Scammer takes advantage of a platform's poor UX to steal several pricey Bored Ape NFTs

An illustration of a light yellow ape with lidded eyes with yellow irises, blowing a bubble of gum, wearing a red t-shirtBored Ape #1584 (attribution)
A trader who owned a Bored Ape and two Mutant Ape NFTs apparently reached a deal to trade them for three different Bored Ape NFTs. Because OpenSea doesn't support swapping NFTs directly, only buying and selling them for ETH, the traders used a less-known platform called KiwiSwap to do the trade. Like many platforms, KiwiSwap aims to help users spot faked NFTs by showing a "verified" badge — however, because the platform shows the badge overlaid on the NFT image, a scammer was able to create imitation Bored Apes that included the same checkmark as a part of the image, making them appear legitimate. KiwiSwap also does not include functionality that would allow a user to click through to verify the NFT is the one it claims to be.

When the user confirmed the transaction, they transferred their three pricey apes to the scammer, receiving three worthless ones in return. NFT trader 0xQuit estimated the loss at around $587,000.

Amidst rumors of market manipulation, Waves' USD-based "stablecoin" loses peg, drops to $0.82

A chart on CoinMarketCap showing USDN/USD. The price had been relatively stable at $1 for the entire three-month view, until suddenly dropping to around $0.80 on April 4Price chart showing USDN depeg (attribution)
The stablecoin belonging to the Waves protocol, "Neutrino dollar" (aka USDN), crashed nearly 20%, despite intending to maintain its 1:1 ratio to the US dollar. The volatility occurred amidst flying accusations on Twitter, where various people first accused the Waves team of manipulating the price of their own token and running a Ponzi scheme, and then Waves' CEO accused an outside trading firm of manipulating the $WAVES price and "organiz[ing] FUD campaigns to trigger panic selling".

User loses £55,000 (~$72,000) to Trezor phishing email

A black plastic rectangle that tapers towards the bottom. It has a "TREZOR" logo and a square screen displaying a lock icon.Trezor hardware wallet (attribution)
A Bitcoin holder using a Trezor hardware wallet fell victim to a phishing scam after attackers stole email lists from a third-party vendor use by Trezor. The user wrote on Reddit that they were "not paying attention and was on autopilot, just doing what it said. Was arguing with my gf via Telegram at the time... had not slept enough, was a bit hungover and was distracted" when they received the email.

The email in question appeared to be from Trezor, and claimed that users' funds were in jeopardy. It prompted them to download a new (fake) version of the Trezor wallet software, and when users entered their seed phrase to restore their wallet from a backup, it drained their crypto. "What a mug I am," wrote the affected user. "Had been building up my BTC for seven years and lost it in a few minutes' utter stupidity."

The Reddit post also included two follow-up edits, displaying the victim blaming that is common when users are hit with phishing scams and other attacks. The user wrote "Edit: yes I entered my keys, because I'm a twat Edit 2: a lot of people saying they'd never fall for it. I hope they're right."

Attack on Inverse Finance results in a $15.6 million loss

An attacker targeting the defi project Inverse Finance was able to manipulate the price oracle of INV/ETH, artificially inflating the apparent price of INV and allowing the attacker to borrow against it. The attacker was ultimately able to turn the borrowed DOLA, ETH, WBTC, and YFI tokens, priced at a total of around $15.6 million, into around 4300 ETH (priced at around $14.5 million). As of early April 2, the attacker had transferred 1,300 ETH (around $4.5 million) to a tumbler to make it more difficult to trace.

Taiwanese singer Jay Chou has Bored Ape stolen

An illustration of a grimacing ape with pink fur and diamond teeth wearing a colorful stunt jacket on an orange backgroundBAYC #3738 (attribution)
Taiwanese singer Jay Chou fell victim to an apparent phishing scam, in which a malicious actor transferred his pricey Bored Ape NFT to their own wallet. The scammer then flipped the NFT for sale on LooksRare for 130 ETH (~$425,000).

The theft prompted security researchers at Check Point Research to investigate what ended up being a serious bug in Rarible, where malicious NFTs could execute JavaScript and trick users into signing a contract that would then empty their wallets.

