Blockchain Security Brief
The weekly record of web3's darkest hours

Monday, April 20, 2026


Top Exploits

One company sold trust it couldn’t account for. One bridge sold math it didn’t fully test.

This week:

Sumsub spent years verifying everyone else while leaving its own control structure and security posture in the dark. Public records showed a seven-month ownership gap where the KYC giant officially claimed it could not identify who controlled it, then quietly reversed the filing, while an intrusion that began in July 2024 sat undetected until January 2026. (Read more)

Hyperbridge lost ~$2.5M after one missing bounds check let attackers forge proof messages, seize admin rights over bridged DOT, and mint a billion tokens out of thin air. The exploit didn’t break the cryptography; it walked through the part where cryptographic guarantees became Solidity assumptions, proving once again that bridges don’t need a multisig to fail if the proof verifier still trusts unchecked input. (Read more)

Rekt x The Defiant Documentary

Can we build a system that is open enough to be trustless, but private enough to be usable? Featuring Danelle Dixon (CEO and Executive Director) and Tomer Weller (Chief Product Officer) of Stellar Development Foundation, we explore the future of onchain confidentiality.

Premiering April 22 at Stellar House, Mexico City.

In partnership with the Stellar Development Foundation

Deep Dives

Explained: The Rhea Finance Hack (April 2026) (3 min read)
Rhea Finance trusted fresh price data with no memory. The attacker fabricated tokens, faked price history, and turned worthless collateral into $7.6M in real liquidity by feeding the system just enough data to believe it.

How Three Compounding Failures Let an Attacker Mint $1.2B in Bridged Tokens (18 min read)
Hyperbridge didn’t fail at one point - it failed everywhere that mattered. A forged proof unlocked admin control, no delay stopped the takeover, and unlimited minting did the rest, turning a single transaction into full control over bridged supply and a fast path to liquidity extraction.

The Front Line of Web3 Security: How Wallets, Exchanges and Payment Providers Protect Users in 2026 (11 min read)
The biggest exploits no longer break contracts - they break users. As phishing, spoofed frontends, and transaction deception take over, security shifts to the moment before the signature, where wallets, exchanges, and payment rails either catch the attack… or sign it.

Explained: The TMM Hack (April 2026) (4 min read)
TMM didn’t get hacked. The pool got lied to. The attacker used flash loans to strip TMM liquidity down to almost nothing, making it look scarce, then dumped hundreds of millions of tokens into the distorted pool and walked away with $1.6M in USDT.
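The Rhea Finance and TMM summaries above describe the same weakness from two sides: a price feed that only looks at the current reserves, and a pool whose liquidity has been distorted within a single block. The following is an added illustration (not code from Rekt or from either protocol) of why "fresh price data with no memory" is fragile. It builds a minimal constant-product pool with a spot price read straight from the reserves, a time-weighted average (TWAP) over recent blocks, and a helper that runs nine calm blocks followed by one block containing a large buy. All reserve sizes, trade amounts and the collateral figure are constructed sample values; Fractions are used so the results are exact.

```python
from fractions import Fraction
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class ConstantProductPool:
    """x * y = k pool. Fees are omitted so every figure below is exact."""
    reserve_token: Fraction   # reserve of the asset being priced
    reserve_quote: Fraction   # reserve of the quote asset (e.g. a stablecoin)

    def spot_price(self) -> Fraction:
        # "Fresh" price with no memory: quote per token from the current reserves
        return self.reserve_quote / self.reserve_token

    def buy_token(self, quote_in: Fraction) -> Fraction:
        """Swap quote in for token out and return the tokens received."""
        k = self.reserve_token * self.reserve_quote
        new_quote = self.reserve_quote + quote_in
        new_token = k / new_quote
        out = self.reserve_token - new_token
        self.reserve_token, self.reserve_quote = new_token, new_quote
        return out


@dataclass
class TwapOracle:
    """Average of the last `window` per-block price observations."""
    window: int
    observations: List[Fraction] = field(default_factory=list)

    def record(self, price: Fraction) -> None:
        self.observations.append(price)
        if len(self.observations) > self.window:
            del self.observations[0]

    def price(self) -> Fraction:
        return sum(self.observations, Fraction(0)) / len(self.observations)


def manipulated_block(reserve_token: int, reserve_quote: int, quote_in: int,
                      calm_blocks: int = 9, window: int = 10
                      ) -> Tuple[Fraction, Fraction, Fraction]:
    """Record `calm_blocks` of unchanged prices, then one block with a large buy.

    Returns (spot_before, spot_after, twap_after). Constructed scenario: the
    same quote amount is traded into pools of different depth so the effect of
    thin liquidity on a memoryless spot price is visible.
    """
    pool = ConstantProductPool(Fraction(reserve_token), Fraction(reserve_quote))
    twap = TwapOracle(window)
    for _ in range(calm_blocks):
        twap.record(pool.spot_price())
    before = pool.spot_price()
    pool.buy_token(Fraction(quote_in))
    twap.record(pool.spot_price())
    return before, pool.spot_price(), twap.price()


def collateral_value(units: int, price: Fraction) -> Fraction:
    """What a lending market would credit for `units` of collateral at `price`."""
    return Fraction(units) * price


def spot_twap_divergence(spot: Fraction, twap: Fraction) -> Fraction:
    """Ratio a defender can gate on: how far the current block's price has
    drifted from the recent average. 1 means no drift."""
    return spot / twap


if __name__ == "__main__":
    before, spot, twap = manipulated_block(1000, 1000, 1000)
    print(f"deep pool: spot {before} -> {spot}, twap {twap}")
    _, thin_spot, thin_twap = manipulated_block(100, 100, 1000)
    print(f"thin pool: spot 1 -> {thin_spot}, twap {thin_twap}")
    print(f"100 units of collateral valued at spot: {collateral_value(100, spot)}")
    print(f"100 units of collateral valued at twap: {collateral_value(100, twap)}")
    print(f"spot/twap divergence in the manipulated block: {spot_twap_divergence(spot, twap)}")
```

Against the 1000/1000 pool the single buy moves the spot price from 1 to 4 while the ten-block TWAP only reaches 1.3; against a pool one tenth the depth the same trade pushes spot to 121. A lending market that values collateral at the memoryless spot price would credit 400 instead of 130 for the same hundred units. The `spot_twap_divergence` ratio is the kind of check a protocol can use as a circuit breaker: refuse to value collateral or settle a trade in any block where the spot price has drifted far from the recent average.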

Analysis | FBI Releases the 2025 Internet Crime Report (8 min read)
Crypto scams didn’t just grow. They scaled into full-blown operations. With AI-powered fraud, targeted attacks on older users, and $11B+ in crypto-related losses, the report shows a shift from random scams to industrialized pipelines designed to extract, recycle, and re-target victims at scale.

Now is the Time to Support Rekt

Everyone reads Rekt when things break.
Few support it before they do.

No paywalls. No token. No backing. Just raw post-mortems, investigations, and the uncomfortable truths. This only works as long as the people who benefit from it actually step up.

If Rekt has ever saved you from getting rekt - this is your moment to support us.

Other Security Stories

AI is now fixing smart contract bugs before you even read them. Cygent acts as a security engineer that finds vulnerabilities, writes the fixes, and opens PRs automatically, collapsing the gap between “audit” and “actually securing the code.”

Vault insurance is coming to DeFi. Catalysis launched a vault-native coverage layer backed by restaked capital, aiming to protect deposits, yet most of DeFi still operates without safeguards when things actually break.

Operation Atlantic exposed 20,000 crypto fraud victims. Authorities froze $12M and traced $45M in stolen funds tied to approval phishing scams that trick users into granting wallet access and then drain their assets.

Fake Ledger app drains $420K from a single user. A malicious Ledger Live clone slipped into the App Store, tricked the victim into entering his seed phrase, and instantly wiped 5.9 BTC.

Obsidian plugins turn note-taking into a backdoor. Attackers used fake VC outreach to lure victims into loading malicious plugins that deploy a RAT, giving full device access and routing commands through blockchain-based infrastructure.

Security Jobs

Rekt Flashback

Four years ago, Elephant Money showed how one ignored vulnerability can turn tokenomics into an ATM. A flash loan attack manipulated ELEPHANT’s price during TRUNK minting, extracting ~$22.2M while the protocol cycled its own mechanics against itself. Same price manipulation, same missed warning, same reminder that in DeFi, you don’t need a complex exploit - just find where the math can be bent.

Memes and Videos

Inside the Billion Dollar Hacking Empire: CONTI

Conti wasn’t a gang; it was a ransomware company with payroll, playbooks, and $180M in damage. Phishing got them in, layered malware mapped the network, ransomware cashed out. Leaks, war, and internal cracks killed the brand, not the business.

Source: Cybernews

Source: danheld

Want to partner with us?

Skip the bots, hit the brains.

Get your message in front of the sharpest, most battle-tested crowd in crypto.

If they notice you, the whole space will. [Partner with us]

We provide an anonymous platform for whistleblowers and DeFi detectives to present their information to the community. All authors remain anonymous.
We are all rekt.
