Security researchers desperately try to contact Ocean Protocol about a critical security problem

[Image: Screenshots of Kubernetes credentials and a shell connection, with sensitive credentials blurred out. Image from Bleckmann-Dreher's tweet (attribution)]
Ocean Protocol is a web3 project promising to help people "publish, discover, and consume data in a secure, privacy-preserving fashion". Recently, they've been promoting the ALGA defi wallet, a project created by an external development team called Data Whale. Security researcher Christopher Bleckmann-Dreher, also known as "schniggie", resorted to publicly replying to one of Ocean Protocol's promo tweets to try to get the group's attention on a security vulnerability he and his collaborator Daniel Matesic ("mtd_0x00") had discovered. The duo found Kubernetes infrastructure that appeared to be completely compromised, and were able to get a shell, query the underlying AWS instance metadata service, and more. When Bleckmann-Dreher tried to report the bug through Ocean Protocol's GitHub bug bounty program, he found it had been retired. He also tried to contact the team via their security email address, Telegram, and Discord, but received no reply.

After Bleckmann-Dreher's attempts to contact the project were published on Web3 Is Going Great on February 26, Ocean Protocol's founder Bruce Pon commented to say they were "on it", and that he had alerted Data Whale about what appeared to be an issue in the ALGA project. Several hours later, Data Whale announced they would be taking the app offline due to concerns that there was a vulnerability, and that they had contacted the researchers. ALGA was later brought back online after they confirmed the vulnerability was not an issue with their project, but rather with Ocean Protocol itself. Pon acknowledged on February 27 that "there was a configuration issue on Ocean compute-to-data which is being fixed now", and later that day Ocean Protocol cut a new release of their operator engine which appeared to be a patch.

Coinbase CEO tries to weave a compelling story about how their own team came up with a Super Bowl ad that "broke the rules on marketing", is quickly revealed to just be taking credit for the work of an outside ad agency

[Image: Two tweets. First by Brian Armstrong: "10/ I guess if there is a lesson here it is that constraints breed creativity, and that as founders you can empower your team to break the rules on marketing because you're not trying to impress your peers at AdWeek or wherever. No ad agency would have done this ad." Reply by Kristen Cavallo: "Except an ad agency did do that ad." Tweet by Armstrong, with reply from Cavallo (attribution)]
Coinbase CEO Brian Armstrong embarked on a 12-tweet-long thread congratulating Coinbase employees for coming up with the bouncing QR code Super Bowl ad. He wrote, "I guess if there is a lesson here it is that constraints breed creativity, and that as founders you can empower your team to break the rules on marketing because you're not trying to impress your peers at AdWeek or wherever. No ad agency would have done this ad."

Unfortunately for him, CEO of The Martin Agency Kristen Cavallo showed up with receipts: "It was actually inspired by presentations our agency showed your team on 8/18 (pages 19-24) and 10/7 (pages 11-18) with ad concepts for the Super Bowl with floating QR codes on a blank screen."

I guess if there is a lesson here it is that if you're going to take credit for someone else's idea to try to make your team sound good, maybe you shouldn't also use it as an opportunity to dunk on the people who actually came up with the idea.

Another pseudonymous defi project exec revealed to have a checkered past

Composable Finance is a company that makes infrastructure tools for defi. Until recently, their head of product had been known only as 0xbrainjar, and had operated pseudonymously. However, on February 18, the crypto detective zachxbt revealed his discovery that 0xbrainjar was actually Omar Zaki. Zaki was charged with fraud by the SEC in 2019 for misleading investors while operating an unregistered investment adviser and hedge fund. He ultimately settled the case for a $25,000 fine and a three-year ban from working in the investment industry. Although I personally think it's reasonable not to describe anything crypto-related as an "investment", I'm curious how the SEC might feel about him working on defi projects.

On February 20, 0xbrainjar confirmed that he was indeed Zaki. He wrote, "I did this so that my efforts to build up a suite of products would not be shadowed by a mistake that I made in my past.... 0xbrainjar was a place for me to not be defined by this serious misstep (which has been settled and was amplified by the media)". He also wrote on Twitter that "I do not want a mistake in my youth to cloud all of the team's efforts", though the SEC charge was filed less than three years ago, when Zaki was 21.

Avalanche-based Atom Protocol rug pulls within a day of its launch, claiming a bug

[Image: Tweet by Atom Protocol: "There is a problem/mistake in contracts, we can't do anything. We have to close the project, sorry". Tweet by Atom Protocol (attribution)]
Atom Protocol, a project built on the Avalanche blockchain (and not to be confused with the Atom/Cosmos project on Binance), rug pulled within a day of launching. The developers posted a tweet reading, "There is a problem/mistake in contracts, we can't do anything. We have to close the project, sorry". Shortly afterwards, they deleted their Twitter account and Discord.

Some users directed their anger at Assure DeFi, a project that claims to "privately verify the identity" of various projects. The group had reportedly verified the identities of those behind Atom Protocol, lending the project credibility to some who bought in. Assure later tweeted that "many people are still misunderstanding the role of KYC/verification. KYC is a deterrent and not a scam prevention and if anyone says otherwise they are misleading you."

