Two NFT fraudsters charged for rug pulls amounting to over $22 million

An illustration of a person with green skin and a face shaped like a square-cut gem. They're wearing a white bandana, sunglasses with dollar sign patterns, and a prison uniform, and they have a party horn in their mouth.Vault of Gems #2509 (attribution)
Gabriel Hay and Gavin Mayo, two LA-based NFT creators, have been charged for defrauding investors of more than $22.4 million through a series of NFT rug pulls and other crypto scams. The duo launched various projects with detailed and false roadmaps to lure NFT buyers, then abandoned the projects without following through.

For example, a "Vault of Gems" NFT project falsely claimed to be the "first NFT pegged to a hard asset, like jewelry", which would have its own exchange. A "Faceless" NFT project promised to produce comic books, a movie, and a clothing company. None of the promises ever materialized, and Hay and Mayo abandoned the projects soon after launching them.

Hay and Mayo worked to hide their involvement with their scams, and have been charged with harassment for attempting to threaten those who connected them. In one case, after a person revealed Hay and Mayo to be the ones behind the Faceless NFT project, the duo sent threatening emails and text messages to the man and his parents. In an email to his parents, they impersonated a law firm, and even threatened to make false sexual abuse claims against the man.

Crypto holder loses assets priced at $2.5 million

A crypto holder tweeted at the Ledger hardware wallet manufacturer to report that 10 BTC (~$1 million) and "~1.5m of NFTs" had been stolen from them. "The ledger was purchased directly from you. The seed phrase was stored in a secure location, never entered anywhere online. I never signed any malicious transactions. Everything is in my physical possession.I haven’t touched this ledger in 2 months," they wrote.

Some blamed the theft on an apparent malicious Ethereum transaction the user had signed nearly three years prior. However, while a malicious transaction signature on Ethereum could explain the NFT thefts, it should not alone enable the theft of assets on the separate bitcoin blockchain.

Despite this, Ledger blamed its customer, telling a media outlet that "As we know, the user got phished when it comes to the ETH wallet, we can assume user error on the BTC side too".

Clober gets clobbered

Clober, a DEX built on Coinbase's Base Ethereum layer-2, suffered an exploit only about a week after its launch. A re-entrancy bug in the project allowed an attacker to siphon 133.7 ETH (~$501,000) from the project. Although the project boasted of audits, Clober had made changes to a contract after the audits that introduced the vulnerability.

Clober has offered a 20% "bug bounty" to the exploiter vi on-chain message, though they have not yet received any public reply.

Clipper DEX suffers $450,000 hack

The Clipper decentralized exchange suffered a $450,000 exploit across two Ethereum layer-2 chains. Although some speculated that the issue may have been a private key leak, Clipper denied this, and instead said that an attacker had exploited a feature allowing people to make withdrawals denominated in a single token by performing swaps along with the withdrawal.

Although the $450,000 theft is relatively small compared to some other crypto hacks, it represented around 6% of the total value locked on Clipper. Clipper stated they were working to trace and attempt to recover funds, and asked the hacker to contact them to potentially negotiate a return of some funds.

DeltaPrime loses $4.8 million in second hack

The DeltaPrime defi protocol was hacked for the second time in two months, losing $4.8 million in Arbitrum and Avalanche tokens. The attacker appeared to have exploited a flaw in one of the platform's smart contracts that enabled them to borrow more than they put up in collateral.

DeltaPrime paused the protocol on both Arbitrum and Avalanche, stopping the attacker from being able to steal more funds than they already had.

DeltaPrime was hacked previously on September 16, losing $6 million after a leaked private key enabled an attacker to mint a huge number of the platform's stablecoin deposit receipts.

Trader reveals he lost $28 million to bad copy-paste

After apparently exhausting all his other options, a trader has put out a call to "all skilled hackers and white hats out there" to help him recover 7,912 Renzo staked ETH (ezETH) he inadvertently sent to an inaccessible address back in June. The tokens were priced at a little over $28 million at the time, and are currently priced at a little less than $26 million. According to the trader, he copied the wrong address to his clipboard before making the trade, which rendered his funds permanently inaccessible.

Short of finding a vulnerability in Renzo, the trader's only real choice is to plead with Renzo to change their smart contract in such a way as to release the funds. While this is technically possible, Renzo has told the trader they could not grant his request due to "regulatory limitations".

CoinPoker exploited for $2 million

Crypto-powered poker website CoinPoker was apparently exploited for around $2 million when an attacker was able to compromise a hot wallet controlled by the platform. The attacker then laundered most of the funds through the Tornado Cash mixer.

The platform sent a message to the exploiter attempting to negotiate a return of some of the funds.

M2 cryptocurrency exchange hacked for $13.7 million

The UAE-based M2 cryptocurrency exchange was hacked for $13.7 million in bitcoin, ether, and Solana tokens. The exploiter compromised several of the exchange's hot wallets to take the funds.

Shortly after the theft, M2 acknowledged the hack and announced that "the situation has been fully resolved". This apparently involved M2 restoring customer funds from their own assets, rather than recovering the stolen assets.

Sunray Finance hacked for $2.7 million

A perpetuals trading platform called Sunray Finance was hacked on October 30 by an attacker who was able to upgrade a smart contract used by the protocol. They then were able to mint a massive number of the protocol's SUN token — 200 sextillion, to be precise. Then, they cashed out what they were able to, crashing the SUN token price in the process. Ultimately, the attacker made off with about $2.1 million of the Tether stablecoin.

In the process of selling off tokens, an arbitrage bot was able to take advantage of the price difference by selling the rapidly crashing SUN token into a second liquidity pool that apparently went unnoticed by the hacker, and the bot operator also profited around $560,000.

$20 million moved from US government wallet in possible theft

More than $20 million in stablecoins and Ethereum were transferred from a wallet identified as belonging to the US government, and holding funds connected to the 2016 hack of the Bitfinex cryptocurrency exchange. While the government does occasionally shuffle cryptocurrency around, these funds were moved to a brand new wallet and then began to be shuffled through cryptocurrency exchanges — something that crypto sleuth zachxbt noted "looks nefarious".

The government has not made any statements regarding the movement of assets.

The following day, $19.3 million in tokens were returned to the original wallet.

No JavaScript? That's cool too! Check out the Web 1.0 version of the site to see more entries.