In a shocking development, Pond.fun, the meme coin launchpad hosted on Linea, has suffered a devastating hack, which its own lead software engineer allegedly perpetrated.
The attack, which occurred early on March 5, stole liquidity from Pond.fun’s smart contract. The stolen funds were swiftly transferred to Railgun, a blockchain privacy protocol that obscures transaction trails.
The Pond.fun team confirmed the incident in an official statement on X, urging users to avoid interacting with the website and its affiliated projects, efrogs and croak, until further security assessments are completed.
However, they reassured the community that Discord and Telegram channels remain secure.
Blockchain analytics firms Chainalysis and Elliptic have been hired to track stolen assets and prevent hackers from laundering them through centralized exchanges and other off-ramps.
These firms aim to block any attempts to cash out the stolen assets by leveraging Proof of Innocence (POI) checks, a security measure many major exchanges require under Railgun.
A Software Engineer Turns Against Pond.fun
Initial on-chain and off-chain evidence points directly to Genesis, the lead software engineer of Pond.fun, as the culprit.
Leveraging privileged access to the project’s smart contract infrastructure, Genesis executed a meticulously planned attack by manipulating the contract’s withdrawal functions.
This allowed the developer to drain liquidity pools systematically, swapping the extracted assets for ETH before spreading them across multiple Ethereum wallets.
By fragmenting the funds into smaller amounts, the attacker attempted to evade detection by blockchain analysis tools.
The investigation has so far identified 64.8 ETH being funneled through a network of flagged addresses on Etherscan.
Source: @ponddotfun on X
Transactions were executed in multiple tranches, with one address receiving 4.8 ETH while three others were credited with 20 ETH each—suggesting a premeditated strategy to disperse and obscure the flow of stolen assets.
Once the assets were adequately scattered, they were ultimately deposited into Railgun, a privacy-enhancing blockchain protocol designed to mask transaction histories.
With the Pond.fun website compromised and the stolen funds successfully bridged off Linea, the project’s team is actively collaborating with Linea developers to assess the full scale of the security breach.
Every effort is being made to trace the illicit transactions, and the team has pledged to provide continuous updates as the investigation unfolds.
A Growing Trend: Insider Attacks in Crypto
The Pond.fun exploit follows a disturbing trend of insider-driven crypto thefts. Just days earlier, Infini, a stablecoin neobank, fell victim to a similar scheme.
A developer who had retained admin rights to Infini’s smart contract used them to drain nearly $50 million through Tornado Cash, another blockchain obfuscation tool.
Despite Infini’s efforts to negotiate a return of the funds—offering a 20% bounty and threatening legal action—the assets remain in the hacker’s possession.
These incidents contribute to an alarming rise in crypto-related cybercrime. In February alone, total losses from hacks and exploits reached $1.53 billion, representing a staggering 1,500% increase from January.
The largest attack of the month targeted Bybit, where North Korea’s notorious Lazarus Group orchestrated a $1.4 billion heist — the biggest in crypto history, surpassing even the infamous Ronin Bridge hack of 2022.
With insider threats emerging as a major security concern, crypto projects are under increasing pressure to implement stricter access controls, conduct rigorous security audits, and deploy advanced monitoring systems.
As it stands now, the Pond.fun team has pledged effort, transparency, and commitment to root out the cause of the incident and a coming discussion on how to compensate affected users.
The post Pond.fun Hacked by Insider; Chainalysis and Elliptic Tapped to Block funds’ Withdrawal appeared first on Cryptonews.
