Main attacker
Confirmed exploit wallet
0xd8010aca201f6113160200b8a521F35BE9f94C24
Evidence guide
This page helps affected Purrlend users organize the information needed to file a police or cybercrime report.
This is not legal advice. It is a community-created evidence guide.
Never submit private keys, seed phrases, passwords, or wallet recovery phrases.
Do not upload ID documents or private personal documents to public Discord/X channels.
Before filing, prepare:
Short version for forms that only allow a brief incident summary.
I am reporting a cryptocurrency cybercrime involving Purrlend, a DeFi lending protocol on HyperEVM and MegaETH. I was a user/liquidity provider and lost approximately USD [INSERT LOSS] when the protocol was exploited on or around April 25, 2026. The reported total loss across users is approximately USD 1.5M. The exploit appears to have involved privileged admin/role-change activity, minting of unbacked aTokens, borrowing against unbacked collateral, and draining protocol markets. The main attacker address is 0xd8010aca201f6113160200b8a521F35BE9f94C24. The stolen funds were initially routed to the holding wallet 0x09CF48BEb67e8Ca3573CBfEb32F03363FFf0cb29 and have since been transferred to a new holding wallet 0x6dbc377c5261225594f7ff7aaf3f691b8fb9685c, which currently holds the stolen funds. The attacker wallet appears to have been funded via Tornado Cash: https://etherscan.io/tx/0xd54c8b9b2e7a2a06ad7236bffbff026b22c045237cfee5c83483324806fa8ef0. I request that a cybercrime report be opened and that I receive a case/reference number for follow-up with exchanges, service providers, KYC providers, and investigators.
Structured version for investigators, exchanges, KYC providers, and cybercrime portals.
Purrlend Exploit Cybercrime Report Summary 1. Incident Overview I am reporting a cryptocurrency cybercrime involving Purrlend, a DeFi lending protocol deployed on HyperEVM and MegaETH. I was a user/liquidity provider of Purrlend and lost funds when the protocol was exploited on or around April 25, 2026. The reported total loss across affected users is approximately USD 1.5 million. My estimated personal loss is approximately: USD [INSERT PERSONAL LOSS] This report is submitted to request that a formal cybercrime case be opened and that a case/reference number be issued for follow-up with exchanges, service providers, KYC providers, and investigators. 2. Summary of Suspected Exploit Method Based on public transaction evidence and community investigation, the exploit appears to have involved: - use of a privileged admin or role-change path; - execution of set_unbacked / mint_unbacked style transactions; - minting of unbacked aTokens; - borrowing against unbacked collateral; - draining of Purrlend protocol markets across HyperEVM and/or MegaETH. This appears to be a privileged-role/admin-path exploit rather than a normal user trading loss. 3. Primary Attacker Wallets Main attacker address: 0xd8010aca201f6113160200b8a521F35BE9f94C24 Current holding wallet (stolen funds): 0x6dbc377c5261225594f7ff7aaf3f691b8fb9685c Etherscan: https://etherscan.io/address/0x6dbc377c5261225594f7ff7aaf3f691b8fb9685c Previous holding wallet: 0x09CF48BEb67e8Ca3573CBfEb32F03363FFf0cb29 Previously reported holding: 652 ETH. Funds have since been transferred to the current holding wallet above. Etherscan: https://etherscan.io/address/0x09CF48BEb67e8Ca3573CBfEb32F03363FFf0cb29 Relevant links: HyperEVM attacker transaction list: https://hyperevmscan.io/txs?a=0xd8010aca201f6113160200b8a521F35BE9f94C24 Example exploit transaction: https://hyperevmscan.io/tx/0xcaf098f607cab97a01d22205ac7471d0511c420061dca8e9bd7945bbb6704594 Ethereum attacker address: https://etherscan.io/address/0xd8010aca201f6113160200b8a521F35BE9f94C24 Attacker wallet funding lead via Tornado Cash: https://etherscan.io/tx/0xd54c8b9b2e7a2a06ad7236bffbff026b22c045237cfee5c83483324806fa8ef0 MegaETH attacker address: https://mega.etherscan.io/address/0xd8010aca201f6113160200b8a521f35be9f94c24 4. Purrlend Safe / Multisig The following Safe / multisig appears relevant to protocol administration: 0x4c2444d88AD61B0842Fba7CCdCb226260eBfA1bc Relevant links: Safe on MegaETH: https://app.safe.global/home?safe=megaeth:0x4c2444d88AD61B0842Fba7CCdCb226260eBfA1bc Safe on HyperEVM: https://app.safe.global/home?safe=hyper-evm:0x4c2444d88AD61B0842Fba7CCdCb226260eBfA1bc