Unverified smart contracts were linked to at least $36.7 million in losses across four DeFi exploits over the past six months, as attackers increasingly target protocols whose source code is not publicly available, according to Chainalysis.

The largest incident involved Truebit, which lost $26.2 million after an attacker exploited an integer overflow vulnerability in a contract that had remained unverified on Ethereum since 2021. The other incidents involved Trusted Volumes, Aperture Finance and Ekubo, according to the report.

In each case, the exploited contract had not been verified on a blockchain explorer, meaning its source code was not publicly available for review. According to Chainalysis, that limited scrutiny from security researchers and excluded the contracts from many bug bounty programs despite controlling user funds.

Five protocols saw exploits on unverified smart contracts. Source: Chainalysis

Chainalysis attributed the trend in part to advances in decompilation tools and artificial intelligence, which can help attackers reverse-engineer smart contract bytecode and identify vulnerabilities even when source code is not publicly available. According to the report, what once required “a skilled reverse engineer spending days on a single contract” can now be partially automated across large numbers of unverified contracts.

The report challenges a longstanding assumption in DeFi that keeping smart contract code private provides an additional layer of security. According to Chainalysis, protocols relying on hidden code are increasingly depending on “obscurity as a security measure,” an approach the company said is rapidly losing effectiveness. 

Chainalysis recommended source code verification, broader bug bounty coverage and real-time monitoring tools as safeguards against future exploits.

Related: Humanity Protocol token falls 85% amid $30M private key exploit

DeFi security concerns persist after record April losses

The report comes amid a broader rise in crypto exploits. According to DeFiLlama, hackers stole $629.7 million in April alone, the highest monthly total since February 2025.

Two incidents accounted for most of the losses. KelpDAO lost $293 million and Drift Protocol suffered a $280 million exploit, together representing more than 80% of the month’s stolen funds.

Although losses fell sharply in May, with CertiK reporting $68.3 million stolen from cryptocurrency exploits, the fallout from April’s largest attacks continued. In June, blockchain intelligence platform Arkham reported that the attacker behind the KelpDAO exploit had laundered nearly all of the roughly $220 million in unfrozen stolen funds.

Kelp DAO Hacker-tagged wallet, total balance. Source: Arkham

The KelpDAO exploit also prompted several DeFi protocols to review their security infrastructure, with projects including Solv Protocol announcing plans to migrate to Chainlink’s crosschain infrastructure following internal security reviews.

This month, Anthropic said 560 of the 832 accounts it banned for policy violations over a one-year period had used AI to help prepare cyberattacks, including writing malware and identifying vulnerabilities.

Magazine: The legal battle over who can claim DeFi’s stolen millions

The United Kingdom’s decision to sanction HTX, the exchange operated by Huobi Global’s Panamanian affiliate, has sparked debate across the crypto industry about the collateral damage sanctions can unleash on legitimate users and the broader DeFi compliance ecosystem. While authorities argue the move targets Russia-linked financial networks, researchers and on-chain investigators say the blanket approach may blur lines between illicit and ordinary activity and complicate decen­tralized tracing efforts.

Key takeaways

• The UK added HTX (Huobi Global S.A.’s entity behind HTX) to sanctions, citing indications of support for Russia’s government through sanctioned entities A7 and Garantex. The step broadens the choke point for HTX’s operations.
• Industry observers argue the designation risks penalizing ordinary users and could undermine long-running efforts to promote on-chain compliance in DeFi, especially around illicit-fund tracing.
• A Global Ledger analysis, cited by industry coverage, tallies HTX as processing about $21.06 billion in high-risk crypto flows from 2021 through May 2026, with roughly $7.64 billion connected to Russian-linked entities and darknet markets.
• Downstream effects have surfaced, including a DeFi project freezing HTX-linked addresses and HTX itself delisting a rival’s USD1 stablecoin and halting several trading pairs.

Regulatory action and its immediate implications

On May 26, the UK government sanctioned Huobi Global S.A., the Panamanian entity behind the HTX exchange, in connection with alleged support for Russia’s government through certain financial services and funds attributed to sanctioned entities such as A7 Limited Liability Company and Garantex. The sanctions connect HTX to a broader framework aimed at curbing Russia-related financial activity and signals the UK’s willingness to pursue cross-jurisdictional enforcement in crypto markets.

