BonkDAO Governance Takeover
An attacker spent about $4M quietly buying BONK to capture BonkDAO's vote, then pushed a malicious Realms proposal that drained roughly $20M from the treasury.
An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.
Since 2009, more than $14.14B has been drained from blockchains and the businesses that touch them. This is the running ledger — citation-first, on-chain verifiable, and updated as we learn more.
Malicious JavaScript injected into Safe{Wallet}'s signing UI drained 401,000 ETH ($1.46B) from a Bybit cold-wallet transfer, the largest crypto theft ever.
An attacker spent about $4M quietly buying BONK to capture BonkDAO's vote, then pushed a malicious Realms proposal that drained roughly $20M from the treasury.
A flash-loan attacker manipulated share accounting in Summer.fi's Lazy Summer USDC vault, redeeming inflated assets to drain about $6 million on Ethereum.
An attacker drained $820,000 in USDC from privacy protocol Hinkal — nearly its entire cross-chain TVL — via unverified 'proofless' deposits, then laundered it through Tornado Cash and THORChain.
A flash-loan-funded attacker inflated Edel Finance's internal wGOOGLx exchange rate ~78x, borrowing against phantom tokenized-Google-stock collateral to leave about $403,000 in bad debt.
A compromised third-party vendor injected a malicious script into Polymarket's frontend, phishing approvals that drained about $2.94M in PUSD from user wallets.
A predictable-randomness flaw in SecondFi's Cardano wallet-generation software let attackers drain about $2.4M in ADA from 178 wallets, with up to $20M more potentially at risk.