Privacy-preserving crypto protocol Umbra has pulled its front-end hosting offline in a bid to complicate misuse by hackers who have been moving funds from recent high-profile breaches. The move comes as Umbra disclosed that roughly $800,000 worth of stolen funds were routed through its protocol, a signal that attackers continue to exploit cross-chain bridges and related services despite ongoing security efforts.

In a post on X, Umbra said it had transitioned the hosted front end into maintenance mode and would bring it back online only when it can be done without disrupting recovery efforts. The team stressed that the decision was a precaution aimed at safeguarding the recovery process while acknowledging that the open-source nature of its front end means other implementations could still be used by malicious actors.

Key takeaways

• Umbra paused its hosted front end to hinder attacker use, citing approximately $800,000 in stolen funds moved through its protocol.
• The development follows a high-profile sequence of exploits, including the Kelp protocol breach that netted around $280 million, with investigators suspecting North Korean actors were involved.
• Despite the suspension, Umbra emphasized that on-chain activity and self-hosted or locally deployed interfaces remain possible, underscoring the limits of front-end restrictions.
• Analysts and commentators warn that front-end freezes alone may not satisfy regulators or prosecutors who view interface changes as indicative of broader control over a protocol.
• Ambiguity persists about how to balance privacy objectives with anti-fraud and sanctions enforcement in decentralized systems.

Umbra’s action in a shifting security landscape

Umbra’s decision to take its front end offline highlights a growing debate about defensible responses when breaches spill over into the tooling that users rely on most. The targeted move aims to reduce the surface area hackers can exploit for money movement tied to the latest breaches, according to Umbra’s statement. The project noted that the protocol “protects the identity of the receiver, not the sender,” a distinction it says does not assist hackers trying to conceal fund trails. It also stressed that every stolen fund routed through its contracts can be identified, and that it has been collaborating with security researchers involved in the investigation.

In parallel, security researchers and industry observers have repeatedly warned that the tokenized services bridging assets across networks remain a common vector for theft. The Kelp breach, which saw illicit gains reach hundreds of millions of dollars, has intensified scrutiny of cross-chain activity and the ways in which attackers pivot across networks to move funds. PeckShield and other monitoring outfits have flagged Umbra as a target of interest for opportunistic attackers attempting to bridge stolen Ether into Bitcoin and other assets, underscoring the ongoing liquidity risk within the bridge ecosystem.

The front end debate: is a UI pause enough?

Roman Storm, a co-founder of the crypto mixer Tornado Cash, has argued that a temporary freeze on the front end may not be sufficient to placate authorities or deter illicit use. Storm’s comments reference his own legal battles over sanctions-related charges, where prosecutors characterized control over a protocol as equivalent to controlling its operations. He has argued that limiting user interfaces may be read as exerting influence over a broader system, raising questions about what constitutes meaningful control in decentralized architectures.

Umbra’s own note touched on this tension, noting that the protocol’s core remains usable through smart contracts and, in many cases, through self-hosted front ends. The company asserted that even if the hosted front end goes offline, attackers could still access the open-source components if they choose to deploy their own interfaces or use local deployments. The broader implication is that while operators can reduce risk through UI changes, the core protocol’s code and governance remain the ultimate locus of control—and the primary determinant of how funds move once a user interacts with the protocol on-chain.

Privacy versus enforcement: what changes for users and investigators?

Umbra’s framing of its front-end pause as a protective measure for recovery efforts reflects a nuanced approach to privacy-preserving design. The project reiterated that its technology is intended to protect recipient anonymity, rather than to obscure the sender’s trail. In practice, this means that investigators and security researchers can, with cooperation and the right tools, trace flows of stolen funds even when they pass through privacy-centric constructs. Umbra’s statement that all stolen funds can be identified when appropriate signals and data are available is consistent with ongoing industry norms that seek a balance between user privacy and fraud prevention.

