Web3 is Going Just Great

Goledo Finance contacted the attacker to offer a 10% "bounty" for the return of the remaining assets. In a message on January 29, the attacker wrote: "I hacked Goledo and want to negotiate".

Anyway, the South Korean Somesing platform — which is really more of a TikTok-but-just-for-song-covers clone than anything to do with karaoke — suffered a breach in which 730 million SSX tokens were stolen. These tokens are nominally priced at around $11.5 million, but around 2/3 of the stolen tokens were as yet undistributed and not a part of the circulating supply.

Singh pled guilty to conspiracy to possess with the intent to distribute controlled substances and conspiracy to commit money laundering, charges for which he's expected to serve around 8 years in prison.

The attackers were able to siphon 769 million $WSM from the contract, which was notionally worth around $7 million. However, the token lacks liquidity to support swapping hundreds of millions of tokens without depressing the price, and the token price dropped around 35% in the wake of the attack as the thief began to cash out over several days.

Meanwhile, WSM announced that they would be issuing a new token to replace the stolen tokens, and "renew[ing] the liquidity pool"... somehow.

The emails appeared to announce airdrops and exclusive offers from those companies, and recipients were invited to connect their wallets to claim tokens. Those wallets were then drained.

The attackers stole a variety of cryptocurrencies, and some outlets have reported the theft has totalled more than $3.3 million. However, because a substantial amount of that number comes from the illiquid Xbanking token, the actual liquid value of the tokens is likely closer to $700,000. The attackers have begun mixing the stolen funds through the Railgun privacy service.

GMEE is the token belonging to the Gamee blockchain-based gaming platform, which was acquired by the Animoca Brands company in 2020. Animoca is mostly known for its crypto-metaverse project, The Sandbox.

Tokens priced at around $1.8 million were drained from the project vaults. In a tweet, Concentric urged users to revoke contract approvals to avoid further losses.

The wallet addresses used by the exploiter appeared to connect the attacker to the $2.7 million OKX DEX theft in December 2023.

Despite all of that, Terraform Labs had continued to operate. However, it is now in dire financial straits, and has now filed for Chapter 11 bankruptcy in an attempt to sort out its financial obligations amid costly legal cases. Terraform Labs is currently a defendant in a complaint by the SEC, as well as several class-action lawsuits.

According to the company's bankruptcy filing, it has between $100 million and $500 million in assets, and liabilities in the same range.

After the dismal launch, Howard tried a few somewhat desperate-seeming moves to try to attract interest in the project: promising to send free crypto to some holders, redoing all the art after criticism of its quality, and slashing the NFT supply to 1,500. Despite all that, only 465 NFTs have sold (15% of the original supply, netting Howard 930 AVAX — around $28,400).

The flop was so bad that a member of the team behind the Avalanche blockchain put out a tweet distancing themselves from the project, stating that they didn't even know about the project until he announced it. "Gone are the days that individuals/Brands with large followings can just drop IP related NFTs out of nowhere and expect it to do well," they wrote, seemingly criticizing Howard's approach by writing that NFT creators must "mak[e] sure to do it in an organic way with proper intentions."

Debiex, however, only resembled a cryptocurrency trading platform. In reality, the website merely mimicked a trading platform, and the funds supposedly deposited there for trading purposes were taken by Debiex.

The CFTC identified five victims who were allegedly defrauded of a combined $2.3 million.

Regalado posted a video to his supporters explaining that he had been sued by the Colorado state securities regulator. "So the charges are that Kaitlyn and I pocketed $1.3 million, and I just want to come out and say that those uh charges are true," said Regalado in the video, presumably causing a cold chill to run down the spine of his defense attorney in the middle of whatever he was doing.

According to Regalado, God told them to first invest in a separate coin, which turned out to be a scam. Then, says Regalado, God told him to make his own currency, which Regalado called INDXcoin, "but also give them a 10x". Who knew God was a degen! Regalado had told investors that the funds would be going to "widows and orphans", but spent most of it on himself and his wife.

In an announcement posted on Rubiales' Twitter account, the South Korean Moon Labs wrote: "Yes, we agree that Mr. Luis Rubiales made a small mistake in women world cup." The statement went on to condemn "extremism and radical feminism", and downplay Rubiales' actions as not "really" sexual assault. "Yes, Luis did small mistake but probably the biggest mistake was losing Luis Rubiales in football part [sic]."

Now, another $2.7 million is gone after an apparent thief was able to exploit a smart contract that was intended to distribute payouts to Hector's token holders. They then swapped the tokens from the USDC stablecoin to ETH.

Investors in the project are furious, especially because various parties had warned Hector Network about apparently insecure practices. Hector Network's team, meanwhile, have not acknowledged the theft, although a law firm involved in the project liquidation promised a statement would be forthcoming.

Adding to those is the fact that TrueUSD recently paused its real-time reserves attestations, due to systems reporting liabilities that exceeded assets, though TrueUSD (obviously) claimed this was just an error.

A little over 700 victims were affected, and the highest loss from a single wallet was around $657,000. 121 wallets lost assets priced at more than $10,000.

