An anonymous source corresponding with TechCrunch claims that the total amount of cryptocurrency stolen is somewhere between $15 million and $20 million. The tipster also claimed that the hackers have the ability to gain access to any AT&T account via the AT&T employee portal; AT&T has denied this and instead claimed that "the bad actors used an API access."
AT&T customers suffer crypto wallet compromises reportedly totaling $15–$20 million
TechCrunch reported that attackers were able to gain access to AT&T email accounts which they then used to gain access to customers' cryptocurrency accounts. Various customers reported their accounts at exchanges including Coinbase and Gemini had been drained. One individual victim lost $134,000 from their Coinbase account.
"Rogue developers" make off with $1.82 million from Merlin
The brand new Merlin DEX had only just launched on the zkSync Ethereum layer-2, with a public token sale beginning on April 25. The following day, they suddenly asked users to revoke permissions to the project, saying they believed there was an exploit. They later wrote: "it is with deepest regret that we have to notify you of a major fault in the structural integrity and controls of the Merlin Platform. In the early hours of this morning the several members of the Back-End Team drained all of our Contracts."
The Merlin DEX had been audited by the CertiK security firm, which stated it was working with the remaining team members to try to trace the thieves. Meanwhile, they wrote that they would be working to compensate affected users.
Some didn't seem to buy the story that the theft was carried out by a few rogue developers, accusing the entire Merlin project team of rug-pulling.
CoinLoan suspends withdrawals
The Estonian crypto exchange CoinLoan announced they were immediately suspending all operations, including withdrawals. The action came after CoinLoan was declared insolvent by an Estonian court, which mandated they suspend activities pending permission from the court.
Protos speculated that the suspension could be related to Vauld, an exchange that collapsed last July. Vauld is rumored to have tens of millions of assets on CoinLoan.
The same day as Vauld's collapse, CoinLoan implemented a withdrawal limit of $5,000/day.
- Notice of restraint on disposition , Ametlikud Teadaanded
- "Did Vauld drive CoinLoan into court-ordered liquidation?", Protos
- "CoinLoan halts all withdrawals, user services", CryptoSlate
Binance cancels Voyager acquisition
After surmounting various obstacles to acquire the assets of the bankrupt Voyager Digital crypto lending firm, Binance.US abruptly backed out of the $1.3 billion deal.
Binance cited "hostile and uncertain regulatory climate" as its reason for calling off the acquisition. A recent lawsuit from the CFTC against Binance and its CEO Changpeng "CZ" Zhao likely contributed to the cancellation, as it seems clear that Binance is being increasingly scrutinized by US regulatory and law enforcement bodies.
The acquisition had been supported by a massive majority of Voyager creditors, who were looking forward to recovering 73% of their assets trapped on the platform. Now that number is uncertain, but likely to be a good deal lower. Attorneys for Voyager estimated the recovery now would likely be between 40 and 65%.
Ordinals Finance rug pulls for at least $1 million
Ordinals Finance was a short-lived project, emerging in late February with promises to help build out a defi ecosystem on the Bitcoin blockchain.
On April 24, the project developer withdrew 256 million OFI tokens and swapped them to ETH worth around $1 million. They then laundered the funds through the Tornado Cash crypto mixer. The project creator deleted the project's Twitter account and took down its website.
"First BRC-20 wallet" UniSat launches, is immediately exploited
Over on the Bitcoin blockchain, people are abuzz over the launch of "BRC-20": a similar concept to the ERC-20 token on Ethereum that allows people to create their own tokens. The standard, which first emerged in early March, is built atop the controversial Ordinals inscription technique that was developed in January. Coins including $ORDI, $PEPE, and $MEME have been created on a blockchain that previously only supported the Bitcoin token.
Not everything has gone smoothly, though. As developers rushed to release wallets to support these new tokens, the UniSat wallet claimed to be the first. However, shortly after it launched, the developers made the Chrome extension inaccessible. They later revealed that the code had contained a vulnerability that exposed it to double-spend attacks. "Currently, we have preliminary investigation results, and out of all 383 transactions, 70 transactions have been identified as affected," they wrote.
It's not yet clear how much was stolen, but the UniSat team promised to compensate affected users. They later tweeted that they had determined the identity of the thief, though the funds have not yet been returned.
