Taiko bridge exploited
The Taiko bridge, which allows assets to be transferred between the Ethereum mainnet and the Taiko Ethereum layer-2 chain, was exploited for at least $1.7 million before the network was halted, limiting losses. An attacker was able to forge withdrawal requests to appear as though they matched real deposits. Crypto security firm BlockSec said that the attacker may have gained access to a signing key that had been exposed on GitHub.
Highly active MEV bot known as jaredfromsubway.eth drained for $7.7 million
On blockchains like Ethereum, a strategy known as "MEV" (short for "maximal extractable value") allows intermediaries to profit from manipulating the structure of blocks added to the chain — often reordering or "sandwiching" transactions in ways that extract profits. Automated software known as MEV bots make a business out of this strategy, and one of the most active is a bot called jaredfromsubway.eth — likely so named after one-time Subway spokesman and convicted sex offender Jared Fogle because of its strategy of "sandwiching" transactions by placing trades on both sides, causing the original trader to pay more.
On June 20, an attacker used a series of contracts to cause the bot to grant token approvals that were later used to drain 4,427 ETH ($7.7 million). Some of the funds were then laundered through Tornado Cash.
Main Street USD (msUSD) loses its dollar peg
Main Street USD, also known as msUSD, lost its dollar peg and crashed to around $0.25. At points, the token dipped as low as around $0.06. The asset, issued by Main Street Finance, is supposed to be redeemable 1:1 with Circle's USDC stablecoin. It's used as part of a yield strategy that is marketed as "democratizing the options box spread strategy through a stablecoin". Prior to the depeg, there was about $80 million msUSD in circulation.
On June 20, the verification provider Accountable announced that they had "terminated its service agreement with MainStreet, effective immediately. MainStreet was unable to meet our verification standards." The sudden loss of confidence in the token caused the price to plummet as holders rushed to withdraw funds.
Main Street issued a statement, claiming that "Mainstreet remains fully backed" and that "this is an infrastructure and reporting issue, not a solvency issue." However, they noted that "while our portfolio remains fully backed, converting positions into immediate liquidity depends on prevailing market depth and market-maker appetite."
Aztec Connect hacked for a second time in less than a week
Three days after Aztec Labs' deprecated Aztec Connect blockchain bridge was exploited for $2.1 million, the project has been hacked again for the same amount. Aztec Labs confirmed the second exploit, again trying to emphasize that the code was deprecated four years ago.
The hacks are part of a spate of exploits targeting legacy smart contracts belonging to projects including Raydium and DxSale. Although some projects have developed techniques to circumvent the immutable nature of blockchains and allow smart contracts to be upgraded or retired, many legacy contracts cannot be changed or shut down, leaving them vulnerable to attack indefinitely.
Pudgy Penguins shuts down Pudgy Party NFT game after losing millions in less than ten months
The Pudgy Penguins NFT brand announced it would be shutting down its Pudgy Party NFT games less than ten months after its launch. The game was a mobile battle royale game, but built on crypto rails, with NFTs used for in-game items and characters that players could buy and sell. Pudgy Penguins seemed aware that the crypto aspect would be off-putting to many players, telling Decrypt in December 2025 that they were downplaying the crypto side of things "because the world is not ready for NFTs or crypto, or even blockchain en masse yet. But soon, very, very soon, we're going to use Pudgy Party as the glue between Web3 and Web2."
Although Pudgy Penguins CEO Lucas Netz boasted on Twitter in December about "1M+ downloads today. 10M+ downloads soon." he later admitted interest in the game had quickly died off. In a community call to announce the game's shutdown, Netz acknowledged that within months of the launch, there were only 200–300 active players. The project had lost the company millions of dollars, he confessed.
Deprecated project Aztec Connect exploited for $2.1 million
Aztec Connect, an abandoned defi privacy bridge from Aztec Labs, was drained of $2.1 million after an attacker exploited a bug in the project's smart contracts. Although the project was deprecated three years ago, funds remained in the legacy system. "Aztec Labs holds no admin keys or control over the system; it cannot be paused or upgraded by us," the project posted on social media.
The theft is only the latest in a string of attacks targeting vulnerable legacy smart contracts, many of which cannot be deleted, paused, or changed due to blockchains' immutable nature. Raydium and DxSale are two other platforms that have recently suffered losses due to old, insecure code.
Secret bridge exploited for $4.67 million a week before anyone notices
The bridge between the Cosmos-based Secret network and Axelar network was exploited via an infinite mint bug that went unnoticed for a week. An attacker exploited a smart contract in order to mint a large quantity of wrapped Axelar tokens on the Secret network, which they then redeeemed for around $4.67 million.
The exploit, which occurred on June 10, went unnoticed until June 17, when a transaction failed with a message suggesting that more tokens had been bridged out of the Secret network than had been bridged in.
Secret has warned, "If you hold Axelar-bridged saXXX tokens on Secret, please be aware their backing was affected and your funds may be lost."
Raydium users lose $1.34 million after legacy smart contract exploited
An attacker exploited a legacy smart contract that had been used by the Raydium Solana DEX before it was deprecated in 2021. Though the contract was unused, there were still funds in the liquidity pools affected by the vulnerable contract. Using fake LP tokens, the exploiter was able to trick an old smart contract with insufficient validation into allowing them to withdraw assets.
Raydium has said it will compensate users who lost funds in the exploit.
Humanity Protocol loses $36 million to employee laptop compromise
Humanity Protocol, a decentralized identity project that uses palm scans to try to prove that users are human, has suffered a $36 million loss after attackers compromised a laptop belonging to an employee. After the laptop was infected with malware, the malicious code gained root access, then stole seven private keys that were reportedly accidentally stored in a backup. Several of the keys were sufficient to satisfy multisignature requirements, which are intended to prevent private key leaks from allowing attackers to gain control over sensitive infrastructure like bridges. With multisignature wallets, keys are supposed to be stored separately across multiple individuals and devices; however, in this case, attackers only needed to compromise one laptop to gain control over multisig-protected contracts.
With the keys, the attacker stole more than 6 million of Humanity's H token, then used other keys to upgrade a bridge and drain 141 million more tokens. With the bridge access, they also minted 300 million new H tokens. The attacker then quickly swapped the ill-gotten tokens for ETH, causing the H price to plummet by 80–90%.
Humanity Protocol markets itself as a competitor to Sam Altman's World (formerly Worldcoin), a decentralized identity project that aims to use iris scans to prove that users are unique humans. Humanity raised $20 million in 2025 from Pantera Capital and Jump Crypto.
Thief steals remaining 7,200 unsold The Kiss NFTs in digital museum heist
Remember when Austria's otherwise respectable Belvedere Museum sold 10,000 NFTs representing postage-stamp sized sections of Gustav Klimt's The Kiss for like $2,000 a pop? No? Don't worry, I've got you.
Only about a quarter of them ever sold, leaving about 7,200 of them on the digital shelves. That is, until they were stolen (or, as the museum put it, "transferred from the wallet without authorization"). If valued at their sale price the stolen NFTs would be worth €13.32 million (US$15.3 million), though it's hard to argue the thief could've ever sold them for that amount given the museum had failed to do so for several years.
The stolen NFTs were soon made even less appealing to prospective buyers when the museum un-linked the image files from the digital assets, and OpenSea blocked them from trading.
- Hacker stahl dem Belvedere 7200 NFT-Zertifikate von Klimts "Kuss", Der Standard (in German) [archive]
