Attacker steals $3 million from Fortress Protocol

An attacker was able to steal 1,048 ETH (~$2.65 million) and 400,000 DAI from the Fortress Protocol borrowing and lending platform in what appears to have been an oracle manipulation attack. The attacker quickly moved their ~$3 million in stolen funds to the Tornado Cash cryptocurrency tumbler to obscure their tracks.

The exploit caused the $FTS token to drop 42%. The creators of Fortress urged people not to supply any assets to the pool as the attack was ongoing, and tweeted "we need the support of all of our partners and key organizations in the community to assist and try to freeze and bring back the funds!"

Cashera makes off with $90,000

Cashera was a project claiming to provide a "banking revolution" with its CSR crypto token. The project did many things to try to appear legitimate, including linking to government records showing a company with their name is registered in the UK and undergoing a smart contract audit by AuditRateTech. Their website boasted "partners" including VISA, PayPal, Netflix, and Spotify.

Despite all this, the project deployer suddenly minted 23 million CSR tokens, which they swapped for almost $90,000 in other assets, crashing the token value in the process by about 70%. The development team also took the project website offline.

Hunter defi project rug pulls for $1.2 million

Under the pretense of a contract upgrade, the Hunter defi project team drained the liquidity from the project, swapping the tokens for assets worth around $1.2 million. The team also took down the project website and closed the Discord server.

The rug pull was first noticed by CertiK, a blockchain security firm that had also audited the project. "We pointed out these major centralization issues in their audit," CertiK wrote on Twitter.

Fury of the Fur rug pulls for $300,000

A 3D model somewhat resembling a bear. Its surface appears to be diamond-embossed black leather, and it has a blue mohawk and is holding a black metal scepter.FuryTed #2597 (attribution)
The Fury of the Fur NFT project was a collection of 3D models that sort of resembled bears. The project advertised that the models were "metaverse and game-ready", and the roadmap promised a merchandise store, animated series, "sandbox hideout", and card game.

However, the NFT launch went poorly — fewer than 2,800 NFTs were minted out of the total supply of 9,671 NFTs. The project tried to relaunch but failed to drum up much more interest, so the creators apparently decided to call it quits — while keeping the money, of course. The project founder left a long message to the community, in which they said that they would be shutting the project and spoke at length about how difficult it had been for them.

Coinbase's new NFT marketplace hasn't had more than 200 transactions in a day since its public launch

Coinbase is a big name in the crypto exchange world, enjoying the highest trading volume in the United States. The company decided to enter the NFT trading space, first releasing an NFT marketplace to a small group of beta users, then opening it to the public on April 20.

Although the company claimed to have 3 million users on its waitlist, the public marketplace release has gone shockingly poorly given Coinbase's existing reputation. The platform has yet to see more than 200 transactions in a given day (compared to OpenSea, which regularly sees more than 100,000 transactions a day, or its smaller competitor LooksRare which sees more than 1,000 daily). Furthermore, the platform has only broken $50,000 in volume traded on five of the days it's been publicly available, with some days seeing only a few thousand dollars traded. OpenSea has been doing over $150 million in daily volume in that same time frame, and LooksRare around $100 million (though it should be noted that the prevalence of wash trading, particularly on LooksRare, makes these numbers hard to evaluate).

U.S. Treasury sanctions cryptocurrency tumbler Blender, the first sanction of its kind

The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) announced that they had sanctioned the North Korean cryptocurrency tumbler Blender.io. This was the first U.S. government sanction levied against a cryptocurrency tumbling service. Blender was used to launder more than $20.5 million of the $620 million stolen in March from the blockchain used by the play-to-earn game Axie Infinity. The U.S. government has alleged that the North Korean state-sponsored cybercrime group Lazarus was behind the hack.