Class action lawsuit filed against "Let's Go Brandon" coin creators for alleged pump-and-dump

NASCAR driver poses standing against a racecar with American flag detailing, the domain "LGBcoin.io", and the number 68 painted on itBrandon Brown poses with LGB coin branded car before sponsorship deal is cancelled (attribution)
A class-action lawsuit filed by Missouri investor Eric De Ford claims that the people behind the pro-Trump "Let's Go Brandon" (LGB) memecoin misled investors about a NASCAR sponsorship deal and celebrity backing. LGB coin had nearly reached an agreement to be the primary sponsor for NASCAR driver Brandon Brown, but the sponsorship was axed by NASCAR shortly after LGB coin announced it. Regardless, those behind the coin allegedly continued to promote the coin as though the NASCAR sponsorship was in motion, even as the token value cratered. The lawsuit alleges that "Defendants pushed the LGB Tokens as a means of promoting the American dream, while simultaneously touting the prospects for LGB Tokens and the ability for investors to make significant returns from the LGB Tokens like other so-called 'meme coin' digital assets... In truth, Defendants cynically marketed the LGB Tokens to investors so that they could sell off their portion of the Float for a profit."

De Ford has named the LGB coin creators in the suit, as well as NASCAR, and promoters like Brandon Brown and Candace Owens.

Apparent scammers drop NFTs appearing to be from the Bored Ape Yacht Club project

3D-rendered piece of "land" crudely made from simple polygons, with block text reading "1x1" underneathFake BAYC land NFT (attribution)
An apparent scammer was able to create transactions that appeared as though they were coming from the smart contract belonging to the Bored Ape Yacht Club. OpenSea's UI doesn't differentiate these spoofed transfers from those that are actually coming from the project's contract, and so only users who carefully look at the transaction details can spot that the NFT is suspicious. "This is unfortunately just how the blockchain works", wrote gofannon.eth, the Director of Engineering for the company behind BAYC.

Whoever was behind these transactions airdropped fake NFTs purporting to be a part of an upcoming BAYC metaverse land project, sending them to owners of pricey NFTs and various NFT influencers. It's not clear whether the NFT can perform malicious actions, or if any individuals have been impacted by it if so. However, part of the scam appeared to be to try to entice other users hoping to get in on the next new BAYC project to fall for a phishing scam. Tracing the transactions back showed an OpenSea profile with a fake "verified" badge and a mint link to what appears to be a phishing website, which invites people to connect their wallets to supposedly mint their own BAYC land NFTs.

Discord servers of several big-name NFT projects including Bored Apes and Doodles are compromised

Another day, another Discord compromise — or in this case, many Discord compromises. Bored Apes wrote on their Twitter account in the early hours of the morning, "STAY SAFE. Do not mint anything from any Discord right now. A webhook in our Discord was briefly compromised. We caught it immediately but please know: we are not doing any April Fools stealth mints / airdrops etc. Other Discords are also being attacked right now."

Other Discords reported to be compromised include several other big-name projects including Doodles, which had previously endured a Discord compromise in late February. This particular compromise appeared to stem from a series of compromised Discord bots, including a very popular CAPTCHA bot used to fight spammers. It's unclear if anyone lost money to the fake links posted by seemingly-official Discord accounts, or how much, but these types of attacks often lure in at least some victims, and the higher-priced NFT projects like Bored Apes and Doodles enable scammers to ask for quite a lot of money without raising an eyebrow.

Nate Chastain, executive who was canned from OpenSea for alleged insider trading, creates a new NFT platform

Nate Chastain resigned from OpenSea at their request in September 2021 after it was discovered that he had allegedly been buying NFTs based on insider knowledge that they would be featured on the OpenSea front page, then reselling them at a profit. Fortunately for him, the crypto sphere is a great place for scammers and fraudsters to get second and third and fourth chances, and so Chastain is right back at NFTs with a new venture, "Oval". Oval is trying to raise a $3 million seed round and $30 million pre-money valuation, or a $7.5 million seed round and $50 million valuation, depending which pitch deck you look at.

Former Cosmic Cowgirls head community moderator accuses the project of rug-pulling

Illustration of a woman wearing a blue and pink cowboy hat, with blue hair, crying green tears, on a green backgroundCosmic Cowgirls #1128 (attribution)
The former head moderator of the Cosmic Cowgirls NFT project Discord, Esh, wrote on Twitter that that the project team had fired all moderators and scrapped all of their roadmaps. The previous roadmap had promised gamification, meetups, merchandise, comics, an animated series, and all sorts of other things, though no headway appeared to have been made on any of them. The team also removed around 300 ETH (a bit over $1 million) in funds from the project wallet.

The Cosmic Cowgirls team hit back with accusations against the head moderator, accusing him of falsifying allegations against the project out of anger at being fired along with the other moderators. The group also claimed that the funds had been moved for security and tax reasons, and sent a vaguely threatening message to the moderator in which they stated that he should "discontinue the spread of false information in attempts to harm us and the project" and "resolve [concerns] ... privately as the terms of our contract are still ongoing and applicable".

No JavaScript? That's cool too! Check out the Web 1.0 version of the site to see more entries.