HTX has subsequently denied the allegations, emphasizing that the sanctioned entity is a separate corporate vehicle from the online exchange. The dispute highlights a frequent tension in crypto policy: where to draw the line between a platform and the corporate entities behind it, and how to apply sanctions without unduly penalizing users who may have legitimate activity on the platform.

The move also dovetails with a string of UK regulatory actions targeting crypto promotions and exchange operators, raising questions about how different arms of government—policy, enforcement, and sanctions—interact in crypto markets. For context, UK authorities have previously pursued actions against HTX’s parent or affiliates alongside other sanctions measures against Huobi-linked entities.

Data-driven debates over the efficacy and consequences of such sanctions have intensified. In one analysis cited by researchers and journalists, HTX’s on-chain activity is described as having included substantial high-risk flows in the period 2021 through May 2026. While the total volume remains subject to ongoing verification, a sector-wide review has flagged notable Russian-linked flows and activity tied to known darknet markets.

Voices from the research and security community

Several prominent researchers and on-chain investigators weighed in on the implications for enforcement and compliance practices. Galaxy Digital’s head of research, Alex Thorn, argued on X that classifying “all of HTX” under sanctions could be problematic given the platform’s broad user base and the privacy-preserving nature of DeFi tools. Thorn pointed to the divergent practices among stablecoin issuers when it comes to freezing or restricting tokens, suggesting that blanket sanctions may not align with how different protocols assess risk and compliance.

Security researcher Taylor Monahan, also posting on X, contended that sweeping sanctions against HTX risk undermining established efforts to coordinate DeFi safeguards against stolen or illicit funds. Monahan emphasized that a majority of HTX users are legitimate and should not be penalized by association alone.

Crypto investigator ZachXBT added a pointed critique, describing the sanctions as an overreach and noting that on-chain tainting of HTX addresses could undermine tracing work essential to risk management. He warned that when risk categories become too broad, the practical value of tracing decreases, potentially hampering legitimate investigations and compliance workflows.

These perspectives underscore a broader industry concern: sanctions can blur the distinction between malicious actors and ordinary users, complicating the use of on-chain analytics as a risk-management tool and potentially driving legitimate activity underground or toward less-regulated alternatives.

For context, the discourse follows UK sanctions against Huobi Global S.A. in connection with HTX, linked to allegations of Russia-related support via intermediaries such as A7 and Garantex. The industry’s response reflects a tension between national security aims and the practical realities of operating in a decentralized, borderless financial system.

On-chain impact and downstream signaling

Beyond policy debates, the sanctions have produced observable downstream effects. A DeFi project—World Liberty Financial, associated with Trump-linked activity—responded to sanctions considerations by freezing HTX-linked addresses as part of its compliance checks. HTX then delisted this project’s USD1 stablecoin and suspended several trading pairs, signaling how sanction regimes can trigger rapid reconfigurations across the interconnected DeFi landscape.

The sanctioning itself has drawn attention to the broader question of how on-chain enforcement evolves when large, cross-border platforms are implicated. A Global Ledger report highlighted in industry coverage points to HTX processing approximately $21.06 billion in high-risk crypto flows from 2021 through May 2026, with at least $7.64 billion tied to Russian high-risk entities and darknet markets (including Garantex, its successor Grinex, A7A5 and Hydra). While such figures are contentious and subject to methodological caveats, they illustrate the scale of activity that regulators and policymakers are attempting to influence through targeted measures.

Critics argue that while sanctions aim to disrupt illicit networks, the on-chain consequences for legitimate users—ranging from freezing funds to tainting addresses—could complicate normal trading and risk management, potentially driving activity toward less transparent venues. The tension between enforcement objectives and practical usability for compliant users remains a focal point for investors, developers, and exchanges contemplating risk controls and due diligence standards.

What this means for the market and future policy

For investors and builders, the UK HTX action serves as a reminder that regulatory risk remains a material factor in cross-border exchange activity. Sanctions can rapidly alter the operational landscape, including how on-chain analytics are used for compliance and how counterparties assess risk in real time. The responses from researchers also illustrate that enforcement choices may shape how protocols implement sanctions screening, how they coordinate with cross-border regulators, and how they design governance around asset lists and blacklists in a decentralized environment.

