Web3 is Going Just Great

The OFAC sanction was imposed due to 116,421 reported sanctions violations in which Bittrex failed to prevent people in Crimea, Cuba, Iran, Sudan, and Syria from using their service. In total, these prohibited individuals performed more than $263 million in transactions on the platform.

The FinCEN fine was imposed due to "willful violations" of the Bank Secrecy Act's requirements pertaining to anti-money laundering (AML) and suspicious activity reports.

On October 11, the QANX Bridge's deployer wallet was compromised thanks to the vanity address generator bug. Although QAN had not directly used the Profanity project to generate the address, they used a project called vanity-eth-gpu, which had derived its code from Profanity and so inherited the bug. QAN is a layer 1 blockchain that claims to be quantum-resistant.

The thief stole 1.44 billion QANX from QANX's BNB Chain bridge, which they traded for 3,090 BNB (~$837,000) and tumbled through Tornado Cash. One minute later, they drained 1.43 billion QANX from QANX's Ethereum bridge, traded it for 255.4 ETH (~$327,000), and tumbled it as well. In total, $1.16 million was cashed out via Tornado. News of the attack, and the attacker's sell-off, caused the QANX price to plummet by 94%.

The attacker still holds more than 1 million QANX, nominally worth $608,000. However, QAN withdrew liquidity for the project on Uniswap and Pancakeswap, which will make it more difficult for the attacker to sell off their remaining tokens.

This was the second theft affecting the QAN platform this year. In May, an attacker stole 4.4 million QANX, which they traded for 370 ETH (valued at ~$707,000 at the time).

Although CNN claimed in their shutdown announcement that "Vault was originally launched as a 6-week experiment", CNN had not mentioned that the project was an experiment that was expected to possibly end. As recently as last month, Vault had been teasing upcoming events scheduled around election day in November, and encouraging users to buy more Vault NFTs to access the upcoming drops.

As an apparent attempt to placate angry users worried that the value of their NFTs might drop, CNN promised to return "either FLOW tokens or stablecoins" for "roughly 20% of the original mint price". However, the project is built on the Flow blockchain, where users can only withdraw stablecoins $10 at a time — and with a $4 fee on each withdrawal. Some angry users in the project's Discord channel threatened legal action, claiming that CNN had rug pulled.

Yuga Labs is the company behind the Bored Apes NFTs and spinoff projects (Mutant Apes, and Bored Ape Kennel Club), and in March also acquired the blue-chip NFT collections CryptoPunks and Meebits.

A probe does not necessarily mean that Yuga has violated the law, but such an investigation could have major ramifications for the world of NFTs.

NFT trader Laszlo_btc went to swap his Bored Ape #8274 for another Bored Ape after reaching a deal with someone he met on Discord. He opened up Sudoswap to do the swap, but was tricked into trading his pricey NFT for a worthless NFT that was disguised to look like a Bored Ape. This is how Laszlo was scammed out of his first Bored Ape, which he'd only purchased three days prior, for 80 ETH (~$108,000). The scammer quickly flipped the NFT for around 70 ETH (~$92,000).

Realizing he'd been scammed, Laszlo went to revoke the permissions he'd granted in case he'd opened himself up to other thefts. However, instead of using the real permission revocation service Revoke.cash, he ended up using a phishing site: Revokecash.net. Only fifteen minutes after the first theft, six more Bored Apes were transferred out of his wallet.

Altogether, Laszlo had paid over $1.9 million for the collection of seven apes, which he purchased between January and October 2022. The priciest was Bored Ape #2951, which he bought for 173 ETH on May 1 — at the time, $490,000. The two sets of scammers quickly flipped all the NFTs, selling them for a total of $608,000.