For investors and builders, the incident reinforces a persistent theme in crypto: even advanced privacy protocols operate within a broader ecosystem where law enforcement, sanctions regimes, and compliance expectations shape what is feasible in practice. The ongoing sanctions regime targeting North Korean cyber actors adds a layer of regulatory risk to the activity around cross-chain platforms and mixers, as authorities increasingly couple enforcement actions with industry-wide stances against funding networks linked to sanctioned entities.

What to watch next

As recovery efforts continue, observers will be watching for updates on when and how Umbra will restore front-end access without compromising investigators’ ability to trace and recover funds. The episode also raises questions about the durability of privacy-first designs in the face of coordinated enforcement and incident response. Other protocols with similar privacy-centric aims may reassess their own front-end exposure, governance processes, and incident-response playbooks in light of Umbra’s experience.

In the near term, market participants should monitor whether other bridges and privacy-focused contracts adjust their public interfaces or deploy additional mitigations to reduce exploit risk. Regulators and prosecutors will likely keep a close eye on how developers balance user privacy with the need to curb illicit finance, particularly as high-profile attacks continue to test the resilience of cross-chain ecosystems.

Ultimately, the event underscores a core dynamic in the crypto security landscape: improvements in on-chain privacy and usability must be matched by robust off-chain collaboration, transparent communications, and adaptable incident response plans if communities are to navigate the evolving threat environment without stifling innovation.

readers should stay tuned for further disclosures from Umbra and for subsequent analyses from security researchers detailing how such vulnerabilities are being addressed and what this portends for the broader privacy-centric segment of DeFi.

Another day, another exploit. The security crisis in blockchain-based decentralized finance (DeFi), once touted as a challenger to legacy infrastructure, is only getting worse.

The latest victim is Volo Protocol, a platform built on the Sui blockchain, where users deposit assets into yield-generating “vaults,” which function as pooled investments. Deposited tokens such as bitcoin, stablecoins and tokenized assets are deployed using various onchain strategies to generate returns.

Early Wednesday, the protocol confirmed a security breach that drained a total of roughly $3.5 million in digital assets from three of the vaults. Assets locked in other vaults were not affected, it said in a post on X.

“The ~$28M in TVL across all other Volo vaults is safe. The exploit was isolated to 3 specific vaults, and we have confirmed no shared attack vector exists with the remaining vaults,” the protocol said, adding that it is “prepared to absorb” the financial loss rather than pass it on to users.

The attack hit vaults holding wrapped bitcoin (WBTC), Matridock’s tokenized gold token, XAUm, and the dollar-pegged stablecoin USDC. In response, the protocol froze all vaults and began working with the Sui Foundation and onchain investigators to contain the damage and trace funds.

Since the incident, Volo has “frozen” $500,000 in assets through coordination with ecosystem partners, meaning those funds have been immobilized onchain to prevent any movement or withdrawal. Still, the majority of the stolen funds remain under investigation.

Growing unease

The breach adds to growing unease across decentralized finance, where a string of exploits has raised questions about smart contract security and protocol oversight. The timing is particularly sensitive, coming just days after the weekend’s KelpDAO exploit, in which an attacker drained millions by artificially minting unbacked liquid restaking tokens, rsETH.

The aftermath has rippled across the DeFi, triggering collateral damage in multiple protocols, including leading lending platform Aave, where users rushed to withdraw funds because of the heightened uncertainty.

To date, decentralized finance has suffered roughly $7.78 billion in hacks, according to data from DeFiLlama. Bridge protocols — which enable the transfer of assets across blockchains — account for another $2.90 billion in losses. Combined, the figure exceeds $10 billion, roughly equivalent to the market capitalization of cryptocurrencies ranked between 10th and 15th globally.

Volo says it will publish a full post-mortem once its investigation is complete and remediation steps are finalized.

But for DeFi users and investors, a broader pattern is becoming harder to ignore: while institutional adoption is accelerating, relatively little of that capital appears to be flowing into improving security, with exploits continuing to arrive in clusters.

