Blockscope

318 posts

@BlockscopeCo

Web3 Data Platform | No code tools that empower everyone to capture, analyze, and understand web3 data in a useful way.

Joined July 2022
731 Following · 1.9K Followers
Blockscope retweeted
Rekt News @RektHQ
First major hack of 2026, as @Truebitprotocol was drained for $26.2 million through an overflow in unverified bytecode. The same attacker hit Sparkle weeks prior. Old code keeps bleeding - the archives have clearly become a shopping list. rekt.news/truebit-rekt
Blockscope @BlockscopeCo
4/ Exploiter addresses:
1. 0x6aecb6ee5d7fa4f5b7b5553ed0173442f0ee5ccb
2. 0x6c8ec8f14be7c01672d31cfa5f2cefeab2562b50
3. 0x3b58192943ee6f9ae92d54dd1ef378cfd519862a
4. 0x62afdd1bd84f6b152572404be90679ae58eb4862
Exploit Tx: 0xcd4755645595094a8ab984d0db7e3b4aabde72a5c87c4f176a030629c47fb014
Tx. hash for on-chain communication: 0x46f7539cfe46b3e925d69b9bc62fc31c8f06305c8d155bdb5a4c528f3dfb1277
Blockscope @BlockscopeCo
1/ @Truebitprotocol appears to have been exploited for roughly $26M. As of now, the team hasn’t posted an incident update on their official socials, but we have seen large outflows from protocol-linked contracts plus on-chain communications consistent with a compromise. Exploiter: 0x6c8ec8f14be7c01672d31cfa5f2cefeab2562b50
Blockscope @BlockscopeCo
@Truebitprotocol 3/ The activity also suggests the attack was initiated/planned back in November, when the suspected exploiter was funded via Rhino.fi (likely as part of the setup phase).
Blockscope @BlockscopeCo
@Truebitprotocol 2/ The stolen funds are currently consolidated into two wallets holding ~$13M each.
Blockscope @BlockscopeCo
We are actively monitoring the situation and, so far, have identified dozens of theft-related addresses. The tracer below maps EVM outflows from victim wallets, already totaling hundreds of transactions. Thanks to @zachxbt for early alerts. We’ve also observed onward movement into centralized exchanges. For example, 0x463452c356322d463b84891ebda33daed274cb40 has made deposits to multiple CEX deposit addresses like ChangeNow, HTX, KuCoin. Please refer to the images below. If you believe you’ve been affected, we can help with tracing, attribution, and preparing evidence for exchange escalation.
Trust Wallet @TrustWallet
We’ve identified a security incident affecting Trust Wallet Browser Extension version 2.68 only. Users with Browser Extension 2.68 should disable and upgrade to 2.69. Please refer to the official Chrome Webstore link here: chrome.google.com/webstore/detai… Please note: Mobile-only users and all other browser extension versions are not impacted. We understand how concerning this is and our team is actively working on the issue. We’ll keep sharing updates as soon as possible.
Blockscope retweeted
Stablecoin Monitor @StablecoinData
1/ Stablecoin Monitor just got a major upgrade: we now track not only dozens of stablecoins, but also the entities behind them; Issuers, owners, bridges, protocols, DAOs, and more. Visit: stablecoinmonitor.com/entity
Blockscope @BlockscopeCo
A victim, attributed to the ENS name markpascall.eth, lost approximately $1.05M in assets in a suspected private key compromise. The incident came to light after @zachxbt flagged the activity. The stolen funds were consolidated and swapped for ~330 ETH, which was then funneled into Tornado Cash. Exploiter address: 0x4f8affe6cd269d1f8352d0542432de6975c3912d
Blockscope @BlockscopeCo
2/ In mid-September, the exploiter front-ran the contract's initialization, inserting a malicious proxy to seize Admin privileges. The backdoor remained dormant and undetected for 78 days. Using the Blockscope AI Investigator, we analyzed the root cause transaction to visualize exactly how the injection occurred.
Blockscope @BlockscopeCo
1/ Just yesterday we were discussing CPIMP attacks, and now we have a live example: @USPD_io has been exploited for ~$1M via a malicious backdoor proxy planted over 2 months ago. All the drained funds were swapped to ETH. The exploiter currently holds ~$1.05M at this address: 0x083379bdac3e138cb0c7210e0282fbc466a3215a This wasn't a flash loan attack but a sophisticated "sleeper" job.
