← LND1 decision on this page

Audit log

Every state-changing event for LND: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

#1publishby system:backfill
2026-05-27 20:30:06Z
Score: ? → ? (no score change)
anchoranchored
chain
●mainnet-betaslot 422,575,011
sig
AWyzzcvAZNcU…wx1t8sm1explorer ↗
hash
9AsWr1JtKKTn…14eG18Amsha256 → base58
verifying row…full verify ↗
canonical bytes (7434 B) ▸
{"actor":"system:backfill","investigation_id":"2f7c30c1-4224-4431-b322-5be4c94348e6","kind":"publish","page_slug":"lnd","published_at":"2026-05-27T20:30:06.405Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"LND","sections":[{"content":"","heading":"","severity":"medium","sources":[{"credibility":2,"name":"Explained: The LND Hack (May 2025) — Halborn Security","type":"research","url":"https://www.halborn.com/blog/post/explained-the-lnd-hack-may-2025"},{"credibility":2,"name":"LND Protocol — DefiLlama","type":"on_chain","url":"https://defillama.com/protocol/lnd"},{"credibility":2,"name":"LND Postmortem: $1.27 Million Loss — DeFiHackLabs / SunSec (Substack)","type":"research","url":"https://defihacklabs.substack.com/p/lnd-postmortem-127-million-loss"}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":2,"name":"LND Postmortem — HackMD (official team postmortem by michaelmai)","type":"official","url":"https://hackmd.io/@michaelmai/LND-Postmortem"},{"credibility":2,"name":"LND Postmortem: $1.27 Million Loss — DeFiHackLabs / SunSec","type":"research","url":"https://defihacklabs.substack.com/p/lnd-postmortem-127-million-loss"},{"credibility":2,"name":"Explained: The LND Hack (May 2025) — Halborn Security","type":"research","url":"https://www.halborn.com/blog/post/explained-the-lnd-hack-may-2025"},{"credibility":2,"name":"Month in Review: Top DeFi Hacks of May 2025 — Halborn","type":"research","url":"https://www.halborn.com/blog/post/month-in-review-top-defi-hacks-of-may-2025"}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":2,"name":"Explained: The LND Hack (May 2025) — Halborn Security","type":"research","url":"https://www.halborn.com/blog/post/explained-the-lnd-hack-may-2025"},{"credibility":2,"name":"LND Postmortem: $1.27 Million Loss — DeFiHackLabs / SunSec","type":"research","url":"https://defihacklabs.substack.com/p/lnd-postmortem-127-million-loss"}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":2,"name":"LND Postmortem — HackMD","type":"official","url":"https://hackmd.io/@michaelmai/LND-Postmortem"},{"credibility":2,"name":"LND Postmortem: $1.27 Million Loss — DeFiHackLabs / SunSec","type":"research","url":"https://defihacklabs.substack.com/p/lnd-postmortem-127-million-loss"}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":2,"name":"LND Protocol — DefiLlama TVL data","type":"on_chain","url":"https://defillama.com/protocol/lnd"},{"credibility":2,"name":"Explained: The LND Hack (May 2025) — Halborn Security","type":"research","url":"https://www.halborn.com/blog/post/explained-the-lnd-hack-may-2025"}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":2,"name":"ZachXBT uncovers North Korea-linked IT worker network — The Block","type":"news_article","url":"https://www.theblock.co/post/396847/zachxbt-uncovers-north-korea-linked-it-worker-network-generating-1m-monthly-via-crypto-payment-flows"},{"credibility":1,"name":"DPRK IT Workers — FBI Advisory","type":"regulatory","url":"https://www.fbi.gov/wanted/cyber/dprk-it-fraud"},{"credibility":2,"name":"North Korea IT Workers: Inside the DPRK's Crypto Laundering Network — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/dprk-it-workers-north-korea-crypto-laundering-networks/"},{"credibility":2,"name":"$285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html"}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":1,"name":"Lendingblock (LND) Token Tracker — Etherscan","type":"on_chain","url":"https://etherscan.io/token/0x0947b0e6d821378805c9598291385ce7c791a6b2"},{"credibility":2,"name":"10 Questions For The Founders Of Lendingblock — The Fintech Times","type":"news_article","url":"https://thefintechtimes.com/lending-platform-lendingblock-2/"},{"credibility":2,"name":"Lendingblock 2.0 — Medium (official blog)","type":"official","url":"https://medium.com/lendingblock/lendingblock-2-0-7b333415bb58"},{"credibility":2,"name":"Lendingblock price today — CoinMarketCap","type":"other","url":"https://coinmarketcap.com/currencies/lendingblock/"}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":2,"name":"Bitcoin Lightning bug allows remote theft of bitcoin via LND nodes — Protos","type":"news_article","url":"https://protos.com/bitcoin-lightning-bug-allows-remote-theft-of-bitcoin-via-lnd-nodes/"},{"credibility":1,"name":"CVE-2024-38359: Lightning Network Daemon (LND) onion processing DoS — GitLab Advisory Database","type":"other","url":"https://advisories.gitlab.com/pkg/golang/github.com/lightningnetwork/lnd/CVE-2024-38359/"},{"credibility":1,"name":"Lightning Network Daemon — GitHub (Lightning Labs)","type":"official","url":"https://github.com/lightningnetwork/lnd"}]}],"sources_used":[],"summary":"LND (lnd.fi) was a non-custodial, multichain DeFi lending protocol built on Sonic (a high-performance EVM chain) as a fork of Aave V3. On May 9, 2025, the protocol was drained of approximately $1.27–1.42 million by a developer who gained Pool Admin credentials and introduced a malicious access control modification 41 days before executing the exploit; the official postmortem attributed the attacker to a DPRK (North Korea) IT worker embedded in the team under false pretenses. As of mid-2025, the lnd.fi domain is no longer operated by the team and appears listed for resale, indicating the protocol ceased operations following the incident.","timeline":[{"date":"2025-01-01","event":"LND.fi protocol launches on Sonic mainnet (approximate early 2025 launch date; team publicly acknowledged SonicLabs support ahead of launch)","source":""},{"date":"2025-03-29","event":"Deployer address (0xc0454e...) granted Pool Admin role on LND.fi contracts; modified AToken and VariableDebtToken contracts with backdoored access control initialized — 41 days before the exploit","source":""},{"date":"2025-05-05","event":"LND.fi goes live on Hyperliquid L1 with price feeds from Pyth Network and incentives via merkl.xyz, expanding from Sonic","source":""},{"date":"2025-05-09","event":"At 2:29 AM UTC, deployer begins draining LND.fi pools via the backdoored transferUnderlyingTo function; approximately $1.18–1.42 million stolen within minutes","source":""},{"date":"2025-05-09","event":"At 2:39 AM UTC, stolen funds bridged to wallets on BSC (~$786K) and Ethereum (~$397K, deposited to TradeOrge); ~$240K routed to MEXC via Hyperliquid","source":""},{"date":"2025-05-09","event":"At 9:19 AM UTC, Pool Admin role revoked by separate address (0xe82e...aba4); LND.fi freezes its website and revokes compromised account privileges","source":""},{"date":"2025-05-09","event":"Official postmortem published by team member 'michaelmai' on HackMD, attributing the attack to 'a developer who was actually a DPRK IT worker'","source":""},{"date":"2025-05-01","event":"Halborn Security publishes analysis of the LND hack as part of its May 2025 DeFi hacks review, confirming access control root cause and DPRK IT worker attribution","source":""},{"date":"2025-06-01","event":"lnd.fi domain no longer operated by the LND team; domain listed for sale on Nameshift.com domain marketplace, indicating apparent protocol shutdown (approximate date)","source":""}]},"v":1}
Verify offline (run on your own machine)
python -m src.verify_decision 383b76c9-0523-4c5d-ad7d-136149585b23

How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine — python -m src.verify_decision <event_id>.