Read more: The $13 billion DeFi wipeout in two days, and it started with KelpDAO attack

TLDR

• Justin Sun, founder of Tron, initiated legal proceedings against World Liberty Financial in California’s federal court system
• The lawsuit alleges WLFI improperly froze Sun’s token holdings, stripped voting privileges, and issued threats to destroy his assets
• Sun attempted private resolution before pursuing litigation
• A new governance measure would permanently lock tokens of holders who don’t consent to new terms
• Sun maintains his support for President Trump’s cryptocurrency initiatives despite the legal conflict

Justin Sun, the blockchain entrepreneur behind Tron, has initiated legal proceedings against World Liberty Financial—a cryptocurrency venture supported by the Trump family—in California’s federal court.

According to Sun’s complaint, the World Liberty Financial team improperly locked his token holdings, eliminated his governance voting capabilities, and issued threats to permanently destroy his investment without providing adequate justification.

Sun maintains he pursued private negotiation channels before resorting to legal action. When the WLFI management refused to restore access to his frozen assets, he determined that litigation was his only remaining recourse.

Previously recognized as World Liberty Financial’s most significant external investor, Sun has now emerged as the project’s most outspoken detractor.

On April 12th, Sun made public allegations that WLFI developers had secretly incorporated a blacklist mechanism within the project’s smart contract infrastructure. This hidden functionality, he asserts, grants the development team authority to freeze, limit, and essentially seize investor assets.

World Liberty Financial addressed these accusations on their social channels, dismissing them as “baseless allegations” and portraying Sun as someone “playing the victim.” The organization suggested imminent legal proceedings with the statement: “See you in court pal.”

The Governance Dispute

The situation intensified following World Liberty‘s April 15th release of a governance resolution. This measure proposes converting more than 62 billion WLFI tokens from unlimited lockup periods into predetermined vesting timelines.

The resolution establishes that founders, development personnel, and advisors would face a two-year token freeze, followed by incremental distribution across three additional years. Additionally, a 10% token destruction would occur upon proposal approval.

Investors declining to accept these revised conditions would see their holdings locked permanently under the current framework.

Sun characterized the resolution as “one of the most absurd governance scams” he’s encountered. He contends it masquerades as a governance initiative while actually functioning as an investor trap for those who don’t actively participate.

Due to his frozen token status, Sun reports he’s completely unable to participate in the voting process—neither in support nor opposition.

Sun Still Backs Trump Despite Legal Fight

Sun emphasized through his public statements that this legal action doesn’t represent opposition to President Trump or his administration’s initiatives.

“Unfortunately, certain individuals on the World Liberty project team have been operating the project in a manner that goes against President Trump’s values,” Sun wrote.

Sun reportedly ranks among the top holders of the TRUMP memecoin. This substantial investment secured him access to an exclusive cryptocurrency gala dinner in May 2025, where he received a commemorative watch during the event.

Analytical data from CoinCarp reveals 642,882 holders of the TRUMP memecoin currently exist. More than 91% of total supply concentration resides within the top 10 wallet addresses.

World Liberty Financial has not issued any official statement regarding the lawsuit when approached by journalists.

A senior U.S. military commander has described Bitcoin as a cybersecurity tool with potential use in national defense.

At a Senate Armed Services Committee hearing on Tuesday, Samuel Paparo said Bitcoin’s role goes beyond financial use cases and can support security systems tied to U.S. strategic interests.

“It is a valuable computer science tool, as a power projection,” Paparo said, adding that the network’s proof of work design “imposes more cost” on attackers attempting to interfere with it. 

“Outside of the economic formulation of it, it has got really important computer science applications for cybersecurity.”

The hearing focused on the U.S. military’s posture in the Indo-Pacific, with discussions spanning ongoing conflicts in Ukraine and the Middle East, China’s military activity, and threats linked to North Korea.

Paparo’s remarks follow earlier comments from Jason Lowery, who has argued that proof-of-work networks can be used to secure digital systems in a cyber conflict. He said Bitcoin is often seen only as a monetary system, while its design can also secure “all forms of data, messages, or command signals.”

