First, the team sniped their own $CAT token launch to obtain 63% of the token supply, ultimately selling a portion of it for around $5 million. Then, they took out $2.3 million and $1 million long positions on the ORDI and ETHFI tokens, respectively. Finally, they posted from the compromised influencer account to shill the ORDI and ETHFI tokens to his massive following. Ultimately, their gambit doesn't appear to have been incredibly successful: they made around $34,000 on the ORDI position, but lost $3,500 on the ETHFI position. However, as zachxbt noted, it's possible they also opened positions on centralized exchanges where the outcomes aren't publicly visible.
Memecoin team accused of hacking influencer Twitter account to manipulate markets
According to crypto sleuth zachxbt, the team behind the Solana-based $CAT memecoin hacked the Twitter account of "Gigantic-Cassocked-Rebirth" (@GCRClassic) crypto influencer.
"Normie" memecoin plummets 99% after exploit
An attacker perpetrated a flash loan attack on the "Normie" memecoin on the Base layer-2 blockchain to drain millions of NORMIE tokens. The vulnerability was evidently discovered in March, but never patched.
Although the token claimed to have a market cap of $42 million, the attacker was only able to cash out around 224 wETH (~$882,000). However, the losses to some holders of the token were much more substantial. One individual had put around $1.16 million into $NORMIE, and those holdings are now priced at around $150.
The attacker has been negotiating the possible return of funds to the project team, who has expressed interest in relaunching the token.
Caitlyn Jenner launches memecoin amid deepfake confusion
Olympic athlete-turned-Trumpworld media personality Caitlyn Jenner has confused many by apparently launching a memecoin on pump.fun and heavily promoting it on her Twitter account with more than 3 million followers. Her original post featured a photo of her grasping hands with Donald Trump, with the text "make america great again!!! đșđž and we love crypto!".
At first, people widely believed her account had been hacked, given how frequently celebrity token promotions turn out to be compromised Twitter accounts. Then, she began joining Twitter spaces and posting videos about the token, but with the emergence of more and more convincing deepfakes, even those didn't convince people that it was truly Jenner behind the token.
Despite the confusion â or perhaps because of it â the token has been popular.
The token launch was linked to Sahil Arora, a person allegedly connected to multiple celebrity rug pulls and pump-and-dumps. However, Jenner quickly turned on Arora shortly after the token's launch, posting on Twitter "FUCK SAHIL! He scammed us! BIG TIME!" and that "Sahil appears to be fully out".
Jenner is not the first in her family to get mixed up with crypto. In October 2023, her stepdaughter Kim Kardashian was fined over $1 million for unlawful touting of a crypto security.
Gala Games suffers $21 million hack
Someone was able to mint 5 billion $GALA tokens, the native token of the Gala Games blockchain gaming project. The tokens would be notionally worth around $200 million based on their paper value, although such a massive amount wouldn't be sellable without impacting the token price. Furthermore, the Gala Games team was able to add the attacker's address to a blocklist shortly after the theft a few hours after the attack began, preventing them from swapping more of the tokens.
Altogether, the attacker was able to swap around $21 million of the GALA tokens into ETH before the address was frozen.
The attacker was able to perform the exploit because they had access to a wallet with admin access to the Gala Games smart contract. It's not clear if the attacker is a rogue employee, or if an admin wallet was compromised.
As of writing, Gala Games has not publicly acknowledged the attack.
- Thief wallet on Etherscan [archive]
- Tweet by 0xQuit [archive]
Crypto scam money launderers charged for laundering more than $73 million through Deltec
Two people were charged in California for laundering money obtained from cryptocurrency and fiat "pig butchering" scams. After receiving the money from the investment scammers, the launderers then allegedly helped to obfuscate at least $73 million in transactions by moving the money through Deltec Bank in The Bahamas and converting it into the Tether stablecoin.
Deltec is a well-known bank in the cryptocurrency world, mostly for its ties to Tether and to FTX. In July 2023, US authorities seized tens of millions from Deltec accounts in connection to a cryptocurrency money laundering investigation. It's not clear if that was the same investigation.
"Crypto King" Aiden Pleterski arrested
Aiden Pleterski, a 25-year-old who goes by "Crypto King", has finally been arrested and charged with fraud and money laundering. In 2022, he was sued by a group of investors who have lost at least CA$41.5 million (~US$30.5 million) they entrusted to him to invest on their behalf. He had promised massive profits, and told them that any losses on their initial investments would be repaid in full. A judge froze his assets in July 2022, and the court ordered him and his company into bankruptcy the following month. The bankruptcy proceedings have so far recovered around CA$3 million (US$2.2 million).
Investigators for the bankruptcy proceedings found that Pleterski had invested less than 2% of customer funds. Around $16 million instead went to personal expenses, including luxury cars, a $45,000-a-month lakefront mansion, private jets, and vacations.
