In May 2026, SUPERFORTUNE AI, a Web3 project that offers fortune readings and crypto market insights based on AI and traditional Eastern metaphysics, was the victim of a hack. The attacker redirected funds intended for an airdrop to steal an estimated $15.18 million in the project’s GUA tokens.
Inside the Attack
The SUPERFORTUNE AI hacker took advantage of an intended transfer of GUA tokens to an airdrop account. The source wallet for the transfer was protected by a multisig wallet and various address verification controls designed to protect against address poisoning and similar attacks.
Despite these security controls, the attacker managed to change the destination address of the airdrop to a lookalike address (0x70AE678b457C5E1b3fD7AD9537F234dFc1795C15 instead of 0x70ae7D3DECfB4C3aE996fb1c07092566F73D5c15). Like the addresses used in address poisoning attacks, this address begins and ends with the same four characters as the real address, so both might be summarized as 0x70AE…5C15.
However, the SUPERFORTUNE AI hack didn’t involve a classic address poisoning attack. Address poisoning depends on the lookalike address already appearing in the victim’s transaction history, from which the transaction creator copies and pastes the wrong address. Since the SUPERFORTUNE AI project had never interacted with the attacker’s address in the past, this couldn’t be the root cause of the incident. Other potential causes include compromised tooling, operational errors, or some other vulnerability within the project’s multisig workflow.
In total, the attacker was able to steal approximately 15 million GUA tokens, which were later dumped on markets, netting the attacker about $5.66 million. This caused an estimated 60% drop in the token’s value on the day.
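The check below is an added example, not code from SUPERFORTUNE AI or from the original article: it compares all 40 hex digits of a proposed destination against an approved address book and flags an address that matches only in its abbreviated form. The address book, its "airdrop" label and the function names are assumptions; the two addresses are the ones quoted above.

```python
import re

ADDR_RE = re.compile(r"0x[0-9a-fA-F]{40}")

def normalize(addr: str) -> str:
    """Return the lowercase 40-hex-digit form, or raise ValueError if malformed."""
    addr = addr.strip()
    if not ADDR_RE.fullmatch(addr):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return addr.lower()

def abbreviate(addr: str, n: int = 4) -> str:
    """Shortened form of an address: 0x + first n hex digits + … + last n."""
    h = normalize(addr)[2:]
    return f"0x{h[:n]}…{h[-n:]}"

def check_destination(proposed: str, approved: dict[str, str], n: int = 4):
    """Classify a proposed destination against an approved address book.

    Returns (verdict, label):
      "match"     - all 40 hex digits equal an approved entry
      "lookalike" - abbreviation equals an approved entry's, full address differs
      "unknown"   - resembles nothing in the address book
      "malformed" - not a valid 20-byte hex address
    """
    try:
        want = normalize(proposed)
    except ValueError:
        return ("malformed", None)
    book = {normalize(a): label for label, a in approved.items()}
    if want in book:
        return ("match", book[want])
    for addr, label in book.items():
        if abbreviate(addr, n) == abbreviate(want, n):
            return ("lookalike", label)
    return ("unknown", None)

# Addresses quoted in the article; the "airdrop" label is an assumption.
APPROVED = {"airdrop": "0x70ae7D3DECfB4C3aE996fb1c07092566F73D5c15"}
SUBSTITUTED = "0x70AE678b457C5E1b3fD7AD9537F234dFc1795C15"

if __name__ == "__main__":
    for dest in (APPROVED["airdrop"], SUBSTITUTED):
        print(abbreviate(dest), check_destination(dest, APPROVED))
```

A "lookalike" verdict is the case to block outright: the abbreviated form a signer sees is identical for both addresses, so only a full-length comparison against a list maintained outside the signing tool distinguishes them.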
Lessons Learned from the Attack
The SUPERFORTUNE AI attack is an example of a sophisticated off-chain attack designed to slip through the cracks of a Web3 project’s defenses. The project had a multisig wallet and address verification controls built into its multisig workflow to protect against address poisoning and similar attacks. However, the attacker still managed to redirect a critical transaction, dump the tokens on the market, and make a profit while tanking the GUA token’s value.
This incident demonstrates the importance of having carefully designed and well-tested security controls and processes to protect a Web3 project’s assets and infrastructure both on-chain and off. Halborn offers security advisory services that help teams ensure that their security programs are aligned with industry best practices and tested for potentially exploitable vulnerabilities that could lead to major hacks. Get in touch to find out more.
