Ionic Money Fake-LBTC Listing
$8.6M extracted from Ionic Money on Mode after attackers impersonated Lombard Finance for weeks, got a fake LBTC listed, then borrowed against it.
- Date
- Victim: Ionic Money
- Chain(s)
- Status
- Funds Stolen
In February 2025, the Mode-based lending platform Ionic Money — formerly Midas Capital — was exploited for approximately $8.6 million (Rekt lists $6.94M) through a multi-week social-engineering operation. Attackers impersonated Lombard Finance team members, conducted business-development discussions across "several weeks," and ultimately tricked Ionic into listing a fake LBTC token as collateral. They then deposited 250 of their fake LBTC and borrowed real assets against it.
What happened
The attack chain ran on a timescale longer than typical crypto exploits:
- Initial contact: Attackers reached out to Ionic Money posing as Lombard Finance representatives, proposing to list LBTC (Lombard's wrapped Bitcoin product) as collateral on Ionic.
- Business development: The impersonators spent several weeks engaging with the Ionic team — technical discussions about LBTC's design, market-fit conversations, risk-parameter negotiations.
- Token preparation: The attackers deployed their own fake LBTC contract, then set up a Balancer liquidity pool with $400,000 in their own liquidity to provide superficial price-discovery for the token.
- Oracle integration: They convinced Ionic to integrate an API3 oracle price feed for their fake LBTC — a key step that gave the asset a "trusted price" that the lending markets would consume.
- Listing approval: After several weeks of due diligence theater, the Ionic team approved the fraudulent asset as collateral on the lending platform.
Once the fake LBTC was live as collateral, the attack was mechanical:
- Minted 250 fake LBTC from their own contract (it was their token; they could mint as much as they wanted).
- Deposited the 250 fake LBTC as collateral, with the API3 oracle reporting it at the legitimate LBTC market price.
- Borrowed $8.6M worth of real assets against the fake collateral.
- Walked away without repaying, leaving Ionic holding worthless fake LBTC as the only backing for the loans.
After the theft, the attackers used cross-chain bridges to transfer approximately $3.5M to Ethereum, with 1,204 ETH (~$3.2M) bridged straight into Tornado Cash.
Aftermath
- Ionic paused affected lending markets and audited every listed collateral asset's provenance.
- The Lombard Finance team publicly confirmed the impersonation and clarified that none of their team had been involved in the Ionic listing process.
- No public recovery from the attacker's wallets.
- The exploit's pacing — weeks of business development before the technical attack — strongly suggests state-aligned threat actor behaviour rather than opportunistic exploitation.
Why it matters
Ionic Money's incident is one of the clearest 2025 cases for how social-engineering operations against protocols are increasing in patience and sophistication. The attack was not opportunistic. The attackers:
- Researched Ionic's listing process thoroughly enough to know what evidence would be required.
- Built a multi-week relationship with the team, establishing trust before exploiting it.
- Constructed a credible artifact — the Balancer pool with real $400K liquidity and the API3 oracle integration — that wouldn't immediately scream "scam" to a normal due-diligence review.
The structural lessons for DeFi lending platforms:
- "We met with their team" is not validation — protocols listing new collateral must verify counterparty identity through channels independent of the people requesting the listing. Lombard's own communication channels, not Ionic's Telegram chat with someone claiming to be Lombard.
- Token-provenance checks must be cryptographic, not narrative — verifying that the deployed contract address matches the protocol's official announcements (signed by their known multi-sig or social-media account) rather than trusting the listing proposer's word.
- Oracle integration is part of the listing risk — adding an oracle price feed for a token gives it an enormous attack surface; the oracle integration step should be a separate, high-friction approval gate that requires independent verification of the underlying.
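One way to encode these three lessons as a pre-listing check, written here as an added example and not taken from Ionic, Lombard or any other project's code. The class names, channel labels, approver names and placeholder addresses are all hypothetical, and verifying the signature on each issuer announcement is assumed to happen before an attestation is recorded.

```python
import re
from dataclasses import dataclass

ADDR_RE = re.compile(r"0x[0-9a-fA-F]{40}")

@dataclass(frozen=True)
class Attestation:
    channel: str          # where the reviewer fetched it, e.g. "issuer-docs"
    token_address: str    # address the issuer publishes for this chain
    via_proposer: bool    # True if the link or contact came from the proposer

@dataclass(frozen=True)
class Proposal:
    token_address: str    # contract the proposer wants listed as collateral
    listing_approver: str
    oracle_approver: str  # who signed off on wiring the price feed

def norm(addr: str) -> str:
    if not ADDR_RE.fullmatch(addr):
        raise ValueError(f"malformed address: {addr!r}")
    return addr.lower()

def review_listing(p: Proposal, atts: list, min_independent: int = 2) -> list:
    """Return blocking findings; an empty list means both gates pass."""
    findings = []
    proposed = norm(p.token_address)
    # Gate 1: provenance. Only channels the reviewer located without the
    # proposer's help count; each distinct channel counts once.
    by_channel = {a.channel: norm(a.token_address) for a in atts if not a.via_proposer}
    if len(by_channel) < min_independent:
        findings.append("too few independent issuer channels")
    published = set(by_channel.values())
    if len(published) > 1:
        findings.append("issuer channels disagree on the address")
    if published and proposed not in published:
        findings.append("proposed address is not the issuer-published one")
    # Gate 2: oracle. A feed may only be attached once provenance is clean,
    # and by someone other than the person who approved the listing.
    if findings:
        findings.append("oracle gate blocked: provenance unresolved")
    elif p.oracle_approver == p.listing_approver:
        findings.append("oracle gate needs a second, separate approver")
    return findings

# Constructed sample data (placeholder addresses, not real contracts).
REAL, FAKE = "0x" + "aa" * 20, "0x" + "bb" * 20
impersonation = Proposal(FAKE, "alice", "alice")
evidence = [Attestation("telegram-chat", FAKE, True),
            Attestation("issuer-docs", REAL, False)]
if __name__ == "__main__":
    for f in review_listing(impersonation, evidence):
        print("BLOCK:", f)
```

In the constructed impersonation case, the address supplied over the proposer's own chat is ignored, so the proposal fails on provenance and the price feed is never attached.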
The "weeks of impersonation before the attack" timeline is also notable as a state-actor calling card. Lazarus and similar groups maintain dedicated personnel for these slow-burn operations precisely because the patience cost is much lower than the expected return on a successful exploit. Defending against this requires institutional processes that don't depend on individual team members' ability to spot patient social engineers.
Sources & on-chain evidence
- [01] halborn.com: https://www.halborn.com/blog/post/explained-the-ionic-money-hack-february-2025
- [02] rekt.news: https://rekt.news/ionic-money-rekt
- [03] quadrigainitiative.com: https://quadrigainitiative.com/casestudy/ionicmoneyfakelbtccollateralsocialengineering.php