Roughly an hour after the attack, the project tweeted that they were aware of the attack, and had paused all markets. On June 19 the project sent a message to the attacker, pleading with them to return the funds and threatening: "There are criminal organizations following the same evidence trails we are. This isn't going away until you return funds. We are your best option out of this."
Sturdy Finance exploited for $775,000
The Sturdy Finance defi lending protocol was exploited, with hackers taking advantage of an oracle manipulation vulnerability to make off with 442 ETH (~$775,000). They subsequently transferred the funds into Tornado Cash. The total loss to the project was somewhat higher: 504 ETH (~$884,000).
Minting of TrueUSD stablecoin through Prime Trust halted; TUSD deviates from peg
On June 10, TrueUSD announced on Twitter: "TUSD mints via Prime Trust are paused for further notification." They offered no further explanation. TUSD is the fifth largest stablecoin by market capitalization.
The decision may have been related to insolvency rumors surrounding Prime Trust, a US-based fintech company. On June 8, BitGo announced a non-binding letter of intent to acquire Prime Trust.
After the announcement, the TUSD stablecoin dipped as low as $0.9951. This is a seemingly small deviation from the $1 peg, but in the stablecoin world, such small variances can be serious.
- "TrueUSD stops minting via Prime Trust, loses dollar peg", CoinTelegraph
Crypto.com to shut down institutional trading in the US
Singapore's Crypto.com has announced it will be imminently shutting down its institutional exchange service in the US, citing "limited demand from institutions in the U.S. in the current market landscape". The firm will continue to serve retail customers in the country, however.
CFTC awarded default judgment in case against Ooki DAO
Ooki DAO was sued in September of last year for allowing illegal trading of digital assets, engaging in activities only allowed by registered futures commission merchants, and not performing proper KYC. It was a potentially landmark case, as one of the first actions to be taken against a DAO and an opportunity to test various DAOs' claims that by decentralizing governance, they can skirt regulatory enforcement.
Now, a judge has awarded default judgment in the case, requiring the DAO to pay a more than $640,000 penalty, close down its website, and stop trading.
The court held that the Ooki DAO was a "person" under the Commodity Exchange Act and thus could be held liable for violations of the law.
- Order on Motion for Default Judgment, Commodity Futures Trading Commission v. Ooki DAO
Robinhood to delist Solana, Cardano, Polygon tokens after SEC describes them as securities
Robinhood announced that its crypto exchange will delist the tokens for Solana (SOL), Cardano (ADA), and Polygon (MATIC) after they were described as unregistered securities in lawsuits against Binance and Coinbase. They seem to be the first exchange serving US customers to delist tokens mentioned by the SEC in the lawsuits. On June 12, they were followed by eToro US, who delisted ALGO, MANA, DASH, and MATIC. On June 16, Bakkt delisted SOL, ADA, and MATIC.
While simply claiming in a lawsuit that a crypto token is a security does not necessarily constitute a firm decision that it is so, this has been enough in the past to lead exchanges to remove token listings. The 2020 lawsuit against Ripple and its XRP token led to the token widely being delisted from exchanges serving US customers.
Scammers capitalize on Binance lawsuit fears to pull off Discord phishing scam
Adding insult to injury in Binance's tough couple of days, someone has managed to hijack the Discord vanity URL used by BNB Chain, the blockchain project associated with Binance. The scammers created a fake Discord channel where they have posted a message: "In order to curb the reactionary market's response to patently false SEC accusations, we are hosting a $BNB airdrop on BSC to show our faith in our technology and community!" The scammers urged members to connect their crypto wallets, ostensibly to receive their share of the roughly 100,000 BNB (nearly $30 million) the scammers claimed they'd allocated to the giveaway.
After this was brought to BNB Chain's attention by crypto sleuth zachxbt, they tweeted that they "acted quickly (within 10 minutes) to ban the offending accounts and remove the posts. We've taken steps to secure the server and protect against any further abuse." However, less than an hour later they put out a new tweet announcing that the URL had been hijacked to redirect to a new server.
"This is a scam, and if you connect your wallet, you will lose your funds. Please exercise caution until we are able to confirm a resolution", they wrote.
SEC files complaint against Coinbase
The SEC has clearly been busy. The agency followed up its complaint against Binance by smacking Coinbase with charges the very next day. This isn't terribly unexpected: in late March the SEC hit Coinbase with a Wells notice, which is a formal notice saying "we're about to file a complaint against you, convince us not to." Coinbase decided that instead of any real attempt at convincing them not to, they would use the incident as a PR opportunity to try to win hearts and minds (of the public but also critically in Congress), convincing people that the SEC was being unfair to them and stifling innovation in the United States and all sorts of other things.