Looking ahead, market participants will be watching whether the sanctions regime surrounding HTX prompts additional, more precise guidance on which entities and activities are targeted and how due process is applied. Questions remain about the consistency of enforcement across jurisdictions and the degree to which sanctions risk can be anticipated by exchanges, wallets, and DeFi protocols that rely on open, permissionless on-chain activity. Additionally, observers will be watching to see whether sanctioned entities refocus their strategies, whether more sanctions-linked data becomes publicly accessible, and how institutional risk tooling adapts to evolving regulatory expectations.

In sum, the HTX sanctions illuminate a pivotal moment in crypto policy: authorities aim to curb support to malign networks, but the path forward will require careful calibration to protect legitimate users and maintain the integrity of on-chain ecosystems that rely on transparent, auditable flows of funds.

Readers should monitor ongoing regulatory updates, industry responses from compliance teams, and the evolution of on-chain tracing practices as the sector navigates this complex, high-stakes landscape.

The Hashgraph Group and Merck have integrated the German tech maker’s product authentication technology with TrackTrace, a Hedera-based digital product passport platform introduced in February, as businesses seek to comply with new European Union supply-chain transparency and traceability requirements.

Under the arrangement, Merck’s M-Trust technology embeds security markers into products and packaging that can be verified with a handheld scanner. Authentication data is then recorded on The Hashgraph Group’s TrackTrace platform, creating a digital record linked to a product’s Digital Product Passport.

The companies said the integration combines physical product authentication with blockchain-based traceability, allowing businesses to verify both the authenticity of a product and the records associated with it.

Source: The Hashgraph Group on X.com

The platform targets two emerging EU compliance frameworks: Digital Product Passports under the Ecodesign for Sustainable Products Regulation and traceability requirements under the EU Deforestation Regulation.

Merck is a science and technology company focused on healthcare, life sciences and electronics, while Swiss-based Hashgraph develops enterprise blockchain and AI applications within the Hedera ecosystem.

According to the companies, the technology has already been demonstrated in an undisclosed supply-chain pilot. Potential use cases include food, pharmaceutical, luxury goods and electronics supply chains, where businesses face increasing scrutiny over sourcing and product authenticity.

Related: ECB pushes back on euro stablecoin proposals, citing financial stability risks

EU sustainability rules create market for product traceability

The collaboration comes as companies prepare for forthcoming Digital Product Passport requirements under the European Union’s Ecodesign for Sustainable Products Regulation (ESPR), which entered into force in July 2024.

The regulation applies to most physical goods sold in the EU and forms part of the European Green Deal, a broader effort to improve resource efficiency, expand the circular economy and increase transparency around product environmental impacts.

Source: European Commission

Interest in blockchain-based trade and supply-chain infrastructure extends beyond the EU. In March, authorities in Hong Kong and Shanghai agreed to study a blockchain-based cross-border platform under the Hong Kong Monetary Authority’s Project Ensemble initiative, which explores tokenized market infrastructure and digital financial rails.

The project will examine how trade documentation and commercial data can be integrated into trade finance applications, with the goal of streamlining cross-border commerce and related financial services.

Magazine: Vietnam preps crypto pilot, HK pushes tokenization: Asia Express

StarkWare has launched a new privacy framework for Starknet tokens that allows users to conceal balances and transaction details while preserving tools for compliance reviews and regulatory disclosures.

According to StarkWare, the newly released STRK20 standard brings privacy features to ERC-20 tokens on Starknet by enabling users to shield balances and transaction information on-chain.

The framework was announced on Tuesday as developers across the crypto industry continue looking for ways to offer transaction privacy without removing oversight mechanisms relied upon by institutions, exchanges, and regulators.

Providing details on how the system works, StarkWare co-founder and CEO Eli Ben-Sasson notes that STRK20 should not be viewed as a guarantee of regulatory approval or legal compliance. Instead, he said the framework follows a risk-based approach where privacy remains conditional.

Ben-Sasson explained that screening occurs before assets enter shielded pools and that viewing-key technology can be used to disclose information when lawful requests require access.

Unlike traditional privacy-focused cryptocurrencies that seek to obscure most transaction data, STRK20 introduces disclosure tools designed to balance confidentiality with accountability. 

Under the model described by StarkWare, transaction details remain hidden from the public while authorized disclosure remains possible under specific circumstances.

Privacy tools are adding disclosure mechanisms

Elsewhere in the sector, developers are adopting similar approaches to encrypted transactions. According to an announcement published on June 8, Sui opened public testing for confidential transfers on its Devnet. The feature encrypts token balances and transfer amounts while leaving sender and recipient addresses, token types, and transaction timestamps visible on-chain.

