VERSE PRESS


Developer Exploits Nine-Year Bug to Rescue $2M Frozen in 2016 ICO Contract

Two of 48 eligible investors have already claimed 96.5 ETH. The rest of the funds are still waiting.


A developer has used a whitehat exploit to unlock roughly $2 million in Ether that has sat inaccessible inside a 2016 initial coin offering (ICO) smart contract for nearly nine years, according to reporting by The Block published May 31. The contract holds approximately 990 ETH in total, valued at current prices near $2,021 per ETH. According to The Block, which is the sole public source for these figures, two of the 48 eligible investors have already claimed 96.5 ETH, worth close to $195,000, leaving the remaining funds available for the other 46 claimants. The investor count and claimed total have not been independently verified.

The developer communicated the findings directly to The Block. Specific details about the ICO project's name, the developer's identity, and the precise nature of the vulnerability had not been publicly indexed at the time of publication.

What a Whitehat Exploit Actually Means

A whitehat exploit involves intentionally triggering a security vulnerability in a smart contract, not to steal funds, but to move them to safety before a malicious actor can do the same. Smart contracts are self-executing programs stored on a blockchain; once deployed, their code is generally immutable, though upgradeable proxy contracts represent a well-established exception. In contracts without admin recovery mechanisms, the practical path is to run the vulnerable function before a malicious actor discovers and uses it.

In this case, the contract was deployed during the early Ethereum ICO era, when Solidity, the programming language used to write Ethereum contracts, was less than two years old and formal security audits were rarely conducted. The code has sat on-chain, inaccessible to its intended recipients, ever since.

Security firm Cyfrin has described the standard whitehat approach as batching all rescue transactions together so that the exploit cannot be front-run by observers watching the mempool (the queue of pending blockchain transactions) for opportunities to copy the technique.

A Pattern From a Volatile Era

The 2016 to 2017 ICO boom generated hundreds of token sales that collectively raised hundreds of millions of dollars under minimal oversight. The era also produced some of the most consequential smart contract failures on record.

In June 2016, an attacker exploited a reentrancy bug in The DAO, a decentralized investment fund, draining 3.6 million ETH worth roughly $60 million at the time. Ethereum ultimately executed a hard fork to reverse the theft, a decision so contentious it split the network into Ethereum and Ethereum Classic. In July 2017, a group known as the White Hat Group executed a large-scale whitehat rescue of approximately 377,000 ETH, worth around $208 million at the time, from nearly 500 vulnerable wallets sharing the same flaw, moving the funds to safety before malicious actors could drain them. That operation remains one of the most significant coordinated whitehat rescues on record and stands as a direct precedent for the kind of community-led recovery now being applied to smaller legacy contracts. Then in November 2017, a GitHub user accidentally triggered a self-destruct function in a shared Parity wallet library, permanently freezing approximately 513,000 ETH. Those funds have never been recovered.

The 2026 picture is not much tidier. The platform ForgottenETH.com currently tracks more than 165,000 ETH, worth roughly $333 million calculated at current ETH prices, stuck across 116 defunct smart contracts from the 2015 to 2022 period. The list includes old decentralized exchange contracts, ICO escrows, Ponzi-era token pools, ENS deed deposits, and DAO refund contracts.

Earlier this year, in February 2026, members of the Security Alliance (SEAL) and Giveth executed a separate whitehat rescue of more than 50 ETH, worth approximately $100,000, from a decade-old DAO-adjacent contract. A SEAL member described it at the time as "a long-planned white hat rescue," as quoted by Protos, with unclaimed funds directed toward the Ethereum Security Fund. Separately, a broader initiative backed by Ethereum co-founder Vitalik Buterin, Giveth founder Griff Green, and others is currently converting roughly 75,000 ETH in unclaimed DAO recovery funds into a staked security endowment projected to yield between $7.8 million and $11.1 million annually for ecosystem security grants.

Why Emerging Market Investors Should Pay Attention

The 48 investors in this particular contract are not identified publicly, but the 2016 ICO wave was a genuinely global phenomenon. Retail investors across India, Nigeria, Kenya, and other emerging markets were among global participants in that wave, often through informal channels with no consumer protection backstop.

That context matters now. India ranked first in the 2026 Global Crypto Adoption Index, leading in both centralized exchange and decentralized finance activity. Nigeria ranked second, and Ethiopia, Kenya, and Ghana entered the top 20 for the first time. Pakistan, ranked eighth, continues to navigate regulatory uncertainty alongside Bangladesh and other South Asian markets working through evolving crypto frameworks. Sub-Saharan Africa recorded stablecoin volume growth above 180 percent year over year, driven largely by remittances and savings dollarisation, with stablecoins functioning increasingly as a dollar substitute rather than a general savings vehicle.

For participants in those markets who contributed to 2016-era ICOs and wrote the investment off entirely, this case is a reminder that on-chain funds do not disappear. Recovery remains a technical possibility, though the practical outcome depends on whether the right conditions can be met and whether original wallet credentials have survived nearly a decade.

The case also carries regulatory weight. With India's crypto framework still taking shape and African regulators building out their own rules, courts in Nigeria, Kenya, and South Africa have shown increased willingness to adjudicate crypto disputes. Smart contract bugs specifically fall into a grey zone, however, and the question of who bears legal responsibility when a contract malfunctions and locks user funds for nearly a decade remains largely unsettled.

What Comes Next

The 46 remaining investors will need to come forward to claim their share. The specific mechanism for doing so, whether through a new smart contract interface, a direct wallet interaction, a claims portal, or another process, has not been publicly disclosed. Eligible claimants should monitor The Block's coverage directly for procedural updates. It is also worth noting that the standard whitehat industry convention, as documented by Cyfrin, is a 10 percent bounty on rescued funds. Whether this developer has taken or expects to take such a fee is unconfirmed, but potential claimants should be aware that their recoverable amount may reflect a deduction before they receive their share.

Whether the remaining investors can be located at all, or still hold the private keys to wallets they used in 2016, is an open question. The whitehat rescue creates the technical possibility of recovery; the practical reality depends on documentation and access that may not have survived nine years.

SEAL currently operates a network of 79 active members and reports covering more than $7 billion in protocol value through its Safe Harbor agreement framework, which pre-authorizes rescue operations under defined terms. The growing institutionalization of that infrastructure may point toward more rescues of long-dormant contracts in the years ahead, as the industry works through the accumulated technical liabilities of its earliest era.