TL;DR
- Project 0 said attackers hijacked a GitHub account and redirected visitors to a malicious site for 40 minutes, causing at least one $1,000 loss.
- Since Fusaka, Ethereum mainnet activity rose about 30%, new addresses 78%, and USDT dust transfers jumped 612%, pointing to a surge in address poisoning.
- Attackers have generated $79 million in confirmed losses across 17 million attempts, showing how cheap, high-volume fraud is reshaping Ethereum risk today.
Project 0 has joined crypto platforms finding out how exposed front-end risk can be, and the latest domain hijack shows how quickly a trusted interface can become a theft vector. Founder MacBrennan Peet said attackers compromised a team memberās GitHub account and redirected visitors to a wallet-draining website during a 40-minute window between 9:45 p.m. and 10:19 p.m. At least one user lost $1,000 after visiting the spoofed site, and Peet said verified losses will be fully refunded. Vaults and user positions were untouched, but the incident struck a protocol with almost $90 million locked.
From 9:45PM-10:19PM an application team member's github key was compromised. This enabled an attacker to redirect users visiting P0's website to a different website.
Within that 40 minute time frame, we quickly identified the compromise and stopped the redirect. This redirectā¦
— MacBrennan | P0 (@macbrennan_cc) March 13, 2026
Ethereumās cheaper rails are colliding with a bigger fraud problem
When the exploit hit, it landed inside an Ethereum environment already battling a surge in address poisoning, and the bigger alarm is that cheap activity appears to be making fraud easier to scale. Since the Fusaka upgrade in December 2025, Ethereum mainnet activity has risen about 30% and new address creation 78% over 90 days. In that same post-upgrade period, USDT dust transfers jumped from 4.2 million to 29.9 million, while USDC rose from 2.6 million to 14.9 million and DAI from 142,000 to 811,000. Cheaper transactions seem to be lowering the cost of harassment.
That pattern matters because address poisoning is not an edge case anymore, and the attack model now looks industrial rather than opportunistic. One of the biggest losses came in December, when a victim sent a $50 test transaction and later lost $50 million after attackers inserted lookalike wallet activity into the accountās history. Etherscan said just two stablecoin transfers were enough to trigger more than 89 address-watch alert emails. Only about one in 10,000 attempts succeeds, but attackers have already generated $79 million in confirmed losses across 17 million attempts aimed at 1.3 million users.
For Project 0, the breach is a reminder that smart contracts can stay safe while users get hit at the interface layer, and that is why this incident feels larger than a single $1,000 theft. The redirect lasted less than an hour, losses appear limited, and refunds have been promised. Yet the timing is brutal: Ethereumās liquidity-rich ecosystem now holds nearly $60 billion in DeFi value and over $160 billion in stablecoins, making every domain, browser session and transaction-history entry more valuable to attackers than ever. The exploit window was short. The warning was not.
