Kraken to suspend ACH transfers after Silvergate collapse
The Kraken cryptocurrency exchange announced to its users that it will be suspending ACH transfers on March 27, as a result of the collapse of its banking partner, Silvergate. Based on their communications, it sounds like they have been unsuccessful in finding a new banking provider since Silvergate's March 8 collapse, which will impact customers' abilities to perform bank transfers to and from the exchange.
SEC sends a Wells notice to Coinbase
The SEC sent Coinbase a Wells notice, which is basically their way of saying "we're about to file a complaint against you, here's your chance to convince us not to."
According to Coinbase, the Wells notice related to "aspects of the company's exchange, our staking service Coinbase Earn, and Coinbase Wallet". It's not terribly surprising that the SEC might have Coinbase Earn in its crosshairs, as it has recently taken action against similar products, such as Kraken's staking service. In the wake of the action against Kraken, Coinbase seemed to try to pre-empt SEC arguments by sending an email to customers emphasizing things like "You earn rewards from the protocol, not Coinbase". It doesn't look like this has shifted the SEC's thoughts much, though.
This should be an interesting saga to watch, partly because Coinbase has expressed willingness in the past to go head to head with the SEC.
Lindsay Lohan, Jake Paul, and other celebrities charged for illegally touting Justin Sun's tokens
Celebrities Lindsay Lohan, Jake Paul, Soulja Boy, Austin Mahone, Kendra Lust, Lil Yachty, Ne-Yo, and Akon were all charged by the SEC for violating anti-touting laws that would require them to disclose if and how much they were being paid to promote securities. The alleged securities in question are TRX and BTT, two tokens both closely tied to Justin Sun, who was also charged in relation to the scheme.
With the exception of Soulja Boy and Mahone, the celebrities paid a total of more than $400,000 in disgorgement, interest, and penalties to settle the charges without admitting or denying them.
Justin Sun charged with offering unregistered securities and market manipulation
His (former?) Excellency Justin Sun has been charged by the US Securities and Exchange Commission for offering unregistered securities. His businesses, the Tron Foundation and two BitTorrent-related entities, were also named in the complaint. According to the SEC, Sun offered the unregistered securities TRX and BTT, and "fraudulently manipulat[ed] the secondary market for TRX through extensive wash trading". He also allegedly "orchestrat[ed] a scheme to pay celebrities to tout TRX and BTT without disclosing their compensation".
Eight celebrities were also charged with violations of anti-touting law.
SpankPay payments service for sex workers shuts down
Despite people periodically claiming that crypto is a panacea for the many issues that make it difficult for sex workers to get paid, the SpankPay crypto-based payments processor is calling it quits after their payment processor Wyre decided they didn't want to work with them, because their payment processor Checkout.com didn't want to work with them. As it turns out, it's tough to use crypto for censorship-resistance when you still need dollars at the end of the day.
In a tweet announcing the shutdown, SpankPay reassured customers, "Rest assured your money is safe and we'll get it to you as soon as possible" — always a scary thing to hear from a crypto company.
It seems that only the payments processing side of the business is shutting down, with projects including SpankChain and SpankMatch continuing to operate.
General Bytes crypto ATMs exploited for over $1.6 million
The largest manufacturer of Bitcoin ATMs, General Bytes, disclosed that attackers had stolen more than $1.6 million by exploiting a vulnerability in their software. The company released a statement on March 18 disclosing the breach, and urging operators of their ATMs to immediately upgrade their software to patch the devices.
In addition to standalone servers, General Bytes' cloud service was impacted, and the company announced that it would be permanently shuttering it. "It is theoretically (and practically) impossible to secure a system granting access to multiple operators at the same time where some of them are bad actors," wrote the company in their statement explaining the decision, apparently unaware that this is something software companies find themselves doing all the time.
This exploit was the second breach suffered by General Bytes this year, after hackers exploited a vulnerability in August 2022 that allowed them to steal customer funds. It's unknown how much was stolen in that attack. The company also patched multiple hardware and software issues in their ATMs in September 2021, after Kraken Security Labs discovered issues including poor security practices that would allow attackers to "walk up to an ATM and compromise it".
- "General Bytes Bitcoin ATMs hacked using zero-day, $1.5M stolen", BleepingComputer
- "Hackers steal crypto from Bitcoin ATMs by exploiting zero-day bug", BleepingComputer
- "Kraken Security Labs Identifies Vulnerabilities In Commonly Used Bitcoin ATM", Kraken Security Labs
Thousands lose money to iEarn Bot crypto scam
According to a report by the BBC, a scam called iEarn Bot has impacted thousands of victims across multiple countries. In the scam, victims are convinced to sign up for an "AI intelligent quantitative trading robot" called iEarn Bot, which appears to successfully trade cryptocurrencies on their behalf. However, after a time, victims realize they are not able to withdraw their supposed earnings, nor the funds they've put in.
According to the BBC, dozens of high-profile individuals in Romania, including members of the government and academics, lost money to the scam after it was promoted by technology expert Gabriel Garais — who also says he lost money in the scheme.
iEarn Bot claims to be a US-based company, although its website is full of false information. The person named as the company's founder told the BBC he has nothing to do with the scheme, and companies and institutions listed as "strategic partners" say there is no such partnership.
The BBC identified one cryptocurrency wallet that received payments from around 13,000 others totaling nearly $1.3 million.
Thwarted hacker asks security firm to reimburse gas fees
File this one under "the audacity".
On March 17, blockchain security company BlockSec observed an attacker trying to exploit a vulnerability in the NFT lending project Paraspace. Although they had successfully identified a vulnerability that could have allowed them to steal 2,900 ETH (a bit over $5 million), their attempt to execute the hack failed because they didn't correctly estimate what it would cost them in gas fees.
After observing the attempt, BlockSec executed a whitehat rescue, where they successfully executed the same attack to remove the funds from Paraspace and secure them until they could return them to the project team.
Incredibly, the exploiter sent an on-chain message to BlockSec: "hey man, I am the one who made the contract you just copied, I couldn't make it work for a stupid gas estimation error. since I lost a lot of money trying to make it work, it would be cool to get at least some of them back... best of luck". Altogether, the would-be attacker spent around 0.7 ETH (~$1,200) on gas fees while trying to pull off the hack.
International group of law enforcement agencies shuts down ChipMixer
Law enforcement from the United States, Germany, and the European Union worked together to take down the ChipMixer cryptocurrency tumbler, which they allege had been used to launder $3 billion since 2017 related to "ransomware, darknet market, fraud, cryptocurrency heists and other hacking schemes". The US Department of Justice also charged an individual with money laundering, operating an unlicensed money transmitting business, and identity theft in connection with the project.
According to the US DOJ, ChipMixer had been used to process, among other things, proceeds of the massive March 2022 Axie Infinity hack by a North Korean cybercrime group.
US law enforcement seized two domains and a Github account tied to the organization, and German law enforcement seized ChipMixer's back-end servers and $46 million in cryptocurrency.
Phishers take advantage of fears surrounding the USDC de-peg
When USDC deviated from its dollar peg on March 10, phishers were quick to devise a scheme to take advantage of holders' fears. A group launched a website appearing to be the blog belonging to Circle, the company that backs USDC. On the fake blog, they announced a supposed defi exchange where users would be able to exchange their USDC for stablecoins like Tether.
Holders trying to use the exchange approved transactions which they didn't realize allowed the phishers to drain their ETH. So far, the scammers have stolen around 74 ETH ($130,500).