$12M DeFi Exploits, Wallet Update, and New Rules

Aztec Connect, Taiko, and an MEV bot lost over $12 million this week.

Over $12 million was lost in a week of DeFi attacks, while Illinois approved a digital asset transaction tax and the EU advanced tighter identity and cash rules. A wallet app also shipped a major update with UTXO address generation, new trading providers, and clearer transaction tools.

What changed

Security incidents were the biggest headline. The roundup says Aztec Connect was hit twice, with separate drains of about $2.1 million and $2.15 million tied to deprecated bridge components. It also describes a Taiko exploit in which forged message proofs were accepted on Ethereum mainnet, leading to roughly $1.7 million in USDC and ETH losses, plus nearly 2 million TAIKO tokens.

The week also included a large MEV bot incident on Ethereum. According to the report, attackers used fake wrapped assets and liquidity pools to trick the bot into a simulated sandwich trade, then pulled about $7.5 million through permissions already granted to the system.

• Aztec Connect was drained in two separate incidents.
• Taiko’s issue centered on proof verification.
• An MEV bot was fooled by fake liquidity and asset signals.
• Illinois passed a budget that includes a 0.2% digital asset tax.

On policy, Illinois’ Digital Asset Privilege Tax Act would apply a 0.2% levy to crypto activity handled by brokers, exchanges, and custodians serving state customers. The roundup says noncompliance could bring registration problems and felony charges. In the EU, the proposed rules would ban cash payments above €10,000, require identity checks for cash transactions over €3,000, and require checks for crypto transactions of €1,000 or more through regulated providers.

The wallet update, labeled v5.39, added MoonPay Trade, Apple Pay support through Mercuryo on iOS, dynamic address generation for selected UTXO networks, Solana transaction history, and changes to Tangem Pay card controls. Users can also filter providers, rate swap routes, reissue or rename a card, and adjust daily spending limits.

Why it matters

For builders, the incidents show that old contracts and bridge code can still be attacked after a project is marked deprecated. The Taiko case also shows how proof verification remains a high-risk layer for rollups and cross-chain systems, where one bad validation path can turn into direct loss.

For exchanges, custodians, and payment providers, the policy changes point to more identity checks, stricter routing, and higher compliance costs. That can affect how users move funds on and off centralized services, and it may also shape which assets and payment paths remain easy to access.

The wallet update is smaller than the exploits and policy shifts, but it matters because app-level controls now sit closer to the user experience around custody, swaps, and spending. Better address handling and provider controls can reduce friction, yet they also show how fast crypto apps are adapting to compliance pressure.

The key question is no longer whether crypto security and regulation are moving together, but which intermediaries will absorb the cost first.