The U.S. began sanctioning various wallet addresses belonging to the hackers in mid-April, though have faced obstacles given that it is trivial for the hackers to create new wallets. The use of cryptocurrency tumblers (also called "mixers") has also stymied the government's attempts to limit the DPRK's access to the ill-gotten funds. Blender is not the primary tumbler that Lazarus has been using — that would be Tornado Cash, which they have used to tumble more than $213 million from the hack. Tornado has taken perfunctory steps to comply with sanctions, but nothing that would meaningfully impact Lazarus' ability to use the service.

Someone hijacks a Ferrari domain to host scam NFT mint

A website with the URL forms.ferrari.com, showing the text "Mint your Ferrari! A collection of 4,458 horsepowered NFTs on the Ethereum network"Scam webpage (attribution)
Someone was able to gain control of a ferrari.com subdomain to create a scam NFT mint. Most scam NFT projects rely on eager NFT collectors not noticing a URL that isn't quite right — for example, something like ferrari-nft.com. This one was able to gain some additional legitimacy by using an actual ferrari.com subdomain. Additionally, Ferrari had recently announced an upcoming NFT project, making the scam project seem more plausible.

Sadly for the scammer, the scam was discovered and shut down when they had only managed to scam one person. The unsuspecting collector sent 0.3 ETH ($800), which the scammer transferred to Tornado Cash.

Day of Defeat project rug pulls for $1.35 million

The token associated with the Day of Defeat project, which describes itself as a "radical social experiment token mathematically designed to give holders 10,000,000X PRICE INCREASE" (🚩🚩🚩), suddenly dropped in value by more than 96% as the project rug pulled. More than $1.35 million worth of assets were drained from the BSC-based project and transferred to external wallets.

The project's website is one of the most absurd I've seen, promising that "all final holders will get 10,000,000x gains". Their project roadmap includes a "mystery plan" that results in a 1,000,000x price increase. Their FAQ states, "First of all, we promise that the team will not redeem the fund pool." Apparently projects based on pinky swears aren't great investments.

After the funds were drained, the project claimed that they had been compromised by an external actor, and had "reported to Binance and local authorities".

OpenSea Discord hacked

The OpenSea Discord server was compromised, allowing a scammer to post a seemingly-official announcement that OpenSea was partnering with YouTube on a line of NFTs. They urged people to act quickly to snag one of only 100 free NFTs that would offer "insane utility".

Given OpenSea's prominence, it's surprising that the hacker managed to obtain relatively few NFTs of much value. The wallet appeared to have successfully stolen only 13 NFTs, none of which were from high-value collections, that are worth a collective $20,000 if resold at the collections' floor prices.

OpenSea tweeted several messages acknowledging the hack and urging users not to click any links. They have not yet confirmed that they've conclusively re-secured their server.

"Double your money" scam using an old livestream of Elon Musk, Jack Dorsey, and Cathie Wood earns crypto scammers $1.3 million in 24 hours

A screenshot of a YouTube video, showing a panel with Elon Musk highlighted and three others speaking alongside. Around the video are a fake tweet from Musk and blocks of text advertising a "double your money" scam. The website URL has been blurred.Scam livestream (attribution)
Crypto scammers on YouTube rehosted a "live" panel discussion — actually from "The ₿ Word" conference in July 2021 — in which Elon Musk, Jack Dorsey, and Cathie Wood discussed "Bitcoin as a Tool for Economic Empowerment". The scammers added a frame around the video that advertised "giveaways" and "double your money" scam websites. The websites promised that if you sent cryptocurrency to the address, you would receive twice as much in return — a classic scam I remember from the Runescape days, which has also enjoyed success in crypto markets for years. The scammers inflated YouTube subscriber and active watcher numbers to add legitimacy to their streams, and some of them faked screenshots of tweets from Musk.

McAfee identified 26 scam websites that were linked from the YouTube livestreams, which altogether took in $1.3 million in Bitcoin and Ether in a 24 hour period.

No JavaScript? That's cool too! Check out the Web 1.0 version of the site to see more entries.