NBA player De'Aaron Fox ditches his NFT project after raking in $1.5 million

Image: A 3D fox wearing a black ball cap and purple basketball jersey reading "Swipa". His eyes are popping out like in a cartoon. Caption: Swipa The Fox #5784

Sacramento Kings player De'Aaron Fox announced his "SwipaTheFox" NFT project in mid-December, and the "high utility NFT collection" went live on January 15. The project roadmap promised a metaverse basketball court, a scholarship to a University of Kentucky student, and chances to win all-star game tickets, as well as "much more to come". The project had over 100,000 people in its Discord, and pulled in about 475 ETH (about $1.5 million at the time).

Suddenly, on February 23, the project deleted its social media accounts and most of its Discord. Fox wrote in the remaining Discord announcements channel that "The time and attention that y’all deserve and that I wanted to give you all/what this project requires, was not known to me and I overstepped and stretched myself too thin, trying to do this project in the middle of an NBA season." He promised to send anyone who bought more than five NFTs (which would have cost ~0.4 ETH, around $1,300, if bought at mint price) a signed jersey (available for purchase online for around $100).

The following day, after some attention was drawn to the rug pull, Fox released a Twitter statement that said basically nothing at all, and made no mention of reimbursing holders. Meanwhile, the floor price of the NFTs dropped to around 0.003 ETH ($8).

Seller withdraws Sotheby's CryptoPunks auction minutes before it's due to go live, likely due to "tepid" reception

Image: A pixel-art person with black bob-style hair and blue makeup around their eyes, on a blue background. Caption: CryptoPunk #1563

Two weeks prior, collector 0x650d announced that they would be partnering with the Sotheby's auction house to auction a single lot of 104 CryptoPunks. CryptoPunks are some of the earliest NFTs, and trade for hundreds and even thousands of ETH (equivalent to hundreds of thousands to millions of dollars). The collector wrote in a Twitter thread that they "simply could not pass up the opportunity to elevate CryptoPunks in the international art community. And with this sale, the CryptoPunk collection will be solidified in the broader art world." Media reports speculated that the auction would fetch as much as $30 million.

However, 0x650d withdrew the sale only minutes before the auction was due to start, tweeting only "nvm, decided to hodl". CoinDesk reported that, "Perhaps contributing to 0x650d’s reversal were rumors of a tepid reception for the CryptoPunks mega-lot. Three sources, including one bidder on-site at Sotheby’s, told CoinDesk that the highest pre-bid offer was $14 million, which was also the reserve price."

Journalist says she's been able to use chain analysis tools to discover the person behind the 2016 hack of The DAO

"The DAO", one of the first DAOs, was famously hacked in 2016, requiring a hard fork of the Ethereum blockchain to "undo" the breach. (So immutable!) Had Ethereum not forked, members of The DAO would have lost 3.6 million ETH—then worth around $50 million.

Journalist and researcher Laura Shin reported on February 22 that she had successfully used a forensics tool from Chainalysis to discover the identity of the hacker: Toby Hoenisch, a co-founder of the TenX "crypto debit card" project. Hoenisch refused to speak with Shin, and has denied the allegation.

For a technology that makes lofty promises of anonymity and privacy, increasingly powerful technology is being released that at least claims to be able to unwind crypto mixing and make other connections between wallets and transactions that were previously extremely difficult, if not next to impossible. I imagine there may be a few people behind various crypto crimes sweating a bit as these technologies progress and threaten to unmask those behind other hacks and scams.

