DeFi attacker steals $6.7M from 1inch market maker

1inch liquidity provider and market maker TrustedVolumes has fallen victim to an ongoing exploit on the Ethereum network. As of now, approximately $6.7 million has been drained in wrapped assets and stablecoins. 

According to security company Blockaid, the hack took place on May 7, 2026, through which a complex attack was carried out against the resolver contract of the project. The exact amount of tokens drained included WETH, USDT, WBTC, and USDC.

What happened in the TrustedVolumes exploit on-chain?

According to Blockaid’s detection systems, the attack hit TrustedVolumes’ resolver contract at address 0x9bA0CF1588E1DFA905eC948F7FE5104dD40EDa31.

The exploiter wallet 0xC3EBDdEa4f69df717a8f5c89e7cF20C1c0389100 executed the primary transaction.

As earlier stated by Blockaid and confirmed on Etherscan, the $5.87 million in drained tokens consisted of 1,291.16 WETH, 206,282 USDT, 16.939 WBTC, and 1,268,771 USDC.

As of now, TrustedVolumes has confirmed the hack, which now stands at the north of $6.7M from the earlier reported $5.87M. The entity is considering a bug bounty.

PeckShieldAlert further disclosed that the hacker aggregated all drained assets into 2,513 ETH via internal swapping using a custom proxy. 

The vulnerability in question exploited a custom RFQ (request-for-quote) swap proxy controlled by TrustedVolumes at the address 0xeEeEEe53033F7227d488ae83a.

For blockchain analysts, the connection between the two events was easy to make; it appears that the same hacker who pulled off the March 2025 hack on 1inch Fusion V1, netting them around $5 million, is behind this latest attack. 

Blockaid reports that the flaw leveraged in this instance is completely different from the one exploited during the previous incident, targeting the company’s unique RFQ system rather than the Fusion V1 codebase.

As of now, TrustedVolumes has confirmed the hack, which now stands at the north of $6.7M from the earlier reported $5.87M. The entity is considering a bug bounty.

Hackers drained approximately $8.23M from investors in May 2026

The latest breach on TrustedVolumes is the fifth major DeFi breach within just days of May 2026. Security monitoring tools have already detected five major breaches, totaling a loss exceeding $8 million.

The above cases involving Ethereum, cross-chain bridges, and decentralized exchanges now show a disturbing trend: the month of April’s unprecedented $625-$635 million theft in 28-30 attacks. 

On May 1, Sharwa.Finance was reported to be the first victim. Oracle price manipulation in the protocol logic led the attackers to drain $32,850 from the platform. On the same day, Bisq, one of the oldest decentralized peer-to-peer exchange platforms, was attacked using the Bisq V1 client exploit, resulting in a loss of $858,000 in funds.

As reported by Cryptopolitan, one of the project’s contributors, Henrik Jannsen, released a comprehensive plan for reimbursement on GitHub, highlighting the aim of providing a “fast, full reimbursement with as little friction as possible.” In the process, victims will be able to opt for compensation mainly in Bitcoin, with BSQ being the secondary option.

Attacks picked up in the middle of the week. First, on May 4, a flash loan attack on the SmartCredit protocol extracted $72,000 through malicious use of the borrowing mechanism. 

Second, the liquidity-focused Ekubo protocol lost $1.4 million (17 WBTC) due to an improper access-control vulnerability in its router module on May 5. According to on-chain data, the attacker performed 85 fast transactions, funneling the pilfered funds through DeFi platforms connected via Velora before swapping some of it for USDC, DAI, and ETH.

Your bank is using your money. You’re getting the scraps. Watch our free video on becoming your own bank