Arkham multisig entity: https://intel.arkm.com/explorer/entity/6a04b931-e0e1-4ec5-9c2c-0999742ed76f 5. Signer / Admin Linkage Leads The signer/admin wallets appear linked through funding paths. These links are transaction-based leads and should be independently reviewed by investigators. The current working theory is: - S1 was funded by Binance on Ethereum. - S2, S3, HyperEVM activity, and MegaETH activity appear to have been funded by S1. - These wallets may be relevant to protocol administration, multisig activity, or the exploit path. S1 / Signer 1: 0x7312F0b280f4Bbaa47fC6485809f1C5Cc629d7bB S1 Binance funding transaction: https://etherscan.io/tx/0x3502498c9ddd1407d8c631094c8aa7cb8d9d8bbf0cf6fa8fc3871d6b4055eb54 S2 / Signer 2: 0x2BceF069eAEA664397A28F99b0DE5D4A4f78E23E S2 appears funded by S1: https://hyperevmscan.io/tx/0xb206a9cc2eb81e2d534d34de268cd3b1cf4bd931b6860ac85e949d13c673c88f S3 / Signer 3: 0xB4837962855A1594E7ADe6B87dAA3E8F4a34baeD S3 funded by S1: https://hyperevmscan.io/tx/0x6f566d51e30ddf850bf1bb35e606818fbc42a9295e960b6b4e6a54d7e39dd6ee HyperEVM funded by S1: https://hyperevmscan.io/tx/0xb206a9cc2eb81e2d534d34de268cd3b1cf4bd931b6860ac85e949d13c673c88f MegaETH funded by S1: https://mega.etherscan.io/tx/0x0eb65003f72f7dc38058eb52ba9e9828f305f135dfde6ea5ad1219a75e1b1917 6. Additional Funding Path Leads Campaign Manager Funding Path A related campaign manager wallet appears to have been funded via deBridge. Funding transaction: https://hyperevmscan.io/tx/0xbf8b62f5a36115b91f07d06159af4e497aa1530fff442b2bbefbf86c6cb99844 Origin wallet: 0xbfceedca763d1a88b08b9bf4f2555ca0c25e0eb3 Origin wallet funded by: 0x20044619f284dab78A61c308eb9bedC9d3f591aC Final Binance funding transaction on BSC: https://bscscan.com/tx/0xc1ecdac8799b2ecd37e1f84112d195e31fca02809fa39f01e449235e83ff1ed9 Founder New Wallet Funding Path Founder-linked new wallet: 0x63aB25C168319388d6CF214ED95C05e29f459946 This wallet appears to have been funded by deBridge from the following Solana wallet: BvRnapENboELiVGex6Y9Ge2Jg44wNbk4B5JByRnuRkwc The Solana wallet was reportedly funded by Bybit: https://solscan.io/tx/5jCJXNtbzTpKyLtGv9W9fwQ8JSvV8GPjHJ7n6VALwNowrgZUnmd2h7gcxNfXJrnnBNQdkTqwtqfLuLp4JECWXrEN 7. Community and Supporting Reports Community claim snapshot: https://purrhack.io Purrhack X incident article: https://x.com/PurrHack/status/2050226223683366996?s=20 Hyperlend founder X article: https://x.com/fbsloXBT/status/2049906482808779073?s=20 Chainabuse report: https://chainabuse.com/report/fa7d8097-6474-4d1c-9817-e384dded6445 SEAL 911 has reportedly been contacted by affected users. Relevant wallet addresses have also been submitted to abuse/reporting channels and exchanges for preservation, monitoring, and potential KYC escalation. 8. Requested Action I respectfully request that: 1. a formal cybercrime report be opened; 2. a case/reference number be issued; 3. the listed wallet addresses and transactions be preserved as evidence; 4. exchanges and service providers connected to the funding paths be contacted where appropriate; 5. Binance, Bybit, deBridge, and relevant chain analytics providers be asked to preserve logs, KYC records, and transaction metadata connected to the listed addresses and transactions; 6. affected users be allowed to reference this case number in further reports to exchanges, KYC providers, service providers, and investigators. 9. Key Evidence Table Category | Address / Link Main attacker | 0xd8010aca201f6113160200b8a521F35BE9f94C24 Current holding wallet | 0x6dbc377c5261225594f7ff7aaf3f691b8fb9685c Previous holding wallet | 0x09CF48BEb67e8Ca3573CBfEb32F03363FFf0cb29 Purrlend Safe / multisig | 0x4c2444d88AD61B0842Fba7CCdCb226260eBfA1bc S1 / Signer 1 | 0x7312F0b280f4Bbaa47fC6485809f1C5Cc629d7bB S2 / Signer 2 | 0x2BceF069eAEA664397A28F99b0DE5D4A4f78E23E S3 / Signer 3 | 0xB4837962855A1594E7ADe6B87dAA3E8F4a34baeD Campaign origin wallet | 0xbfceedca763d1a88b08b9bf4f2555ca0c25e0eb3 Campaign upstream funder | 0x20044619f284dab78A61c308eb9bedC9d3f591aC Founder-linked new wallet | 0x63aB25C168319388d6CF214ED95C05e29f459946 Solana funding wallet | BvRnapENboELiVGex6Y9Ge2Jg44wNbk4B5JByRnuRkwc
Signer/admin/founder-related wallets and entities are investigation leads only. They may have been compromised or mislabeled. Do not treat them as confirmed attacker identities.
