theft

The People's Court of Honggang District, Daqing City, Heilongjiang Province recently announced a first-instance judgment. Two men were sentenced for stealing electricity from high-voltage lines in an oil field to mine Bitcoin. The main offender, Zhang, was sentenced to 10 years in prison and fined 50,000 yuan, while the accomplice, Zhao, was sentenced to 4 years and 10 months in prison and fined 20,000 yuan.According to the judgment, Zhang illegally connected to the high-voltage line of an oil field from a certain oil extraction plant in Daqing and set up 24 Bitcoin mining machines in an abandoned pigsty he rented. In December of the same year, Zhao joined in knowing that Zhang was stealing electricity and purchased an additional 12 mining machines, bringing the total to 36 machines running. In August 2025, the two were arrested by the public security authorities. It was calculated that Zhang stole 565,375.2 kilowatt-hours of electricity, valued at 438,580.52 yuan; Zhao stole 468,060 kilowatt-hours, valued at 363,750.78 yuan. The court found both men guilty of theft, with Zhang being the principal offender and Zhao the accomplice. The court also ordered Zhang to compensate 438,580.52 yuan, while Zhao was jointly liable for 363,750.78 yuan of that amount. The mining machines and related equipment involved in the case will be handled by the public security authorities in accordance with the law.

In the DeFi protocol Drift theft incident, the loss of JLP positions is approximately $155.6 million. In response, Jupiter officials stated that the platform was not affected by this incident, its lending product Jupiter Lend was not involved in the Drift market, and that JLP assets are "fully backed by underlying assets."Jupiter also stated that this incident is a "difficult day" for the Solana DeFi ecosystem and expressed concern for the Drift team and affected users.According to previous news from ChainCatcher, the Solana ecosystem Drift Protocol was attacked, resulting in losses of at least $200 million.

Distributed Capital partner Shen Bo posted on X detailing the complete list and addresses of his stolen assets in 2022. He revealed that the theft occurred on November 10, 2022, Eastern Time, between 00:46 and 01:02. The Trust Wallet hot wallet installed on his iPhone 12 Pro Max was stolen, with assets valued at approximately 42 million dollars.The address details are: ETH: 0x6be85603322df6DC66163eF5f82A9c6ffBC5e894 BTC: 1ECNeZyiHgqJmv42i3pkWY48xiXy7KukTG / bc1qg3mnvn8saea50js7nzkhm8k054mpwqmcuq3de5 TRON: TJLBmmUb5TcFFXTLzuuaKU96uTg5Sjn1yD26. On that day, Shen Bo set a bounty to recover approximately 42 million dollars worth of cryptocurrency stolen three years ago.

Andrej Karpathy posted on the X platform that litellm has encountered a PyPI supply chain attack, where executing pip install litellm can steal SSH keys, AWS/GCP/Azure credentials, Kubernetes configurations, git credentials, environment variables, encrypted wallets, SSL private keys, CI/CD keys, and database passwords.litellm has a monthly download volume of 97 million, and the risk can spread to all projects that depend on litellm, such as dspy. The version with the malicious code was online for less than about 1 hour, and it was discovered due to a flaw in the attack code that caused Callum McMahon's machine to run out of memory and crash. Andrej Karpathy stated that supply chain attacks are the most threatening issue in modern software, as each installation of dependencies can introduce tampered packages deep within the dependency tree, leading him to increasingly prefer reducing dependencies and using LLM to directly implement simple functions.

According to Decrypt, Chinese citizen Zhang Xinghua was sentenced to two years in prison by a Singapore court for conspiring to abuse computer systems and handling criminal proceeds in connection with a theft of approximately $6.9 million at the SafeX cryptocurrency exchange.Prosecutors stated that he conspired with two other accomplices, one of whom, Chen Chong Xin, who is still at large, accessed the SafeX crypto vault without authorization three times between June and August 2025, transferring over $6.9 million to multiple wallets. He then laundered part of the funds through Tornado Cash, depositing over $1.6 million in two transactions, which could have yielded over $886,000 in profits, but police intervened to stop it.The case came to light after the SafeX system triggered a low balance alert. Singapore has frozen or seized approximately $2.1 million in related crypto assets, while about $4.8 million remains unrecoverable in offshore private wallets or with virtual asset service providers. Court hearings revealed that Zhang Xinghua returned approximately $95,000 in Bitcoin through his wife. Another accomplice in the case is still under investigation.

