"SeaFlower" hacks target crypto users via backdoored iOS and Android crypto wallets

The Confiant security research group has discovered a group that is backdooring and distributing versions of legitimate crypto wallets including Coinbase Wallet, MetaMask, TokenPocket, and imToken. The hackers have created reverse-engineered versions of the crypto wallets that operate as designed, but also steal the user's seed phrase, later using it to drain the users' cryptocurrency.

The attackers have distributed the tampered applications through websites that clone the legitimate applications' websites. Through search engine poisoning, primarily via Chinese search engines like Baidu, the attackers have successfully gotten unsuspecting users to install the malicious programs.

Lido-staked Ether (stETH) loses peg

Lido-staked ETH is a project that offers to allow users to stake ETH for the purposes of securing it after the Ethereum "merge" (that is, the ever-delayed move to proof-of-stake). Although stETH is backed 1:1 with ETH, it's not very liquid aside from the primary liquidity on Curve. Huge sell-offs of stETH for ETH have been causing slippage in the Curve pool, which was off peg by around 5% and heavily imbalanced on June 12.

Crypto researcher Small Cap Scientist suggested on June 9 that the sell-offs may have been triggered by a "canary in the coal mine": a 50,000 stETH (nominally worth $45.8 million) sell-off by Alameda Research, a trading firm founded by Sam Bankman-Fried. SCS also reported that Celsius Network was "quickly running out of liquid funds to pay back their investors", and "they are taking massive loans" against "billions in illiquid positions" to pay back customers.

Celsius pauses all withdrawals

The Celsius platform announced that they would be pausing all withdrawals, swaps, and transfers due to "extreme market conditions".

There has been a lot of concern lately about Celsius' reserves and its ability to honor redemptions, with some speculating that the platform might be underwater and forced to default. Celsius released a blog post on June 7 titled, "Damn the Torpedoes, Full Speed Ahead" where they accused "vocal actors" of "spreading misinformation and confusion", and promised that "Celsius continues to process withdrawals without delay", and that "Celsius has the reserves (and more than enough ETH) to meet obligations".

Celsius' June 12 announcement did not include any details on what their plans would be, just that they hoped it would allow them to "stabilize liquidity and operations while we take steps to preserve and protect assets".

On June 14, the Wall Street Journal reported that Celsius had hired restructuring attorneys.

Offline Cash project finally gives the world what it really needs: physical digital physical cash

[Image: Offline Cash's Bitcoin Notes, a photo of hands holding colorful banknotes denominated in 10 (blue), 5 (red), 2 (green), and 1 (orange)]

Some crypto advocates have long promoted crypto as a proper digital equivalent to cash. Physical dollars have a lot of benefits, including that you don't need a bank account to use them and they provide a lot of privacy. Although bank transfers and apps like Venmo offer digital ways to transfer money, they typically require a bank account to use, and they leave a digital record of the transaction. Crypto advocates have long promised that crypto is a proper digital equivalent to cash, despite its own accessibility and privacy concerns.

Anyway, a project called Offline Cash has sprung up. In a stunning example of Poe's Law, the project seeks to provide a physical form of that digital physical cash people have spent so much time working on.

Hear me out: imagine you had paper notes that you could transfer to people in lieu of making a Bitcoin transaction! And unlike regular cash, it has an expiration date to keep track of!

Scammers compromise verified, 5-million-follower Twitter account for Venezuelan newspaper El Universal, use it to promote fake Goblintown site

[Image: Compromised Twitter account, a verified account showing the display name "goblintown.wtf" but a username of ElUniversal]

Scammers successfully compromised the Twitter account for El Universal, a Venezuelan newspaper. The account is verified, and has five million followers. The scammers used the account to promote "goblintowm" (note the m on the end), a fake website pretending to be the recently-popular Goblintown project. Users who connected their wallets to try to mint the free NFTs instead saw their wallets drained of their cryptocurrency and NFTs.

One of the wallets used by the scammers had stolen 64 NFTs, though most of them were low in value. The address had also pulled in 16.5 ETH (~$30,000). However, most scammers rotate wallets, and this likely doesn't reflect the total damage from the scam.