On January 23, the protocol announced they had recovered 1,032 ETH (~$2.23 million) of the stolen funds.

Evidently the platform has still been running since then, though it rarely enjoys much mention alongside its many competitors.

Now, rolling out the classic "regulatory uncertainty" line, GameStop has announced it will be shutting down the marketplace. After shutting down a crypto wallet project in November, the company seems to have fully exited the crypto world.

The bug was fixed about a week later. There has been a dispute since then between Harmony employees and a consultant who was involved in identifying the bug, and the consultant has been accused of delaying action to profit from the excess tokens. The consultant also balked at destroying some of the tokens he mistakenly received.

The consultant claims that he didn't profit from the bug, and objected to a Harmony employee coming after him to destroy the excess tokens when he'd done little towards others who profited from the error. He did, however, say later that he had destroyed the tokens.

According to the consultant, a Harmony employee claimed that he had filed reports to the FBI and IRS about the consultant's behavior, and had the consultant banned from the annual ETH Denver event.

The failures included poor anti-money laundering programs, deficiencies around filing suspicious activity reports, and poor cybersecurity.

The NYDFS action is only one of Genesis' many worries these days, as it undergoes bankruptcy proceedings and is facing various other legal woes.

With the malfunctioning hardware wallet and no recovery key, Bentley has lost access to assets including 1.2 million EUL tokens — over 4% of the total EUL token supply. These tokens are priced at about $3.8 million today, though at other times the tokens would have been worth up to about $15 million.

"I've now lost a substantial percentage of the crypto assets I held in cold storage, accumulated over more than seven years, including the majority of the EUL allocated to me for participating in Euler governance," said Bentley.

Some have speculated that the trade might be an expensive marketing stunt to increase attention to WIF, which was losing some steam.

I'll give it to them: the token's namesake is pretty cute. But not $9 million cute.

It's unclear if the move is spurred by the massively waning interest in NFTs, or if it's part of Twitter's broad slashing of functionality in the wake of Elon Musk's disastrous takeover and cost-cutting attempts.

Those who already had the hexagonal profile pictures now seem to have had them restored to their usual circular shape, and there's no longer any mention of the feature in Twitter's support documentation, and new NFT profile photos can't be uploaded. People can, of course, still right-click and save the images and upload them that way.

Bitcoin briefly spiked by about $1,000 before dipping around $1,000 below its previous price, as traders excitedly reacted to the news, and then the news that the news was fake.

Bitcoin Rodney has been charged with operating an unlicensed money transmitting business and conspiracy to operate an unlicensed money transmitting business.

When investigators subpoenaed Discord for Rhoden's chat logs, they found messages celebrating the rug pull. "good shit on us making a fuck ton of money," he wrote to his co-conspirator.

MangoFarmSOL is unrelated to the other Solana-based mango-themed project, Mango Markets, which was exploited in October 2022 for more than $100 million.

However, investigation by the CertiK blockchain security firm suggests that the "hack" may have been an inside job, with much of the $1.5 million that was "stolen" going to wallets with links to the Narwhal team.

The Narwhal project had launched in mid-December.

On January 6, the project's creators drained the tokens that had been put into the project, then deleted their website and social media accounts. Altogether, they withdrew 558.3 ETH (~$1.25 million).

In July 2023, an attacker stole $37.3 million from the CoinsPaid platform. CoinsPaid said at the time that they suspected the attacker was the North Korean Lazarus hacking group, which has been a prolific perpetrator of cryptocurrency thefts.

CertiK quickly regained control of the account and deleted the tweets, later explaining that an employee had been contacted by a "verified account, associated with well-known media". The journalist's account, apparently compromised, successfully phished the CertiK employee by sending what looked like a Calendly meeting scheduling link, but what was in fact a malicious link used to take over the CertiK Twitter account.

Blockchain sleuth zachxbt criticized CertiK, which describes itself as a leading blockchain security firm, for not protecting against the attack, and asked if they would be reimbursing phishing victims.

Gamma has contacted the hacker to try to negotiate a return of some of the assets, and also says they have engaged law enforcement. Although they have promised to try to repay some of the stolen assets, they are estimating between 25% and 40% recoveries for various categories of users.

Radiant Capital sent an on-chain message to the attacker, offering to negotiate a bounty.

"I just got scammed out of $125k of stEth while trying to claim the $LFG airdrop. And I'm a fking founder of a wallet startup that's trying to improve wallet security..." wrote Lou on Twitter. "This is the first time I've been scammed. I always read about others but you never think it could happen to you..." he wrote.

If the founder of a wallet security project can't avoid scams in the crypto world, what hope do the rest of us have?

Orbit began sending the attacker on-chain messages, writing that "we will track you down and restore the damage you incurred to the ecosystem. And we will not stop." Orbit also wrote on Twitter that they were working with various law enforcement agencies.

The attack was perpetrated by the Pink Drainer group, which had recently compromised the Twitter account of Compound Finance to try to lure its more than 250,000 followers into authorizing the malicious drainer. It's not clear if that's how this wallet was drained, however, as Pink Drainer uses numerous strategies to attract victims.

