# Hack Related Articles

HTX News Center provides the latest articles and in-depth analysis on "Hack", covering market trends, project updates, tech developments, and regulatory policies in the crypto industry.

The Hunter Becomes the Hunted: The Most Profitable MEV Bot Gets Hacked

A well-known and highly profitable Ethereum MEV Bot, Jaredfromsubway.eth, suffered a sophisticated on-chain attack this Saturday, losing over $7.5 million. Analysis by Blockaid and others reveals this was not a conventional phishing or smart contract exploit, but a targeted "counter-MEV honeypot attack." The attacker meticulously laid a trap over several weeks, deploying 66 fake token contracts and liquidity pools disguised as major assets like WETH and USDC. These pools created the illusion of arbitrage opportunities. The MEV Bot's automated system detected these signals, executed trades, and in the process, granted approval permissions to attacker-controlled contracts. These approvals were not revoked, creating a persistent vulnerability. The attacker then exploited this in a single transaction, draining the bot's ETH, USDC, and USDT holdings. Jaredfromsubway.eth is notorious as one of Ethereum's most active and profitable MEV Bots, primarily known for executing "sandwich attacks" to profit from transaction slippage. Estimates suggest it has earned tens of millions in MEV revenue. The incident highlights escalating crypto security threats, demonstrating that even top-tier automated "predators" are vulnerable to novel, logic-based attacks designed to exploit their own operational rules. Following the hack, an unverified X account impersonating Jaredfromsubway.eth emerged, falsely offering a bounty for the return of funds, prompting developer warnings for users to stay vigilant.

marsbit06/21 09:22

The Hunter Becomes the Hunted: The Most Profitable MEV Bot Gets Hacked

marsbit06/21 09:22

The Revelation from the Raydium Theft Incident: New DeFi Vulnerabilities Lurking in Forgotten Old Contracts

**Raydium Exploit Reveals DeFi's Hidden Risk: Forgotten "Zombie" Contracts** A recent attack on Raydium's deprecated V3 AMM pools resulted in a loss of approximately $1.34 million. The hacker exploited pools that were no longer supported by Raydium's current UI or SDK but remained fully functional and accessible on-chain. This incident highlights a critical, often overlooked category of risk in DeFi: inactive or legacy smart contracts that projects fail to properly decommission. Since March 2025, there have been at least 8 publicly reported attacks targeting such abandoned contracts, with total losses around $10.8 million. Including older pools and deprecated features, the count rises to 10 incidents with roughly $22.5 million in losses. These "zombie contracts" represent a lifecycle management failure rather than a code vulnerability, yet they are typically misclassified under general "code bug" categories in security reports, masking the true scale of the problem. The root cause is that projects often merely document a contract as "deprecated" without taking essential technical steps to secure it: withdrawing remaining assets, disabling external call functions, and implementing ongoing monitoring. These forgotten, under-monitored components become prime targets for attackers. To address this, the industry needs to recognize "zombie contracts" as a distinct risk category and establish standardized decommissioning protocols. Essential steps should include: 1) a formal retirement announcement, 2) removal of all front-end integrations, 3) withdrawal of locked assets, 4) disabling key contract functions, 5) ongoing security monitoring, 6) clear user communication, and 7) a post-mortem analysis. The value of a DeFi project lies not only in its current TVL but also in the security of its historical codebase, which has now become a new attack surface.

Foresight News06/13 06:15

The Revelation from the Raydium Theft Incident: New DeFi Vulnerabilities Lurking in Forgotten Old Contracts

Foresight News06/13 06:15

Beosin: 36 Major Security Incidents in May Resulting in Over $76 Million in Losses

In May 2026, the Web3 ecosystem suffered over $76.15 million in losses across 36 major security incidents, according to Beosin Alert. The primary causes were contract vulnerabilities and private key leaks. The top loss involved the Verus-Ethereum Bridge, which lost $11.58 million due to a cross-chain message validation flaw—a vulnerability type historically responsible for massive losses at Wormhole and Nomad. The Echo Protocol attack, resulting from a private key leak, saw the minting of 1,000 eBTC (nominal value ~$76.7M), with the attacker netting ~$5.13 million due to liquidity constraints. Cross-chain bridges were the hardest-hit category, accounting for $27.995 million in losses. DeFi protocols were the most frequently targeted, with 14 attacks. Ethereum saw the highest chain-specific losses at over $48.76 million, followed by BNB Chain, Monad, and TON, indicating a multi-chain attack landscape. A detailed analysis highlighted three key incidents: 1. **Verus-Ethereum Bridge**: A flaw where the bridge contract verified proof from the Verus chain but failed to validate the underlying asset value, allowing fake outputs. 2. **Trusted Volumes**: A signature parameter defect in its RFQ system allowed an attacker to manipulate authorization checks and drain assets from the Resolver contract. 3. **Private Key Leaks (e.g., StablR)**: Operational failures, including inadequate multi-signature wallet thresholds and lack of timelocks, led to losses exceeding $25 million across multiple projects. The report concludes that the Web3 security threat landscape is expanding systemically. Risks now span code, infrastructure, interoperability, and human processes, moving beyond code audits alone. Projects are urged to enhance operational security, review old contracts, and users should regularly revoke unnecessary approvals.

