Whitehat Helps Recover $2M in ETH Stuck Since 2016 ICO
A whitehat developer helped return funds from HongCoin's failed 2016 token sale after a bug left investor refunds frozen for nine years.
By Vince DioquinoEdited by Stephen GravesJun 1, 2026Jun 1, 20263 min read
In brief
- A whitehat helped return $2 million worth of ETH frozen since HongCoin's 2016 ICO.
- HongCoin’s team used the developer’s fix to unlock refunds that had been bloced because of a smart contract bug.
- Such recoveries are rare but may unlock dormant value, Decrypt was told.
An Ethereum developer helped recover more than 1,000 ETH, worth about $2 million, from a failed 2016 crypto project, returning funds that had been stuck in an old smart contract for nine years.
In a tweet Sunday, the developer, who goes by 0xFlorent_, said HongCoin’s 2016 ICO contract was supposed to refund investors after the project missed its funding goal, but a bug broke the refund function and left the ETH stuck.
First white-hat exploit on Ethereum: I unlocked 1,003.62
Ξ ($2,000,000) trapped in a 2016 ICO smart contract
for 9 years.The 48 original investors can now claim their funds. pic.twitter.com/lyh5iyaDu7
— 0xflorent.eth (@0xFlorent_) May 31, 2026
ICOs, or initial coin offerings, were a common way for crypto projects to raise money during Ethereum’s early years. Investors sent ETH to a smart contract, a program running on Ethereum, in exchange for tokens tied to a project that often had not yet launched.
0xFlorent_ said he found a way for HongCoin’s old contract to recognize blocked investors again and release their refunds. The recovery covered 48 investors, and he pointed to Etherscan records for the contract and unlocked wallet as on-chain proof.
For years, the contract had relied on the wrong number to decide who could get ETH back. His workaround corrected that for each blocked holder, after which HongCoin’s team carried out 41 unlock transactions.
A whitehat like 0xFlorent_ is a security researcher or developer who finds bugs and uses them to protect systems or recover funds, instead of stealing them.
The recovery comes as attacks on the decentralized finance sector continue to mount, with more than $840 million lost in the first five months of 2026 and April alone accounting for more than $600 million in stolen funds.
A rare instance
Because smart contracts can keep running long after projects fade, old mistakes can leave money frozen for years. HongCoin’s recovery suggests some of that money could still move, if the original team can be reached and the contract still gives them a way in.
But recoveries like these remain “unique,” and do not necessarily mean large amounts of lost funds could just “routinely be recovered,” Andy Yajin Zhou, associate professor at the Chinese University of Hong Kong and co-founder of on-chain security firm BlockSec, told Decrypt.
“The recovery was possible because the contract happened to contain a vulnerability that allowed a whitehat developer to safely extract and return the funds,” Zhou said. “Unfortunately, we cannot assume that old Ethereum contracts generally have such flaws.”
Locked funds can remain inaccessible because of "lost keys or irreversible contract logic," Zhou noted, while no reliable estimate exists for how much ETH is permanently trapped in old contracts.
Still, the case suggests that some funds written off as "lost" may not be beyond reach, shows that smart contracts aren’t necessarily “dead ends,” Dominick John, analyst at Zeus Research, told Decrypt.
Better security research and blockchain tools could help recover more stranded assets from old on-chain systems, potentially unlocking "dormant value" while exposing “limitations” in earlier smart contract design, he added.
