"Animate your Bored Ape" scammers linked to more phishing attacks amounting to more than $2.5 million

Screenshot of an Instagram post promising to animate users' Bored Ape NFTs. Text reads "Wanna turn your Ape or Mutant into a cool GIF? - High quality - All attributes working - Only gas fees to pay (50$) boredapeyachtclub.github.io (LINK IN BIO) PM @exyt to get gas fees refunded!"Screenshot of an Instagram post promising to animate users' Bored Ape NFTs (attribution)
Crypto sleuth zachxbt has uncovered a French scam duo, Mathys and Camille, who he believes were behind the March "turn your BAYC animated" phishing scam in which they stole a collector's Bored Ape NFT and flipped it for 264 ETH (at the time worth $764,000). He has also tied them to four other Bored Ape holders who fell victim to fake "animator" phishing schemes that also stole pricey NFTs including Doodles and Mutant Apes. Among them, they lost NFTs collectively valued at $1.7 million. In his investigation, zachxbt also uncovered other crypto wallets that appeared to contain proceeds from other phishing scams, totaling around 497 ETH (~$851,000). "Undoubtedly there is more to uncover, but there is only so much that can be tracked through Tornado Cash," he wrote.

Tornado Cash added to U.S. sanctions list

The U.S. Office of Foreign Assets Control (OFAC) added Tornado Cash to its SDN list: a list of "Specially Designated Nationals And Blocked Persons" with whom U.S. individuals and organizations are prohibited from doing business.

Tornado Cash is the most prominent cryptocurrency tumbler (or "mixer") and has been used in a multitude of instances to launder proceeds from cryptocurrency hacks and scams. In a press release, the Treasury Department named the North Korea-sponsored Lazarus Group's $625 million hack of Axie Infinity in March, the $100 million theft from Horizon Bridge in June, and the $190 million hack of the Nomad bridge in August as contributing to the decision.

Although Tornado Cash had claimed to be complying with sanctions in the wake of the Axie hack, the Treasury Department wrote in their press release that, "Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks".

Tornado Cash is also widely used to maintain privacy in a world where transactions are publicly visible, and it remains to be seen how the cryptocurrency ecosystem will react to this major development. Tornado Cash is also relatively decentralized in its operations, meaning it may be difficult for the sanctions list to be kept up to date and for the sanctions to be enforced.

The fallout from the sanction was swift: in the days following the action, Tornado's source code repository was removed from Github and the accounts of some of its developers were suspended; the project's Gitcoin funding page was taken down; and the project's own website, governance pages, and Discord server went offline.

Bitcoin mining operation Riot Blockchain earns more money in July by not mining, effectively mines without paying for power

An aerial photo of large warehouse-style buildings, electricity infrastructure, and shipping containers on a large dirt plotRiot Blockchain's Rockdale, Texas facility (attribution)
The Bitcoin mining firm Riot Blockchain produced 318 BTC in July, valued at around $6.88 million, from its mining operations located in central Texas. The firm also received $9.5 million in power credits for switching off their power-hungry Bitcoin miners during all-time-high energy demands in a month where the state has been experience extreme heat waves.

A press release from Riot proudly announced that "Riot curtailed a total of 11,717 megawatt hours in July, enough to power 13,121 average homes for one month", as though it is acceptable that they are normally using this amount of electricity solely to churn out Bitcoins.

They also wrote that "When applied to anticipated power costs for the month, the power credits and other benefits are expected to effectively eliminate Riot’s power costs for July"—meaning that Texas residents are effectively subsidizing the cost of Bitcoin mining whether they like it or not. Meanwhile, the Texas Tribune and The Dallas Morning News report that many Texans are paying 50–70% more for electricity than this time last year.

Hodlnaut halts withdrawals

Crypto lending firm Hodlnaut announced they would be suspending withdrawals "due to recent market conditions". They also announced they would be withdrawing their license application with the Monetary Authority of Singapore, and that "Hodlnaut is therefore no longer providing regulated digital payment token (DPT) services, ie our token swap feature. For the avoidance of doubt, Hodlnaut will also cease all borrowing and lending services."

In an FAQ attached to the announcement, Hodlnaut told users that "it will not be a short process" to re-enable withdrawals and token swaps.

No one wants to admit to owning the WazirX crypto exchange

Tweet by Nischal Shetty, quote-tweeting a tweet by Changpeng Zhao.

CZ tweet reads: Sad that these have to be debated on Twitter:
Binance provides wallet services for WazirX.
WazirX domain is transferred to our control.
We were given a shared access to an AWS account.
We could shutdown WazirX. But we can't, because.. 1/2

Shetty's tweet reads:'We could shut down WazirX' - Proves you have control
'Shared access of AWS' - You have ROOT access of AWS! Anyone with root access controls AWS
'WazirX domain transferred to our control' - Good to see you confirm that
Only control now is Zanmai, why are you not taking it?Tweet by WazirX founder Nischal Shetty (attribution)
After India froze the assets of the WazirX cryptocurrency exchange due to suspicions they were enabling money laundering, suddenly no one wants to admit to operating it.

