White Hat MEV Operator Intercepts Millions in Morpho Labs Hack

White hat MEV operator, c0ffeebabe.eth, successfully intercepted $2.6 million in stolen crypto after a vulnerability was exploited in Morpho Labs’ DeFi protocol.

This was also not the first time that the white hat stepped in to help out a crypto company after an exploit. Meanwhile, a wave of sophisticated cyberattacks, including address poisoning scams and malware hidden in developer tools, is targeting wallets like Atomic and Exodus. These kinds of scams contributed to almost $2 billion in crypto losses in Q1 of 2025. In response to escalating threats and high-profile scams, the Illinois Senate passed a landmark bill to regulate digital asset businesses and boost investor protections.

White Hat Hero Saves $2.6 Million

A well-known white hat maximal extractable value (MEV) operator, “c0ffeebabe.eth,” was able to successfully intercept close to $2.6 million in stolen crypto assets after a vulnerability was exploited in Morpho Labs’ decentralized finance (DeFi) protocol. The exploit happened after Morpho Labs implemented a front-end update on its Morpho Blue application on April 10.

The very next day, a hacker exploited a flaw that was introduced by this update, which led to the loss of funds from a user address. Blockchain security firm PeckShield identified the vulnerability and confirmed that the hacker's transaction was front-run by the white hat MEV actor.

While the funds have since been transferred to another wallet, it is still unclear whether they have been returned to the affected user. In response to the breach, Morpho Labs very quickly reverted the front-end update and confirmed via X that all funds in the protocol remained safe and unaffected. 

The team added that normal operations resumed and assured its users that no further action was necessary on their part. The root cause was identified as a misconfiguration in how certain transactions were crafted, stemming from the front-end changes that were designed to improve transaction flow. Morpho Labs is expected to release a detailed report next week to shed some more light on the incident. 

This was not the first time c0ffeebabe.eth stepped in during a crisis. In July of 2023, the MEV operator recovered roughly $5.4 million worth of Ether by front-running a hacker in the Curve Finance exploit and returned the funds to the deployer address. A similar thing took place during the Blueberry DeFi hack in 2024, where all of the stolen funds were intercepted and returned thanks to the same operator. 

Hackers Target Atomic and Exodus Wallets

Users of Atomic Wallet and Exodus Wallet are also facing a new cybersecurity threat as hackers deploy malicious software packages through online coding repositories to steal private crypto keys. Cybersecurity firm ReversingLabs uncovered the exploit, which involves hiding harmful code in seemingly legitimate npm software packages that are commonly used by developers. Once installed, the malware targets locally stored wallet files, modifying them in a way that alters the user interface to mislead users into unknowingly sending funds to scam addresses.

This incident is part of the broader trend of increasingly sophisticated attacks being launched against the crypto community. Software supply chain attacks are emerging as a major threat vector, and are exploiting trusted development tools to gain access to users' funds. This latest scheme is now part of the growing game of cat-and-mouse between hackers and the crypto industry, with cybercriminals continuously changing their methods to bypass even the most trusted security measures.

The scale of damage from these attacks has been staggering. In the first quarter of 2025 alone, cyber exploits led to almost $2 billion in losses, with the single largest incident being the $1.4 billion Bybit hack in February. A post-mortem from SafeWallet revealed that the attack stemmed from hackers compromising a developer’s machine and hijacking Amazon Web Services session tokens, granting them access to the company’s internal environment.

Summary of hacks and exploits during Q1 2025 (Source: Hacken)

In a separate but equally alarming threat, address poisoning attacks are also becoming more common. Casa’s chief security officer Jameson Lopp recently raised awareness about these scams, which trick victims into sending funds to addresses that closely mimic legitimate ones. 

Hackers craft fake addresses that match the first and last characters of a known address, then send tiny transactions to the target so the fake address appears in their history. If a victim fails to double-check the full address, they may inadvertently transfer funds to the attacker. According to Cyvers, address poisoning alone accounted for $1.2 million in stolen crypto in March of 2025.
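The full-address check described above, as an added example that is not code from Casa, Cyvers or any wallet vendor: it flags dust-sized incoming transfers whose sender imitates the first and last characters of an address-book entry, and classifies a destination before sending. The function names, the 4-character edge, the 0.001 ETH dust threshold and all addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Transfer:
    sender: str        # address that sent funds to the wallet
    value_eth: float   # amount received, in ETH

def _norm(addr):
    # Compare case-insensitively and without the 0x prefix.
    a = addr.lower()
    return a[2:] if a.startswith("0x") else a

def lookalike_of(candidate, address_book, edge=4):
    """Return the known address that `candidate` imitates, or None."""
    c = _norm(candidate)
    for known in address_book:
        k = _norm(known)
        # Same ends, same length, but a different full address.
        if c != k and len(c) == len(k) and c[:edge] == k[:edge] and c[-edge:] == k[-edge:]:
            return known
    return None

def check_recipient(dest, address_book, edge=4):
    """Classify a destination by comparing the full address, not just its ends."""
    if _norm(dest) in {_norm(k) for k in address_book}:
        return "known"
    return "lookalike" if lookalike_of(dest, address_book, edge) else "unknown"

def flag_poisoning(history, address_book, dust_eth=0.001, edge=4):
    """Find dust-sized incoming transfers whose sender imitates a known address."""
    findings = []
    for t in history:
        target = lookalike_of(t.sender, address_book, edge)
        if t.value_eth <= dust_eth and target:
            findings.append((t.sender, target))
    return findings

# Constructed sample data (not real addresses).
KNOWN = "0x1a2b" + "c" * 32 + "9f3e"
LOOKALIKE = "0x1a2b" + "d" * 32 + "9f3e"
UNRELATED = "0x" + "7e" * 20
ADDRESS_BOOK = [KNOWN]
SAMPLE_HISTORY = [Transfer(KNOWN, 1.5), Transfer(LOOKALIKE, 0.0), Transfer(UNRELATED, 0.0001)]

if __name__ == "__main__":
    print(flag_poisoning(SAMPLE_HISTORY, ADDRESS_BOOK))
    print(check_recipient(LOOKALIKE, ADDRESS_BOOK))
```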

Illinois Passes Crypto Fraud Crackdown Bill

Luckily, there are people hard at work to protect the crypto space against these kinds of threats. The Illinois Senate recently passed a new bill that is aimed at cracking down on cryptocurrency fraud and enhancing investor protections. 

On April 10, lawmakers approved Senate Bill 1797, which is also known as the Digital Assets and Consumer Protection Act, by a 39 to 17 vote. It was introduced by Senator Mark Walker in February, and it grants the Illinois Department of Financial and Professional Regulation the authority to oversee digital asset business activity in the state. Any individual or business engaging with Illinois residents in digital asset transactions will be required to register with the department, and crypto service providers must fully disclose all user fees and charges in advance.

Senator Walker believes that there is an urgent need to tackle the growing instances of fraud in the crypto space, and stated that while digital assets present financial opportunities, they have also opened the door to bankruptcy, scams, and misleading practices. The legislation was passed during a wider push across the US to increase regulatory scrutiny, especially after the series of high-profile meme coin failures and insider-led scams that inflicted major losses on retail investors.

In one particularly notorious case, the Libra token, which was allegedly endorsed by Argentine President Javier Milei, collapsed after insiders reportedly withdrew over $107 million in liquidity. The move triggered a 94% crash in token value and erased close to $4 billion in market capitalization.

Another collapse followed the launch of the Wolf of Wall Street-themed token (WOLF) by Hayden Davis, who was also the co-creator of the Libra token and the Official Melania Meme (MELANIA). Over 82% of WOLF’s supply was controlled by a single entity, and the token plummeted by 99% after peaking at a $42 million valuation.

As a result of these kinds of collapses, calls for harsher legal consequences intensified. Argentine lawyer Gregorio Dalbon even requested an Interpol Red Notice for Davis, and warned that his access to vast financial resources poses a serious risk of flight. Anastasija Plotnikova, CEO of blockchain regulatory firm Fideum, pointed out that activities like rug pulls and insider scams are not just unethical but also clearly illegal and should be dealt with by law enforcement. 

Regulatory initiatives similar to the one from Illinois were also filed in New York.