Whoever was behind these transactions airdropped fake NFTs purporting to be a part of an upcoming BAYC metaverse land project, sending them to owners of pricey NFTs and various NFT influencers. It's not clear whether the NFT can perform malicious actions, or if any individuals have been impacted by it if so. However, part of the scam appeared to be to try to entice other users hoping to get in on the next new BAYC project to fall for a phishing scam. Tracing the transactions back showed an OpenSea profile with a fake "verified" badge and a mint link to what appears to be a phishing website, which invites people to connect their wallets to supposedly mint their own BAYC land NFTs.
Apparent scammers drop NFTs appearing to be from the Bored Ape Yacht Club project
An apparent scammer was able to create transactions that appeared as though they were coming from the smart contract belonging to the Bored Ape Yacht Club. OpenSea's UI doesn't differentiate these spoofed transfers from those that are actually coming from the project's contract, and so only users who carefully look at the transaction details can spot that the NFT is suspicious. "This is unfortunately just how the blockchain works", wrote gofannon.eth, the Director of Engineering for the company behind BAYC.
Discord servers of several big-name NFT projects including Bored Apes and Doodles are compromised
Another day, another Discord compromise — or in this case, many Discord compromises. Bored Apes wrote on their Twitter account in the early hours of the morning, "STAY SAFE. Do not mint anything from any Discord right now. A webhook in our Discord was briefly compromised. We caught it immediately but please know: we are not doing any April Fools stealth mints / airdrops etc. Other Discords are also being attacked right now."
Other Discords reported to be compromised include several other big-name projects including Doodles, which had previously endured a Discord compromise in late February. This particular compromise appeared to stem from a series of compromised Discord bots, including a very popular CAPTCHA bot used to fight spammers. It's unclear if anyone lost money to the fake links posted by seemingly-official Discord accounts, or how much, but these types of attacks often lure in at least some victims, and the higher-priced NFT projects like Bored Apes and Doodles enable scammers to ask for quite a lot of money without raising an eyebrow.
Nate Chastain, executive who was canned from OpenSea for alleged insider trading, creates a new NFT platform
Nate Chastain resigned from OpenSea at their request in September 2021 after it was discovered that he had allegedly been buying NFTs based on insider knowledge that they would be featured on the OpenSea front page, then reselling them at a profit. Fortunately for him, the crypto sphere is a great place for scammers and fraudsters to get second and third and fourth chances, and so Chastain is right back at NFTs with a new venture, "Oval". Oval is trying to raise a $3 million seed round and $30 million pre-money valuation, or a $7.5 million seed round and $50 million valuation, depending which pitch deck you look at.
Former Cosmic Cowgirls head community moderator accuses the project of rug-pulling
The former head moderator of the Cosmic Cowgirls NFT project Discord, Esh, wrote on Twitter that that the project team had fired all moderators and scrapped all of their roadmaps. The previous roadmap had promised gamification, meetups, merchandise, comics, an animated series, and all sorts of other things, though no headway appeared to have been made on any of them. The team also removed around 300 ETH (a bit over $1 million) in funds from the project wallet.
The Cosmic Cowgirls team hit back with accusations against the head moderator, accusing him of falsifying allegations against the project out of anger at being fired along with the other moderators. The group also claimed that the funds had been moved for security and tax reasons, and sent a vaguely threatening message to the moderator in which they stated that he should "discontinue the spread of false information in attempts to harm us and the project" and "resolve [concerns] ... privately as the terms of our contract are still ongoing and applicable".
Lending protocol Ola Finance is hacked for $3.6 million
Ola Finance is a lending protocol that allows others to create their own lending networks. It promises to allow users to create their own loan platforms where "assets can be listed without needing to pass cumbersome and expensive governance schemes or comply with numerous requirements (deep liquidity, high trading volumes, low volatility, etc.)"
One of their networks, built on top of the Fuse chain, was exploited for crypto assets priced at around $3.6 million. By taking advantage of a re-entrancy vulnerability, the attacker was able to take loans on the platform, then withdraw the collateral without paying back the loans. They then took the stolen assets and transferred them to the BNB and Ethereum chains, making them more difficult to recover.
Creator of apparent $21 million Bored Bunny rug pull miraculously resurfaces following DOJ action against a different rug pull
Many had written off the Bored Bunny NFT project (and its subsequent spin-off NFT collections) as a rug pull. After releasing several new NFT collections that appeared to be little more than cash grabs, each less popular than the last, the team behind the project grew increasingly distant until going silent for over a month. Meanwhile, the team had pocketed over $21 million, largely thanks to the popularity the project had drummed up through influencer promotions from the likes of Jake Paul and Floyd Mayweather (both of whom, incidentally, are facing separate class-action lawsuits alleging impropriety in their promotions of crypto projects).