Despite a 2019 blog post by Binance titled, "Binance Acquires India’s Leading Digital Asset Platform WazirX to Launch Multiple Fiat-to-Crypto Gateways", Binance CEO Changpeng Zhao ("CZ") tweeted that "Binance does not own any equity in Zanmai Labs, the entity operating WazirX", and that besides wallet services and an off-chain transaction integration, "WazirX is responsible all other aspects of the WazirX exchange". These statements were disputed by Nischal Shetty, the founder of WazirX, who stated in no uncertain terms that WazirX was acquired by Binance. "Binance owns WazirX domain name. Binance has root access of AWS servers. Binance has all the Crypto assets. Binance has all the Crypto profits", Shetty wrote on Twitter.

Brand new Dragoma "move-to-earn" game rug pulls for around $3.5 million

An illustration of a purple dragon with white spikes all around its head, perched on the text "Dragoma" in blue all caps. Underneath that it says "Dragoma Web 3.0" in white text. In the background is an illustrated scene of trees and sky.Dragoma promotional image (attribution)
The Polygon-based Dragoma app promised to be a new move-to-earn game, the term for a category of web3 apps that promise to reward people in tokens when they exercise. This particular app promised to be a dragon-themed "adventure game" where users could hatch dragon eggs by walking 500 meters a day (about 1/3 of a mile) for 40 days.

The project launched only days before it rug pulled. On August 7, the $DMA token dropped in price over 99% as funds were removed from the project and moved to exchanges. According to CoinDesk, around $3.5 million was taken. The project's website, Telegram channel, and Twitter accounts were all taken offline.

Someone makes NFTs out of photographs from the Xinjiang Victims Database

A 3D rendering of a man, standing in a T-pose and pictured from above his head. The rendering itself is shown on what appears to be a polaroid-style photograph inside a black plastic sleeve with stickers on itMade in Uyghur NFT (blurring added by W3IGG) (attribution)
The Xinjiang Victims Database is a database that aims to collect records on ethnic minority citizens in China's Xinjiang Uyghur Autonomous Region who have been imprisoned in concentration camps as a part of the Uyghur genocide. According to the project, "The goal of this database consists in documenting the aforementioned individuals, so as to both protect them now and hold the Chinese authorities accountable later."

Someone apparently decided this was perfect material for an NFT project, which they named "Made In Uyghur". They took 100 images from the database, clumsily projected them onto 3D-rendered human models in a T-pose, and listed them for $25 apiece.

Upon becoming aware of the NFTs, the Xinjiang Victims Database updated their site licensing to CC BY-NC, a Creative Commons license that forbids commercial reuse. "Commercial use of the data, including images of victims, is not okay", they wrote on Twitter, "[Made In Uyghur] never contacted us about this".

"Saxon James Musk" token developer rug pulls for around $442,000

Who could have predicted that the shitcoin named after one of Elon Musk's 16-year-old sons could turn out to be a scam? Well, besides the people who fell for previous rug pulls of tokens based on the Musk family, such as Baby Elon coin in June or the Baby Musk Coin in February...

The project developer suddenly sold off their share of the coin for around 1355 WBNB (~$442,000), sending the coin price plummeting by more than 68% as a result.

Beanstalk Farms comes back for round two after $182 million exploit

The algorithmic stablecoin project Beanstalk Farms suffered a devastating hack in April 2022, suffering $182 million in losses from a governance attack and flash loan exploit on the project. The project tried a fundraiser to restore the stolen money, but only raised $10 million.

Now, Beanstalk is re-launching, saying they've made changes to their governance model and security practices, and have received audits from two major firms.

In June, the project creator stated that "The thing about a system like Beanstalk is that it works until it doesn't. You can never actually know if it works, only that it has worked so far."

Hacker compromises wallet of Steven Galanis, CEO of Cameo app, stealing $231,000

An illustration of an ape with grey-brown fur, with heavily lidded eyes, wearing 3D glasses and a togaBored Ape #9012 (attribution)
A hacker compromised the wallet belonging to Steven Galanis, the CEO of Cameo, an app that allows people to pay various celebrities to record short messages for them. The hacker took 9,457 ApeCoin (~$69,000), 2.3 ETH (~$3,900), a Bored Ape NFT, three Otherside land plots, and other various NFTs. The hacker then flipped the Bored Ape for 77 ETH (~$131,000), and the other NFTs for a combined 16 ETH (~$27,000).

Galanis wrote on Twitter that he "Just got my Apple ID hacked". Although he didn't offer more details on how he had determined iCloud was to blame, it's likely he's referring to an attack vector where MetaMask automatically backs up users' seed phrases to iCloud unless it's disabled, meaning that a hacker who successfully accesses a person's iCloud account can also compromise any of their MetaMask wallets. The same type of attack saw a user lose $650,000 in April, and brought wider attention to the app's behavior.

No JavaScript? That's cool too! Check out the Web 1.0 version of the site to see more entries.