Founder of the Mask Network loses more than $4 million to a wallet hack
Suji Yan, the founder of the Mask Network, suffered the loss of more than $4 million in various cryptocurrency assets to an apparent wallet hack. According to Yan, the theft happened on his birthday while he was at a party. "[E]ither the private key was leaked same day as my birthday and hacker manual[ly transferred assets] out or it might be an offline attack. I was in a private gathering with dozen friends and my phone was away for some minutes when I using the restroom etc."
Almost $50 million stolen from Infini "stablecoin neobank"
Around $49.5 million in the USDC stablecoin was stolen from the Infini crypto-focused "stablecoin neobank", a fintech company that promises "financial freedom" by "democratizing banking" and "redefining the future of digital finance".
Infini experienced a different form of "financial freedom" when attackers liberated almost $50 million from the company after a thief with access to a wallet with admin rights drained tokens, then swapped them for the DAI stablecoin, which unlike USDC cannot be frozen by its issuer.
The attack came only a day after a celebratory tweet from the company in which it had announced that they had achieved $50 million in total value locked, suggesting that the theft affected substantially all of the assets on the platform. Despite this, they have claimed that transactions on the platform are unaffected, and when someone asked how that was possible, they simply replied: "We've got solid runway to operate. No worries."
Infini attempted to contact the thief via on-chain message, threatening that they had "gathered critical IP and device information" about them, and asking them to return 80% of the funds in exchange for a promise that Infini "will cease further tracking or analysis, and you will not face accountability". However, Infini's 48-hour deadline has come and gone without any reply.
- "0xInfini Incident Analysis", CertiK
- Tweet by Infini [archive]
- Messages from Infini to the exploiter
$1.5 billion taken from Bybit crypto exchange
In what is looking like largest ever theft from a cryptocurrency exchange, attackers took control of a hot wallet belonging to the Bybit cryptocurrency exchange and moved a massive amount of ETH-based tokens amounting to approximately $1.5 billion in notional value (though it should be noted that that quantity of stolen tokens could not be quickly cashed out for that many dollars without affecting the ETH price).
Bybit CEO Ben Zhou confirmed the attack on Twitter, writing that an attacker used an advanced phishing technique to take control of the hot wallet. Zhou also promised "Bybit is Solvent even if this hack loss is not recovered, all of clients assets are 1 to 1 backed, we can cover the loss."
Around 9,000 wallets used with Cardex fantasy trading card game compromised
Around $400,000 in ETH was stolen from around 9,000 wallets on the Abstract layer-2 network, which is built by the same company that makes the Pudgy Penguins NFTs. It appears that the affected wallets had all been used to play Cardex, a fantasy trading card game that had launched only a week prior.
Attackers compromised a private key belonging to the game's creators, which allowed them to drain wallets that still had an active session with the game.
Argentinian president Javier Milei promotes memecoin that then crashes 95% in apparent $100 million+ rug pull
A tweet from Argentina's president Javier Milei promoted a memecoin called Libra, which he described as a "private project [that] will [be] dedicated to encouraging the growth of the Argentine economy by funding small Argentine businesses and startups". The token quickly soared in price as traders poured in.
However, within hours of the launch, insiders began selling off their holdings of the token. The token had been highly concentrated among insiders, with around 82% of the token held in a small cluster of apparently insider addresses. Those insiders cashed out around $107 million, crashing the token price by around 95%.
After the crash, Milei deleted his tweet promoting the project. He later claimed he was "not aware of the details of the project and after having become aware of it I decided not to continue spreading the word (that is why I deleted the tweet)."
zkLend hacked for around $9.5 million
The Starknet-based lending platform zkLend was exploited for around $9.5 million. zkLend paused the protocol after the attack was discovered, and began working with various crypto security groups to try to trace the stolen funds and identify the thief. zkLend also sent a message to the attacker, offering a 10% "bounty" and a "release from any and all liability" if they returned 90% of the funds. As of twelve hours after the hack, no reply had been made.
Trader accidentally sends 2,000 SOL to bankrupt FTX
A former FTX customer made an expensive mistake in October 2023 when he transferred 2,000 SOL (~$64,000 at the time, almost $400,000 today) to an old FTX account, about a year after the company went bankrupt. Unlike you might expect with an attempt to wire traditional funds to a bank account that's been closed, the funds didn't bounce back. Instead, they've been sitting around under control of the FTX bankruptcy estate, requiring the former customer to seek a court order to get his funds back.
All in all, this customer is actually pretty lucky as far as erroneous transfers go. FTX's bankruptcy team still has access to FTX wallets, and are still actively working on recovering and disbursing assets to creditors. In some cases in the crypto world, erroneous transfers are lost forever.
BNB-based pump.fun competitor Four.Meme loses $183,000 to attack
A BNB Chain memecoin platform, Four.Meme, announced on Twitter that they were "currently experiencing a malicious attack". The team briefly paused a portion of the service while deploying a fix, but brought it back online later that day. Around $183,000 was lost to the attack.
Coinbase accused by crypto sleuth zachxbt of allowing more than $300 million per year in social engineering attacks on its customers
Crypto sleuth zachxbt has accused the popular American cryptocurrency exchange Coinbase of "fail[ing] to stop its users losing $300M+ per year to social engineering scams". He identified $65 million in crypto thefts from Coinbase in just the most recent two months, but noted that the "number is likely much lower than the actual amount stolen as our data was limited to my DMs and thefts we discovered on-chain which does not account for Coinbase support tickets and police reports we do not have access to."
zachxbt recounted how scammers routinely spoof phone numbers and use stolen personal information to gain trust with victims on phone calls, where they claim to be Coinbase employees informing users of unauthorized account access. They then walk victims through "securing" their accounts, but in reality they direct people to cloned versions of the Coinbase website where the victims are made to transfer their assets to the scammers.
zachxbt concluded, "Coinbase needs to urgently make changes as more and more users are being scammed for tens of millions every month. ... Coinbase is in a position where they have the power to make these changes and set a good example but they have chosen to do little to nothing ."
AlleyCat project developer takes presale money to fund gambling habit
The creator of the AlleyCat Solana-based cryptocurrency project has reportedly taken about 600 SOL (~$130,000) raised during the project's presale and transferred it to gambling platforms including Sportsbet.io and Bitcasino. Although the project raised hundreds of thousands of dollars in presale funds, stating it was needed for token liquidity on launch, only 18 SOL (~$11,000) was ever used for liquidity.
Altogether, around $827,000 has passed through the AlleyCat creator's Sportsbet.io account in seven months. Crypto scam-spotting account Rug Pull Finder has alleged that the AlleyCat creator is also behind other rugpulls.
The AlleyCat cryptocurrency project is based on the 1983 Atari game of the same name, though the crypto project does not appear to have any affiliation with (or approval from) the game's creators.
- "AlleyCat - The Gambling Deployer!", Rug Pull Finder