Verify a decision

{"actor":"system:backfill","investigation_id":"2f7c30c1-4224-4431-b322-5be4c94348e6","kind":"publish","page_slug":"lnd","published_at":"2026-05-27T20:30:06.405Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"LND","sections":[{"content":"","heading":"","severity":"medium","sources":[{"credibility":2,"name":"Explained: The LND Hack (May 2025) — Halborn Security","type":"research","url":"https://www.halborn.com/blog/post/explained-the-lnd-hack-may-2025"},{"credibility":2,"name":"LND Protocol — DefiLlama","type":"on_chain","url":"https://defillama.com/protocol/lnd"},{"credibility":2,"name":"LND Postmortem: $1.27 Million Loss — DeFiHackLabs / SunSec (Substack)","type":"research","url":"https://defihacklabs.substack.com/p/lnd-postmortem-127-million-loss"}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":2,"name":"LND Postmortem — HackMD (official team postmortem by michaelmai)","type":"official","url":"https://hackmd.io/@michaelmai/LND-Postmortem"},{"credibility":2,"name":"LND Postmortem: $1.27 Million Loss — DeFiHackLabs / SunSec","type":"research","url":"https://defihacklabs.substack.com/p/lnd-postmortem-127-million-loss"},{"credibility":2,"name":"Explained: The LND Hack (May 2025) — Halborn Security","type":"research","url":"https://www.halborn.com/blog/post/explained-the-lnd-hack-may-2025"},{"credibility":2,"name":"Month in Review: Top DeFi Hacks of May 2025 — Halborn","type":"research","url":"https://www.halborn.com/blog/post/month-in-review-top-defi-hacks-of-may-2025"}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":2,"name":"Explained: The LND Hack (May 2025) — Halborn Security","type":"research","url":"https://www.halborn.com/blog/post/explained-the-lnd-hack-may-2025"},{"credibility":2,"name":"LND Postmortem: $1.27 Million Loss — DeFiHackLabs / SunSec","type":"research","url":"https://defihacklabs.substack.com/p/lnd-postmortem-127-million-loss"}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":2,"name":"LND Postmortem — HackMD","type":"official","url":"https://hackmd.io/@michaelmai/LND-Postmortem"},{"credibility":2,"name":"LND Postmortem: $1.27 Million Loss — DeFiHackLabs / SunSec","type":"research","url":"https://defihacklabs.substack.com/p/lnd-postmortem-127-million-loss"}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":2,"name":"LND Protocol — DefiLlama TVL data","type":"on_chain","url":"https://defillama.com/protocol/lnd"},{"credibility":2,"name":"Explained: The LND Hack (May 2025) — Halborn Security","type":"research","url":"https://www.halborn.com/blog/post/explained-the-lnd-hack-may-2025"}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":2,"name":"ZachXBT uncovers North Korea-linked IT worker network — The Block","type":"news_article","url":"https://www.theblock.co/post/396847/zachxbt-uncovers-north-korea-linked-it-worker-network-generating-1m-monthly-via-crypto-payment-flows"},{"credibility":1,"name":"DPRK IT Workers — FBI Advisory","type":"regulatory","url":"https://www.fbi.gov/wanted/cyber/dprk-it-fraud"},{"credibility":2,"name":"North Korea IT Workers: Inside the DPRK's Crypto Laundering Network — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/dprk-it-workers-north-korea-crypto-laundering-networks/"},{"credibility":2,"name":"$285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html"}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":1,"name":"Lendingblock (LND) Token Tracker — Etherscan","type":"on_chain","url":"https://etherscan.io/token/0x0947b0e6d821378805c9598291385ce7c791a6b2"},{"credibility":2,"name":"10 Questions For The Founders Of Lendingblock — The Fintech Times","type":"news_article","url":"https://thefintechtimes.com/lending-platform-lendingblock-2/"},{"credibility":2,"name":"Lendingblock 2.0 — Medium (official blog)","type":"official","url":"https://medium.com/lendingblock/lendingblock-2-0-7b333415bb58"},{"credibility":2,"name":"Lendingblock price today — CoinMarketCap","type":"other","url":"https://coinmarketcap.com/currencies/lendingblock/"}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":2,"name":"Bitcoin Lightning bug allows remote theft of bitcoin via LND nodes — Protos","type":"news_article","url":"https://protos.com/bitcoin-lightning-bug-allows-remote-theft-of-bitcoin-via-lnd-nodes/"},{"credibility":1,"name":"CVE-2024-38359: Lightning Network Daemon (LND) onion processing DoS — GitLab Advisory Database","type":"other","url":"https://advisories.gitlab.com/pkg/golang/github.com/lightningnetwork/lnd/CVE-2024-38359/"},{"credibility":1,"name":"Lightning Network Daemon — GitHub (Lightning Labs)","type":"official","url":"https://github.com/lightningnetwork/lnd"}]}],"sources_used":[],"summary":"LND (lnd.fi) was a non-custodial, multichain DeFi lending protocol built on Sonic (a high-performance EVM chain) as a fork of Aave V3. On May 9, 2025, the protocol was drained of approximately $1.27–1.42 million by a developer who gained Pool Admin credentials and introduced a malicious access control modification 41 days before executing the exploit; the official postmortem attributed the attacker to a DPRK (North Korea) IT worker embedded in the team under false pretenses. As of mid-2025, the lnd.fi domain is no longer operated by the team and appears listed for resale, indicating the protocol ceased operations following the incident.","timeline":[{"date":"2025-01-01","event":"LND.fi protocol launches on Sonic mainnet (approximate early 2025 launch date; team publicly acknowledged SonicLabs support ahead of launch)","source":""},{"date":"2025-03-29","event":"Deployer address (0xc0454e...) granted Pool Admin role on LND.fi contracts; modified AToken and VariableDebtToken contracts with backdoored access control initialized — 41 days before the exploit","source":""},{"date":"2025-05-05","event":"LND.fi goes live on Hyperliquid L1 with price feeds from Pyth Network and incentives via merkl.xyz, expanding from Sonic","source":""},{"date":"2025-05-09","event":"At 2:29 AM UTC, deployer begins draining LND.fi pools via the backdoored transferUnderlyingTo function; approximately $1.18–1.42 million stolen within minutes","source":""},{"date":"2025-05-09","event":"At 2:39 AM UTC, stolen funds bridged to wallets on BSC (~$786K) and Ethereum (~$397K, deposited to TradeOrge); ~$240K routed to MEXC via Hyperliquid","source":""},{"date":"2025-05-09","event":"At 9:19 AM UTC, Pool Admin role revoked by separate address (0xe82e...aba4); LND.fi freezes its website and revokes compromised account privileges","source":""},{"date":"2025-05-09","event":"Official postmortem published by team member 'michaelmai' on HackMD, attributing the attack to 'a developer who was actually a DPRK IT worker'","source":""},{"date":"2025-05-01","event":"Halborn Security publishes analysis of the LND hack as part of its May 2025 DeFi hacks review, confirming access control root cause and DPRK IT worker attribution","source":""},{"date":"2025-06-01","event":"lnd.fi domain no longer operated by the LND team; domain listed for sale on Nameshift.com domain marketplace, indicating apparent protocol shutdown (approximate date)","source":""}]},"v":1}