protocol and ultimately causing ~$5 million in losses.
3. Project Name: Resolv Labs (Loss: ~$23M–$25M | Date: March 2026)
Cause of breach: The core issue was compromise of a critical signing private key—and absence of on-chain minting limits.
Resolv’s USR minting relied on an off-chain service: users submitted requests, which were then signed by a system holding a privileged private key (SERVICE_ROLE), before being executed by the contract.
But the contract performed only signature validation—not reasonableness checks on minted amounts—and imposed no collateral ratio, oracle price, or maximum minting limits.
Attackers breached the project’s cloud infrastructure and stole this signing key—enabling them to generate valid signatures at will.
With signing authority secured, attackers used minimal USDC input (~$100K–$200K) and forged parameters to mint ~80 million unbacked USR tokens.
These uncollateralized USR tokens were quickly swapped into other stablecoins and ultimately converted to ETH—funds were gradually withdrawn, while massive new supply caused USR to depeg sharply.
4. Project Name: Saga (Loss: ~$7M | Date: January 2026)
Cause of breach: The core issue was a flaw in the EVM precompile bridge’s validation logic.
SagaEVM used an Ethermint-based EVM implementation containing an undiscovered vulnerability affecting cross-chain bridge transaction validation.
The attacker crafted specific transactions to bypass validations for both “asset deposit confirmation” and “stablecoin supply caps.”
Once validation was bypassed, the system treated these fabricated messages as legitimate cross-chain operations—and minted corresponding stablecoins accordingly. Without real collateral backing, attackers could mint stablecoins costlessly and swap them for real assets within the protocol.
Ultimately, protocol funds were persistently drained, the stablecoin depegged, and ~$7 million in assets were withdrawn.
5. Project Name: Solv (Loss: ~$2.5M | Date: March 2026)
Cause of breach: The core issue was a double-mint vulnerability in the BRO Vault contract (triggered by reentrancy).
Specifically, when receiving ERC-3525 assets, the contract called doSafeTransferIn; and since ERC-3525 builds on ERC-721, the safe transfer process triggered the onERC721Received callback.
Within this flow, the contract minted once during the main execution path—and again inside the callback.
Because the callback fired before the first mint completed, attackers triggered two mints per deposit—creating a classic reentrancy vector. By repeatedly exploiting this, attackers amplified small inputs into large quantities of BRO, swapped them for SolvBTC, and withdrew funds.
6. Project Name: Aave (Indirect impact: Bad debt risk ~$177M–$236M | Date: April 2026)
Cause of breach: The direct vulnerability was not in Aave itself—but rather in Kelp DAO’s cross-chain bridge validation mechanism.
The attacker sent a forged message to the LayerZero-based cross-chain bridge, causing the system to release and mint ~116,500 rsETH without any actual ETH deposits. These rsETH tokens lacked real asset backing but were treated as valid collateral within the system.
The attacker then deposited these uncollateralized rsETH into Aave as collateral and borrowed large volumes of real assets (WETH). Given Aave’s parameter settings permitting large-scale collateralization and lending, the attacker rapidly withdrew and transferred funds.
The final outcome: attackers shifted risk onto Aave via “forged collateral → real asset borrowing,” resulting in massive bad debt.
7. Project Name: YieldBlox (Loss: ~$10.2M | Date: February 2026)
Cause of breach: The core issue was oracle price manipulation via single transactions (low liquidity + VWAP mechanism).
Prior to the attack, the USTRY/USDC trading pair had virtually no liquidity—and no legitimate trades occurred within the oracle’s pricing window. YieldBlox’s Reflector oracle used VWAP (volume-weighted average price), meaning a single trade could dictate the price under such conditions.
The attacker first placed an extreme bid (~500 USDC per USTRY), then used another account to execute a tiny-volume trade (~0.05 USTRY), successfully inflating the oracle price to ~$106.
With the price artificially inflated, the attacker’s USTRY holdings were treated as high-value collateral—granting borrowing capacity far exceeding their true worth. The attacker then borrowed the pool’s entire assets (XLM and USDC), completing extraction.
8. Project Name: Step Finance (Loss: ~$30M–$40M | Date: January 2026)
Cause of breach: The core issue was compromise of core team members’ devices—resulting in private key exposure or compromised signing workflows.
Attackers breached senior team members’ devices, gaining access to project-controlled wallets. This access may have involved direct private key theft—or malware injection disrupting signing processes, causing administrators to unknowingly approve malicious transactions.
Once in control, attackers operated across multiple Solana wallets under project control—including unstaking assets and withdrawing funds. No smart contract vulnerabilities were involved—only direct misuse of already-acquired wallet privileges.
Ultimately, large-scale fund withdrawals caused ~$30 million in losses and triggered sharp token price declines.
9. Project Name: Truebit (Loss: ~$26M | Date: January 2026)
Cause of breach: The core issue was an integer overflow vulnerability in the TRU purchase pricing function.
During buyTRU() price calculations involving large-number multiplication and addition, the contract compiled with Solidity 0.6.10—which lacks default overflow protection.
When attackers supplied a specific large parameter, intermediate computations overflowed and wrapped around—drastically reducing the final computed purchase price—even to zero.
Under these conditions, attackers could acquire large quantities of TRU at extremely low—or even zero—cost.
Meanwhile, the sellTRU() logic remained unaffected, allowing proportional redemption against ETH reserves in the contract.
Attackers then repeated the cycle:
👉 Buy TRU cheaply/for free → Sell TRU at fair price → Withdraw ETH
Through multiple iterations, they persistently drained funds from the protocol—ultimately causing ~$26 million in losses.
