White Hat Recovers $2M in ETH Stuck Since 2016 ICO
A pseudonymous white hat hacker named 0xflorent recovered about 1,003 ETH ($2 million) from a buggy Hong Coin ICO smart contract, locked since 2016. By exploiting an integer overflow flaw, they triggered refunds for 48 investors, with the first receiving 96 ETH.
Quick Take
White hat 0xflorent retrieved 1,003 ETH from failed 2016 Hong Coin ICO.
Exploited admin function with integer overflow to unlock refunds for 48 investors.
One investor already refunded 96 ETH, worth about $192,500.
Funds had been locked since 2016 due to broken auto-refund bug.
Market Impact Analysis
NeutralRecovery of long-lost funds is a feel-good story but has negligible impact on crypto prices or market structure.
Speculation Analysis
Key Takeaways
- White hat hacker 0xflorent recovered 1,003 ETH from the failed 2016 Hong Coin ICO, unlocking funds stuck for nearly nine years.
- By exploiting an integer overflow in the contract’s admin function, they reset balances and triggered the broken refund mechanism.
- One investor received 96 ETH ($192,500), marking the first payout from the 48 affected wallets.
- The ICO’s auto-refund feature had been silently broken due to a code bug, trapping investor funds.
What Happened
A pseudonymous white hat known as 0xflorent successfully drained over $2 million in Ether from a defunct ICO smart contract, nearly a decade after it failed. The Hong Coin (HONG) project, pitched as a community-run venture fund, raised funds in 2016 but never launched because it missed its target. When the ICO collapsed, a refund function designed to return investors’ ETH malfunctioned, leaving 1,003 ETH locked and inaccessible. 0xflorent identified a critical integer overflow flaw in an administrative tool that reset token balances. By calling the function with a specific input, they bypassed the glitch and activated refunds for 48 victims, with one receiving 96 ETH on May 26.
The Numbers
The rescue involved 1,003 ETH—roughly $2 million at today’s prices—trapped since the ICO’s close in October 2016. Of the 48 investors who sent ETH to the contract, one wallet received 96 ETH ($192,500) within hours of the exploit. Another 0.5 ETH went out to a second address, according to Etherscan. The total distributed so far represents just under 10% of the locked pool, with the remainder set to flow to the other 46 participants. The ICO had aimed to sell 250 million HONG tokens across five stages but fell short, triggering the broken auto-refund that 0xflorent ultimately overrode.
Why It Happened
The freeze traced back to a logic error in the smart contract’s refund function. When the ICO failed, the code should have automatically returned each investor’s deposit. Instead, a bug blocked the process, leaving balances stranded. 0xflorent reverse-engineered the contract and found an admin-level function susceptible to integer overflow—a classic vulnerability in older Solidity code. By feeding it a carefully chosen value that overflowed, they forced the system to reset a holder’s balance and clear the refund check, something the original developers never intended. The flaw had gone unnoticed for almost nine years, underscoring how immutable code can permanently trap funds without white hat intervention.
Broader Impact
While the recovery doesn’t move markets, it spotlights persistent risks in unmaintained smart contracts. Even audited ICO-era code can harbor deadly bugs, and 0xflorent’s work serves as a reminder that selfless hackers can undo some of the damage. The episode may encourage other white hats to scrutinize old contracts, potentially unlocking millions in forgotten crypto. It also reinforces the need for formal verification in DeFi to prevent such lockups.
What to Watch Next
- Monitor 0xflorent’s on-chain activity as they continue refunding the remaining 47 investors; full distribution could take weeks.
- Other stalled ICOs or locked wallets may come under renewed scrutiny, with white hats hunting for similar flaws.
- The Ethereum Foundation or security firms might issue guidance on auditing legacy contracts, given heightened attention.
This article is for informational purposes only and does not constitute financial advice.
Always late to trends?
Join for the latest news, insights & more.
Disclaimer: Bytewit is an independent media outlet that delivers news, research, and data.
© 2026 Bytewit. All Rights Reserved. This article is for informational purposes only.