20 million Optimism tokens sent to nonexistent address, someone else snags them before they can be recovered

As the Ethereum scaling project Optimism worked to create the $OP token, a token they launched in a move towards decentralizing the project's governance, they decided to obtain a loan from a third party, Wintermute, to provide initial liquidity, in exchange for 20 million $OP. However, Wintermute mistakenly provided the wrong multi-sig wallet address to Optimism, and the 20 million tokens were sent to an address that had not yet been created. The teams attempted to deploy the multi-sig wallet address to retrieve the tokens, but another person noticed the blunder and was able to do so first.

Wintermute published a blog post taking responsibility for the error, and announced that they would "proceed to buy OP every time the attacker sells it to make the protocol whole eventually". So far the attacker has sold 1 million $OP for about $1 million USD.

Wintermute wrote that they were "open to see this as a white hat exploit", but if the funds were not returned within a week, they were "100% committed to returning all the funds, tracking the person(s) responsible for the exploit, fully doxxing them and delivering them to the corresponding juridical system".

Remarkably, the attacker returned 17 million of the tokens two days later, keeping 2 million as a "bounty". Wintermute agreed to reimburse the Optimism Foundation for the remaining 2 million $OP.

Players Only NFT project, founded by NBA players, rug pulls for $1.4 million

[Image: Player #4820, a 3D rendering of a football player running with a football, wearing a red uniform showing the number 13. He has a bald head and his tongue is sticking out.]

Crypto-sleuth zachxbt reported on June 8 that Players Only, an NFT project created by a group of NBA players including Michael Carter-Williams and Jerami Grant, appears to be a rug pull. The players used their star power to drum up interest in the project and its somewhat unsettling NFTs of various bobblehead-esque sports players. The project promised close involvement from the athletes who founded it, with a roadmap advertising autographed merchandise, real life and metaverse meetups with the players, and other giveaways.

Although the project team promised that "every single one of our holders will win something", the collectors were in for a lot of disappointment: players never showed up for events, Zoom meetups were never scheduled despite repeated requests, and merchandise was never sent. One person who was promised a signed jersey instead received a t-shirt, apparently devoid of any signature.

In mid-May, two project creators announced they would be "stepping back on the project as [they] cannot seem to please the community". The announcement broadly blamed the project's failures on "lack of interest" in the project. They said they would no longer be providing physical items, and would focus on "athlete utility", though in the time since then the project has remained similarly stagnant.

Collectors minted Players Only NFTs in early December for 0.08 ETH each (~$144). One NFT from the project has been sold on the secondary market in the last month, for 0.001 ETH (less than $2).

Baby Elon coin rug pulls for $179,000

The Baby Elon project on BNBChain rug pulled on June 8, with the token price plummeting 98% as the team withdrew 623 BNB (~$179,000) from the project. They quickly moved the funds to the Tornado Cash cryptocurrency tumbler.

The Baby Elon token is of course not to be confused with Baby Musk, a different BNB Chain-based, baby Elon Musk-themed memecoin that rug pulled in February after a $2 million ICO.

ApolloX exchange exploited for $1.5 million

The ApolloX exchange suffered an exploit where an attacker was able to withdraw around 40 million $APX, which they were able to swap for around $1.5 million. This also caused the $APX price to drop by more than 50%.

The exchange has announced plans to repurchase $APX to boost the price, so far spending $600,000 to do so.

Osmosis chain halted after bug leads to $5 million loss

The Osmosis chain was halted on June 8 after users discovered a bug where people could deposit money into Osmosis pools and receive 3x the amount when they withdrew. The bug was first reported in a public Reddit post where a user posted, "Bug on Osmosis There is a serious problem with osmosis. If you add liquidity to a pool and then remove it, it grows by 50%! How can we fix this!?!? Pools empty by morning!"

Developers halted the chain before liquidity pools were fully drained, but estimated that about $5 million was lost. They wrote that they were working on a recovery plan; perhaps they will also encourage their community to report bugs privately, rather than via public Reddit post.
