After zachxbt's investigation, BitBNS admitted that they had hidden the hack from customers. "Law enforcement advised us that the users should be educated about the incident only after the investigation is completed or reaches a dead end," said BitBNS CEO Guarav Dahake, who also said that some funds were ultimately recovered thanks to law enforcement and cooperation from other exchanges.
BitBNS discloses that they were hacked in February 2022, hid it as "system maintenance"
Friendsies NFT project rug pulls
After partnering with the renowned auction house Christies to sell nine early-access mint passes, the NFTs were launched in April 2022. Each one started minting at 3.33 ETH in a Dutch auction, which at the time was around $12,000. Now, the NFTs have been selling for around 0.01 ETH (~$17).
The project's social media accounts went dormant late in 2022. On February 21, 2023, the project announced that "As the project founders, we have decided that it would be best to put a pause on Friendsies and all future digital goods for the time being... However the volatility and challenges of the market have made it very difficult to move this project forward in a way we can be proud of. For now, we have decided that it's best to allow the space to further mature." Some who asked questions like "So no AI friendsies as promised in your roadmap? What's going on?" found themselves blocked, and shortly afterwards the project deleted its Twitter account.
After being called out by crypto sleuth zachxbt for rug-pulling, the Twitter account returned to insist that they were not rug-pulling, and that "we were overwhelmed with hate and threats". Some Friendsies holders also blamed crypto influencers who had promoted the project near the beginning.
Zachxbt reports phishing scammer "Loyalist" has stolen more than $4 million since early 2022
Although Loyalist had been largely inactive since October, shortly after zachxbt published his research in February 2023, Loyalist moved nearly $1 million in the DAI stablecoin out of one of the wallets identified by zachxbt.
Platypus Finance stablecoin exploited for $8.5 million ten days after launch
The exploit was a flash loan attack that allowed them to drain some protocol pools, also causing the stablecoin to lose its dollar peg and drop to around $0.48. A team member reported on the project's Discord that "all operations are paused until we get more clarity".
The following day, the project reported they had recovered $2.4 million of the stolen funds, and were working with crypto sleuth zachxbt, who had leads as to the hacker's identity. Later that month, Platypus announced that French police had arrested two suspects, who had tried to withdraw stolen funds through Binance — to whom they had submitted identification documents for KYC purposes.
3Commas finally owns up to API key leak
3Commas did not come off looking very good after this incident, after they spent weeks denying any breach and accusing those who were concerned 3Commas had been compromised of spreading misinformation and "FUD".
Researcher zachxbt wrote that he had verified 44 victims who had lost a combined $14.8 million due to the leak, although he acknowledged that this was only the number of people he could verify and that the total number of people affected was likely much higher.
Monkey Drainer steals dozens more NFTs, nets around $867,000
Monkey Drainer steals ~$1 million in 24 hours
Four NFTs valued at at least $150,000 stolen from Jason Falovitch
On September 25, Falovitch tweeted "I got hackled last night on Opensea. Apes, doodles, eth. It's not pretty." Four NFTs had been stolen from his wallet — two Doodles, and a Mutant and Bored Ape — along with 6 ETH (~$7,750). The Mutant and Bored Apes were both resold, for 15.99 ETH (~$20,700) and 82.69 ETH (~$107,000) respectively. Factoring in Doodle floor prices, the hacker is looking at at least $150,000 in profit.
The loss, however, is larger for Falovitch, who spent ~$377,000 on the four NFTs based on the price of ETH at the times of purchase. Falovitch tweeted after the hack, "Now I'm over $1M hacked in ETH and NFTs." It's not clear if he's referring to other wallets he may control that were compromised, previous hacks he's suffered, or if he's massively overestimating the value of the stolen NFTs. He also tweeted that he discovered his car was broken into as he went to drive to the police department to report the NFT thefts.
Well-known crypto researcher zachxbt, who is known for helping victims of wallet hacks recover their assets, tweeted to Falovitch: "Karma for all of the people you rekt with the scams promoted on your Instagram page. Definitely won't be tracking this one."
Vulnerability discovered in vanity wallet generator puts millions of dollars at risk
0xdeadbeef52aa79d383fd61266eaa68609b39038e
(beginning with deadbeef), or one with lots of 0s at the end, or some other address the user thinks looks cool.However, because of the way the Profanity tool generated addresses, researchers discovered that it was fairly easy to reverse the brute force method used to find the keys, allowing hackers to discover the private key for a wallet created with this method.
Attackers have already been exploiting the vulnerability, with one emptying $3.3 million from various vanity addresses. 1inch wrote in their blog post that "It's not a simple task, but at this point it looks like tens of millions of dollars in cryptocurrency could be stolen, if not hundreds of millions."
The maintainer of the Profanity tool removed the code from Github as a result of the vulnerability. Someone had raised a concern about the potential for such an exploit in January, but it had gone unaddressed as the tool was not being actively maintained.
Researcher zachxbt alleges that teenager who stole crypto worth $37 million in 2020 is responsible for a spate of crypto-related Twitter hacks
Now, crypto investigator zachxbt thinks the same individual is indirectly responsible for a slew of compromised Twitter accounts that have then been used to promote crypto scams, including those of Beeple, DeeKay, and others. According to zachxbt, he has been selling access to a Twitter admin panel, which allows employee-level access to Twitter tools. This might explain how many of the accounts were compromised despite being protected by multi-factor authentication. According to zachxbt, "It's still unclear as to how Redman gained access to the panel to make elevated requests & reset passwords. As of now it appears the method stopped working".