Series of crypto hacks in May expose keys and bridge flaws

2049.news · 20.05.2026, 11:25:04

Over recent weeks the crypto sector experienced multiple breaches, ranging from token mint exploits to administrator key compromises and supply‑chain attacks.

Echo Protocol (Monad)

The incident was nominally reported as a $76 M loss, but the effective loss was about $816 K after remediation by the team.

An attacker compromised the administrative key for the $eBTC contract and minted 1 000 $eBTC (≈$76.6 M), then began laundering funds via Curvance, Ethereum and Tornado Cash.

The project restored control over the keys and burned 955 $eBTC recovered from the attacker; the $ECHO token fell by 11%.

Monad itself avoided protocol damage, but teams froze cross‑chain operations and paused several bridges and lending products on Aptos as a precaution.

Verus–Ethereum bridge

The bridge suffered an outflow valued at approximately $12 M after reserves were released without verifying on‑chain backing on the Verus side.

The attacker withdrew 1.625 ETH, 103 tBTC and 147 K USDC, exploiting a logic gap rather than key compromise.

THORChain

Another cross‑chain loss totaling about $10 M followed, with details still being clarified but showing a similar bridge‑reserve pattern.

Bridges remain a leading root cause: across eight major incidents since the start of 2026 the industry has reported combined losses of $328.6 M, excluding the newest cases.

TrustedVolumes (07.05.2026)

The protocol lost about $5.87 M after a public authorization function in a custom RFQ proxy allowed any address to register as an allowed order signer.

Because the contract validated the attacker’s receiver permission rather than the real liquidity owner, one transaction drained 1.291 WETH, 206.282 USDT, 16.939 WBTC and 1.268.771 USDC.

After the incident, the team, which had been silent for over a year, returned to X with a public notice about the exploit.

Wasabi Protocol

No smart contract bug was involved; an attacker obtained the private key of the single EOA administrator and used it to execute upgrades and drains.

The wallet wasabideployer.eth held unlimited ADMIN_ROLE across upgradable vaults without multisig, timelock or governance protections, enabling rapid emptying.

More than a dozen vaults across Ethereum, Base, Berachain and Blast were drained, with 840.9 WETH moved in a single transaction.

npm ecosystem supply‑chain compromise (11.05.2026)

Attackers compromised over 170 npm packages totaling 518 million downloads, impacting projects including TanStack and packages tied to Mistral AI, UiPath and Guardrails AI.

A malicious hook inserted into .claude/settings.json executed when repositories opened in Claude Code and persisted after package removal and reload.

OpenAI confirmed a compromise of two corporate devices and signing certificates for macOS, iOS and Windows used in the incident.

Context and outlook

The May incidents highlight recurring vectors: compromised administrator keys, authorization logic flaws in smart contracts, and developer‑tooling supply‑chain risks driving notable monetary losses.
