A white-hat hacker has recovered $2 million from a faulty smart contract tied to Hong Coin's 2016 initial coin offering, paving the way for investor refunds nearly a decade later. The hacker identified a flawed admin function in the contract and worked with the project's creators to exploit it—not for personal gain, but to unlock funds that had been stuck since the ICO era.
How the flaw was found
The vulnerability sat unnoticed in Hong Coin's smart contract code for years. A white-hat hacker—an independent security researcher—discovered that an admin function could be manipulated to drain the contract. Instead of keeping that knowledge private, they contacted the Hong Coin team and demonstrated exactly how to trigger the exploit.
By walking the creators through the attack, the hacker showed them the precise steps needed to recover the trapped funds. The team then executed the exploit themselves, pulling $2 million out of the contract.
The white-hat's role
White-hat hackers typically hunt for bugs to help projects patch them, often earning bounties. In this case, the hacker didn't just report the issue—they actively assisted in the recovery. The contract's faulty design had locked investor money in a way that standard fixes couldn't touch. The hacker's hands-on approach was the only way to free it.
The Hong Coin team has not publicly named the hacker, but confirmed that the recovery was a collaborative effort. No payment or bounty has been disclosed for the work.
Refunds for long-waiting investors
The $2 million now covers refunds for investors who put money into Hong Coin during the 2016 ICO. At the time, the project promised a decentralized platform, but the smart contract flaw froze funds before any real product launched. Investors have waited roughly a decade to see their money again.
The refund process is underway. The Hong Coin team is contacting original contributors to return their contributions. For many, the recovery is a rare bright spot after years of lost hope in a market riddled with failed ICOs and forgotten tokens.
The contract itself has been closed out, preventing further issues. The hacker's intervention turned a decade-old liability into a chance for closure.