According to on-chain security firm PeckShield, the attacker who previously stole $24 million worth of $aEthUSDC from DeFi user @sillytuna is still transferring the stolen assets, and the money laundering activities are ongoing.Tracking shows that the attacker has taken various measures to disperse the funds:• Exchanged approximately $2 million worth of $DAI and $ETH for 6,174.4 $XMR (Monero), currently stored in Hyperliquid• Deposited about $6.5 million worth of $USDC and $USDT into centralized exchanges such as OKX, MEXC, and Bitkan• Laundered 375 ETH through the privacy mixing protocol Tornado Cash.

Suspect John Daghita in the $40 million cryptocurrency theft case involving the U.S. government has been arrested by the FBI.On-chain detective ZachXBT previously revealed that John Daghita is the son of the CEO of CMDSS, a company that had contracts with the U.S. government to handle seized cryptocurrency.According to ZachXBT, he exposed in January 2026 that John used his father's company CMDSS (which holds the USMS contract) to access and transfer relevant assets from wallets managed by the U.S. Marshals Service (USMS). Subsequently, John mocked ZachXBT multiple times on a Telegram channel and initiated a "dust attack" by publicly sending part of the involved funds to his wallet address.

According to Cointelegraph, Google's Threat Analysis Group recently disclosed a new iOS exploit kit named "Coruna," which is being used for cryptocurrency theft targeting iPhone users. This kit primarily targets devices running iOS versions 13 to 17.2.1 and includes 23 exploit scripts and 5 complete attack chains, some of which are previously unknown vulnerabilities.It can carry out attacks through counterfeit cryptocurrency-related websites. Reportedly, when users access these malicious sites using vulnerable iOS devices, the attack code automatically runs, scanning for sensitive information on the device, particularly text containing keywords such as mnemonic phrases, backup phrases, and bank account details, and attempts to steal assets from cryptocurrency applications like Uniswap and MetaMask.Google researchers strongly recommend that iPhone users immediately update their devices to the latest iOS version. If updating is not possible, they should enable Apple's "Lockdown Mode" to enhance protection.

According to a report by South Korea's Asia Economy, the National Tax Service of South Korea released news materials regarding on-site searches of 124 high-profile, habitual tax evaders, revealing现场照片 that included the seized Ledger hardware wallet's mnemonic phrase, with no pixelation applied.Blockchain data expert Jaewoo Cho stated that shortly after the mnemonic phrase was leaked, all 4 million PRTG tokens stored in the wallet were transferred to an unidentified wallet early this morning, with estimated losses reaching approximately 6.4 billion won (about 4.8 million USD).Analysis shows that the thief first deposited a small amount of Ethereum to be used as transaction fees into the wallet, and then transferred all the tokens in three transactions.

The Hong Kong virtual currency trading platform AAX ceased operations in mid-November 2022 under the pretext of system maintenance and updates, leaving over 300 customers unable to retrieve nearly 100 million Hong Kong dollars in assets. After an investigation, Hong Kong law enforcement discovered that the platform's shutdown was allegedly caused by false information and illegal means, with the person in charge fleeing Hong Kong with a virtual currency wallet and private keys, and later being arrested upon returning.Hong Kong police stated that after a thorough investigation, 191 victims reported losses totaling approximately 81 million Hong Kong dollars, while the AAX person in charge withdrew virtual currency worth about 633 million Hong Kong dollars after the platform ceased operations. He has currently been charged with 3 counts of theft and 1 count of fraud.