Blockscope @BlockscopeCo
2/ On further analysis of counterparties, we identified a distinct obfuscation flow from last year:
• Funds were received from Mixers & Exchanges.
• Assets moved through intermediaries performing repeated $ETH ⇄ $WETH swaps.
• Swapped funds were sent to fresh addresses before final exchange deposits.
This layering was clearly designed to mask origins and sever exposure links.
Blockscope @BlockscopeCo
1/ Earlier today, @zachxbt reported the likely arrest of threat actor Danish Zulfiqar ("Danny"), linked to the $243M Genesis theft and Kroll SIM swaps. Blockscope analyzed the suspected seizure address: 0xb37d617716e46511E56FE07b885fBdD70119f768 Current holdings sit at ~$18.58M (primarily $ETH & $DAI), showing specific consolidation patterns consistent with Law Enforcement seizures.
Blockscope @BlockscopeCo
Great catch on the incident. To be precise, this fits the pattern of a CPIMP or Proxy vulnerability rather than a flaw specific to x402. This risk exists for any agentic layer communicating with uninitialized contracts. Have you confirmed any loss of funds? Our initial check shows admin roles were indeed swapped, but no funds have moved yet.
Idobn @idobn
The first x402-related incident has been detected. ↓ What does this mean for the future of agentic applications?
Blockscope @BlockscopeCo
In a major win for blockchain forensics, @Europol, working with German and Swiss authorities, has successfully shut down Cryptomixer, a service responsible for laundering over €1.3 billion in Bitcoin since 2016. The operation led to the seizure of €25 million in cryptocurrency and the dismantling of critical infrastructure in Zurich. For those in crypto compliance and investigation, the most significant outcome is the seizure of 12 terabytes of operational data, along with the domain cryptomixer.io. This "treasure trove" of logs likely contains years of transaction history and user patterns, previously thought to be untraceable. This data will be instrumental in unmasking historical illicit activity related to ransomware groups and darknet markets for years to come. Read the official announcement here: europol.europa.eu/media-press/ne…
Blockscope @BlockscopeCo
@yearnfi 2/ Tracer visualizes the entire complex transaction, consisting of the yETH mint, flash loans, multiple swaps, and Tornado Cash deposits, with the remaining funds moving to a new holding wallet.
Blockscope @BlockscopeCo
@yearnfi was exploited a few hours ago, resulting in an estimated total loss of ~$9M. The root cause appears to stem from a vulnerability that allowed the exploiter to mint an excessive supply of yETH tokens. Tx: 0x53fe7ef190c34d810c50fb66f0fc65a1ceedc10309cf4b4013d64042a0331156 Approximately, ~1K ETH ($3.11M) has already been washed via Tornado Cash, while the majority of the remaining traced funds (~$6.1M) are currently sitting in the exploiter's wallet: 0xa80D3F2022F6Bfd0B260bF16D72CaD025440C822 Notably, although the exploiter minted a massive amount of tokens, they were only able to successfully sell and launder a portion of the supply. We are actively investigating the case and will provide updates shortly. Image 1: Minting yETH Image 2: Tornado Cash Deposits Image 3: Funds holding
Blockscope @BlockscopeCo
@GANA_PayFi @zachxbt 3/ The remaining balance of roughly $1.049M was transferred to a separate address: 0xd10Ed57534Dc63f2ea9dC0cB0096086F3CC8fA4d, which eventually deposited the totality of the funds into Tornado Cash as well.
Blockscope @BlockscopeCo
1/ Yesterday, @GANA_PayFi (Gana Payments) was exploited for approximately $3.147M on BSC. The exploiter drained the project liquidity across multiple transactions. Credit to @zachxbt for the initial alert. Primary Exploiter: 0x2e8A8670B734E260ceDBC6d5a05532264aae5C38
Blockscope @BlockscopeCo
2/ Approximately two-thirds of the stolen funds (~$2.1M) were bridged to the Ethereum Mainnet using deBridge and Stargate, and subsequently deposited into Tornado Cash.
Involved Addresses:
• 0x7a503e3ab9433ebf13afb4f7f1793c25733b3cca
• 0x98fc13632ff112e4667fc4f21ae980571f122b5a