As reported by crypto.news, Sui stated that authorized parties can access relevant data when required for auditing or compliance purposes. A Testnet rollout is scheduled for later this year.

Rather than removing transparency entirely, the Sui design keeps selected transaction information visible while concealing financial details. The network described the system as a way to support privacy requirements without limiting access for compliance teams and auditors.

Taken together, the launches from StarkWare and Sui highlight how blockchain developers are increasingly incorporating controlled disclosure features into privacy products instead of relying on complete anonymity.

Recent events have increased focus on oversight

At the same time, several privacy-focused projects have recently faced scrutiny over compliance and operational safeguards.

Earlier this month, blockchain privacy company Zama said it would speed up work on its compliance roadmap after approximately $12.5 million in USDC held within its confidential USDC wrapper was frozen under a court order. According to Zama, the restriction was later removed once the underlying legal request was resolved.

Following the incident, the company highlighted disclosure tools and regulatory coordination procedures available for encrypted transactions.

Meanwhile, developers behind Zcash recently disclosed a vulnerability that raised concerns about the possible creation of counterfeit tokens. According to the project, an emergency network upgrade completed in early June addressed the issue, and no evidence of exploitation has been found.

Zcash developers noted that reconstructing historical activity inside shielded pools can be difficult after vulnerabilities are disclosed, a limitation that has renewed discussion around how privacy systems can provide confidentiality while still supporting verification and oversight when needed.

TLDR

• Paradigm and Hyperliquid Policy Center urged the U.S. Treasury to revise the proposed AML rule for stablecoin issuers.
• The groups argued that secondary market liability would impose obligations issuers cannot control.
• They supported FinCEN’s focus on primary market compliance where issuers know their customers.
• The letter asked regulators to narrow the definition of stablecoin payment-related activity.
• Hyperliquid Foundation funded the advocacy group with about $29 million worth of HYPE tokens.

Paradigm and Hyperliquid Policy Center urged the U.S. Treasury to revise a proposed anti-money laundering rule. The groups said the draft would impose strict liability on stablecoin issuers for transactions they cannot control. They asked regulators to narrow certain provisions before finalizing implementation under the GENIUS Act.

Hyperliquid and Paradigm Outline Concerns Over Secondary Market Liability

Paradigm and Hyperliquid Policy Center submitted a joint letter to the Treasury on Tuesday. The letter addressed a proposal issued in April by FinCEN and OFAC. The agencies seek to implement GENIUS Act provisions under the Bank Secrecy Act.

The proposal would treat stablecoin issuers as financial institutions for compliance purposes. However, the groups said some obligations extend beyond primary market activity. They argued that secondary market rules would create strict liability for actions issuers cannot police.

The letter stated, “We broadly support the proposed rule,” and endorsed FinCEN’s focus on primary market compliance. The groups supported tailoring obligations where issuers know their customers. They urged agencies to clarify or narrow secondary market requirements.

They said issuers only see wallet addresses and transaction amounts in public blockchain environments. Therefore, they argued that agencies should align AML and sanctions requirements with that reality. They warned that smart contract liability would exceed issuer control.

They wrote, “An issuer facing obligations it cannot meet on the secondary market has a strong incentive to deploy only to permissioned environments.”

They added that such an outcome would remove U.S.-regulated stablecoins from DeFi platforms. They stated that offshore alternatives could fill any resulting gap.

Groups Propose Specific Revisions Under GENIUS Act Framework

The joint letter recommended narrowing the definition of “payment stablecoin-related activity.” The groups also asked regulators to reconsider OFAC’s treatment of smart contract interactions. They said the current draft extends liability beyond issuer capacity.

The GENIUS Act passed last year with support from President Donald Trump’s administration. Lawmakers advanced the legislation to provide clearer rules for digital assets. Regulators now work through the rulemaking phase before full implementation.

Hyperliquid Foundation established the Hyperliquid Policy Center in February. The foundation funded the group with roughly $29 million worth of HYPE tokens. Jake Chervinsky serves as the center’s chief executive officer.

Paradigm backed Hyperliquid and supported the center’s advocacy efforts. The venture firm co-signed the letter addressed to Treasury officials. The document forms part of the public comment process.

FinCEN and OFAC will review submitted comments before issuing a final rule. The agencies proposed the draft in April under existing statutory authority. The implementation phase continues as regulators evaluate industry feedback.