LND

2025-01-01

LND.fi protocol launches on Sonic mainnet (approximate early 2025 launch date; team publicly acknowledged SonicLabs support ahead of launch)

2025-03-29

Deployer address (0xc0454e...) granted Pool Admin role on LND.fi contracts; modified AToken and VariableDebtToken contracts with backdoored access control initialized — 41 days before the exploit

2025-05-05

LND.fi goes live on Hyperliquid L1 with price feeds from Pyth Network and incentives via merkl.xyz, expanding from Sonic

2025-05-09

At 2:29 AM UTC, deployer begins draining LND.fi pools via the backdoored transferUnderlyingTo function; approximately $1.18–1.42 million stolen within minutes

2025-05-09

At 2:39 AM UTC, stolen funds bridged to wallets on BSC (~$786K) and Ethereum (~$397K, deposited to TradeOrge); ~$240K routed to MEXC via Hyperliquid

2025-05-09

At 9:19 AM UTC, Pool Admin role revoked by separate address (0xe82e...aba4); LND.fi freezes its website and revokes compromised account privileges

2025-05-09

Official postmortem published by team member 'michaelmai' on HackMD, attributing the attack to 'a developer who was actually a DPRK IT worker'

2025-05-01

Halborn Security publishes analysis of the LND hack as part of its May 2025 DeFi hacks review, confirming access control root cause and DPRK IT worker attribution

2025-06-01

lnd.fi domain no longer operated by the LND team; domain listed for sale on Nameshift.com domain marketplace, indicating apparent protocol shutdown (approximate date)