Hemi confirms the Ploutos Money exploit on Feb 26, 2026, draining $388K across Hemi, Ethereum, Arbitrum, Hyperliquid, and Avalanche via oracle manipulation.
A DeFi lending protocol just got wiped clean. Ploutos Money lost roughly $388,000 on February 26, 2026, in a coordinated oracle attack that swept across five separate blockchains simultaneously.
Hemi published a full incident breakdown on its official blog at hemi.xyz. The attack hit at approximately 05:00 UTC. By then, funds were already moving off-chain through cross-chain bridges.
Must Read: Trust Wallet Security Hack: How to Safeguard Your Assets
Five Chains Hit. Funds Gone in Minutes.
The attack did not target one chain and stop there. Ploutos deployments on Hemi, Ethereum, Arbitrum, Hyperliquid, and Avalanche were all compromised. Every chain. Every deployment.
Attackers pushed through two primary methods. They swapped legitimate oracles for malicious contracts. They also minted unbacked collateral tokens and used those tokens to pull out invalid loans. The combination moved fast and left little behind.
Assets exfiltrated from Hemi crossed out through the Stargate bridge. Funds stolen from Arbitrum, Hyperliquid, and Avalanche all routed through Li.Fi. Both bridges delivered everything to the Ethereum mainnet.
As @hemi_xyz posted on X, on-chain security monitors @CertiK and @BlockSecTeam had flagged the malicious oracle updates in real time. The transactions were visible. The damage was already done.
You Might Also Like: Senator Raises Concerns Over $1.7B in Alleged Binance Transfers
Ploutos Went Dark. No Explanation Given.
After the exploit, Ploutos Money’s website, GitHub, and all social feeds went offline. No announcement. No explanation from the team.
A message did surface in the official Ploutos Telegram channel shortly after. Hemi has not confirmed it as verified team communication. Users should not follow any recovery steps from that message until independent security firms and blockchain project teams authenticate it, Hemi warned.
That silence is making things harder for affected users right now.
Ploutos Money had been one of several lending protocols running on Hemi and was previously incentivized through Merkl campaigns. That relationship ends here. The exploited vulnerability sat entirely within the Ploutos deployments.
Hemi stated clearly that the core protocol and all other integrated protocols remain unaffected. An internal investigation is ongoing.
Must Read: Kraken Launches Flexline Crypto-Backed Loans for Pro Traders
Revoke These Permissions Now
Anyone who ever touched Ploutos needs to act. That includes interactions on any of the five chains.
Hemi’s blog and the @hemi_xyz post on X both list twelve contract addresses on Hemi that require immediate permission revocation. Tools like Rabby wallet or web-based revoke platforms can handle this. For Hemi specifically, pure.finance/token-revokes works. Third-party tools cover the other chains.
The full list of Hemi contract addresses requiring revocation:
0xDdc98fF53945e334Ecca339b4DD8847b3769e8f0 0x5E660Deb9F5122bc185681b194a442590BcFcb64 0x87c6f09FA2DFd99717bDEeDf19496970Ca84264d 0x3FaA464dE86ca69863FF0ae029A7A0F0466B8fD9 0xB75a86dEedb9b4c95543D2dD0cc41CB641a28C24 0xA8F2DcaEE054809017FDF6EFbacdD5387a065Bc9 0x9DF7B63fD5295944038E061cb2e4637618227f85 0x682f12e6DD63495E31c24572F9997B3Bc7A99442 0x01d65Ded4C3c4F76Acd5EAE730320eBb4aF0E156 0xa9b9cCE44fe4150e87965bb31FB2b55D009812B1 0x9D7a3590cA6621893bC6B908B8Bce925d9407bB9 0xD6203b39b1e57301fd10CB946436Dda71D933F4D
The broader investigation is still running. Hemi says it will update affected users on next steps as findings develop.
You Might Also Like: Bitcoin Set to Drop to $44K-$35K in 2026, Analyst Warns
Cross-chain oracle attacks of this kind are not new. What stands out here is the speed and the scope. Five chains. One window. $388,000 drained before monitors could do anything but watch.