Security researchers desperately try to contact Ocean Protocol about a critical security problem

Image: Screenshots of Kubernetes credentials and a shell connection, with sensitive credentials blurred out. Caption: Image from Bleckmann-Dreher's tweet

Ocean Protocol is a web3 project promising to help people "publish, discover, and consume data in a secure, privacy-preserving fashion". Recently, they've been promoting the ALGA defi wallet, a project created by an external development team called Data Whale. Security researcher Christopher Bleckmann-Dreher, also known as "schniggie", resorted to publicly replying to one of Ocean Protocol's promo tweets to try to get the group's attention on a security vulnerability he and his collaborator Daniel Matesic ("mtd_0x00") had discovered. The duo found Kubernetes infrastructure that appeared to be completely compromised, and were able to get a shell, call the underlying AWS metadata service, and more. When Bleckmann-Dreher tried to report the bug through Ocean Protocol's GitHub bug bounty program, he found it was retired. He also tried to contact the team via their security email address, Telegram, and Discord, but received no reply.

After Bleckmann-Dreher's attempts to contact the project were published on Web3 Is Going Great on February 26, Ocean Protocol's founder Bruce Pon commented to say they were "on it", and that he had alerted Data Whale about what appeared to be an issue in the ALGA project. Several hours later, Data Whale announced they would be taking the app offline due to concerns that there was a vulnerability, and that they had contacted the researchers. ALGA was later brought back online after they confirmed the vulnerability was not an issue with their project, but rather with Ocean Protocol itself. Pon acknowledged on February 27 that "there was a configuration issue on Ocean compute-to-data which is being fixed now", and later that day Ocean Protocol cut a new release of their operator engine which appeared to be a patch.

Coinbase CEO tries to weave a compelling story about how their own team came up with a Super Bowl ad that "broke the rules on marketing", is quickly revealed to just be taking credit for the work of an outside ad agency

Image: Two tweets. First by Brian Armstrong: "10/ I guess if there is a lesson here it is that constraints breed creativity, and that as founders you can empower your team to break the rules on marketing because you're not trying to impress your peers at AdWeek or wherever. No ad agency would have done this ad." Reply by Kristen Cavallo: "Except an ad agency did do that ad." Caption: Tweet by Armstrong, with reply from Cavallo

Coinbase CEO Brian Armstrong embarked on a 12-tweet-long thread congratulating Coinbase employees for coming up with the bouncing QR code Super Bowl ad. He wrote, "I guess if there is a lesson here it is that constraints breed creativity, and that as founders you can empower your team to break the rules on marketing because you're not trying to impress your peers at AdWeek or wherever. No ad agency would have done this ad."

Unfortunately for him, CEO of The Martin Agency Kristen Cavallo showed up with receipts: "It was actually inspired by presentations our agency showed your team on 8/18 (pages 19-24) and 10/7 (pages 11-18) with ad concepts for the Super Bowl with floating QR codes on a blank screen."

I guess if there is a lesson here it is that if you're going to take credit for someone else's idea to try to make your team sound good, maybe you shouldn't also use it as an opportunity to dunk on the people who actually came up with the idea.

Another pseudonymous defi project exec revealed to have a checkered past

Composable Finance is a company that makes infrastructure tools for defi. Until recently, their head of product has been known only as 0xbrainjar, and has operated pseudonymously. However, on February 18, the crypto detective zachxbt revealed his discovery that 0xbrainjar was actually Omar Zaki. Zaki was charged with fraud by the SEC in 2019 for misleading investors while operating an unregistered investment adviser and hedge fund. He ultimately settled the case for a $25,000 fine, and a three-year ban from working in the investment industry. Although I personally think it's reasonable not to describe anything crypto-related as an "investment", I'm curious how the SEC might feel about him working on defi projects.

On February 20, 0xbrainjar confirmed that he was indeed Zaki. He wrote, "I did this so that my efforts to build up a suite of products would not be shadowed by a mistake that I made in my past.... 0xbrainjar was a place for me to not be defined by this serious misstep (which has been settled and was amplified by the media)". He also wrote on Twitter that "I do not want a mistake in my youth to cloud all of the team's efforts", though the SEC charge was filed less than three years ago, when Zaki was 21.