The SEC, apparently unconvinced by Coinbase's usual spiel, filed a complaint with five claims for relief involving operating without registering with the SEC and offering unregistered securities by way of providing a cryptocurrency staking program.
Coinbase has responded with its usual bluster, and vowed to fight the lawsuit. They don't really have much choice, given their business is almost entirely predicated on being able to continue operating in the US. A tweet by Coinbase CEO Brian Armstrong refers to "the US congress... introducing new legislation to fix the situation", suggesting he is hoping that Congress might bail him out of the mess he's in. Given the amount of lobbying Coinbase has been doing, and the apparent bought and paid for crypto advocates who sit in Congress, his hopes are not entirely misplaced, but we shall see. As with the lawsuit against Binance, this is not likely to resolve anytime soon, particularly if the companies both decide to fight in court.
- "SEC Charges Coinbase for Operating as an Unregistered Securities Exchange, Broker, and Clearing Agency", U.S. Securities and Exchange Commission
- SEC v. Coinbase
- Tweet by Brian Armstrong
SEC files complaint against Binance
The SEC has filed a complaint against Binance, various related companies, and Binance CEO Changpeng "CZ" Zhao. They allege that the company has been acting with "blatant disregard" of US securities laws through their operation of unregistered trading platforms, have performed multiple offers of unregistered securities and investment schemes, and have defrauded investors through material misstatements around supposed controls for manipulative trading activity, such as wash trading, on the Binance platforms.
The complaint echoes some of the allegations made by the CFTC in a March lawsuit, including that Binance.US was primarily a front for Binance's international platform that was used to try to distract US regulators. However, it also goes farther by adding allegations around Binance's lack of controls around market manipulation, which the SEC alleges contradict public statements by Binance that they had sophisticated programs to prevent wash trading and other manipulative actions. The SEC even claims that the CZ-owned and -operated market maker Sigma Chain was engaged in substantial wash trading on the platform.
The SEC lawsuit was also a bit of a bombshell in its naming of some major cryptocurrencies as securities: SOL, ADA, MATIC, FIL, ATOM, SAND, MANA, ALGO, AXS, and COTI. These are the crypto assets associated, respectively, with the Solana, Cardano, Polygon, Filecoin,[d] Cosmos, The Sandbox, Decentraland, Algorand, Axie Infinity, and Coti projects.
Atomic Wallet hacks total over $100 million
Multiple users of the Atomic Wallet software suffered wallet compromises totaling more than $100 million in a spate of hacks suggesting an issue with the wallet itself. Atomic Wallet is a self-custody wallet, a suggested safer alternative than storing crypto assets in accounts controlled by third party companies. In February 2022, a security firm was forced to publicly disclose issues with the Atomic Wallet software after attempting to address them with the company via traditional routes, but went ignored.
Following the thefts, Atomic Wallet tweeted that they were aware of the reports of wallet compromises, and that they were attempting to learn more about the attacks, but had not yet confirmed any method of attack. They've since taken down the wallet software download page, likely out of concern that the software itself has been compromised.
Crypto sleuth zachxbt compiled a list of reported compromised Atomic Wallets, finding that multiple individuals lost multiple millions in the attack. The largest known individual theft so far involved almost $8 million in USDT (Tether); other individuals lost $2.8 million in USDT and 1,897 ETH (~$3.5 million).
Users of Atomic Wallet have been advised to transfer their assets to other wallets.
On June 6, both zachxbt and blockchain research group Elliptic speculated that the laundering strategy by the thieves resembled that of the North Korea-linked Lazarus Group, which has been responsible for other major crypto thefts.
unshETH compromised after private key leaked to GitHub
After a developer leaked private keys to GitHub, someone used them to drain $375,000 from the unshETH defi project. The project emergency paused withdrawals of unshETH ether to prevent further damage.
The leaked key allowed the attacker to transfer ownership of project smart contracts to themselves, though they later returned ownership.
unshETH posted a message to the hacker, demanding they return 90% of the stolen funds. They threatened: "We want to be clear, and this is not a bluff: we know who you and some people connected to you (friends) are, and we will absolutely move forward with law enforcement if you have not returned the money by the deadline above. We don't want to do this to you or have to rope your friends in, and would prefer everything be settled and everyone just move forward, but if we don't get the funds back by the above-mentioned time, we will be left with no choice in order to protect our protocol."
"Sounds exactly like someone bluffing would say", wrote one commenter.