Scams

In March 2026, crypto holder Sillytuna suffered a combined on-chain and physical attack that drained about $24 million in aEthUSDC after an address poisoning scam. The thief rapidly moved the funds into 20.34 million DAI, routed part of the assets to Arbitrum and Hyperliquid, and allegedly aimed to convert them into Monero to hinder tracing. The case, which also involved weapons and kidnapping threats, underscores growing physical risks for large cryptocurrency holders and has prompted a 10% reward offer for any recovered funds.

In May 2023, Norton Healthcare Inc. in Kentucky suffered a cybersecurity breach that allegedly exposed personal information of patients and former patients. Court documents say the company has agreed to a class action settlement, creating an $11,000,000 fund to compensate victims with up to $2,500 each for out-of-pocket losses. The lawsuit claims Norton did not maintain adequate data security or promptly notify affected individuals after discovering the incident.

Google's security teams identified "Coruna", a sophisticated iOS hacking toolkit that compromises iPhones through a zero-click exploit and harvests seed phrases from 18 cryptocurrency apps such as MetaMask, Exodus, Phantom, Trust Wallet and Uniswap. The malware affects devices running iOS 17.2.1 or earlier and abuses previously known espionage exploits, while Apple's iOS 17.3 update released in January 2024 and Lockdown Mode can fully block the attack. Coruna has allegedly been used by both a suspected Russian espionage group and a financially motivated group in China, illustrating a thriving secondary market for high-end cyber tools.

In 2026, the FBI arrested John "Lick" Daghita in the Caribbean on accusations that he diverted $46 million in seized crypto assets from US Marshals Service wallets via his role at Command Services & Support, Inc. Investigations tied his addresses to funds allegedly siphoned in 2024 after he reportedly boasted about the theft to another offender. The case emerges amid broader crypto crime trends, including billions in stolen assets, large exchange hacks and growing threats from malware and operational security failures.

On March 5, 2026, FBI Director Kash Patel announced that John "Lick" Daghita was arrested on Saint Martin in a joint operation with French tactical units over an alleged multimillion-dollar crypto theft. Investigators allege he siphoned more than $46 million in digital assets from wallets managed for the U.S. Marshals Service by Command Services & Support, a firm owned by his father. Blockchain sleuth ZachXBT linked his on-chain activity and Telegram persona after Daghita flaunted about $23 million in wallets during group chats.

On March 5, 2026, Rebound Orthopedics & Neurosurgery agreed to a multi-million dollar class action settlement following a February 2024 security breach that exposed data on 426,536 patients. The deal includes a $2.5 million fund, two years of CyEx Medical Shield Complete and up to $5,000 for documented losses, with claims due by May 28th.

On March 5 2026, Dubai’s Virtual Asset Regulatory Authority issued a market alert against Kucoin Exchange and related entities operating under the Kucoin brand, citing unlicensed virtual asset services offered to Dubai residents. The regulator ordered Kucoin to cease all unauthorized crypto activities in or from Dubai and warned that unlicensed providers could expose consumers to financial and legal risks. Kucoin had previously obtained a MiCAR license in Austria in early 2026, but in February 2026 the Austrian Financial Market Authority barred KuCoin EU from onboarding new business over anti-money laundering compliance breaches.

Google's threat intelligence team reported that a new exploit kit dubbed "Coruna" targets iPhones running iOS 13.0 to 17.2.1 and has been used on fake crypto websites to capture wallet seed phrases. The toolkit, first identified in February 2025, contains multiple iOS exploit chains and was later found on spoofed Chinese financial and exchange sites seeking user funds and sensitive data. Security researchers say the tool may be linked to surveillance customers, while some industry experts dispute claims it originated from US intelligence code.

In an international operation on March 3 and 4, law enforcement agencies led by the FBI and Europol dismantled LeakBase, a cybercrime forum with more than 142,000 registered members and over 215,000 messages. Authorities in 14 countries seized user accounts, payment details and IP logs, issued prevention notices and replaced the site with seizure banners. LeakBase's predecessor Raidforums, which was shut down in 2022, had previously hosted leaked personal data of roughly 272,000 users of Ledger's crypto wallet service.

On Wednesday, Europol said a coalition including Coinbase and Microsoft dismantled key infrastructure of Tycoon 2FA, a phishing‑as‑a‑service platform used to bypass multi‑factor authentication. By mid‑2025, Tycoon 2FA represented 62% of phishing attempts blocked by Microsoft, with more than 30 million malicious emails in a single month, and Coinbase traced blockchain transactions linked to the alleged operator and customers.