Fortis · By Totemic Investors
Over $610 million in crypto was stolen in the last 12 months.
How exposed is your portfolio?
We help crypto investors understand and reduce the risks hidden in their holdings — the exchanges they trust, the protocols they use, the wallets they sign from.
Why this matters to you.
If you hold tokens in a hot wallet, use a centralized exchange, interact with DeFi, or have ever signed a token approval — at least one of these incidents involved a risk that applies to you.
The losses are happening right now.
Recent significant incidents across the industry, newest first.
| Date | Target | Loss | Attack class | Summary | Source |
|---|---|---|---|---|---|
| Apr 19, 2026 | Kelp DAO Multi-chain | $293.0M | Bridge & cross-chain attack | Attackers exploited a single point of trust in the cross-chain messaging infrastructure used by a major liquid-staking protocol, minting unbacked tokens and draining hundreds of millions in collateral. | Cointelegraph coverage → |
| Apr 15, 2026 | Zerion Off-chain | $100K | AI-powered social engineering | Attackers used AI-driven social engineering in a long-running campaign to steal roughly $100K from the wallet provider's hot wallets — an early example of AI-augmented phishing succeeding against a security-aware team. | Zerion disclosure coverage → |
| Apr 15, 2026 | Drift Protocol Solana | $280.0M | Protocol exploit | A decentralized trading platform was drained of roughly $280M in an exploit linked to North Korean threat actors. | Crypto.news coverage → |
| Mar 22, 2026 | Resolv Labs Ethereum | $25.0M | Private-key compromise | An off-chain service holding a privileged private key was compromised, letting an attacker mint $25M of unbacked stablecoins. | OWASP SC Top 10 commentary → |
| Jan 21, 2026 | SagaEVM bridge Multi-chain | $7.0M | Bridge & cross-chain attack | An integer boundary bug in cross-chain message handling let an attacker manipulate transferred values and extract $7M. | Dev.to writeup → |
| Sep 1, 2025 | Symbiosis Multi-chain | $5.3M | Bridge & cross-chain attack | Source-chain event leakage enabled MEV bots to sandwich cross-chain transactions on the destination chain, extracting $5.27M from users. | OWASP commentary → |
| Sep 3, 2024 | Penpie Ethereum | $27.0M | Protocol exploit | A flaw in a staking contract let an attacker repeatedly call back into it mid-transaction and drain $27M in ETH from the DeFi protocol. | TechTarget summary → |
| Mar 28, 2024 | PrismaFi Ethereum | $11.6M | Protocol exploit | A flash loan was used to manipulate the price of an asset within the protocol, letting the attacker artificially inflate collateral and extract funds. | Nethermind writeup → |
| Mar 25, 2024 | Abracadabra Money Ethereum | $13.0M | Protocol exploit | Attackers used a flash loan to exploit logic flaws in the lending platform and steal roughly $13M in ETH. | TechTarget summary → |
| Mar 13, 2023 | Euler Finance Ethereum | $197.0M | Protocol exploit | An attacker chained flash loans with collateral-calculation flaws to drain $197M from a major lending protocol — funds were later largely returned after negotiation. | SecureDApp writeup → |
| Feb 2, 2023 | Orion Protocol Multi-chain | $3.0M | Protocol exploit | A flaw in a token-swap function let an attacker repeatedly re-enter the contract and drain liquidity from the trading platform. | ChainSec timeline → |
| Dec 25, 2022 | Rubic Multi-chain | $1.4M | Private-key compromise | Attackers gained access to an admin's private keys and drained the cross-chain swap service of $1.4M. | ChainSec timeline → |
| Oct 6, 2022 | BNB Chain bridge BNB Chain | $100.0M | Bridge & cross-chain attack | An exploit in the cross-chain bridge let attackers mint roughly $100M in unauthorized tokens; the chain itself was paused as an emergency response. | ChainSec timeline → |
| Oct 1, 2022 | Transit Swap Multi-chain | $21.0M | Protocol exploit | An internal bug in a swap contract on a multichain DEX aggregator let attackers steal $21M; partial recovery followed. | ChainSec timeline → |
| Apr 17, 2022 | Beanstalk Ethereum | $182.0M | Governance takeover | An attacker took a massive flash loan to gain a supermajority of governance votes and instantly passed a proposal that drained $182M from the protocol's treasury. | Hacken writeup → |
| Dec 13, 2021 | Vulcan Forged Multi-chain | $140.0M | Private-key compromise | 96 user private keys were stolen from a crypto gaming ecosystem, allowing the attacker to drain $140M from affected wallets. | ChainSec timeline → |
| Dec 2, 2021 | Badger DAO Ethereum | $120.0M | Approval & permission scam | Attackers compromised the protocol's frontend to inject malicious approval requests, draining roughly $120M from users who unknowingly signed away wallet permissions. | ChainSec timeline → |
| Oct 27, 2021 | Cream Finance Ethereum | $130.0M | Price-feed manipulation | Flash-loan-driven price manipulation on the lending protocol's collateral price feed let an attacker borrow $130M against artificially inflated collateral. | Industry recap → |
| May 19, 2021 | PancakeBunny BNB Chain | $45.0M | Price-feed manipulation | An attacker used a series of flash loans to manipulate the protocol's pricing logic and mint massive quantities of the native token, dumping it for $45M. | Industry recap → |
| Jun 17, 2016 | The DAO Ethereum | $60.0M | Protocol exploit | $60M was drained from the first major on-chain investment fund, forcing the Ethereum chain to split. Historical, but still the canonical case study. | Industry recap → |
Attackers exploited a single point of trust in the cross-chain messaging infrastructure used by a major liquid-staking protocol, minting unbacked tokens and draining hundreds of millions in collateral.
