theft

Web3 security company CertiK has released the "Skynet North Korea Cyber Threat Report." The data shows that since 2016, North Korean hacker groups have plundered approximately $6.75 billion in digital assets. In 2025 alone, the losses from thefts they orchestrated reached as high as $2.06 billion, accounting for nearly 60% of the total losses in the global cryptocurrency industry for the entire year (including the $1.5 billion Bybit theft case). As of early 2026, this threat trend continues, with losses accounting for about 55%.The report emphasizes that the attack patterns of North Korean hackers have undergone a fundamental shift, evolving from simple code vulnerability exploitation to a national-level attack system that combines social engineering, deep supply chain attacks, and "physical infiltration." In the recent Drift protocol incident, attackers even spent six months lurking at offline industry conferences, establishing trust through real funds and interpersonal interactions before executing their attack.CertiK security experts warn that in the face of such systemic attacks, simple technical defenses have become weak. Cryptocurrency institutions urgently need to fully implement a "zero trust" hiring model, strengthen third-party supply chains, establish fund circuit breaker mechanisms, and collaborate with professional security organizations to build a comprehensive lifecycle defense system covering code audits, round-the-clock risk monitoring, and on-chain anti-money laundering/KYT (Know Your Transaction) fund tracking.

On-chain detective ZachXBT exposed American threat actor Dritan Kapllani Jr, claiming he is suspected of participating in a social engineering theft targeting crypto users, totaling approximately $19 million. ZachXBT stated that Dritan has long flaunted luxury cars, high-end watches, private jets, and nightlife on social media. On April 23, 2026, during a "Band 4 Band (B4B)" voice chat on Discord, he publicly displayed an Exodus wallet containing $3.68 million in assets to prove he was wealthier than another hacker.The relevant ETH address is: 0x4487db847db2fc99372a985743a26f46e0b2bba6. ZachXBT tracked and found that this address is linked to a social engineering theft case involving 185 BTC (approximately $13 million) on March 14, 2026. The next day, Dritan's Exodus wallet received about $5.3 million of those funds. By the time of the B4B call six weeks later, about $1.6 million had been spent or laundered.On May 11, the U.S. Justice Department unsealed a criminal indictment against Trenton Johnson, who is accused of participating in the aforementioned 185 BTC theft case and could face up to 40 years in prison. "Coconspirator 1" in the indictment is alleged to be Dritan, who has not yet been formally charged. ZachXBT also pointed out that Dritan is connected to hacker John Daghita (Lick), who was previously arrested for stealing $46 million from the U.S. government, and John had exposed Dritan's old wallet address on Telegram.On-chain analysis shows that this address is related to multiple high-confidence social engineering theft cases in 2025, with a total amount involved exceeding $5.85 million. ZachXBT stated that Dritan has been active in "The Com" hacker circle for a long time and had previously not faced formal charges due to his minor status. He is now over 18 years old, and "the borrowed time may finally be over."

According to Cointelegraph, Coinbase has been sued in a federal court in California, with the case involving frozen funds related to a $55 million DAI phishing theft.The plaintiffs claim that a portion of the traceable stolen funds flowed into Coinbase retail user accounts after being mixed through Tornado Cash and are currently still frozen; Coinbase stated that the assets can only be released after a court ruling on ownership.The lawsuit also states that the theft is related to the malicious wallet theft platform Inferno Drainer, and the victims had commissioned Zero Shadow and Five Stones Intelligence to track the flow of funds.

According to The Block, North Korea has denied allegations of its involvement in cryptocurrency theft, calling the claims "absurd defamation" and a "political tool." The statement was released by state media, emphasizing that necessary measures will be taken to safeguard national interests.However, data from blockchain analysis firm TRM Labs shows that hacker groups associated with North Korea have stolen approximately $577 million, accounting for about 76% of global cryptocurrency theft losses during the same period. This includes two major attack incidents on KelpDAO (approximately $292 million) and Drift Protocol (approximately $285 million).TRM pointed out that the related attacks are mainly associated with the Lazarus Group and its sub-organizations. Since 2017, the cumulative scale of cryptocurrency theft linked to North Korea has exceeded $6 billion. U.S. and international agencies generally believe that such funds are used to support military and missile programs. Meanwhile, the U.S. Treasury has recently imposed sanctions on related individuals and entities, involving approximately $800 million in illegal fund flows for 2024.

