In May 2026, an attacker leveraged legacy locker contracts on DxSale, a token launch and liquidity-locking service, to siphon approximately $7.3 million from over 1,400 BNB Chain liquidity pools that had been locked since 2021. The incident is part of a broader surge: by the end of May, total crypto-related thefts across decentralized finance (DeFi) platforms had reached a record $854 million, with May alone accounting for more than $52 million in stolen assets, according to the DxSale investigation.
The $7.3 Million Vulnerability in Legacy Lockers
The DxSale attacker focused on legacy lockers that had been transferred to unverified contracts almost a year before the exploit. By manipulating ownership, bypassing fees, and back-dating unlock periods, the perpetrator drained 2,958 BNB — valued at about $1.87 million — into two primary wallets before funneling the funds into several Binance deposit addresses, as reported in the detailed on-chain analysis.
This specific attack vector highlights the risk of abandoned or unverified smart contracts in DeFi. The DxSale platform had not updated these legacy lockers, leaving a window for a single, highly efficient transaction that incurred near-zero fees.
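The three manipulations described above (ownership changes, fee bypass, back-dated unlock times) can be written as invariants checked between periodic snapshots of lock records. The Python monitor below is an added example, not DxSale's code or the investigation's tooling; the record fields, finding names and sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Field names and sample values are constructed for illustration.
@dataclass(frozen=True)
class LockSnapshot:
    lock_id: int
    owner: str             # address allowed to withdraw after unlock
    unlock_time: int       # Unix time at which withdrawal becomes possible
    locker_contract: str   # contract currently holding the LP tokens
    locker_verified: bool  # source published and verified on the explorer
    fee_paid_wei: int      # fee charged by the last state-changing call

def audit_lock_change(before, after, expected_fee_wei):
    """Compare two snapshots of one lock and return invariant violations."""
    findings = []
    if after.unlock_time < before.unlock_time:
        findings.append("UNLOCK_BACKDATED")
    if after.owner.lower() != before.owner.lower():
        findings.append("OWNER_CHANGED")
    moved = after.locker_contract.lower() != before.locker_contract.lower()
    if moved and not after.locker_verified:
        findings.append("MOVED_TO_UNVERIFIED_CONTRACT")
    if after != before and after.fee_paid_wei < expected_fee_wei:
        findings.append("FEE_BYPASSED")
    return findings

def audit_all(before_map, after_map, expected_fee_wei):
    """Audit every known lock; a lock that vanished is itself a finding."""
    report = {}
    for lock_id, before in before_map.items():
        after = after_map.get(lock_id)
        findings = (["LOCK_MISSING"] if after is None
                    else audit_lock_change(before, after, expected_fee_wei))
        if findings:
            report[lock_id] = findings
    return report

def demo():
    fee = 10**17  # constructed expected fee (0.1 BNB in wei)
    old, new = "0x" + "11" * 20, "0x" + "22" * 20      # placeholder contracts
    alice, mallory = "0x" + "aa" * 20, "0x" + "ee" * 20  # placeholder owners
    before = {1: LockSnapshot(1, alice, 1_900_000_000, old, True, fee),
              2: LockSnapshot(2, alice, 1_900_000_000, old, True, fee),
              3: LockSnapshot(3, alice, 1_900_000_000, old, True, fee)}
    after = {1: LockSnapshot(1, mallory, 1_700_000_000, new, False, 0),
             2: before[2]}  # lock 2 untouched, lock 3 no longer present
    return audit_all(before, after, fee)

if __name__ == "__main__":
    print(demo())
```

A legitimate lock extension (later unlock time, fee paid, same owner and contract) produces no findings, so alerts stay limited to changes that weaken the lock.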
How 2,958 BNB Traversed a Custom Draining Contract
On-chain analysis revealed that the attacker employed a custom draining contract to execute the theft in a single transaction, minimizing costs and maximizing efficiency. The funds then moved through multichain.org mixing services to obscure the trail, according to the investigation. This level of sophistication — combining legacy contract knowledge, custom code, and mixing tools — underscores the evolving tactics of DeFi attackers in 2026.
The choice of Binance deposit addresses suggests an intent to convert the stolen crypto into fiat or other assets, though the wallet trail has been partially obscured by the mixing service.
An All-Time High of $854 Million in 2026 DeFi Hacks
The DxSale breach is not an isolated event. By the end of May 2026, total crypto thefts across DeFi platforms had crossed an all-time high of $854 million, according to the report. May alone saw over $52 million stolen, placing 2026 on track to surpass previous years. This trend reflects a persistent security crisis in DeFi, where the proliferation of new protocols and outdated smart contracts creates fertile ground for exploitation.
Comparisons to prior years — such as the $3.8 billion stolen in 2022 — are difficult due to changing asset prices and reporting methods, but the velocity of losses in 2026 is concerning. The DxSale incident is emblematic of a larger pattern: attackers increasingly target inefficiencies in legacy infrastructure.
What the Unverified Contracts Reveal About Platform Risk
The unverified contracts at the heart of the DxSale exploit were transferred to new addresses in 2025, but the original owners or administrators appear not to have updated or audited them. This raises questions about platform due diligence: why were these lockers left unverified for nearly a year? As reported, the attacker exploited loopholes that should have been patched in routine security reviews.
Open questions remain: Who is the attacker, and could they have had insider knowledge of the contract transfer? Are other legacy lockers on DxSale or similar platforms still vulnerable? The investigation did not name a suspect or identify a specific group, leaving the identity of the perpetrator unknown. Additionally, the full extent of the mixing service's role is not yet clear, and no arrests or charges have been reported.