phishing

Velodrome Finance is an automated market maker (AMM) and decentralized exchange (DEX) launched on June 2, 2022, on the Optimism Layer 2 network. It is a fork and improvement of Andre Cronje's Solidly Exchange, implementing a ve(3,3) governance and liquidity incentive model. The protocol has experienced three documented security incidents: an insider theft of $350,000 by a team member in August 2022, a DNS/frontend social-engineering attack in November–December 2023 resulting in approximately $250,000 in user losses, and a second DNS hijacking in November 2025 attributed to a NameSilo registrar insider, resulting in estimated losses of $700,000–$1,000,000. Smart contracts have not been directly exploited; all monetary losses have stemmed from front-end and operational security failures.

Ledger SAS is a Paris-based hardware cryptocurrency wallet manufacturer founded in 2014, producing the Nano S and Nano X devices used by millions worldwide. Despite its status as a legitimate and established company, Ledger has been involved in two major security incidents: a 2020 customer database breach exposing over 1 million email addresses and 272,000 physical addresses, and a December 2023 supply chain attack on its @ledgerhq/connect-kit npm package that drained approximately $600,000–$850,000 from users of multiple DeFi protocols via the Angel Drainer malware-as-a-service. A third-party data breach via payment processor Global-e was disclosed in January 2026.

A fraudulent mobile application impersonating Hyperliquid, the decentralized perpetuals exchange, was identified on the Google Play Store in November 2025 by on-chain investigator ZachXBT. The app, published under the developer name 'Tvtion Inc.', replicated Hyperliquid's branding and interface to harvest users' seed phrases, transmitting them to an external server. An Ethereum address linked to the operation has been associated with thefts exceeding $281,000; Hyperliquid has never released an official mobile application, making any such listing inherently fraudulent.

Fake Ledger Live apps are malicious wallet impersonation applications distributed through official app stores — including the Microsoft Store and Apple App Store — that harvest cryptocurrency seed phrases to drain victims' wallets. Two major documented incidents have resulted in confirmed losses of at least $10.3 million: approximately $768,000 via the Microsoft Store in November 2023, and approximately $9.5 million via the Apple App Store in April 2026. Parallel macOS malware campaigns distributing trojanized DMG installers have been active since at least August 2024, with four concurrent active campaigns identified by security researchers.

Pink Drainer was a Drainer-as-a-Service (DaaS) phishing toolkit that operated from approximately July 2023 to May 2024, facilitating the theft of over $85.3 million in cryptocurrency from more than 21,000 victims across Ethereum and other networks. The operators ran the service by licensing a sophisticated wallet-draining script to affiliate phishers for a 20-30% cut of stolen proceeds, then announced a voluntary shutdown on May 17, 2024, citing their goal as 'accomplished.'

Compound Finance is an Ethereum-based decentralized lending protocol founded in 2017 by Robert Leshner and Geoffrey Hayes that allows users to lend and borrow cryptocurrencies algorithmically. The protocol has been subject to multiple significant security and governance incidents, including a 2021 smart contract bug that placed up to ~280,000 COMP tokens (approximately $80–90 million) at risk, a 2024 alleged governance takeover by a whale known as 'Humpy,' and a July 2024 front-end DNS hijacking attack tied to the Squarespace registrar migration. Despite these incidents, the core smart contract protocol has not been exploited; the recurring issues have primarily affected token distribution, governance integrity, and front-end infrastructure.

TON (The Open Network) is a layer-1 blockchain originally developed by Telegram, abandoned in 2020 following an SEC enforcement action that compelled a $18.5 million penalty and $1.22 billion investor return, and subsequently revived by an independent TON Foundation. By 2024, rapid ecosystem growth attracted a significant wave of phishing campaigns, wallet drainer toolkits, pyramid schemes, and rug pull activity, with over 1,200 fraud cases reported in H1 2024 alone. In May 2026, Pavel Durov announced Telegram would reassume control as the network's largest validator, reintroducing centralization risk to a network already under scrutiny for facilitating illicit marketplaces.

Kroll Restructuring Administration LLC served as the court-appointed claims and noticing agent for the FTX, BlockFi, and Genesis bankruptcy proceedings. On August 19, 2023, a threat actor executed a SIM swap attack against a Kroll employee's T-Mobile account, gaining unauthorized access to files containing the personal data of tens of thousands of crypto bankruptcy claimants. The exposed data was subsequently exploited in large-scale phishing and social engineering campaigns, with blockchain investigator ZachXBT estimating total losses attributable to the breach at eight to nine figures, and at least one alleged perpetrator — Danish Zulfiqar, also known as 'Danny' — was arrested in Dubai in late 2025 on RICO charges related to a broader $263 million social engineering conspiracy.

Token 2049 is one of the world's largest crypto conferences, held annually in Singapore and Dubai by Hong Kong-based BOB Group. The event has faced repeated criticism for insufficient sponsor vetting, most notably when OFAC- and UK-sanctioned Russia-linked stablecoin A7A5 was listed as a platinum sponsor and given a speaking slot at the October 2025 Singapore edition. Separately, in March 2025, on-chain investigator ZachXBT publicly flagged multiple Token 2049 sponsors — including DWF Labs, Bitunix, JuCoin, WEEX, and Spacecoin — for fraud, wash trading, and regulatory non-compliance, warning that conference sponsorship carries no implied credibility.

EigenLayer is a legitimate Ethereum restaking protocol operated by Eigen Labs that became a high-value target for phishing campaigns, wallet drainer attacks, and social engineering in 2024 following the launch of its EIGEN token. In October 2024 alone, the protocol's official X account was compromised to promote a fake airdrop resulting in at least $800,000 lost by one victim, and a separate email-based social engineering attack redirected approximately $5.7 million in locked investor tokens to an attacker's wallet. EIGEN holders and restakers face an elevated and persistent threat surface from impersonation sites, fake airdrop claims, and token-approval drainer schemes that exploit the protocol's name and brand recognition.