Even after being sued, filing for bankruptcy, and being kidnapped and beaten by angry investors, Pleterski flaunted his supposed wealth online. Much to the indignation of the creditors in his bankruptcy, he has continued to regularly livestream himself gambling for hours, spending $150,000 on Legos, and driving luxury cars.
Pleterski was released the same day he was arrested, thanks to a CA$100,000 (~US$75,000) surety bond posted by his parents.
Pump.fun suffers $2 million loss to former employee who claims he wanted to "kill" the project for "inadvertently hurt[ing] people"
Pump.fun is a Solana-based memecoin generator that soared to popularity recently amid a resurgence in memecoin trading. On May 16, the project suffered a $2 million exploit by an attacker who then began airdropping the money to somewhat random wallets.
A former employee â whose real identity is known â brazenly took credit for the theft on Twitter. They wrote: "everybody be cool, this is a r o b b e r y. ... I'm about to change the course of history. n then rot in jail. am I sane? nah. am I well? v much not. do I want for anything? my mom raised from the dead n barring that: life without parole."
In a Twitter Spaces chat, the attacker stated that he had worked for the company briefly, and that he had grievances against its management. "I just kind of wanted to kill Pump.fun because it's something to do... It's inadvertently hurt people for a long time," he said.
Pump.fun paused trading shortly after the attack, and stated that they were "cooperating with relevant parties, including law enforcement, to minimize the damage." The attacker responded to the post: "Neener neener neener".
Brothers indicted for $25 million MEV bot exploit
Two brothers, Anton and James Peraire-Bueno, were indicted for a theft involving MEV â maximal extractable value. MEV involves previewing upcoming transactions on a blockchain and taking actions to extract additional profits â which can sometimes be substantial â based on that information.
According to the Justice Department, the Peraire-Buenos exploited a flaw in popular MEV software called "MEV-boost", which is used by most Ethereum validators. By creating their own validators and "bait transactions", they were able to trick MEV bots into proposing transactions involving illiquid cryptocurrencies, which the brothers then frontran. They were able to create false signatures that tricked a MEV-boost relay into releasing information about upcoming blocks that they were able to tamper with.
The brothers were charged with conspiracy to commit wire fraud, wire fraud, and conspiracy to commit money laundering, and face up to 20 years in prison for each charge.
The Justice Department is describing the case as a "first-of-its-kind manipulation of the Ethereum blockchain". The case is an interesting one, as some believe the practice of MEV itself exploits Ethereum users. Others believe anything you can do with code should be allowed â "code is law". However, by signing false transactions and tricking the relay into releasing private information, the brothers' actions do seem to go beyond simply making profits in a "code is law" Wild West, and into the realm of actual fraud.
- "Two Brothers Arrested for Attacking Ethereum Blockchain and Stealing $25M in Cryptocurrency", press release by the U.S. Department of Justice [archive]
$2 million stolen from ALEX's XLink bridge by bumbling exploiter
An attacker tried to pull off what could have been a ~$12 million heist from ALEX Lab's XLink bridge after a private key was compromised. However, the sloppy work by the attacker enabled an apparent whitehat hacker to step in.
The attacker was successfully able to transfer around 13.8 million STX (~$2 million) on the Stack BTC layer-2 chain. However, their attempts to steal assets notionally worth around $4.3 million from the project's BNB Chain implementation failed when they upgraded the project contract to a malicious version, but failed to prevent other people from calling the withdraw function. The attacker's first transactions to withdraw the funds themself failed, and an apparent whitehat hacker was able to step in and complete the withdrawal ahead of the exploiter. They later negotiated a deal for the funds' return, after offering a 10% "bounty".
The exploiter had also tried, and failed, to steal assets notionally worth around $5 million on the Ethereum blockchain, but failed to do so. ALEX Lab later announced they were able to recover or secure around $4.5 million of those assets. ALEX also later announced that they believed the attackers were part of the North Korean Lazarus Group.
Tornado Cash developer sentenced to more than five years imprisonment in the Netherlands
Alexey Pertsev, one of the developers of the Tornado Cash mixing service, was found guilty of money laundering and sentenced to 64 months imprisonment in the Netherlands. Prosecutors claimed that Pertsev knew the service was being used to launder money, but "chose not to intervene". They argued that, although the developers could not necessarily prevent bad actors from laundering money through the service directly, they could have done more to prevent people from using the web interface to wash funds from known criminal wallets.
The case is a concerning one, as sanctioning software developers for how the code they write is used â particularly when it comes to software intended to protect privacy â has frightening implications. Although there is some precedent in the United States that "code is speech", and merely writing and publishing code is protected by the First Amendment, that obviously does not apply to the Netherlands. A collaborator to Pertsev, Roman Storm, is set to be tried on charges of money laundering and sanctions violations in the United States in September, and that case is likely to grapple with this exact issue.