This is a major decision in the crypto world, which recently celebrated a decision in the SEC v. Ripple case, which found that some sales of Ripple's XRP token did not constitute unregistered securities offerings.

The SEC has maintained a position that the majority of crypto asset offerings are securities offerings, which has been an unpopular opinion among those in the cryptocurrency industry — which broadly does not wish to be regulated by the SEC.

The attack was unusual in that it lasted almost two weeks, going unnoticed because it was draining pools slowly enough that the Levana team assumed it was organic activity. However, when the network became congested, the attack suddenly became more profitable — and more noticeable.

Grayscale is in the midst of an application process with the SEC for approval to convert the trust into a spot bitcoin ETF. This has been an ongoing effort by Grayscale, and has been denied before.

DCG, meanwhile, is in the middle of financial difficulties and ongoing legal battles, including a lawsuit from the New York Attorney General alleging a $1 billion fraud by DCG and its Genesis subsidiary. The lawsuit from the NYAG also names Silbert personally.

Telcoin later announced that they "plan[ned] to restore all wallets to their previous balances", though did not say whether or how they would be making up the $1.25 million deficit.

Telcoin had been audited by CertiK, though CertiK tweeted to say that "this contract was not in the scope of the audit conducted by CertiK".

On December 25, Tether minted 1 billion of its USDT dollar-pegged stablecoin. CEO Paolo Ardoino announced on Twitter that the mint was an "authorized but not issued transaction, meaning that this amount will be used as inventory for next period issuance requests and chain swaps". This seems to be a recent trend for Tether, as similar language was used for a $1 billion mint in September.

The activity has raised more questions around where the real money backing Tether is coming from, and if it even exists at all. Some have argued that these recent Tether mints are being used to artificially inflate the price of Bitcoin, which has been on an upward trend since mid-October.

Tether, which boasts a market cap of more than $90 billion, has never been audited, and has lied about its backing in the past.

Megabot had advertised itself as an AI trading bot that would earn users "up to 30% monthly". The team had promised that the bot would perform trades while "sidestepping potential risks such as honeypots, rugs, and slow rugs".

"No one will be able to rug you anymore", their website boasted. Ah, well.

The SEC charged that the group had not registered their sale of the bonds as was required under US securities laws. BarnBridge shut down very shortly after the complaint was filed, without any input from its community, despite ostensibly being community governed.

Catalyx announced in a press release on December 28 that they had "recently discovered a security breach on the Platform in connection with the holding of crypto assets on behalf of clients. Management suspects that this security breach, which may involve an employee, has resulted in the loss of a portion of the crypto assets held by the Company on behalf of its clients".

Catalyx did not state how much had been stolen.

Qredo had already been forced to perform layoffs in September and then November, and in November was searching for a rescue after saying their user "activity ha[d] fallen" in the "prolonged cryptowinter".

On December 15, Qredo had also announced that they would be shutting down their Ankex trading platform, which was previously led by Michael Moro, who was previously booted as CEO from Genesis Trading.

The Aurory team posted on Twitter to acknowledge the hack, writing that they'd disabled SyncSpace as they investigated. They also wrote that SyncSpace had been audited months ago, but that the audit had failed to detect the vulnerability.

One attacker claimed in on-chain messages that the original attack had been perpetrated by someone else, but that they were one of the many copycat attackers, describing themselves as someone who had "[come] here to pick up residual garbage". They requested victims send additional ETH to get their NFTs back. "If you want the monkey nft back, then you need to pay me a bouty, which is what I deserve", they wrote, asking for NFT holders to send them 10% of the Ape floor price.

Meanwhile, NFT holders were urged to revoke access to NFT Trader, since the platform seemed aware of the attack but unable to stop it. NFT Trader was ultimately able to thwart the attacker to stem additional bleeding, likely thanks to help from community members who pointed out a way the contract could be shut down.

Later, the "residual garbage" attacker returned 36 Bored Apes and 18 Mutant Apes after a Yuga Labs co-founder paid the 120 ETH (~$260,000) ransom.

Although SafeMoon claimed to have created a token that would "safely go to the moon", executives allegedly siphoned millions of dollars of investor funds to spend on personal expenses including luxury cars and real estate.

In the bankruptcy filing, SafeMoon has claimed to have 50–99 creditors, between $10 and $50 million in estimated assets, and $100,000 to $500,000 in estimated liabilities.

A hacker was able to obtain access to Ledger's source code management tool and push out a new release that contained code that would drain wallets as users connect them. Because the library is so widely used, many crypto applications were vulnerable — including Revoke.cash, a security-focused project intended to help people guard against attacks on their wallets.

CTO of the Sushi crypto project issued a broad warning: "Do not interact with ANY dApps until further notice." At least $600,000 has been drained from multiple users so far.

CoinList reportedly allowed 89 users to sign up for accounts on the platform, most of whom had stated that they were residents of Russia but provided addresses in Crimea.