Aevo exchange hit as hackers drain legacy wallets

Hackers have siphoned about $2.7 million worth of digital assets from old wallets linked to Aevo, a decentralised options and perpetuals exchange, underscoring persistent security risks tied to legacy infrastructure in the crypto market. The breach did not affect Aevo’s core trading systems or user funds held in active contracts, but it has revived scrutiny of how exchanges manage dormant or transitional wallets long after platform upgrades.

Aevo disclosed that the compromised addresses were associated with earlier versions of its wallet architecture, used before a series of protocol and custody changes. According to statements from the exchange and security specialists who reviewed on-chain data, the attackers exploited private keys tied to those older wallets, enabling unauthorised transfers over several transactions that cumulatively reached roughly $2.7 million at prevailing prices.

The exchange said the breach was detected through abnormal on-chain movements rather than internal system alerts, highlighting how assets left idle on public blockchains can remain exposed even when a platform’s primary infrastructure has been hardened. Aevo moved quickly to flag the addresses, notify analytics firms and begin tracing the stolen funds as they were dispersed across multiple wallets, a common tactic used to complicate recovery efforts.

Founded by former executives of Ribbon Finance, Aevo operates as a high-speed derivatives venue focused on options and perpetual contracts, primarily on Ethereum and layer-two networks. It has gained attention for combining decentralised settlement with an off-chain order book designed to match the performance of centralised exchanges. That hybrid design has drawn sophisticated traders, but it also means the platform has undergone several technical transitions, including wallet migrations, as it scaled.

Security analysts following the incident said the case illustrates a recurring weakness across the industry: assets or keys left behind after migrations can become attractive targets months or even years later. “Legacy wallets are often forgotten once balances drop or systems move on, but from an attacker’s perspective they are low-hanging fruit if key management was weaker at the time,” said one blockchain forensics specialist involved in tracing the Aevo transfers.

Aevo stressed that no user positions, margin accounts or active liquidity pools were touched and that trading continued without interruption. The exchange added that it has begun reimbursing the affected treasury accounts and is reviewing historical wallet practices to ensure no other residual exposure remains. It also said it is working with law enforcement in relevant jurisdictions, although the pseudonymous nature of blockchain transactions makes identification and asset recovery uncertain.

The incident comes amid a broader pattern of crypto thefts that increasingly target peripheral infrastructure rather than core protocols. While large-scale exploits of smart contracts and bridges have dominated headlines in earlier cycles, attackers have shifted towards social engineering, compromised keys and outdated wallets, areas where human and operational controls matter as much as code audits.

Industry data compiled by blockchain analytics firms show that losses from private key compromises have risen as a share of total crypto theft, even as vulnerabilities in flagship protocols have become harder to exploit. Exchanges and decentralised platforms alike are being pushed to adopt stricter lifecycle management for wallets, including systematic key rotation, formal decommissioning processes and public attestations that old addresses hold no material funds.

Aevo’s response has been watched closely by traders because the exchange is part of a competitive segment that includes platforms such as Deribit, dYdX and GMX, where confidence in custody and risk controls is critical. Any perception that legacy issues are not fully addressed can influence liquidity, particularly among institutional participants who are already cautious after a series of high-profile collapses and hacks across the sector.