Nearly nine years after the failed ICO of the HongCoin project, a white hat hacker known as Florent has unlocked 1,003.62 ETH (approximately $2 million).

First white-hat exploit on Ethereum: I unlocked 1,003.62
Ξ ($2,000,000) trapped in a 2016 ICO smart contract
for 9 years.

The 48 original investors can now claim their funds. pic.twitter.com/lyh5iyaDu7

— 0xflorent.eth (@0xFlorent_) May 31, 2026

The funds had been stuck in the HONG smart contract, deployed on August 29, 2016. The sale did not meet its minimum target, and investors were supposed to have their Ethereum automatically refunded. However, due to a critical error in the refund function, the coins became frozen.

The mechanism rejected user requests if their balance exceeded the value of the global counter.

Florent discovered a vulnerability in the contract's administrative function, which was written in Solidity v0.3.5. Older versions of the language lacked protection against integer overflow. The hacker found that a specific function call could reset an address's balance, allowing the function check to pass successfully.

Since access to the admin function was restricted by a multisig controlled by the HongCoin team, the researcher reached out to the developers. Together, they executed 41 transactions to unlock the addresses of the 48 investors.

Two investors have already withdrawn 96.5 ETH and voluntarily sent a reward to the hacker.

HongCoin was marketed as "venture capital for everyone." The ICO ran from August 29 to October 28, 2016. All 1,003.62 ETH had been sent to this contract and remained there until now.

Florent has previously assisted in recovering access to assets in other outdated protocols, including a failed ICO from 2018 and atomic swaps on Liquality. He claims to use his own software and AI tools for initial code analysis to find vulnerable contracts with balances over 100 ETH.

It is worth noting that in April, the crypto industry experienced a record number of hacks in a single month, resulting in losses of $651 million across more than 20 incidents.