marsbit06/10 09:26

Beosin: 36 Major Security Incidents in May Resulting in Over $76 Million in Losses

marsbit06/10 09:26

Humanity Loses $31 Million in Attack, Token Price Plummets 90% Due to a Single Private Key

On June 9th, the digital identity project Humanity Protocol suffered a major security breach resulting in over $31 million in losses. According to on-chain analyst Specter, hundreds of wallets holding the project's H token were drained. The attack was confirmed by founder Terence Kwok to be caused by the compromise of a foundation member's private key. As a precaution, users are advised to avoid interacting with Humanity's cross-chain bridge or liquidity pools. The incident caused the H token price to crash over 90%, from around $0.70 to a low of $0.052, wiping its market cap from $2 billion to approximately $35.7 million. The attacker allegedly minted 100 million new H tokens and is selling them for BNB. This breach adds to existing controversies surrounding Humanity Protocol. Founded in 2024, it aimed to verify human users via palm-print biometrics and zero-knowledge proofs. However, a leaked conversation in 2025 revealed that only about 1 million of its 9 million claimed Human IDs had completed biometric verification, suggesting 88% might be bots. Furthermore, the project has faced allegations of being a repackaged product from a Chinese access control vendor, raising privacy and authenticity concerns. Founder Terence Kwok's previous venture, Tink Labs, a hotel smartphone startup that raised $170 million, failed and entered bankruptcy in 2020 after burning through its funding. The current attack highlights the persistent critical issue of private key management in crypto. Unlike smart contract exploits, a private key compromise bypasses all on-chain security mechanisms. With no user compensation plan announced yet, this $31 million breach may be a final blow to the project's credibility, already weakened by previous controversies and a heavily depreciated token.

marsbit06/09 03:40

Humanity Loses $31 Million in Attack, Token Price Plummets 90% Due to a Single Private Key

marsbit06/09 03:40

Humanity Loses $31 Million, a Private Key Causes Token Price to Plunge 90%

On June 9th, the digital identity project Humanity Protocol suffered a major security breach resulting in over $31 million stolen from hundreds of wallets holding its H token. The attack was caused by the compromise of a private key belonging to a foundation member, leading the team to advise users against interacting with its bridge or liquidity pools. Following the incident, the price of the H token plummeted by over 90%, from around $0.70 to a low of $0.052, wiping out a significant portion of its market capitalization. The attacker allegedly minted 100 million new H tokens and began selling them for BNB. Humanity Protocol, founded in 2024, aimed to verify human users through palm-print biometrics and zero-knowledge proofs on Polygon CDK. Despite raising $50 million across two funding rounds and achieving a unicorn valuation, the project faced prior controversies. Shortly after its June 2025 token launch, reports emerged that only about 1 million of its 9 million registered IDs had completed biometric verification, suggesting 88% might be bots. Furthermore, allegations surfaced that the project might be a rebranded "shell" of a Chinese access control company, raising concerns about data privacy and authenticity. The project's founder, Terence Kwok, has a controversial business history. His previous venture, Tink Labs, burned through $170 million in funding before collapsing in 2020. The breach highlights the persistent critical risk of private key management in crypto. With no user compensation plan detailed in the initial response, the incident deals a severe blow to trust in a project already struggling with credibility issues.

Foresight News06/09 03:18

Humanity Loses $31 Million, a Private Key Causes Token Price to Plunge 90%

Foresight News06/09 03:18

Single-Day Plunge of 30%, Arthur Hayes Suddenly Liquidates: Why Did ZEC Get Exploded by Security Issues?

On June 5th, Zcash founder Zooko Wilcox disclosed a critical soundness vulnerability in the project's latest Orchard privacy pool. This flaw, found in the elliptic curve multiplication constraints, could allow an attacker to create unlimited counterfeit ZEC within the shielded pool, with transactions appearing valid. The vulnerability was discovered in late May by security researcher Taylor Hornby, who utilized Anthropic's new Opus 4.8 AI model for a targeted audit. The Zcash ecosystem had already performed an emergency network upgrade to patch the issue. However, the detailed disclosure triggered severe market panic, causing ZEC's price to plummet over 30% in a single day. Notably, prominent investor Arthur Hayes announced he had sold his entire ZEC position following the news. The incident starkly challenges the "technological trust" narrative central to privacy coins. Despite years of top-tier cryptographic audits, the bug persisted until uncovered with advanced AI-assisted research. This highlights the growing gap between theoretical perfection and practical implementation in privacy technology. The event serves as a industry-wide warning: in an AI-driven security landscape, the assumption that "undiscovered equals safe" is obsolete. It underscores the urgent need for continuous, proactive security practices combining AI audits, formal verification, and rapid response mechanisms.

foresightnews_api06/05 04:34

Single-Day Plunge of 30%, Arthur Hayes Suddenly Liquidates: Why Did ZEC Get Exploded by Security Issues?

foresightnews_api06/05 04:34

活动图片