
ZachXBT: British Hacker Linked to $243M Genesis Theft Likely Nabbed in Dubai

5 December 2025 at 13:22

A suspected British hacker linked to one of the largest single Bitcoin thefts ever recorded may have been detained in Dubai, according to claims made Friday by on-chain investigator ZachXBT.

In a post shared on his Telegram channel on December 5, ZachXBT said a man known online as “Danny” or “Meech,” identified as Danish Zulfiqar, appears to have been taken into custody by authorities, with a portion of the stolen crypto allegedly seized.

Source: ZachXBT

He pointed to roughly $18.58 million in digital assets now held in a single Ethereum wallet that he says is connected to the suspect.

ZachXBT noted that several wallets previously tied to the alleged hacker had funneled funds into the same address in a pattern commonly seen during law enforcement seizures.

He also claimed Zulfiqar was last known to be in Dubai, where a villa was reportedly raided.

Authorities Silent as Reports Surface of Possible Arrest in $243M Bitcoin Hack

According to the investigator, others linked to the suspect have also gone silent in recent days.

So far, there has been no official confirmation from Dubai Police or UAE authorities regarding any arrest, asset seizure, or raid connected to the case.

Local media outlets in the region have also not verified the claims.

The possible arrest follows months of investigation into the August 19, 2024, theft of 4,064 Bitcoin, worth about $243 million at the time. The funds were taken from a single Genesis creditor who accessed assets through Gemini.

ZachXBT made the case public in September, alleging the theft was carried out through a coordinated social engineering attack.

According to his findings, the attackers posed as Google support staff and convinced the victim to reset two-factor authentication.

They then used remote access software to take control of the account. After extracting the private keys, the attackers drained the wallet and moved the Bitcoin through a web of exchanges and swap services in an attempt to launder the funds.

ZachXBT initially tied the attack to three online aliases, “Greavys,” “Wiz,” and “Box”, later naming Malone Lam, Veer Chetal, and Jeandiel Serrano as the people behind those accounts.

He said his findings were shared with law enforcement authorities.

U.S. Charges, UK Guilty Plea, Thailand Arrest Mark New Phase of Crypto Crime Probes

U.S. prosecutors later filed criminal cases connected to related activity. In September 2024, the Department of Justice charged two suspects in a $230 million crypto fraud scheme.

Broader racketeering charges later described an operation totaling more than $263 million, including the Genesis-linked Bitcoin theft. Court documents outlined a mix of SIM swaps, social engineering tactics, and even physical burglaries.

Prosecutors said the stolen funds were spent on high-end cars, travel, and nightlife. One of the defendants, Veer Chetal, was later accused of carrying out another $2 million crypto theft while out on bond.

ZachXBT has also connected Zulfiqar to the August 2023 Kroll SIM swap incident, which exposed the personal data of creditors tied to BlockFi, Genesis, and FTX.

That breach later played a role in more than $300 million worth of crypto thefts through follow-up phishing and impersonation schemes.

The reported Dubai development comes as crypto-related law enforcement activity continues to pick up worldwide.

In October, Thai authorities arrested Liang Ai-Bing in Bangkok over an alleged $31 million crypto Ponzi scheme that ZachXBT had previously exposed.

🇹🇭 Thai police arrest alleged FINTOCH mastermind behind $31 million crypto Ponzi scheme that defrauded investors across multiple Asian countries. #Thailand #Police https://t.co/Mccq2KpZfb

— Cryptonews.com (@cryptonews) October 30, 2025

In the UK, authorities recently secured a guilty plea from Zhimin Qian in a case tied to what officials described as the largest crypto seizure in history, involving more than $6.7 billion in Bitcoin.

Outside of investigations, ZachXBT has also remained active in public disputes.

In November, he clashed with UFC fighter Conor McGregor over comments about Khabib Nurmagomedov’s NFT project, redirecting attention to McGregor’s own failed meme coin venture earlier this year.

The post ZachXBT: British Hacker Linked to $243M Genesis Theft Likely Nabbed in Dubai appeared first on Cryptonews.


Florida Court Revives $80M Binance Lawsuit Over Stolen Bitcoin Claims

4 December 2025 at 10:10

A Florida appeals court has reinstated a lawsuit accusing Binance of failing to freeze and recover roughly $80 million worth of stolen Bitcoin, reopening a case that had previously been dismissed over jurisdictional grounds.

According to Bloomberg Law, Florida’s Third District Court of Appeal ruled Wednesday that the lower court erred when it concluded it lacked personal jurisdiction over Binance Holdings Inc.

According to Bloomberg Law, Florida’s Third District Court of Appeal ruled Wednesday that a user who alleges roughly $80 million in BTC was stolen on Binance may revive a state-level lawsuit, finding the trial court erred in concluding it lacked personal jurisdiction over…

— Wu Blockchain (@WuBlockchain) December 4, 2025

The decision allows the plaintiff to proceed with a state-level lawsuit alleging that Binance failed to act quickly after the theft was reported.

Appeals Court Reverses Dismissal Saying Use of AWS Ties Binance to Florida

The case stems from a 2022 incident in which the plaintiff, identified as Michael Osterer, reported that about 1,000 Bitcoin was stolen from his wallet.

He claims the hackers transferred the funds to a Binance account, where the assets were converted and withdrawn before the exchange intervened.

Osterer alleges that Binance was negligent, breached its contractual duties, and enabled the laundering of stolen property by failing to freeze the assets promptly.

Osterer is seeking the full value of the stolen Bitcoin, estimated at roughly $80 million, along with interest. In 2023, he also attempted to expand the case into a class action on behalf of other victims whose stolen assets were allegedly routed through Binance.

A trial court initially dismissed the lawsuit after determining that Binance, which operates offshore, did not have sufficient connections to Florida to be sued in the state.

The appeals court overturned that finding, ruling that Binance’s U.S.-facing affiliates and its reliance on U.S. infrastructure were enough to establish jurisdiction.

The court specifically pointed to the exchange’s use of Amazon Web Services and its U.S. operational footprint as valid contacts with Florida.

The decision sends the case back to trial court, where Osterer will again be allowed to argue his claims under Florida state law.

The ruling adds to legal pressure on offshore crypto exchanges that have previously relied on jurisdictional defenses to block U.S. lawsuits involving stolen assets.

Binance may still seek to appeal the ruling or attempt to shift the dispute into arbitration, a strategy the company has pursued in other U.S. cases.

Even After Zhao’s Pardon, Binance Faces Fresh Legal Heat in the U.S.

The revived lawsuit comes as Binance continues to face sustained legal scrutiny in the United States. In November, the exchange and its founder, Changpeng Zhao, were named in a federal lawsuit filed by the families of victims of the October 2023 Hamas attack.

🔫 Families of the Hamas 2023 attack victims have sued Binance and CZ for facilitating $1 billion in crypto to the accounts of terror groups. #HamasCryptoFunding #Binance #ChangpengZhao https://t.co/lLG1d5D75l

— Cryptonews.com (@cryptonews) November 25, 2025

The plaintiffs accused Binance of knowingly facilitating crypto transactions tied to the militant group and helping move more than $1 billion through accounts linked to terrorist organizations.

Binance has denied the allegations and said it complies with international sanctions laws.

Earlier this year, Binance also sought to dismiss a separate class action brought by U.S. investors in California, arguing that an arbitration clause in its user agreement required private dispute resolution.

That case is tied to broader securities law claims alleging the exchange promoted unregistered crypto tokens and misled investors.

⚖ Binance is trying to dismiss a U.S. class action lawsuit, saying users agreed to arbitration—not court. #Binance #Securities #CryptoLawsuit https://t.co/c8VGpdC7CI

— Cryptonews.com (@cryptonews) May 20, 2025

Binance’s legal disputes in the United States have already led to some of the largest settlements in crypto history. In November 2023, the exchange agreed to pay $4.3 billion to resolve charges brought by the DOJ over violations of the Bank Secrecy Act.

Also, CZ pleaded guilty to a related criminal offense and accepted a separate $150 million personal settlement. Binance also paid $2.7 billion to settle a civil case with the Commodity Futures Trading Commission.

In May 2025, the U.S. Securities and Exchange Commission dropped its civil enforcement lawsuit against Binance and Zhao, bringing an end to a legal battle that had lasted more than two years.

Months later, in October, President Donald Trump issued a pardon to Zhao, wiping away the criminal conviction tied to the Justice Department case.

The post Florida Court Revives $80M Binance Lawsuit Over Stolen Bitcoin Claims appeared first on Cryptonews.

Shiba Inu Dev Alerts FBI After Shibarium Hack Trail Points To KuCoin

3 December 2025 at 12:00

Shiba Inu’s core development team is escalating its response to the Shibarium bridge exploit after a new on-chain investigation mapped the hacker’s Tornado Cash laundering trail to KuCoin deposit accounts. Reacting to on-chain sleuth Shima (@MRShimamoto) on X, core developer Kaal Dhairya wrote “Great work! This needs to be amplified. I will also ensure it’s sent to the FBI attached to the open investigation report and request Kucoin to cooperate.”

Shiba Inu Sleuth Exposes Shibarium Hacker

The Shibarium bridge was exploited in mid-September in an attack estimated at around $2.3–$2.4 million, after the perpetrator seized a super-majority of validator keys and withdrew assets including ETH, SHIB and KNINE. K9 Finance DAO, Shibarium’s liquid-staking partner, launched a bounty process that started at 5 ETH, later advanced to a 20 ETH smart-contract offer and ultimately to a final 25 ETH proposal endorsed directly by the Shiba Inu team. The exploiter never accepted, and K9 Finance has since confirmed that the unclaimed ETH in the bounty contract has been returned to contributors, with Shib.io receiving back 20 ETH.

In a detailed 1 December thread, Shima said the “Shibarium Bridge hacker foolishly chose not to accept the K9 bounty – it’s finally time to share the investigation we’ve been working on,” describing months of tracing that involved thousands of transactions and 111 wallets. His reconstruction shows 260 ETH flowing from exploit-linked wallets into Tornado Cash, with 232.49 ETH ultimately reaching KuCoin through 48 deposits into 45 unique KuCoin deposit addresses, which he believes are largely operated by money mules rather than the hacker directly.

According to his write-up and an accompanying MetaSleuth dashboard, the trail begins with the original exploit address and nine “dumping” wallets. Those wallets received the stolen tokens, liquidated them gradually for ETH over roughly a week, and sent a total of 260 ETH into Tornado Cash. Of that amount, 250 ETH entered the mixer’s 10-ETH pool and 10 ETH the 1-ETH pool in an attempt to break on-chain linkability between the hack and any later withdrawals.

The critical breakthrough, Shima says, came about forty days after the exploit. A wallet already tied to the hacker cluster sent exactly 0.0874 ETH to what was intended to be a clean Tornado withdrawal wallet. That minor top-up, he describes as “one stupid mistake” that “completely unravelled their Tornado Cash laundering,” because it established a direct on-chain connection between the exploit side of the graph and a supposedly anonymous post-mixer address. From that contaminated node he was able to work outward, clustering multiple Tornado withdrawal wallets, intermediaries and final KuCoin “funnel” wallets.

Shima reports that each funnel wallet typically routes funds to two KuCoin deposit addresses, creating a final cluster of 45 KuCoin endpoints and roughly two dozen depositors that he argues can be treated as money-mule cash-out accounts. He says the full address list, transaction graph and methodology were first shared privately with the Shibarium team so they could approach law enforcement and KuCoin while any funds remained within reach. However, he recounts that KuCoin’s fraud desk insisted on receiving a formal law-enforcement case number before acting on the evidence.
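The tracing logic described in the preceding paragraphs, as an added example that is not part of the original article and is not Shima's or MetaSleuth's tooling. It uses a constructed ledger of labelled transfers (the address names, amounts and the single 0.0874 ETH "top-up" edge are all assumptions modelled on the thread's description): taint is propagated forward from the exploit address, stops at the mixer, and is pulled across the mixer only by the contaminating transfer; a co-funding heuristic then folds sibling withdrawal wallets feeding the same funnel wallet into the cluster, and the exchange deposit addresses reached are totalled. Running the same trace with the top-up edge removed shows that, absent that mistake, the post-mixer side is unreachable.

```python
from collections import defaultdict, deque

# Constructed sample ledger, NOT real on-chain data: (sender, receiver, amount_eth).
# Addresses are labels; the 0.0874 ETH edge mirrors the top-up mistake the thread describes.
TRANSFERS = [
    ("exploit", "dump1",        150.0),
    ("exploit", "dump2",        110.0),
    ("dump1",   "tornado",      150.0),
    ("dump2",   "tornado",      110.0),
    ("tornado", "wd1",          100.0),    # Tornado withdrawals: unlinkable on their own
    ("tornado", "wd2",          100.0),
    ("dump2",   "wd1",            0.0874), # the top-up that links the two halves of the graph
    ("wd1",     "funnel1",       60.0),
    ("wd2",     "funnel1",       40.0),
    ("wd2",     "funnel2",       60.0),
    ("funnel1", "kucoin_dep_a",  50.0),
    ("funnel1", "kucoin_dep_b",  50.0),
    ("funnel2", "kucoin_dep_c",  60.0),
]
MIXERS = {"tornado"}
EXCHANGE_DEPOSITS = {"kucoin_dep_a", "kucoin_dep_b", "kucoin_dep_c"}


def index(transfers):
    out, inc = defaultdict(list), defaultdict(list)
    for s, d, v in transfers:
        out[s].append((d, v))
        inc[d].append((s, v))
    return out, inc


def expand_cluster(transfers, seeds, mixers, exchanges):
    """Forward taint from the seed addresses, stopping at mixers and exchange deposit
    addresses (sinks). A co-funding heuristic also folds the other funders of a tainted
    intermediary wallet into the cluster: this is how one contaminated post-mixer wallet
    drags its sibling withdrawal wallets into view."""
    out, inc = index(transfers)
    tainted, queue = set(seeds), deque(seeds)
    while queue:
        a = queue.popleft()
        if a in mixers or a in exchanges:
            continue
        for d, _ in out[a]:
            if d not in tainted:
                tainted.add(d)
                queue.append(d)
        if a not in seeds:
            for s, _ in inc[a]:
                if s not in tainted and s not in mixers:
                    tainted.add(s)
                    queue.append(s)
    return tainted


def linking_transfers(transfers, cluster, mixers):
    """Transfers from a pre-mixer cluster wallet straight into a wallet that also received
    from a mixer: the kind of slip that re-links a 'clean' withdrawal to the exploit."""
    post_mixer = {d for s, d, _ in transfers if s in mixers}
    return [(s, d, v) for s, d, v in transfers
            if s in cluster and s not in mixers and s not in post_mixer and d in post_mixer]


def exchange_exposure(transfers, tainted, exchanges):
    """(total ETH, distinct deposit addresses, deposit count) reaching exchange deposits."""
    hits = [(s, d, v) for s, d, v in transfers if s in tainted and d in exchanges]
    return sum(v for _, _, v in hits), len({d for _, d, _ in hits}), len(hits)


def trace(transfers=TRANSFERS):
    cluster = expand_cluster(transfers, {"exploit"}, MIXERS, EXCHANGE_DEPOSITS)
    return (linking_transfers(transfers, cluster, MIXERS),
            exchange_exposure(transfers, cluster, EXCHANGE_DEPOSITS))


if __name__ == "__main__":
    print(trace())
    print(trace([t for t in TRANSFERS if (t[0], t[1]) != ("dump2", "wd1")]))
```

The co-funding step is a heuristic, not proof: two wallets paying into the same funnel wallet are usually one operator, but a shared deposit address at a service can produce the same pattern, so a real investigation checks each merged wallet against the services it touches before treating it as part of the cluster.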

The official ShibariumNet X account has now publicly backed the research: “Thanks to @MRShimamoto for doing all the hard work here to compile this thread. We truly appreciate your diligence and methodical approach. Hopefully this investigation can continue with the help of the proper authorities. The communities need answers.”

At press time, Shiba Inu (SHIB) traded at $0.00000878.

Shiba Inu price

Yearn Finance Suffers $9M Breach As Attacker Creates Endless yETH Tokens

1 December 2025 at 08:30

Yearn Finance reported that a legacy yETH product was hit by an exploit that allowed an attacker to mint a massive amount of fake tokens and swap them for real assets.

According to on-chain alerts and protocol statements, the attacker created a near-infinite supply of yETH in a single transaction, then used those tokens to pull ETH and liquid-staking derivatives from liquidity pools.

The incident was first flagged on November 30, 2025, and the total impact has been reported at roughly $9 million.

#PeckShieldAlert Yearn Finance @yearnfi suffered an attack resulting in a total loss of ~$9M.

The exploit involved minting a near-infinite number of yETH tokens, depleting the pool in a single transaction.

~1K $ETH (worth ~$3M) was sent to #TornadoCash, while the exploiter’s… pic.twitter.com/IXNygpwoWa

— PeckShieldAlert (@PeckShieldAlert) December 1, 2025

How The Exploit Worked

Based on reports, the attacker took advantage of a flaw in the yETH minting logic and produced tokens on the order of 235 trillion in one go.

Those worthless tokens were then swapped for real assets from Balancer and Curve pools tied to the product, emptying liquidity in minutes. Chain monitors and security researchers showed the mint and subsequent swaps unfolding very quickly on the blockchain.
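The kind of monitoring rule that flags an incident like this within the same block, as an added example that is not part of the article and not PeckShield's or Yearn's code. It replays a constructed stream of ERC-20 style Transfer events (the pool label, addresses, starting supply and reserves are all assumptions; the 235 trillion mint size is the figure reported above): a mint is any transfer from the zero address, a single mint that exceeds a fixed fraction of the prior supply raises an alert, and a large outflow from a monitored pool in the same transaction as an anomalous mint raises a second, higher-confidence alert.

```python
ZERO = "0x0000000000000000000000000000000000000000"
MAX_MINT_RATIO = 0.05         # one mint above 5% of prior supply is abnormal for a live token
MAX_POOL_OUTFLOW_RATIO = 0.5  # half of a pool's reserve leaving in one tx is abnormal


def replay(events, supply, reserves, pools):
    """Walk Transfer events in order, keeping running token supply and pool reserves.
    Returns a list of (rule, tx_hash, detail) alerts."""
    alerts, mint_txs = [], set()
    for e in events:
        tok, amt, tx = e["token"], e["amount"], e["tx"]
        if e["from"] == ZERO:                       # a transfer from 0x0 is a mint
            before = supply.get(tok, 0)
            supply[tok] = before + amt
            ratio = amt / before if before else float("inf")
            if ratio > MAX_MINT_RATIO:
                alerts.append(("anomalous_mint", tx, {"token": tok, "amount": amt, "ratio": ratio}))
                mint_txs.add(tx)
        if e["from"] in pools:                      # outflow from a monitored pool
            key = (e["from"], tok)
            before = reserves.get(key, 0)
            reserves[key] = before - amt
            if tx in mint_txs and before and amt / before > MAX_POOL_OUTFLOW_RATIO:
                alerts.append(("pool_drain_in_mint_tx", tx,
                               {"pool": e["from"], "token": tok, "amount": amt}))
        if e["to"] in pools:                        # inflow to a monitored pool
            key = (e["to"], tok)
            reserves[key] = reserves.get(key, 0) + amt
    return alerts


# Constructed events, NOT real chain data. tx1 is a normal mint-and-swap; tx2 is the pattern
# described above: a mint far beyond the existing supply, dumped into the pool for WETH.
POOL = "0xPOOL_yeth_stableswap"  # constructed label, not the real pool address
EVENTS = [
    {"tx": "0xtx1", "token": "yETH", "from": ZERO,        "to": "0xalice",    "amount": 100},
    {"tx": "0xtx1", "token": "yETH", "from": "0xalice",   "to": POOL,         "amount": 100},
    {"tx": "0xtx1", "token": "WETH", "from": POOL,        "to": "0xalice",    "amount": 99},
    {"tx": "0xtx2", "token": "yETH", "from": ZERO,        "to": "0xattacker", "amount": 235_000_000_000_000},
    {"tx": "0xtx2", "token": "yETH", "from": "0xattacker", "to": POOL,        "amount": 235_000_000_000_000},
    {"tx": "0xtx2", "token": "WETH", "from": POOL,        "to": "0xattacker", "amount": 3000},
]


def run_demo():
    supply = {"yETH": 50_000}                                   # assumed prior supply
    reserves = {(POOL, "yETH"): 25_000, (POOL, "WETH"): 4_000}  # assumed pool reserves
    return replay(EVENTS, supply, reserves, {POOL})


if __name__ == "__main__":
    for rule, tx, detail in run_demo():
        print(rule, tx, detail)
```

Because both rules fire on the same transaction, an alert pipeline can escalate on the pair rather than on the mint alone, which matters when a legitimate large mint (a migration, for example) would otherwise page on-call for nothing; the thresholds are assumptions to be tuned per token.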

At 21:11 UTC on Nov 30, an incident occurred involving the yETH stableswap pool that resulted in the minting of a large amount of yETH. The contract impacted is a custom version of popular stableswap code, unrelated to other Yearn products. Yearn V2/V3 vaults are not at risk.

— yearn (@yearnfi) December 1, 2025

What Assets Were Taken

Reports have disclosed that roughly $8 million was pulled from the main yETH stable-swap pool, while about $0.9 million was taken from a yETH–WETH pool.

In addition, roughly 1,000 ETH—valued at about $3 million at the time of movement—was sent to Tornado Cash in attempts to obscure the trail. The attacker converted fake yETH into a mix of ETH and liquid staking tokens before attempting to launder funds.

Impact On Yearn’s Core Products

According to Yearn officials and follow-up coverage, the breach was limited to an older, legacy implementation of the yETH product and did not affect Yearn’s main V2 and V3 vaults.

Deposits into the affected pool were isolated while the team and outside experts began an investigation. This isolation is said to have kept the bulk of user funds in active vaults from being touched.

Market Reaction And Wider Concerns

Crypto markets saw selling pressure as the news spread, with traders weighing the risk that comes from combining liquid staking tokens with custom swap code.

Yearn Finance said it is working with outside security teams to run a post-mortem and to patch the vulnerability. Based on reports, teams named in coverage include external auditors and blockchain investigators who are tracking the stolen funds and advising on recovery options.

The protocol’s notice warned users about the affected legacy product and urged caution while the review continues.

Featured image from Unsplash, chart from TradingView

Upbit Finds Critical Wallet Flaw Amid Probe Into $30M Hack

By: Amin Ayan
29 November 2025 at 05:30

South Korea’s largest cryptocurrency exchange, Upbit, said it uncovered and repaired a serious flaw in its internal wallet system while investigating the recent $30 million theft from the platform.

Key Takeaways:

  • Upbit found and fixed a wallet flaw that could have exposed private keys, but has not confirmed it caused the $30M hack.
  • The breach drained about 44.5 billion won, while roughly 2.3 billion won has already been frozen.
  • The exchange halted activity, moved funds to cold storage, and pledged full reimbursement.

In a statement released Friday, Upbit CEO Oh Kyung-seok disclosed that engineers identified a weakness in the exchange’s wallet software that could have allowed attackers to infer private keys by studying publicly available blockchain data.

However, the crypto firm has not confirmed whether the vulnerability played a role in the breach.

Upbit Says Internal Wallet Bug May Have Exposed Private Keys

The flaw did not stem from the blockchains themselves but from how Upbit’s wallet software generated cryptographic signatures.

According to the exchange, the issue may have produced weak or predictable signing data, creating the possibility that a sophisticated attacker could mathematically reconstruct wallet keys by analyzing historical transactions.
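The article does not say what kind of signing defect Upbit found. One well-known way that "weak or predictable signing data" lets an observer recover a private key from public transactions is ECDSA nonce reuse: if the same per-signature nonce k is used to sign two different messages, both signatures share the same r value, and that repetition is visible on-chain. The block below is an added example, not Upbit's code and not a description of Upbit's actual flaw; it implements textbook ECDSA on secp256k1 (Solana itself uses Ed25519, so the curve here is an illustrative assumption), signs constructed messages once with a fixed nonce and once with a per-message derived nonce, and runs the audit a custodian would run over its own signature history: group signatures by (public key, r) and flag any group covering more than one distinct message hash. The key, messages and nonce derivation are all constructed for the demo.

```python
import hashlib
import hmac
from collections import defaultdict

# secp256k1 domain parameters (the curve used by Bitcoin and Ethereum).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(A, B):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def scalar_mult(k, point):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, point)
        point = point_add(point, point)
        k >>= 1
    return acc


def sign(priv, z, k):
    """Textbook ECDSA. The caller supplies the nonce k, which is the whole point here."""
    r = scalar_mult(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    return r, s


def verify(pub, z, sig):
    r, s = sig
    w = pow(s, -1, N)
    X = point_add(scalar_mult(z * w % N, G), scalar_mult(r * w % N, pub))
    return X is not None and X[0] % N == r


def derive_nonce(priv, z):
    """Per-message nonce from (key, message) via HMAC-SHA256. A simplified stand-in for
    the RFC 6979 construction, not the RFC itself; production code uses a vetted library."""
    mac = hmac.new(priv.to_bytes(32, "big"), z.to_bytes(32, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % N or 1


def audit_nonce_reuse(records):
    """records: (pubkey, msg_hash, (r, s)). A (pubkey, r) pair seen with two or more
    distinct message hashes means one nonce signed different messages."""
    seen = defaultdict(set)
    for pub, z, (r, _) in records:
        seen[(pub, r)].add(z)
    return [(pub, r, sorted(zs)) for (pub, r), zs in seen.items() if len(zs) > 1]


# Constructed demo key, NOT a real wallet key.
PRIV = int.from_bytes(hashlib.sha256(b"constructed audit demo key").digest(), "big") % N
PUB = scalar_mult(PRIV, G)
WEAK_NONCE = 0x1337  # a fixed nonce: the classic "predictable signing data" failure


def make_records(use_weak_nonce):
    """Sign three constructed withdrawal messages with the demo key."""
    records = []
    for msg in (b"withdraw 1", b"withdraw 2", b"withdraw 3"):
        z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
        k = WEAK_NONCE if use_weak_nonce else derive_nonce(PRIV, z)
        records.append((PUB, z, sign(PRIV, z, k)))
    return records


if __name__ == "__main__":
    print("weak nonce findings:", len(audit_nonce_reuse(make_records(True))))
    print("derived nonce findings:", len(audit_nonce_reuse(make_records(False))))
```

The audit needs nothing secret: r values are part of every published signature, so a custodian can run it continuously over its own outgoing transactions and treat any hit as a key-rotation event, which is the defensive counterpart of the "analyzing historical transactions" risk the exchange describes.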

“We identified and addressed the vulnerability during a comprehensive inspection of all related networks and wallet systems,” Oh said, adding that the company activated emergency response protocols and halted all withdrawals and deposits until systems were verified as secure.

Upbit stopped onchain activity on November 26 after detecting abnormal outflows from its Solana-based hot wallets.

Tokens impacted included SOL, ORCA, RAY and JUP, the exchange said. Assets were quickly transferred to cold storage while forensic reviews began.

Losses totaled an estimated 44.5 billion won ($30 million), including about 38.6 billion won ($26 million) in customer holdings.

Upbit says attackers might have inferred private keys by analyzing user wallet address patterns. If true, I doubt anyone other than North Korean hackers (Lazarus) could do this. pic.twitter.com/cS4I8okrVb

— Ki Young Ju (@ki_young_ju) November 28, 2025

The exchange confirmed that approximately 2.3 billion won ($1.5 million) in funds have already been frozen through coordination with external parties.

Upbit emphasized that it has not established a direct link between the wallet vulnerability and the theft. The issue was discovered only during an internal audit triggered by the incident.

“No security system can ever be considered perfect,” Oh said, pledging infrastructure upgrades and continued transparency as investigations continue.

The company said all affected users would be reimbursed in full using internal reserves. Withdrawals and deposits will remain suspended until final security inspections are completed.

South Korean Probe Points to North Korea’s Lazarus Group in Upbit Hack

South Korean authorities have launched an investigation, and local reports have cited early intelligence assessments that allegedly connect the intrusion to North Korea’s Lazarus Group.

The group has previously been linked to crypto thefts aimed at generating revenue for Pyongyang amid persistent foreign currency shortages.

Officials believe this time the hackers may have bypassed core infrastructure by impersonating administrators or compromising internal accounts to authorize the withdrawal.

Upbit continues to work with law enforcement agencies and blockchain projects to freeze and recover assets where possible, the exchange said.

The incident comes at a sensitive moment for Upbit’s parent company, Dunamu, which is preparing for a merger with South Korean internet giant Naver ahead of a potential public listing.

The post Upbit Finds Critical Wallet Flaw Amid Probe Into $30M Hack appeared first on Cryptonews.

Upbit $30 Million Hack Update: Authorities Link Breach To North Korean Hackers

29 November 2025 at 02:00

South Korea’s largest cryptocurrency exchange, Upbit, is currently under scrutiny by regulators following a significant hack that led to the unauthorized withdrawal of approximately $36.9 million in assets on the Solana (SOL) network. The breach impacted over 20 different tokens and has prompted Upbit to freeze assets on its platform while an investigation unfolds.

Lazarus Group Tied To Upbit Hack

Authorities are now investigating the possibility of North Korean involvement in the cyber attack. Reports suggest that a group affiliated with North Korea’s intelligence agency, the notorious Lazarus Group, may have orchestrated the hack, which Upbit has described as an “abnormal withdrawal.”

This group has been consistently linked to several high-profile crypto heists in recent years, and the US Federal Bureau of Investigation (FBI) has identified North Korean cyber operations as one of the most sophisticated and persistent threats.

The recent attack coincidentally occurred just days before the sixth anniversary of a previous major breach, in which Upbit lost 342,000 Ethereum (ETH) to North Korean hackers.

According to an unnamed government official, this latest hack bears similarities to a 2019 incident in which approximately 58 billion won in cryptocurrencies was stolen, also attributed to the Lazarus Group.

In response to the attack, the South Korean National Police Agency has launched an investigation into the matter, although officials have not provided further comments on the case. Upbit’s operator, Dunamu, confirmed that an in-depth investigation into the cause and extent of the asset outflow is currently underway.

Crypto Exchange Moves Funds To Cold Storage

The cryptocurrency exchange’s CEO Oh Kyung-seok stated that as soon as abnormal withdrawal activity was detected, Upbit promptly suspended all deposit and withdrawal services.

“We are conducting a comprehensive inspection, prioritizing the protection of member assets,” he said in a notice to users. Following the discovery of the unauthorized transactions, Upbit has taken steps to freeze the affected funds wherever possible.

To prevent any further unauthorized transfers, the exchange has shifted all remaining assets to cold storage, ensuring “a secure environment for funds.”

Upbit is also said to be working with relevant project teams to freeze assets on-chain, having already blocked a portion of the stolen funds related to the cryptocurrency Solayer (LAYER). The exchange has indicated that deposits and withdrawals will only resume once full security checks are completed.

Dunamu has vowed to reimburse customers for any losses with business funds as part of its commitment to its users. It remains to be seen what additional information the country’s authorities will release in the coming days, as well as potential refund deadlines for affected individuals.

Upbit

Featured image from DALL-E, chart from TradingView.com

Upbit’s $32 Million Mystery Theft Points Toward Lazarus Group

28 November 2025 at 17:00

Upbit, South Korea’s biggest cryptocurrency exchange, said it found unusual withdrawals from one of its Solana hot wallets and moved quickly to stop trades and protect customers.

According to company statements and law enforcement sources, about 44.5 billion Korean won — roughly $32 million — vanished in the incident that surfaced late November 2025. Upbit paused deposits and withdrawals and said it would repay affected users from its own reserves.

Suspected North Korean Ties

Based on reports from investigators and industry watchers, authorities are examining links to the Lazarus Group, a cyber unit long tied to North Korea.

Security teams point to methods similar to earlier attacks attributed to the same group, including a major breach in 2019 that took 342,000 ETH from the exchange.

Officials say the pattern of rapid withdrawals, quick cross-chain transfers, and spreading funds across many wallets matches tactics used in past nation-linked operations.

today south korea blamed north korea for the upbit hack nice headline but that part came later

so what actually happened?

an unknown attacker drained a few of upbit’s hot wallets waited a bit then started moving funds across chains

at some point the hacker bridged usdc from… pic.twitter.com/swq8yjIOLR

— trix (@trixwtb) November 28, 2025

How The Funds Were Moved

Reports have disclosed that the stolen tokens were moved off Solana, converted through several bridges, and routed through multiple chains to make tracking harder.

Transfers happened fast and in many small transactions, which complicates tracing attempts on the blockchain. Blockchain analysts are combing transaction histories, but the bridge conversions and mixing steps slow down any straightforward recovery efforts.

On-Site Checks And Ongoing Forensics

Authorities have launched inspections at Upbit’s systems and are reviewing logs, admin access records, and wallet backups.

According to sources close to the probe, investigators suspect an admin credential compromise or impersonation rather than a simple software flaw in Upbit’s servers.

While evidence is still being gathered, forensic teams are looking for the entry point used to sign the withdrawal transactions and any indicators of outside control.

Investigation And Market Impact

The timing of the theft drew attention because it coincided with corporate news: Upbit’s parent, Dunamu, had public talk of a merger with Naver valued at about $10.3 billion.

Market players noted the coincidence, and some suggested the attack could aim to distract or unsettle stakeholders. For investors, exchanges, and regulators, the incident renews calls for stricter custody controls, better separation of hot and cold wallets, and clearer rules for large crypto platforms.

Yonhap News reports that South Korea’s largest crypto exchange, Upbit, suffered a hack worth about 44.5 billion KRW ($32 million). Authorities are investigating whether North Korea’s Lazarus Group was behind the attack. The group was also linked to Upbit’s 2019 theft of 58…

— Wu Blockchain (@WuBlockchain) November 28, 2025

Upbit has pledged full reimbursement to users hit by the theft and says it will share findings when the probe allows. Based on reports, tracing and recovery work is ongoing but will be slow because of how the assets were fragmented and moved across chains.

Watchers say confirmation of Lazarus involvement would mark another example of how state-linked actors continue to target major crypto firms.

Authorities have not yet publicly released a definitive attribution. The next steps to watch include any formal statements from prosecutors, whether any of the moved funds are frozen or returned, and how regulators will respond to reduce the chance of similar losses.

Featured image from Advance Innovations, chart from TradingView

$32 Million Crypto Heist: North Korea’s Lazarus Suspected In Upbit Breach

28 November 2025 at 15:00

South Korea’s largest cryptocurrency exchange, Upbit, is facing a second major security crisis after 44.5 billion won (around $30–32 million) in digital assets were drained from a hot wallet, with authorities “strongly” suspecting North Korea’s Lazarus Group.

According to ICT industry sources and government officials cited by Yonhap News on November 28, investigators are focusing on Lazarus, a hacking unit under North Korea’s Reconnaissance General Bureau, as the likely perpetrator. The group was also suspected in Upbit’s 2019 breach, when approximately 58 billion won in Ethereum was stolen.

North Korean Crypto Hackers Strike Again

The latest incident again centers on a hot wallet — an internet-connected operational wallet — replicating the core vulnerability of 2019. A government official quoted by Yonhap said the attack likely did not involve a deep server exploit but instead an administrative compromise: “Rather than a server attack, it’s possible they compromised an administrator account or impersonated an administrator to transfer funds,” adding that because the earlier hack used this method, “we consider this approach the most likely.”

Security experts point to the post-hack on-chain behavior as key circumstantial evidence. After the theft, the funds were rapidly “hopped” through other exchange wallets and then subjected to “mixing,” a laundering technique designed to break traceability.

One expert noted that “funds were hopped to other exchange wallets before mixing occurred. This can be seen as the modus operandi of the Lazarus Group,” adding that “once mixing occurs, transactions become untraceable.” Because FATF member countries cannot legally operate mixing services, the expert argued it is “highly likely North Korea was responsible.”

The timing has raised additional suspicion. The hack occurred on November 27, the same day Naver and Upbit operator Dunamu held a high-profile joint press conference at Naver’s “1784” headquarters to present their group-integration and AI/Web3 expansion strategy.

A security expert suggested the date may have been intentionally chosen: “Hackers often have a strong desire to show off. It’s possible they chose the 27th as the hacking date to flaunt their timing, selecting the very day of the merger announcement.” The attack also lands almost exactly six years after Upbit’s 2019 hack, which occurred on November 27.

Regulatory and supervisory bodies have moved quickly. Following a December interpretation by the Financial Services Commission that virtual asset exchanges’ user transaction data falls under the Credit Information Act, the Financial Supervisory Service and the Korea Financial Security Institute have launched an on-site inspection of Upbit. The Korea Internet & Security Agency has joined to provide technical support.

At press time, the total crypto market cap stood at $3.07 trillion.

Total crypto market cap

Balancer Proposes $8M Reimbursement Plan After $128M DeFi Exploit

By: Amin Ayan
28 November 2025 at 06:19

Balancer has unveiled a plan to compensate users following a major exploit this month that drained more than $128 million from its V2 liquidity pools across multiple blockchains, marking one of the largest decentralized finance breaches of the year.

Key Takeaways:

  • Balancer plans to reimburse about $8 million to affected users after a $128 million exploit hit its V2 pools.
  • Around $28 million was recovered in total through whitehat actions and internal rescue efforts.
  • The remaining $19.7 million will be repaid separately by StakeWise through its own governance process.

A proposal published Thursday by two community members lays out a framework to return roughly $8 million in recovered assets to affected liquidity providers.

The funds come from a mix of whitehat interventions and internal recovery efforts carried out during and after the attack. Community feedback is now being sought before any final decision is made.

Balancer Recovers $28M After Exploit Forces Protocol Shutdown

The exploit affected pools on five different networks and forced Balancer to pause portions of the protocol as security teams and outside researchers rushed to safeguard vulnerable assets.

In total, around $28 million of the stolen funds were eventually recovered through coordinated rescue efforts involving independent security researchers, Balancer’s internal team, and third parties.

Under the proposal, the reimbursement plan will cover only the $8 million rescued directly by whitehats and Balancer’s internal operations.

The remaining $19.7 million, held in osETH and osGNO, will be reimbursed separately through the governance process of Ethereum liquid staking protocol StakeWise, which has committed to returning funds to its impacted users.

The framework follows Balancer DAO’s Safe Harbor Agreement, which outlines the terms for whitehat recoveries and compensation.

Bounties are issued in the same assets recovered and cannot be taken directly from user funds.

Whitehat participants are set to receive a 10% bounty, capped at $1 million per operation, once they complete identity verification, compliance screening, and other legal checks.

Here's everything you need to know about the Balancer Hack:

1. The attack targeted Balancer's V2 vaults and liquidity pools, exploiting a vulnerability in smart contract interactions. Preliminary analysis from on-chain investigators points to a maliciously deployed contract that… pic.twitter.com/udAM4hB0OD

— Adi (@AdiFlips) November 3, 2025

Whitehat ‘Anon #1’ Led Balancer Rescue With $2.7M Recovery on Polygon

The proposal identifies six whitehat actors who collectively recovered about $3.9 million across several networks.

One hacker, referred to as “Anon #1,” accounted for the largest single recovery after securing $2.68 million in assets on Polygon, including WPOL, MaticX, TruMATIC, and stMatic tokens.

Balancer also coordinated internal rescue operations with security firm Certora, recovering an additional $4.1 million from metastable pools on Ethereum, Optimism, and Arbitrum that were deemed at risk but had not yet been exploited.

To claim funds, affected users will be required to digitally accept new terms and release Balancer Labs, its DAO, and related entities from legal liability tied to the incident.

A 180-day claim window is included, after which any unclaimed funds may be reassigned through future governance votes.

Crypto investors lost over $2.2 billion to hacks, scams, and breaches in the first half of 2025, driven largely by wallet compromises and phishing attacks, according to CertiK’s latest security report.

Wallet breaches alone caused $1.7 billion in losses across just 34 incidents, while phishing scams accounted for over $410 million across 132 attacks.

The post Balancer Proposes $8M Reimbursement Plan After $128M DeFi Exploit appeared first on Cryptonews.

South Korea links $30M Upbit hack to North Korea’s Lazarus Group

By: Rony Roy
28 November 2025 at 01:16
South Korean authorities suspect that the November Upbit hack may have been masterminded by the notorious Lazarus Group. Unnamed industry sources told local media that the North Korean state-backed hackers may have been behind the breach, as the recent attack…
