Web3 Wolves in Sheep's Clothing: The Disturbing Rise of Malicious Developers

How do you protect your protocol from rogue developers and mitigate internal threats so your protocol maintains security and trust with you

4 min read
Table of contents
Sneaky Wolf

The Rise of Rogue Developers

In our previous blog post, "The Third Party Problem of Web3" we explored the vulnerabilities DeFi protocols face due to their reliance on external resources. Here, we delve deeper into one of the issues that has become increasingly prevalent in recent months: rogue developers, also known as insider job hacks.

These malicious actors, often disgruntled or financially motivated, infiltrate development teams and exploit their access to wreak havoc. While this phenomenon is not entirely new, recent months have seen a disturbing rise in such attacks. So far, we have documented more than 12 cases in 2024 only.

2024 Key Exploit Examples

Here are some chilling examples from these cases:

  • Holograph (June 13, 2024):  Holograph ****is ****an omni-chain tokenization platform. A malicious actor, turned out to be a former developer in the project, exploited the Holograph Operator contract resulting in a substantial loss of $14.4 million. As a consequence of the exploit, 1 billion additional HLGs were minted by the hacker, causing a drop in the price of HLGs from $0.014 to $0.0064, while the market cap of the token also dropped from $22 million to $10 million (source & source).
  • Hack (May 16, 2024): is a Solana-based memecoin generator that has been enjoying immense success since the beginning of 2024. A disgruntled former employee, "staccoverflow," stole a staggering amount of $300K in a revenge hack, highlighting the potential for significant financial losses from insider threats. (Source)
     ([X post](<>) by Wintermute’s head of research, Igor Igamberdiev, referring to the hack)

  • Cypher Protocol Hack (May 15, 2024): Cypher is a Solana-based cross-margin decentralized exchange, still struggling to recover from its August 2023 hack, in which over $1 million worth of digital assets were lost. One of their developers, named "Hoak", exploited his access to siphon off over $300K from user reimbursement funds over a period of months. This case emphasizes the importance of robust internal controls to prevent developers from abusing their privileges. (Source)
  • Mozaic Hack (March 15, 2024): An AI-Optimized yield and liquidity strategies protocol, running on several different blockchain networks.  A developer with compromised access to a team member's data stole private keys and drained roughly $2 million from their vaults. Mozaic, with the launch of a third vault in sight, was just about to implement new security measures recommended by their security partner, in order to bulletproof both vaults. This incident underscores the critical need for secure data storage and access management practices. As stated by Mozaic in their announcement on X, they were alerted to the exploit by their monitoring service as well as by other security firms. Unfortunately, by the time action was taken the funds had already been lost. (Source & Source)
  • Munchables Hack (March 26, 2024): Exploiting admin privileges to steal over 17,000 ETH. Munchables is an NFT-based GameFi application built on the Blast platform. ****The project hired four developers who turned out to be the same person. This individual abused his admin privileges by upgrading the Munchables lock contract, and assigning themselves a fake balance of 1 million Ether before withdrawing the stolen funds, $62.45 million in Ether total. This highlights the importance of due diligence, restricting admin access and implementing proper security programs. (Source)
  • TICKER Hack (March 16, 2024): TICKER is a token deployed on Base. In this heist, a developer named Jolan was entrusted with distributing airdropped tokens from the project's presale, which raised $3.19 million. Jolan abused his access by selling off 13% (of the 14% he received) of the total supply for $900,000, leaving investors with nothing. This exemplifies the dangers of misplaced trust within development teams. (Source)

TICKER’S initial announcement on X admitting the involvements of an inside worker of the presale money loss.

These are merely a few examples from the past months. It is true that this is a new increasing trend, however delving further into the past, encompassing 2023, 2022, and earlier, one can uncover additional instances.

How Does This Happen?

The culprit often lies in rushed hiring practices. Project owners, eager to capitalize on innovative ideas, might overlook crucial background checks and verification processes. In April 2022, a tweet described interviewing a potential North Korean hacker. Our team at spherex has also encountered an inside job hack. During the course of investigating a hack that occurred at the beginning of 2024, we discovered that the attackers were, in fact, two developers associated with the project, whose true identity as North Korean hackers remained undisclosed until that moment.

Protecting Your Protocol

Here's how to fortify your defenses against malicious insiders:

  • Be Vigilant During Hiring: Thoroughly vet candidates. Check their references, conduct video calls with cameras turned on, and prioritize experience and reputation.
  • Implement Thorough Code Reviews and Audits:  Conduct frequent and thorough code audits by independent, reputable firms to identify and mitigate vulnerabilities. In addition,  ensure that all code changes are reviewed by multiple developers to catch potential issues early. Keep in mind that it is not an easy task to make sure that every single code change in being reviewed and audited.
  • Activity Logs: Maintain detailed logs of all developer activities and regularly review them for any suspicious behavior.
  • Enforce Access Controls and Permissions: Implement strict role-based access controls to limit what actions each developer can perform. Ensure that developers only have access to the information and resources necessary for their roles.
  • Bug Bounty Programs: Implement bug bounty programs to incentivize the community to identify and report vulnerabilities.
  • Embrace Security Solutions: Look for real-time protection tools that can identify and stop malicious transactions before they cause damage. In the horror scenario where the  above points did not prevent rouge developers from penetrating your project, such security tools will be a crucial help. SphereXProtect is the only on-chain security solution which automatically detects and reverts suspicious transactions before they are finalized, while maintaining the contract’s continuity.
  • Most protocols currently lack adequate security solutions. Audit, which is considered a prevalent solution, lacks by being static. It cannot anticipate changes applied to the protocol once the contracts are deployed and mitigate them.  It can only identify issues present in the code before the audit is conducted. Rogue developers, however, have ongoing access to the project's code and can introduce vulnerabilities after the audit is completed without detection.
  • A monitoring service, another common solution, enjoy dynamism and the ability to alert on a suspicious activity once it is detected, however these alerts are for most “too little, too late”. The measures that can be taken in response to such alerts are highly limited, bear significant consequences for the protocol, and in most cases, are insufficient to prevent the theft of funds.


In the rapidly evolving world of Web3, protecting your protocol from rogue developers is essential for maintaining security and trust. Key takeaways from this post include the importance of double checking who you hire to join your project, thorough and regular code reviews, robust governance models, strict access controls, and embracing real-time protection solutions. By implementing these measures, you can significantly reduce the risk of insider attacks and safeguard your DeFi protocol's future.  By staying informed and regularly updating security practices, you can mitigate internal threats and ensure a secure environment for your users.

About the author

Chen Galed
Data Scientist

Chen has a Ms.c in Software and Information Systems Engineering from Ben Gurion University. She worked for several years as a data scientist and researcher in projects, both in the cyber and financial industries, before joining spherex’s research team.

Continue your reading with these value-packed posts
Go back to blog