Avalanche-based Atom Protocol rug pulls within a day of its launch, claiming a bug

Image: Tweet by Atom Protocol: "There is a problem/mistake in contracts, we can't do anything. We have to close the project, sorry" Caption: Tweet by Atom Protocol

Atom Protocol, a project built on the Avalanche blockchain (and not to be confused with the Atom/Cosmos project on Binance), rug pulled within a day of launching. The developers posted a tweet reading, "There is a problem/mistake in contracts, we can't do anything. We have to close the project, sorry". Shortly afterwards, they deleted their Twitter account and Discord.

Some users directed their anger at Assure DeFi, a project that claims to "privately verify the identity" of various projects. The group had reportedly verified the identities of those behind Atom Protocol, lending the project credibility to some who bought in. Assure later tweeted that "many people are still misunderstanding the role of KYC/verification. KYC is a deterrent and not a scam prevention and if anyone says otherwise they are misleading you."

Indian authorities arrest a group accused of $5 million cryptocurrency scam

Indian authorities arrested at least eleven people accused of running a cryptocurrency scam that drew ₹40 crore (around $5.3 million) from investors. The alleged ringleader, Nishid Wasnik, flaunted his luxury lifestyle to help convince investors to put money into his firm, which he said traded Ether. According to one official, "He manipulated the website of the firm to show a steady rise in the value of investments, while transferring money into his accounts fraudulently between 2017 and 2021". Wasnik is also facing outstanding cases, including two murder charges, and had been in hiding since March 2021.

Seventeen OpenSea users have their NFTs stolen and flipped for a total of $2.9 million by a phishing scammer

Panic erupted on February 19 as a few users saw their wallets emptied of valuable NFTs without knowing why, and many others feared the same could happen to them. Early explanations blamed a new contract that OpenSea had rolled out, or an airdrop from a new NFT marketplace called X2Y2. People urged NFT owners to revoke permissions for both the OpenSea contract and for X2Y2 until more was known, although one of the most popular websites helping people do so went down shortly after from the high traffic.

An hour and a half after users began to report missing NFTs, OpenSea finally acknowledged the issue. They tweeted that they were "actively investigating rumors of an exploit associated with OpenSea related smart contracts", and wrote that they believed it was a phishing attack coming from outside of OpenSea, rather than an issue with their contract. It was later determined that an attacker had successfully phished 17 OpenSea users into signing a malicious contract, which allowed the attacker to take the NFTs and then flip them. Bizarrely, the hacker returned some of the NFTs to their original owners, and one victim inexplicably received 50 ETH ($130,000) from the attacker as well as some of his stolen NFTs back. The attacker later transferred 1,115 ETH obtained from the attack, worth around $2.9 million, to a cryptocurrency tumbler.

Former owner of a reportedly stolen Bored Ape files million-dollar lawsuit against OpenSea

Image: An illustration of an ape wearing a blue bonnet, sunglasses, and black turtleneck, biting its lower lip. Caption: Bored Ape #3475

Businessman Timothy McKimmy is the former owner of Bored Ape #3475, an NFT he purchased in December for 55 ETH (then about $232,000). In a lawsuit against OpenSea, McKimmy alleged that on February 7, a "security vulnerability allowed an outside party to illegally enter through OpenSea's code and access Plaintiff's NFT wallet, in order to list and sell Plaintiff's Bored Ape at a literal fraction of the value". The Bored Ape was purchased for 0.01 ETH (about $30), then flipped by the alleged thief within hours for 98.9 ETH (a bit over $300,000). McKimmy alleges that OpenSea knew about the reported vulnerability, and failed in their duties to him as a customer by not informing customers of the issue, or shutting down the platform while it was reportedly vulnerable. The lawsuit further argues that because Bored Ape #3475 has a higher "rarity score" than the one supposedly purchased by Justin Bieber for 500 ETH ($1.3M) in January, the value of #3475 is "arguably in the millions of dollars and growing as each day passes". The lawsuit seeks "any and all damages to which [McKimmy] may be entitled, including the return of the Bored Ape, damages equivalent to the valuation of the Bored Ape, and/or monetary damages over $1,000,000."