Confirmed exploit wallet
0xd8010aca201f6113160200b8a521F35BE9f94C24
Current wallet holding the stolen funds. Funds were transferred to this wallet from the previous holding wallet listed below.
0x6dbc377c5261225594f7ff7aaf3f691b8fb9685c
Previously held the stolen funds (reported 652 ETH). Funds have since been transferred to the current holding wallet above.
0x09CF48BEb67e8Ca3573CBfEb32F03363FFf0cb29
Admin / multisig investigation lead
0x4c2444d88AD61B0842Fba7CCdCb226260eBfA1bc
Signer/admin leads. Attribution unconfirmed. These wallets may have been compromised.
0x7312F0b280f4Bbaa47fC6485809f1C5Cc629d7bB
0xB4837962855A1594E7ADe6B87dAA3E8F4a34baeD
0x2BceF069eAEA664397A28F99b0DE5D4A4f78E23E
Public Arkham entity / investigation reference. Attribution and responsibility should be handled by investigators.
Community article describing the hack and evidence references.
Related article for investigators reviewing founder-linked context.
These funding paths are transaction-linkage leads for investigators. They identify wallet funding patterns and possible origination sources, not confirmed personal identity or responsibility.
These are transaction-linkage leads for investigators. They show funding paths between wallets and services, not confirmed personal identity.
S1 was funded by Binance on Ethereum.
0x7312F0b280f4Bbaa47fC6485809f1C5Cc629d7bB
S2 appears funded by S1 on HyperEVM.
0x2BceF069eAEA664397A28F99b0DE5D4A4f78E23E
S3 appears funded by S1 on HyperEVM.
0xB4837962855A1594E7ADe6B87dAA3E8F4a34baeD
HyperEVM and MegaETH activity appears funded by S1.
Origin wallet and upstream wallet in the funding path.
0xbfceedca763d1a88b08b9bf4f2555ca0c25e0eb3
0x20044619f284dab78A61c308eb9bedC9d3f591aC
New wallet reportedly funded by deBridge from Solana.
0x63aB25C168319388d6CF214ED95C05e29f459946
BvRnapENboELiVGex6Y9Ge2Jg44wNbk4B5JByRnuRkwc
Investigator-ready address list for quick copying and review.
| Category | Address / link |
|---|---|
| Main attacker | 0xd8010aca201f6113160200b8a521F35BE9f94C24 |
| Current holding wallet | 0x6dbc377c5261225594f7ff7aaf3f691b8fb9685c |
| Previous holding wallet | 0x09CF48BEb67e8Ca3573CBfEb32F03363FFf0cb29 |
| Purrlend Safe / multisig | 0x4c2444d88AD61B0842Fba7CCdCb226260eBfA1bc |
| S1 / Signer 1 | 0x7312F0b280f4Bbaa47fC6485809f1C5Cc629d7bB |
| S2 / Signer 2 | 0x2BceF069eAEA664397A28F99b0DE5D4A4f78E23E |
| S3 / Signer 3 | 0xB4837962855A1594E7ADe6B87dAA3E8F4a34baeD |
| Campaign origin wallet | 0xbfceedca763d1a88b08b9bf4f2555ca0c25e0eb3 |
| Campaign upstream funder | 0x20044619f284dab78A61c308eb9bedC9d3f591aC |
| Founder-linked new wallet | 0x63aB25C168319388d6CF214ED95C05e29f459946 |
| Solana funding wallet | BvRnapENboELiVGex6Y9Ge2Jg44wNbk4B5JByRnuRkwc |
Attach if possible:
https://www.dubaipolice.gov.ae/wps/portal/home/services/individualservices/eCrime?lang=en
Use the closest category to cybercrime, online fraud, cryptocurrency theft, or hacking.
You may also use UAE Ministry of Interior eCrime channels, My Safe Society app, nearest police station, or emergency services for urgent situations.
Use if you are US-based, a US person is affected, or funds touched US infrastructure, US exchanges, or USDC/Circle.
File with your local police or cybercrime unit. Use the incident summary above and request a case/reference number.