A serial hacker is targeting DeFi lending protocols, with approximately $3.5 million stolen so far. In the latest incident, they exploited an oracle misconfiguration in lending platform Ploutos Money, leading to a loss of almost $400,000.
Crypto security firm CertiK noted that the project appears to have deleted its website and social media presence.
#CertiKInsight
— CertiK Alert (@CertiKAlert) February 26, 2026
Earlier this morning @ploutos_money was exploited and lost 187.36 (~$388k) due to an apparent price oracle misconfiguration.https://t.co/FfwBDxF4wB
Since the attack, the Ploutos website and social media accounts have been deleted. pic.twitter.com/TAAwcfzezP
Read more: YieldBlox lending pool hit by $10M hack on Stellar
According to analysis by blockchain auditor BlockSec, Ploutos Money used Chainlink’s bitcoin (BTC)/USD feed as an oracle for USDC price. “The attacker was able to borrow 187 ether (ETH) by posting only eight USDC as collateral,” the post explains.
BlockSec also points to the timing of the exploit, just one block after the misconfiguration was confirmed. While the firm suggests “the attacker closely monitored and acted on the configuration change,” many of the replies to CertiK and BlockSec’s posts suspect insider involvement.
Pseudonymous blockchain investigator Tanuki42 linked the exploiter to at least four other hacks, including two million-dollar losses for Moonwell.
Last week, Moonwell was left with $1.8 million of bad debt when a misconfigured oracle returned a cbETH price of $1.12 instead of approximately $2,200. The code change which caused the loss had been co-authored by Claude Opus 4.6, alongside a Moonwell contributor.
Read more: DeFi, meet Claude: Moonwell’s ‘vibe-coded’ oracle in $1.8M blowup
The (bad) luck of the draw
Also today, in an apparently unconnected attack, Ethereum-based “private ZK lottery,” FOOM CASH, lost $1.6 million when its “broken ZK verifier” was compromised.
According to blockchain security firm QuillAudits, the project lost $1.3 million on Ethereum and $316,000 on Base. The firm’s analysis explains that the project’s use of its ZK verifier was flawed.
In setting two constants to the same value, “anyone can compute it [the verification equation], no secret needed.”
A similar attack affected Veil.Cash, a privacy protocol on Base, last week. However, losses were small at only 4.5 ETH, of which 2 ETH were recovered by white hats Decurity.
Got a tip? Send us an email securely via Protos Leaks. For more informed news and investigations, follow us on X, Bluesky, and Google News, or subscribe to our YouTube channel.
The post DeFi exploiter targets lending protocols with oracle tricks appeared first on Protos.
