Hacked, Explained

When a crypto protocol, exchange, or smart contract is "hacked," funds are stolen or manipulated through technical exploits, social engineering, or infrastructure compromise — events that have collectively drained billions of dollars from the industry and remain its most persistent reputational liability.


What "Hacked" Actually Means in Crypto

The word gets applied loosely. In practice, crypto hacks fall into distinct categories with different threat surfaces:

Smart contract exploits target flaws in on-chain code — reentrancy bugs, price oracle manipulation, flash loan attacks, or logic errors in bridge contracts. These are the most common DeFi attack vector and often the most dramatic in scale.

Infrastructure and key compromise targets the systems around a protocol: hot wallets, DNS records, admin keys, or cloud infrastructure. When Bonk.fun's domain was hijacked and a crypto drainer was planted on the compromised site, the protocol's on-chain code was untouched — the attack surface was the domain registrar and web frontend.

Social account and platform hijacks are increasingly common as a secondary attack surface. Pump.fun's Instagram account was compromised, and Binance co-CEO Yi He's WeChat was taken over to push a meme coin called MUBARA. These attacks exploit trust — users who see a familiar name may act before verifying.

Exchange-level breaches target custodial systems holding user funds. Russia's Grinex exchange was hacked for $13 million, with the exchange alleging involvement of "Western special services" — a claim that illustrates how geopolitics now intersect with crypto infrastructure security.

Understanding the category matters for assessing severity, recoverability, and responsibility.


JLJohn
Apr 19, 2026

Pump.fun Instagram account hacked, platforms are safe as funds remain untouched

cryptotimes.io Apr 19, 2026
Top Comment
Benthic
Apr 19, 2026

Second time Pump.fun's own social got popped in 14 months — the Feb 2025 X hack extracted ~$600k pushing fake $PUMP governance, and every subsequent celebrity IG hijack (Adele, Pudgy Penguins' CEO shilling $IGLOO) used Pump.fun as the payload venue. With 98.6% of tokens already rug-pulling per Solidus Labs and daily revenue down 85% from the $14M peak, verified account takeovers extend the rug-shilling pipeline one more hop. Attack surface keeps growing right as they pivot multi-chain beyond Solana.

◧ What our coverage reveals · Leviathan signal

Readers click hack stories not for the vulnerability details but for the real-time 'is my money safe?' signal — the most-clicked headlines are overwhelmingly breaking alerts with on-chain evidence or exchange loss figures, revealing that trust collapse and immediate financial exposure outweigh technical post-mortems.

9,807 reader clicks across 110 stories · 29% on the top 10% · most-read: 376 clicks

The Scale of the Problem

The frequency and size of crypto hacks have not meaningfully declined despite years of auditing culture, bug bounties, and formal verification tooling. Immunefi's research found that hacked crypto tokens drop an average of 61% in value and rarely recover, a finding that underscores how much of the damage is reputational rather than purely financial.

Recent weeks have illustrated the cluster effect. In just four days in mid-May:

  • A protocol was exploited for over $10 million on May 15
  • The Verus-Ethereum Bridge was hacked on May 18, losing approximately $11.5 million
  • A separate exploit saw an attacker mint 1,000 $eBTC tokens (valued at roughly $76.64 million) and use them to steal 385 ETH

That kind of tempo — multiple major incidents inside a single week — reflects not a new attack vector but a sustained baseline risk that the industry has not resolved. The 1inch ecosystem saw its TrustedVolumes solver hacked for a combined loss exceeding 1,291 ETH, 1.26 million USDC, 206,000 USDT, and 16.94 WBTC. These are not rounding errors; they represent real user losses across real asset classes.

Bitcoin's base layer has never been successfully hacked at the protocol level, and ETH's mainnet has not been exploited at the consensus layer either. The overwhelming majority of hacks occur at the application layer: bridges, DeFi protocols, centralized exchanges, and the surrounding web infrastructure.


Why DeFi Keeps Getting Exploited

Several structural factors make DeFi persistently vulnerable:

Code is law — and code has bugs. Smart contracts execute exactly as written. An auditor can miss an edge case; a developer can misunderstand a mathematical invariant; a new protocol can interact with an older one in ways nobody anticipated. Once deployed, most contracts are immutable or upgradeable only through governance processes that are themselves attack surfaces.

Bridges are chokepoints. Cross-chain bridges concentrate enormous value and require complex, multi-signature custody or cryptographic proof systems to function. The Verus-Ethereum Bridge hack fits a pattern stretching back to Ronin ($625 million, 2022), Wormhole ($320 million, 2022), and Nomad ($190 million, 2022). Bridges remain among the highest-risk components in crypto infrastructure.

Speed-to-market pressure. Protocols launch under competitive pressure, sometimes before audits complete. Forks of existing code inherit existing bugs. Economic incentives reward shipping fast over shipping safe.

Oracle dependency. Many DeFi protocols rely on price oracles — external data feeds — to value collateral. Manipulating an oracle, often via flash loans, can trick a protocol into accepting worthless or overvalued collateral. This is a category of vulnerability that is well understood and still being exploited.

The blind spots we choose to ignore. As one piece of recent analysis noted, the industry has been aware of these structural weaknesses for years. The problem is not ignorance — it is incentive misalignment. Protocols that move fast and capture market share can afford to compensate victims later; protocols that delay launch for exhaustive security review lose the window.


◧ The angles that pull readers in · 6 threads
  1. Exchange and protocol insolvency risk

    Headlines naming specific dollar losses at centralized exchanges (DMM Bitcoin $305M, WazirX, Poloniex) drew readers who needed to know if funds were guaranteed or frozen.

  2. Social account hijack memecoins

    Hacked celebrity and protocol social accounts (UFC, Kanye, Melania, Pendle, Ethena) being used to pump fake tokens hit a nerve because readers feared being the exit liquidity.

  3. Token minting infinite supply exploits

    Attacks where hackers minted billions of tokens and immediately dumped to near zero (Entangle, Gala) highlighted the catastrophic asymmetry of uncapped token supply vulnerabilities.

  4. Private key and admin compromise

    Delta Prime and similar incidents showed readers that even audited protocols can be drained instantly when a single private key is compromised, making 'admin key' a trust litmus test.

  5. Security researchers crossing lines

    The Certik-Kraken incident — where researchers allegedly refused to return funds and routed through Tornado Cash — exposed the moral ambiguity at the boundary of white-hat and extortion.

  6. Bridge and cross-chain exploit contagion

    Ronin Bridge and HTX/Heco cross-chain bridge hacks reinforced that bridge infrastructure remains the highest-value single point of failure in multi-chain DeFi.

What Happens After a Hack

Recovery trajectories vary enormously. The dominant pattern is poor: Immunefi's data shows most hacked projects never fully recover, because poor incident response and lost user trust prove more damaging than the stolen funds themselves.

The Drift Protocol case offers one template for handling the aftermath. After being hacked, Drift received a $148 million recovery commitment from Tether — structured as $127.5 million in USDT-denominated backing to reimburse customers and fund a relaunch. Critics noted that rival Circle had failed to freeze the hacked funds, while Tether moved quickly. The Tether backing did not come without conditions, however, and the arrangement drew scrutiny over what Tether wanted in return — illustrating how post-hack recovery increasingly involves negotiated deals between protocols and large stablecoin issuers.

The older reference point is Mt. Gox, the Bitcoin exchange that was hacked in 2014 and entered a decade-long creditor repayment saga. Mt. Gox's former CEO has floated the idea of a Bitcoin hard fork to recover the 80,000 BTC that were stolen — a proposal that the broader Bitcoin community has not taken seriously but that illustrates how unresolved the remedies can remain. Meanwhile, analysis of LEO token premiums suggests there may be movement on Bitfinex's hacked BTC, which is tied to roughly 30% of the U.S. Strategic Bitcoin Reserve — a figure that connects historic hacks directly to current geopolitics.

USDC and USDT issuers (Circle and Tether respectively) have become key actors in hack response, given their ability to freeze stolen stablecoins on-chain. The contrast between Circle's inaction and Tether's intervention in the Drift case has sharpened the debate over how stablecoin issuers should exercise that power — and whether their ability to freeze funds represents a security feature or a centralization risk.


The Incident Response Gap

Security researchers increasingly identify the response window — the hours immediately after a hack is detected — as the factor that most determines outcome. Protocols that can pause contracts, freeze liquidity, and communicate clearly to users within the first hour limit secondary damage from panic sells and copycat exploits.

Most protocols are not prepared for this. Security monitoring is often inadequate; on-call engineering teams may not have authority to pause contracts without governance votes; communication defaults to vague tweets that create more confusion than clarity.

White-hat hackers and security firms like Immunefi, BlockSec, and Seal911 have emerged as informal first responders who can sometimes front-run attackers on stolen funds — but this depends on being alerted quickly and having the right on-chain tooling deployed in advance.

The industry's security discourse is also becoming more self-critical. One widely noted recent piece called out Rekt News, historically a respected exploit tracker, for having been replaced by an LLM writing snarky "wow hacked again" articles. The observation captures something real: much of the public conversation about hacks has become normalized to the point of numbness, which is itself a problem for accountability.


◧ Timeline · 8 events
  1. 2023-11 (exploit): HTX and Heco Bridge hacked, deposits suspended
  2. 2024-01 (exploit): SEC X account hacked, fake spot Bitcoin ETF approval posted
  3. 2024-05 (exploit): Gala Games hacked for ~$200M, attacker swaps to ETH on-chain
  4. 2024-06 (exploit): DMM Bitcoin hacked, 4502 BTC (~$305M) stolen
  5. 2024-06 (exploit): Certik researchers allegedly extort Kraken, route funds through Tornado Cash
  6. 2024-07 (exploit): WazirX hacked, Indian exchange loses significant user funds
  7. 2024-09 (exploit): Penpie hacked; Delta Prime admin key compromised, $4.5M drained
  8. 2025-03 (exploit): SIR.trading loses entire TVL in exploit

High-Profile Individual and Infrastructure Hacks

Beyond protocols, individuals with significant crypto holdings are targets. Espresso co-founder Jill Gunter reported her personal wallet was hacked, with funds routed through Railgun — a privacy protocol that attackers have increasingly used for laundering. The Bankr platform temporarily disabled transactions after 14 wallets were hacked.

The McKinsey AI platform breach — where a rogue agent accessed a vast confidential data trove without authentication — is a reminder that crypto-adjacent infrastructure faces the same risks as every other technology sector, and that the convergence of AI agents with financial protocols creates new attack surfaces that are not yet well understood.

Mythos AI has been flagged as posing no direct threat to Bitcoin's blockchain but heightening risks for exchanges through vulnerabilities and social engineering vectors — a distinction between protocol security and ecosystem security that recurs across most threat assessments.


What Good Security Practice Looks Like

Despite the persistent hack rate, the industry has developed a body of knowledge about what works:

Multiple independent audits from firms that specialize in different vulnerability classes (economic attacks vs. code logic vs. access control).

Bug bounty programs with meaningful rewards — protocols that pay six or seven figures for critical vulnerabilities attract serious researchers.

Timelocks and circuit breakers on smart contract upgrades and large withdrawals, giving security teams time to respond before funds move.

Multi-signature key management that prevents single-point-of-failure access to admin functions.

Formal verification for the most critical contract components, particularly those handling collateral math.

Incident response planning before launch, including pre-authorized pause authority and communication templates.

None of these guarantees safety. They reduce the attack surface and improve the odds of early detection.
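
A minimal model of the timelock and circuit-breaker practice listed above, as an added example that is not from the original article or from any named protocol: withdrawals above a size threshold are queued behind a delay, and a rolling-window outflow cap pauses all payouts once tripped. The class, its thresholds and the sample events are assumptions constructed for illustration, and the code is an off-chain Python model rather than contract code.

```python
from collections import deque
from dataclasses import dataclass, field

@dataclass
class WithdrawalGuard:
    """Off-chain model of a vault circuit breaker plus timelock (all limits assumed)."""
    tvl: int                        # funds currently held
    window_s: int = 3600            # rolling window for the outflow cap
    max_outflow_frac: float = 0.10  # trip when >10% of window-start TVL would leave
    large_frac: float = 0.02        # a single withdrawal above 2% of TVL is delayed
    delay_s: int = 86400            # timelock applied to large withdrawals
    paused: bool = False            # set by the breaker; cleared only by a human
    recent: deque = field(default_factory=deque)  # (timestamp, amount) already paid
    queued: list = field(default_factory=list)    # (release_time, user, amount)

    def request(self, now, user, amount):
        if self.paused:
            return "rejected:paused"
        if amount > self.large_frac * self.tvl:
            self.queued.append((now + self.delay_s, user, amount))
            return "queued"
        return self._pay(now, amount)

    def _pay(self, now, amount):
        while self.recent and self.recent[0][0] <= now - self.window_s:
            self.recent.popleft()                   # drop payments outside the window
        outflow = sum(a for _, a in self.recent)
        if outflow + amount > self.max_outflow_frac * (self.tvl + outflow):
            self.paused = True                      # trip: everything stops for review
            return "rejected:breaker_tripped"
        self.recent.append((now, amount))
        self.tvl -= amount
        return "paid"

    def release_due(self, now):  # pay queued items whose timelock expired; cap still applies
        due = [q for q in self.queued if q[0] <= now]
        self.queued = [q for q in self.queued if q[0] > now]
        results = []
        for item in due:
            status = "held:paused" if self.paused else self._pay(now, item[2])
            if status != "paid":
                self.queued.append(item)            # stays queued for the responders
            results.append(status)
        return results

# Constructed sample: normal traffic, one large request, then a drain in small chunks.
SAMPLE = [(0, "alice", 5_000), (600, "bob", 15_000), (900, "mallory", 50_000)] + \
         [(1000 + 10 * i, "mallory", 18_000) for i in range(6)]
def replay(events, tvl=1_000_000):
    guard = WithdrawalGuard(tvl=tvl)
    return [guard.request(t, u, a) for t, u, a in events], guard
```

Replaying the sample shows the two controls working together: the single large request never leaves inside the response window, and splitting a drain into sub-threshold chunks trips the breaker once the rolling outflow reaches the cap.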


◧ Risk matrix · analyst read
  • Smart-contract vulnerability: High

    Arbitrary call vulnerabilities (Odos), reentrancy, and logic flaws continue to drain protocols even post-audit, with losses ranging from $50K to hundreds of millions.

  • Centralization / admin key: High

    Single compromised admin private keys caused total pool drainage at Delta Prime and near-total TVL loss at SIR.trading, with no on-chain recourse once the key is taken.

  • Social engineering and phishing: High

    MonoSwap was exploited via social engineering of developers, and a user lost $2.1M following a phished Renzo Protocol X account, showing off-chain human vectors are as dangerous as code bugs.

  • Bridge and cross-chain: High

    Ronin and HTX/Heco bridge exploits demonstrate that cross-chain trust assumptions create concentrated attack surfaces that single-chain audits cannot fully mitigate.

  • Regulatory: Medium

    The fake SEC spot Bitcoin ETF approval tweet from a hacked account showed regulators and markets that official communication channels themselves are attack surfaces with systemic price-impact potential.

  • Market / token price: High

    Infinite mint exploits like Entangle's 13 billion token dump drove price to near zero instantly, leaving holders with no exit and liquidity providers with worthless collateral.

Outlook

The hack rate in crypto is unlikely to fall sharply in the near term. The combination of high-value targets, open-source codebases, composable protocols that interact in unpredictable ways, and competitive pressure to ship fast creates a structural risk environment that incremental security improvements cannot eliminate.

What may change is the accountability structure. Stablecoin issuers are now expected to freeze stolen funds; protocols that fail to prepare for incidents face harsher market consequences; and regulators in multiple jurisdictions are beginning to treat exchange hacks as compliance failures rather than acts of God. The Drift-Tether recovery deal is a template that will likely be replicated — large liquidity providers stepping in as de facto insurers in exchange for strategic relationships.

For users, the durable lesson is straightforward: code that handles real money in a novel way is a target, and "audited" is not the same as "safe." Diversification, cold storage for significant holdings, and skepticism toward new protocols before they have weathered real adversarial conditions remain the baseline for self-custody security.
