Blockchain Security Brief
The weekly record of web3's darkest hours

Monday, January 19, 2026

Legacy code keeps paying out, operations keep breaking, and off-chain security keeps doing most of the damage.

This week:

• TrueBit loses $26.2M to a five-year-old contract no one bothered to verify, proving abandoned code is still active capital for attackers.

• YO Protocol vaporizes $3.71M by signing a rebalance with broken slippage settings, showing that bad parameters are as dangerous as exploits.

• Data leaks, Telegram scams, malicious browser extensions, and on-chain ransomware remind us that most “crypto hacks” still start off-chain.

Top Exploits

When legacy code becomes a museum piece and operational controls become optional, DeFi doesn’t get hacked. It gets harvested by anyone patient enough to read bytecode.

TrueBit donates $26.2M to anyone willing to decompile five-year-old math. An abandoned proxy contract with unverified bytecode and 2021-era Solidity finally met someone curious enough to test it. One unchecked addition overflowed the bonding curve, minting hundreds of millions of TRU for near zero cost, burning them back for real ETH, and looping five times in a single transaction. 8,535 ETH disappeared into Tornado Cash. TRU went from $0.16 to effectively zero in hours. No audits, no verified source, no active monitoring, just a slogan that read “Don’t just trust, verify” sitting on top of code nobody had verified since 2021. DeFi learned again that legacy contracts aren’t dead, they’re loot boxes waiting to be opened. (Read more)
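To make the bug class concrete, here is an added model (not TrueBit's contract, whose source is unverified) of a bonding-curve quote where the supply update uses pre-0.8 Solidity semantics, so the addition silently wraps at 2**256, beside the same quote with checked arithmetic. The curve shape, SLOPE and sample supply are all constructed assumptions.

```python
# Constructed model of an unchecked-addition overflow in a bonding curve.
# Hypothetical curve, not TrueBit's code: price(s) = s // SLOPE wei per token,
# and a mint of `amount` tokens is charged amount * price(post-mint supply).
UINT256_MOD = 2**256
WEI = 10**18
SLOPE = 10**9  # assumption: 1M tokens outstanding -> 0.001 ETH per token


class Reverted(Exception):
    """Stands in for the EVM revert that Solidity >=0.8 (or SafeMath) emits."""


def add_unchecked(a: int, b: int) -> int:
    """Solidity <0.8 semantics: the sum wraps modulo 2**256, no error."""
    return (a + b) % UINT256_MOD


def add_checked(a: int, b: int) -> int:
    """Solidity >=0.8 / SafeMath semantics: a carry out of 256 bits reverts."""
    if a + b >= UINT256_MOD:
        raise Reverted("uint256 addition overflow")
    return a + b


def mint_cost(supply: int, amount: int, add) -> int:
    """Wei owed for `amount` new tokens; only the `add` primitive differs."""
    new_supply = add(supply, amount)          # the one addition that matters
    price_per_token = new_supply // SLOPE     # wei per whole token
    return amount * price_per_token // WEI


def unchecked_quote(supply: int, amount: int) -> int:
    return mint_cost(supply, amount, add_unchecked)


def checked_quote(supply: int, amount: int) -> int:
    return mint_cost(supply, amount, add_checked)


def checked_quote_reverts(supply: int, amount: int) -> bool:
    """True if the checked variant rejects the mint that the unchecked one prices."""
    try:
        checked_quote(supply, amount)
    except Reverted:
        return True
    return False


SUPPLY = 1_000_000 * WEI              # constructed: 1M tokens outstanding
HONEST = 1_000 * WEI                  # a normal 1,000-token mint
WRAPPING = UINT256_MOD - SUPPLY       # supply + amount wraps to exactly 0

if __name__ == "__main__":
    print("honest mint:", unchecked_quote(SUPPLY, HONEST), "wei")      # ~1.001 ETH
    print("wrapped mint:", unchecked_quote(SUPPLY, WRAPPING), "wei")   # 0
    print("checked variant reverts:", checked_quote_reverts(SUPPLY, WRAPPING))
```

The wrapped sum drives the post-mint price to zero, so an absurd mint is priced at nothing; the same call under checked arithmetic reverts, which is why compiler-level overflow checks, verified source and monitoring for out-of-range mints matter on legacy contracts.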

YO Protocol turns a routine rebalance into a $3.71M donation to Uniswap v4 LPs. No attacker. No exploit. One vault operator pushed a rebalance through Odos with slippage protection effectively disabled, routing millions into pools with microscopic liquidity and absurd fee tiers. The aggregator obeyed perfectly. $3.71M in, $112K out. 97% of the value atomized into LP wallets in a single transaction. The team quietly backstopped the loss via multisig, paused the market, and later asked LPs to return 90% “as a bug bounty.” A $10M Series A couldn’t save them from the oldest DeFi failure mode: broken parameters signed by a trusted key. (Read more)

Rekt Audit Broker

The big city sleeps, but the code never does. Neither do the crooks.

Rekt Audit Broker connects protocols with top-tier security firms. One request, multiple bids. Faster audits, fairer pricing, trusted partners.

Audits are cheaper than funerals.

Deep Dives

Lessons from The Ledger Data Leak: How to Secure Your Crypto (8 min read)
Ledger didn’t get hacked on-chain, it got bled off-chain. A payments partner leak handed attackers names, addresses, emails, and phone numbers, turning every Ledger customer into a custom-built phishing target. Now scams aren’t generic anymore, they’re personal: fake support calls, QR traps, deepfake voices, even real-world wrench attacks.

A Web2.5 Vulnerability Story: Between Backend and Onchain (7 min read)
This bridge didn’t break because the code was bad, it broke because Web2 and Web3 disagreed on what “valid” meant. A backend leaked secrets by broadcasting transactions that were guaranteed to fail, turning reverts into free intel. Different signature rules, parallel claims, and one sloppy boundary let attackers claim funds, refund later, and walk away whole twice.

Common Telegram Scams in Crypto and How to Stay Safe: A Founder's Guide (8 min read)
Most crypto losses don’t start with exploits, they start with messages. Telegram collapses identity, authority, urgency, and execution into a single interface, turning founders into signing oracles for attackers. In 2026, security isn’t just about protecting keys, it’s about defending communication channels where one fake message can move more money than any smart contract bug ever could.

Uniswap V4 Hooks Security Deep Dive (50 min read)
Hooks give builders god-mode control over liquidity, fees, and accounting, but that power turns small design mistakes into protocol-level exploits. In v4, most failures won’t come from Uniswap itself, they’ll come from custom hooks where backend logic, permission models, accounting, and edge-case math quietly decide who gets drained.

Top Security Risks for Digital Asset Treasury Companies (7 min read)
DAT companies turn crypto exposure into equities, but that also turns every security mistake into a stock market event. A leaked key, a poisoned dependency, or a compromised employee doesn’t just lose funds, it rewrites valuation, investor trust, and regulatory risk in real time.

Other Security Stories

Over half of crypto is already dead. CoinGecko data shows 53.2% of all tokens have failed, with 11.6 million collapses in 2025 alone, driven by memecoin factories, launchpad spam, and the October $19B liquidation cascade that wiped out fragile liquidity overnight.

Eric Adams’ NYC token implodes after suspicious liquidity pulls. A wallet linked to the deployer removed ~$2.43M in USDC at peak prices, added back only ~$1.5M after a 60% drop, leaving ~$932K unaccounted for as the token crashed over 80% from a $600M market cap, according to Bubblemaps.

Malicious Chrome extension steals MEXC API keys by posing as a trading bot. A fake “MEXC API Automator” on the Chrome Web Store secretly creates API keys with withdrawal rights, hides the permission in the UI, and sends the keys to a Telegram bot, giving attackers full control of victims’ exchange accounts even after the extension is removed.

DeadLock ransomware hides its infrastructure inside Polygon smart contracts. The malware stores and rotates proxy server addresses on-chain to evade takedowns, turning the blockchain into a decentralized command-and-control layer that’s nearly impossible to disrupt.

Two major crypto events in Paris are canceled as violent attacks on crypto holders surge. NFT Paris and RWA Paris 2026 were officially shut down over “market conditions,” but the cancellations come amid at least 18 crypto-linked kidnappings, home invasions, and extortion attempts across France.

Security Events

Innovate Cybersecurity Summit
April 19 - April 21, 2026 | Marco Island, Florida, US
An education-driven cybersecurity event centered on hands-on workshops, technical briefings, and practitioner-led sessions covering threat detection, incident response and cloud security.

EuroSec 2026
April 27, 2026 | Edinburgh, Scotland, UK
A research-focused workshop bringing together academics and practitioners to share early-stage, systems-oriented security work, covering new attacks and defenses, OS and network security, malware analysis, reverse engineering and vulnerability research.

Gartner Security & Risk Management Summit 2026
June 1 - 3, 2026 | National Harbor, MD, USA
A strategic event for security leaders exploring risk management frameworks, zero-trust architectures, cloud and identity security, and future threat landscapes.

Infosecurity Europe 2026
June 2 - 4, 2026 | London, UK
Europe’s largest dedicated cybersecurity expo and conference, focusing on enterprise security, threat intelligence, governance, compliance, and cutting-edge defensive tools.

IndoSec Summit 2026
September 15 - 16, 2026 | Jakarta, Indonesia
Indonesia’s flagship cybersecurity summit brings together CISOs, government officials, and industry experts to discuss threat intelligence, risk management, and regional cyber defence strategies in the Asia-Pacific.

Rekt Flashback

Last year, Phemex showed what happens when one set of keys controls an entire multi-chain empire. A single access control failure turned almost 30 hot wallets into open doors, and $73.54M vanished chain by chain before anyone could react. Ethereum, Solana, XRP, Bitcoin, Base, Tron, DOGE, ADA, Hedera, and a dozen more all fell in sequence, proving that “multi-chain” doesn’t mean resilient, it means multiplied risk. Cold wallets survived, reputations didn’t, and the lesson was brutal: one compromised permission can scale into a synchronized, cross-chain liquidation of trust.

Memes and Videos

The Hacker Who Stole Every Government Secret

One hacker, one SQL bug, and suddenly the “shadow CIA” was bleeding five million emails into daylight. The FBI didn’t stop it, they steered it, turning a hacktivist into an unwitting instrument of surveillance. This isn’t a cybercrime story, it’s a lesson in how power hides, manipulates, and still wins.

Source: Blackfiles

Source: pashov

Want to partner with us?

Skip the bots, hit the brains.

Get your message in front of the sharpest, most battle-tested crowd in crypto.

If they notice you, the whole space will. [Partner with us]

We provide an anonymous platform for whistleblowers and DeFi detectives to present their information to the community. All authors remain anonymous.
We are all rekt.
