SEAL 911

54 posts

@SEAL_911

A @_SEAL_Org initiative. Contact the SEAL 911 team: https://t.co/uOIGCrTh8V

Joined July 2023
16 Following, 2.9K Followers
SEAL 911 reposted
Griff Green - griff.eth
Without @tayvano_ coordinating things (with the support of the rest of the @SEAL_911 team), there is no way we would have been able to freeze DPRK's $70M. Seriously send this woman her flowers, she deserves it!
Tay 💖@tayvano_

I've answered this so many times so feel free to ask more questions but I'm just gunna hurl it at you so I don't have to answer again.

Note: All times Pyongyang time.

Wed April 15: Holiday, OOO
Thu April 16: Pre-exploit testing ramps up rapidly
Fri April 17: Pre-exploit testing done
Sat April 18: Tornado ins and outs, prep up gas on addresses to be used on both Ethereum and Arbitrum. Take brief nap?
Sun Apr 19 02:35: First hack txn (116.5k rsETH on Ethereum)
Next hour: bridges to Arbitrum to "refill" the bridge, so to speak
Sun Apr 19 04:30: Kelp manages to freeze before nonce 309 pops, basically rugs DPRK of the additional 40k ETH they were literally about to pull.
Sun Apr 19 04:35: Last onchain transaction. All funds sat in 0x5d3919f12bcc35c26eee5f8226a9bee90c257ccc on Ethereum and Arbitrum.
Sun Apr 19, all day: no activity on or offchain
Mon Apr 20, all day: no activity onchain, brief activity offchain, laundering plans initiated
Tue Apr 21, noon: Txn on Arbitrum rugs them
Tue Apr 21, 4pm: Laundry begins
Wed Apr 22, 5am (rn): Laundry still going

So, some unusual things:

Super fast on the hack. VERY fast. A bit of prep ~Apr 9 but basically speedran the hack starting from Apr 16. They were working 16+ hour days the 16, 17, 18, right up until the moment of the hack. It was nonstop. TRTR can get on other devices.

This should have been a billion dollar hack. They could have got a 2/2, no problem. One theory is they got spooked and thought they might have their access rugged. One theory is they haven't hacked anything in 9 months and decided ~$380m (the planned amount) was good enough.

The very odd thing though is abandoning any funds in the hack address is something they don't actually do. See: x.com/tayvano_/statu…

They always tranche it up. This isn't necessarily bc they are scared of getting frozen. It's bc it's these guys' jobs to execute the onchain side of the hack and then HAND OFF to the next team. That is their literal job. Remember, this is an army. Teams of teams. There are social engineers, there are hackers, there are launderers, there are managers. They have to coordinate and hand off.

In every other instance when the hack is "done" it's always in chunks (we call them tranches) of the native asset on ETH, BTC, TRON. Multiple addresses. Not the direct theft addresses. 10k ETH. 20k ETH. Etc. Any L2s or other shitchains go to BTC/ETH. They sit in these "tranches" for days, weeks, months. Until they are ready for prime time.

So, what the fuck happened?

I think they worked basically non-stop, in the same way SEAL folks and ZeroShadow folks and KelpDAO folks and LayerZero folks have been working *since* the moment the exploit happened. Nights, weekends, no holding back.

I think at 4:30am local time when Kelp prevented them from getting the second round from the bridge (the additional $100m) they were basically like "FFFFFFUUUUUUUUUUUUUUUUUUUU" and table flipped and went home and went to bed. Bc they hadn't slept in a long ass while. I think they got Sunday off (very typical) and maybe Monday as an extra reward. Plus, they haven't hacked in a while. The actual laundering operation has to be organized.

I think the second they got word that the laundering was ready they realized they needed to send over the funds. Which is when they did so. Unfortunately for them, that was <4 hours after an insane operation on the DeFi side had been completed to rug them of all their ETH on Arbitrum.

Obvs ~all of this is speculative. I don't KNOW shit. But I do know a lot of things. DYOR, or something.

SEAL 911 reposted
stormblessed🌩️ 💡 🗃️
If funds or accounts were impacted, report it early: • IC3 • Chainabuse • @SEAL_911 • local law enforcement Even if recovery is uncertain, reporting helps connect campaigns and victims.
SEAL 911 reposted
Kelp
Kelp@KelpDAO·
We appreciate the recent decision by the @arbitrum Security Council to take action in response to the LayerZero-DVN/rsETH incident of April 18. Over the past two days, the KelpDAO team has worked closely and constructively with members of the security council and broader ecosystem stakeholders to provide detailed context and support evaluation efforts. We would like to particularly acknowledge the exceptional efforts of @_SEAL_Org 's SEAL 911 among countless others, whose coordination, information structuring, and stakeholder engagement were instrumental in bringing clarity and urgency to this process. Our focus remains on pursuing all available avenues to support rsETH holders and mitigate the impact of the incident across the Defi ecosystem.
Arbitrum@arbitrum

The Arbitrum Security Council has taken emergency action to freeze the 30,766 ETH being held in the address on Arbitrum One that is connected to the KelpDAO exploit. The Security Council acted with input from law enforcement as to the exploiter’s identity, and, at all times, weighed its commitment to the security and integrity of the Arbitrum community without impacting any Arbitrum users or applications. After significant technical diligence and deliberation, the Security Council identified and executed a technical approach to move funds to safety without affecting any other chain state or Arbitrum users. As of April 20 11:26pm ET the funds have been successfully transferred to an intermediary frozen wallet. They are no longer accessible to the address that originally held the funds, and can only be moved by further action by Arbitrum governance, which will be coordinated with relevant parties.

SEAL 911 reposted
LayerZero
LayerZero@LayerZero_Core·
We’re fully aware of the rsETH exploit and have been in active remediation with the @KelpDAO team since the incident and continue to monitor. All other applications remain safe. We are still identifying the root cause alongside @_SEAL_Org and others. We will publish a complete post-mortem with @KelpDAO as soon as we have all information.
SEAL 911 reposted
Stephen | DeFi Dojo
Stephen | DeFi Dojo@phtevenstrong·
PSA for protocols: Shortlist of good Opsec Providers ► @trailofbits, @opsek_io, @0xGroomLake, @SEAL_911, @DigOppGroup. If you're building a protocol or worried that your opsec might not be airtight, PLEASE reach out to at least one of these teams.
Nomatic@Nomaticcap

OK OpSec audits needed yesterday. I've actually started trying to push this more with teams I have a decent amount of my personal $$$ stored with and teams I've invested in.

SEAL 911 reposted
davo | drift
davo | drift@davijlu·
I want to reiterate my thanks to @tayvano_, @tanuki42_, @pcaversaccio and @bax1337 for their expertise and support during this period. They have been an absolute pleasure to work with and personally, could not speak more highly of them and the @SEAL_911 team.
SEAL 911 reposted
dango🍡
dango🍡@dango·
Earlier today, Dango experienced a security incident. An attacker exploited a bug in the insurance fund's logic and drained USDC collateral held in the perps contract.

The bug is that the insurance fund allows anyone to donate to it, but it fails to check that the donation amount is positive. This issue is isolated to the insurance fund donation logic, which has now been removed, and does not impact order matching, PnL settlement, liquidation, or any other part of the trading system.

Thanks to a bridge rate limit in place, the damage is limited: the attacker was able to bridge $410,010 USDC off to Ethereum while the bulk of the exploited funds ($1,490,012) remain on Dango and are recoverable.

The attacker is:
Dango account: 0x023ef9e3e20caca6ef3743cbfba6469d69978999
Ethereum account: 0x271d1f2f4194e61f2a17ea82d82e31cea9f6762a

In the meantime, we have paused the chain and are now recovering the $1,490,012 stuck in the exploiter's account that they were unable to bridge out of Dango. We have also contacted the team at @SEAL_911, who have since notified @circle and all major exchanges. All affected users will be made whole. The protocol will be fully operational again soon.

We invite the exploiter to reach out to us at info@leftcurve.io and negotiate a bug bounty. The points program will be postponed until a later date. More updates to follow.
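The donation bug in the Dango post is a missing sign check, and the bridge rate limit is what capped the loss. The toy model below is an added illustration, not Dango's code: it shows a donate() path without the positivity check beside one with it, plus a capped outbound bridge, and runs both with the figures from the post ($410,010 bridged, $1,490,012 stuck). The fund's starting balance, the account names and the bridge cap are constructed values; amounts are whole USDC units.

```python
"""Toy model of an insurance fund whose donate() accepts a signed amount
without checking it is positive (the bug described in the post), the same
fund with the check added, and a rate-limited bridge. Added example, not
Dango's code; starting balances, account names and the bridge cap are
constructed. Amounts are whole USDC units."""

from typing import Dict


class InsuranceFundVulnerable:
    """The 'before': no check that the donation amount is positive."""

    def __init__(self, fund_balance: int, accounts: Dict[str, int]) -> None:
        self.fund_balance = fund_balance
        self.accounts = dict(accounts)

    def donate(self, account: str, amount: int) -> None:
        # BUG: with amount < 0 this balance test passes trivially, the
        # donor's balance grows by |amount| and the fund shrinks by |amount|.
        if self.accounts.get(account, 0) < amount:
            raise ValueError("insufficient balance")
        self.accounts[account] = self.accounts.get(account, 0) - amount
        self.fund_balance += amount


class InsuranceFundHardened(InsuranceFundVulnerable):
    """The 'after': reject non-positive donations. In a typed contract the
    amount would additionally be declared as an unsigned integer."""

    def donate(self, account: str, amount: int) -> None:
        if amount <= 0:
            raise ValueError("donation must be positive")
        super().donate(account, amount)


class RateLimitedBridge:
    """Outbound bridge with a fixed per-window cap (constructed value); what
    the cap refuses stays on-chain, where the operator can recover it."""

    def __init__(self, cap: int) -> None:
        self.cap = cap
        self.bridged = 0

    def withdraw(self, amount: int) -> int:
        """Bridge as much of `amount` as the window allows; return what left."""
        allowed = max(0, min(amount, self.cap - self.bridged))
        self.bridged += allowed
        return allowed


def run_scenario(fund_cls, stolen_request: int, bridge_cap: int) -> Dict[str, int]:
    """Attacker with a zero balance 'donates' -stolen_request, then tries to
    bridge everything out. Returns the fund balance and where the money ended."""
    fund = fund_cls(fund_balance=2_000_000, accounts={"attacker": 0})
    try:
        fund.donate("attacker", -stolen_request)
    except ValueError:
        pass  # the hardened fund rejects the negative amount
    attacker_balance = fund.accounts["attacker"]
    bridge = RateLimitedBridge(cap=bridge_cap)
    bridged_out = bridge.withdraw(attacker_balance)
    return {
        "fund_balance": fund.fund_balance,
        "bridged_out": bridged_out,
        "stuck_on_chain": attacker_balance - bridged_out,
    }


if __name__ == "__main__":
    # Figures from the post: 410,010 left via the bridge, 1,490,012 stuck.
    print("vulnerable:", run_scenario(InsuranceFundVulnerable, 1_900_022, 410_010))
    print("hardened:  ", run_scenario(InsuranceFundHardened, 1_900_022, 410_010))
```

The vulnerable run drains 1,900,022 from the fund into the attacker's account, of which only the bridge cap's worth leaves the chain; the hardened run leaves both balances untouched. The point a reviewer should take from it is that the cap is a backstop for the blast radius, not a substitute for the input check.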
SEAL 911 reposted
Tom
Tom@SolportTom·
Once we realised that the domain had been stolen we instantly reached out to every wallet provider, which had the domain blocked in around 1 hour after reaching out, meaning no one could load or transact with the site. We'd like to thank @phantom @solflare @SEAL_911 @MetaMask and co for their swift action. If we didn't get all the wallets to block the site very quickly this could've been a lot worse.
SEAL 911 reposted
BONK.fun
BONK.fun@bonkfun·
BONKfun is back and here's what happened 👇

On March 11, the BONKfun website was hijacked by a malicious actor via a social engineering attack targeting our domain service provider. This resulted in the domain being transferred to an external registrar. The domain service provider has accepted responsibility for the transfer, and we have confirmed this incident was not the result of any compromise of BONK or BONKfun internal systems, codebase, or team accounts.

Upon identifying the breach, we immediately took action to:
1) Disable the site
2) Coordinate with wallet providers to flag the domain as malicious
3) Contain further user impact

We'd like to thank @phantom, @solflare, @MetaMask, @_SEAL_Org and all other security partners that helped spread the word quickly. We estimate the total customer losses at $30,000 and we will be reimbursing affected users at 110% of losses to account for opportunity cost.

As a result of this social engineering on the domain service provider, the BONKfun domain was transferred to an external registrar, and that transfer greatly inhibited our ability to move quickly with relaunching the site in a secure manner. The domain and domain registration were fully transferred back around 5:00 pm Eastern time on 3/18. Full functionality with major wallet providers was restored late on 3/19, which has now enabled us to safely and securely relaunch the site.

The main BONKfun domain is still experiencing flags from several antivirus software providers; we are working to remove these flags as soon as possible. For users experiencing issues with BONK.fun due to anti-virus software, letsBONK.fun is also live now and contains the same functionality as the main site.
SEAL 911 reposted
Stake DAO
Stake DAO@StakeDAOHQ·
Update on the Votemarket incident: Following previous communications, the situation has been successfully handled as a white-hat resolution, and a significant portion of the affected funds (60.58 ETH) has been returned to the Stake DAO treasury. Thank you to the community for its patience and support over the past days. Special appreciation to @seal_911 and @pcaversaccio for their valuable support throughout this process.
Stake DAO@StakeDAOHQ

Following SDGP-65, where 68% of the veSDT supply voted in favor, all veCRV voters impacted by the March 12 incident can now claim their rewards on the Votemarket claim page. All impacted rewards have been reimbursed in USDC from the Stake DAO treasury. Rewards from non-impacted campaigns remain claimable in their original tokens. vlCVX voter distribution is next and expected shortly.

SEAL 911 reposted
Neutrl
Neutrl@Neutrl·
Following the recent DNS hijacking incident, the Neutrl domain has been successfully migrated to neutrl.finance and is now secured on a new DNS provider. Neutrl smart contracts have been unpaused and are fully operational. ALL USER FUNDS ARE SAFE.

Protocol NAV, including reserves and user funds, remains secure within Neutrl's custodial wallets, supported by a custody framework and off-exchange settlement (OES) that isolates funds from front-end and infrastructure risks.

Users should no longer interact with neutrl[.]fi under any circumstances and should only use the new domain moving forward. The .fi domain will be sunset.

As an added precaution, users who interacted with the compromised domain are advised to review and revoke permissions via revoke[.]cash, including any Permit2 approvals associated with the following malicious addresses:
0x23f2741EaA0045038e9b52100CdcC890163dE53F
0xa0Adf074056E41dfB892aFC69881E15073b384b9
Please also revoke any approvals associated with addresses you do not recognize.

We extend our sincere gratitude to the teams at @0xGroomLake and @SEAL_911, whose support and expertise were instrumental in our response. Their work in strengthening security across the ecosystem is invaluable. Additional updates will be shared as they become available, along with a full post-mortem.
SEAL 911 reposted
Bitrefill
Bitrefill@bitrefill·
@_SEAL_Org 😘 🦭
SEAL 911 reposted
Bitrefill
Bitrefill@bitrefill·
March 1st incident report

On March 1, 2026, Bitrefill was the target of a cyberattack. Based on indicators observed during the investigation - including the modus operandi, the malware used, on-chain tracing and reused IP + email addresses (!) - we find many similarities between this attack and past cyberattacks by the DPRK Lazarus / Bluenoroff group against other companies in the crypto industry.

The initial access originated through a compromised employee laptop, from which a legacy credential was exfiltrated. That credential provided access to a snapshot containing production secrets. From there, the attackers were able to escalate their access to our broader infrastructure, including parts of our database and certain cryptocurrency wallets.

We first detected the incident after noticing suspicious purchasing patterns with certain suppliers. We realized that our gift card stock and supply lines were being exploited. At the same time we found some of our hot wallets being drained and funds transferred to attacker-controlled wallets. The moment we identified the breach, we took all of our systems offline as part of our containment response. Bitrefill operates a global e-commerce business with dozens of suppliers, thousands of products, and multiple payment methods across many countries. Safely switching all these things off and bringing them back online is not trivial.

Since the incident, our team has been working closely with top industry security researchers, incident response specialists, on-chain analysts and law enforcement to understand what happened and how we can prevent it from happening again. A sincere thank you to @zeroshadow_io, @SEAL_Org, @RecoverisTeam and @fearsoff for their rapid response and support throughout this ordeal.

What about your data

Based on our investigation and our logs we don't have reason to think that customer data was the target of this breach. There is no evidence that they extracted our entire database, only that the attackers ran a limited number of queries consistent with probing to understand what there was to steal, including cryptocurrency and Bitrefill gift card inventory.

Bitrefill was designed to store very little personal data. We are a store, not a crypto service provider. We don't require mandatory KYC. When a customer chooses to verify their account - e.g. to access higher purchasing tiers or certain products - that data is kept exclusively with our external KYC provider, with no backups in our system.

Still, based on database logs, we know that a subset of purchase records was accessed and we want to be transparent about that. Around 18,500 purchase records were accessed by the attackers. Those records contained limited customer information, such as email addresses, crypto payment address, and metadata including IP address. For approximately 1,000 purchases, specific products required customers to provide a name. That information is encrypted in our database. However, since the attackers may have gotten access to the encryption keys, we are treating this data as potentially accessed. Customers in this category have already been notified directly by email.

At this time, based on the information currently available, we do not believe customers need to take specific action. As a precaution, we recommend remaining cautious of any unexpected communications related to Bitrefill or crypto. If this assessment changes, we will of course immediately inform those affected.

What we are doing

We have already significantly improved our cybersecurity practices, but vow to continue to draw learnings from this experience to make sure user and company balances and data remain maximally safe. Specifically we're:
- Continuing thorough cybersecurity reviews and pentests with multiple external experts and implementing recommendations;
- Further tightening internal access controls;
- Further improving logging and monitoring for faster detection and more effective response; and
- Continuing to refine and test our incident response procedures and automated shutdown procedures.

The bottom line

Getting hit by a sophisticated attack sucks (a lot). We've been in business for over 10 years and it's the first time we've been hit this hard. But we survived. Bitrefill was designed to limit the impact if something like this ever happened. Bitrefill remains well funded, has been profitable for several years and will absorb these losses from our operational capital.

Almost everything is back to normal: payments, stock, accounts. Sales volumes are also back to normal, and we are eternally thankful to our customers for your continued confidence in us. We will continue to do our best to continue deserving your trust. Thank you!
SEAL 911 reposted
Curvance
Curvance@Curvance·
The domain hijacking incident has been fully resolved and control has been restored. The Curvance official domain, app.curvance.com, is secure and safe to use. Please note that users connecting via OKX or Coinbase wallets may still encounter a blocker. Our team is actively working with the relevant providers to resolve this and remove the restriction as soon as possible. We appreciate your patience and will share updates as they become available. A full post-mortem is provided below.

Summary

On February 16, 2026, Curvance experienced a domain registrar hijacking incident as part of a broader, coordinated infrastructure attack impacting multiple protocols across the industry. At approximately 4:36am EST, the Curvance domain registrar account was compromised through a social engineering attack targeting GoDaddy support. The attacker obtained registrar-level control of the domain and redirected traffic to a malicious front end during the exposure window. It is important to be clear: this was an off-chain, domain-level incident. Protocol funds remain secure and smart contracts were not impacted at any time.

Approximate Detection & Response Timeline (EST)

Feb 16, 2026
• 4:36am — Unauthorized changes to nameservers occurred following social engineering of the domain registrar's support channels.
• 6:18am — Incident detected by @blockaid_ monitoring systems
• 6:48am — First unauthorized domain taken offline and containment actions initiated by @SEAL_911
• 12:21pm — A second unauthorized domain was created while domain registrar control was still in the process of being recovered.

Feb 17, 2026
• 3:17am — GoDaddy locked the domain registrar account, preventing any additional unauthorized changes while control was being restored. However, the second and final unauthorized domain still remained active.
• 7:01pm — Final unauthorized domain taken offline with assistance from @ChainPatrol

Feb 20, 2026
• 6:19pm — Full control of the domain registrar account was successfully restored.

We were informed that the registrar was experiencing a significant spike in similar domain security incidents during this period, resulting in an elevated support backlog and extended recovery timelines. Upon detection, we coordinated with @blockaid_, @SEAL_911, and @ChainPatrol to assess exposure, halt traffic, and prevent further interaction with the malicious endpoint. Their rapid escalation materially reduced potential user impact during the exposure window.

Scope of Impact

The incident was limited strictly to the domain registrar layer. There was never a breach of smart contracts, protocol funds remained secure at all times, and Curvance internal systems and accounts were not compromised. Any potential losses are strictly isolated to users who directly interacted with the compromised domain during the exposure window. If you believe you may have been impacted, please create a support ticket in the Curvance Discord so our team can review your case and assist directly. Preliminary investigation indicates the attacker bypassed GoDaddy verification controls through support channel manipulation.

Hardening Measures

In response, and following recommendations from @SEAL_911, we are upgrading our domain infrastructure by transferring the Curvance domain to an institutional-grade registrar utilized by Fortune 500 companies, thereby reducing exposure to retail support channels.

Industry Coordination

Following this incident, we conducted research and outreach to several protocols who shared similar registrar exposure and have proactively engaged them to serve as a resource in strengthening and hardening their domain infrastructure.

Closing Statement

We take infrastructure and user security extremely seriously. Our monitoring, response procedures, and security partnerships enabled rapid detection and containment, significantly limiting the exposure window. We extend our sincere thanks to @blockaid_, @SEAL_911, and @ChainPatrol for their immediate detection, coordination, and hands-on support during containment. We will continue to provide updates as additional hardening measures are finalized.
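The Curvance timeline above, like the BONK.fun and Neutrl posts earlier on this page, turns on a registrar-level change (nameservers swapped, domain transferred) that sat undetected for about two hours. The check below is an added example, not Curvance's, Blockaid's or SEAL 911's tooling: it diffs a known-good baseline against an RDAP-style snapshot of the domain and flags nameserver changes, missing registrar locks, a changed registrar and a fresh "last changed" event. The `nameservers[].ldhName`, `status[]`, `events[]` and `entities[].roles` fields are standard RDAP (RFC 9083); registrar identification is simplified to the entity `handle` with the `registrar` role, and the two snapshots, hostnames, handle and timestamps are constructed for the example rather than taken from any real registrar response.

```python
"""Registrar/nameserver integrity check run against RDAP-style domain
snapshots. Added example, not any protocol's or responder's own tooling.
The baseline, snapshots, hostnames, registrar handle and timestamps are
constructed; a real deployment would fetch the RDAP object from the
registry's RDAP server on a schedule and page on the findings."""

from datetime import datetime, timezone
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message)
SEVERITY_ORDER = {"critical": 3, "high": 2, "medium": 1}


def _host(name: str) -> str:
    """Normalise an RDAP ldhName (case-insensitive, optional trailing dot)."""
    return name.lower().rstrip(".")


def normalize_rdap(rdap: Dict) -> Dict:
    """Pull the fields the check needs out of an RDAP domain object."""
    registrar = None
    for ent in rdap.get("entities", []):
        if "registrar" in ent.get("roles", []):
            registrar = ent.get("handle")  # simplification: handle, not vCard name
    last_changed = None
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == "last changed":
            last_changed = datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
    return {
        "nameservers": {_host(ns["ldhName"]) for ns in rdap.get("nameservers", [])},
        "status": set(rdap.get("status", [])),
        "registrar": registrar,
        "last_changed": last_changed,
    }


def check_domain(rdap: Dict, baseline: Dict) -> List[Finding]:
    """Compare a snapshot with the recorded baseline; empty list means clean."""
    cur = normalize_rdap(rdap)
    findings: List[Finding] = []
    if cur["nameservers"] != baseline["nameservers"]:
        added = sorted(cur["nameservers"] - baseline["nameservers"])
        removed = sorted(baseline["nameservers"] - cur["nameservers"])
        findings.append(("critical", f"nameservers changed: added={added} removed={removed}"))
    missing = sorted(baseline["required_status"] - cur["status"])
    if missing:
        findings.append(("high", f"registrar locks missing: {missing}"))
    if cur["registrar"] != baseline["registrar"]:
        findings.append(("critical", f"registrar changed: {baseline['registrar']} -> {cur['registrar']}"))
    if cur["last_changed"] and cur["last_changed"] > baseline["last_changed"]:
        findings.append(("medium", f"registrar record modified at {cur['last_changed'].isoformat()}"))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    return max((sev for sev, _ in findings), key=SEVERITY_ORDER.get, default="ok")


# Constructed baseline recorded while the domain was known-good.
BASELINE = {
    "nameservers": {"ns1.example-dns.net", "ns2.example-dns.net"},
    "required_status": {"client transfer prohibited", "client update prohibited",
                        "client delete prohibited"},
    "registrar": "1234",
    "last_changed": datetime(2026, 1, 5, tzinfo=timezone.utc),
}

# Constructed RDAP-style snapshots: one clean, one after a registrar hijack
# (nameservers repointed, transfer/update locks dropped, record re-stamped).
GOOD_SNAPSHOT = {
    "objectClassName": "domain", "ldhName": "example-protocol.com",
    "status": ["client transfer prohibited", "client update prohibited", "client delete prohibited"],
    "nameservers": [{"ldhName": "NS1.EXAMPLE-DNS.NET."}, {"ldhName": "ns2.example-dns.net"}],
    "entities": [{"roles": ["registrar"], "handle": "1234"}],
    "events": [{"eventAction": "last changed", "eventDate": "2026-01-05T00:00:00Z"}],
}
HIJACKED_SNAPSHOT = {
    "objectClassName": "domain", "ldhName": "example-protocol.com",
    "status": ["client delete prohibited"],
    "nameservers": [{"ldhName": "ns1.attacker-dns.example"}, {"ldhName": "ns2.attacker-dns.example"}],
    "entities": [{"roles": ["registrar"], "handle": "1234"}],
    "events": [{"eventAction": "last changed", "eventDate": "2026-02-16T09:36:00Z"}],
}

if __name__ == "__main__":
    for label, snap in (("good", GOOD_SNAPSHOT), ("hijacked", HIJACKED_SNAPSHOT)):
        found = check_domain(snap, BASELINE)
        print(label, worst_severity(found), found)
```

The nameserver diff is the signal that fires first in an incident like the one above; the lock check is the one that would have made the support-channel manipulation harder, since a registrar should not transfer or update a domain whose `client transfer prohibited` / `client update prohibited` statuses are set without clearing them first, and clearing them is itself a visible change.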
SEAL 911 reposted
thedao.fund
thedao.fund@thedaofund·
.@_SEAL_Org and the volunteers at @SEAL_911 do critical work for the entire ecosystem. We’re proud to support them and encourage others to consider doing the same. Details on how to contribute can be found in our blog post.
thedao.fund@thedaofund

Today, we’re announcing the first allocation from TheDAO Security Fund. We’re supporting @_SEAL_Org and @SEAL_911 - teams that quietly do some of the most important security work in the Ethereum ecosystem. Their impact is significant, and they are among the most closely aligned not-for-profit organizations in the ecosystem. We are donating 69 ETH directly to SEAL and 133.7 ETH to SEAL 911 as well as setting up perpetual @Superfluid_HQ streams.

SEAL 911 reposted
tanuki42
tanuki42@tanuki42_·
Thank you @thedaofund and the community for making the hard work that good people do behind the scenes for this space possible 🎉 As always, if you are a crypto user who needs urgent and immediate help in an emergency @SEAL_911 is there and waiting.