BlockThreat - Week 19, 2026
$8.8M stolen across 13 incidents. The biggest warning signs were not the hacks, but two emerging threat signals pointing toward the next $100M+ incident.
More than $8.8M stolen this week across 13 incidents, most of it from just two hacks. Trusted Volumes ($6.7M) had an interesting kill chain by an attacker who clearly done their homework on an older 1inch exploit. Ekubo ($1.4M) was weirder with an arbitrary call payload assembled from multiple primitives inside a Huff contract.
Both are excellent case studies. However, BlockThreat’s job is not only to document what happened last week, but to identify threat signals that point to the next $100M+ incident. That means focusing on a few incidents that tend to slip under everyone’s radar.
In this edition, we cover a few such threat signals that DeFi protocols should add to their threat models immediately, a great case study of a DeFi protocol using defense in depth to fight off attackers, the latest on the Arbitrum Security Council and DeFi United recovery efforts, recent arrests and seizures, phishing and malware campaigns targeting DeFi developers, and post-mortems with root cause analysis for all 13 incidents this week. As always, we also cover plenty of defensive and offensive security research and tooling.
One quick reminder before we get started. This is the final week to support BlockThreat in the Ethereum Security QF Round which closes May 14. Donations sustain BlockThreat, fund free subscriptions for students and small projects, and enable public-good work like special reports, BlockThreat Today, and the Top 10 DeFi Attack Vectors. Quadratic funding means broad participation matters more than large individual donations, so even $5 or $10 helps unlock matching from the 500 ETH pool.
Donate here: