Cross-Chain Oracle Attack Drains $388K from Ploutos Money

A coordinated attack using malicious oracles compromised the deployments of lending protocol Ploutos Money across five different blockchain networks.

The attack, which occurred on February 26, 2026, resulted in the transfer of $388,000 from Ploutos' accounts on Hemi, Ethereum, Arbitrum, Hyperliquid, and Avalanche.

The attackers exploited vulnerabilities in Ploutos' oracle system, manipulating it to mint unbacked collateral tokens and pull out invalid loans. This allowed them to quickly drain funds from all five chains before security monitors could detect the malicious activity.

Hemi has published a detailed breakdown of the incident on its official blog and has urged affected users to revoke permissions for Ploutos' contracts on their accounts. The protocol's team has gone dark since the attack, with no explanation or communication provided.