Massachusetts prosecutors seek to seize $2.3 million from crypto romance scam
The U.S. Attorney's Office in the District of Massachusetts announced that they had filed a civil forfeiture action to seize cryptocurrency priced at around $2.3 million from two Binance accounts. Those accounts had received cryptocurrency of various kinds from at least 37 American victims, one of whom was based in Massachusetts and who lost $400,000 in crypto assets to the scammers.
- "United States Files Forfeiture Action to Recover Cryptocurrency Traceable to Pig Butchering Romance Scam", United States Attorney's Office, District of Massachusetts [archive]
Phishing attack drains $2 million from one victim
An Ethereum holder who had been staking their ETH through a liquid restaking protocol called Ether.fi suffered a 501 ETH (~$2.025 million) loss when they fell victim to a phishing scam. They inadvertently signed a malicious transaction that granted the attacker "increase allowance" permissions, enabling them to siphon almost the entire sum of funds from the wallet. The individual was left with less than $1,500 in the wallet.
Incognito Market drug marketplace pulls multi-million dollar double scam
Since March 5, those who used the Incognito Market darkweb narcotics marketplace have found themselves unable to withdraw the Bitcoin and Monero they had on the platform. It appeared the platform had exit scammed for somewhere between $10 and $30 million.
Making matters worse, on March 10 the website posted a message reading, "Yes, this is an extortion !!" They wrote that, although the platform promised to "auto-encrypt" messages between buyers and sellers, and auto-delete after an expiry date, messages were not encrypted or deleted. They demanded that users pay an additional $100 to $20,000 to have their information removed from the dataset, which they promised to release at the end of May. "Whether or not you and your customers' info is on that list is totally up to you."
The tactic is reminiscent of that of ransomware groups, which often demand double fees: one from victims of hacks first to regain access to their systems, and another in exchange for a promise to destroy stolen data.
- Incognito Darknet Market Mass-Extorts Buyers, Sellers, Krebs on Security [archive]
Kickstarter's bizarre "pivot to blockchain" spurred by secret $100 million Andreessen Horowitz investment
Web3: a technology so promising you can't even pay a company $100 million to use it.
Crowdfunding website Kickstarter surprised and dismayed many of its users in December 2021 when they announced they would be moving the product to the blockchain in December 2021 for... reasons. That blockchain would just so happen to be the relatively unknown Andreessen Horowitz-backed Celo blockchain. "How this will actually work, beyond Kickstarter being able to yell 'blockchain' like a spell to summon investors ... is unclear," wrote Tom McKay at Gizmodo.
He probably didn't realize how right he was, but now it's been revealed that KickStarter was able to land a $100 million investment from Andreessen Horowitz with handwavy proclamations about the blockchain that its own COO didn't seem to quite understand.
The company seems to have since given up on its blockchain ambitions — in no small part thanks to user revolt. It seems that $100 million windfall didn't include any terms actually requiring Kickstarter to follow through.
Twitter phishers steal over $46 million from 57,000 victims in February
Scam Sniffer's February 2024 report describes 57,000 victims who collectively lost almost $47 million thanks to various phishing schemes on the Twitter platform. Many of the losses came from accounts designed to impersonate various popular cryptocurrency projects, who diverted users to scam websites resembling the real ones.
The largest individual loss was the phishing attack against kirilm.eth, who had over 180 million $BEAM tokens notionally worth over $5 million drained from their crypto wallet. The attacker sold the tokens for around $4.5 million.
The total amount stolen is down slightly from January, in which $55 million was taken. Altogether, scammers have stolen over $100 million via Twitter phishing alone in the first two months of 2024.
Crypto4Winners investment firm claims funds were stolen
A investment firm called Crypto4Winners announced in their Telegram channel that "Our investigations lead us to suspect an individual of committing fraudulent acts that may have compromised the integrity of assets. It is also possible that the current and historical data at our disposal has been tampered with, with a high degree of sophistication."
The company had paused withdrawals the previous day, and has not re-enabled them. They also have not disclosed the amount that was allegedly stolen.
Crypto4Winners claims it has earned 377% returns on customer investments since 2019, producing 3–20% monthly returns.
The company is co-owned by Luc Schiltz, who was sentenced to six years in prison in 2017 for defrauding victims of over $1.5 million through various investment frauds. He was released after two years, and quickly started the Crypto4Winners project after.
Unizen platform hacked for $2.1 million
The Unizen defi platform lost around $2.1 million in the Tether stablecoin in an attack that took advantage of a vulnerability an external call from the project smart contract.
The project team sent on-chain messages to the attacker, offering a 20% "bounty" for the return of the remaining funds.
WOOFi hacked for $8.75 million
An attacker was able to use a flash loan attack to manipulate an oracle on the WooFi DEX implementation on the Arbitrum network. By manipulating the price of $WOO, they were able to steal around $8.5 million.
Blockchain security firms detected the attack quickly, and the project team paused the project's smart contract within fifteen minutes, but not before the millions were stolen. They contacted the attacker via an on-chain message to offer a 10% "bounty", later threatening that they had a "strong lead that we think will soon reveal the identity of the exploiter".
- Woofi, Rekt [archive]
- "WOOFi sPMM exploit post-mortem", WOOFi [archive]
"The AI Protocol" burns tokens after holder suffers $4.3 million theft
Someone who held over 111.6 million ALI tokens from a project called The AI Protocol was phished by someone using a wallet drainer service using a permit phishing technique. The tokens were priced at around $4.3 million.
Blockchain sleuth zachxbt was able to coordinate with the project to organize a community governance vote to burn the stolen tokens before the attacker was able to cash out. Although this doesn't return the stolen funds to their original owner, it at least keeps the attacker from profiting.
Shido exploited for at least $3.3 million
The Shido blockchain suffered an exploit of their staking smart contract, in which an attacker was able to transfer ownership of the contract to another address and then upgrade the contract with a function that allowed them to withdraw staked tokens. Altogether, the attacker withdrew all 4.3 billion staked $SHIDO tokens — over half the entire circulating supply.
Although the stolen tokens were nominally priced at $35 million, the massive theft caused the price to plummet 94%. The attacker has converted the stolen tokens to around 956 ETH ($3.3 million).
The Shido team announced that they would be trying to offer a "bounty" to the hacker.