Two major attacks that occurred in January 2026 share common characteristics. There is strong reason to believe they were carried out by the same threat actor.

What connects the Aperture and 0xswapnet hacks

04.02.2026


In late January 2026, the decentralized finance (DeFi) ecosystem was hit by a series of linked attacks targeting two crypto projects — Aperture Finance and 0xswapnet. While the protocols served different purposes and catered to different user segments, both were compromised for the same underlying reason. GetBlock AML Research explains why both projects lost funds.

At the core of the attacks was a critical architectural flaw related to the improper handling of so-called unlimited token approvals. On-chain analysis of the stolen funds revealed a well-structured laundering operation and a direct connection to a known threat actor previously involved in attacks on the Li.Fi protocol.

How the attack worked

The exploit was made possible by an arbitrary call vulnerability. In simple terms, the attackers found a way to make a smart contract execute instructions it was never designed to perform, including calls to token contracts on behalf of the users who had approved it.


What “unlimited token approval” means — in plain English

When a user connects their wallet to a DeFi application, they are typically asked to approve token usage.

In most cases, there are two options:

  • approve a limited amount, or
  • approve unlimited usage — commonly referred to as an unlimited approval.

This is similar to either:

  • lending someone exactly $1,000, or
  • handing them your debit card with no spending limit, trusting they’ll only take what’s necessary.

Across DeFi, users often leave these unlimited approvals active for years, unaware of the risk. The attackers exploited exactly this behavior.

How funds were stolen

By abusing the vulnerability in the contract logic, the attackers were able to:

  • execute calls that appeared legitimate on the surface,
  • but that in reality triggered unauthorized token transfers from user wallets,
  • without compromising the wallets themselves.

Any user who had previously granted unlimited approval to the affected protocols was at risk. Their balances were drained directly to attacker-controlled addresses.
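The risk described in the two sections above comes down to standing allowances: an approval granted once stays valid until it is overwritten. The following script is an added example, not from the article or GetBlock's tooling. It decodes ERC-20 Approval event logs (the shape eth_getLogs returns), keeps the newest allowance per token/owner/spender, flags the unlimited ones and builds the approve(spender, 0) calldata that revokes them. All addresses and the log history are constructed placeholders; the Approval topic hash and the approve selector are the standard ERC-20 values.

```javascript
// Added example (not from the article or GetBlock's tooling): audit ERC-20
// Approval event logs for standing unlimited allowances and build the
// calldata a user would send to revoke one. Log objects mirror the shape
// eth_getLogs returns (address, topics, data, blockNumber); the sample set
// below is constructed so the script runs offline.

// keccak256("Approval(address,address,uint256)"), the standard ERC-20 event topic
const APPROVAL_TOPIC =
  "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925";
const UINT256_MAX = (1n << 256n) - 1n; // what wallets display as "unlimited"

// Constructed placeholder addresses, not real contracts or wallets
const TOKEN = "0x" + "11".repeat(20);
const ALICE = "0x" + "aa".repeat(20);
const BOB = "0x" + "bb".repeat(20);
const ROUTER = "0x" + "cc".repeat(20); // a dapp contract that asks for approvals
const DAPP_B = "0x" + "dd".repeat(20);

// ABI helpers: indexed addresses and uint256 values are 32-byte words
const pad32Addr = (a) => "0x" + a.slice(2).toLowerCase().padStart(64, "0");
const encUint = (v) => "0x" + v.toString(16).padStart(64, "0");
const approvalLog = (owner, spender, value, blockNumber) => ({
  address: TOKEN,
  topics: [APPROVAL_TOPIC, pad32Addr(owner), pad32Addr(spender)],
  data: encUint(value),
  blockNumber,
});

// Constructed history: Alice once granted ROUTER an unlimited allowance and
// later revoked it; Bob's unlimited allowance is still standing.
const SAMPLE_LOGS = [
  approvalLog(ALICE, ROUTER, UINT256_MAX, 100),
  approvalLog(ALICE, DAPP_B, 5_000n * 10n ** 6n, 101), // 5,000 tokens at 6 decimals
  approvalLog(ALICE, ROUTER, 0n, 102),
  approvalLog(BOB, ROUTER, UINT256_MAX, 103),
];

function decodeApproval(log) {
  if (log.topics.length !== 3 || log.topics[0] !== APPROVAL_TOPIC) return null;
  return {
    token: log.address.toLowerCase(),
    owner: "0x" + log.topics[1].slice(-40),
    spender: "0x" + log.topics[2].slice(-40),
    value: BigInt(log.data),
    blockNumber: log.blockNumber,
  };
}

// approve() overwrites the allowance, so the newest Approval per
// (token, owner, spender) is the standing one. Spending part of an allowance
// does not always emit Approval, so confirm with allowance() before acting.
function currentAllowances(logs) {
  const latest = new Map();
  for (const log of logs) {
    const a = decodeApproval(log);
    if (!a) continue;
    const key = `${a.token}|${a.owner}|${a.spender}`;
    const prev = latest.get(key);
    if (!prev || a.blockNumber >= prev.blockNumber) latest.set(key, a);
  }
  return [...latest.values()];
}

// Calldata for approve(spender, 0): selector 0x095ea7b3 + two 32-byte words
function revokeCalldata(spender) {
  return "0x095ea7b3" + pad32Addr(spender).slice(2) + "0".repeat(64);
}

// Heuristic: any allowance above 2^128 exceeds every plausible token supply
// and is treated as unlimited, not only the exact uint256 maximum.
function riskyAllowances(logs, threshold = 1n << 128n) {
  return currentAllowances(logs)
    .filter((a) => a.value >= threshold)
    .map((a) => ({
      ...a,
      exactMax: a.value === UINT256_MAX,
      revokeTx: { to: a.token, data: revokeCalldata(a.spender) },
    }));
}

for (const r of riskyAllowances(SAMPLE_LOGS)) {
  console.log(`${r.owner} -> ${r.spender} on ${r.token}: unlimited; revoke with`, r.revokeTx);
}
```

The output lists only Bob's allowance: Alice's later approve(ROUTER, 0) overrides her earlier unlimited grant. The revoke transaction is sent to the token contract, not to the spender, which is the detail users most often get wrong when cleaning up old approvals.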


Tracking the stolen funds on-chain

Transaction analysis made it possible to reconstruct the primary flow of funds, starting from a key attacker address on Base, an Ethereum-compatible blockchain network.

Primary attacker address (Base): 0x6cAad74121bF602e71386505A4687f310e0D833e

Stolen funds flow graph

The Aperture Finance and 0xswapnet hack — step by step

Phase 1: Aggregation and conversion of stolen assets

In total, the attacker extracted approximately $13 million across multiple crypto assets.

What happened next:

Roughly $3 million in USDC remained on the original Base address. This was likely due to concerns that stablecoins could be:

  • frozen,
  • easily traced,
  • or flagged due to their transparency.

All other tokens were quickly swapped into ETH, a more liquid and operationally flexible asset.

As a result, around 540 ETH accumulated on the primary address, serving as the launch point for the next stage.


Phase 2: Cross-chain laundering

To further obscure the trail, the attacker employed a professional laundering strategy typical of experienced hacking groups. Funds were bridged from Base to Ethereum mainnet using high-throughput cross-chain bridges — services that allow assets to move between different blockchains.

In simple terms, this is similar to routing money through multiple payment networks across different banks.

Once on Ethereum mainnet:

  • ETH was distributed across numerous newly created, previously inactive wallets.
  • These wallets currently remain dormant, holding large balances without further activity.

An interesting side effect: due to the sizable balances, these addresses became targets of address poisoning attacks, where unrelated scammers send small transfers in an attempt to trick owners into sending funds to the wrong address later.
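Phases 1 and 2 above are what an analyst reconstructs by walking outflows from the seed address: swaps recorded but not expanded (a router's outflows mix many users' funds), bridge deposits tied to their release leg on the other chain, and the fan-out into fresh wallets that then sit idle. The script below is an added example, not GetBlock's tooling, that does this over constructed transfer records. Every address, the LABELS map and the amounts are placeholders (the amounts loosely mirror the figures in the text); a real run would pull the records from an indexer and link bridge legs via the bridge's own message identifiers rather than the ref field assumed here.

```javascript
// Added example (not GetBlock's tooling): a small fund-flow tracer over
// constructed transfer records, following the outline of Phases 1 and 2.
// A real run would pull transfers from an indexer; here they are embedded so
// the script runs offline, with amounts loosely mirroring the article's figures.

// Constructed placeholder addresses
const SEED = "0x" + "5eed".repeat(10);     // the exploit address on Base
const DEX = "0x" + "de".repeat(20);        // swap router used to convert tokens to ETH
const BRIDGE_SRC = "0x" + "b0".repeat(20); // bridge contract on Base
const BRIDGE_DST = "0x" + "b1".repeat(20); // bridge contract on Ethereum mainnet
const HUB = "0x" + "c0".repeat(20);        // receiving wallet on mainnet
const VICTIMS = ["f1", "f2", "f3"].map((h) => "0x" + h.repeat(20));
const WALLETS = ["e1", "e2", "e3"].map((h) => "0x" + h.repeat(20)); // fresh mainnet wallets

// Service contracts are labelled so the tracer does not wander into other
// users' funds; the two legs of a bridge transfer share an assumed ref.
const LABELS = { [DEX]: "dex", [BRIDGE_SRC]: "bridge", [BRIDGE_DST]: "bridge" };

// Constructed transfers: { from, to, asset, amount, chain, ref? }, whole units
const TRANSFERS = [
  { from: VICTIMS[0], to: SEED, asset: "USDC", amount: 3_000_000n, chain: "base" },
  { from: VICTIMS[1], to: SEED, asset: "TOKENX", amount: 1_000_000n, chain: "base" },
  { from: VICTIMS[2], to: SEED, asset: "ETH", amount: 100n, chain: "base" },
  { from: SEED, to: DEX, asset: "TOKENX", amount: 1_000_000n, chain: "base" }, // swap leg out
  { from: DEX, to: SEED, asset: "ETH", amount: 440n, chain: "base" },          // swap leg back
  { from: SEED, to: BRIDGE_SRC, asset: "ETH", amount: 540n, chain: "base", ref: "br-1" },
  { from: BRIDGE_DST, to: HUB, asset: "ETH", amount: 539n, chain: "ethereum", ref: "br-1" },
  { from: HUB, to: WALLETS[0], asset: "ETH", amount: 180n, chain: "ethereum" },
  { from: HUB, to: WALLETS[1], asset: "ETH", amount: 180n, chain: "ethereum" },
  { from: HUB, to: WALLETS[2], asset: "ETH", amount: 179n, chain: "ethereum" },
];

const outgoing = (addr, transfers) => transfers.filter((t) => t.from === addr);

// Breadth-first walk of outflows from a seed address. Swaps are recorded but
// not expanded; bridge deposits are followed to their release leg on the other chain.
function traceFrom(seed, transfers, maxDepth = 6) {
  const hops = [];
  const visited = new Set([seed]);
  let frontier = [seed];
  for (let depth = 1; depth <= maxDepth && frontier.length > 0; depth++) {
    const next = [];
    for (const addr of frontier) {
      for (const t of outgoing(addr, transfers)) {
        let kind = "transfer";
        let dest = t.to;
        if (LABELS[t.to] === "dex") {
          kind = "swap";
          dest = null; // proceeds come back to the sender; nothing to follow
        } else if (LABELS[t.to] === "bridge") {
          kind = "bridge";
          const release = transfers.find(
            (r) => t.ref && r.ref === t.ref && r !== t && LABELS[r.from] === "bridge"
          );
          dest = release ? release.to : null; // null: release leg not found
        }
        hops.push({ depth, from: addr, to: t.to, dest, kind, asset: t.asset, amount: t.amount, chain: t.chain });
        if (dest && !visited.has(dest)) {
          visited.add(dest);
          next.push(dest);
        }
      }
    }
    frontier = next;
  }
  return { hops, reached: [...visited] };
}

// Net position of an address per asset (inflows minus outflows)
function balances(addr, transfers) {
  const b = {};
  for (const t of transfers) {
    if (t.to === addr) b[t.asset] = (b[t.asset] ?? 0n) + t.amount;
    if (t.from === addr) b[t.asset] = (b[t.asset] ?? 0n) - t.amount;
  }
  return b;
}

// Reached wallets with no outflows at all: the parked endpoints worth watching
function dormantEndpoints(trace, transfers, asset = "ETH") {
  return trace.reached
    .filter((a) => !LABELS[a] && outgoing(a, transfers).length === 0)
    .map((a) => ({ address: a, held: balances(a, transfers)[asset] ?? 0n }));
}

const trace = traceFrom(SEED, TRANSFERS);
console.log("retained at seed:", balances(SEED, TRANSFERS));
for (const h of trace.hops) {
  console.log(`depth ${h.depth} ${h.kind}: ${h.from} -> ${h.dest ?? h.to} ${h.amount} ${h.asset}`);
}
console.log("dormant endpoints:", dormantEndpoints(trace, TRANSFERS));
```

On this data the seed keeps its USDC and ends with zero ETH and zero TOKENX, the bridge hop resolves to the mainnet hub, and the three fresh wallets come out as dormant endpoints holding the bridged ETH. Those endpoints are the addresses to put on a watchlist, since any later outflow from them is the next laundering step.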

Secondary attack phase and links to previous exploits

Several hours after the initial exploit, a second wave of activity was observed, this time involving Aperture Finance only.

The secondary attacker held funds at the following addresses:
0xe3E73f1E6acE2B27891D41369919e8F57129e8eA
0x5FF8645BbC6c8B4390aA228A3e8bf08240F333b4

Connection to earlier attacks

These addresses have previously appeared in exploits involving Li.Fi and Jumper Exchange.

This strongly suggests the incidents were not isolated or opportunistic. Instead, they point to a single, experienced threat group specializing in vulnerabilities related to unlimited token approvals.
