Tax loss harvesting service emerges to help collectors unload their worthless NFTs

If you bought an NFT for $1,000 and it's now worthless, you still have to find someone willing to buy it before you can claim it as a loss on your taxes. A project called "Unsellable" has emerged to fill that need—buying worthless NFTs for $0.01 (for a small fee) so that people can claim the losses.

"This tool really helped me unload those embarrassing early NFT Hype investments. Should shave about $1000 off my tax bill", a supposed user writes in a testimonial blurb on the site (although the testimonials appear to be faked).

Perhaps someone has finally found a viable crypto business model after all.

Wallets linked to Sam Bankman-Fried's Alameda Research unexpectedly begin selling off $1.7 million in tokens

Wallets known to be controlled by Alameda Research, the crypto trading firm founded by Sam Bankman-Fried and currently in bankruptcy with the other FTX companies, suddenly began selling off large quantities of mostly small altcoins on December 28. Whoever controls the wallets swapped the tokens for Tether stablecoins or Ethereum, then tumbled the funds through cryptocurrency mixers — a strong sign that this was probably not just the FTX liquidators consolidating wallets.

Altogether, an estimated $1.7 million was moved through various services to obfuscate the flow of funds.

3Commas finally owns up to API key leak

In October, several people reported losing more than a million dollars each from accounts that were connected to the 3Commas trading platform. 3Commas vociferously denied that there was any security breach of their crypto trading service, instead claiming that some of their users were at fault for being phished and having assets stolen. Now that someone has published the API key database that was exfiltrated from 3Commas, however, the company has finally owned up to the breach. They confirmed the data in the files was legitimate on Twitter, and wrote that they had contacted Binance, Kucoin, and other exchanges with whom they integrate to ask them to revoke all API keys connected to 3Commas.

3Commas did not come off looking very good after this incident, after they spent weeks denying any breach and accusing those who were concerned 3Commas had been compromised of spreading misinformation and "FUD".

Researcher zachxbt wrote that he had verified 44 victims who had lost a combined $14.8 million due to the leak, although he acknowledged that this was only the number of people he could verify and that the total number of people affected was likely much higher.

Midas Investments platform closes after revealing they're $63.3 million in the hole

Midas Investments announced suddenly that they would be shutting down their platform, which previously enabled users to deposit cryptocurrencies which would then be invested in various defi projects. The team revealed that they had only $51.7 million in assets compared to $115 million in liabilities, a fact they had not disclosed to most of their employees.

Users with assets on the platform will see a significant haircut in what they are allowed to withdraw. Midas intends to keep 55% of the Bitcoin, ETH, or stablecoins held by users in their accounts, as well as any rewards users had earned.

Lest the users be too upset that more than half of their assets no longer belong to them, fear not: Midas will be making up the difference in a new, valueless token that does not yet exist, but that will be associated with some future project that Midas has not described yet. You're welcome!

They've also announced they will be pivoting to "CeDeFi". Yes, that is indeed short for "centralized decentralized finance". No, I am not joking.

Mango Markets exploiter arrested despite claiming all his actions were legal

A very close-up portrait of Avraham Eisenberg, who has curly red hair and a beardAvraham Eisenberg (attribution)
In October, an exploiter was able to manipulate collateral prices to extract tokens from the Mango Markets defi project, ultimately resulting in a $116 million loss for the project. The exploiter then tried to create a governance proposal in which he would agree to return some of the stolen funds in exchange for an agreement that the protocol would not try to freeze the tokens or pursue criminal charges.

It quickly became apparent that a man named Avraham Eisenberg was behind the exploit. In screenshots leaked from a conversation in a private Discord channel shortly before the attack, Eisenberg talked about the exploit he had planned. "I'm investigating a platform that could maybe lead to a 9 figure payday. Should I do it?" he wrote. When someone replied, "unles[s] it is highly illegal", Eisenberg responded: "Are there rules these days?" When someone suggested responsibly disclosing the vulnerability to the protocol, Eisenberg refused, saying the bug bounty was likely to be too small.