€1.5 million stolen in celeb-backed French NFT rug pull that promised to make a movie called Plush
Around 770 people were convinced to spend a combined almost €1.5 million (~$1.66 million) on NFTs of teddy bears, which sold for around €1,250 each (~$1,380). Buyers were told they would become "co-producers" of the Plush animated film, which would star Kev Adams and other French comedians as voice actors. Adams led the promotion of the NFT project, along with a mysterious figure called "Fabi". Other French celebrities and influencers were also involved in touting the project, and Bella Thorne and Amaury Nolasco were listed on the site as "US voices" for the project.
The NFT buyers — er, "co-producers" — were promised credit in the film credits, voting rights on the script, and a split of 80% of the profits. "Although there is nothing guaranteed, on average, you will make six to seven times what you put in 24 months. Which is huge, when you think, you go to the Caisse d'Epargne, a traditional bank, and you make less than 1% in the year," said one promotional video.
A report from French investigative newspaper Mediapart discovered that the project was backed by a Dubai-registered company called "Illuminart", which played on confusion between its name and that of the France-based Universal Studios subsidiary Illumination. An Illuminart marketing campaign even used Illumination titles, such as The Lorax, Minions, and Despicable Me, and their box office proceeds to suggest Plush buyers were in for a 516% profit.
Meanwhile, the project has gone silent, and its Twitter account last posted in September 2022. NFTs are no longer offered for sale on the official project website, and Illuminart's business license has expired.
- "Nounours et cryptomonnaies à Dubaï : le mauvais film de Kev Adams", Mediapart (in French)
Kyiv Post alleges misappropriation of funds by Ukraine DAO
2,258 ETH (~$4.2 million at today's prices) was raised via the sale of an NFT of the Ukraine flag (attribution)Ukraine DAO is a project that emerged shortly after the Russian invasion of Ukraine, aiming to raise cryptocurrency funds to support Ukrainians. Despite the name, it is not a DAO in the typical sense where token holders have voting rights in the project. The initiative has raised millions in donations, and at least $5 million has gone to the Ukrainian government or legitimate charities. The group's website claims $7 million has been donated in total.
However, the Kyiv Post has recently been asking questions about the organization. Earlier in April, the newspaper published an article claiming that the group had fabricated its claims that it was supported by Ukrainian governmental bodies. Now, they've published another article claiming that at least $500,000–$700,000 of funds seem to have been misappropriated.
One point of contention has been that the organization claims that 100% of money raised is donated, but in reality the project leader Alona Shevchenko takes a $5,000/month salary. This led to a split between Shevchenko and Pussy Riot's Nadya Tolokonnikova, who had once been active in promoting Ukraine DAO.
The Kyiv Post has raised questions about other transactions from the Ukraine DAO wallet, which went to other leaders of the project, or to centralized exchanges.
Shevchenko a London-based Ukrainian, who has in the past led the FreeRossDAO — a project to raise funds to support Ross Ulbricht, the jailed creator of the crypto-powered darknet Silk Road marketplace. Shevchenko's most recent project is Iran DAO, which claims to support "Iran's women-led revolution".
Blur NFT platform bug allows old bids to be accepted
The Blur NFT marketplace appeared to become vulnerable to a bug in which old, canceled bids could still be accepted. This meant that people who had placed bids on NFTs when they were selling for higher prices, then canceled them, suddenly found those purchases going through — in some cases on NFTs that were selling for considerably less.
Blur disabled bid acceptance functionality while investigating the bug. Amusingly, this led people to begin placing huge bids they knew couldn't be accepted in order to farm Blur points, some kinds of which are awarded based on bids rather than purchases.
It's not clear how much money was lost due to the bug, but Blur cofounder "Pacman" announced that "any losses will be refunded once the issue is resolved".
Crypto researcher identifies massive wallet draining operation
Crypto researcher Tayvano posted a Twitter thread about a massive, mysterious wallet draining operation that has siphoned more than 5,000 ETH (~$9.88 million at today's prices) as well as other tokens and NFTs from wallets across more than eleven blockchains since December 2022. The operation appears to target more sophisticated crypto users, but the mechanism of attack is unclear. The researcher hypothesized that "someone has got themselves a fatty cache of data from 1+ yr ago & is methodically draining the keys as they parse them from the treasure trove", but emphasized that that was only speculation.