Kronos trading firm suffers key breach
The cryptocurrency trading firm Kronos Research announced on Twitter that they had stopped trading while they investigated "unauthorized access of some of our API keys". They claimed that "potential losses are not a significant portion of our equity". They later confirmed the loss at around $26 million.
Network of fake Twitter accounts impersonating crypto security firms phish panicked victims
On the evening of November 14 I logged on to Twitter to notice that #OpenSeaHackAlert and related hashtags were trending. But they were trending not because OpenSea had truly been hacked, but because a huge network of fake accounts with usernames similar to those of PeckShield, CertiK, and zachxbt — well-known accounts that alert crypto traders to possible scams — were spamming the hashtag. Hoping to spark panic into crypto holders who had used the popular service, as well as other services like Uniswap which they were claiming were breached, the phishers shared links to sites that would supposedly help users revoke access to their wallets by those services, securing their assets. Instead, however, those malicious sites would drain the wallets.
According to researcher zachxbt, who himself was one of the impersonated, the scammers have stolen more than $300,000 in various assets using this technique.
This is not the first time such a technique has been used — a scammer attempted a similar, though less successful, scheme in April 2022. Scams like this take advantage of the poor UX in the crypto world for tracking and revoking wallet permissions that have been granted, requiring people to use third-party websites created for this purpose. Some of them are legitimate, but there are many malicious copies of these revocation sites that prey upon users who may be acting quickly in fear that their assets are at risk.
Wallet linked to Binance deployer loses $27 million in apparent hack
An attacker apparently stole $27 million in the Tether stablecoin from a wallet that had just withdrawn the funds from their Binance account. The hacker quickly converted the funds to evade attempts at freezing the stolen assets.
Crypto researcher zachxbt observed that the wallet targeted for the theft had in 2019 received a transfer from the Binance deployer, suggesting that the compromised wallet may have some ties to Binance itself.
CoinSpot exchange exploited
The Australian cryptocurrency exchange CoinSpot appears to have been hacked for around 1,283 ETH (~$2.4 million). In two separate transactions, the ETH was transferred out of CoinSpot's hot wallet, then bridged to Bitcoin via Thorchain and another bridge.
Balancer frontend compromised
Balancer issued an urgent warning to stop using its web interface, as it was evidently compromised by malicious actors who redirected the funds to themselves. Within 30 minutes of the tweeted warning, $240,000 had already been stolen.
This is the second theft from Balancer in a month, after it warned of a critical vulnerability on August 22, and that vulnerability was exploited for around $2 million several days later.
Magnate Finance rug pulls for over $5.2 million
Magnate Finance, a lending protocol built on the new Base layer-2 blockchain, rug pulled within hours of a warning from crypto sleuth zachxbt. Zachxbt had discovered that a wallet address used by Magnate Finance was directly linked to Solfire Finance, a project that rug pulled for almost $5 million in January 2022. He warned his followers in a tweet that the project "will likely exit scam in the near future."
Sure enough, within an hour of zachxbt's tweet, the project drained $5.2 million from the protocol and deleted its website and Telegram group.
According to zachxbt, the project also shared on-chain links to the March 2023 Kokomo Finance rug pull, which saw its perpetrators profit around $4.5 million.
Scammers target victims via web3 job search boards
Scammers are constantly coming up with creative new ways to pull off their scams, and the latest seems to be targeting web3-interested individuals via dedicated web3 jobs portals. One Twitter user described an experience in which he applied for a beta testing job for a play-to-earn crypto game, only to have his wallet drained when he downloaded what was supposed to be the game file, but was actually malware. He lost 875 ARB ($1,032), 60 OP ($140), and various other tokens.
"Jobless and a bit poorer, thanks guys!" he wrote. "You're passionate about its technology, you wanna be part of it. You DCA. You hodl. You do everything you can to do things right... you're passionate, love the space, the tech. The people. Your willingness to get a job in Web3 is enormous! I stand for on-chain values, and I wanna be a part of the wave!" he wrote in frustration, trying to explain how he'd gotten scammed. "The apparent legitimacy of these [web3 job listing] sites made me remove the 'watch out filter', and boom."
CoinsPaid hacked for $37.3 million
The CoinsPaid crypto payment platform, which provides payment services to various online casinos, reportedly suspended withdrawals under mysterious circumstances. The company later deleted a handful of tweets pertaining to the incident, which they ascribed to a "technical issue".
After prominent Bitcoiner Jameson Lopp tweeted that the issue "look[s] more like a hack", CoinsPaid replied "Our team is aware of the issue... Please wait for the official announcement on this topic." Crypto researcher zachxbt responded, "The issue is you got hacked by North Korea that's what lol", referencing the increasing suspicion that the Lazarus group may be behind the disruption. Sure enough, CoinsPaid later confirmed that they had been hacked for $37.3 million, and announced that they suspected the Lazarus Group was behind it.
Some have been speculating that there are connections between this incident and the $60 million hack of the Alphapo crypto payments processor on July 22. Alphapo also provided services to various online casinos. Indeed, there seem to be connections between Alphapo and CoinsPaid, and they may in fact be operated by the same people.
Scammer "Soup" makes more than $1 million through Discord hacks
A Canadian named Dan, who goes by "Soup" online, made more than $1 million through various phishing scams targeting Discord projects including those belonging to the Pika Protocol and Orbiter Finance. In one scam, he impersonated crypto journalist Luke Hamilton, trying to convince victims to join a fake Decrypt Discord server so he could steal their credentials.
Soup was exposed by crypto sleuth zachxbt, who also described how the scammer had spent some of his ill-gotten funds on exclusive Roblox items that sell for "high 5 figs".
Machi Big Brother sues zachxbt
Crypto personality and creator of C.R.E.A.M. Finance Jeffrey Huang, aka "Machi Big Brother", has filed a defamation lawsuit against crypto sleuth zachxbt. Huang alleges that zachxbt has defamed Huang with false claims via a Medium article that accuses Huang of multiple pump-and-dump schemes that enriched Huang to the tune of 22,000 ETH (~$38 million at today's prices).
Huang is also annoyed at zachxbt's observations about the multiple hacks of C.R.E.A.M. Finance, which zachxbt wrote had been exploited three times "due to negligence". "Putting aside that Cream Finance was exploited two, not three times", Huang hilariously writes in the lawsuit, taking issue with the fact that zachxbt supposedly intentionally omitted that some funds were returned and that Huang claims to have been no longer involved with the project by that point. It's not made clear in the lawsuit which of the three hacks recorded on Web3 is Going Just Great — to the tune of $37.5 million (February 2021), $25–30 million (August 2021), and $130 million (October 27, 2021) — supposedly didn't happen.