Police officer Guo Tingyu from the Cybersecurity Division of the Qingshan Branch of the Wuhan Public Security Bureau participated in the investigation of Hubei's first virtual currency theft case. By tracking the flow of funds and analyzing the code of fake wallets, he identified and dismantled a cryptocurrency theft gang involved in over 100 million yuan in illicit funds, with all five suspects arrested.The gang induced users to download a counterfeit virtual currency wallet app to steal coins, with a total download count of over ten thousand. Guo Tingyu also participated in the investigation of multiple virtual currency-related criminal cases.

According to the U.S. Department of Justice, 22-year-old Evan Tangeman from Newport Beach, California, was sentenced to 70 months in prison and 3 years of supervised release by a federal court in Washington, D.C. for his involvement in an interstate social engineering crime group that assisted in laundering at least $3.5 million.The crime group has been operating since October 2023, stealing over $263 million in cryptocurrency through hacking, social engineering, and other means. Most members are unemployed youths, either minors or under 20 years old, originating from online gaming platforms. Tangeman was responsible for converting the stolen cryptocurrency into fiat currency and leasing luxury homes for group members in places like Los Angeles and Miami, and he also received luxury cars such as Bentleys and Lamborghinis as payment. After the incident, Tangeman instructed his accomplices to destroy digital devices to eliminate evidence. The case is being jointly investigated by the FBI's Washington, Los Angeles, and Miami field offices along with the IRS Criminal Investigation Division, and so far, 9 individuals involved have pleaded guilty.

Kelp DAO officially stated in a post on X regarding the theft incident that the cause of the theft was the compromise of two RPC nodes hosted by LayerZero, while a third RPC node suffered a DDoS attack. This was an attack targeting LayerZero's infrastructure, and Kelp's own system was not involved in the construction or operation of that infrastructure.The 1/1 DVN configuration is the scheme recorded in LayerZero's documentation and is the default setting for all new OFT deployments. Kelp has been operating on LayerZero's infrastructure since January 2024 and has maintained open communication with the LayerZero team. During Kelp's expansion to Layer2, the DVN configuration issue was discussed, and at that time, the default configuration was explicitly confirmed to be appropriate. Kelp's current top priority is to safeguard user interests and prevent risks from spreading within the DeFi ecosystem. The team is collaborating with various parties within the ecosystem to analyze the impact, seek support, and explore all possible mitigation solutions.

LayerZero Labs released an incident report stating that KelpDAO suffered an attack resulting in a loss of approximately $290 million. Preliminary assessments indicate that the attacker is the Lazarus Group, which has ties to North Korea (more specifically, TraderTraitor). The attack was executed by poisoning the downstream RPC infrastructure relied upon by its decentralized verification network (DVN). The attacker controlled some RPC nodes and, in conjunction with a DDoS attack, induced the system to switch to malicious nodes, thereby forging cross-chain transactions.All affected RPC nodes have been taken offline and replaced, and the DVN has now resumed operation. LayerZero emphasized that this incident was limited to the rsETH application configuration of KelpDAO and did not affect other assets or applications. The reason is that KelpDAO was using a single DVN (1/1) architecture at the time and did not utilize the multi-DVN redundancy mechanism that is officially recommended for long-term use, resulting in a lack of independent verification nodes to identify forged messages.LayerZero pointed out that there were no vulnerabilities in its protocol itself, and applications with multi-DVN configurations were not affected, meaning there is no contagious risk in the system. LayerZero stated that it will urge all projects using single DVN configurations to migrate to multi-DVN architectures as soon as possible and has suspended providing signature and verification services for 1/1 configuration applications. Meanwhile, the company is cooperating with global law enforcement agencies to investigate and assist industry partners in tracking the stolen funds. LayerZero noted that this incident highlights the value of modular security architecture and also reminds the industry to pay attention to the potential security risks of RPC verification links.