Cointelegraph coverage →Attackers used AI-driven social engineering in a long-running campaign to steal roughly $100K from the wallet provider's hot wallets — an early example of AI-augmented phishing succeeding against a security-aware team.
Zerion disclosure coverage →A decentralized trading platform was drained of roughly $280M in an exploit linked to North Korean threat actors.
Crypto.news coverage →An off-chain service holding a privileged private key was compromised, letting an attacker mint $25M of unbacked stablecoins.
OWASP SC Top 10 commentary →An integer boundary bug in cross-chain message handling let an attacker manipulate transferred values and extract $7M.
Dev.to writeup →Source-chain event leakage enabled MEV bots to sandwich cross-chain transactions on the destination chain, extracting $5.27M from users.
OWASP commentary →A flaw in a staking contract let an attacker repeatedly call back into it mid-transaction and drain $27M in ETH from the DeFi protocol.
TechTarget summary →A flash loan was used to manipulate the price of an asset within the protocol, letting the attacker artificially inflate collateral and extract funds.
Nethermind writeup →Attackers used a flash loan to exploit logic flaws in the lending platform and steal roughly $13M in ETH.
TechTarget summary →An attacker chained flash loans with collateral-calculation flaws to drain $197M from a major lending protocol — funds were later largely returned after negotiation.
SecureDApp writeup →A flaw in a token-swap function let an attacker repeatedly re-enter the contract and drain liquidity from the trading platform.
ChainSec timeline →Attackers gained access to an admin's private keys and drained the cross-chain swap service of $1.4M.
ChainSec timeline →An exploit in the cross-chain bridge let attackers mint roughly $100M in unauthorized tokens; the chain itself was paused as an emergency response.
ChainSec timeline →An internal bug in a swap contract on a multichain DEX aggregator let attackers steal $21M; partial recovery followed.
ChainSec timeline →An attacker took a massive flash loan to gain a supermajority of governance votes and instantly passed a proposal that drained $182M from the protocol's treasury.
Hacken writeup →96 user private keys were stolen from a crypto gaming ecosystem, allowing the attacker to drain $140M from affected wallets.
ChainSec timeline →Attackers compromised the protocol's frontend to inject malicious approval requests, draining roughly $120M from users who unknowingly signed away wallet permissions.
ChainSec timeline →Flash-loan-driven price manipulation on the lending protocol's collateral price feed let an attacker borrow $130M against artificially inflated collateral.
Industry recap →An attacker used a series of flash loans to manipulate the protocol's pricing logic and mint massive quantities of the native token, dumping it for $45M.
Industry recap →$60M was drained from the first major on-chain investment fund, forcing the Ethereum chain to split. Historical, but still the canonical case study.
Industry recap →The risk categories you’re probably exposed to.
Recognize yourself in any of these? Most investors are exposed to at least three.
If your funds sit on an exchange or with a custodian, they're not yours during a breach, freeze, or insolvency. Recovery, when it happens, is partial and slow.
Recent example →One bad signature can empty a wallet that took years to build. Drainer kits are sold off-the-shelf and target investors through fake airdrops, fake support, and lookalike sites.
Recent example →Even audited protocols get drained. Audits are a snapshot in time, not a guarantee of safety. Funds in DeFi are exposed to bugs the protocol team itself didn't see.
Recent example →Moving tokens between chains is one of the highest-risk things you can do. Bridges concentrate value and trust assumptions, and have produced some of the largest single-day losses in the industry.
Recent example →In 2026, the “support agent” on your call may not be a person. Voice cloning and live deepfakes are reaching investors, founders, and signers — including ones who thought they’d recognize a fake.
Recent example →You may have already signed away access to tokens you still hold. Old approvals to dead apps and compromised contracts sit in your wallet until something on the other side calls them.
Recent example →How we help.
Portfolio risk assessment
We map your holdings — exchanges, wallets, protocols, approvals — to the attack categories that actually apply to you.
Custody & operational review
Wallet setup, signing process, recovery plan. Where the single points of failure are, and how to remove them.
Ongoing monitoring & advisory
For portfolios above a threshold, we monitor exposure as the threat landscape shifts and your holdings change.
Not financial advice. Independent security advisory only.
Find out where you’re exposed.
Tell us a little about your portfolio and we’ll come back with where the real risks are. One business day, no obligation, no sales pressure.
Not ready to talk yet? Get the monthly threat brief.
One email a month with the same incident data you see above — condensed, contextualized, no spam.
Data sourced from
Further reading: OWASP Smart Contract Top 10 · OWASP Top 10 Web3 Attack Vectors.