Pond.fun Hack: Insider Attack on Meme Coin Launchpad

Pond.fun, the meme coin launchpad on Linea, has been compromised by its own chief software engineer.

According to an official disclosure by Pond.fun on X, the platform was hacked this morning. Initial evidence, both on-chain and off-chain, suggests involvement from a software engineer on the Pond.fun team. Users have been advised to avoid all interaction with the platform, including its efrogs and croak websites, while ensuring that their Discord and Telegram accounts remain secure.

> 1️⃣ Pond.fun has been hacked this morning. Do not interact with the platform in any capacity. The suspected exploiter is a software developer from the team. As a precaution, the efrogs and croak websites are also at risk, pending…
> — pond.fun (@ponddotfun) March 5, 2025

The hacker managed to steal liquidity from Pond.fun’s smart contract, transferring tokens to Railgun, a privacy protocol enabling transaction shielding on the blockchain. The platform has published a list of mainnet addresses that received and deposited the stolen assets, totaling 64.8 Ethereum (ETH).

In a similar incident, the founder of Infini reaffirmed a 20% bounty and legal immunity for the hacker who returns the stolen funds. Pond.fun has engaged Chainalysis and Elliptic—blockchain analytics firms—to track illicit transactions, preventing the hacker from laundering the funds through Railgun. Stolen funds will face obstacles, as some exchanges require proof of innocence (POI).

The current situation mirrors the Infini hack where an insider with admin rights drained nearly $50 million using Tornado Cash (TORN), marking it as the second-largest loss in February, according to Certik. Also notable, crypto losses reached $1.53 billion in February, driven by exploits at Bybit, Infini, and zkLend, as reported by Certik.