Yili Hua posted on platform X stating that it is important to preserve capital during a bear market. Incidents of theft on the blockchain are frequent, and in pursuit of a few percentage points of profit, the result can be the loss of the entire principal, just like many investment mistakes made in the past. There is always risk in investing, even if the money is held in an exchange or in financial management and mining.Our number one principle now is to always have profit-taking and stop-loss strategies. You must always consider how to respond in the worst-case scenario. Otherwise, the most regrettable situation is when a bull market arrives, and the principal is gone. Investing should be optimistic, but risk control must be rigorous.

According to on-chain analyst ZachXBT, a counterfeit Ledger Live application was launched on the Apple App Store, resulting in over 50 users' assets being stolen, with total losses amounting to approximately $9.5 million, involving various assets such as Bitcoin, EVM chain assets, TRON, Solana, and XRP.The stolen funds were subsequently transferred through more than 150 KuCoin deposit addresses and laundered using a centralized mixing service called AudiA6. Data shows that the largest single loss reached $3.23 million. The application has recently been removed by Apple.

According to CoinDesk, researchers from the University of California, Santa Barbara, the University of California, San Diego, blockchain security company Fuzzland, and World Liberty Financial have jointly published a paper warning that "LLM routers"—intermediary services located between users and AI models—have become a significant security risk for crypto assets.The researchers found that 26 LLM routers are secretly injecting malicious tool calls and stealing user credentials, with one incident leading to the emptying of a customer's crypto wallet worth $500,000.Additionally, the researchers were able to control about 400 downstream hosts within hours by "polluting" the router ecosystem. Since sensitive data such as private keys and API credentials are often transmitted in plaintext through these routers, users are effectively exposing their assets to risk without their knowledge.The researchers pointed out that as McKinsey predicts AI agents will mediate $30 trillion to $50 trillion in global consumer spending by 2030, Binance founder Changpeng Zhao also predicts that the payment volume of AI agents will be a million times that of humans. The current infrastructure security is severely lagging behind the pace of industry development, and the risk of the "weakest link" could trigger a systemic chain crisis.

According to market news, researchers from the University of California recently disclosed that some third-party AI large language model (LLM) routers have security risks that could lead to the theft of cryptocurrency assets. The research shows that LLM routers, acting as API intermediaries, can read plaintext information, and some routers have been found to inject malicious code and steal credentials.The team tested 28 paid and 400 free routers, finding that 9 routers actively injected malicious code, 2 deployed evasion triggers, and 17 accessed Amazon Web Services credentials. Some routers even transferred ETH using the researchers' Ethereum private keys.The study pointed out that the malicious behavior of the routers is difficult to detect, and some AI agent frameworks' "YOLO mode" can automatically execute commands, increasing security risks. The research recommends that developers should not allow private keys or mnemonic phrases to be transmitted through AI agents and calls on AI companies to encrypt signatures in responses to enhance security.

As the infiltration and attacks targeting the cryptocurrency industry continue to escalate, security experts point out that the core difference from hackers with backgrounds in other countries is that cryptocurrency assets have become an important direct source of financing for military expenses in that country. Reports indicate that during a recent months-long infiltration operation against Drift Protocol, North Korean hackers once again caused a stir in the industry.Experts state that this model is not merely a "fund transfer tool," but rather a direct "predatory profit" mechanism used to bypass international sanctions and obtain immediately usable hard currency. Security researchers note that, unlike countries such as Russia and Iran, North Korea almost entirely lacks sustainable foreign economic and commodity export capabilities, making it more reliant on cryptocurrency theft as a core source of income to support its nuclear weapons and ballistic missile programs.Experts also emphasize that North Korean hacker attack targets have expanded from simple phishing to exchanges, wallet services, and key holders of DeFi protocols, commonly employing long-term social engineering and identity disguise infiltration methods. Due to the characteristic of blockchain transactions being "irreversible once confirmed," the cryptocurrency industry is far weaker than the traditional financial system in terms of freezing and recovering funds, making such attacks more destructive in speed and scale. Security personnel warn that this type of "long-term infiltration + precise power seizure" attack model has yet to be effectively addressed by the industry.

X product head and Solana advisor Nikita Bier stated that during this round of creator revenue sharing, the revenue share for all aggregated accounts has been reduced to 60%. In the next cycle, it will be further reduced by 20%. Nikita Bier pointed out that the large amount of plagiarized reposts and clickbait content published daily on the timeline not only squeezes the living space of real creators but also hinders the growth of new authors. The next step will be to permanently deduct earnings from users who habitually post clickbait content and use the "BREAKING" label in every post. X will not restrict speech or the scope of dissemination but will not provide revenue compensation for manipulating distribution mechanisms or misleading user behavior.