Indian authorities arrest a group accused of $5 million cryptocurrency scam

Indian authorities arrested at least eleven people accused of running a cryptocurrency scam that drew ₹40 crore (around $5.3 million) from investors. The alleged ringleader, Nishid Wasnik, flaunted his luxury lifestyle to help convince investors to put money into his firm, which he said traded Ether. According to one official, "He manipulated the website of the firm to show a steady rise in the value of investments, while transferring money into his accounts fraudulently between 2017 and 2021". Wasnik is also facing outstanding cases, including two murder charges, and had been in hiding since March 2021.

Seventeen OpenSea users have their NFTs stolen and flipped for a total of $2.9 million by a phishing scammer

Panic erupted on February 19 as a few users saw their wallets emptied of valuable NFTs without knowing why, and many others feared the same could happen to them. Early explanations blamed a new contract that OpenSea had rolled out, or an airdrop from a new NFT marketplace called X2Y2. People urged NFT owners to revoke permissions for both the OpenSea contract and for X2Y2 until more was known, although one of the most popular websites helping people do so went down shortly afterwards under the high traffic.

An hour and a half after users began to report missing NFTs, OpenSea finally acknowledged the issue. They tweeted that they were "actively investigating rumors of an exploit associated with OpenSea related smart contracts", and wrote that they believed it was a phishing attack coming from outside of OpenSea, rather than an issue with their contract. It was later determined that an attacker had successfully phished 17 OpenSea users into signing a malicious contract, which allowed the attacker to take the NFTs and then flip them. Bizarrely, the hacker returned some of the NFTs to their original owners, and one victim inexplicably received 50 ETH ($130,000) from the attacker as well as some of his stolen NFTs back. The attacker later transferred 1,115 ETH obtained from the attack to a cryptocurrency tumbler, worth around $2.9 million.

Former owner of a reportedly stolen Bored Ape files million-dollar lawsuit against OpenSea

[Image: An illustration of an ape wearing a blue bonnet, sunglasses, and black turtleneck, biting its lower lip. Bored Ape #3475 (attribution)]
Businessman Timothy McKimmy is the former owner of Bored Ape #3475, an NFT he purchased in December for 55 ETH (then about $232,000). In a lawsuit against OpenSea, McKimmy alleged that on February 7, a "security vulnerability allowed an outside party to illegally enter through OpenSea's code and access Plaintiff's NFT wallet, in order to list and sell Plaintiff's Bored Ape at a literal fraction of the value". The Bored Ape was purchased for 0.01 ETH (about $30), then flipped by the alleged thief within hours for 98.9 ETH (a bit over $300,000). McKimmy alleges that OpenSea knew about the reported vulnerability, and failed in their duties to him as a customer by not informing customers of the issue, or shutting down the platform while it was reportedly vulnerable. The lawsuit further argues that because Bored Ape #3475 has a higher "rarity score" than the one supposedly purchased by Justin Bieber for 500 ETH ($1.3M) in January, the value of #3475 is "arguably in the millions of dollars and growing as each day passes". The lawsuit seeks "any and all damages to which [McKimmy] may be entitled, including the return of the Bored Ape, damages equivalent to the valuation of the Bored Ape, and/or monetary damages over $1,000,000."

Crypto.Chicks team member gives a non-apology for blatantly copying the work of another artist

[Image: Side-by-side comparison of an Instagram post and an NFT listing, both containing similar illustrations of a woman with a grimace and three eyes. Comparison of the original and Crypto.Chick #2 (attribution)]
Polly, a member of the popular Crypto.Chicks NFT team, apologized for "drawing inspiration from" artists and "inadvertently cop[ying]" their work, after it was discovered that she had blatantly traced the artwork used in some of the Crypto.Chicks NFTs. Although she wrote that she had "redrawn" the NFT in question, the artwork was nearly identical to artwork by a Brazilian artist named Amanda, who apparently was never credited nor compensated. The Crypto.Chick in question had sold for $27,500 in late January.

The following day, Crypto.Chicks announced that they would be replacing Polly as a team member, and pausing their planned release of another NFT collection that also appeared to contain stolen artwork.

Appeals court allows legal claim to continue against online promoters of Bitconnect

An appeals court found that a legal claim could continue to be pursued against some of the major voices that promoted Bitconnect online. Bitconnect was a Ponzi scheme that collapsed in early 2018, defrauding investors of $2 billion. This claim, should it succeed, could set a frightening precedent for those irresponsibly hyping cryptocurrency schemes in online videos and other promotions.

Authorities raid Generación Zoe, an Argentine pyramid scheme propped up by cryptocurrencies

Authorities performed nine separate raids targeting Generación Zoe, a holding company raising money from thousands of Argentines. The company promised 7.5% monthly returns at the lowest level, but more if investors recruited others to the scheme. They said these returns came from cryptocurrency trading, sales of "coaching" courses, and other investment strategies. The group even had their own cryptocurrency, Zoe Cash, and had begun other ventures—including a church. The accountant from the firm and several others were arrested in the February 18 raid, but the head of the scheme was on the lam.