State-linked cyber operations have increased in recent years, with attacks such as ransomware, phishing, and denial of service targeting infrastructure and financial systems. The Lazarus Group remains one of the most prominent examples, having stolen billions in crypto over the past decade, funds that U.S. officials say have supported North Korea’s nuclear program.

Paparo’s comments came after Tommy Tuberville asked how the U.S. could lead in Bitcoin-related competition, noting that Chinese policy groups are also examining the asset as a strategic tool. Paparo did not directly address policy steps but pointed to Bitcoin’s underlying structure.

“Bitcoin is a reality. It is a peer to peer zero trust transfer of value. Anything that supports all instruments of national power for the United States of America is to the good,” he said.

Concern over reliance on foreign-made mining hardware has also drawn attention in Washington, even as the U.S. holds the largest Bitcoin reserves among nation states and a significant share of global hashrate.

Last month, Bill Cassidy and Cynthia Lummis introduced the Mined in America Act, aimed at expanding domestic production of Bitcoin mining equipment. The proposal also seeks to formalize the Strategic Bitcoin Reserve established under an executive order signed by Donald Trump.

The attacker behind the roughly $290 million Kelp DAO exploit began moving tens of thousands of Ether to newly created blockchain addresses on Tuesday, in what appears to be an effort to start laundering the stolen funds.

The wallet tagged by Arkham as linked to the Kelp DAO exploit moved about 75,700 Ether (ETH) worth roughly $175 million across three transactions on Tuesday, including a 25,000 ETH transfer to one newly created address and transfers of 50,700 ETH and 0.7 ETH to another.

Blockchain investigator ZachXBT wrote in a Tuesday Telegram post that addresses tied to the exploit had begun moving funds through THORChain and Umbra. He flagged three THORChain transactions totaling about $1.5 million and a separate $78,000 transfer through Umbra.

On Saturday, an attacker drained about 116,500 restaked Ether (rsETH), worth roughly $290 million to $293 million at the time, from Kelp DAO’s LayerZero-powered rsETH bridge.

LayerZero said Kelp DAO’s 1/1 decentralized verifier network (DVN) setup created a single point of failure by relying on a single verifier path for cross-chain messages. LayerZero said it had previously advised against that configuration.

Fallout spreads across DeFi

The transfers came hours after Arbitrum said its 12-member security council had taken emergency action to freeze 30,766 ETH tied to the exploit and move the funds into an “intermediary frozen wallet” accessible only through Arbitrum governance.

The exploit also hit other DeFi protocols, including Aave, where the attacker used the stolen funds as collateral to borrow against the protocol. Early estimates put the hole at about $195 million, but Aave’s Monday incident report later outlined two potential outcomes: roughly $123.7 million in bad debt under one scenario and about $230.1 million under another.

The transfers suggest the attackers had begun moving funds through non-custodial protocols that can complicate tracing and recovery. THORChain does not require traditional Know Your Customer checks.

During the $1.4 billion Bybit hack in 2025, attackers converted about 83% of the stolen Ether into Bitcoin (BTC), with 72% of the funds moving through THORChain, according to Bybit CEO Ben Zhou. Zhou said at the time that 77% of the stolen funds were still traceable.

Related: ZachXBT asks MemeCore to explain valuation and token supply

Aave unfreezes Ethereum V3 market as borrow rates spike

On Tuesday, Aave said it had unfrozen Wrapped Ether (WETH) reserves on the Ethereum Core V3 market, enabling users to supply WETH to the V3 lending protocol once again. However, WETH reserves across Ethereum Prime, Arbitrum, Base, Mantle and Linea remain frozen.

Meanwhile, the thinning liquidity saw Aave’s borrowing rates for USDt (USDT) rise from 3% to 14%, marking the highest figures since December 2024, wrote Julio Moreno, the head of research at analytics platform CryptoQuant, in a Monday X post.

Fears over a potential contagion caused significant outflows from Aave, as its total value locked (TVL) fell by about $10 billion since the exploit to $16.4 billion as of Tuesday, DefiLlama data shows.

Magazine: 53 DeFi projects infiltrated, 50M NEO tokens could be ‘given back’: Asia Express