Circle Chief Strategy Officer Dante Disparte published a response regarding the over $270 million theft incident involving Drift Protocol. Disparte stated that Circle only freezes USDC when legally mandated to do so, and this is not a unilateral decision, nor is it a backdoor or algorithmic monitoring. This reflects the rule of law in internet-native financial activities.He pointed out that the core issue facing open systems is that the legal framework's response speed lags behind technological development. Protocols, wallets, exchanges, and stablecoin issuers should regard security and accountability as a shared obligation, and DeFi protocols can develop on-chain technical protection measures by referencing the circuit breaker mechanisms of traditional markets.He also called for the legislative processes of the U.S. GENIUS Act and CLARITY Act to incorporate due process, property rights, and financial privacy protection standards into law before the next major security incident occurs.

The American law firm Gibbs Mura has officially announced a collective lawsuit investigation regarding the Drift Protocol theft incident, involving a fund scale of approximately $280 million to $285 million. It is reported that over $230 million USDC was transferred to Ethereum via Circle's Cross-Chain Transfer Protocol (CCTP).Gibbs Mura believes that although Circle has the technical capability to freeze funds, it did not take freezing action during this attack. The law firm is currently assessing whether investors can file claims against Circle for "failure to intervene in a timely manner," "insufficient monitoring," and "failure to fulfill stablecoin responsibilities," and is calling on affected users to participate in the lawsuit to advance fund recovery.

The People's Court of Honggang District, Daqing City, Heilongjiang Province recently announced a first-instance judgment. Two men were sentenced for stealing electricity from high-voltage lines in an oil field to mine Bitcoin. The main offender, Zhang, was sentenced to 10 years in prison and fined 50,000 yuan, while the accomplice, Zhao, was sentenced to 4 years and 10 months in prison and fined 20,000 yuan.According to the judgment, Zhang illegally connected to the high-voltage line of an oil field from a certain oil extraction plant in Daqing and set up 24 Bitcoin mining machines in an abandoned pigsty he rented. In December of the same year, Zhao joined in knowing that Zhang was stealing electricity and purchased an additional 12 mining machines, bringing the total to 36 machines running. In August 2025, the two were arrested by the public security authorities. It was calculated that Zhang stole 565,375.2 kilowatt-hours of electricity, valued at 438,580.52 yuan; Zhao stole 468,060 kilowatt-hours, valued at 363,750.78 yuan. The court found both men guilty of theft, with Zhang being the principal offender and Zhao the accomplice. The court also ordered Zhang to compensate 438,580.52 yuan, while Zhao was jointly liable for 363,750.78 yuan of that amount. The mining machines and related equipment involved in the case will be handled by the public security authorities in accordance with the law.

In the DeFi protocol Drift theft incident, the loss of JLP positions is approximately $155.6 million. In response, Jupiter officials stated that the platform was not affected by this incident, its lending product Jupiter Lend was not involved in the Drift market, and that JLP assets are "fully backed by underlying assets."Jupiter also stated that this incident is a "difficult day" for the Solana DeFi ecosystem and expressed concern for the Drift team and affected users.According to previous news from ChainCatcher, the Solana ecosystem Drift Protocol was attacked, resulting in losses of at least $200 million.

Distributed Capital partner Shen Bo posted on X detailing the complete list and addresses of his stolen assets in 2022. He revealed that the theft occurred on November 10, 2022, Eastern Time, between 00:46 and 01:02. The Trust Wallet hot wallet installed on his iPhone 12 Pro Max was stolen, with assets valued at approximately 42 million dollars.The address details are: ETH: 0x6be85603322df6DC66163eF5f82A9c6ffBC5e894 BTC: 1ECNeZyiHgqJmv42i3pkWY48xiXy7KukTG / bc1qg3mnvn8saea50js7nzkhm8k054mpwqmcuq3de5 TRON: TJLBmmUb5TcFFXTLzuuaKU96uTg5Sjn1yD26. On that day, Shen Bo set a bounty to recover approximately 42 million dollars worth of cryptocurrency stolen three years ago.