Supply chain attack stemming from JavaScript animation library results in losses for users of 1inch and other platforms

Attackers were able to inject malicious code into the popular "LottieFiles" JavaScript animations library. Visitors to websites using the library saw a prompt to connect their crypto wallets to what was ultimately a cryptocurrency wallet drainer. This affected some crypto platforms that used the library, including the 1inch decentralized exchange aggregator. One victim who connected their wallet suffered the loss of 10 BTC (~$723,000).

Other crypto platforms affected included TEN Finance and Movement. Because the animations library is widely used, other non-crypto-related websites also showed the prompt.

M2 cryptocurrency exchange hacked for $13.7 million

The UAE-based M2 cryptocurrency exchange was hacked for $13.7 million in bitcoin, ether, and Solana tokens. The exploiter compromised several of the exchange's hot wallets to take the funds.

Shortly after the theft, M2 acknowledged the hack and announced that "the situation has been fully resolved". This apparently involved M2 restoring customer funds from their own assets, rather than recovering the stolen assets.

Sunray Finance hacked for $2.7 million

A perpetuals trading platform called Sunray Finance was hacked on October 30 by an attacker who was able to upgrade a smart contract used by the protocol. They were then able to mint a massive number of the protocol's SUN token — 200 sextillion, to be precise. They then cashed out what they could, crashing the SUN token price in the process. Ultimately, the attacker made off with about $2.1 million of the Tether stablecoin.

In the process of selling off tokens, an arbitrage bot was able to take advantage of the price difference by selling the rapidly crashing SUN token into a second liquidity pool that apparently went unnoticed by the hacker, and the bot operator also profited around $560,000.

$20 million moved from US government wallet in possible theft

More than $20 million in stablecoins and Ethereum were transferred from a wallet identified as belonging to the US government, and holding funds connected to the 2016 hack of the Bitfinex cryptocurrency exchange. While the government does occasionally shuffle cryptocurrency around, these funds were moved to a brand new wallet and then began to be shuffled through cryptocurrency exchanges — something that crypto sleuth zachxbt noted "looks nefarious".

The government has not made any statements regarding the movement of assets.

The following day, $19.3 million in tokens were returned to the original wallet.

Sharpei memecoin rug pulls for $3.4 million

A dog-themed memecoin project called Sharpei abruptly cashed out $3.4 million, tanking the token price by more than 96% in seconds. The project had been promoted by crypto influencers, but hit a snag when a pitch deck for the project leaked. The deck contained multiple lies, including claims to have hired multiple "KOLs" who later denied involvement, and false claims of partnerships with various platforms and projects.

As the token price stuttered along with these revelations, insiders apparently decided to quit while they were ahead, and cashed out in a quick and coordinated sale.

Blockchain company Forte acquires games studios, demands secrecy, shuts them down

Sometime in 2023, blockchain firm Forte acquired game studios Phoenix Labs and Rumble Games. However, it would be a year before this came to light, because, according to a report from Game Developer, Forte demanded secrecy from employees. (Forte disputes this.) In both cases, some employees believed that Forte was funding their development, and did not find out until later that Forte owned the companies.

Both studios had several games in progress, and two of Phoenix Labs' games were explicitly designed for younger players. Developers reportedly voiced discomfort with incorporating blockchains into the games, which would mean selling digital items to children.

Later, Forte pulled the plug on several in-development games at both studios. Then, Forte shut down Rumble in 2024, laying off all employees. Forte also laid off over 100 people from Phoenix Labs that year.

Tapioca DAO exploited for most of its assets — over $4 million

The defi lending protocol Tapioca DAO was exploited after an attacker reportedly socially engineered the DAO's co-founder and gained access to their private key. The attacker then used their access to sell off TAP tokens, and to drain a stablecoin liquidity pool on the platform, netting around $4.4 million in USDC and ETH. The TAP token price subsequently crashed by around 96%.

Various security researchers have observed that the attack appears to be linked to a slew of social engineering attacks perpetrated by cybercriminals out of North Korea.

Radiant Capital exploited again, this time for at least $50 million

The cryptocurrency lending project Radiant Capital was hacked for the second time in under a year, this time for more than $50 million in the USDC stablecoin, wBNB, ETH, and other tokens. An attacker successfully gained access to three of eleven private keys controlling a multisignature wallet, which enabled them to upgrade the project's smart contracts in such a way as to drain funds.

This is the second Radiant Capital exploit this year, after a $4.5 million theft in January that was enabled by an unaddressed vulnerability in the underlying Compound Finance code.

Cosmos founder reveals a portion of the protocol was created by North Korean developers

Cosmos creator Jae Kwon has raised concerns about a portion of the Cosmos protocol called the "Liquid Staking Module" after learning it was developed by North Korean agents. Zaki Manian, a contributor to the protocol, learned of the developers' links to North Korea after being contacted by the FBI in March 2023, but Kwon claims that Manian ignored known flaws in their code, failed to fully audit it, and did not report the issue to the project team or the Cosmos community. According to Kwon, the code contained a vulnerability that would allow stakers to avoid having their stakes slashed, which "contradicts the fundamental principles of staking security."

Kwon urged the Cosmos governance team to perform a full audit of the code written by these developers, and develop more protocols to prevent issues like this going forward. He also called for the governance team to blacklist Zaki Manian.

Permit phisher steals almost $1.4 million in frog tokens

An attacker using the permit phishing technique stole $1.39 million in tokens from an unsuspecting holder. The victim unknowingly signed a "Permit2" signature — a function intended to make crypto transactions smoother and less expensive, but one that also makes it possible for malicious actors to completely drain crypto wallets.

The attacker stole around $1.1 million of the cartoon-frog-themed PEPE token, and roughly another $50,000 of the APU token, which is also themed on a cartoon frog.