Suddenly, the project creator resurfaced on March 29, with a tweet claiming that he had been absent for a month because he had been... reading emails. The team then announced they would be handing the project reins over to a community member, though there was no mention of the $21.1 million that had already been pocketed by the original team.
The unexpected return came only days after the U.S. Department of Justice announced charges against two perpetrators of a different NFT rug pull, in which they stated unequivocally that "the same rules apply to an investment in an NFT or a real estate development. You can't solicit funds for a business opportunity, abandon that business and abscond with money investors provided you."
Popular blockchain game Axie Infinity suffers a $625 million exploit, the largest in defi history
One of the most popular play-to-earn games, Axie Infinity, suffered an enormous hack to the Ronin network on which it runs. The project announced that a majority of Ronin validator nodes had been compromised — four belonging to the Sky Mavis company that builds Axie Infinity, and one belonging to the Axie DAO. After gaining control of the validators, they were able to approve malicious withdrawals of 173,600 ETH (about $600 million) and 25.5M USDC (a stablecoin, worth $25.5M). The $625 million loss was possibly the largest to date in the history of defi projects.
Sky Mavis announced that they had halted the Ronin Bridge and Katana DEX, and were making changes to their network to try to guard against future attacks. They also wrote that they were "working with law enforcement officials, forensic cryptographers, and our investors to make sure all funds are recovered or reimbursed".
Would-be collectors of new Pak NFTs lose thousands of dollars in gas fees on failed transactions
Collectors were excited for a chance to obtain NFTs from the artist Pak's upcoming collection, "Ash Chapter II: Metamorphosis". Pak is an extremely popular digital artist, and his newest collection boasted collaborators including Pussy Riot, Paris Hilton, and others.
Unfortunately, the drop did not go smoothly. Heavy botting caused gas fees to spike, and the project claimed there were issues with MetaMask's estimation of gas fees. Outside parties have suggested the issue was not with MetaMask, but rather with a poorly-implemented smart contract.
People wound up making transactions that ran out of gas before completing, meaning they lost their gas fees and did not successfully receive any NFTs. Others paid sufficient gas, but ran into other errors with the contract that meant they didn't get an NFT. The spiking gas fees meant some people lost a considerable amount of money — people reported failed transactions that cost them amounts ranging from 0.1 and 0.8 ETH (between $338 and $2,700). Some who did successfully receive NFTs also claimed to have lost value as a result of the rocky mint, which they said contributed to a lower-valued NFT.
manifold.xyz, the group behind the mint, reported that they planned to reimburse people who lost gas trying to mint NFTs. Some people seemed happy with this solution, while others were upset that they missed their chance to obtain an NFT they wanted as a result of the problems.
Artist for Andrew Yang's crypto lobbying DAO is offered $500 after being promised "a percentage" of revenue in a project that raised at least $790,000
In February, perennial political candidate Andrew Yang announced he had created "Lobby3", a DAO which he says will push for crypto-friendly regulation and "eradicate poverty". The website sports a cute illustration of a city, which was created by a group of artists, and which was also originally intended to be split into "puzzle pieces" to be minted as NFTs (though this apparently never came to pass).
One of the artists, Phillip Lietz, took to Twitter on March 28 to call out the group for the pittance he was offered for his work, posting screenshots of an email exchange he had had with a member of the project team. The emails show Lietz asking whether artists would receive compensation for their work, and a project team member replying: "Yes... any artist we select will receive a percentage of our revenue".
They went on to say that if they used his work, they would "negotiate a percentage of what we sell". The reply to Lietz's question about if there was a contract was: "No formal contract as we need to move fast, but I imagine this email would hold up in court as a written agreement if it ever came to that (it wouldn't! Andrew and I are men of our words!)" In a subsequent email, the team member wrote that they would "love to send you a Lobby3 Member token", and that "our artist commissions weren't huge, but [we] would love to send you $500 for your time and effort". Lietz replied to say that the DAO's NFT fundraising appeared to have raised at least $790,000, and that $500 was an unfair amount (although I suppose 0.06% is technically "a percentage"). The team member replied by basically negging Lietz, writing "Honestly, I didn't want to say this, but I will now mention: we weren't actually going to use your art in the project... but you seemed like a great guy and I wanted to throw you some cash and get you some exposure".
Anyway, nice job Andrew and team! Nothing says "eradicating poverty" and "empowering creatives" like paying them basically nothing.
Top Super Smash Bros. Ultimate player has his Twitter account hacked to shill NFTs
MkLeo, who is widely considered to be the best Smash Ultimate player in the world, had his 217,000-follower Twitter account hacked and repurposed for NFT shilling. The scammers changed his profile picture to a pink robot creature with green drool, and began posting tweets talking about his supposed collaboration with The Possessed NFT project. The link in the tweets went to a scam website that claimed to allow people to mint NFTs from the actual Possessed NFT project. It's not yet clear how many people fell for the malicious link, but MkLeo's Twitter account appeared to be back under his control later that evening.