Cardano (ADA) holders face a persistent and multi-vector threat landscape that includes deepfake giveaway scams impersonating founder Charles Hoskinson, social media account hijackings used to promote fraudulent tokens, phishing campaigns distributing credential-stealing malware disguised as wallet software, and NFT-based wallet drainers. The Cardano Foundation's own X account was compromised in December 2024, resulting in the promotion of a fake token and false regulatory claims. State-sponsored actors including the North Korean Lazarus Group have also targeted ADA holders through the Atomic Wallet supply chain attack.

Vitalik Buterin is the legitimate co-founder of Ethereum and is not himself a scam actor. However, his name, likeness, and social media presence constitute one of the most heavily weaponized impersonation surfaces in crypto. Documented threats include a September 2023 SIM-swap of his X account (linked to Pink Drainer, resulting in ~$691K stolen from followers), persistent fake giveaway livestreams on YouTube, thousands of fraudulent Instagram accounts, and an escalating campaign of AI-generated deepfake videos distributing wallet-drainer phishing links.

SafePal is a hardware and software cryptocurrency wallet founded in 2018 by Veronica Wong and incubated by Binance Labs, with over 10 million claimed users. The platform has been surrounded by multiple serious security incidents including a malicious Firefox extension that impersonated the wallet for seven months in 2021, a Binance-backed Launchpad token (SFP), hardware vulnerabilities disclosed by Kraken Security Labs, and a $6.5–7 million theft linked to a tampered hardware wallet sold via the Chinese platform Douyin (TikTok China). SafePal itself has not been hacked directly, but its brand has been repeatedly exploited by third-party threat actors, and ZachXBT has documented its wallets appearing in fund-laundering flows.

KAITO is the native token of Kaito AI, an AI-powered 'InfoFi' (information finance) platform built on Base blockchain, founded by former Citadel quantitative trader Yu Hu and launched in February 2025. On March 15, 2025, both the official Kaito AI X account and Yu Hu's personal account were compromised by hackers who spread false claims of wallet breaches while simultaneously holding short positions on KAITO, netting an estimated $1 million in profit from the manufactured price panic. The platform faced additional scrutiny from blockchain investigator ZachXBT over alleged AI bot spam incentivized by its Yaps reward system, which was ultimately sunset in January 2026 after X revoked API access to all InfoFi applications.

Hypurr NFTs are a 4,600-piece cat-themed NFT collection airdropped by the Hyper Foundation on September 28, 2025, to early Hyperliquid users who participated in the November 2024 Genesis Event. On the day of launch, blockchain investigator ZachXBT flagged the theft of eight Hypurr NFTs from compromised HyperEVM wallets, yielding approximately $400,000 in profit for the attacker. The collection itself is a legitimate product of the Hyper Foundation, but the incident exposed wallet security vulnerabilities in the HyperEVM ecosystem and coincided with a broader pattern of exploits across Hyperliquid-based protocols in late September 2025.

Cointelegraph is a major legitimate cryptocurrency news outlet that has been a victim of two distinct infrastructure compromises. In January 2024, attackers breached its email service provider MailerLite and sent phishing emails to subscribers using Angel Drainer malware, resulting in estimated losses of $580,000 to over $700,000 across affected platforms. In June 2025, attackers separately compromised Cointelegraph's banner advertising system to serve Inferno Drainer-linked pop-ups promoting a fake CTG token airdrop to site visitors.

Rapper Nelly (Cornell Iral Haynes Jr.) is flagged here not as a perpetrator of crypto fraud, but as a victim of an account compromise. In October 2023, an X (formerly Twitter) account associated with Nelly — handle @NellioETH — was hacked by an unknown third party who then used it to run a social engineering phishing campaign against crypto users. Blockchain investigator ZachXBT first identified and publicized the incident; specific amounts stolen from victims and detailed on-chain forensics have not been publicly confirmed.

Porkbun LLC is a legitimate ICANN-accredited domain registrar founded circa 2014-2015, headquartered in Sherwood, Oregon, and managing over 3.45 million domains. While the company is not itself a scam operation, it has attracted scrutiny from the crypto security community — including on-chain investigator ZachXBT — for hosting phishing infrastructure linked to Angel Drainer and Inferno Drainer wallet-draining services, including fake Ledger sites. Third-party tracking platforms document hundreds of flagged phishing domains registered through Porkbun and allege that the company's abuse-response enforcement has been inadequate, with a majority of reported domains remaining active after formal abuse reports.

Trezor is a legitimate Prague-based hardware wallet manufacturer (SatoshiLabs) and one of the oldest in the industry, but it has accumulated a significant threat ecosystem around its brand. A January 2024 breach of its third-party support portal exposed contact data for approximately 66,000 users, which subsequently fueled targeted phishing campaigns delivered via email, physical mail, and fake apps. Trezor hardware devices have also been subject to disclosed physical attack vectors, including an alleged unpatchable flaw in the STM32 microcontroller used in the Trezor T model.

CoinSpot is an Australian cryptocurrency exchange founded in 2013 by Russell Wilson and headquartered in Melbourne. It is registered with AUSTRAC as a Digital Currency Exchange (since May 2018) and holds ISO 27001 certification. On November 8, 2023, the platform suffered a suspected private key compromise resulting in the loss of approximately 1,283 ETH (~$2.4 million USD), with stolen funds bridged to Bitcoin via THORChain and Wan Bridge. No customer funds were reported lost in the incident.