Rescue Mission Unlocks Seven-Year-Old Ethereum Cache Worth $2 Million

A cybersecurity expert has successfully released approximately 1,003 Ether valued at around $2 million that remained trapped in a 2016 ICO smart contract for almost ten years. The cryptocurrency belonged to participants in HongCoin, an Ethereum-based token offering marketed as a community-driven investment vehicle.

The ICO operated from August 29 through October 28, 2016, but ultimately fell short of its fundraising target. Following the unsuccessful sale, the smart contract should have automatically returned funds to investors. However, a coding error in the refund mechanism silently prevented this from occurring.

First white-hat exploit on Ethereum: I unlocked 1,003.62 Ξ ($2,000,000) trapped in a 2016 ICO smart contract for 9 years. The 48 original investors can now claim their funds. — 0xflorent.eth (@0xFlorent_) May 31, 2026

The cybersecurity professional, identified online as “0xflorent” or Florent, detailed the technical problem in a social media post on X. The refund mechanism would decline any token holder whose balance exceeded a global tracking variable. Through years of partial withdrawals, this counter had decreased to 356, effectively limiting total refunds to merely 3.56 ETH — significantly less than what most participants were entitled to receive.

The contract was developed using an outdated version of Solidity, the coding language for Ethereum smart contracts. It lacked safeguards against integer overflow vulnerabilities — a defect where numerical values increase beyond their maximum limit and reset to zero or one. The blockchain industry subsequently addressed this weakness through SafeMath, a protective library.

Florent discovered a solution by utilizing the HongCoin team’s administrative function. Executing it with a particular input value reset a participant’s token balance to one, enabling the refund verification to succeed and releasing the ETH. This wasn’t an independent exploit.
The administrative function required authorization from the HongCoin team’s multisignature wallet, necessitating team approval for each transaction. Florent contacted the team via email, validated the solution on a test network, and the team subsequently approved 41 transactions — one for each affected investor. The entire operation required approximately one week.

Among the 48 qualified investors, 41 required the balance adjustment. The remaining seven held sufficiently small amounts to receive direct refunds. Two participants have already withdrawn a total of 96.5 ETH, worth approximately $193,000. Both voluntarily compensated Florent with whitehat rewards, though no payment was obligatory. “There were no fees, no cut, no commission,” Florent stated to The Block.

This isn’t Florent’s inaugural recovery operation. On May 24, he documented liberating 19.33 Ethereum from two different legacy contracts — a defunct 2018 ICO and a Liquality Wallet account whose assets were stuck in expired atomic swaps.

Florent explained that he recently deployed his own Ethereum node and developed a scanning tool to identify contracts holding over 100 ETH. He then systematically reviewed candidates searching for exploitable weaknesses. He also utilized Claude Code to assist with sorting and categorizing contracts, though he acknowledged the AI platform has limitations when directly analyzing smart contract security flaws.

Florent expressed his hope to see more individuals working to safeguard funds rather than exploit them. “It’s more rewarding morally, and it can also pay well,” he remarked.
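
The refund guard and the balance wrap described above, modelled in Python as an added example; it is not the HongCoin contract source or Florent's code. The names, the unchecked-addition behaviour of the administrative function, and the sample balances are assumptions, and the 100 tokens per ETH ratio is inferred from the article's figure of a 356 counter capping refunds at 3.56 ETH.

```python
# Simplified model of the refund bug described in the article.
# All names are hypothetical; this is not the HongCoin contract source.
UINT256 = 2**256
TOKENS_PER_ETH = 100  # inferred: a counter of 356 caps refunds at 3.56 ETH


class RefundModel:
    def __init__(self, balances, tokens_outstanding):
        self.balances = dict(balances)                # holder -> token balance (uint256)
        self.tokens_outstanding = tokens_outstanding  # global counter drained by partial withdrawals

    def can_refund(self, holder):
        # Faulty guard: a holder whose balance exceeds the global counter is declined.
        return self.balances[holder] <= self.tokens_outstanding

    def admin_add_unchecked(self, holder, amount):
        # Assumed pre-SafeMath arithmetic: the sum silently wraps modulo 2**256.
        self.balances[holder] = (self.balances[holder] + amount) % UINT256

    def admin_add_checked(self, holder, amount):
        # SafeMath-style addition: revert instead of wrapping.
        total = self.balances[holder] + amount
        if total >= UINT256:
            raise OverflowError("addition overflows uint256")
        self.balances[holder] = total


def wrap_to_one(balance):
    # Input for which balance + input == 2**256 + 1, which wraps to 1.
    return UINT256 - balance + 1


def blocked_holders(model):
    # Holders the refund guard currently declines.
    return sorted(h for h in model.balances if not model.can_refund(h))


def demo():
    # Constructed balances, not taken from the chain.
    m = RefundModel({"alice": 250_000, "bob": 300}, tokens_outstanding=356)
    before = blocked_holders(m)
    m.admin_add_unchecked("alice", wrap_to_one(250_000))
    return before, m.balances["alice"], blocked_holders(m)


if __name__ == "__main__":
    print(demo())
```

With checked arithmetic the same administrative call reverts, so the wrap that made the rescue possible is also the class of defect SafeMath was introduced to stop.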