News
26 Jan 2026, 01:10
South Korean Bitcoin Catastrophe: Prosecutors Pinpoint Phishing in Staggering Loss of Seized Crypto

SEOUL, South Korea – In a security breach that exposes critical weaknesses in digital asset custody, South Korean prosecutors now suspect a phishing attack led to the disappearance of seized Bitcoin valued at tens of billions of won. The incident, first reported by Segye Ilbo, throws a harsh spotlight on the procedural risks law enforcement faces when managing confiscated cryptocurrency, especially when relying on consumer hardware wallets. The investigation underscores a pressing, global challenge for authorities as they increasingly grapple with securing digital evidence and assets.

South Korean Bitcoin Investigation Uncovers Phishing Vector

According to the prosecutorial team’s explanation, the lost cryptocurrency was stored on a hardware wallet, a device typically considered among the most secure ways to hold digital assets. Investigators believe the key was compromised when someone connected the wallet to an internet-enabled device and then visited a malicious phishing site. That is enough to let attackers drain the funds without physical access to the wallet: a phishing page can harvest the recovery phrase, or get the operator to approve a transaction the attacker built. This points not to a brute-force attack on the device but to a social engineering exploit, a method that remains effective against even robust technical safeguards.

The case also reveals a complex custody arrangement. The seized assets were under shared management, a detail that has widened the inquiry: prosecutors are actively considering the possibility of intentional theft by an insider with authorized access. This dual-track investigation, examining both external intrusion and internal malfeasance, illustrates the multifaceted threats confronting institutional crypto holders.
Similar high-profile losses have occurred at exchanges and investment funds, where human error and insider threats together have led to catastrophic financial damage.

Hardware Wallet Security Under Scrutiny

This incident challenges the perceived invulnerability of hardware wallets. Often marketed as “cold storage” immune to online attacks, a hardware wallet only guarantees that the private key never leaves the device. Whether that key is used for the right transaction still depends on the person holding it: when the device is connected to a compromised computer and the user approves whatever the malicious host presents, or types the recovery phrase into a web page, the physical device offers no protection. Security experts consistently warn that the “air gap” is only as strong as the person bridging it.

Private key isolation: Hardware wallets keep private keys offline, but they must interact with online software to receive unsigned transactions and return signatures. The host software, not the device, decides what is proposed for signing.
Phishing vulnerability: Attackers can build fake interfaces that trick users into signing transactions that send funds to the attacker’s address, or into entering their recovery phrase on a look-alike “firmware update” or “wallet sync” page. The device’s own screen is the only trustworthy view of the destination and amount; “blind signing” modes that hide those details remove even that check.
Supply chain risks: Maliciously modified hardware or pre-filled recovery sheets shipped with the device present additional threats.

For law enforcement agencies, this creates a significant dilemma. They must balance security with accessibility, because evidence may need to be accessed or transferred for legal proceedings. The South Korean case suggests that standard operating procedures for managing seized crypto may be dangerously outdated.
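The two failure modes above, a host that displays one transaction while the device is handed another, and an operator who approves without reading the device screen, can be caught before approval by decoding the exact bytes that will be signed independently of the host’s user interface. The following is an added example, not code from the article, the prosecutors’ office or any wallet vendor; it assumes a one-input Bitcoin transaction delivered in raw serialised form, and every txid, output script and amount in it is constructed sample data:

```python
# Added example, not code from the article or any wallet vendor: re-parse the exact
# bytes a hardware wallet is asked to sign and compare them with the operator's
# stated intent. Every txid, script and amount below is constructed sample data.
from typing import NamedTuple

def read_compact_size(buf: bytes, pos: int) -> tuple[int, int]:
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    width = 2 << (first - 0xFD)  # 0xFD -> 2 bytes, 0xFE -> 4, 0xFF -> 8
    return int.from_bytes(buf[pos + 1:pos + 1 + width], "little"), pos + 1 + width

def compact_size(n: int) -> bytes:
    """Bitcoin CompactSize encoding (inverse of read_compact_size)."""
    if n < 0xFD:
        return bytes([n])
    for prefix, width in ((b"\xfd", 2), (b"\xfe", 4), (b"\xff", 8)):
        if n < 1 << (8 * width):
            return prefix + n.to_bytes(width, "little")
    raise ValueError("value too large for CompactSize")

class TxOut(NamedTuple):
    value_sats: int
    script_hex: str
    kind: str

# (length, leading bytes, trailing bytes) of the standard output script templates
SCRIPT_TEMPLATES = {
    "p2wpkh": (22, b"\x00\x14", b""),
    "p2wsh": (34, b"\x00\x20", b""),
    "p2tr": (34, b"\x51\x20", b""),
    "p2pkh": (25, b"\x76\xa9\x14", b"\x88\xac"),
    "p2sh": (23, b"\xa9\x14", b"\x87"),
}

def classify_script(script: bytes) -> str:
    for kind, (length, head, tail) in SCRIPT_TEMPLATES.items():
        if len(script) == length and script.startswith(head) and script.endswith(tail):
            return kind
    return "nonstandard"

def parse_outputs(raw: bytes) -> list[TxOut]:
    """Walk a serialised transaction (legacy or BIP144 segwit) and return its outputs."""
    segwit = raw[4:6] == b"\x00\x01"  # marker + flag after the 4-byte version
    pos = 6 if segwit else 4
    n_in, pos = read_compact_size(raw, pos)
    for _ in range(n_in):
        script_len, pos = read_compact_size(raw, pos + 36)  # skip the outpoint
        pos += script_len + 4  # scriptSig + sequence
    n_out, pos = read_compact_size(raw, pos)
    outs = []
    for _ in range(n_out):
        value = int.from_bytes(raw[pos:pos + 8], "little")
        script_len, pos = read_compact_size(raw, pos + 8)
        script = raw[pos:pos + script_len]
        pos += script_len
        outs.append(TxOut(value, script.hex(), classify_script(script)))
    if segwit:  # one witness stack per input
        for _ in range(n_in):
            n_items, pos = read_compact_size(raw, pos)
            for _ in range(n_items):
                item_len, pos = read_compact_size(raw, pos)
                pos += item_len
    if pos + 4 != len(raw):  # the 4-byte locktime must be the last thing
        raise ValueError("malformed transaction or trailing bytes; refuse to sign")
    return outs

def check_against_intent(raw: bytes, intended: dict[str, int], change_scripts: set[str]) -> list[str]:
    """List every discrepancy between the bytes and the stated intent; an empty list means consistent."""
    paid: dict[str, int] = {}
    for out in parse_outputs(raw):
        paid[out.script_hex] = paid.get(out.script_hex, 0) + out.value_sats
    problems = [f"intended {amt} sats to {s[:12]}.., tx pays {paid.get(s, 0)}"
                for s, amt in intended.items() if paid.get(s, 0) != amt]
    problems += [f"unexpected {classify_script(bytes.fromhex(s))} output of {amt} sats to {s[:12]}.."
                 for s, amt in paid.items() if s not in intended and s not in change_scripts]
    return problems

def build_unsigned_tx(prev_txid_hex: str, prev_vout: int, outputs: list[tuple[int, bytes]]) -> bytes:
    """One-input legacy transaction with an empty scriptSig, as a host hands it to a signer."""
    raw = (2).to_bytes(4, "little") + compact_size(1)
    raw += bytes.fromhex(prev_txid_hex)[::-1] + prev_vout.to_bytes(4, "little")
    raw += compact_size(0) + b"\xff\xff\xff\xff" + compact_size(len(outputs))
    for value, script in outputs:
        raw += value.to_bytes(8, "little") + compact_size(len(script)) + script
    return raw + (0).to_bytes(4, "little")

# Constructed sample: the treasury address the operator expects to pay, the agency's own change
# address, and an attacker-controlled taproot output a phishing host swaps in behind its UI.
TREASURY = (b"\x00\x14" + b"\x11" * 20).hex()
CHANGE = (b"\x00\x14" + b"\x22" * 20).hex()
ATTACKER = (b"\x51\x20" + b"\x33" * 32).hex()
HONEST_TX = build_unsigned_tx("aa" * 32, 0, [(50_000_000, bytes.fromhex(TREASURY)), (9_990_000, bytes.fromhex(CHANGE))])
PHISHED_TX = build_unsigned_tx("aa" * 32, 0, [(50_000_000, bytes.fromhex(ATTACKER)), (9_990_000, bytes.fromhex(CHANGE))])

if __name__ == "__main__":
    for name, tx in (("honest", HONEST_TX), ("phished", PHISHED_TX)):
        print(name, check_against_intent(tx, {TREASURY: 50_000_000}, {CHANGE}) or "consistent with intent")
```

The check reads the serialised transaction rather than the host’s rendering of it, which is the only thing a phishing page cannot alter once the bytes are in hand. In a custody workflow the `intended` mapping would come from the written authorisation for the transfer, and a non-empty result would stop the signing ceremony before anyone touches the device; the same scripts and amounts should also be read off the device screen, since a host that can swap outputs can also swap what this script is shown.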
A comparison of approaches across jurisdictions:

Jurisdiction                    | Typical seizure custody method                                            | Notable incidents
United States                   | Transfer to government-controlled wallets, use of third-party custodians | Department of Justice auctions seized Bitcoin
United Kingdom                  | Similar to US, with increasing use of regulated custodian services       | National Crime Agency has specialized crypto units
South Korea (prior to incident) | Hardware wallet storage under shared management                          | Current investigation into phishing loss

Expert Analysis on Institutional Crypto Custody

Cybersecurity specialists emphasize that institutional custody, especially of legally seized assets, requires enterprise-grade solutions well beyond consumer hardware wallets: multi-signature setups in which several independently held keys must approve every spend, dedicated hardware security modules (HSMs), and transaction approval workflows in which the destination and amount are verified against a written authorization before anyone signs. The apparent use of a standard hardware wallet in a shared-management context, as described by prosecutors, indicates a gap between the technical complexity of cryptocurrencies and existing asset management protocols within some government bodies. A single-signature device shared by several people also defeats attribution: if one key can move the funds and several people can use it, the ledger alone cannot say who did. This gap represents a systemic risk as the volume of seized digital assets continues to grow worldwide.

The Broader Impact on Crypto Regulation and Enforcement

The financial loss, while significant, may have a more profound impact on regulatory confidence and operational tactics. First, it could strengthen regulatory arguments for stricter oversight of all cryptocurrency custody solutions, including those used by private entities. Second, it may force law enforcement agencies globally to audit and overhaul their digital evidence handling procedures. Finally, the incident provides a stark, real-world case study for legislators debating new digital asset laws, highlighting that security failures can occur at any point in the chain, even under state control. Moreover, the timing is critical.
South Korea has been actively refining its regulatory framework for cryptocurrencies, aiming to enhance consumer protection and prevent financial crime. A high-profile failure within the prosecutorial system itself could accelerate calls for more robust, standardized national protocols for handling digital assets. The event may also influence ongoing discussions about central bank digital currencies (CBDCs), where security and custody are paramount concerns for policymakers.

Conclusion

The suspected phishing attack leading to the loss of seized Bitcoin in South Korea serves as a warning for institutions worldwide. It demonstrates that even hardware wallets, when mismanaged or exposed to social engineering, can fail. The investigation underscores the urgent need for specialized, secure, and auditable custody frameworks for digital assets, particularly within law enforcement and government agencies. As cryptocurrency adoption progresses, developing and implementing such protocols will be essential to maintaining legal integrity and public trust. The South Korean incident is likely to become a benchmark case, driving significant changes in how seized digital assets are secured globally.

FAQs

Q1: What exactly happened in the South Korean seized Bitcoin case?
South Korean prosecutors lost seized Bitcoin worth tens of billions of won. They suspect a phishing attack compromised the hardware wallet storing the crypto, though insider theft is also under investigation because of the shared management of the assets.

Q2: How can a hardware wallet be vulnerable to a phishing attack?
A hardware wallet keeps the private key offline, but it must connect to software on a computer or phone to receive transactions and return signatures. If the user is lured to a phishing site and either types in the recovery phrase or approves a transaction the attacker prepared, the funds can be stolen without the device itself being hacked.

Q3: What does “shared management” of the seized assets imply?
It suggests that multiple individuals or departments had access to, or authority over, the hardware wallet and its credentials. This complicates the investigation, since it raises the possibility that someone with legitimate access intentionally stole the cryptocurrency, and a single shared device leaves no per-person audit trail to rule that in or out.

Q4: How do other countries typically handle seized cryptocurrency?
Methods vary. Many transfer seized crypto to government-controlled wallets, often using multi-signature technology or third-party custodian services with enterprise-grade security. Some, like the U.S. Department of Justice, eventually auction seized assets.

Q5: What are the likely long-term effects of this incident?
The case will likely pressure global law enforcement to adopt stricter, more secure digital asset custody protocols. It may also influence cryptocurrency regulation, emphasizing the need for robust institutional security standards and potentially accelerating the development of more secure custody solutions for government use.

This post South Korean Bitcoin Catastrophe: Prosecutors Pinpoint Phishing in Staggering Loss of Seized Crypto first appeared on BitcoinWorld.
25 Jan 2026, 19:08
John Lick Daghita’s flamboyant lifestyle outed him

John “Lick” Daghita’s sloppy story has taken an even more serious turn as ZachXBT reveals that his father allegedly owns CMDSS, a company currently doing work for a US government agency.

According to a new tweet from onchain sleuth ZachXBT, John is not just an opportunist who happens to know how to hack and has a deep grudge against the deep state. His name is reportedly John Daghita, and he looks more like a nepo-baby who may be abusing privileges from daddy dearest. Zach claims John’s father is Dean Daghita, the owner of CMDSS, a company that currently holds an active US government IT contract in Virginia. That contract specifically involves assisting the US Marshals Service (USMS) in managing and disposing of seized or forfeited crypto assets.

It all sounds mundane at first, but it comes together once one takes the recent scandal linked to John Lick into account. The contract access his father’s company enjoys is thought to have helped John obtain insider information or even direct access, which would have allowed him to steal from government-controlled wallets. According to Zach, it is still unclear how John may have gotten direct access. What is clear is that he is linked to digital crimes in which millions have vanished, and not only from government-controlled wallets. For now there have been no public arrests or DOJ confirmations, but the onchain evidence has been making the rounds across the internet, and law enforcement could eventually intervene.

John Lick Daghita’s flamboyant lifestyle outed him

Until two days ago, John Lick had avoided detection while holding over $20 million in crypto wallets. Things started to unravel when he got into a heated argument with another threat actor known as Dritan Kapplani Jr. in a group chat over who had more funds in crypto wallets. By the time the show-off session wrapped up, John had flaunted $23 million in total, moving the funds between wallets ZachXBT claims he clearly controls.
After that, Zach began tracing backwards to verify the source of funds and found that one of the wallets, the 0xc7a2 wallet, had previously received $24.9 million from a U.S. government wallet in March 2024. That transaction was linked to funds the government seized in the Bitfinex hack, and Zach had already flagged the same address in a post from October 2024. Another linked wallet, the 0xd8bc wallet, traces back to $63 million obtained from sketchy wallets during Q4 2025.

John just enjoys showing off

According to reports, it was only a matter of time before this happened, given how much John loves to show off. The Telegram account linked to him reportedly has a long history of bragging about his riches and broke-shaming people. His username is tied to TG ID 8269661864. After he was outed by Zach, he allegedly wiped his NFT usernames and quickly changed his screen name, but the damage was already done.

Zach later revealed that there are rumors circulating in cybercrime Telegram circles indicating John could be John Daghitia, who had previously been arrested in September 2025. He conceded that more research was needed to confirm it. Since he made the link between John and his father, Zach claims, the CMDSS company X account, website, and LinkedIn were all deactivated, and John Daghita (Lick) resumed trolling on Telegram shortly after.
25 Jan 2026, 11:49
Hackers Impersonate X Staff Using Compromised Scroll Founder Account

Scroll co-founder Ye Chen’s X account was hijacked in a phishing operation in which the attackers posed as platform employees to target crypto industry figures. The compromised account, which carries substantial influence among crypto leaders, began distributing fraudulent messages claiming copyright violations and threatening account restrictions unless recipients clicked a malicious link within 48 hours. The hackers restyled Chen’s profile to mimic X’s official branding, updating the bio to reference Twitter and nCino while warning followers about security breaches.

[Screenshot from X]

The attackers flooded the feed with reposts from X’s verified accounts to build perceived legitimacy, then launched their phishing campaign via direct messages.

Sophisticated Attack Mirrors Growing Pattern

The breach follows an established pattern in which hackers exploit trusted accounts to distribute malicious links disguised as urgent platform notifications. Recipients received messages appearing to come from X’s rights management team, complete with fake compliance warnings and time-limited appeals processes designed to create panic and short-circuit security awareness. X does not deliver copyright or account-status notices as direct messages from another user’s account, so a DM of that kind is a phishing indicator regardless of how official the sender’s profile looks.

Blockchain security researcher Wu Blockchain first identified the compromise and alerted the community to ignore any communications from the account. The warning emphasized particular concern given Chen’s extensive network of high-profile cryptocurrency executives, developers, and investors who might trust messages from his verified account.

Scroll co-founder @shenhaichen’s X account has been hacked and is currently sending phishing private messages impersonating X employees.
This account has a large following among prominent figures in the crypto industry; the community and users are advised to be aware of the… pic.twitter.com/ctXk2G0bQm — Wu Blockchain (@WuBlockchain) January 25, 2026

The attack is the latest in a series of social media compromises targeting crypto industry leaders, in which hackers increasingly exploit delegated account access and expired domain registrations to get around security measures, including two-factor authentication: a delegate with posting rights, or a recovery email at a domain the attacker has re-registered, sidesteps the second factor on the owner’s own login.

Industry Faces Relentless Social Engineering Wave

BNB Chain’s official account suffered a similar breach in October when hackers posted fake reward programs with phishing links after Binance co-founder CZ had warned followers against clicking suspicious content. The compromised account promoted fraudulent BSC token distributions, promising early payouts to users who voted on reward dates through malicious URLs designed to drain digital wallets.

Binance co-CEO Yi He’s WeChat account was also hijacked in December to promote meme coin schemes, with attackers running a coordinated pump-and-dump around the token MUBARA. Two wallets created hours before the breach accumulated 21.16 million tokens before dumping their holdings as retail traders piled in, netting the attackers roughly $55,000 and leaving later buyers exposed to the price collapse.

Changpeng Zhao @cz_binance warned that new co-CEO Yi He’s @heyibinance abandoned WeChat account was hacked and used to push a meme coin called MUBARA. #Binance #Memecoins https://t.co/sdyH325OMD — Cryptonews.com (@cryptonews) December 10, 2025

Other notable compromises include ZKsync and Matter Labs, whose accounts were hijacked in May through what the team described as “delegated accounts” with limited posting privileges. The hackers published false claims about an SEC investigation alongside fake airdrop promotions, triggering a 5% drop in the ZK token price despite a prior 38.5% weekly rally.
The prominent crypto media company Watcher.Guru also confirmed a breach of its account in March after fake Ripple-SWIFT partnership claims spread across its connected Telegram, Facebook, and Discord channels through automated content bots. The team suspects the compromise originated from a suspicious link with unusual query strings shared in their Telegram group weeks earlier.

Record Theft Year Exposes Escalating Threats

The crypto ecosystem saw over $3.4 billion stolen in 2025, according to Chainalysis’s 2026 Crypto Crime Report, with North Korean state-backed hackers accounting for a record $2.02 billion across fewer but increasingly sophisticated attacks.

Source: Chainalysis

The Democratic People’s Republic of Korea now accounts for 76% of all service compromises, bringing cumulative DPRK cryptocurrency theft to $6.75 billion since operations began. Personal wallet compromises surged to 158,000 incidents affecting at least 80,000 unique victims, triple the 54,000 cases recorded in 2022. Address poisoning drove December’s single largest loss, when one victim transferred $50 million to a fraudulent wallet whose address mimicked their intended destination; the scam works by seeding the victim’s history with dust transfers from a vanity address that matches the first and last characters of a real counterparty, so the wrong address gets copied from a truncated activity list. Private key leaks resulted in $27.3 million stolen from multi-signature wallets.

Personal Security Breaches Surge Across Platforms

Most recently, Ubuntu developer Alan Pope warned that attackers are hijacking Snap Store publisher accounts by registering expired domains linked to legitimate developers, then pushing malicious updates to previously trusted packages. The technique exploits automatic update systems and established trust signals, with at least two confirmed cases of wallet-stealing malware distributed through seemingly normal applications.

Hackers are exploiting trusted Snap Store packages to steal cryptocurrency by hijacking existing publisher accounts.
#Hack #Crypto https://t.co/YV5Yoiwb0F — Cryptonews.com (@cryptonews) January 21, 2026

Given these growing, multifaceted attack vectors, Better Business Bureau officials are warning consumers about phishing campaigns that lock X users out of their accounts, which are then used for cryptocurrency promotions. Kentucky journalist Jennie Rees described receiving direct messages from apparent colleagues asking for contest votes, only to find her account posting fake claims of an Audi purchase funded by crypto earnings after she clicked the malicious link.

The post Hackers Impersonate X Staff Using Compromised Scroll Founder Account appeared first on Cryptonews.
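The address-poisoning loss reported in the Chainalysis figures above is preventable at the point where a destination address is entered, because the poisoned address is by construction a near-duplicate of one already in the victim’s history. The following is an added example, not code from Cryptonews, Chainalysis or any wallet; it assumes EVM-style hex addresses, a small labelled address book and the wallet’s own transfer history, all of which are constructed sample data here:

```python
# Added example, not code from the article or any wallet: vet a destination address
# against the address book and transfer history before a transfer is approved.
# All addresses and transfers below are constructed sample data (EVM-style hex).
from typing import NamedTuple

class Transfer(NamedTuple):
    direction: str  # "in" or "out" from the victim's point of view
    counterparty: str
    value_wei: int

def normalize(addr: str) -> str:
    return addr.strip().lower()

def is_lookalike(candidate: str, known: str, prefix_len: int = 6, suffix_len: int = 4) -> bool:
    """True when candidate matches known at both ends (the part a truncated UI shows) but differs between."""
    c, k = normalize(candidate), normalize(known)
    if c == k or len(c) != len(k):
        return False
    return c[:prefix_len] == k[:prefix_len] and c[-suffix_len:] == k[-suffix_len:]

def dust_only_counterparties(history: list[Transfer], dust_threshold_wei: int) -> set[str]:
    """Addresses that only ever appear as senders of tiny inbound transfers: the poisoning signature."""
    seen: dict[str, list[Transfer]] = {}
    for t in history:
        seen.setdefault(normalize(t.counterparty), []).append(t)
    return {a for a, ts in seen.items()
            if all(t.direction == "in" and t.value_wei <= dust_threshold_wei for t in ts)}

def vet_destination(candidate: str, address_book: dict[str, str], history: list[Transfer],
                    dust_threshold_wei: int = 10**15) -> list[str]:
    """Return reasons to block or re-confirm the transfer; an empty list means the address is in the book."""
    c = normalize(candidate)
    book = {normalize(a): label for label, a in address_book.items()}
    if c in book:
        return []
    reasons = [f"shares prefix/suffix with '{label}' but the middle differs"
               for a, label in book.items() if is_lookalike(c, a)]
    if c in dust_only_counterparties(history, dust_threshold_wei):
        reasons.append("only seen as the sender of dust-sized inbound transfers")
    if not reasons and c not in {normalize(t.counterparty) for t in history}:
        reasons.append("never used before; confirm out of band")
    return reasons

# Constructed sample: the real exchange deposit address, a poisoned look-alike matching its
# first six and last four characters, and a history in which the look-alike sent two dust
# transfers so that it appears next to the real address in the activity list.
REAL = "0x1234ab" + "0" * 30 + "cafe"
POISON = "0x1234ab" + "f" * 30 + "cafe"
BOOK = {"exchange deposit": REAL}
HISTORY = [
    Transfer("out", REAL, 5 * 10**18),
    Transfer("in", POISON, 0),
    Transfer("in", POISON, 10**12),
]

if __name__ == "__main__":
    for addr in (REAL, POISON, "0xabcdef" + "1" * 30 + "0000"):
        print(addr[:8] + "..." + addr[-4:], vet_destination(addr, BOOK, HISTORY) or "in address book")
```

The prefix and suffix lengths are chosen to match what wallet UIs typically display when they truncate an address, which is exactly the part the attacker grinds a vanity address to reproduce. The “never used before” result is a soft warning that should prompt an out-of-band confirmation rather than a block; the look-alike and dust-only results should block, since a legitimate counterparty almost never satisfies either.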
24 Jan 2026, 19:55
$6.2M of the funds stolen during the SagaEVM exploit has been deposited into Tornado Cash

$6.2 million of the funds stolen in the SagaEVM exploit has been traced to deposits into Tornado Cash, a privacy mixer on Ethereum that obscures transaction trails. The tactic is common among attackers laundering large stolen sums, and it makes recovery close to impossible.

The exploit targeted SagaEVM, described as an L1 for launching L1s, on January 21. After the incident, the team posted on X that the chain had been paused at block height 6593800 in response to the confirmed exploit on the SagaEVM chainlet. “Mitigation is underway, and the team is fully focused on a solution,” the team wrote at the time.

How the hackers laundered the stolen funds

According to a report by blockchain security firm CertiK, the attackers first spread the funds across five separate wallets before funneling them into the mixer through multiple transactions. The exploit moved nearly $7,000,000 in USDC, yUSD, ETH, and tBTC to Ethereum mainnet. The exploiter’s wallet was identified and shared with exchanges and bridges so they could blacklist it and possibly reclaim the stolen funds. According to CertiK’s report, $6.2 million of those funds has now been split into deposits fed into Tornado Cash, which is expected to frustrate remediation and recovery efforts. The deposits add to the notoriety of Tornado Cash, whose past is checkered with US sanctions and legal issues that still plague its developers. Attackers continue to use it to obscure their trails after an exploit, and it does exactly what it was designed to do: help them disappear.

What happened to SagaEVM?

According to a post-mortem the team shared on January 21, the incident involved a coordinated sequence of contract deployments, cross-chain activity, and subsequent liquidity withdrawals. The document said the team paused the chain out of an abundance of caution while it actively investigated and mitigated.
It said the focus was on stopping further impact by keeping SagaEVM paused while mitigation was implemented, validating the full blast radius using archive data and execution traces, and hardening the relevant components before a restart. The components affected by the exploit were the SagaEVM chainlet, as well as Colt and Mustang. Others, including the Saga SSC mainnet, Saga protocol consensus, validator security, and other Saga chainlets, were unaffected. “There has been no consensus failure, validator compromise, or signer key leakage,” the document read. “The broader Saga network remains structurally sound.” The team said its next steps would be to complete root cause validation, patch and harden the affected cross-chain and deployment components, coordinate with ecosystem partners where relevant, and publish a more comprehensive technical post-mortem.

Vulnerability links back to Cosmos

After receiving support from Cosmos Labs engineers, the team revealed that the issue originated in the original Ethermint codebase, making it an inherited bug that other EVM chains built on that code may share. In response, Cosmos Labs said it was aware of the incident and had been working closely with Saga and external security partners to investigate and remediate the “confirmed vulnerability.” It said it had contacted a subset of EVM chains it deemed affected and provided short-term mitigations. “As always, we recommend all projects continue to implement baseline security practices such as rate-limiting and security monitoring to strengthen early detection and mitigation,” they wrote on X.
24 Jan 2026, 11:10
Paradex moves on from chain rollback triggered by maintenance bug with $650K refund

Paradex refunded $650,000 to about 200 users after a planned 30-minute maintenance upgrade on January 19 triggered unexpected liquidations across multiple markets on Paradex Chain. The platform shared a post-mortem on X on January 23 stating that an unexpected error during the database scale-up reset funding indices to zero, which distorted funding P&L and forced liquidations during the brief maintenance window. A funding index is the running cumulative funding rate for a market, and a position’s accrued funding is computed from the difference between the current index and the index at entry; zeroing it makes every open position’s funding appear to jump by the whole accumulated value at once, which is enough to push accounts past their liquidation threshold. Paradex confirmed that the issue was operational, not the result of a hack or security breach.

Paradex is an on-chain derivatives platform that lets traders take leveraged perpetual-futures positions while keeping custody of their funds, rather than depositing assets with a centralized exchange.

Paradex implements rollback after database upgrade malfunction

Incident Post-Mortem – Jan 19 What happened On Jan 19, a planned 30-minute maintenance window to upgrade our database (to support growing demand) encountered unexpected issues during the scale-up process. A race condition during a service restart, while critical data… — Paradex (@paradex) January 23, 2026

Paradex said a complete rollback to a healthy pre-maintenance state was necessary because the damage spread across many users and markets, making targeted fixes impractical. The platform briefly blocked access and restored the chain to a snapshot taken before the upgrade began. To keep the recovery controlled, it canceled all open orders except take-profit and stop-loss orders. During a brief post-only period that followed, a few users were hit by aggressive trades that skewed prices and caused further liquidations, mostly in PAXG. Paradex stated that it had refunded $650,000 to 200 accounts from the Liquidator Vault after auditing every account affected by improper liquidations (as well as other lingering issues).
It further said that by Monday, January 26, all remaining data inconsistencies on the Portfolio and Vault pages should be fixed. Following the incident, Paradex said it implemented stricter service restart procedures and additional data validation safeguards, a revised scale-up process for full-downtime maintenance windows, and price band protection for post-only periods. The exchange said these changes strengthen its ability to operate safely as the system scales. Paradex acknowledged the incident as its first chain rollback, describing it as “an undesired but necessary action to protect users and restore network integrity.”

Infrastructure failures expose fragility across global trading platforms

Recent incidents show how access to crypto markets and futures trading can be disrupted by operational and infrastructure failures rather than hacking. On October 10 of last year, the decentralized exchange dYdX suspended trading for around eight hours because of mispriced trades and liquidations caused by a code-ordering issue and delayed oracle restarts. Cryptopolitan reported that the exchange proposed a governance vote to compensate affected traders with up to $462,000 from the protocol’s insurance fund.

Apart from dYdX, the October 10 turmoil also put Binance’s trading services under pressure through sharp price swings, user complaints, and regulatory attention. Traders vented at Binance over technical issues that prevented them from closing their positions, including a depeg of Ethena’s USDe synthetic stablecoin on the venue and UI glitches that showed several tokens at prices below zero. Sources reported that Binance did not accept responsibility for traders’ losses, but the exchange nonetheless launched a $400 million assistance program for those affected.
The program included $100 million for affected industry participants and $300 million in token vouchers.

Technical failures have also hit traditional derivatives markets. In November 2025, the Chicago Mercantile Exchange (CME) halted trading for almost ten hours after a cooling failure at a CyrusOne data center in Illinois, prompting concern among traders. In the same month, the internet infrastructure provider Cloudflare reported an “internal service degradation” that took down the front ends of numerous major cryptocurrency platforms, temporarily leaving users unable to reach exchanges, wallets, and data dashboards. The outage affected crypto firms including Coinbase, Blockchain.com, BitMEX, Ledger, and DefiLlama.
24 Jan 2026, 10:05
BNB Chain points to past vulnerability in CoinMarketCap account hack

The BNB Chain team has revealed it is looking into a suspected compromise of its CoinMarketCap profile after attackers posted an AI-generated picture to it. BNB Chain’s Chief Growth Officer, Nina Rong, announced the compromise on X late on January 23, saying the team had received reports that its CoinMarketCap account had been hacked. At the time, she said they were still confirming the details with the security and internal audit team, and she warned users to be cautious about making investment decisions based on any content posted on social media.

How was the BNB Chain account compromised?

Some hours after her first post, Rong shared an update with the results of the investigation. According to her, the findings led the team to believe the attack originated from a previous vulnerability in the CoinMarketCap community platform. “We have taken immediate action to keep the account secure and added safeguards to prevent a recurrence,” Rong wrote on X. In the official post-mortem, the community was commended for the vigilance that helped flag the compromise quickly. “Security and user protection remain top priorities, and we’ll continue to monitor the situation closely,” the post-mortem read. The earlier CoinMarketCap vulnerability she referred to surfaced in June last year, when the security team identified a problem with a doodle image displayed on its homepage.

BNB Chain’s account was hacked in 2025

Unlike the AI-generated image posted to BNB Chain’s account, which seemed harmless, the doodle image the attackers placed on June 20, 2025 contained a link that triggered malicious code via an API call, producing an unexpected popup for some users who visited the homepage. Once discovered, the CoinMarketCap team moved to remove the problematic content.
They identified the root cause and put measures in place to isolate and mitigate the issue. “We can confirm all systems are now fully operational, and CoinMarketCap is safe and secure for all users,” the team wrote in the post-mortem at the time.

Account compromise has led to memecoins

The AI-generated picture posted to BNB Chain’s CoinMarketCap account depicted crypto’s golden boy, Changpeng Zhao, posing with a pup named WAFFLE wearing a Binance hat. People on X seem to believe the same people behind the image may have bundled or promoted a memecoin called $WAFFLE on the BNB Chain. The picture made it look like an official endorsement from the BNB Chain team or, at the very least, a fun tie-in. The opportunists did not wait long before pulling the rug on the token at around a $40k market cap. After the rug, however, the BNB trenches took over, running a community takeover (CTO) in an attempt to revive the token.

The playbook is not new. In a similar earlier incident, hackers promoted a memecoin called $4, which pumped as much as 500% before they rugged it for around $4k in profit. Victims were later compensated, and rather than letting the token die, the BNB community rallied to “mock the hacker”: they collectively bought the token and pumped it higher than it had been, flipping off the scammer and turning it into a viral narrative. Even CZ got involved at the time, highlighting what happened in a post on X where he noted the hacker “dumped ALL his tokens for a $4k gain,” while “the community took over and bought the meme coin higher, as a mock to the hacker. Funniest come back by the community!” he wrote. Following the CTO and that vague endorsement from CZ, the token ran on steroids, reaching a peak of around $200M market cap at one point and helping many traders make bank in the process.
The token became yet another symbol of community resilience on the BNB Chain and spawned related hype around BNB’s Four.meme as a token launchpad.