10. Project Name: Makina (Loss: ~$4.1M | Date: January 2026)
Cause of breach: The core issue was reliance on external Curve pool data for AUM/sharePrice calculations—with no validation—and susceptibility to flash loan manipulation.
Attackers used flash loans to borrow large sums, temporarily inject liquidity into multiple Curve pools, and execute trades—artificially altering pool states and related calculations (e.g., LP value, withdrawal outputs).
These manipulated values were fed directly into the protocol’s AUM (assets under management) calculations—and subsequently influenced sharePrice.
Without effective validation or time-weighted averaging of external data, the system accepted these anomalies as truth—leading to:
- Massively inflated AUM
- Abnormally amplified sharePrice
Once sharePrice was inflated, attackers arbitragued the price differential—swapping assets out of the DUSD/USDC pool to realize profit.
III. Common Patterns & Insights Across All 20 Incidents
Across these 20 breaches, a clear trend emerges: hackers steal massive sums via only two fundamental pathways—technical vulnerabilities and social engineering.
1️⃣ Technical Vulnerabilities: Examining their chronological distribution reveals a clear migration path.
Early technical vulnerabilities clustered heavily around cross-chain bridges—the fastest-expanding, newest-code, and least-audited DeFi infrastructure at the time. Bridges carried massive assets but hadn’t yet undergone sufficient adversarial testing.
Later, the industry began prioritizing bridge security, strengthening verification mechanisms—making large-scale bridge vulnerabilities markedly rarer. Yet vulnerabilities didn’t vanish—they simply relocated—to internal DeFi protocol logic (mathematical errors), oracle designs, and dependencies on third-party libraries.
- Cetus: Incorrect boundary conditions in a math library,
- Truebit: Integer overflows in outdated compiler versions,
- YieldBlox: Over-reliance on oracles in low-liquidity markets.
The underlying reality is singular: attack surfaces always follow assets, code novelty, and audit blind spots. When one infrastructure type suffers concentrated attacks—and the industry responds with heightened scrutiny and stronger defenses—attackers migrate to the next fastest-growing, most vulnerable frontier.
2️⃣ Social Engineering: Of these 20 breaches, four have been confirmed or highly attributed to North Korean state-sponsored hackers—Ronin, WazirX, Bybit, and Drift—cumulatively causing over $2.5 billion in losses.
According to Chainalysis, North Korean-linked hackers stole over $2 billion in crypto assets in 2025 alone—nearly 60% of global crypto theft that year. Compared to 2024, their attack frequency dropped by 74%, but average loss per incident surged dramatically.
North Korean tactics continue evolving—from Ronin-era direct internal system intrusion, to Bybit’s supply-chain attack, to Drift’s six-month offline infiltration—each time finding novel ways beyond existing defenses.
Even more concerning: North Korean hackers are embedding deep-cover operatives disguised as developers across the global crypto industry. Once hired into target firms, these agents map internal system architectures, obtain codebase access, and quietly implant backdoors into production code.
The scope of impact is widening: Early breaches affected only the compromised protocol itself—but as DeFi composability deepens, single-point failures now propagate outward.
- Drift: After its breach, at least 20 protocols dependent on its liquidity or strategies experienced disruptions, suspensions, or direct losses—Carrot Protocol saw 50% of its TVL impacted.
- Aave: Aave’s contracts were completely uncompromised—yet merely accepting Kelp DAO’s rsETH as collateral meant external bridge validation failure directly translated into Aave’s bad debt risk.
These patterns point to one stark reality: Depositing assets into a protocol means trusting not just its code—but every external asset it relies upon, every third-party service it integrates, and every individual entrusted with governance authority—their judgment and operational security.
Lately, breach headlines keep coming—one after another. Polymarket recently launched a market asking “Will any crypto project suffer a >$100M hack this year?”—and it settled before the month ended. This isn’t coincidence: DeFi’s asset scale is growing, inter-protocol dependencies are deepening—but defensive capabilities haven’t kept pace.
Security pressure hasn’t eased—yet threat dimensions are expanding. In April 2026, Anthropic’s Claude Mythos Preview discovered thousands of critical vulnerabilities across mainstream operating systems and browsers—and converted 72% of known vulnerabilities into actionable exploit paths.
Once applied systematically to scan smart contracts, this capability implies DeFi vulnerabilities will be discovered—and exploited—at unprecedented speed. Meanwhile, projects can proactively use such tools for self-audits—identifying and patching risks before adversaries do—enhancing their overall security posture.
⏰ For ordinary users, these cases offer several direct takeaways:
- Don’t concentrate assets in a single protocol. While diversification won’t eliminate risk entirely, it caps potential losses per incident.
- Maintain distance from new protocols. Most technical vulnerabilities surface early in a protocol’s lifecycle. A protocol running for two years—having survived multiple audits and real-world stress tests—is far safer than one offering sky-high yields immediately upon launch.
- Evaluate whether the protocol is genuinely profitable. Profitable protocols possess actual resources to compensate users if losses occur. Protocols sustained solely by token incentives—and lacking real revenue—typically respond to incidents with new token emissions or vague promises.
A truly mature financial infrastructure never places security behind growth metrics. Until that day arrives, breach headlines won’t stop.
Risk Disclaimer: All content herein is for informational purposes only and does not constitute investment advice. Cryptocurrency markets are highly volatile, and smart contracts carry inherent risks. Please conduct your own independent risk assessment before making decisions.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News
@BiteyeCN