The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) announced sanctions against the Russian cybersecurity company Operation Zero and its head, Sergey Sergeyevich Zelenyuk, due to allegations that the company funded activities aimed at stealing U.S. trade secrets through cryptocurrency.The sanctions also include five other related individuals, accused of using cyber attack tools to threaten U.S. national security. This action stems from an investigation by the U.S. Department of Justice last year. An Australian citizen, Peter Williams, has admitted to stealing proprietary software from the U.S. defense contractor he worked for and providing the secrets to Operation Zero in exchange for millions of dollars in cryptocurrency.Williams has pleaded guilty to two counts of trade secret theft. The U.S. Treasury stated that Operation Zero primarily engages in the trading of exploit tools, which can exploit software vulnerabilities to gain unauthorized access, steal data, or control devices. The company also pays individuals who carry out attacks through a bounty system. Treasury Secretary Scott Bessent stated that if anyone steals U.S. trade secrets, the U.S. government will hold them accountable and will continue to protect sensitive technology and national security.

Hong Kong police have arrested an employee of a cryptocurrency trading platform who is suspected of stealing approximately 2.67 million USDT from about 20 customers, worth around 20.87 million HKD. The arrested individual is a 34-year-old network engineer surnamed Choi, who has worked at the company for 4 years and is primarily responsible for managing the mobile application.The company began receiving reports from customers about lost funds in early January this year. Investigations revealed that the employee had logged into the company database and accessed relevant customer accounts. The incident took place at an investment company located in the South Tower of Hong Kong Science Museum Road, Tsim Sha Tsui, which provides a cryptocurrency settlement platform. The case has now been handed over to the Ninth Team of the Criminal Investigation Unit of the Yau Tsim Police District for further investigation.

The Rosen Law Firm, a U.S. investor rights law firm, is investigating potential securities claims on behalf of Balancer (BAL) token investors, alleging that Balancer may have issued misleading business information to the public. This investigation stems from a Bloomberg report on November 3, which indicated that the DeFi protocol Balancer had been attacked, resulting in over $100 million in digital assets being stolen.According to monitoring by security firms PeckShield and Cyvers, the total losses from this incident are approximately $128 million. The Rosen Law Firm is currently preparing to file a class action lawsuit to seek recovery of investors' losses.

According to Arbitrum's news early this morning, Arbitrum has successfully regained control of the Arbitrum Governance (@arbitrumdao_gov) account, which can now interact securely. The official statement indicates that they are reviewing their security protocols to prevent similar incidents in the future.Previously reported by ChainCatcher, the official X account of Arbitrum Governance was compromised.

According to The Block, the cross-chain liquidity protocol CrossCurve (formerly known as EYWA) has confirmed that its cross-chain bridge protocol "is under attack" due to a vulnerability in its smart contract being exploited, resulting in approximately $3 million in funds being stolen across multiple networks. Blockchain security firm Defimon Alerts discovered that the attack vector was a gateway validation bypass vulnerability in CrossCurve's ReceiverAxelar contract.Analysis shows that anyone can use a forged cross-chain message to call the contract's expressExecute function, thereby bypassing the expected gateway validation and triggering unauthorized token unlocks on the protocol's PortalV2 contract. The protocol is supported by Curve Finance founder Michael Egorov, who previously raised $7 million.

According to Pie Shield monitoring, the hacker John (Lick), suspected of participating in the $90 million theft from the U.S. government in 2024, has begun depositing funds into Tornado Cash, with 11,037 ETH (approximately $33 million) already transferred to the mixer.Pie Shield stated that this individual is also related to a series of thefts targeting unidentified victims between November and December 2025.

"On-chain detective" ZachXBT posted on X platform revealing that John Daghita, who stole over $40 million in cryptocurrency from the U.S. government, is the son of the CEO of CMDSS, a company that has received contracts from the U.S. government to handle seized cryptocurrency.

Scroll announced on the X platform that the X account of its co-founder @shenhaichen has been compromised, and they are actively working to recover the account. Please do not interact with any links or direct messages.

BNB Chain's Chief Growth Officer Nina Rong posted that the theft of the BNB Chain Coinmarketcap account was due to a vulnerability that previously existed on the Coinmarketcap community platform. Immediate measures have been taken to ensure account security, and additional security measures have been implemented to prevent similar incidents from occurring again.