Thief pilfers NFTs priced at $230,000 from Gondi

A thief exploited a smart contract belonging to the Gondi NFT platform to steal 78 NFTs priced at $230,000. Perhaps the most shocking part of the theft is that the attacker managed to find NFTs still holding any value at all. Around half of the stolen NFTs were taken from a single wallet.

According to Gondi, the exploiter took advantage of functionality that allowed users to sell their NFTs to automatically repay loans.

Gondi has said it has reimbursed customers by buying them "comparable items" from the same collections as their stolen NFTs, although it seems questionable that this will satisfy customers who purchased products whose whole selling point is that they aren't interchangeable.

Solv Protocol exploited for $2.7 million

The Solv Protocol bitcoin defi lending and staking platform disclosed an exploit that they said affected fewer than ten users, but nevertheless netted the attacker 38 SolvBTC (a wrapped bitcoin token priced at $2.7 million). Although Solv has not disclosed specifics of the attack, some researchers have suggested it was a bug in the protocol's burn and mint functionality.

Crypto stolen from Korean authorities after they post wallet seed phrase

[Image: A press release photo of Ledger hardware wallets, arranged next to cards displaying their seed phrases. Press photo from Korean authorities (attribution)]
When Korean authorities posted a photograph of seized cash and other items from a police raid, they included photos of cards containing crypto wallet seed phrases, which were proudly arranged on the table next to Ledger hardware wallets for the photo op. Because it only takes a seed phrase to gain control of a crypto wallet, someone who saw the press release quickly acted to move around 4 million PRTG tokens from the wallet. The tokens are notionally worth $4.9 million, although the token is not highly liquid.

The blunder was likely due to the authorities' lack of knowledge about cryptocurrency. The move was somewhat akin to authorities publicly posting a username and password for a criminal's bank account — though that would likely be an easier mistake to unwind.

YieldBlox lending pool drained of $10.2 million

A lending pool operated by YieldBlox on the Stellar blockchain was emptied of around $10.2 million in an oracle manipulation attack on the Reflector oracle supplying prices for the USTRY/USDC market. Reflector has said that there was no flaw with their oracle, and that market illiquidity caused the problem. "Reflector quoted correct prices. ... but it's impossible to quote adequate prices for a market fully handled by a single market-maker with almost zero trading activity."

The attacker was able to manipulate the oracle price to show that USTRY was priced at $100 (rather than its actual trading price of around $1.05). Then, they borrowed against the overvalued asset, withdrawing XLM and USDC priced at $10.2 million. However, around 48 million of the stolen XLM (~$7.2 million) were frozen.
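The arithmetic of the mispricing, and the kind of check a lending pool can apply before trusting a quote, as an added example (not from the original post, and not YieldBlox's or Reflector's code). The token amount, volume figures and thresholds are constructed for illustration; only the $1.05 and $100 prices come from the entry above.

```python
"""Added example: collateral valuation with a price-deviation and liquidity
guard. Under the manipulated $100 quote the same deposit is valued ~95x higher
than at ~$1.05, so a pool that trusts the oracle blindly lends against value
that does not exist. Comparing the quote against a slow-moving reference
(e.g. a time-weighted average) and requiring minimum venue liquidity rejects
the quote instead. All figures except the two prices are constructed."""
from dataclasses import dataclass


@dataclass
class OracleQuote:
    asset: str
    price_usd: float
    reference_usd: float     # slow-moving reference price (constructed)
    daily_volume_usd: float  # venue liquidity reported alongside the quote


MAX_DEVIATION = 0.10        # reject quotes >10% away from the reference
MIN_DAILY_VOLUME = 50_000.0  # reject markets with near-zero trading
LTV = 0.75                  # loan-to-value ratio the pool allows


def quote_is_acceptable(q: OracleQuote) -> bool:
    """Return False when the quote looks implausible or manipulable."""
    if q.reference_usd <= 0 or q.price_usd <= 0:
        return False
    deviation = abs(q.price_usd - q.reference_usd) / q.reference_usd
    return deviation <= MAX_DEVIATION and q.daily_volume_usd >= MIN_DAILY_VOLUME


def unguarded_borrow_usd(collateral_units: float, q: OracleQuote) -> float:
    """What a pool that trusts the oracle blindly would lend."""
    return collateral_units * q.price_usd * LTV


def max_borrow_usd(collateral_units: float, q: OracleQuote) -> float:
    """Borrow capacity after the guard; 0.0 when the quote is rejected."""
    if not quote_is_acceptable(q):
        return 0.0
    return unguarded_borrow_usd(collateral_units, q)


# Constructed scenario: 100,000 units of a thinly traded token.
honest = OracleQuote("USTRY", 1.05, 1.05, 120_000.0)
manipulated = OracleQuote("USTRY", 100.0, 1.05, 900.0)

if __name__ == "__main__":
    print("blind pool lends:", unguarded_borrow_usd(100_000, manipulated))
    print("guarded pool lends:", max_borrow_usd(100_000, manipulated))
```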

IoTeX bridge exploited for $2 million after private key compromise

IoTeX, a platform to connect IoT devices to blockchain networks, lost around $2 million after a private key compromise enabled an attacker to drain funds from the project's token safe. Initial loss estimates were as high as $8.8 million, although IoTeX CEO Raullen Chai stated that the actual loss was closer to $2 million.

Blockchain security researcher Specter has suggested there may be links between this attack and a $50 million theft from the Infini "stablecoin neobank" a year ago.

Goliath Ventures CEO charged with running $328 million Ponzi scheme

Federal authorities arrested Christopher Alexander Delgado, the CEO of Goliath Ventures (previously Gen-Z Ventures). According to the charging documents, what Delgado presented to prospective investors as a way to earn returns via crypto liquidity pools was actually a Ponzi scheme, where investors' money was just being used to pay off earlier investors. With the profits from his venture, Delgado allegedly threw lavish parties and purchased multiple multi-million dollar properties.

South Korean prosecutors lose $22 million of seized crypto to the wallet inspector, later recover it

[Image: Still frame from The Simpsons episode "Homer Goes to College", where they encounter the "wallet inspector". "The wallet inspector" from The Simpsons (attribution)]
Staff members working for South Korean prosecutors, for some reason, decided to use a "wallet checking tool" during an August 2025 audit of seized crypto assets. The tool they selected turned out to be a phishing tool, and five wallets were drained of 320 BTC.

On February 19, the office announced they had recovered the stolen assets and identified the thief.

CrossCurve users exploited for around $3 million

Hackers exploited a bug in smart contracts deployed by the defi protocol CrossCurve to steal an estimated $3 million across multiple blockchains. The thief was able to spoof cross-chain messages, causing the CrossCurve bridge to release assets not belonging to them.

CrossCurve took a conciliatory tone in on-chain messages sent to the thief, writing, "These tokens were wrongfully taken from users due to a smart contract exploit. We do not believe this was intentional on your part, and there is no indication of malicious intent." (Who among us hasn't accidentally stolen millions of dollars?) However, they warned that they would escalate the matter to law enforcement and blockchain security firms to investigate and prosecute the theft if the funds were not returned within 72 hours.

$29 million stolen from Step Finance treasury wallets

The Solana-based defi portfolio tracker Step Finance lost 261,854 SOL (~$28.7 million) when a thief gained access to treasury and fee wallets. It's not yet clear how the attacker was able to steal the funds, although Step Finance posted to Twitter that the theft occurred via a "well known attack vector". Step wrote that they were working with cybersecurity firms and law enforcement to address the incident.

Aperture Finance users lose at least $3.4 million

An attacker exploited a bug in an Aperture Finance smart contract to steal at least $3.4 million from users who had enabled "instant liquidity management" features. Aperture Finance is a defi platform that aims to allow users to trade by telling large language models their "intents".

Aperture has said they disabled portions of their web app impacted by the bug, and are working to try to trace and recover stolen funds.
