A white-hat hacker just did something most crypto old-timers thought was basically impossible. They cracked open a nine-year-old smart contract from Hong Coin’s 2016 ICO and walked out with $2 million — handed straight back to the project’s creators.
The flaw had been sitting there the whole time. The contract’s admin function was misconfigured, probably from the day it launched, and nobody caught it. Not the developers, not any auditor, not the investors who put money in. For nearly a decade it just sat dormant on-chain, locked and forgotten, while the broader crypto market went through multiple boom-and-bust cycles. Then someone looked closely enough to find it.
The hacker didn’t just exploit the bug and disappear.
How the Recovery Actually Worked
Instead of draining the funds for personal gain — which, let’s be honest, would’ve been the easier path — the hacker guided Hong Coin’s creators through the process of exploiting their own contract. Securely. That’s the part worth sitting with for a second. The vulnerability was real enough that it required active exploitation to move the funds, but the hacker walked the team through it step by step, making sure the $2 million ended up in the right hands rather than vanishing into a mixer somewhere.
No further details about the hacker’s identity have come out. The creators of Hong Coin didn’t name them. It’s unclear whether any bounty or compensation was involved; the source didn’t specify.
The recovery let the project reimburse affected investors. That’s rare. Genuinely rare. Most ICO-era losses are permanent. The contracts either get abandoned, the teams disappear, or the funds are long gone. Getting money back from a 2016 ICO in 2025 or 2026 isn’t something that happens on a normal Tuesday.
The Bigger Problem With Old Smart Contracts
The Hong Coin case is probably not a one-off. The early ICO wave, roughly 2016 through 2018, produced hundreds of smart contracts written before Solidity best practices were well established, before formal audit firms were common, and before the industry had any real consensus on what “secure” even meant for on-chain code. A lot of those contracts are still sitting there. Some hold real value. Some are empty. Some, apparently, hold $2 million with a broken admin function that nobody noticed.
It’s a strange corner of crypto history. The code is immutable — it can’t be patched. If a flaw exists, it exists forever, or until someone does exactly what this hacker did: find it, and use it constructively before someone else uses it destructively.
Security audits have gotten significantly more rigorous since then. Firms dedicated entirely to smart contract review now run through codebases line by line before anything goes live. But that doesn’t help the contracts that never got that treatment. Older projects from the ICO era are kind of in a permanent gray zone — too old to easily upgrade, too obscure to attract ongoing scrutiny, but sometimes still holding funds.
The Hong Coin situation drew attention to exactly that problem. And it probably won’t be the last time something like this surfaces.
What Hong Coin Said — and Didn’t Say
The creators haven’t released a formal statement about future security measures. They haven’t said whether they plan to revisit other parts of their infrastructure, bring in an external auditor, or do anything differently going forward. No comment on next steps. The focus, at least publicly, has stayed on the recovery itself.
That silence is a little frustrating for anyone hoping this turns into a broader industry lesson. Maybe it still does. The case has already sparked some discussion about whether other early-era projects should proactively hire ethical hackers to review old contracts before a less scrupulous actor finds the same flaws first.
The hacker’s methods remain undisclosed. That’s probably intentional — you don’t want a detailed public playbook for exploiting admin function misconfigurations floating around while similar contracts still hold funds.
What’s clear is that $2 million moved from a broken nine-year-old contract back to the people it was supposed to belong to. The identity of the person who made that happen stays anonymous, at least for now.
Frequently Asked Questions
What was recovered in the Hong Coin smart contract hack?
A white-hat hacker recovered $2 million from a misconfigured admin function in Hong Coin’s 2016 ICO smart contract, returning the funds to the project’s creators to reimburse investors.
How did the hacker return the funds instead of keeping them?
Rather than taking the money, the hacker guided Hong Coin’s creators through exploiting their own contract securely, ensuring the $2 million reached the right hands.





