Megabot exit scams for almost $750,000

The Megabot project rug pulled, stealing $742,000 from those who bought in to the project's presale. The majority of the money — around $692,000 — was stolen on the Solana network.

Megabot had advertised itself as an AI trading bot that would earn users "up to 30% monthly". The team had promised that the bot would perform trades while "sidestepping potential risks such as honeypots, rugs, and slow rugs".

"No one will be able to rug you anymore", their website boasted. Ah, well.

Defunct BarnBridge reaches $1.7 million settlement with SEC

About six months after the SEC filed a complaint against the BarnBridge DAO, the group has agreed to disgorge almost $1.5 million in proceeds from their "SMART Yield bonds" — which the SEC also says attracted more than $509 million in investments. The two co-founders will also pay $125,000 each in civil penalties.

The SEC charged that the group had not registered their sale of the bonds as was required under US securities laws. BarnBridge shut down very shortly after the complaint was filed, without any input from its community, despite ostensibly being community governed.

Catalyx exchange ordered to freeze trading after theft

The Canadian Catalyx cryptocurrency exchange has frozen trading and halted withdrawals after an emergency order by the Alberta Securities Commission on December 21. Catalyx consented to the order.

Catalyx announced in a press release on December 28 that they had "recently discovered a security breach on the Platform in connection with the holding of crypto assets on behalf of clients. Management suspects that this security breach, which may involve an employee, has resulted in the loss of a portion of the crypto assets held by the Company on behalf of its clients".

Catalyx did not state how much had been stolen.

Qredo dumps CEO, raises emergency financing after burning through funding

Despite raising $80 million in February 2022 in a Series A round that saw the company valued at $460 million, the Qredo crypto custody platform just had to secure debt financing to keep the company afloat. Its lead investor also pushed to oust the company's CEO and COO, and shake up the board.

Qredo had already been forced to perform layoffs in September and then November, and in November was searching for a rescue after saying their user "activity ha[d] fallen" in the "prolonged cryptowinter".

On December 15, Qredo had also announced that they would be shutting down their Ankex trading platform, which was previously led by Michael Moro, who was previously booted as CEO from Genesis Trading.

New wallet drainer steals almost $60 million in 9 months

A new wallet drainer tool has stolen $58.98 million in cryptocurrency assets from more than 63,000 victims in the past nine months. People using the drainer software have pulled in victims by running ads on Twitter and through Google ads, employing various tricks to thwart ad reviewers trying to thwart malicious ads on their platforms.

Aurory bridge hacked for over $1 million

The Aurory gaming platform uses a bridge called SyncSpace to move assets between the blockchain and the game's off-chain network. On December 17, the bridge was targeted on Arbitrum's Camelot DEX, and an attacker successfully siphoned around 600,000 $AURY tokens from the liquidity pool. As a result, the pool went from around $1.5 million in liquidity to around $312,000, and the price of the $AURY token dropped 11% as the attacker sold it off in bulk.

The Aurory team posted on Twitter to acknowledge the hack, writing that they'd disabled SyncSpace as they investigated. They also wrote that SyncSpace had been audited months ago, but that the audit had failed to detect the vulnerability.

"Top tier" NFTs stolen in NFT Trader hack

A collage of Bored Apes, Mutant Apes, and World of Women NFTs stolen in the NFT Trader hackSome of the stolen NFTs (attribution)
Attackers exploited old smart contracts from the NFT Trader peer-to-peer NFT trading application to steal pricey NFTs, including at least 37 Bored Apes, 13 Mutant Apes, and NFTs from the VeeFriends and World of Women collections. Some ETH and APE tokens were also stolen. Altogether, the stolen NFTs are priced at around $3 million, though the hacker may not be able to liquidate them for that ammount.

One attacker claimed in on-chain messages that the original attack had been perpetrated by someone else, but that they were one of the many copycat attackers, describing themselves as someone who had "[come] here to pick up residual garbage". They requested victims send additional ETH to get their NFTs back. "If you want the monkey nft back, then you need to pay me a bouty, which is what I deserve", they wrote, asking for NFT holders to send them 10% of the Ape floor price.

Meanwhile, NFT holders were urged to revoke access to NFT Trader, since the platform seemed aware of the attack but unable to stop it. NFT Trader was ultimately able to thwart the attacker to stem additional bleeding, likely thanks to help from community members who pointed out a way the contract could be shut down.

Later, the "residual garbage" attacker returned 36 Bored Apes and 18 Mutant Apes after a Yuga Labs co-founder paid the 120 ETH (~$260,000) ransom.

SafeMoon files for bankruptcy

The company behind the SafeMoon cryptocurrency scam has filed for Chapter 7 bankruptcy. Screenshots circulated on Twitter of a letter to employees citing "a number of operational and financial challenges", likely referring to — oh, I don't know — maybe the whole criminal indictment against SafeMoon's founders and executives and simultaneous civil lawsuit from the SEC.

Although SafeMoon claimed to have created a token that would "safely go to the moon", executives allegedly siphoned millions of dollars of investor funds to spend on personal expenses including luxury cars and real estate.

In the bankruptcy filing, SafeMoon has claimed to have 50–99 creditors, between $10 and $50 million in estimated assets, and $100,000 to $500,000 in estimated liabilities.

Supply chain attack on Ledger puts much of defi at risk

A supply chain attack on the Ledger connector application has rippled throughout the world of decentralized apps, which widely use the software to enable people to connect their popular Ledger hardware wallets to perform transactions. Although hardware wallets are meant to be among the most secure ways to store crypto, they too are vulnerable to attacks when they are connected to perform transactions.

A hacker was able to obtain access to Ledger's source code management tool and push out a new release that contained code that would drain wallets as users connect them. Because the library is so widely used, many crypto applications were vulnerable — including Revoke.cash, a security-focused project intended to help people guard against attacks on their wallets.

CTO of the Sushi crypto project issued a broad warning: "Do not interact with ANY dApps until further notice." At least $600,000 has been drained from multiple users so far.

CoinList reaches $1.2 million settlement with OFAC over Russian sanction violations

The Californian cryptocurrency exchange CoinList has settled a lawsuit from the Treasury Departments Office of Foreign Assets Control (OFAC) for $1.2 million. OFAC charged CoinList for processing almost 1,000 transactions between April 2020 and May 2022 on behalf of residents of Crimea, a Ukrainian territory occupied by Russia in 2014 and sanctioned by the United States shortly after.

CoinList reportedly allowed 89 users to sign up for accounts on the platform, most of whom had stated that they were residents of Russia but provided addresses in Crimea.

No JavaScript? That's cool too! Check out the Web 1.0 version of the site to see more entries.