theft

A man in Qingdao, China, was sentenced to 10 years and 9 months for stealing 107 BTC while "helping an acquaintance register a wallet."

Recently, the People's Procuratorate of Licang District, Qingdao City, Shandong Province, China, handled a Bitcoin theft case. The defendant, Zhang, obtained the mnemonic phrase while assisting an acquaintance in registering a virtual currency wallet, and later transferred 107 BTC in multiple transactions, equivalent to over 50 million yuan at current market prices. Zhang argued that his actions were a "protective takeover," but the prosecution found that he transferred the stolen BTC through multiple trading platforms and exchanged it for over 660,000 yuan. The Licang District Court sentenced Zhang to 10 years and 9 months in prison for theft and imposed a fine of 100,000 yuan; the second instance upheld the original judgment.

Reports indicate that the prosecutor handling the case strictly adhered to laws and judicial policies, and after in-depth analysis, concluded that although China's regulatory policies deny the legal currency status of virtual currencies, they do not negate their property attributes, nor do they prohibit citizens from legally holding and circulating them. Bitcoin requires investment in computing power, funds, and other costs to acquire, which gives it economic value; rights holders can achieve exclusive control and management through private keys and mnemonic phrases, aligning with the core characteristics of "property" in criminal law, making it a target for theft. In determining the amount, since virtual currencies have no official pricing, the Licang District Procuratorate discarded market price estimates and used the actual proceeds from the crime of over 660,000 yuan as the amount for theft, ensuring accurate conviction, appropriate sentencing, and unity of guilt and punishment.

DxSale is suspected of "insider theft," with over $7.3 million in LP drained

On-chain security analysis account Eye stated that the BNB Chain project launch platform DxSale is suspected of exploiting a hidden backdoor to siphon off funds from an old liquidity pool locked in 2021, involving over 1,400 LPs and an amount of approximately $7.3 million. The analysis indicates that this attack includes operations such as "silent ownership transfer" and over 80 wallet hops.

After the LP was drained, the attack address received over 1,200 BNB (approximately $763,000), with the funds believed to come directly from multiple stolen LP pools. More concerning is that this address had previously been dormant for a long time but has a direct on-chain association with a wallet marked as related to the DxSale team; this address is also one of the important funding inflow addresses for the DxSale smart contract.

Subsequently, the attack address transferred about 3,400 BNB (approximately $1.2 million) to multiple wallets and completed the fund transfer through several Binance deposit addresses. Eye stated that if the related accusations are true, it implies that the DxSale team may have reserved a backdoor for the platform years ago and ultimately carried out the attack themselves. They also called for Binance to freeze the related funds, believing that these assets essentially belong to the project investors who had previously financed through DxSale. DxSale was one of the most well-known launchpads and LP locking infrastructure on the BNB Chain, with projects like SAFEMOON having used its services.

CertiK Report: North Korean hackers caused approximately 60% of digital asset thefts in 2025, with attack patterns shifting to "offline infiltration."

Web3 security company CertiK has released the "Skynet North Korea Cyber Threat Report." The data shows that since 2016, North Korean hacker groups have plundered approximately $6.75 billion in digital assets. In 2025 alone, the losses from thefts they orchestrated reached as high as $2.06 billion, accounting for nearly 60% of the total losses in the global cryptocurrency industry for the entire year (including the $1.5 billion Bybit theft case). As of early 2026, this threat trend continues, with losses accounting for about 55%.

The report emphasizes that the attack patterns of North Korean hackers have undergone a fundamental shift, evolving from simple code vulnerability exploitation to a national-level attack system that combines social engineering, deep supply chain attacks, and "physical infiltration." In the recent Drift protocol incident, attackers even spent six months lurking at offline industry conferences, establishing trust through real funds and interpersonal interactions before executing their attack.

CertiK security experts warn that in the face of such systemic attacks, simple technical defenses have become weak. Cryptocurrency institutions urgently need to fully implement a "zero trust" hiring model, strengthen third-party supply chains, establish fund circuit breaker mechanisms, and collaborate with professional security organizations to build a comprehensive lifecycle defense system covering code audits, round-the-clock risk monitoring, and on-chain anti-money laundering/KYT (Know Your Transaction) fund tracking.

ZachXBT: 18-year-old hacker Dritan from the United States is suspected of involvement in a $19 million cryptocurrency theft and money laundering scheme

On-chain detective ZachXBT exposed American threat actor Dritan Kapllani Jr, claiming he is suspected of participating in a social engineering theft targeting crypto users, totaling approximately $19 million. ZachXBT stated that Dritan has long flaunted luxury cars, high-end watches, private jets, and nightlife on social media. On April 23, 2026, during a "Band 4 Band (B4B)" voice chat on Discord, he publicly displayed an Exodus wallet containing $3.68 million in assets to prove he was wealthier than another hacker.

The relevant ETH address is: 0x4487db847db2fc99372a985743a26f46e0b2bba6. ZachXBT tracked and found that this address is linked to a social engineering theft case involving 185 BTC (approximately $13 million) on March 14, 2026. The next day, Dritan's Exodus wallet received about $5.3 million of those funds. By the time of the B4B call six weeks later, about $1.6 million had been spent or laundered.

On May 11, the U.S. Justice Department unsealed a criminal indictment against Trenton Johnson, who is accused of participating in the aforementioned 185 BTC theft case and could face up to 40 years in prison. "Coconspirator 1" in the indictment is alleged to be Dritan, who has not yet been formally charged. ZachXBT also pointed out that Dritan is connected to hacker John Daghita (Lick), who was previously arrested for stealing $46 million from the U.S. government, and John had exposed Dritan's old wallet address on Telegram.

On-chain analysis shows that this address is related to multiple high-confidence social engineering theft cases in 2025, with a total amount involved exceeding $5.85 million. ZachXBT stated that Dritan has been active in "The Com" hacker circle for a long time and had previously not faced formal charges due to his minor status. He is now over 18 years old, and "the borrowed time may finally be over."

LayerZero reports the KelpDAO theft incident, confirming that it only affects the rsETH configuration

LayerZero Labs released an incident report stating that KelpDAO suffered an attack resulting in a loss of approximately $290 million. Preliminary assessments indicate that the attacker is the Lazarus Group, which has ties to North Korea (more specifically, TraderTraitor). The attack was executed by poisoning the downstream RPC infrastructure relied upon by its decentralized verification network (DVN). The attacker controlled some RPC nodes and, in conjunction with a DDoS attack, induced the system to switch to malicious nodes, thereby forging cross-chain transactions.

All affected RPC nodes have been taken offline and replaced, and the DVN has now resumed operation. LayerZero emphasized that this incident was limited to the rsETH application configuration of KelpDAO and did not affect other assets or applications. The reason is that KelpDAO was using a single DVN (1/1) architecture at the time and did not utilize the multi-DVN redundancy mechanism that is officially recommended for long-term use, resulting in a lack of independent verification nodes to identify forged messages.

LayerZero pointed out that there were no vulnerabilities in its protocol itself, and applications with multi-DVN configurations were not affected, meaning there is no contagious risk in the system. LayerZero stated that it will urge all projects using single DVN configurations to migrate to multi-DVN architectures as soon as possible and has suspended providing signature and verification services for 1/1 configuration applications. Meanwhile, the company is cooperating with global law enforcement agencies to investigate and assist industry partners in tracking the stolen funds. LayerZero noted that this incident highlights the value of modular security architecture and also reminds the industry to pay attention to the potential security risks of RPC verification links.
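
A simplified model of the failure described above, added here as an illustration and not LayerZero's or KelpDAO's code: a DVN that fails over to a poisoned RPC node attests a forged message, which a 1/1 configuration accepts and a 2-of-2 configuration with an independent DVN rejects. The class names, RPC names, nonces and hash strings are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class Rpc:
    name: str
    view: dict        # nonce -> payload hash this node claims for the source chain
    up: bool = True   # False models a node knocked offline by the DDoS

@dataclass
class Dvn:
    name: str
    rpcs: list        # failover order

    def attest(self, nonce):
        """Hash reported by the first reachable RPC (plain failover, no cross-check)."""
        for rpc in self.rpcs:
            if rpc.up:
                return rpc.view.get(nonce)
        return None   # no reachable RPC: the DVN cannot attest

def verify(dvns, threshold, nonce, claimed_hash):
    """Accept a message only if >= threshold DVNs attest the claimed hash."""
    votes = Counter(d.attest(nonce) for d in dvns)
    return votes[claimed_hash] >= threshold

def scenario():
    # Constructed data: nonce 7 is a real packet, nonce 8 exists only on the poisoned node.
    real = {7: "hash-real"}
    forged = {7: "hash-real", 8: "hash-forged"}
    dvn1 = Dvn("dvn-1", [Rpc("honest-a", real, up=False), Rpc("poisoned", forged)])
    dvn2 = Dvn("dvn-2", [Rpc("honest-b", real)])  # independent operator and RPC set
    return {
        "forged_1_of_1": verify([dvn1], 1, 8, "hash-forged"),
        "forged_2_of_2": verify([dvn1, dvn2], 2, 8, "hash-forged"),
        "real_2_of_2": verify([dvn1, dvn2], 2, 7, "hash-real"),
    }

if __name__ == "__main__":
    for case, accepted in scenario().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The second DVN only helps because its RPC set is independent of the first; two DVNs sharing the same poisoned upstream would both attest the forged hash.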

Security Company: AI agent's encrypted payment infrastructure has significant security vulnerabilities, LLM router has led to the theft of a $500,000 wallet

According to CoinDesk, researchers from the University of California, Santa Barbara, the University of California, San Diego, blockchain security company Fuzzland, and World Liberty Financial have jointly published a paper warning that "LLM routers"—intermediary services located between users and AI models—have become a significant security risk for crypto assets.

The researchers found that 26 LLM routers are secretly injecting malicious tool calls and stealing user credentials, with one incident leading to the emptying of a customer's crypto wallet worth $500,000.

Additionally, the researchers were able to control about 400 downstream hosts within hours by "polluting" the router ecosystem. Since sensitive data such as private keys and API credentials are often transmitted in plaintext through these routers, users are effectively exposing their assets to risk without their knowledge.

The researchers pointed out that as McKinsey predicts AI agents will mediate $30 trillion to $50 trillion in global consumer spending by 2030, Binance founder Changpeng Zhao also predicts that the payment volume of AI agents will be a million times that of humans. The current infrastructure security is severely lagging behind the pace of industry development, and the risk of the "weakest link" could trigger a systemic chain crisis.