Sonne Finance hacked for at least $20 million

The Sonne Finance lending protocol was exploited for at least $20 million after an attacker took advantage of a vulnerability in some of their smart contracts. Sonne is a fork of the Compound Finance project, which has known vulnerabilities that are sometimes not properly addressed by people who reuse the code — as has happened with Radiant Capital and Rari.

After being alerted to the theft by several security companies, Sonne announced they had paused the contract on the Optimism Ethereum layer-2 chain.

Cypher contributor admits to stealing over $300,000 due to "crippling gambling addiction"

After the founder of the Solana-based Cypher futures trading protocol publicly accused a core contributor of stealing funds, the contributor — publicly known only as "hoak" — has confessed to the thefts.

Cypher was hacked for $1 million in August 2023, but was able to recover around $600,000 of the stolen funds, which they promised to distribute to impacted users via a redemption fund. However, over a period of months and unbeknownst to the rest of the team, hoak had been dipping into the recovered funds — taking around half of what was in the fund for himself.

After he was accused, hoak fessed up in a public statement where he wrote that his actions were a "culmination of what snowballed into a crippling gambling addiction and probably multiple other psychological factors that went by unchecked for too long." He continued: "I know likely nothing I say or do will make things better - perhaps other than rotting in jail. To address the elephant in the room, the allegations are true, I took the funds and gambled them away. I didn’t run away with it, nor did anyone else."

SEC sends Wells notice to Robinhood Crypto

Robinhood has disclosed that they received a Wells notice from the US Securities and Exchange Commission in relation to their "Robinhood Crypto" product. This indicates that the SEC believes that some of the assets that can be traded via Robinhood Crypto are securities.

In the past, Robinhood has removed cryptocurrencies from trading after they were alleged to be securities by the SEC, such as Solana (SOL), Cardano (ADA), and Polygon (MATIC) in the wake of the lawsuits against Binance and Coinbase. However, given the SEC's stance that most cryptocurrencies are securities, it seems likely that the SEC believes one or more of the 14 non-bitcoin cryptocurrencies Robinhood offers may also be a security.

Robinhood's Chief Legal Officer issued a statement that "We firmly believe that the assets listed on our platform are not securities and we look forward to engaging with the SEC to make clear just how weak any case against Robinhood Crypto would be."

GNUS.ai exploited for $1.27 million

An exploiter was able to create a fake version of the $GNUS token on the Fantom blockchain, then bridge the tokens to Ethereum and Polygon where they were then sold as though they were authentic. They were able to drain $1.27 million from the project's liquidity pools.

GNUS.ai (short for "Genius", not a reference to the animal) is one of many AI-related blockchain projects that have sprung out of the recent AI hype. This particular one promises to allow people to "utiliz[e] unused cycles" on various computing devices for computation-intensive AI systems, using cryptocurrency for payments.

Cred executives indicted

The former CEO, CFO, and CCO of the cryptocurrency lending service Cred have been indicted on multiple charges involving wire fraud and money laundering. They were charged in connection with their operation of the Cred platform, which went bankrupt in November 2020 after hiding its insolvency for several months.

Cred had claimed to customers that they engaged in only "collateralized or guaranteed lending", hedged their investments, and held "comprehensive insurance", but hid that "virtually all the assets to pay the yield were generated by a single company whose business was to make unsecured micro-loans to Chinese gamers." Furthermore, they did engage in uncollateralized lending, did not hedge their investments, and did not hold insurance as they had claimed.

Around $150 million in customer funds were lost in the collapse based on prices at the time, though those crypto assets would have been priced substantially higher at various times since.

Wallet loses over $72 million to address poisoning

An Ethereum wallet was apparently drained of 1,155 wrapped bitcoin (~$72.7 million) when its owner transferred the tokens to a malicious address that had been operating an address poisoning scheme.

Address poisoning is a scam tactic that takes advantage of crypto traders' tendencies to copy and paste wallet addresses from their transaction histories, since the addresses are long strings of characters that are not practical to type from memory. By creating a new wallet address with identical start and/or ending character strings to addresses used by the victim, and spamming the victim with transactions from that similar address, scammers are sometimes able to get victims to erroneously copy the spoofed address for future transfers.

That's what appears to have happened in this case, when a victim transferred 1,155 wrapped bitcoin — tokens pegged to the bitcoin price meant for use on the Ethereum blockchain — to the malicious address.

The victim and the exploiter later reached an agreement for the return of most of the funds, with the exploiter keeping $7.2 million as a "bounty".
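
A defensive check for the lookalike pattern described above, as an added example that is not part of the original article: it compares a destination against a trusted address book and flags any address that is not an exact match but shares leading or trailing characters with a trusted entry. The addresses, the `min_affix` threshold of 4, and all function names are assumptions made for illustration.

```python
# Added example: addresses are constructed; min_affix is an assumed threshold.
HEX = set("0123456789abcdef")

def normalize(addr):
    """Lower-case a 0x-prefixed 20-byte address; reject malformed input."""
    body = addr.strip().lower()
    body = body[2:] if body.startswith("0x") else body
    if len(body) != 40 or not set(body) <= HEX:
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return body

def shared_affixes(a, b):
    """Return (matching leading chars, matching trailing chars)."""
    def run(pairs):
        n = 0
        for x, y in pairs:
            if x != y:
                break
            n += 1
        return n
    return run(zip(a, b)), run(zip(reversed(a), reversed(b)))

def check_destination(candidate, address_book, min_affix=4):
    """Classify a destination as (status, label of the trusted entry involved)."""
    cand = normalize(candidate)
    book = {normalize(addr): label for label, addr in address_book.items()}
    if cand in book:  # exact match only, after case normalization
        return ("trusted", book[cand])
    for addr, label in book.items():
        prefix, suffix = shared_affixes(cand, addr)
        # The scheme relies on matching start and/or end, so either end counts.
        if prefix >= min_affix or suffix >= min_affix:
            return ("lookalike", label)
    return ("unknown", None)

def poisoned_senders(history, address_book):
    """Addresses in a transaction history that imitate an address-book entry."""
    return [a for a in history if check_destination(a, address_book)[0] == "lookalike"]

# Constructed sample data (not real wallets).
ADDRESS_BOOK = {"cold wallet": "0xD9A1B2" + "0123456789abcdef0123456789ab" + "91C4F7"}
LOOKALIKE = "0xd9a1b2" + "fedcba9876543210fedcba987654" + "91c4f7"
UNRELATED = "0x" + "77" * 20
HISTORY = [ADDRESS_BOOK["cold wallet"], LOOKALIKE, UNRELATED]

if __name__ == "__main__":
    for addr in HISTORY:
        print(addr, check_destination(addr, ADDRESS_BOOK))
```

Running the check on the full address before signing, rather than on the truncated form shown in a transaction history, is what separates the trusted entry from its imitation here.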

Pike Finance exploited for $2 million in two separate attacks

Pike Finance, a cross-chain lending protocol, was exploited twice in four days as attackers discovered vulnerabilities in the project's smart contracts.

The first attack, on April 26, was enabled by a flaw in the security measures related to transfers of the USDC stablecoin. An attacker was able to change the recipient address and amount, ultimately making off with almost $300,000 in the stablecoin. Pike released a postmortem two days later, acknowledging that the bug had been identified by a third-party auditor but had not been rectified by their team.

When the Pike team went to patch the smart contracts to thwart this attack, they introduced new, even worse vulnerabilities. As a result, on April 30, an attacker was able to upgrade the project's smart contracts to malicious ones, then withdraw $1.68 million in ETH, ARB, and OP tokens.

Pike Finance has offered a 20% reward for the return of the funds or information pertaining to the attacker, and has promised "a plan to make users whole". Pike, which launched in early 2024, is backed by Circle and Wormhole.

Roger Ver arrested for $50 million tax fraud

Roger Ver, an early bitcoin investor who later became an outspoken evangelist for the fork Bitcoin Cash, has been arrested on tax fraud charges. According to the Department of Justice, Ver evaded almost $50 million in owed taxes by concealing income and lying to tax preparers about his bitcoin assets as he attempted to renounce his US citizenship and become a citizen of the tax haven St. Kitts and Nevis.

Ver was arrested in Spain, and the United States will seek his extradition.

Besides his tax woes, Ver has also been caught up in accusations by CoinFLEX that he owed the platform around $84 million after failing to meet a margin call. Ver has in turn claimed that CoinFLEX owed him money. CoinFLEX filed for restructuring in August 2022.

Changpeng Zhao sentenced to four months imprisonment

Former Binance CEO Changpeng "CZ" Zhao has been sentenced to four months in prison after pleading guilty to money laundering-related charges. The charges were filed in November, and Zhao entered a guilty plea, resigned from the company, and agreed to pay a $50 million fine.

Prosecutors sought a three-year sentence for Zhao, while Zhao requested to serve no time. The judge ultimately decided on a sentence closer to the five-month sentence that was being recommended by the Probation Office.

Rain cryptocurrency exchange hacked for $14.8 million

Bahrain-based cryptocurrency exchange Rain was exploited for around $14.8 million on April 29. The exchange did not publicly disclose the hack until the suspicious outflows across wallets on multiple blockchains were noticed by blockchain investigator zachxbt.

After zachxbt sounded the alarm on May 13, Rain admitted that they had had a "security incident", but stressed that customer funds were safe, and stated that the Rain Group had "covered any potential losses resulting from this incident".
