
Rhea Finance: 423 Fake Wallets, Two Days of Prep, $18.4 Million Gone

Someone spent two days building 423 fake wallets before robbing NEAR's biggest DeFi protocol. $18.4 million gone. Half came back. The person who took the other half has never been caught.

SYNTH·Hack Database
Rhea Finance - NEAR Protocol's largest DeFi hub lost $18.4 million after two days of meticulous preparation by an attacker who built 423 fake wallets before striking

Imagine a bank. You walk in, deposit some fake IOUs the teller mistakes for real money, borrow against them, and walk out with $18.4 million in cash. The bank only figures out the IOUs were fake after you are gone.

That is roughly what happened to Rhea Finance.

Rhea Finance is a DeFi protocol on the NEAR blockchain. DeFi stands for decentralized finance - financial services like lending, borrowing, and trading that run on code instead of banks. No humans in the middle. Just smart contracts executing automatically based on rules written into them. Rhea was built from the merger of NEAR's two biggest DeFi platforms and by early 2026 it was handling hundreds of millions in user funds.

The attacker studied it for a while before striking.

Starting April 13, three days before the exploit, someone began building. They created 423 separate crypto wallets in rapid automated succession - a web of fake identities to hide their tracks. Then they deployed fake token contracts. A token contract is essentially a piece of code that says "this is a cryptocurrency worth X amount." The tokens they created were worth nothing. But the code made them look legitimate.

Here is where it gets clever.

DeFi protocols use something called an oracle to figure out what things are worth. An oracle is a price feed - software that looks at recent trading activity and assigns a value. If someone creates a fake token and then trades it back and forth with themselves a few times, the oracle can be tricked into thinking it has real value. That is exactly what the attacker did. They seeded their fake tokens into fresh liquidity pools and made the oracle believe the worthless tokens were worth something.
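A defensive check for the oracle weakness described above, as an added example that is not Rhea's code: before a pool price is accepted for valuing collateral, the pool has to pass age, depth and trader-diversity gates. The `Pool` fields, the thresholds and the sample pools are assumptions made up for illustration.

```python
from dataclasses import dataclass
from statistics import median
from typing import List, Optional, Tuple

@dataclass
class Pool:
    created_ts: int                    # unix seconds
    liquidity_usd: float
    trades: List[Tuple[str, float]]    # (trader account, execution price in USD)

# Hypothetical thresholds for illustration; tune per protocol and asset class.
MIN_POOL_AGE_S = 7 * 24 * 3600
MIN_LIQUIDITY_USD = 250_000
MIN_DISTINCT_TRADERS = 20
MAX_TOP_TRADER_SHARE = 0.5

def collateral_price(pool: Pool, now: int) -> Tuple[Optional[float], List[str]]:
    """Return (price, reasons). price is None when the pool is not a safe
    basis for valuing collateral; reasons lists every check that failed."""
    reasons = []
    if not pool.trades:
        return None, ["no trades"]
    if now - pool.created_ts < MIN_POOL_AGE_S:
        reasons.append("pool too new")
    if pool.liquidity_usd < MIN_LIQUIDITY_USD:
        reasons.append("liquidity too thin")
    counts = {}
    for trader, _ in pool.trades:
        counts[trader] = counts.get(trader, 0) + 1
    if len(counts) < MIN_DISTINCT_TRADERS:
        reasons.append("too few distinct traders")
    if max(counts.values()) / len(pool.trades) > MAX_TOP_TRADER_SHARE:
        reasons.append("volume dominated by one trader")
    if reasons:
        return None, reasons
    # Median of recent prints resists a single outlier trade.
    return median(price for _, price in pool.trades), []

# Constructed sample pools (illustrative, not on-chain data).
NOW = 1_700_000_000
FRESH = Pool(NOW - 2 * 24 * 3600, 5_000.0,
             [("a.example", 10.0), ("b.example", 10.5)] * 3)
DEEP = Pool(NOW - 90 * 24 * 3600, 2_000_000.0,
            [(f"t{i}.example", 1.0 + i / 1000) for i in range(31)])
```

Distinct-trader counts are cheap to inflate with many wallets, so the pool-age and liquidity gates carry most of the weight here.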

On April 16 they struck.

Rhea's lending system had a flaw in its slippage protection - the safety mechanism that stops users getting ripped off during trades. The flaw counted the same value twice across sequential steps. The attacker used their fake tokens as collateral, exploited the double-counting to borrow far more than the collateral was worth, and drained the reserve pool. When the protocol finally noticed, the attacker was gone.
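A simplified model of this bug class, added here as an illustration and not taken from Rhea's contracts or post-mortem: a check that credits every step's output counts an intermediate token again after the next step has already spent it. The step format, function names and the 80% loan-to-value figure are assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# One swap step: (token_in, amount_in, token_out, amount_out)
Step = Tuple[str, float, str, float]

def credited_flawed(steps: List[Step], prices: Dict[str, float]) -> float:
    """Flawed model: credits every step's output, so an intermediate token
    that the next step spends is still counted as value received."""
    return sum(amt_out * prices[tok_out] for _, _, tok_out, amt_out in steps)

def credited_netted(steps: List[Step], prices: Dict[str, float]) -> float:
    """Corrected model: net each token over the whole sequence and credit
    only what is still held once every step has run."""
    delta = defaultdict(float)
    for tok_in, amt_in, tok_out, amt_out in steps:
        delta[tok_in] -= amt_in
        delta[tok_out] += amt_out
    return sum(amt * prices[tok] for tok, amt in delta.items() if amt > 0)

def overcount(steps: List[Step], prices: Dict[str, float]) -> float:
    """Audit invariant: this must be 0 for every sequence of steps."""
    return credited_flawed(steps, prices) - credited_netted(steps, prices)

def max_borrow(credited_value: float, ltv: float = 0.8) -> float:
    """Borrow limit derived from credited collateral (hypothetical 80% LTV)."""
    return credited_value * ltv

# Constructed example: 100 A -> 100 B -> 100 C, every token priced at 1.0.
PRICES = {"A": 1.0, "B": 1.0, "C": 1.0}
ONE_HOP = [("A", 100.0, "B", 100.0)]
TWO_HOP = [("A", 100.0, "B", 100.0), ("B", 100.0, "C", 100.0)]
```

A single-step test passes both models, which is why the invariant has to be exercised with multi-step sequences during audit and fuzzing.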

CertiK, a blockchain security firm, initially flagged a $7.6 million loss. Rhea's own post-mortem told a different story. The real figure was $18.4 million.

Then the chase began.

Tether - the company behind the USDT stablecoin - froze $3.29 million directly in the attacker's wallet within hours. This is one of the few real tools in crypto enforcement: centralized stablecoin issuers can blacklist specific wallets and make the funds untouchable. Alex Shevchenko, CEO of Aurora and a senior figure in the NEAR ecosystem, posted publicly on X: "We have identified you, sir. Maybe I even followed you. Maybe not. Return the funds now."

The pressure worked. Partially.

On-chain records show approximately $3.5 million in USDC was returned to Rhea. A separate Zcash transaction of 13,500 ZEC, worth about $4.4 million at the time, arrived hours later. Total recovered or frozen across all methods: approximately $9 million.

Total permanently gone: approximately $9.4 million.

As of the time of writing, no arrest has been made. The attacker has not been publicly identified. Rhea Finance paused all lending contracts and pledged to use its own reserve funds to compensate affected users - a common but painful promise in DeFi. No relaunch date has been given. The $9.4 million that was not recovered is gone.

423 fake wallets. Two days of silence. Twenty minutes of execution. Half the money came back. The other half did not.

The Aftermath

Approximately $9M was recovered or frozen - roughly half the total. The remaining $9.4M is gone. Rhea Finance paused all lending contracts and committed reserve funds to user compensation. Alex Shevchenko's public identification of the attacker is believed to have accelerated the partial fund return. No relaunch date was announced.

LESSONS LEARNED

Two days of silent preparation preceded a 20-minute exploit. Most on-chain monitoring detects active attacks, not infrastructure builds. The attack began before the attack began.
The double-counting vulnerability is not new. KyberSwap lost $54.7M to the same principle in 2023. Three years later, a new protocol deployed the same flaw. Audits that do not specifically test sequential swap interactions miss this class of bug.
Chain abstraction adds features and attack surface simultaneously. The same architecture that let Rhea offer cross-chain DeFi from one interface created the complexity that hid the vulnerability.
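Monitoring for the preparation phase named in the first lesson, as an added example that is not from Rhea or any vendor: flag funders that create accounts in bursts, then list token contracts deployed from those clusters. The event format, the common-funder assumption, the thresholds and all sample data are constructed for illustration.

```python
from collections import defaultdict

def creation_bursts(events, window_s=3600, threshold=50):
    """events: (ts, funder, new_account) tuples in any order.
    Returns {funder: set of accounts} for funders whose peak count of
    accounts created inside any window_s span reaches threshold."""
    by_funder = defaultdict(list)
    for ts, funder, account in events:
        by_funder[funder].append((ts, account))
    flagged = {}
    for funder, rows in by_funder.items():
        rows.sort()
        start = peak = 0
        for end, (ts, _) in enumerate(rows):
            while ts - rows[start][0] > window_s:   # shrink window from the left
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[funder] = {acct for _, acct in rows}
    return flagged

def tokens_from_clusters(deploys, flagged):
    """deploys: (deployer, token_contract) tuples. Returns token contracts
    deployed by any account in a flagged cluster, sorted for stable output."""
    cluster = set().union(*flagged.values()) if flagged else set()
    return sorted(tok for deployer, tok in deploys if deployer in cluster)

# Constructed sample data (not taken from the incident's on-chain records).
T0 = 1_700_000_000
EVENTS = (
    [(T0 + 5 * i, "funder-a.example", f"w{i}.example") for i in range(423)]
    + [(T0 + 2160 * i, "exchange-hot.example", f"user{i}.example") for i in range(40)]
)
DEPLOYS = [("w7.example", "tokx.example"), ("user3.example", "legit.example")]
```

Tokens returned by `tokens_from_clusters` are candidates for a collateral deny-list or manual review before any lending market accepts them.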
