Aztec Connect hacked for a second time in less than a week

Three days after Aztec Labs' deprecated Aztec Connect blockchain bridge was exploited for $2.1 million, the project has been hacked again for the same amount. Aztec Labs confirmed the second exploit, again trying to emphasize that the code was deprecated four years ago.

The hacks are part of a spate of exploits targeting legacy smart contracts belonging to projects including Raydium and DxSale. Although some projects have developed techniques to circumvent the immutable nature of blockchains and allow smart contracts to be upgraded or retired, many legacy contracts cannot be changed or shut down, leaving them vulnerable to attack indefinitely.

Deprecated project Aztec Connect exploited for $2.1 million

Aztec Connect, an abandoned defi privacy bridge from Aztec Labs, was drained of $2.1 million after an attacker exploited a bug in the project's smart contracts. Although the project was deprecated three years ago, funds remained in the legacy system. "Aztec Labs holds no admin keys or control over the system; it cannot be paused or upgraded by us," the project posted on social media.

The theft is only the latest in a string of attacks targeting vulnerable legacy smart contracts, many of which cannot be deleted, paused, or changed due to blockchains' immutable nature. Raydium and DxSale are two other platforms that have recently suffered losses due to old, insecure code.

Raydium users lose $1.34 million after legacy smart contract exploited

An attacker exploited a legacy smart contract that had been used by the Raydium Solana DEX before it was deprecated in 2021. Though the contract was unused, there were still funds in the liquidity pools affected by the vulnerable contract. Using fake LP tokens, the exploiter was able to trick an old smart contract with insufficient validation into allowing them to withdraw assets.

Raydium has said it will compensate users who lost funds in the exploit.

Humanity Protocol loses $36 million to employee laptop compromise

Humanity Protocol, a decentralized identity project that uses palm scans to try to prove that users are human, has suffered a $36 million loss after attackers compromised a laptop belonging to an employee. After the laptop was infected with malware, the malicious code gained root access, then stole seven private keys that were reportedly accidentally stored in a backup. Several of the keys were sufficient to satisfy multisignature requirements, which are intended to prevent private key leaks from allowing attackers to gain control over sensitive infrastructure like bridges. With multisignature wallets, keys are supposed to be stored separately across multiple individuals and devices; however, in this case, attackers only needed to compromise one laptop to gain control over multisig-protected contracts.

With the keys, the attacker stole more than 6 million of Humanity's H token, then used other keys to upgrade a bridge and drain 141 million more tokens. With the bridge access, they also minted 300 million new H tokens. The attacker then quickly swapped the ill-gotten tokens for ETH, causing the H price to plummet by 80–90%.

Humanity Protocol markets itself as a competitor to Sam Altman's World (formerly Worldcoin), a decentralized identity project that aims to use iris scans to prove that users are unique humans. Humanity raised $20 million in 2025 from Pantera Capital and Jump Crypto.

Thief steals remaining 7,200 unsold The Kiss NFTs in digital museum heist

Image: a grid of pixels representing each of the 10,000 NFTs forming Klimt's The Kiss, with about 75% of them (the unsold NFTs) missing. Caption: Missing pixels on the museum's map of The Kiss represent unsold, now stolen, NFTs.
Remember when Austria's otherwise respectable Belvedere Museum sold 10,000 NFTs representing postage-stamp sized sections of Gustav Klimt's The Kiss for like $2,000 a pop? No? Don't worry, I've got you.

Only about a quarter of them ever sold, leaving about 7,200 of them on the digital shelves. That is, until they were stolen (or, as the museum put it, "transferred from the wallet without authorization"). If valued at their sale price the stolen NFTs would be worth €13.32 million (US$15.3 million), though it's hard to argue the thief could've ever sold them for that amount given the museum had failed to do so for several years.

The stolen NFTs were soon made even less appealing to prospective buyers when the museum un-linked the image files from the digital assets, and OpenSea blocked them from trading.

Gravity Bridge drained of $5.4 million

Gravity Bridge, a bridge between the Cosmos and Ethereum blockchains, suffered $5.4 million in losses, likely due to compromised private keys. The developers of the protocol urged validators to halt while the theft was investigated, and the bridge was indeed halted shortly after. Two weeks after the hack, the Gravity Bridge interface remained unavailable.

DxSale exploited for $7.3 million

DxSale, a project that was popular in 2021 for launching new tokens and creating liquidity pools, suffered a $7.3 million exploit after ownership of a locker contract was transferred to a new address. Nine months later, the contract ownership was repeatedly moved between many new wallets — likely in an attempt to cover tracks — before $7.3 million was taken from old liquidity pools. The stolen assets were then swapped to BNB and routed through bridges and mixers to obscure the trail.

SquidRouterModule, unrelated to Squid Router, exploited for $3.2 million

A third-party Gnosis Safe smart contract called SquidRouterModule was exploited for $3.2 million. The contract contained a fixed string that callers could pass to mark a message as a "safe" message; because that string was visible in the public smart contract code, an attacker used it to impersonate Gnosis Safe users and then drain their wallets. Eighty-six wallets had used the module, and they lost a combined $3.2 million.
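To show the class of flaw described above, where an authentication secret lives in public contract code, here is an added Solidity sketch; it is not the SquidRouterModule's code, and the ISafe interface, contract names and the tag string are hypothetical. The weak module accepts anyone who supplies the hard-coded tag, while the hardened one binds access to an operator address that only the Safe itself can set.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal Safe interface (the real one carries more parameters);
// operation is passed as uint8, which is how an enum is ABI-encoded.
interface ISafe {
    function execTransactionFromModule(
        address to, uint256 value, bytes calldata data, uint8 operation
    ) external returns (bool);
}

// WEAK: the "secret" tag is part of the deployed bytecode and verified source,
// so every chain observer can read it and pass the check.
contract WeakModule {
    bytes32 private constant SAFE_TAG = keccak256("trusted-relayer"); // constructed placeholder

    function execute(ISafe safe, address to, uint256 value, bytes calldata data, string calldata tag)
        external
    {
        // Anyone who knows the tag can move funds out of ANY Safe that enabled this module.
        require(keccak256(bytes(tag)) == SAFE_TAG, "bad tag");
        require(safe.execTransactionFromModule(to, value, data, 0), "exec failed");
    }
}

// HARDENED: authorization is per Safe and can only be granted by the Safe itself,
// which means it passed through the Safe's own owner-signature threshold.
contract HardenedModule {
    mapping(address => address) public operatorOf; // Safe => operator allowed to act for it

    event OperatorSet(address indexed safe, address operator);

    // msg.sender is the Safe: a Safe must execute this call from its own context.
    function setOperator(address operator) external {
        operatorOf[msg.sender] = operator;
        emit OperatorSet(msg.sender, operator);
    }

    function execute(ISafe safe, address to, uint256 value, bytes calldata data) external {
        address op = operatorOf[address(safe)];
        // Unset operator (address(0)) and any non-operator caller are rejected.
        require(op != address(0) && msg.sender == op, "not operator");
        require(safe.execTransactionFromModule(to, value, data, 0), "exec failed");
    }
}
```

The lesson for reviewers of Safe modules is that any value compared inside a contract is public; authorization must come from msg.sender, signatures, or state the Safe itself writes.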

The name led to some confusion due to the similarly named Squid Router, which is not related. It's not clear if the users who installed the module were aware that the two projects were separate.

Polymarket loses $700,000 to private key compromise

Crypto sleuth zachxbt identified that "A Polymarket admin address appears to have been compromised on Polygon", writing that $520,000 had been drained as of the time of his post. The theft ultimately amounted to around $700,000, and Polymarket confirmed that a "wallet used for internal top-up operations" had been compromised. They did not provide further details as to how the compromise happened, though the company's VP of Engineering later said that the private key was six years old and that all private keys would be replaced with a managed key going forward.

RetoSwap users lose $2.7 million to Haveno vulnerability

The RetoSwap decentralized exchange for trading the Monero privacycoin was drained after an attacker exploited a vulnerability in the Haveno Monero exchange protocol used by the project. Users lost an estimated $2.7 million when their transactions were routed to the attacker's wallet.

Because Monero is a privacycoin, a type of cryptocurrency that obscures transaction details including sender and receiver wallets, it is not feasible to trace the stolen assets.