Eisenberg later owned up to the attack, tweeting a thread in which he wrote that he "was involved with a team that operated a highly profitable trading strategy last week. I believe all of our actions were legal open market actions, using the protocol as designed, even if the development team did not fully anticipate all the consequences of setting parameters the way they are."

The feds apparently disagreed with his evaluation, and arrested Eisenberg in Puerto Rico on December 26. He is charged with commodities fraud and commodities manipulation.

BTC.com suffers $3 million attack

In a press release, BIT Mining reported that their subsidiary BTC.com had experienced a "cyberattack" in which $700,000 of customer assets were stolen. They also reported that $2.3 million of company assets were stolen, though they said that some of these funds had been recovered. They wrote that they were working with Shenzhen law enforcement to investigate the attack, but provided few details on the attack vector.

BTC.com is the seventh largest Bitcoin mining pool, which also operates other crypto mining services. Its parent company, BIT Mining, is publicly traded on the NSYE.

Millions of dollars of user funds stolen in BitKeep wallet hack

BitKeep, a popular cryptocurrency wallet in Asia, suffered a hack in which at least $8 million in various cryptocurrencies were stolen from user accounts.

BitKeep has claimed that attackers were able to compromise a version of their software and introduce malicious code which enabled them to drain user funds. BitKeep recommended their users contact the team behind BNB Chain on social media to plead with them to freeze an address used by the hackers, although the attackers had already begun to tumble the funds.

This is the second BitKeep-related hack in the last few months. In October, hackers stole more than $1 million worth of BNB when the Swap feature of the BitKeep wallet was exploited.

Rubic cross-chain exchange hacked, $1.4 million in user funds stolen

The Rubic cross-chain exchange suffered an exploit in which attackers were able to siphon a total of around $1.4 million in user funds from their wallets. The exploit was enabled by an error by the project team, who erroneously added the USDC stablecoin address as a router, which allowed attackers to arbitrarily withdraw USDC held by Rubic users. The hacker then transferred the stolen funds through the Tornado Cash cryptocurrency mixer.

Rubic paused their project to limit further thefts, and stated they would pursue audits before coming back online. They also stated that they would "strive to compensate for the losses".

Police arrest two executives of shuttered AAX exchange

The Hong Kong-headquartered AAX cryptocurrency exchange suddenly halted withdrawals on November 13, claiming they were performing temporary system maintenance. However, withdrawals were never re-enabled, and customers quickly realized the exchange was unlikely to resume withdrawals. Some even began searching for the whereabouts of AAX execs, showing up at offices in Hong Kong and Singapore.

Now, Hong Kong police have arrested Liang Haoming and Thor Chan, two executives connected to AAX. Police have reportedly accused the men of using the maintenance excuse to halt customer withdrawals while dealing with a liquidity crisis.

Defrost Finance fails to rug pull

Defrost Finance, a defi trading platform built on the Avalanche Network, apparently tried and failed to rug pull its users. The project claimed on December 23 that they were "sad to announce that our V2 has suffered a hack, with an attacker using a flash loan function to withdraw funds". They later announced that this "hacker" had also managed to exploit the v1 version of their project. Altogether, it appeared that tokens valued at around $12 million had been stolen.

Observers were quick to notice that the "hack" was made possible by the addition of a fake collateral token, which was then manipulated to liquidate the protocol's users, suggesting the "hack" was likely an inside job.

On December 26, Defrost claimed that the "hacker" had miraculously returned the money. The announcement didn't seem to convince the project's users, who left comments like, "It was never hacked. You tried to rug your users".

Defrost Finance's team had previously run a project called FinNexus, which also suffered a "hack" in May 2021 that was widely believed to have been a rug pull.

No JavaScript? That's cool too! Check out the Web 1.0 version of the site to see more entries.