Attackers previously stored the malicious code on typical webhosting services, but those services began to take it down. Now, some have started using Binance's blockchain to store these payloads, taking advantage of the immutable nature of blockchains to prevent anyone from taking it down.
The de-peg occurred amid a "liquidity crunch" as holders rushed to redeem their USDR for the DAI stablecoin, draining the project of its DAI reserves. The team behind the project, TangibleDAO, issued a statement stating that "the real estate and digital assets backing USDR still exist and will be used to support redemptions." However, despite their insistence that the problem is just a liquidity issue rather than a solvency one, a dashboard on their own website showed that the stablecoin isn't fully backed and has a deficit of around $3.4 million.
In a related incident, a trader trying to swap their $131,350 in USDR for the USDC stablecoin lost every penny of it when their transaction was arbitraged by a MEV bot.
Platypus was quickly able to recover $575,000 from this latest hacker, thanks to a flaw in their attack. Later, they recovered all but $167,400 of the stolen funds after coming to an agreement with the attacker that they would not pursue legal action.
The FTC lawsuit focuses on Voyager's claims suggesting to customers that accounts with the lender were FDIC insured. That complaint also names Voyager as a defendant. Voyager settled with the FTC, agreeing to pay a $1.65 billion judgment that will be suspended until customers are repaid.
- "CFTC Charges Former Chief Executive Officer of Digital Asset Platform with Fraud in Massive Commodity Pool Scheme", CFTC press release [archive]
- "FTC Reaches Settlement with Crypto Company Voyager Digital; Charges Former Executive with Falsely Claiming Consumers' Deposits Were Insured by FDIC", FTC press release [archive]
- "CFTC and FTC sue former CEO of bankrupt crypto lender Voyager", BlockWorks [archive]
- "Voyager Ex-CEO Charged by U.S. Regulators With Fraud, Making False Claims", CoinDesk [archive]
Black Hole Token is a Chinese project built on BNB Chain, which promises an original mechanism that only goes up. "The more you sell, the more the price goes up", promises their website.
The team behind the FinSoul project was reportedly the same as the group who pulled off the much larger $31 million Fintoch exit scam in May. They used similar strategies, including using paid actors to pose as their executive team, to push the FinSoul scam.
They may now be discovering this was a bad idea, as an impending default on a $20 million loan from February 2022 threatens the platform with a possible $7 million loss.
The loan went to a fintech credit fund called Stratos, who in turn used the money for a risky real estate technology investment (now written down to zero), crypto investments of their own (not disclosed to Goldfinch, and sold at a "near full loss"), and other investments. Stratos is, awkwardly, an investor in Goldfinch, and Stratos' founder was an advisor.
This is not the first loan gone bad for Goldfinch, who suffered a loss when an African motorcycle taxi financing company used a $5 million loan to try to plug the hole in the finances of a sister company.
A commenter on the disclosure about the distressed loan wrote, "This is the second occurrence of a lack of transparency from a borrower or a lack of auditing capability from Goldfinch. We can all appreciate that Warbler Labs will backstop the loss, but it is increasingly worrying to discover a complete lack of control from the loan underwriter, especially in the context of Stratos being an equity investor in Goldfinch."
- "Real-World Asset Loan Worth $20M Sours on DeFi Platform Goldfinch, Bringing RWA Lending Under Scrutiny", CoinDesk [archive]
- "Update on Stratos Pool", post on Goldfinch governance forum [archive]
- "DeFi protocol Goldfinch aims to sever crypto's reliance on crypto", Axios
This is actually the second such lawsuit by the supermarket against the exchange, after the first was thrown out when defendants claimed that they had simply named the project after the co-founder's brother, Joe. However, shortly after the victory, a co-founder admitted on their blog that they "just named it Trader Joe, after the supermarket".
Trader Joe's is seeking all profits made by the exchange, plus damages and compensation for the failed lawsuit last year.
This isn't the first security breach to tarnish 3Commas' reputation. In October 2022, customers reported losing a significant amount of assets in what 3Commas first tried to blame on phishing websites resembling FTX. 3Commas months later owned up to the fact that their database had been compromised, and that API keys were leaked.